- Banking Agencies Issue New Guidance on Third-Party Risk Management
- Federal Banking Agencies Finalize Policy Statement for Commercial Loan Workouts
- OCC Report Highlights Key Risks Facing the Banking System
- Federal Agencies Propose Advice on Reconsidering Collateral Valuations for Home Loans
- Other Developments: Cybersecurity and Real Estate Valuation
1. Banking Agencies Issue New Guidance on Third-Party Risk Management
The federal banking agencies have published new guidance to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology (fintech) companies. The new guidance, released on June 6, offers a framework of risk management principles for banking organizations to consider in developing risk management policies and procedures for third-party vendor relationships, including due diligence and vendor selection, contract negotiation, ongoing monitoring, and termination. The guidance emphasizes that the use of a third-party vendor does not diminish the responsibilities of a banking organization’s board of directors to provide oversight of senior management or the responsibilities of senior management to oversee the activity in which the vendor is engaged to ensure compliance with safety and soundness considerations and all applicable laws and regulations. The guidance reaffirms the supervisory principle that banking organizations are expected to adopt risk management practices that are commensurate with the level of risk, complexity, and size of the banking organization and the nature of the relevant third-party vendor relationship. The guidance replaces each agency’s existing guidance on third-party vendor risk management. Click here for a copy of the new guidance.
Nutter Notes: The new guidance suggests that examiners expect banking organizations to “engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities.” According to the guidance, each banking organization must identify its critical activities, as an activity that is critical for one banking organization may not be critical for another. Examples of characteristics indicative of critical activities include those that could cause a banking organization to face significant risk if the vendor fails to meet expectations, have a significant impact on customers, or have “a significant impact on a banking organization’s financial condition or operations.” The guidance provides insights into supervisory expectations for a banking organization’s third-party vendor risk management functions. For example, the guidance explains that the federal banking agencies may use their examination authority to evaluate the functions or operations performed by a vendor on behalf of a banking organization, including evaluation of the vendor’s ability to perform its contractual obligations, and the vendor’s ability to comply with applicable laws and regulations.
2. Federal Banking Agencies Finalize Policy Statement for Commercial Loan Workouts
The federal banking agencies and the NCUA, in consultation with state bank and credit union regulators, have jointly issued a final policy statement for prudent commercial real estate (CRE) loan accommodations and workouts. The policy statement, released on June 29, updates and expands on existing guidance, including the 2009 Policy Statement on Prudent Commercial Real Estate Loan Workouts, by incorporating recent policy guidance on loan accommodations and accounting developments for estimating loan losses. The policy statement emphasizes the need for banks to work prudently and constructively with creditworthy borrowers during times of financial stress and provides new guidance on short-term loan accommodations. Specifically, the policy statement identifies short-term loan accommodations as a tool that can be used to mitigate adverse effects on CRE borrowers and encourages banks to work with such borrowers who are or may become unable to meet their contractual payment obligations during periods of financial stress before a loan reaches a workout scenario. According to the policy statement, such short-term accommodations are often in the best interests of both banks and CRE borrowers because they may mitigate long-term adverse effects on borrowers by allowing them to address the issues affecting repayment capacity. The policy statement is substantially similar to the proposed version released for public comment last year. Click here for a copy of the final policy statement.
Nutter Notes: As in the proposed version, the final policy statement addresses supervisory expectations with respect to a bank’s handling of loan accommodations and loan workouts on matters including risk management, classification of loans, regulatory reporting, and accounting considerations. The final policy statement also includes some additional clarifications not included in the proposed version. For example, in response to industry comments, the final policy statement clarifies that the examiners’ role is to review and evaluate the information provided by bank management to support a real estate valuation, and not to perform an independent valuation. The policy statement therefore explains that an examiner may adjust the estimated value of collateral for credit analysis and classification purposes if the examiner can establish that underlying facts or assumptions used by the bank “are irrelevant or inappropriate for the valuation or can support alternative assumptions based on available information.” While focused on CRE loans, the agencies indicated that the policy statement also includes general principles that are relevant to a bank’s commercial loans that are collateralized by other business assets (such as furniture, fixtures, or equipment). The policy statement reaffirms certain key principles from the 2009 policy statement, including the supervisory principle that banks implementing prudent CRE loan workout arrangements after performing a comprehensive review of a borrower’s financial condition will not be subject to criticism for such arrangements even if they result in modified loans that have weaknesses resulting in adverse credit classification.
