FDIC Publishes 2023 Risk Review

August 14, 2023 — The Federal Deposit Insurance Corporation (FDIC) today published its 2023 Risk Review. The report summarizes conditions in the U.S. economy, financial markets, and banking industry.

The 2023 Risk Review provides a comprehensive summary of key developments and risks in the U.S. banking system, as in prior reports, and includes a new section focused on crypto-asset risk. The report focuses on the effects of key risks on community banks in particular, as the FDIC is the primary federal regulator for the majority of community banks in the U.S. banking system.

The FDIC’s Risk Review is an annual publication based on year-end banking data from the prior year. This year’s expanded report incorporates data and insights related to the recent stress to the banking sector through first quarter 2023. The FDIC intends to publish its next Risk Review in the spring of 2024.

FDIC: PR-61-2023

Courtesy of PYMNTS.com


The words “systemic” and “risk” have been on everyone’s lips in the past few weeks.

And for Big Tech, at least, the regulatory gaze will only widen, eyeing the payments ambitions of the biggest platforms, and whether new payment types — stablecoins among them — might scale enough on those platforms to be a cause for vigilance.

The Consumer Financial Protection Bureau’s (CFPB) efforts may get renewed vigor now that a federal appeals court ruled late last month that the CFPB’s funding via the Federal Reserve is constitutional.

And this week, appearing on Yahoo Finance Live, CFPB Director Rohit Chopra gave some insight into the areas ripe for consideration and review — and perhaps some new regulations too.

He said the Financial Stability Oversight Council has the authority to “designate certain payment activities [including] payment clearing and settlement as either systemic or likely to become systemic.”

Among the payment methods that need to be examined, per Chopra’s commentary: stablecoins, which could conceivably start “riding the rails of a Big Tech platform or a card network.”


Who’s on the Platform and Who’s Not 

“There are some questions we have,” he said of the platforms, “about how do some of these services decide to kick a merchant off or kick a user off? How are they actually using all the data that they’re collecting through our phones and through what we buy?”

He noted that beyond the ability to craft targeted ads, there may be a “move to a world with personalized pricing.”

The regulators, he said, have been looking, and will continue to look, at the cloud services offered by Big Tech players — with particular concern around the risks tied to outages or attacks by fraudsters and hackers, non-state and state actors alike. The risks extend to healthcare, energy and other sectors, he said.

“It’s hard to know what specific tools we’ll use,” he told the finance site, as to what guardrails, regulations and policies may be on the horizon.

As reported by PYMNTS in recent weeks, the drumbeat for stablecoin regulation is likely to grow louder after the stablecoin USDC briefly lost its dollar peg. USDC dipped to as low as 86 cents after the issuer of the stablecoin, Circle, said that some of the funds backing the stablecoin were held at Silicon Valley Bank.

Big Tech’s financial services roadmaps may be determined in part by open banking, where, as banks share account data and other details (with consumer permission), they can offer a range of financial products. There’s also, of course, the ability for Big Tech to apply for banking licenses. Apple’s latest push into buy now, pay later (BNPL), with Apple Pay Later, is but one of the more recent examples of the lines blurring between payments, providers and platforms.

Compliance professionals within financial service firms are finding that they need to demonstrate their abilities with new technologies in order to meet regulatory requirements.

The expansion of governance, risk, and compliance responsibilities into new technology-related areas beyond traditional functions has created a new burden for financial service firms’ compliance departments, and placed new demands on the skills of compliance professionals.

The intersection of compliance with tech has created a need for expertise and essential coordination across firms in areas involving artificial intelligence, big data, data privacy, cybersecurity, and algorithmic trading, to name just a few.

Financial service firms must now fully integrate these technologies and demonstrate that the activities employing them meet regulatory requirements. For compliance professionals, it has become essential to understand how the technologies work as well as their limitations and vulnerabilities. It can even help to know the computer code that went into creating them.

Several recent enforcement cases and regulatory initiatives underscore the need for compliance departments to become more tech savvy by taking steps that include technical coordination across the company, embedding technologists within compliance teams, or increasing the tech skills of individual compliance professionals.


DOJ emphasis on data

Deputy Attorney General Lisa Monaco gave a speech last month outlining ambitious plans being embraced by the Department of Justice (DOJ) to fight corporate misconduct. Among the principles, there was significant emphasis placed on the need to demonstrate an overall compliance culture.

The DOJ made clear in its compliance program guidelines released in 2020 that prosecutors should evaluate whether companies have a “data-driven compliance program” to detect potential misconduct and to monitor the effectiveness of their compliance policies. Monaco expanded on that in her speech and in an accompanying memo to federal prosecutors.

In evaluating whether a compliance program is “adequately resourced and empowered,” the DOJ said in 2020, prosecutors should consider the following questions:

“Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”

The emphasis on “access” to data can be viewed as a signal that the DOJ needs to see people with skills in place to analyze, monitor, and interpret such data on the part of compliance departments.


Regulators’ emphasis on monitoring communications

The new policies put forth in Monaco’s memo also focus on monitoring the use of personal devices and third-party messaging platforms — a demanding technology task. “The ubiquity of personal smartphones, tablets, laptops, and other devices poses significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation,” the memo stated. “The rise in use of third-party messaging platforms, including the use of ephemeral and encrypted messaging applications, poses a similar challenge.”

Other financial regulators have pursued similar priorities. In December last year, JPMorgan Chase & Co.’s securities unit was slapped with a $200 million penalty over data retention violations related to the use of personal communications and messaging devices. The Securities and Exchange Commission (SEC) imposed a $125 million share of the fine, and the Commodity Futures Trading Commission (CFTC) claimed the remaining $75 million.

The JPMorgan case represented the largest-ever fine for record-keeping violations related to communications reviews. It was followed up last week with an announcement by the SEC and CFTC of similar case settlements involving 16 other large financial institutions, which were fined $1.1 billion and $710 million by the agencies, respectively.

In the release announcing the settlements, the SEC said employees of the penalized firms had routinely communicated about business matters using text messaging applications on their personal devices. “The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws,” the SEC stated. “The failings occurred across all of the 16 firms and involved employees at multiple levels of authority, including supervisors and senior executives.”


Compliance takeaways

The rapidly changing and growing compliance, risk, and audit responsibilities stemming from technology innovation require compliance departments to examine their own expertise, capabilities, and skill requirements.

The 2022 Cost of Compliance Survey, published by Thomson Reuters Regulatory Intelligence, showed frustration that, despite compliance departments’ widening responsibilities, staff numbers are unlikely to grow as staff costs increase and financial service firm budgets remain tight. Therefore, outsourcing, technology, and regulatory technology may step in to plug some of the gaps. Still, there will be a growing need for compliance professionals within firms to become more sophisticated in order to better steer the type of changes required by the new technologies.

As the Compliance Survey noted: “Of the 66% of respondents who expect the cost of senior compliance staff to increase in the next 12 months, nearly half (47%) gave the demand for skilled staff and knowledge as the top reason.”

Although the use of outsourcing and third-party management has been a popular strategy for many firms due to the complexities of software development, cloud computing, and data privacy and storage, regulators still expect compliance departments to have a thorough understanding and knowledge to oversee and “own” these outsourced functions.

Courtesy of Todd Ehret, Senior Regulatory Intelligence Expert, Thomson Reuters