Posts filed under ‘FDIC’

Bank/Tech Contract Concerns Issued By FDIC IG

Written by: Lindsay Harden

The FDIC’s independent Office of Inspector General (OIG) issued a report late last week detailing a study it conducted of contracts between financial institutions and technology service providers (TSPs). The report concluded that such contracts are commonly not sufficient to address certain risks that are inherent in these relationships. Specifically, contracts with TSPs frequently lack specificity and completeness with respect to business continuity and incident response procedures and obligations.

For several years the financial regulatory agencies have shown an interest in third-party risk management, including ensuring adequate protection of private customer information. Recently, the FDIC and FFIEC have engaged in further initiatives related to cybersecurity and outsourcing of technology services. However, according to the FDIC’s Division of Risk Management Supervision, contracts with TSPs are generally out of date and do not reflect recent efforts to strengthen cybersecurity.

Based on a review of 48 contracts between financial institutions and TSPs, the OIG report made the following findings:

  • Financial institution analyses do not fully consider business continuity and incident response risks presented by TSPs
  • Key contract provisions provide limited coverage of the TSP’s business continuity planning and incident response and reporting responsibilities
  • Key contract terms lack clear and specific definition
  • The FDIC has implemented numerous initiatives to address cybersecurity risks
  • Financial institution third-party relationship risks remain and will require continued supervisory attention

In addition, the report provided some examples of necessary types of provisions that are frequently missing from contracts. For instance, only half of the contracts reviewed explicitly included business continuity provisions, and only a handful established clear performance standards and remedies for failure to meet those standards. Furthermore, many key terms used in regulatory and supervisory guidance—including “misuse of information,” “unauthorized access,” “significant disruption,” and “cyber event”—were often unused, undefined, or inadequately defined in TSP contracts.

The FDIC has plans to take certain actions by October of 2018 to follow up on the OIG’s recommendations in the report. One such action is continuing to communicate to financial institutions the importance of effective contracts with TSPs through the FDIC’s risk management supervision program, which includes guidance, examination procedures, examinations, and off-site monitoring.

The OIG report and potential FDIC action provide banks with additional leverage in negotiating TSP contracts. Affected banks should closely review existing contracts, and if your contracts are close to renewal, or if you are considering adding services under those contracts, you have an opportunity to address deficiencies.  You should review the terms of the agreement and work with counsel to identify gaps in existing or proposed agreements. Please contact us if you need assistance, as we have significant experience negotiating and drafting contracts with TSPs and assisting banks with TSP vendor diligence.

For more information, please contact Karen Garrett or Steve Cosentino, leaders of our fintech practice.

February 23, 2017 at 10:00 am

FDIC Final Rule on Deposit Account Recordkeeping

Written by: Maria Macoubrie

On November 15, 2016, the Federal Deposit Insurance Corporation (FDIC) released its final rule regarding deposit account recordkeeping (https://www.fdic.gov/news/news/press/2016/pr16101a.pdf) (Final Rule) to help ensure prompt access to funds in the event of a bank failure, particularly in large banks with a high number of accounts that use multiple deposit systems, where data aggregation and account identification are otherwise difficult. The Final Rule is effective April 1, 2017. While the Final Rule is designed to apply to institutions with large numbers of deposit accounts, there is some ambiguity with respect to how those accounts should be counted.

The Final Rule applies only to “covered institutions.”  A “covered institution” is an insured depository institution that has 2 million or more deposit accounts in two consecutive quarters.  There is some uncertainty within the industry whether deposit accounts for prepaid and similar omnibus relationships that (based on previous guidance regarding brokered deposits) have been treated as a single deposit account, should be counted as a single deposit account for purposes of the Final Rule. The FDIC failed to respond to several comments requesting clarification of this particular issue.  This issue will continue to be a top question raised by several industry groups to the FDIC as the effective date looms closer.

The Final Rule requires a covered institution to configure its information technology system to be capable of performing the following tasks within 24 hours of the FDIC being appointed as a receiver: (a) accurately calculating deposit insurance coverage for each deposit account; (b) generating output records in the specified format and layout; (c) restricting access to some or all of the deposits in a deposit account until the FDIC has made a deposit insurance determination using the covered institution’s technology system; and (d) debiting from the deposit account the uninsured amount.

The Final Rule includes both general and alternative recordkeeping requirements. The general recordkeeping requirements are robust and include unique identifying information to determine ownership rights. The alternative recordkeeping requirements apply where the covered institution does not maintain the account holder data itself. Under the alternative recordkeeping requirements, the covered institution need only maintain the unique identifier of the account holder and a file code designating the account type as set forth in the Final Rule. In cases where the covered institution is able to use the alternative recordkeeping requirements, the covered institution must certify to the FDIC that the account holder for the omnibus account will provide to the FDIC the information needed for the covered institution’s information technology system to calculate deposit insurance coverage as required within 24 hours after the appointment of the FDIC as receiver.

