- Pandemic Preparation: Financial Regulators Update Pandemic Planning Guidance
- CFPB Responsible Conduct Bulletin Updated
- SOFR, So Good
Pandemic Preparation: Financial Regulators Update Pandemic Planning Guidance
The Federal Financial Institutions Examination Council (FFIEC) has issued an interagency statement updating prior guidance and informing/reminding financial institutions that their business continuity plans should address the threat and effects of a pandemic.
The interagency statement clarifies that a financial institution’s business continuity plan should address pandemics and be sufficiently flexible to address a wide range of possible effects of a pandemic. As is typical, the pandemic business continuity plan should be scaled to and reflect the financial institution’s size, complexity and business activities. At a minimum, the pandemic segment of the business continuity plan should include:
- A preventive program, including employee education and hygiene training
- A documented strategy scaled to the stages of a pandemic, such as the Pandemic Intervals Framework from the Centers For Disease Control (CDC)
- A comprehensive framework of facilities, systems and/or procedures to ensure the continuance of critical operations
- A testing program
- An oversight program to ensure that the plan is reviewed and updated
The FFIEC notes that a pandemic presents a significant risk to the entire business of a financial institution and is not just an information technology issue. Planning should involve senior management for all functional, business and product areas.
The interagency statement does not specifically mention the coronavirus or COVID-19, and it is meant to apply more broadly beyond the current outbreak. Given the current spread of COVID-19, however, financial institutions should expect questions in the near term from their regulators on their business continuity plans for pandemics. If they haven’t started the process already, any financial institutions supervised by any of the FFIEC members (OCC, FDIC, Federal Reserve Board, CFPB, NCUA and state regulators though the State Liaison Committee) should review the pandemic interagency statement; review their business continuity plans, with the expectations and guidance in the interagency statement in mind; and make adjustments in accordance with the FFIEC interagency statement as soon as possible.
Reflecting the CFPB’s more measured atmosphere since Bureau Director Kathy Kraninger has been at the helm, the CFPB updated its Responsible Business Conduct Bulletin for the first time since 2013. When the Bulletin was initially published in 2013, the CFPB was in its most severe mode of cracking down on consumer financial services companies, whether their compliance activities were good, bad or indifferent.
The 2020 version of the Responsible Conduct Bulletin is more thoughtful and more workable for companies, and includes specific information as to what a company gains when engaging in “responsible conduct”; in the context of investigation, this behavior could lead to fewer alleged violations or penalties, and in the context of supervision, it could lead to the resolution of concerns in a nonpublic manner.
When the initial Responsible Business Conduct Bulletin came out in 2013, the big question for companies was whether to believe that self-reporting potential violations would really help them, especially since the CFPB all but said at the time that all forms of responsible conduct as described were important, but that self-reporting was a point of “special emphasis.” Anecdotal reports of companies that proceeded to self-report potential violations—especially those that were unlikely to have been found by the CFPB through examination or otherwise— seemed to indicate that whatever “benefit” companies might have received for this kind of self-reporting was far outweighed by the zealous, unyielding response by the CFPB.
The CFPB, in the 2020 Bulletin, seems to have recognized that companies are still unlikely to self-report potential violations and has softened the language in an effort to encourage more self-reporting than currently occurs, even going so far as to state that “self-reporting of a potential issue does not require [the company] to concede that it has violated the law.” The CFPB also added, however, that if it finds evidence of efforts to conceal likely violations, then that represents “concrete evidence of the entity’s lack of responsibility to address the conduct at issue.”
Other areas where changes in the Bulletin suggest a kinder and gentler shift by the CFPB to recognize “responsible conduct” more often include:
- In the “self-assessment” category of responsible conduct, the CFPB changed the category from “self-policing” to “self-assessment.” The agency now recognizes that when concerns are identified by a strong compliance management system (CMS), that means the company has engaged in responsible conduct, especially when the identification occurs as part of business as usual and not because an examination or investigation is pending.
- In the “remediation” category of responsible conduct, the CFPB removed the suggestion that remediating was expected even before a potential problem had been fully investigated and determined to represent a violation.
- In the “cooperation” category of responsible conduct, the CFPB specifically called out that when, in the context of investigation, a company asserts privilege in good faith, doing so still allows a company to remain “eligible for potential favorable consideration for cooperating.” The CFPB also removed the requirement that the company expend significant effort to “identify any additional related misconduct likely to have occurred.”
In preparation for the transition away from LIBOR, the Federal Bank of New York has started publishing 30-day, 90-day and 180-day Secured Overnight Financing Rate (SOFR) Averages, as well as a SOFR Index. The new SOFR data will now be published daily by the New York Fed at approximately 8 a.m. Eastern time.
For anyone who really wants to get into the weeds on SOFR, the New York Fed has also made available additional information regarding the SOFR Averages and the SOFR Index, including calculation methodology (i.e., lots of math), such as calculations for non-business days, and a revision policy.