Bank Lawyer's Blog

FDIC: Bring Me Your Tired, Your Poor, Your Huddled De Novos, Yearing To Be Free

2016-04-10T21:50:00-05:00

Last week, FDIC Chairman Martin Greunberg announced that the FDIC was rescinding a policy that it instituted during the depths of the last recession, of requiring heightened scrutiny of de novo banks during their first eight years of existence, and was returning to the policy of the "good old days," when new banks suffered life under an regulatory electron microscope for only three years. Gruenberg claims that "the FDIC welcomes applications for deposit insurance, and we clearly have a role to play in facilitating the establishment of new institutions." He also claimed that the reason that de novo applications have slowed to "a trickle" since the start of the Great Recession is because of economic factors, not a real or imagined FDIC moratorium on insurance of accounts for de novo banks.

I should note that establishing even a small community bank is a challenging endeavor. Developing a sound business plan, raising the needed financial resources and recruiting competent leadership and staff takes work and we want to ensure that every new institution that is established is in a position to succeed.

But we are very committed to working with and providing support to any group with an interest in starting a community bank. To that end, we are developing a handbook to guide applicants through the review process.

There is ample room for new community banks with sound funding and well conceived business plans to serve their local markets. It is essential that they have a clear path to approval.

This all sounds well and good on the surface. However, I'm with attorney Charles Horn who, writing in the National Law Journal, indicates that he is, like me, from Missouri on this matter.

That said, the dearth in new deposit insurance approvals in recent years has, to some extent, become a self-fulfilling prophecy in that a perceived FDIC reluctance to approve new deposit insurance applications has helped suppress industry interest in establishing new banks. Chairman Gruenberg is correct, in part, in attributing the decline in deposit insurance applications to post-financial crisis economic conditions. At the same time, experience has shown us that persons wanting to organize a new insured depository institution have been discouraged by the FDIC’s failure to approve more than a small handful of new deposit insurance applications in the past few years (none so far in 2016, two in 2015, none in 2014, three in 2011, and two in 2010, according to the FDIC’s website).

While we state the obvious in saying that the best way for the FDIC to encourage the formation of new banks is to approve more deposit insurance applications, the point here is that it is actions—not words—that will speak the loudest on this subject.

There is no question that these are still difficult times to make money in the community banking business, no matter how much lipstick Gruenberg paints on the lips of the community banking business in the course of his address (and he lathers it on in rosy red hues in the linked article). A good portion of that difficulty is due to the small interest rate spreads and low interest rates imposed by the Federal Reserve's policies over the past nine years, which, as of today, seem rooted in place. Nevertheless, as the Federal Reserve's own economists have noted, the dearth of de novos is also due to the regulatory burdens placed on the small banks by the FDIC, FRB, and OCC. Greunberg does state that a "gentler approach" and "tiered regulation" are on the way. If true, this relief will be welcome.

We'll have to wait and see whether this promise of more de novos is true or false. As we noted just a few months ago, even those applicants who have weathered the storm and made it over the finish line have painted a grim picture of the time and expense required, as well as of much higher capital requirements (which means reduced return on equity). If organizers expect to pay consultants and attorneys hundreds of thousands of dollars to assist them in raising capital, creating extensive business plans, and preparing detailed applications for insurance of accounts, I think that they want to feel more confident that they will have a decent shot at approval.

As Horn observes, in this area, actions will speak louder than words.

Stressing Stress Testing

2016-03-13T21:29:00-05:00

A recent White Paper from the consulting firm Invictus discusses what those of us who represent community banks have been aware of for some time now: the requirements for "stress tests" that were supposed to apply only to those "Too Big To Fail" banks are "trickling down" to community banks. The buzzwords that apply to banks both large and small are "forward-looking risk analytics." While Invictus notes that bank regulators initially publicly stated that stress testing was only for the Big Guys, their actions belied their words (or, they simply changed their minds).

Regulatory actions in the waning months of 2015 should serve as notice that ignoring forward-looking analytics will lead to lower CAMELS scores, more examiner scrutiny and higher regulatory capital requirements. The new current expected credit loss model (CECL), which is expected early in 2016, is also a forward-looking tool.