To the extent the “account holder” is a program manager or other party that maintains records on large numbers of persons that have pass-through FDIC deposit insurance, the Final Rule could present a regulatory risk to covered institutions if those account holders are not prepared to comply with the very specific and detailed recordkeeping requirements imposed by the Final Rule.

Not less than 10 business days after a covered institution becomes subject to the Final Rule, it must notify the FDIC of the person(s) responsible for implementing the recordkeeping and information technology system capabilities required by the Final Rule.

Covered institutions must certify compliance (meeting specific certification requirements) before the effective date and then annually thereafter.

In addition, the FDIC has the right to audit compliance beginning the first calendar quarter following the effective date and every three years thereafter (more frequently if there is a particular risk).

The Final Rule also contains several provisions to request temporary relief from the Final Rule.  It also grants the FDIC the right to expedite the effectiveness of the Final Rule for certain covered institutions.

November 28, 2016 at 1:53 pm

Proposal to Streamline Call Reports for Community Banks

 

Written by: Nate Van Emon

On Friday, August 5, the Federal Financial Institutions Examination Council (FFIEC) requested public comment on a proposal to streamline the existing regulatory reporting requirements by eliminating and revising several Call Report data items for certain financial institutions with assets of less than one billion and domestic offices only. The proposal attempts to reduce the reporting burden for the smaller, less complex financial institutions, while still gathering the information required to allow regulators to monitor the safety and soundness of such institutions. The streamlined Call Report would remove approximately 40% of the requested data items, which eliminates 24 pages from the existing Call Report.

Specifically, the changes focus on (i) eliminating certain schedules relating to complex or specialized activities, (ii) removing data items identified as unnecessary for monitoring the safety and soundness of smaller institutions, (iii) reducing the frequency of data collection for certain data items, and (iv) removing data items that are only required for institutions larger than one billion in assets. Comments must be received within 60 days from the date the proposal is published in the Federal Register.

August 17, 2016 at 8:30 am

Commercial Real Estate Portfolio Reminder: New Rules on Increased Risk Weighting for Commercial Real Estate Loans Now in Effect

Written by: Joseph Hipskind

The first quarterly Consolidated Reports of Condition and Income for 2015 have been generated and fresh attention is being paid to the possibility of increased risk weighting for many real estate loans. For most banks, savings and loan holding companies and large bank holding companies, new rules for the risk weighting of “High Volatility Commercial Real Estate” (HVCRE) loans went into effect on January 1, 2015. As a result of these new rules, some loans that might have been classified as being risk-weighted at 100 percent are now being risk-weighted at 150 percent.

Most followers of the actions of the multi-national Basel Committee on Banking Supervision, which includes the United States, and the U.S. banking agencies are well aware of the increased focus on capital adequacy and risk management. The Basel Committee’s Basel III Accord took aim at the financial crisis of 2007. The framework developed as part of Basel III led to the Federal Reserve Board’s promulgation of rules in 2003 which implement both the Basel III Accord and the Dodd-Frank Wall Street Reform and Consumer Protection Act. These rules were also approved and promulgated by the OCC and the FDIC. One small part of these rules focuses on lending institution exposure to real estate loans.

The final rules amount to hundreds of pages of text and one such final rule relates to what U.S. banking agencies classify as HVCRE loans. In what amounts to a material change to past practice, HVCRE loans are required to be risk-weighted at 150 percent. HVCRE loans include all loans that finance the acquisition, development and construction of commercial real estate, with important exceptions. One to four family residential properties, certain loans for the purchase or development of agricultural land, and certain loans for projects that qualify as community development investment are exempt from the HVCRE classification.

Also, as elucidated in the FDIC’s final rule codified in Title 12 of the Code of Federal Regulations in Part 324, a  commercial real estate loan may avoid the HVCRE classification if:

  • the loan-to-value ratio (LTV) is equal to or less than the maximum supervisory LTV (which is 80% for commercial construction loans), and
  • the borrower contributes capital to the project in the form of cash or unencumbered readily marketable assets (or has paid development expenses out of pocket) of at least 15% of the real estate project’s “as completed” appraised value, and
  • the borrower contributed the amount of capital before the advance of funds under the loan and the borrower’s 15% is contractually required to remain in the project until the loan is converted to a permanent loan, sold or paid off.

These rules were finalized in 2013 but the first quarter of 2015 presented the first opportunity for banks to grapple with the new rules. Naturally, if such work has not already been done, financial institutions should take immediate action on reviewing real estate loan portfolios in light of the new rules. Among other things, “as completed” appraisals for real estate projects must be reviewed for the “as completed” appraised value. Borrower contribution to the capital of the project must be calculated. Loan documents should be analyzed to determine whether contributed capital is contractually required to remain in the project. And, looking ahead, care should be taken in ensuring that future real estate loans include appropriate contractual provisions to address these points.

