BCLP Banking Blog


Vetting FinTechs as Business Risk Partners: OCC Bulletin

Innovation is a key to competitive advantage and keeping pace with consumer digital banking preferences. Increasingly, banks are engaging the services of fintechs that can deliver certain information and services in a more agile environment, putting banking services at consumers’ fingertips. Some banks are entering into strategic alliances to ensure their platforms keep a competitive edge in the coming months and years. From a risk management and regulatory supervision/enforcement perspective, banks need to understand the specific services and capabilities of their partners and the risks involved. Last month, the OCC, the FDIC and the Federal Reserve released a joint bulletin, “Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks” (OCC Bulletin 2021-40).

In the Bulletin, the OCC highlights: “During due diligence, a community bank considers how the fintech company may assist the bank in meeting its strategic objectives and determines whether the relationship aligns with the bank’s risk appetite. A community bank evaluates whether the proposed activity can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. To augment existing resources, leverage specialized expertise, and gain efficiencies, community banks might collaborate or engage external resources when evaluating a proposed relationship with a fintech company.”

The OCC also refers community banks to its prior third-party vendor management and supervision requirements, but notes, importantly, that the new Bulletin is a separate “resource for bank management.”


Sharper Lines Mean Tighter Nets: How the FinCEN’s Latest Priorities are Another Step to Increased Enforcement

In the latest sign that the federal enforcement apparatus is slowly but surely training its sights on white-collar professionals and businesses, particularly financial services, the Financial Crimes Enforcement Network (“FinCEN”) published a list of priorities last week. For the last few years, prosecutors have aggressively pursued allegations of corruption and fraud – at times too aggressively, in the views of many federal judges. Executives willing to roll the dice at trials have increasingly found receptive audiences in judges who have chastised prosecutors for bringing criminal charges where the lines demarking unlawful conduct were not so clearly drawn. The publication of the FinCEN priorities is another step in drawing those lines.

Developments This Year

Earlier this year, Congress overrode then-President Trump’s veto to pass the Anti-Money Laundering Act of 2020 (“AMLA”) which included greatly increased incentives for whistleblowers to report on money laundering and Bank Secrecy Act (“BSA”) violations, broadened BSA’s coverage to capture dealers of antiquities and cryptocurrency, and gave the U.S. Treasury Department and the U.S. Department of Justice authority to obtain records from foreign financial institutions.

Just over a month ago, on June 3, 2021, the White House published the Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest (the “Memorandum”). In the Memorandum, President Biden sets forth a policy of “effectively preventing and countering corruption and demonstrating the advantages of transparent and accountable governance” and commits to “lead efforts to promote good governance; bring transparency to the United States and global financial systems; prevent and combat corruption at home and abroad; and make it increasingly difficult for corrupt actors to shield their activities.” The Memorandum directs 15 federal agencies to collaborate in a 200-day “interagency review” to enhance the government’s ability to fight corruption.

FinCEN’s AML/CFT Priorities

In one tangible result of those anti-corruption efforts, FinCEN published guidance for the financial services sector just a few weeks after the release of the Memorandum, in the form of the Statement on the Issuance of the Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) National Priorities (the “Statement”) and Anti-Money Laundering and Countering the Financing of Terrorism National Priorities (the “AML/CFT Priorities”). The AML/CFT Priorities are applicable to all “covered entities” – financial service providers required to maintain an anti-money laundering program under the BSA – which includes banks, money services businesses, credit card system operators, loan and finance companies, and broker-dealers.[1] While the priorities are not expected to be addressed until the effective date of regulations,[2] we expect covered entities to begin consideration of the priorities in the course of any periodic updating processes. Indeed, FinCEN recommends in their statement that covered entities begin considering how to incorporate the AML/CFT Priorities into their compliance programs.

Echoing President Biden’s earlier policy statements, the eight priorities are (1) corruption; (2) cybercrime, including relevant cybersecurity and virtual currency considerations; (3) foreign and domestic terrorist financing; (4) fraud; (5) transnational criminal organization activity; (6) drug trafficking organization activity; (7) human trafficking and human smuggling; and (8) proliferation financing.[3] A high-level summary of the AML/CFT Priorities is available here.