Behind the scenes, however, regulators began changing their own methods for examining community banks, relying more and more on forward-looking analytics. In recent months, with signs that community banks are again accumulating higher concentrations of risky commercial real estate loans, regulators are reminding community banks that stress testing is indeed required to manage concentration risk in their portfolios and to develop realistic scenarios for interest rate risk management.
Regulatory actions in the waning months of 2015 should serve as notice that ignoring forward-looking analytics will lead to lower CAMELS scores, more examiner scrutiny and higher regulatory capital requirements. The new current expected credit loss model (CECL), which is expected early in 2016, is also a forward-looking tool.
The large banks have already adopted forward-looking risk analytics and are using the results with regulators. Although community banks are not subjected to the same stress testing requirements as the large banks, the regulatory trend is in the same direction. Those community banks that fail to incorporate new analytics into their risk management systems will find it difficult to communicate effectively with regulators.

The White Paper traces recent public issuances by the FDIC, FRB, and OCC in this direction. A specific red flag is the December 2015 joint agency guidance on CRE concentrations. Those of us who represented community banks and their directors in the aftermath of the last meltdown, when commercial real estate brought a number of community banks to grief, took special note of that guidance. It's "guidance" in the same way vendor management guidance is merely "guidance." Try violating it and see how "sticky" the wicket gets. You'll be up to your eyeballs in MRAs on the your next report of examination...or worse.

Even if you thinkl your CRE isn't all that "concentrated," Invictus thinks that you ought to seriously consider hoping on this forward-looking train.

Even if your bank doesn’t have CRE concentrations, use forward-looking risk analytics to stress test your capital, your strategic plans and any potential acquisition you might be considering. Present the results to regulators. Invictus’ clients that have used stress testing results with examiners have seen their capital requirements decrease, their management piece of their CAMELS composite increase, and their strategic plans win fast regulatory approval.

At the very least, it's worth pausing for a moment and, while you stoop to smell the roses, thinking about whether you might benefit from this approach (if you haven't already adopted it).

Trickle Down Guidance

2016-02-21T21:30:00-06:00

From the FDIC's Office of Inspector General comes an interesting little tale that may have slipped by your attention while you and the family were reveling in the latest bloviations from the walking, talking hairdo that is THE GREATEST SHOW ON EARTH, I PROMISE YOU!!!

The entire incident was triggered by a false alarm about a possible security breach of a third party service provider (TSP) that turned out to be some pesky adware. However, the FDIC IG, operating on the premise that no (non)crisis should ever go to waste, used its investigation of the incident to uncover sloppy security breach incident response policies and procedures by all concerned, including not only the bank and TSP, but by the FDIC's own Risk Management Supervision field office (RMS) as well.

The entire "Case Study" by the IG is less than two pages long, so I won't reiterate it in detail. However, I will use it to bleat about a couple of additional points of my own. The first concerns the application of the FFIEC Interagency Guidelines Establishing Information Security Standards to TSPs.

The Case Study observes:

The InteragencyGuidelines require FIs to develop and implement a risk-based response program to address incidents of unauthorized access to customer information. The Interagency Guidelines also provide that FIs’contractual arrangements shall require that TSPs implement appropriate measures to meet the Interagency Guidelines objectives.

I recently had a TSP respond to a financial institution's request that its agreement for technology services with the TSP (which services would give the TSP access to nonpublic personal information (NPI) of the bank's customers) contain a provision pursuant to which the TSP agreed to protect the security of the NPI with the brilliant argument that the TSP was not a financial institution and, therefore, was not required to comply with the Interagency Gudelines. I not-so-patiently relied that the Guidelines "recommended" that my client make them apply to the TSP via a contractual provision and, since my client took such "recommendation" seriously and incorporated such a requirement into its vendor management policy, if the TSP wanted to do business with the financial institution, its could either agree to the provision or not do business with the institution. The TSP's business people conceded the point and it added a provision to the agreement designed to meet this requirement.

