Financial Services Law

Trump Election May Dramatically Change Landscape for Financial Institutions

By Joseph G. Passaic, Jr. | Craig D. Miller

Republicans retain the House and Senate and Donald Trump wins the presidential election, providing a Republican sweep of all the elected branches of the federal government. At this moment, it is unclear and uncertain what the election results will mean long term for U.S. financial institutions. However, the win will likely embolden the Republicans to continue to aggressively pursue deregulation led by Congressman Jeb Hensarling (R - Texas), Chairman of the powerful House Financial Services Committee, and his efforts to roll back onerous provisions of Dodd-Frank, including potential elimination of the Volcker Rule and exempting community and regional banks from being required to comply with a stringent regulatory regime.

While banks may have thought that Hillary Clinton would hopefully preserve the status quo and market stability, she had laid out a very aggressive increased regulatory plan aimed at more bank regulation and scrutiny. President-Elect Trump, on the other hand, has indicated that Dodd-Frank should be repealed because increased regulation has adversely impacted the banks’ ability to lend and thereby impeded job growth. It is also conceivable that the combined Congress and Trump presidency may seek to curtail the powers of the CFPB or eliminate it in its entirety. At the very least, we expect President-elect Trump may announce his candidate to replace the current CFPB director soon.

President-Elect Trump stated publicly that he would limit the powers of the Federal Reserve and seek to authorize the Congress with oversight authority over the Federal Reserve and its decisionmaking process. Contrary to the Republicans’ call for regulatory reform, President-Elect Trump expressed support for the restoration of the Glass-Steagall Act (Glass-Steagall). This obviously would require an Act of Congress and more regulation. There is no way to know at this time whether Glass-Steagall will be on his agenda with a Republican Congress. Until Trump lays out his economic plan, legislation plan and tax policies, the high degree of uncertainty surrounding the impact on financial institutions of his upset election will continue well into 2017 even for those in the know inside the Beltway.

Once Trump’s victory was declared, the global markets initially reacted negatively and were highly volatile, presumably because of his announced policies relating to trade and future international and cross-border relationships. The U.S. markets on the day after the election have risen sharply and the dollar has rallied. However, until there is clarity on Trump’s positions relating to the financial sector (not unlike what is happening in the U.K. with the political aftermath of Brexit), uncertainty will continue and investors will be in a risk-averse mode. Bank stocks, on the other hand, rallied the day after the election on hopes that the Congress and Trump will finally adopt broad deregulation measures benefiting financial institutions and making them more appealing to bank investors.

As a result, the early stages of a Trump presidency will likely have an adverse effect on capital market transactions and merger and acquisition transactions, particularly for financial institutions, as investors will likely be sitting on the sidelines. Moreover, bank buyers that were currently in the market looking for acquisition opportunities may put their plans on hold for the short term until there is clarity on Trump policies toward financial institutions as well as political and market stabilization. However, the strong possibility of deregulation may outweigh the uncertainties, and banks will become more attractive again possibly making it easier to raise capital and complete transactions on a timely basis without undue regulatory burden.

If regulatory relief for banks becomes a reality, there may be a resurgence of new community banks unfettered by overregulation and significant compliance costs. Existing community banks given regulatory relief would also have the option of remaining independent. In addition, regulatory relaxation could result in a resurgence of de novo charter applications from potential bank organizers that see a greater opportunity in starting fresh than they may have seen prior to the election results.

For public companies, regulatory relief could result in the elimination of disclosure obligations, including pay-ratio and hedging disclosures, and repealing of requirements related to incentive compensation and clawbacks.

Much is rather unpredictable and uncertain at this time. We anticipate that during the transition period to the new presidency, as nominees are proposed for various key cabinet posts, and within the first six months of the administration, there will be further guidance on the impact of the new regime on financial institutions. We will provide further updates as matters unfold.

OCC Embraces "Responsible Innovation" With New Office, Framework

The Office of the Comptroller of the Currency (OCC) announced plans to establish an office dedicated to responsible innovation, accompanied by a formal framework to "improve the agency's ability to identify, understand, and respond to financial innovation affecting the federal banking system."

What happened

Traditional banking business models have been challenged by technological advances and evolving consumer preferences, which are reshaping the financial services industry at an accelerated pace, the agency explained. To support the ability of national banks and federal savings associations to fulfill their role of providing financial services to consumers, businesses, and their communities, the OCC elected to embrace "responsible innovation."