These updated priorities come on the heels of an already-increasing appetite for white-collar prosecution. The aggressive push from the Department of Justice can be traced back to 2015, when then-Deputy Attorney General Sally Yates issued the Yates Memorandum, which made “[f]ighting corporate fraud and other misconduct . . . a top priority of the Department of Justice,” especially in prosecuting individuals. A year and a half and a change in administration later, the Department of Justice’s priorities turned elsewhere — largely to combatting violent crimes — but not before a new wave of white-collar prosecutions had already begun. As the Wall Street Journal recently documented, one of these cases led a judge to vacate a conviction against a Wall Street executive, remarking that the “government completely overreached,” and that the “lines have to be very clear, because when someone crosses a line and is likely to end up in jail, you want that line to be clear.”[4]  Other judges have remarked that federal authorities have been too eager to grab cash and assets before proving any wrongdoing.[5]  

Examples of judges reaching for the extreme remedy of overriding a jury verdict are increasingly common. The Third Circuit Court of Appeals earlier this year threw out convictions of four former bank executives because the key regulation underlying their convictions was ambiguous,[6] and the Second Circuit will soon decide whether to affirm a New York federal judge’s decisions to toss guilty verdicts against hedge fund executives based on, in that judge’s view, insufficient proof of criminal intent.[7] The Wall Street Journal noted that the federal prosecutors’ normally near-perfect batting average in getting convictions has slipped to just below 80% in Wall Street cases over the past five years. That is undoubtedly because proving intent in such cases, particularly against the backdrop of murky regulations, is challenging. 

But the FinCEN priorities, along with the AMLA and the Memorandum, may indicate an intent by regulators to ratchet up the pressure. Notably, on July 6, 2021, after listing cybercrime as one of the priorities, FinCEN hired Michele Korver, a former federal prosecutor, as its first “Chief Digital Currency Advisor.”[8] Enhanced regulations yet to come will help prosecutors extract resolutions from companies and pursue individual prosecutions through trial. When those lines become more focused, verdicts are more likely to stand.

Next Steps

A robust AML/CFT program likely includes elements of the AML/CFT Priorities, but the FinCEN guidance provides helpful information that covered entities should take into consideration – and that covered entities can use to direct internal resources to specific areas of concern. The AML/CFT Priorities also highlight increased national focus on domestic terrorism and cybersecurity, the latter already front-page news from a recent spate of high-profile and critical infrastructure ransomware and hacking attacks. While compliance with the above AML/CFT Priorities is not yet required, covered institutions are encouraged to begin investigating workable solutions for implementation without overburdening compliance and regulatory teams. Starting early to update policies, procedures, and systems can minimize friction when regulations are finalized and implemented.


[1] Separate statements were published for non-bank financial institutions by FinCEN, and jointly for banks and credit unions by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency. See 31 CFR Chapter X; see also summary of covered entities provided in AML/CFT Priorities, FN 6.

[2] Regulations must be promulgated within 180 days after the establishment of the priorities. 31 U.S.C. § 5318(h)(4)(D) (as amended by the Anti-Money Laundering Act of 2020 § 6101(b)(2)(C)).

[3] Priorities.

[4] Aruna Viswanatha & Dave Michaels, Flaws Emerge in Justice Department Strategy for Prosecuting Wall Street, Wall St. J. (July 5, 2021), https://www.wsj.com/articles/flaws-emerge-in-justice-department-strategy-for-prosecuting-wall-street-11625506658.

[5] The Wall Street Journal Editorial Board, Guilty Until Proven Innocent (July 7, 2021), https://www.wsj.com/articles/guilty-until-proven-innocent-11625697428.     

[6] United States v. Harra, 985 F.3d 196 (3d Cir. 2021).

[7] United States v. Mark Nordlicht, et al., No. 16 CR 640 (BMC), (Dkt. No. 799) (E.D.N.Y. 2019); Second Circuit Docket Nos. 19-3209 & 19-3207. 


Jim McAlpin featured on ‘Bank Director’

June 29, 2021


Due to ongoing changes in the banking industry — from demographic shifts to the drive to digital — it’s never been more important for bank boards to get proactive about strategy. James McAlpin Jr., a partner at Bryan Cave Leighton Paisner and global leader of the firm’s banking practice group, shares his point of view on three key themes explored in the 2021 Governance Best Practices Survey.

  • Taking the Lead on Strategic Discussions
  • Making Meetings More Productive
  • The Three C’s Every Director Should Possess

BCLP Sponsors Banking Governance Best Practices Survey

May 13, 2021


Bryan Cave Leighton Paisner was pleased to sponsor the 2021 Governance Best Practices Survey, conducted by Bank Director. BCLP Partner Jim McAlpin worked with Bank Director in framing the questions for the national survey and interpreting the results. Bank Director shared the results May 10, and featured the results in their weekly newsletter, The Slant. An article on the survey and related topics will be published by Bank Director this summer.


Conversations about Banking: An Interview with Greg Morse

This month we continue our “Conversations about Banking” series. The series will consist of video conversations with leaders and influencers in the banking industry about topics of current interest. We hope you will enjoy and find benefit in this new aspect of BankBCLP.