This seems like a fairly common requirement, yet the TSP was a technology service provider that does a lot of work with banks. In the course of the discussion on this point, it was evident that if the vendor's representatives were telling the truth (I accepted their assertions at face value, since it did not alter my client's position whether or not they were truthful), we were the only bank to ever ask for this provision. If that is correct, then the regulators need to be a lot more diligent in their vendor management reviews, because there are a lot of agreements with this TSP that don't comply with the "recommendations" of the Interagency Guidelines. On the other hand, it was the TSP's lawyer putting forth this position, so maybe it was a bald-faced lie.

The IG's Case Study also noted that "[t]he Interagency Guidelines The federal banking agencies, including the FDIC, conduct periodic information technology (IT) examinations at FIs and their TSPs." Other regulatory guidance, such OCC Bulletin 2013-29, "recommends" that financial institutions place in their agreements with TSPs an acknowledgment by the TSP that such examinations are permitted and that the TSP will cooperate in the conduct of the same. I have always considered this a "belt-and-suspenders" approach, designed to ward off unnecessary delay, since the Bank Service Company Act gives the federal bank regulators this power to examine third party service providers. On the other hand, I have had a contract negotiator for one of the country's largest technology service providers tell me that their attorneys have taken the position that the law does not require the TSP to allow the bank's regulator to conduct such an examination. The TSP only permitted them out of the goodness of its heart, I suppose. Regardless, the agreement with the TSP should always have a provision that requires that the TSP to permit, and to provide reasonable cooperation in connection with, such examinations.

A final few nuggets I gleaned from the Case Study: (1) a contract with a TSP needs to require full cooperation with the financial institution in the event of security breach and other provisions that are designed to permit the financial institution to be able to meet its obligations the recommendations under another set of guidelines, the Interagency Guidance on Response Programs for Security Breaches; (2) as part of their initial and ongoing due diligence and monitoring of technology services providers, institutions would be well-advised not to neglect the TSP's security breach incident response programs, and make sure that the TSP complies with "cybersecurity best practices;" and (3) just as the bank has a regulator looking over its shoulder and second-guessing it, so does the regulator. I'm not claiming that this is necessarily a bad thing, but you wonder how much of the effort in this area is directed toward placating Monday Morning Quarterbacks.

Rent-a-Charter vs. Strategic Alliance

2016-02-15T21:58:00-06:00

In June 2004, I wrote a post about schemes by non-bank lenders, especially payday lenders, to "partner" with banks and thrifts in ways that would allow the non-banks to use the bank's or thrift's status to "preemept" "inconvenient state laws, such as those pesky usury limits. As I said at the time:

Apparently, the state-chartered banks involved in this practice are counting on the continued lack of objection by the FDIC, and the continued sympathy of state banking regulators who are eager to increase the number of state-chartered institutions that they regulate. In my opinion, this is a risky course.

I also pointed out at the time that national banks and federal savings banks could rest assured that their primary federal regulator would be scrutinizing their business arrangements with non-banks like Elizabeth Warren looking under her bed every night for a bad banker looking to steal all the cash she has hidden in the sock that she keeps under her pillow.

According to a recent client alert from Chapman and Cutler LLP, this bad old idea not only refuses to die, but has engendered state officials to take action to stop it in its tracks. While the alert discusses the State of Pennsylvania going after payday lenders who've aligned themselves with Native American tribes (which has been a problematic marriage for quite some time), it has wider implications for similar arrangements. In this instance, the Commonwealth of Pennsylvania alleged that the "true lender" for regulatory purposes was not a bank in Delaware that would have been exempt from Pennsylvania usury limits and licensing requirements but the non-bank website "originator" that did most of the origination work and derived most of the economic benefits from the loans. The authors note that in other jurisdictions, the court decisions have not been in lockstep on the issue of preemption, arrangements like the one challenged here are likely always to put the lenders in the regulatory crosshairs.

No clear rule has emerged although regulatory challenges almost certainly are more likely to be made when excessive interest rates and/or abusive sales or collection practices are involved. In this case, the loans imposed interest rates of 200% to 300%.

The alert notes that even though the court's decision involved only a motion to dismiss Pennsylvania's action, and that is a long way from a judgment on the merits, the red flags for financial institutions involved in such relationships are clear "because it demonstrates that plaintiffs will continue to raise the “true lender” theory and courts will not necessarily dismiss at an early stage (for failure to state a claim upon relief can be granted) “true lender” claims solely because a bank is the named lender on the loans, at least where there are allegations that the originating bank does not have substantive duties or an economic interest in the program."

