We e-mail each new entry in the Bank Regulatory Blog to our clients and friends. If you would like to be added to our mailing list, send an e-mail to alan.harris@harrislawusa.com. Three New Government Plans – What They Mean for Community Banks October 15, 2008 Regulators announced details yesterday of three new measures designed to help depository institutions shore up their capital and attract new deposits. These opportunities may be attractive to many community banks and their holding companies, but they do come with strings attached. FDIC Insurance Coverage for All Non-Interest Bearing Transaction Deposits The FDIC will provide full insurance coverage – over and above the $250,000 already insured – for non-interest bearing transaction accounts at participating institutions until December 31, 2009. This measure is geared to help smaller and mid-sized banks attract accounts in which commercial customers frequently maintain large balances, for transactions such as payroll processing. After the first 30 days of the program, participating banks will pay the FDIC a 10 basis point surcharge – added to the deposit insurance premium that already applies -- on the portion of the deposits covered by the additional insurance. All depository institutions will be part of the program for the first 30 days. Institutions that notify the FDIC before the end of that 30 day period can opt out of the enhanced coverage. A bank not opting out apparently still must be deemed eligible by the FDIC in consultation with the bank’s primary regulator, but it is not yet clear what standards may apply. Now for the catch -- banks participating in the program will be subject to enhanced supervisory oversight designed to prevent excess risk taking and rapid growth. The FDIC has not elaborated on what that open-ended phrase might entail. FDIC Guarantee of Senior Debt The FDIC will guarantee senior unsecured debt issued by qualifying banks and holding companies between October 14, 2008 and June 30, 2009. The types of debt covered may include commercial paper, promissory notes, or inter-bank funding. The guarantees will terminate on June 30, 2012, even if the qualifying debt matures at a later time. There is a limit on the amount of an institution’s debt covered by the guarantee – 125% of any debt that the institution had outstanding as of September 30, 2008 and that was scheduled to mature before June 30, 2009. With this limit, the program seems aimed at institutions that desire to roll over existing debt. Institutions with no debt outstanding as of September 30, 2008 do not appear eligible for the guarantee. Participants will incur an annualized fee of 75 basis points, multiplied by the amount of debt issued under the program. Like those desiring additional deposit insurance coverage, institutions opting for the guarantee will be subject to eligibility requirements – as well as the same type of enhanced supervisory oversight targeting risk taking and rapid growth. Treasury Purchase of Preferred Stock The Treasury Department will invest up to $250 billion in non-voting preferred stock of U.S. depository institutions or their holding companies. Holding companies with investments or activities that are not financial in nature (such as some “grandfathered” unitary thrift holding companies and many corporate owners of ILCs) are not eligible. Treasury has already allocated $125 billion of investments in nine of the nation’s largest institutions, with the remaining $125 billion purportedly intended for smaller and regional institutions. The amount of preferred stock that Treasury acquires generally will be between 1% and 3% of a participant’s risk-weighted assets. The preferred stock will qualify as Tier 1 capital. With these investments, Treasury also will acquire warrants to purchase an institution’s common stock having an aggregate market value equal to 15% of the preferred stock investment. The exercise price for the warrants generally will based on the market price for common stock on the date of Treasury’s initial investment, subject to various adjustments. The preferred stock will pay 5% cumulative dividends for the first five years of issuance, and 9% thereafter. However, dividends on preferred stock issued by banks that are not in a holding company structure will be non-cumulative. The preferred stock will have a $1,000 liquidation preference. The stock will rank senior to an institution’s common stock and at least equal to other existing series of preferred stock. The institution is free to redeem the preferred stock in whole or in part at any time after three years. During the first three years, the issuer can redeem the stock only with the proceeds of equity offerings that meet certain requirements. Following redemption of all the preferred stock, the institution also can redeem any common stock held by Treasury at fair market value. Treasury will have the right to transfer the preferred stock and warrants to third parties. To facilitate such transfers, Treasury will obtain piggyback registration rights and (presumably only as to public issuers) will require shelf registration of the securities, and actual registration at appropriate times. The catch to this program involves limits on executive compensation. Participating institutions must ensure that incentive compensation for senior executives does not encourage unnecessary and excessive risks; must require a “clawback” of any bonus or incentive compensation paid to senior executives that is based on statements of earnings, gains or other criteria that later prove to be materially inaccurate; cannot make golden parachute payments to senior executives; and must agree not to deduct for tax purposes any senior executive’s compensation exceeding $500,000. Institutions desiring to participate must act quickly and notify Treasury by November 14, 2008. Treasury will determine eligibility and the amount of investment allocated to a particular participant after consultation with the appropriate regulator. Interested institutions should ensure that their charters authorize the issuance of preferred stock, or take steps now to amend them accordingly. Some entities that cannot issue preferred stock, such as subchapter S banks and most mutual institutions, appear ineligible to participate in the Treasury’s program. Conclusion Many more details of these programs have yet to be fleshed out. Bankers and their boards are well advised to watch for coming developments as they weigh the potential benefits and burdens of