In this session of Conversations about Banking, Jim McAlpin speaks with Greg Morse, CEO of Worthington National Bank in Ft. Worth, Texas. Worthington National is a business-oriented bank serving the Ft. Worth and Arlington, Texas communities. Greg is a native Texan who is as comfortable in a saddle as he is in a board room, and his observations about banking are both pragmatic and insightful. During the conversation, Greg also describes the community outreach that is at the core of his bank’s culture, including financial literacy education for those in need. Please join us for this enjoyable 25-minute discussion.


Lessons Learned from New York’s Second Cybersecurity Action

The New York Department of Financial Services (NYDFS) has announced its second regulatory enforcement action against a regulated entity (a New York licensed mortgage banker and loan servicer) for violating NYDFS’s Cybersecurity Regulations. The action involved the mortgage banker’s failure to report a data breach – a breach caused by an employee overriding the company’s multi-factor authentication (MFA) protocol – enabling intruder access. The company agreed to pay a $1.5 million fine and take several actions to bolster its cyber risk and assessment practices.

The unusual data breach, detailed in the Consent Order between the NYDFS and mortgage banker, highlights the need for companies to use more advanced, creative and multi-layered training to prevent their personnel from opening the door to outside intrusions.

The data breach started with a phishing email to an employee who routinely collects large amounts of sensitive personal data from mortgage applicants. The email – which appeared to be from a business partner – directed the employee to a malicious website that asked for a username and password, which the employee provided. The data breach still could have been avoided, however, because the company utilized MFA, which required the employee to respond affirmatively to an alert on her smartphone. The employee provided the secondary authentication – and did so four times that evening after she left work – each time allowing access to her email files. After a fifth attempt the following day, the employee reported the incident.

An internal investigation by the company confirmed the unauthorized access, which it blocked, but that was it. The company did not investigate further, did not ascertain whether customer information had been compromised, and did not report the incident to outside authorities or the NYDFS. Additionally, the breach was not included in the next Certification of Compliance filed by the company’s Chief Information Security Officer with the NYDFS. The NYDFS discovered the breach during a routine cybersecurity investigation of the company. The examination also revealed that the company didn’t have a comprehensive cybersecurity risk assessment, which is required by the Cybersecurity Regulations.

This cautionary tale shows the importance of having training practices that are frequent and varied. Breaches cannot be prevented solely through software security, MFA, company protocols and basic personnel training. The company in this instance did have many protocols, such as MFA, and required network access through Active Directory with strong, complex passwords. The company utilized both anti-virus and end-point protection software on end-user devices, and automated detection rules were in place for transmission of private consumer data, like social security numbers, and for the automatic blocking of e-mail redirects by unauthorized actors. Still, none of these protocols were able to prevent this data breach.

Companies will need to be more creative with their training techniques and double down on the frequency of training exercises, adding incentives and disincentives throughout. More advanced training is crucial, as hackers become more sophisticated in the ways they attempt to trick users into overriding security protocols. Companies may also need to install automatic warning and filtering systems that identify phishing emails before they reach end users and implement IP address filtering systems to block access from suspicious locations. Companies might further consider employing systems that detect anomalies or changes in employees’ normal use patterns (e.g., after-hours access) and issue alerts when such anomalies are detected.

As the instant case demonstrates, however, a well-trained and vigilant work force, at all levels of an organization, will continue to be a crucial line of defense.

For more information about best practices related to the NYDFS Cybersecurity Regulations, see our prior Client Alert.


Conversations about Banking: An Interview with Jon Winick

This month we continue our “Conversations about Banking” series. The series will consist of video conversations with leaders and influencers in the banking industry about topics of current interest. We hope you will enjoy and find benefit in this new aspect of BankBCLP.

In this session of Conversations about Banking, Jim McAlpin speaks with Jon Winick, CEO of Chicago-based Clark Street Capital. Jon is also the editor and main contributor to the BAN Reports, a widely read banking industry newsletter. During our conversation, Jon shares his candid observations on a wide range of trends and developments impacting the financial services industry. This is a quick-paced and entertaining 30-minute video discussion.


Conversations about Banking: An Interview with Bill Easterlin

This month we continue our “Conversations about Banking” series. The series will consist of video conversations with leaders and influencers in the banking industry about topics of current interest. We hope you will enjoy and find benefit in this new aspect of BankBCLP.

In this second installment of our new “Conversations about Banking” series, Banking group partner Jim McAlpin speaks with Bill Easterlin, CEO and President of Queensborough National Bank & Trust Co. Bill is the fourth-generation leader of a $1.5 billion family-owned bank in eastern Georgia.