In order to mitigate the risk of claims based on the “true lender” doctrine, companies that engage in internet-based lending programs through an arrangement with one or more banks should consider how the programs are structured. For example, consideration should be given to operations where the bank has substantive duties and/or an economic interest in the program or loans. We are aware that some internet-based lending programs are considering structural changes of this nature.

The firm also advises institutions to make certain that they comply with regulatory guidance governing relationships with service providers. They cite FIL-9-2016 and related FDIC guidance. I'd also suggest taking a look at the OCC's Bulletin 2013-29.

Or, for a change of pace, a bank considering one of these schemes might decide to take its entire capital to The Bellagio in Vegas, walk up to nearest roulette wheel, and lay it all on "00." I mean, if you like dancing along the razor's edge with insured deposits, you might as well go all-in. Plus, you get free booze as long as your money lasts. To hedge your bet, you might want to hold back enough to buy a one-way ticket to Havana (regular flights from the States start soon) just in case that method of income-generation doesn't work out as well as a strategic alliance with a non-bank payday lender.

De Novo Deep Freeze Thawing? Not So Fast!

2016-01-31T21:54:00-06:00

Although SNL's Nathan Stovall tantalizes readers with the headline "De novo market could be warming up," I think that--reading between the lines--the De Novo Deep Freeze of the past 8 years is not going to be thawing this year.

Stovall cites the recent de novo charter approval of California's Core Commercial Bank. However, that bank's investment adviser's CEO, Edward Carpenter, while stating his belief that "you can expect to see more applications in the relatively near future," warns that the path to approval of a de novo charter is a rocky one.

[T]he application process for de novos is "considerably more difficult" and requires much greater preparation now than before the credit crisis...

[...]

"We believe that a new bank requires more capital than it did in the past. It requires a stronger and deeper management team than it did in the past. And it needs to make a more persuasive case than was often made in the past about community need."

Core Commercial, like the two other most recent de novos, Pennsylvania's Bank of Bird-in-Hand and New Hampshire's Primary Bank, "plans to target a fairly narrow customer base as well, catering to small and medium-sized businesses that might feel disenfranchised by the nation's largest institutions." I assume that the geographic market area is also relatively focused, and that the applicants had to prove with more than lip service that the community was not being adequately served by existing financial institutions.

While Carpenter seems optimistic (and, I'm sure, stands ready to assist other potential clients with their de novo needs), others, including some regulators, are less pie-eyed.

Candace Franks, commissioner of the state banking department in Arkansas, acknowledged that de novo banking activity certainly slows during a recession, but said prior downturns have been followed by a "generous" era of de novo applications. She said that certainly hasn't been the case this time around. Franks, the immediate past chairman of the Conference of State Bank Supervisors, said the lack of de novo activity is "very concerning to us," particularly in rural areas like Arkansas, where community banks serve as the engine of small business activity.

Some observers have argued that regulators were hesitant to grant new charters since many banks that failed during the crisis were de novos formed in early 2000s. The Federal Reserve discussed the issue on a handful of occasions. Robert Mahalik, director of applications at the Federal Reserve Bank of Dallas, said at a conference in April 2014 that he saw no hint that new charter activity or approval would be on the near horizon.

Stoval also discusses other disincentives that may restrain a de novo deluge.

While regulators might be easy to blame for the dearth of de novos, Stevens noted that bankers have not painted a very attractive picture for parties considering entering the industry, often complaining about heightened regulatory burdens. Such rhetoric could serve as a deterrent to potential investors.

Some advisers say there simply are not many investors looking to form new banks. DD&F Consulting Group President Randy Dennis, who has helped launch a number of de novos in his career, said there is a whole new breed of investors that want to put money to work in the banking sector, but some are concerned they will not be able to receive regulatory approval. He further said the higher capital requirements facing de novo banks have limited investor interest.

[...]

...Tom Brown, longtime bank investor and CEO of Second Curve Capital LLC, said at a conference in mid-November that he understood why there is so little investor interest in forming a new bank charter. He believes the capital constraints on de novos make it difficult for investors to earn adequate returns on their capital.