July 22, 2015 at 8:00 am

Increased Regulatory Scrutiny Over Add-On Credit Card Products

Written by: Tanner Weigel

Increased regulatory scrutiny over the offering, marketing and billing practices used for add-on products has led to a marked increase in the number of regulatory enforcement actions and consent orders imposed on credit card issuers. Add-on products are credit card products that are ancillary to the actual extension of credit; some examples of these products include debt protection products, identity theft protection products and credit score monitoring products. Notably, regulatory scrutiny has increased for all credit card issuers, regardless of size and regardless of the primary regulator for the issuer. Indeed, the CFPB and other regulators are making good on the CFPB’s October 2013 promise to increase scrutiny over the marketing and sale of add-on products.

For example, on April 7, 2014, a large credit card issuer agreed to pay approximately $772 million to settle OCC and CFPB claims that the issuer violated section 5 of the FTC Act, 15 U.S.C. §45(a) (“Section 5”), by using deceptive marketing and billing practices relating to certain add-on products. In the Order, the regulators allege that, among other violations, the issuer 1) billed customers for the full cost of the add-on product even though the customers were not receiving all of the product’s advertised benefits, and 2) enrolled customers in products without obtaining their affirmative consent.

Similarly, the FDIC determined that a small bank issuer engaged in deceptive and unfair acts and practices in violation of Section 5. Some of the criticized practices included add-on products. The FDIC recently imposed a $1 million civil money penalty and ordered the issuer to 1) refund all interest charged by the issuer during a “zero percent interest for 12 month” promotional offer, and 2) clearly and accurately disclose to credit card customers that enrollment in a particular add-on product was not required to obtain or maintain a bank issued credit card.

Card issuers must act now to ensure their practices fully comply with applicable statutes, regulations and regulatory expectations. The following set of considerations is adapted from a CFPB Bulletin and provides an analytical framework for issuers to consult when conducting a compliance review. To ensure the issuer is marketing and selling credit card add-on products in a manner that limits the potential for statutory or regulatory violations, the issuer should take the following actions:

• Adequately disclose important product terms and conditions and always avoid deceptive acts, practices or tactics. Marketing materials, including direct mail materials, telemarketing scripts and electronic and print advertisements, must fully and accurately reflect the terms and conditions of the product and not be deceptive or misleading. Banks are encouraged to evaluate the following factors:
1) Is the statement prominent enough for a reasonable consumer to notice?
2) Is the information presented in an easy-to-understand format that does not contradict other information relating to the product?
3) Is the information in a location where a reasonable consumer can be expected to look?
4) Is the information in close proximity to the claim it qualifies?

• Obtain affirmative consent before enrolling consumers in the add-on product. Banks must not enroll customers in add-on products without clear affirmative consent, which should be obtained only after the consumer has been informed of the terms and conditions of the add-on product.

• Disclose the voluntary nature of the enrollment process. The purchase of add-on products cannot be required as a condition of obtaining credit. Therefore, banks should evaluate their current practices to ensure oral and written statements to consumers do not require enrollment in an add-on product prior to the extension of credit.

• Only bill customers for services that are actually performed. Issuers should only bill for services actually performed and should ensure that customers receive all advertised product benefits when they are charged the full amount of the product’s cost. The failure to provide all advertised benefits without a corresponding reduction in fees will lead to adverse consequences.

• Appropriately design and monitor employee incentive or compensation programs. Employee incentive programs tied to the sale and marketing of add-on products must be designed to ensure that the programs do not create incentives for employees to provide inaccurate information about the products. Issuers must frequently analyze sales tactics, including all scripts and manuals used by the issuer’s customer service centers, to ensure the following obligations are met:
1) The customer service representatives accurately state the terms and conditions of the various products;
2) Attempts to rebut the customer’s attempt to decline the product are made in accordance with established and clearly defined bank guidance. Ideally, such guidance will include the appropriate rebuttal language that may be used, clearly define when such language is appropriate, and limit the number of times rebuttal attempts may be made;
3) Customer service representatives are not regularly deviating from approved scripts;
4) Cancellation requests are handled in an appropriate manner.

• Design and employ effective compliance management programs. Programs should be designed to ensure compliance with prohibitions against deceptive acts and practices, as well as all other Federal and state consumer financial protection laws and regulations, including the Truth in Lending Act and the Equal Credit Opportunity Act. Issuers should:
1) Conduct periodic quality assurance reviews;
2) Engage an independent auditor to objectively evaluate the add-on program;
3) Monitor any affiliates or third-party service providers that perform marketing or other functions related to the add-on products to ensure they are complying with applicable law;
4) Implement an appropriate channel for resolving consumer complaints; and
5) Design and implement a comprehensive training program for employees involved in the marketing, sale and operation of add-on products.

May 12, 2014 at 5:26 pm