Defining the term as "[t]he use of new or improved financial products, services, and processes to meet the evolving needs of consumers, businesses, and communities in a manner consistent with sound risk management and aligned with the bank's overall business strategy," the OCC began the process with a working group, meetings with industry stakeholders and other regulators, as well as focus groups. In March, the agency published a white paper, requesting comments on its proposed plans.

The decision was made to develop a framework to support responsible innovation and create an Office of Innovation to implement the framework. The Office will provide both internal and external visibility; serve as a central point of contact and facilitate responses to inquiries and requests; conduct outreach and provide technical assistance; enhance awareness, culture and education; monitor the evolving financial services landscape; and collaborate with domestic and international regulators.

While commenters generally favored such an Office, they objected to an entity that would result in "another regulatory hurdle or silo," the OCC noted. The Office itself will be located at OCC headquarters in Washington, D.C., headed by a Chief Innovation Officer. Other members of the staff will include an Innovation Technician and a "small number" of Innovation fellows, some located in financial technology hubs such as New York City and San Francisco.

The framework to be effectuated by the staff members contained five areas, the OCC said: Outreach and Technical Assistance; Awareness and Training; Coordination and Facilitation; Research; and Interagency Collaboration.

For "a robust program of outreach and technical assistance to maintain agency awareness of innovation trends and activities and support banks and fintechs in their pursuit of responsible innovation affecting the federal banking system," the Office will engage in an ongoing dialogue with all stakeholders to stay abreast of current trends and developments.

Dialogue will not be limited to banks, the agency noted, with outreach to nonbanks and third parties as well, including technical assistance such as creating resource material on regulatory principles, processes, and expectations and designing "rules of the road" material for nonbanks. "Office hours" and other meetings will also be encouraged to provide both banks and fintechs with meaningful information about how to "effectively and responsibly" engage in innovation, the OCC added.

The second element of the framework will find the agency conducting awareness and training activities. An Innovation Networking Group, an internal web page with information for OCC staff, and new materials that describe the fundamentals of emerging products, services, processes, and technology will all be included as part of an effort to broaden and increase OCC expertise in areas related to innovation. The agency will also look to recruit individuals with a broader variety of skills in areas such as engineering, advanced information technology, systems development, cybersecurity, statistics, and mathematical modeling.

To encourage coordination and facilitation, the OCC pledged to improve the timeliness and transparency of its decision making, noting that failures in these areas were common criticisms found in comments. Furthermore, the Office will establish specific response and disposition expectations for innovation inquiries and requests, including communication standards and plans to use a standard workflow to manage inquiries and requests for new products, processes, and services.

In addition, the Office will develop and implement an optional program for OCC participation in bank-run pilots, a move praised by commenters. Further development to create this "sandbox" or "safe space" for experimentation will follow, the agency said.

The Office will also stay attuned to changes in the industry by conducting industry innovation research and promoting interagency collaboration, leveraging existing channels (a relationship with the Consumer Financial Protection Bureau, for example).

To read the OCC's Innovation Framework recommendations and decisions, click here.

Why it matters

The agency expects to have the new Office up and running in the first quarter of 2017. The real test of the efficacy of the Office will depend on its ability to be innovative and flexible in responding to new proposals and business models. "The OCC supports responsible innovation that enhances the safety and soundness of the federal banking system, treats customers fairly, and promotes financial inclusion," OCC Comptroller Thomas J. Curry said in a statement. "By establishing an Office of Innovation, we are ensuring that institutions with federal charters have a regulatory framework that is receptive to responsible innovation and the supervision that supports it." The agency also noted that consideration of granting a special purpose national bank charter to nonbank financial technology companies continues, with no determination yet, as well as a plan to publish a paper later in 2016 "discussing the issues associated with establishing a special purpose charter and seeking comment on the topic."

Federal Regulators Seek Comments on Proposed Cybersecurity Rulemaking

The Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) released a joint Advanced Notice of Proposed Rulemaking addressing enhanced cybersecurity standards for financial institutions and third parties that provide services for banks.

What happened

Anticipating that a cyber event at a major, interconnected financial institution could have a ripple effect on other markets beyond the targeted bank, the three federal banking regulators outlined the framework for new Enhanced Cyber Risk Management Standards and sought public comments in anticipation of proposed rulemaking.