"Who in their right mind would start a bank today? The FDIC requires $35 million in capital to start a bank. And no one can pencil out an annual rate of return on $35 million in the next five years, so you're not seeing new chartered banks," Brown said at the event.

Well, obviously the investors in Core Commercial, who we presume are not insane.

Noted bank attorney Walt Moeling of Bryan Cave also is cautiously optimistic. He thinks the prospects of additional de novo applications is "real," but that there numbers will be far less than in the past.

All the observers seem to agree that the application process will not be easy. The organizers will need to present a convincing case, based on hard data, of the need for the new institution. Capital will be king, and as Tom Brown asserts, the more capital required, the more difficult it is to earn a decent return on equity, especially when private investors have places to place their capital where the returns are larger, quicker. Management will also be critical, with both expertise and probity playing critical roles. Finally, the application process is likely top much more time-consuming and expensive than it ever has been.

And, of course, once the doors are opened, what you have is a community bank, trying to make money in a Post-Franken-Dodd world chock-full of Maxine Waters, Elizabeth Warrens, and other "progressive" ideologues who will look over your shoulder 24/7/365 to "guide" you on the path to righteousness, if not necessarily to profitability.

Clinton Promises to Fly Beyond Dodd-Frank

2015-12-13T21:52:00-06:00

Hillary Clinton, in trying to out-Warren Warren, is ensuring that many bankers, of whatever stripe, will have to take a moment to ponder what a Clinton presidency might mean for the entire banking business before pushing the lever for her in November 2016. Unlike many Republican candidates, who publicly promise to roll back Dodd-Frank's more onerous provisions (regardless of private intent), Hillary promises to take Dodd-Frank to places that even its most ardent supporters have only dreamed about.

But it’s not enough simply to protect the progress we have made," Clinton wrote. "As president, I would not only veto any legislation that would weaken financial reform, but I would also fight for tough new rules, stronger enforcement and more accountability that go well beyond Dodd-Frank."

On Clinton's wish list are the usual proposals to strengthen the Volcker Rule, reimpose Glass-Steagall, break up big banks, restrain "risky" derivative trading, put Jamie Dimon in thumb screws, and force Wall Street interns to entertain donors to the Clinton Foundation at various strip clubs, she gets into the ominous "bad bankers" proposals that threaten to turn a danger of "trickle down" of big-bank regulation onto community banks into a virtual Niagra Falls.

Extend the statute of limitations for major financial crimes to 10 years
Require financial firms to admit wrongdoing as part of settlements
Increase transparency about terms of settlement and fines actually paid to the government
Penalize executives when their firm pays a fine

She also wants the SEC and CFTC to be "independently funded," just like the CFPB. That way, behavioral psychologist and utopian intellectuals can team up to remove any checks-and-balances on the social engineering agendas of the Progressives that Hillary is courting in her bid to grab the grass crown. As King Richard and his minions have been attempting to do with the CFPB.

Her desire to insert "strong regulators" into bank regulatory agencies also bodes ill for community banks. If you love the way that for the last eight years, bank regulators have second-guessed executive decision making on a continuous basis, used regulatory power to attempt to choke off bank access to legal but politically and/or "morally" disfavored businesses, and pushed the envelope of theories like "disparate impact" to find discrimination where no one has ever found it before in order to reward favored constituencies, you'll love another eight years under the current president's "logical successor." At least she's giving you a "heads up" and not hiding the ball. Don't say you weren't warned.

Now, if the opposing party could only nominate something other than the south end of a horse traveling north to run against her. If they can find one, that is.

The Fed On MJ Banking: Nyet

2015-10-25T21:57:00-05:00

Over the summer, while I was downing cold beers by the barrel rather than blogging, the Federal Reserve Bank of Kansas City and the NCUA finally acted on the applications of Fourth Corner Credit Union for, respectively, a "master account" for access to the Federal Reserve System and for insurance of share accounts. In both cases, the answer was not only "No," but "Hell, No!" Fourth Corner sued both the NCUA and the Fed. last week, the Fed filed a Motion to Dismiss Fourth Corner's complaint that ought to send a chill down the spine of every bank in Colorado, Washington, Oregon and Alaska that thinks it can "work around" the federal banking regulators on the Supremacy Clause when it comes to banking a state-legal, federal-illegal marijuana business.

