What can community banks expect from bank regulatory agencies in 2017?
By Mary Thorson Wright
When it comes to 2017’s expected regulatory landscape, Community Banker University instructor Cliston V. “Doc” Bodine III, of Gerrish Smith Tuck, PC, in Memphis, Tenn., emphasizes the need to look at the big picture. “Beyond technical requirements,” he says, “2017 will likely subject community banks to a forward-looking phase of regulatory management. Its hallmarks are controls, procedures and prevention, and it reflects the overarching regulatory shift to focus on risk management in all forms.”
Risk management and cybersecurity
World, national and industry events constantly shift the focus of examinations and supervision among existing and emerging mandates and affect the rigor of regulatory supervision. Bodine observes that, while the predominant technical emphasis of regulatory examinations does shift, 2017 will likely see the importance of technical performance matched, or even usurped, by what he cites as two risk management principles.
The first is vigilance to the “raw” regulatory environment, a result of the industry’s emergence from a crisis period. Since the recent financial crisis, the economy has relaxed a bit, and Bodine has seen improvements in asset quality, real estate market stability, collateral values and quality of business borrowers. Positive trends can cause a less aggressive approach from the regulators; however, at a time so close to recent industry breakdowns, they are still on edge. “The environment is better, but precarious,” he cautions, “and should a bank have a negative occurrence, the regulators would be poised to step back to the more restrictive role quickly. The regulators may deem a program sufficient, then revert quickly in the event of a few errors, even those self-identified by the bank.”
Banking practices have become more complex, more technical and more time-consuming, and community banks employ third-party companies to a significant extent to expand products or services, reduce operating costs, and increase access to core competencies not available in-house. Third-party vendor assistance is valuable, but third-party vendors can present risk-management challenges.
The regulators have expanded risk-management’s importance over the past several years. For example, in November 2016, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Uniform Interagency Consumer Compliance Rating System designed to better reflect current consumer compliance supervisory approaches and to more fully align the rating system with the agencies’ current risk-based, tailored examination processes. The updated rating system will be effective for consumer compliance examinations beginning on or after March 31, 2017.
The second principle of bank risk management, according to Bodine, is to change the methods of managing risk from those used in the past in order to keep up with changing circumstances. Cybersecurity is not just an IT issue and not just a big bank issue. It now spans every aspect of the banking industry, including those functions tasked to third parties.
Cyber risk is comprised of an assortment of risks that manifest themselves from numerous bases and through many channels. The rising volume and sophistication of cyber threats allow bad actors to capitalize on the very systems essential to today’s financial environment.
“A few years ago,” Bodine points out, “community banks may not have implemented robust cyber protections, because the electronic-based products and services they offered were initially more limited than at larger institutions, and community bankers felt detached from those market segments. That changed as customers became aware of and demanded access to the same types of electronic banking facilities offered by larger institutions.” He cites the growing IT and cybersecurity representation on bank boards or through a third-party resource as a signal that community banks recognize the need to address cybersecurity.
Global awareness fosters preparedness
The global regulatory environment facilitates regulatory consistency, and what one regulator deems important today will very likely become the basis of joint guidance issued tomorrow. Bodine urges community banks to be cognizant of their prudential regulatory agencies’ policies, enforcement practices and guidance, but to also heed those of the Consumer Financial Protection Bureau (CFPB) and the other federal bank regulators. He adds that state issuances are also important, even to banks with a national charter, especially if the organization houses a nonbank financial company.
Technical performance remains vital to demonstrate the letter and spirit of laws and regulations. Bodine cites the Bank Secrecy Act (BSA) as receiving “an inordinate amount of attention” over the past few years, and it remains at the top of the regulators’ list. The BSA customer due diligence (CDD) rule becomes effective in May 2017, and it requires covered institutions to add a fifth pillar to the structure of the BSA program, and to implement and maintain appropriate risk-based procedures for conducting ongoing customer due diligence.
Fair lending remains a focus and is also getting attention based on the CFPB’s recent commitment to fair lending enforcement in 2017. Bankers need to think beyond overt discrimination, notes Bodine, and look at the potential for disparate impact from seemingly innocuous policies and practices.
Will the TRID honeymoon be over? In October 2015, Congress passed a provision effective until Feb. 1, 2016, for a safe harbor from enforcement actions and private civil actions for lenders making good-faith efforts to implement the new TRID rule. With the dawn of 2017 and being well past the safe harbor expiration, the industry should expect to feel full enforcement of “Know Before You Owe.”
The CFPB’s final HMDA rules include 48 new or revised unique data fields for which covered community banks must collect and report data on most residential mortgage loan applications—not just approved loans. Banks are not under the gun for compliance for revised HMDA rules until late 2017 or 2018 but will expect to see significant developments to support HMDA changes throughout the year.
Actions to take now
Looking at the big picture, Bodine stresses the importance of a multipronged approach for community banks, beginning with maintaining awareness of regulatory issues, employing technology commensurate to evolving challenges, and maintaining controls and procedures for early identification and corrections.
“Regulatory risk management,” he adds, “is about preventing, identifying and fixing regulatory problems, and it is also about contributing effectively to the conversation with regulators about the bank’s ability to manage its risk and to minimize future criticism.”
Mary Thorson Wright, a former Federal Reserve manager, is a financial writer in Virginia.