Stimulus Bill Creates Second Draw PPP Loans

On December 27, 2020, President Trump signed the 2021 Consolidated Appropriations Act, which also contained the latest stimulus relief bill. Part of that bill was the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act, which made changes to all Paycheck Protection Program (PPP) loans, re-opened the PPP program for new loans, and allowed certain borrowers to obtain a second PPP loan.

This post specifically looks at the changes implemented by the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act (the “Act”) that affect new PPP borrowers. The changes previously discussed that will affect all PPP borrowers will also generally affect Second Draw PPP loans, and the changes previously discussed that only affect new PPP loans will also generally apply. The discussion below is based on the text of the Act, and may be further modified or clarified by subsequent regulations or guidance.

Ability to Apply for a Second PPP Loan. While the CARES Act originally limited eligible small businesses to one PPP loan, Section 311 of the Act creates a new opportunity for certain PPP borrowers (including those that received a PPP loan in 2020 or that will receive a new PPP loan in 2021) to apply for one additional PPP loan, a so-called “second draw” loan. In order to apply for a second draw loan, the PPP borrower will need to have utilized 100% of their prior PPP loan prior to distribution of the second draw loan. This requirement should presumably not be particularly burdensome for those that obtained their PPP loan in 2020, but may limit the ability of new PPP borrowers to obtain both a PPP loan and a second draw PPP loan in 2021.

The Act provides for up to $259 billion for second draw PPP loans, with $25 billion set aside for second draw PPP loans to entities with no more than 10 employees (in individual loan amounts not to exceed $250,000 and made to an entity in a low or moderate income neighborhood). Second draw PPP loans are to be available through March 31, 2021.

Eligibility – Number of Employees. In order to be eligible for a second draw loan, the small business may have no more than 300 employees (down from 500 employees for general PPP loan eligibility). Based on the language in the Act, it appears that the other means of eligibility for a small business to have qualified for a PPP loan, namely the revenue standards or the alternative size standard, will not be available to qualify for a second draw loan.

Eligibility – Revenue Decline. Unlike a primary PPP loan, eligibility for a second draw PPP loan is also conditioned on specific evidence that the business has been harmed by the pandemic. Specifically, to be eligible for a second draw loan, a small business will need to show that gross receipts during at least one quarter in 2021 were down at least 25% from the comparable 2019 quarter. The Act provides that for loans up to $150,000, borrowers may merely certify that they meet this revenue standard, but would then be required to provide supporting documentation before applying for forgiveness.

Loan Size. Like the primary PPP loan, the size of the loan is generally set to be an amount equal to 2.5 times monthly payroll costs; however, the maximum size of a second draw PPP loan will be $2 million. (As over 995 of the original PPP loans were for $2 million or less, this small size cap should not affect most borrowers.) In addition, the Act provides that small businesses that are classified under NAICS 72 code (generally those in the accommodation and food services sector) are eligible for a larger PPP loan, namely up to 3.5 times their monthly payroll costs (but still capped at $2 million).


Stimulus Bill Changes to New PPP Loans

On December 27, 2020, President Trump signed the 2021 Consolidated Appropriations Act, which also contained the latest stimulus relief bill. Part of that bill was the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act, which made changes to all Paycheck Protection Program (PPP) loans, re-opened the PPP program for new loans, and allowed certain borrowers to obtain a second PPP loan.

This post specifically looks at the changes implemented by the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act (the “Act”) that affect new PPP borrowers. The changes previously discussed that will affect all PPP borrowers will also affect new borrowers. The changes below only affect new PPP borrowers, and do not affect existing outstanding PPP loans. The changes below are based on the text of the Act, and may be further modified or clarified by subsequent regulations or guidance.

Applications Re-Opened through March 31, 2021. The Act authorizes a renewed opportunity for eligible small businesses to apply for a PPP loan. The Act authorizes up to $259 billion in new PPP loans, although some of that money could also be utilized for second draw PPP loans. The prior authorization for new PPP loans ended on August 8, 2020. The terms of these new (first) PPP loans remain essentially the same… up to $10 million, based on monthly payroll costs, with a cap of $20 million for any affiliated corporate group. Eligibility is also generally unchanged: less than 500 employees and ability to certify that due to economic uncertainty the PPP loan is necessary.

Public Companies Ineligible. If a company has securities listed on an exchange registered with the SEC, then it is ineligible for a covered loan on or after December 27, 2020.

Expanded Non-Profit Eligibility. Section 318 of the Act slightly expands eligibility for non-profit entities to include 501(c)(6) and “destination marketing organizations.”