participating. Harris Law Firm PC stands ready to help clients understand how these programs may mesh with their particular circumstances and goals. The FDIC last month released updated guidance on managing third party risk – the operational, reputational, compliance, and other risk that banks can face when utilizing the services of third party providers to carry out certain bank functions. These activities may include IT services, support of lending operations, marketing, human resources administration, and even major construction projects, among others. As if to demonstrate its resolve in this area, just days after the guidance the FDIC announced enforcement actions against three banks and CompuCredit Corporation, a third party that each of the banks utilized to promote credit card products. The FDIC alleged that CompuCredit had engaged in deceptive marketing practices. What’s more, the FDIC asserted that the banks had engaged in unsafe and unsound practices by ineffective oversight of CompuCredit’s marketing programs. One of the banks consented to a $7.5 million civil monetary penalty, while the other two banks vowed to contest the actions. Bankers who are negotiating contracts with third parties – or who may be unsure if their existing contracts will withstand examiners’ scrutiny – should consider having them reviewed by competent legal counsel. Retooling agreements where necessary could help make the next regulatory exam less painful and benefit both the bank and its service provider in the process. June 13, 2008 Emanating from the regulatory relief legislation passed in 2006, the changes take effect on July 1, 2008. Among other things, the revisions: · Clarify that organizers of a new national bank do not have to obtain preliminary OCC approval of the charter application before raising capital. Rather, the bank in organization can launch a stock offering after filing articles of association, an organization certificate, and a completed charter application. · Eliminate the requirement to file a Form D with the OCC following a private stock offering. · Affirm that national banks can invest in funds holding bank-permissible assets other than securities, such as loan funds. · Clarify that an operating subsidiary can be in the form of a limited partnership, as long as certain conditions are met. · Expand the availability of after-the-fact notice procedures for conducting new activities in an operating subsidiary. Additions to the list of qualifying activities include merchant processing, billing and collection services, data processing for unaffiliated customers, and branch management services. · Open to banks that are not “well-capitalized” or “well-managed” the opportunity to make non-controlling investments in subsidiaries, subject to an application process. · Eliminate the need to file subsequent applications after first-time regulatory approval to operate an “intermittent” branch serving the same site at regular intervals, such as a branch at a state fair, an annual festival, or a college campus during student registration. · Simplify the rules for paying dividends and provide boards of directors greater flexibility for declaring dividends as they deem appropriate. · Expand a national bank’s authority to guarantee the obligations of a customer, subsidiary or affiliate. · Add the issuance of electronic letters of credit to the list of activities that a national bank can conduct by electronic means. · Increase the limit on a national bank’s public welfare investments from 10% to 15% of capital and surplus, and simplify the process for obtaining OCC approval of investments exceeding the limit. Payment Processors – Pariahs? April 30, 2008
The OCC has set its scope on another player in the “beware the company you keep” category: payment processors. In a Bulletin 2008-12 released last week, the OCC urged national banks to take extra care in their relationships with customers who are in the payment processing business. The bulletin explains that providing banking services to a payment processor can expose a bank to risks not usually found in other customer relationships. A payment processor typically uses its bank as a vehicle for executing transactions for merchants who are the processor’s clients. For example, a processor may generate remotely-created checks drawn on customers of merchants and deposit them into the processor’s account at the bank. A processor might also use the bank to originate ACH debits to the accounts of a merchant’s customers. In these situations, the bank has no direct customer relationship with the merchant, and there are risks to the bank if neither the processor nor the bank has performed due diligence on the merchants for whom the processor is originating payments. If these merchants obtain payments from consumers by unfair or fraudulent practices, the bank can suffer reputational, transactional, legal and other harm. The OCC goes so far as to say that banks without appropriate controls to address the risks in these relationships could be viewed as facilitating unlawful activity perpetrated by its customer processor or any of the processor’s merchant clients. The bulletin calls for banks to implement a due diligence and underwriting policy when taking on payment processors as customers. Such a policy should require a background check not only of the processor – but also of all the processor’s merchant clients – in order to verify their creditworthiness, business practices, and business legitimacy. Certain merchants such as telemarketers warrant even higher scrutiny. Banks also must monitor deposit accounts of payment processors for high levels of returns and chargebacks and other unusual patterns of activity that may suggest unscrupulous practices by a processor or its merchant clients. The day after issuing the bulletin, the OCC showed its resolve in this area by entering into an order and agreement with Wachovia Bank, National Association. Under the order, Wachovia must pay up to $125 million in restitution to consumers who were victims of unauthorized transactions by payment processors and telemarketers that were customers of the bank. The OCC characterized Wachovia as engaging in “a pattern of misconduct” owing to alleged shortcomings in its customer due diligence and account monitoring. A fine and other costs bring Wachovia’s total potential liability to nearly $144 million. This is not the first time that the federal banking regulators have identified payment processors as posing special risks to banks. But the OCC’s heightened focus on processors is reminiscent of the scrutiny that the regulators began applying to banks’ relationships with money services businesses (MSBs) several years ago. The regulators began holding banks accountable to ensure that their MSB customers had effective policies and procedures in place to combat money laundering. This led many in the industry to claim that banks were being made the “de facto” regulator of MSBs. As a result, many banks cut MSBs from their customer ranks, and MSBs began encountering difficulty obtaining banking services. Could payment processors be the next “MSBs” for banks? Bankers can expect their examiners to take a close look at how they initiate and monitor relationships with these customers. Will Your Business Continuity Plan Hold Water? April 17, 2008