The regulators' joint Advanced Notice of Proposed Rulemaking (ANPR) anticipates that banks with $50 billion or more in assets, Fed-supervised nonbank financial companies, financial market infrastructures and financial market utilities, and third parties who provide services to such companies would be required to develop and implement a written cyber risk management strategy encompassing five categories of cyber standards. The ANPR anticipates that community banks with less than $50 million in assets would not be subject to the new rules, but would continue to be subject to existing guidance and standards for the provision of banking services by third parties.

The regulators proposed five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

The cyber risk governance standards would emphasize that cyber risk management is an enterprise-wide strategy and that cyber risk policies would require the approval of the board of directors or an appropriate committee. Senior management would be accountable "for establishing and implementing appropriate policies consistent with the strategy." Officers with cybersecurity responsibility should have independent access to the board of directors.

Cyber risk management should be integrated into the responsibilities of at least three independent functions (the business unit, independent risk management, and the audit function), according to the ANPR, while internal dependency management should ensure that covered entities identify and manage cyber risks associated with the business assets they depend upon to deliver services.

External dependency management standards would mandate that relationships with external organizations and service providers—vendors and customers, for example—must be evaluated to identify and manage cyber risks, with an eye towards the information flow and interconnections between the parties.

Finally, covered entities would have to ensure that their strategy addresses incident response, cyber resilience, and situational awareness, with plans on how to respond to, contain, and rapidly recover from disruptions caused by cyber events, including preserving data integrity and maintaining operations during cyberattacks.

The regulators anticipate more stringent requirements for systems that are designated "critical to the financial sector," where covered entities would be required to implement the "most effective, commercially available controls" and tasked with the ability to substantially mitigate the risk of a disruption or failure due to a cyber event.

The regulators seek comments on the criteria that the agencies should use to identify the systems critical to the financial sector, whether the agencies should consider broadening or narrowing the scope of entities to which the proposed standards would apply, and how well the proposed standards for incident response, cyber resilience, and situational awareness address the safety and soundness of individual financial institutions, among other questions.

To read the ANPR, click here.

Why it matters

At a time when financial institutions are already facing greater regulatory compliance burdens and increasing costs as they strive to enhance the security of their IT systems, imposing additional regulatory standards will further increase the pressure on financial institutions as they strive to meet the expectations of the Federal Reserve, FDIC, and OCC with respect to prevention and resiliency.

Comments will be accepted on the ANPR until January 17, 2017.

FinCEN: Cyber Events Should Be Reported via SARs

The Financial Crimes Enforcement Network (FinCEN) reminded banks that they are required to report cyber-enabled crime and cyber events just like any other suspicious activity.

What happened

Observing that financial institutions can play an important role in protecting the U.S. financial system from cybercriminals, FinCEN reminded banks that the obligation to file suspicious activity reports (SARs) extends to cyber events that are security threats.

For purposes of the advisory, FinCEN defined a "cyber event" as "an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information," and a "cyber-enabled crime" as "illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers."

FinCEN and law enforcement "regularly" use information reported by financial institutions pursuant to the Bank Secrecy Act (BSA), the advisory noted, with SARs from banks providing "a valuable source of investigatory leads" to track criminals, identify victims, and trace illicit funds.

The agency reminded financial institutions of regulatory expectations with regard to cyber events and the BSA.

"A financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets," FinCEN wrote. "If a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions."

When deciding whether to report a cyber event, a financial institution should consider the totality of the circumstances, including all available information surrounding the event, its nature, and the data and systems targeted, the advisory explained.

Other cyber-related SAR-filing obligations may also be triggered by a cyber event, FinCEN noted, such as reports to other regulators like the Office of the Comptroller of the Currency or the Board of Governors of the Federal Reserve System.

The advisory offered examples of situations where SAR reporting of cyber events is mandatory. In one hypothetical, a malware intrusion by cybercriminals gained access to the bank's systems and information. The bank later determined that the event put $500,000 of customer funds at risk based on the systems and/or information targeted, leading the bank to reasonably suspect the intrusion was in part intended to enable the perpetrators to conduct unauthorized transactions using customers' funds.