In broad strokes, the Fed alleges that federal law, in this case the Controlled Substances act, trumps state law on marijuana use by virtue of the Supremacy Clause of the US Constitution. This should be "Hornbook Law" to any bank regulatory attorney. The manufacture, sale, and distribution of marijuana is prohibited by the Controlled Substances Act. Therefore, "any affirmative action that Colorado has taken to facilitate the distribution of marijuana is preempted by federal law."

In the present case, Colorado attempted to grant TFCCU a charter that would, in effect, intentionally allow TFCCU to aid and abet violations of federal law by offering banking services to businesses engaged in the manufacture and/or distribution of marijuana. Such an act is preempted by federal law and is void and without effect...The Court would not aid other such attempts--such as if Colorado enacted a scheme to allow trade in endangered species or trade with north Korea in derogation of federal laws, and then chartered a credit union to handle finances for companies conducting such illegal trade...TFCCU is not an entity that can be recognized under federal law" and the credit union's complaint must be dismissed.

Beyond the "master account" and insurance of accounts applications at issue here, the Motion to Dismiss contains a broad condemnation for any existing financial institution--credit union or bank--that thinks that it is somehow safely avoiding federal criminal law prosecution and/or bank regulatory agency enforcement action because it follows the "FinCEN Guidance" issued in early 2014 that, in turn, followed the "Cole Memorandum" guidance provided to US Attorneys on prosecutorial discretion in the area state-legal marijuana businesses. The Fed contends that such "guidance" is not a protection from criminal prosecution (which the guidance itself states, if read carefully). Even if it affords such protection, the Fed makes clear that the Fed would not be bound by it.

The Fed also makes clear that it considers any financial institution that engages in providing financial services to a state-legal marijuana business to be engaging in aiding and abetting a criminal activity under federal law, and that federal law controls. Under that analysis, the Fed should, if it is consistent, take enforcement action against any Fed-member bank that is so engaged. I fail to see why the OCC, FDIC, or NCUA would take a contrary position.

An anonymous (naturally) critic from Dogpatch, U.S.A., attempted to leave a comment on the blog a few months ago that criticized my support of (the critic's phrase) "federal infallibility" regarding state marijuana laws. The poor soul apparently conflated "Papal Infallibility," a theological doctrine of the Roman Catholic Church, with the constitutional principle of "Federal Supremacy. The issue at stake is not who is "right" or "wrong" regarding whether the manufacture and distribution of marijuana for recreational use should or should not be illegal, it is whose law prevails when state and federal law conflict on this matter. My view is that federal law prevails and that any financial institution (and its directors, officers, and employees) that "banks" a state-legal marijuana business is running a serious risk of being hammered by different federal agencies for violating federal criminal laws.

If your credit union's or bank's business plan is "I feel lucky today," more power to you. I think that you're playing with fire and not wearing an asbestos suit.

Operation Choke Point Lawsuit: The Plaintiffs Are Still In The Game

2015-10-04T21:25:00-05:00

While some pundits think that Operation Choke Point is a dead issue, as evidenced by the FDIC's recent guidance that claimed that they were only kidding when they labeled entire lines of business as "high risk," the folks at Ballard Spahr note that the lawsuit filed by the payday loan industry against the bank regulatory agencies continues to forge forward. On September 25, the federal judge hearing the case "rejected most of the arguments in the agencies’ motion to dismiss," allowing the lawsuit proceed.

The agencies first challenged plaintiffs’ standing to sue. While acknowledging that the denial of banking services establishes one necessary element of standing (an “injury in fact”), defendants argued that the plaintiffs do not satisfy the two remaining elements, namely causation, a link between the defendants’ actions and the plaintiffs’ injuries, and redressability, evidence that a favorable ruling will redress the plaintiffs’ alleged injuries.