Banks wanting to ensure their readiness for a catastrophic event – as well as the next visit by examiners – should review the new Business Continuity Planning Booklet released last month by the FFIEC. The booklet, which forms part of the FFIEC IT Examination Handbook, replaces a previous version from 2003. Since the time of the earlier booklet, we have experienced hurricanes Katrina and Rita and heightened our awareness of possible pandemic and terrorist threats. The new booklet contains numerous additions and revisions owing to recent “lessons learned.” The booklet addresses the need for banks to adopt a business continuity plan (BCP) that outlines procedures for resuming critical functions following a disruptive event. Even though the booklet is part of a series focusing on IT matters, a BCP must cover all important elements of an institution’s (and any affiliates’) business, not just the technology components. Before preparing its BCP, a bank should perform a business impact analysis (BIA). The BIA assesses the potential effects of a catastrophic event on the institution. It prioritizes the institution’s various functions, estimates the maximum downtime that those functions could sustain without irreparable loss, and sets objectives for recovery of critical operations. Next, the institution should perform a risk assessment. The risk assessment evaluates the assumptions of the BIA by gauging the impact of various threat scenarios, including malicious activity, natural disasters, technical disasters and pandemics. Threats that are assessed should range from those with high probability but low impact, such as a brief power outage, to those with low probability but high impact, such as a terrorist attack. The institution should consider its locations, lines of business, and other relevant factors when determining the likelihood of specific types of threats. The final part of the risk assessment is a “gap analysis.” This entails comparing the policies and procedures that the institution should adopt for recovery from threats it may face, compared to those currently in place at the bank. The difference between the two highlights additional risk exposure that management should address when developing the BCP. Among other things, the BCP should specify what events or conditions will set the plan in motion and lay out steps for maintaining safety of personnel and minimizing damage incurred by the institution. The BCP also should detail procedures for recovery of each critical business function; specify how personnel will communicate with one other and with outside parties; and provide for relocation to alternate facilities where appropriate. In addition, the BCP should outline procedures for approving unanticipated expenses. Once written, the BCP should be reviewed and approved by the bank’s board and senior management at least annually and disseminated to employees for timely implementation. An institution should test its BCP at least once per year through a program established by the board. Tabletop exercises, walk-through drills, and simulations are all important testing methodologies. How well the BCP holds up during testing should be evaluated by bank personnel, independently assessed by internal audit or qualified third parties, and reported to the board and senior management. Finally, management and the board should update and modify the BCP as needed according to test results, changes in business operations, and recommendations of auditors and examiners.
Third Party Risk – Do Your Service Contracts Need an Overhaul?
July 15, 2008
The FDIC’s guidance emphasizes that a bank’s board and officers are responsible for managing activities conducted through third parties to the same extent as if the functions were handled within the institution. The FDIC also spells out detailed standards for a bank’s assessment of the risks posed by a third party relationship, due diligence in selecting potential third party providers, structure and review of contracts with third parties, and ongoing oversight of third parties and their performance.
Even though the FDIC’s guidance applies only to state-chartered nonmember banks, it is quite similar to bulletins issued several years ago by the OCC for national banks and the OTS for thrifts. The Federal Reserve does not appear to have issued a comprehensive pronouncement on third party risk, but its examination guidance in various areas for state member banks – such as the sale of securities and insurance on bank premises – incorporates similar principles.
So whatever your charter, your institution is well advised to assess its third party risk management practices against the regulators’ expectations. This should include a focus on your bank’s contracts with significant third party service providers.
Of course, these contracts should clearly delineate the activities that the contract covers, the respective rights and obligations of the bank and the third party, the length of the contract term, and events constituting a party’s default or triggering early termination. At a minimum, the contracts also should address the following:
It’s the Little Things: OCC Regulatory Revisions Make Life Easier for National Banks
The adage that much of life is made of “the little things” could be said to fit the OCC’s recent revisions to a host of its regulations. Momentous the changes are not, and they will leave many national banks largely unaffected. But banks planning to embark on certain activities or investments will find that life has gotten a bit easier for them. State chartered institutions that enjoy parity statutes also should benefit from those updates relating to the substantive powers of national banks.