As the coronavirus crisis unfolds, federal and state financial services regulatory agencies have taken multiple actions impacting banks, non-bank financial service providers, and their customers. Below is a summary of those actions to date. We will update this information as new information becomes available.

Joint Agency Statement

On March 9, the Federal Reserve Board (FRB), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Consumer Financial Protection Bureau (CFPB), the National Credit Union Administration (NCUA), and the Conference of State Bank Supervisors issued a joint press release urging financial institutions to meet the needs of their customers. The agencies encouraged financial institutions to “work constructively” with borrowers. In doing so, the agencies stated it would be unlikely that prudent efforts “consistent with safe and sound lending practices” would subject institutions to criticism from their examiners. The regulators will also expedite requests to alter the provision of banking services in communities affected by the virus.

Federal Financial Regulatory Response

CFPB: The CFPB has not issued industry guidance on dealing with the emergency, other than the March 9 FFIEC joint press release. The CFPB has published a blog post aimed at consumers on how to protect themselves, including advising consumers struggling to make payments on how to work with their lenders.

FDIC: On March 13, the FDIC issued a Financial Institution Letter addressing the crisis. The FDIC encouraged the industry to work with its customers and committed to both rescheduling examinations and increasing the use of off-site reviews to reduce burden. Importantly, the FDIC stressed that a financial institution’s “prudent efforts” to modify affected customers’ loan terms “will not be subject to examiner criticism.”

FRB: On March 13, the FRB’s Division of Supervision and Regulation issued a letter recommending all financial institutions review prior guidance letters addressing emergency response. The FRB called attention to its March 2013 letter, which addresses working with affected borrowers, examination expectations in response to emergency situations, and handling BSA/AML requirements when assisting borrowers and applicants who can provide limited identifying documentation due as a result of the emergency.

OCC: The OCC has not issued new guidance since its bulletin accompanying the joint March 9 FFIEC statement. The OCC has created a webpage dedicated to the crisis.

State Regulatory Guidance (as of March 16, 2020)

Working from home

On March 5, the State of Washington’s Department of Financial Institutions published work from home guidance for mortgage loan originators. Multiple states have used Washington’s publication as a template, issuing similar written guidance expressly permitting mortgage loan officers to temporarily work from home due to the virus. While the requirements vary by state, the regulators generally want to make sure that when employees work from home licensees and employees continue to adhere to privacy and data security requirements. For example, Arkansas explicitly requires licensees to use VPNs, confirm employees have all required security updates and patches installed on their devices, and continue to maintain physical books and records at the location on file with the state regulator. Oregon requires licensees to send any temporary virus-related policies to the state. At least one state, Maryland, has not relaxed guidelines but instead referred licensees to existing regulatory authority permitting employees to work from home if certain conditions are met.

Several regulators have restricted what work can be done from home. Multiple states are restricting advertising from a person’s home and have barred in-person meetings with borrowers or applicants. Connecticut is requiring that employees work from their own home.

Business Continuity Plans

Some states, including Alabama and Massachusetts, have encouraged licensees to review and update their disaster recovery and business continuity plans. Massachusetts published specific guidance regarding how to document a pandemic strategy, ensure continuity of critical operations, and communicate plans to staff, customers, service providers and regulators, among others.

New York’s Department of Financial Services (DFS) has published several industry letters regarding coronavirus and its impacts. Several require licensees to take action and submit information to DFS.

• New York DFS is requiring regulated banks, credit unions, and licensed lenders to submit a written response to the agency describing the institution’s plan to manage the financial risks to it posed by the impacts of the coronavirus within 30 days (by April 9). Institutions’ responses must include assessments in six categories: (i) credit risk and ratings of impacted customers, counterparties, and business sectors, (ii) credit exposure, (iii) scope and size of the credits adversely impact by the virus that may move to delinquent status, (iv) valuation of impacted assets and investments, (v) overall impact of the virus on earnings, profits, capital, and liquidity (vi) reasonable and prudent steps to assist those impacted by the virus. The last three factors also apply to virtual currency businesses.
• New York DFS is also requiring regulated businesses (including licensees, banks, credit unions, and virtual currency businesses) to provide assurances that they have preparedness plans in place to address operational and financial risk posed by the coronavirus. The plans must be provided to NY DFS no later than April 9 and the plans must address nine categories: (i) Preventative measures tailored to the institution’s specific profile and operations to mitigate the risk of operational disruption, which should include identifying the impact on customers, and counterparts, (ii) a strategy addressing the impact of the outbreak in stages, so that the entity’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak; (iii) assessment of all facilities, systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for longer periods or are working off-site, including the effectiveness and security of remote access; (iv) an assessment of potential increased risk of cyber-attacks and fraud due to an outbreak; (v) employee protection strategies, (vi) assessment of the preparedness of critical third-party service providers and suppliers; (vii) development of a communication plan to effectively communicate with customers, counterparties and the public, and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed; (viii) testing the plan to ensure its policies, processes and procedures are effective; and (ix) governance and oversight of the plan, including identifying the critical members of a response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.
• New York DFS also issued guidance encouraging licensees and regulated banks to take steps to assist businesses adversely impacted by the virus by offering payment accommodations, waiving overdraft fees, and easing credit terms.