According to the defendants, the plaintiffs’ injuries resulted from independent decisions by their banks rather than the agencies’ guidance documents. Judge Kessler notes that the plaintiffs’ burden of eventually proving their “third party” causation theory−that the defendants’ conduct compelled the banks to deny them service−will be substantial. However, taking as true all of the plaintiffs’ factual allegations, as is required when deciding a motion to dismiss, she determined that the claims satisfy both the causation and redressability requirements.

The judge also found that the agencies' subsequent "guidance" that "urged" banks to take a risk-based approach on a client-by-client, rather than industry-by-industry basis, does not render the controversy "moot."

Although she agreed that the agencies’ subsequent pronouncements have largely superseded earlier Choke Point guidance, Judge Kessler rejected the defendants’ contention that this alone renders moot all of the plaintiffs’ claims. In particular, she notes that the plaintiffs claim they have been stigmatized and deprived of their ability to engage in a legally permitted business, all without constitutionally required notice and opportunity to be heard.

The judge dismissed claims based upon alleged violation of the Administrative Procedures Act, ruling that agency "guidance" is not final agency action. That is technically correct. However, as those of us who see the consequences of failing to follow agency "guidance," including the inclusion on examination reports of MRAs (matters requiring attention) for "violation" of "guidance," the way the agencies use guidance might be considered by a cynic as an end-around the APA. Luckily, I'm an optimist and would never suggest such a thing.

As I've previously assert, I think that the only thing that will ultimately drive a stake through the heart of Operation Choke Point will be a change in the White House in 2016. Until then, I hope that the plaintiffs continue to keep fighting the good fight.

Reality Check

2015-05-20T21:48:00-05:00

While ideologues pontificating from ivory towers claim that community banks don't need regulatory relief, since they are doing just fine financially, boots on the ground tell a different story.

Community banks are drowning in a torrent of regulatory compliance costs, and Jack Barrett, president and CEO of First Citrus Bank, wants that to change.

Federal agencies that supervise financial institutions should focus on the largest institutions with the most complex transactions, Barrett wrote in a May 13 letter to Martin Gruenberg, chairman of the Federal Deposit Insurance Corp.

Barrett claims that the FDIC devotes three-quarters of its supervisory efforts to community banks that hold 13% of the industry's assets, while devoting only one-quarter to the largest banks.

“How is it sound for a soundness regulator to direct three times the amount of supervisor resources to 13 percent ($2.1 trillion) of industry assets, while 87 percent, $13.2 trillion of exposure, garners a mere 1/4th of supervisory resources?” Barrett’s letter said.

However, it's not the misallocation of FDIC resources, but the cost to First Citrus of managing all that regulatory scrutiny, that causes Barrett the most heartburn.

In 2014, First Citrus incurred $412,000 in expenses related to regulation, compared to less then $25,000 spent each year prior to 2008. The biggest chunk of regulatory expenses last year — $189,000 — was for personnel, as First Citrus, like many other community banks, has had to beef up compliance staff.

Regulatory costs equated to 72 percent of the bank’s net income of $662,000 in 2014.

"If we are too small to save, do the regulatory agencies know we are also small enough to drown in torrential compliance costs?” the letter said.

Yes, they know it. They'll pay lip service to the problem, then get about the business of consolidating the banking industry on the Canadian model favored by some. A few huge banks, working hand-in-glove with the central government to redistribute credit to those who most "deserve" it.

Vendor Mismanagement

2015-05-10T14:03:37-05:00

While banks have complained about the crushing burden of regulations in a post-Franken-Dodd world, in one area they could use a little more regulation. Not of the banks, but of third-party service providers to banks.

I have yapped repeatedly on this rag sheet about how banks need to treat regulatory guidance seriously. While some regulators send confusing signals about the legal enforceability of guidance, they have also made clear that they expect banks to comply with it. Period.

One piece of guidance that we have discussed is OCC Bulletin 2013-29 regarding third party relationships, which is a reworking and expansion of guidance first issued in in 2001 (OCC Bulletin 2001-47). Other federal financial institution regulators have issued similar guidance. One portion of that guidance deals with provisions that the OCC expects to be incorporated into written agreements between banks and their service providers. Banks who take regulatory guidance seriously attempt to ensure that their written agreements with their significant vendors meet the regulators' expectations.

If some technology service providers are to be believed, not many banks take the guidance seriously.