In this situation, the bank would be required to file a SAR, FinCEN said. Although no actual transaction occurred, the circumstances of the cyber event and the systems and information targeted could reasonably lead the financial institution to suspect that the event was intended to be part of an attempt to conduct, facilitate, or effect an unauthorized transaction or series of unauthorized transactions aggregating or involving at least $5,000 in funds or assets.

In addition to the mandatory reporting obligations, the agency encouraged financial institutions "to report egregious, significant, or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR."

A bank that has been the target of a distributed denial of service (DDoS) attack that disrupted a financial institution's website and disabled the institution's online banking services for a significant period of time, for example, should consider filing a SAR "because the attack caused online banking disruptions that were particularly damaging to the institution," FinCEN wrote. "SAR reporting of cyber-events, even those that may not meet mandatory SAR-filing requirements, is highly valuable in law enforcement investigations."

Financial institutions should include all available cyber-related information in a SAR, the agency said, from IP addresses with time stamps to virtual wallet information and device identifiers. Other important data highlighted by the advisory: a description and magnitude of the event; known or suspected time, location, and characteristics or signatures of the event; indicators of compromise; methodologies used; and any other information the institution believes is relevant.

FinCEN also urged collaboration between cybersecurity and BSA units within a financial institution, which could reveal additional patterns of suspicious behavior and identify suspects not previously known, as well as information sharing between financial institutions, with banks working together to identify threats, vulnerabilities, and criminals.

"By sharing information with one another, financial institutions may gain a more comprehensive and accurate picture of possible threats, allowing for more precise decision making in risk mitigation strategies," according to the advisory, which noted that banks are protected by a safe harbor under Section 314(b) of the USA PATRIOT Act for voluntarily sharing information for the purpose of identifying and reporting potential money laundering or terrorist activities.

To read FIN-2016-A005, click here.

Why it matters

The advisory provided an important reminder for financial institutions of their obligations to report cyber events pursuant to the BSA. FinCEN also encouraged banks to report other cyber-enabled crime even when the activity does not require the filing of a SAR as well as share information both internally and with other financial institutions.

Jurors Hit Failed Bank Directors With $5M Verdict

A federal jury in Georgia awarded almost $5 million to the Federal Deposit Insurance Corporation (FDIC) in one of the few suits against the directors of a failed bank that made it all the way to trial.

What happened

Buckhead Community Bank failed in December 2009. In 2012, the FDIC filed a civil action in Georgia federal court as receiver of the failed bank against nine of the former directors and officers. The agency alleged claims for negligence and gross negligence, asserting that the defendants engaged in "numerous, repeated, and obvious breaches and violations of the Bank's Loan Policy, underwriting requirements and banking regulations, and prudent and sound banking practices."

The FDIC highlighted a total of 13 loans and loan participations that demonstrated the defendants' illegal behavior that the agency said caused the bank damages in excess of $21.8 million.

The case immediately made headlines, in part due to the defendants' high profiles in the community but also because new law developed as a result. As part of the pretrial proceedings, the defendants argued that the business judgment rule insulated them from liability for merely negligent acts—an issue that took the case all the way to the state's highest court.

In July 2014, the Georgia Supreme Court upheld the validity of the business judgment rule in the state while leaving the door open for some negligence claims. State statute has not overruled the business judgment rule—enshrined in state case law since 1913—but negligence claims alleging that directors or officers made decisions without deliberation or the requisite due diligence, or in bad faith, could be actionable, the court said.

Trial began on October 12 against nine of the defendants, with the number of challenged loans down to ten. The FDIC told jurors that as a group, the defendants owned 30 percent of the bank's outstanding shares and were motivated solely by profit. As a result, the FDIC lawyer argued, the defendants signed off on risky loans in violation of state and federal banking regulations, prudent banking practices, and their own bank policies.

Counsel for the defendants countered that the jury would be presented with no evidence of fraud or self-dealing, with the defendants guilty of one fault: failing to predict the future.

After two weeks of trial, the jury rendered a mixed verdict. Jurors found in favor of the defendants on six of the loans and found some of the defendants liable for some of the other four loans, with a total liability of $4,986,993.

To read the verdict form in FDIC v. Loudermilk, click here.

Why it matters

The case against the Buckhead Community Bank directors and officers was one of very few against failed banks that the FDIC did not settle and one of only two that actually went to trial and resulted in a verdict. (The other case yielded a $168.8 million verdict against former directors and officers of the California-based IndyMac Bank in December 2012.)