3. OCC Report Highlights Key Risks Facing the Banking System
The OCC has published a report that identifies key issues facing the banking system in its Semiannual Risk Perspective for Spring 2023. The report, released on June 14, offers the OCC’s evaluation of trends in key risks, including that both operational risk and compliance risk are considered elevated by the agency. The report primarily attributes the elevation in operational risk to continuing cyberattacks on banks, which it describes as becoming “more sophisticated and damaging to the U.S. economy.” The report also notes that perpetrators of cyber attacks increasingly target bank service providers or exploit vulnerabilities of third-party software used by banks. The report attributes the elevation in compliance risk to overseeing and managing relationships with fintechs and other third-party services providers, and to the implementation by banks of new, modified, or expanded products, services, and operational structures. The OCC also sees credit risk as remaining moderate in general, but with increasing stress in the areas of consumer credit and certain types of commercial real estate. Click here for a copy of the report.
Nutter Notes: Acting Comptroller of the Currency Michael Hsu made public statements concurrently with the release of the Semiannual Risk Perspective for Spring 2023, noting that the OCC expects national banks and federal savings associations to guard “against a false sense of comfort from the recent relative stability in bank markets and from the benign credit performance data over the course of the pandemic.” He also suggested that examiners will expect banks to re-evaluate exposures, such as asset and liability concentrations, across a range of scenarios, and to take measures to preserve capital and maintain liquidity “consistent with each bank’s risk profile.” Acting Comptroller Hsu warned banks to be watchful about accumulating “technology debt”—described in the report as the accumulated future costs “to operate existing technology systems, and the costs to update to more advanced technologies.” The report highlights risks association with continued use of aging technologies, such as increased likelihood of system outages, security vulnerabilities, system maintenance challenges, and other issues that may reduce operational resilience. According to the report, postponing system updates or delaying technology upgrades can create risks to a bank and unnecessarily increase its technology debt.
4. Federal Agencies Propose Advice on Reconsidering Collateral Valuations for Home Loans
The federal banking agencies, together with the NCUA and CFPB, have requested public comments on proposed guidance to address the reconsideration by lenders of collateral value for residential real estate transactions. The proposed guidance, released on June 8, would advise banks and other home mortgage lenders on policies that they may implement to allow consumers to provide information that may not have been considered during an appraisal or if deficiencies in the original appraisal are identified. According to the proposed guidance, a lender may submit a reconsideration of value (ROV) request to an appraiser if a consumer provides information to the lender about potential deficiencies in the original appraisal or other information that could affect the valuation of the collateral real estate. The proposed guidance would describe how a lender could implement or amend an ROV policy consistent with safety and soundness standards and in compliance with applicable laws and regulations, while preserving appraiser independence. Public comments on the proposed guidance will be due within 60 days after it is published in the Federal Register, which is expected shortly. Click here for a copy of the proposed guidance.
Nutter Notes: Among other things, the proposed guidance would describe the risks related to deficient residential real estate valuations and how home mortgage lenders could incorporate ROV policies and procedures into current risk management functions. Factors that can contributed to a deficient collateral valuation include prohibited discrimination, errors, or omissions, or “valuation methods, assumptions, data sources or conclusions that are otherwise unreasonable, unsupported, unrealistic, or inappropriate,” according to the proposed guidance. The proposed guidance would warn that deficient collateral valuations pose risks to the lender, such as loan losses and violations of consumer protection laws that may lead to civil money penalties or litigation. The proposed guidance would provide examples of ROV policies and procedures that a lender may implement to help identify, address, and mitigate valuation discrimination risk.
5. Other Developments: Cybersecurity and Real Estate Valuation
- OCC Makes New Cybersecurity Supervision Work Program Available
The OCC has released an examination tool that banks may use to evaluate their cybersecurity preparedness. The OCC made its Cybersecurity Supervision Work (CSW) Program publicly available on June 26. According to the OCC, the CSW provides bank exam objectives and procedures “that are aligned with existing supervisory guidance and the National Institute of Standards and Technology Cybersecurity Framework.” Click here to access the CSW.
Nutter Notes: In its release, the OCC noted that the CSW does not change a bank’s optional use of the FFIEC Cybersecurity Assessment Tool or other cybersecurity frameworks. According to the OCC, the CSW does not establish new regulatory expectations, and banks are not required to use it to assess cybersecurity preparedness.
- Proposed Rule to Govern Automated Residential Real Estate Valuations Released for Public Comment
The federal banking agencies, together with the NCUA, CFPB and FHFA, have issued a proposed rule that is designed to ensure the credibility and integrity of automated valuation models (AVMs) used in valuing collateral for home mortgage loans. Under the proposed rule released on June 1, the agencies would require banks and other home mortgage loan originators engaged in certain covered transactions to adopt policies, practices, procedures, and control systems to ensure that AVMs adhere to certain quality control standards. Public comments on the proposed rule will be due within 60 days after it is published in the Federal Register, which is expected shortly. Click here for a copy of the proposed rule.
Nutter Notes: According to the agencies, the proposed AVM standards are designed to ensure a high level of confidence in the estimates produced by AVMs, help protect against the manipulation of data, and help to avoid conflicts of interest. The proposed AVM standards would require random sample testing and reviews, among other controls.