Repeatedly, attorneys who advise banks on such agreements will hear a common complaint: the bank asking for such a contractual provision is the only bank that has ever asked the vendor for the same. Putting aside my stock response ("You'll never be able to say that again, will you?"), let's take them at their word and see what this means.

Let's pick two provisions, access by the bank's regulators to the service provider's records concerning the services it provides to the bank, and a binding agreement by the vendor to provide the bank with a disaster recover plan and modifications to it. These aren't the only provisions. There are many more, but I don't make a living off this blog, so they'll have to do for now.

OCC Bulletin 2013-29 provides in part as follows:

In contracts with service providers, stipulate that the performance of activities by external parties for the bank is subject to OCC examination oversight, including access to all work papers, drafts, and other materials. The OCC treats as subject to 12 USC 1867(c) and 12 USC 1464(d)(7), situations in which a bank arranges, by contract or otherwise, for the performance of any applicable functions of its operations. Therefore, the OCC generally has the authority to examine and to regulate the functions or operations performed or provided by third parties to the same extent as if they were performed by the bank itself on its own premises.

That's pretty clear. Yet, we have repeatedly encountered service providers, including one of the major technology service providers in the United States, who have resisted such a contractual "stipulation". In one discussion, a service provider that was providing an online banking system and related customer-facing services asked the bank to cite the provision of the law that gave the OCC the right to have such access. When we gave it the citation to 12 USC 1867(c), it responded that its inside counsel did not agree with the OCC's interpretation of the Bank Service Company Act, and that examinations that it had permitted the OCC to make were purely voluntary and could be terminated at any time. We responded that we didn't give a flying fig in a rolling donut what its in-house counsel thought about the OCC's interpretation, since the law was clear on its face. In that case, we compromised on language that required such regulatory access "as is required by applicable law." However, we were told by that vendor that other banks did not insist on such a provision in the agreement.

With respect to business continuity plans, OCC Bulletin 2013-29 provides the following:

Ensure that the contract requires the third party to provide the bank with operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented. Include specific time frames for business resumption and recovery that meet the bank’s requirements, and when appropriate, regulatory requirements. Stipulate whether and how often the bank and the third party will jointly practice business resumption and disaster recovery plans.

Recently, we have encountered a technology service provider who provides a critical online banking service that absolutely refuses to agree to any provision in the agreement that addresses business continuity plans or procedures. While it states that it has such a plan and that the bank can review it, it will not agree to put anything in the contract regarding such plans. Again, the bank was informed by the vendor that it has never agreed to provide such contractual protection to a financial institution, and that no other bank has insisted upon it. Again, this is a critical service provider whose service, if it went "offline" for any length of time, would cause intense heartburn to the bank.

These are only two examples. There are many, many more. It's as if not only are many vendors unaware of requirements that their bank clients must meet (and that have been required for over a decade), but that many banks do not care about complying with regulatory guidance. In the case of smaller institutions, there is also the problem that they lack the expertise to negotiate, or perhaps they believe that they do not have sufficient importance to the vendor to bargain effectively. Whatever the reasons, many of them are rolling over with their paws in the air instead of trotting in the other direction.

This leaves those banks that take regulatory guidance seriously in a tough position. Some of them are simply walking away and trying to find vendors who "get it," even if they are not the first choice from a purely business standpoint. Others end up negotiating with themselves to arrive at less-than-reasonable contractual compromises.

I have a couple of suggestions for the regulators. First, try enforcing the guidance across the board. There are financial institutions who are trying to "do it right," but who are being undercut by those who aren't. Moreover, use your authority under the Bank Service Company Act and otherwise to bring home to the vendors directly that if they want to play in this arena, they need to play by your rules. Some of them are not getting the message. Perhaps it would be helpful to start naming names on both ends of the spectrum. Perhaps that would get some attention.

In fairness, there are technology service providers who are doing it right. They understand the guidance, and while they are not willing to fall over and play dead, they are willing to make a reasonable attempt to accommodate what is essentially appropriate risk allocation between the parties, and appropriate accommodation to their customers' regulators' expectations. They "get it." Here's hoping that more of them eventually get the message, as well.