Our Take: financial services regulatory update – October 25, 2024

Change remains a constant in financial services regulation. Read "our take" on the latest developments and what they mean.

Current topics – October 25, 2024

1. CFPB finalizes open banking rule

  • What happened? On October 22nd, the CFPB finalized a rule requiring financial institutions to provide consumers and authorized third parties with access to their financial information, as mandated by section 1033 of the Dodd-Frank Act (DFA). Shortly after the final rule was issued, industry groups filed a lawsuit arguing in part that the CFPB exceeded its statutory authority by requiring data to be provided to third parties while the DFA only requires data to be made available to the consumer, including “an agent, trustee, or representative acting on behalf of an individual.”
  • What will the rule require? Notable specifications and protections in the rule include:
    • Consumer data access. Data providers will need to make consumers’ financial data (e.g., transactions, account balances, and identification data) available securely and reliably (i.e., with at least a 99.5% response rate) upon request by the consumer or an authorized third party with explicit consent from the consumer. Consumers would have the right to revoke access to their data at any time, and firms would be required to immediately discontinue their access and delete the customer’s data. Data providers can deny requests for access based on risk management concerns, including compliance with the Federal Deposit Insurance Act and the failure of a third party to maintain adequate data security.
    • Third party limitations and requirements. Third parties will have to certify that their collection, use and retention of data is limited to what is necessary to provide the requested service - specifically not including advertising, cross-selling other products or services, and selling the data. They will only have access to the data for one year without customer re-authorization. Third parties will also need to certify that they have written policies for data accuracy and have an information security program that complies with the Safeguards Framework of the Gramm-Leach-Bliley Act.
    • Secure data transfer. The rule does not allow data providers to comply with the rule’s data access requirements by allowing other firms to access data by using the customer’s credentials - a process known as “screen scraping.” Instead, they must use a “machine-readable file” in a standardized format with access through a consumer or developer interface. The CFPB finalized a rule in June outlining the qualifications for a standard-setting body to develop a “qualified industry standard” for compliance with the open banking rule.
  • What changed from the proposal? Relative to the October 2023 proposal, the final rule includes the following changes:
    • Broader scope. The final rule clarifies that “data providers” can be depository or nondepository institutions that “issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services.” This confirms that the final rule includes digital wallets, payment apps and buy now pay later providers that are considered credit card issuers under the CFPB’s May 2024 interpretative rule.
    • Extended compliance schedule and smallest banks exempted. The final rule delays and further staggers the proposed compliance deadlines with the first deadline of April 1st, 2026 applying to banks with over $250b in total assets and nondepository institutions with over $10b in revenue in 2023 or 2024; April 1st, 2027 for banks with $10b - $250b in total assets and nondepository institutions with under $10b in revenue in 2023 or 2024; April 1st, 2028 for banks with $3b - $10b in assets; April 1st, 2029 for banks with $1.5b - $3b in assets; and April 1st, 2030 for banks with between $850m - $1.5b in assets. Banks with under $850m in assets would no longer be subject to the rule.
  • What’s next? In a speech, Director Rohit Chopra noted that the CFPB is “working rapidly to evaluate” the first application for a standard setting body. He also outlined further steps the CFPB will take to advance open banking, including working with other regulators and expanding data access requirements to other products such as mortgages and securities in retirement plans.

Our Take

An immediate challenge and test of agency authority. It came as no surprise that the industry immediately challenged this highly anticipated rule due to controversy surrounding the proposal and an overall increase in industry challenges to rulemaking. This challenge notably comes after the Supreme Court overturned “Chevron deference,” a longstanding precedent that compelled federal courts to defer to administrative agencies’ interpretations of statutes that Congress directed the agency to administer. As the lawsuit challenges the CFPB’s interpretation of the DFA’s directive to provide access to data to consumers, it will be an early test of how the courts will rule on such questions post-Chevron. If the challenge to the CFPB’s small business lending data collection rule is any indication, the CFPB could still prevail - but not without a long process of hearings and appeals. Separately, the rule could be affected by the rapidly approaching election - if party control of the White House changes, Chopra would quickly be replaced by a new Director who may take a different approach to the rule, including declining to defend it against legal challenges.

Significant impact with still unanswered questions. Open banking rulemaking has long been expected to have a significant impact on both financial institutions and third parties. For example, easier transfer of data and consumer accounts between institutions will impact banks’ assumptions about deposit stickiness which will affect their liquidity risk management and overall consumer banking strategies. The rule will also require significant effort for data providers to develop compliant interfaces that provide reliable access to data with minimal downtime and clear options for consumers to revoke access. Third parties will need to prepare to certify that they are collecting, using and maintaining data appropriately and securely - which for some may require enhancements to their information security programs. However, there are still a number of questions that were not addressed in the final rule, most significantly regarding determination of liability for data breaches. While there is uncertainty about these details and the future of the rule as a whole, there remains a statutory mandate to issue consumer data access requirements and a variety of stakeholders are interested in advancing open banking. While the timing and details of the requirements could change as legal and political dynamics play out, both data providers and third parties should still be analyzing the impact of increased data access and preparing to make changes to their interfaces, security frameworks and data management systems.

2. OCC finalizes recovery planning guidelines

  • What happened? On October 21st, the OCC finalized its recovery planning guidelines for certain large insured national banks, federal savings associations, and federal branches. The revisions were proposed on July 3rd.
  • What are the revisions and what changed from the proposal? The primary change from the proposal is an extension of the compliance dates for banks that are or become newly covered by the guidelines. Otherwise, the following revisions were largely finalized as proposed:
    • Expanding recovery planning guidelines to apply to institutions with over $100 billion in assets, down from the current threshold of $250 billion (which was raised from $50 billion in 2018)
    • Changing the definition of “average total consolidated assets” to the “total assets” line in an institution’s call report
    • Adding an expectation for institutions to test their overall recovery plan and the underlying elements across severe financial and non-financial stress scenarios no less than annually and following any significant changes in response to a material event
    • Specifically calling for banks to appropriately cover the impact of non-financial risks (e.g., operational and strategic risk) in recovery planning
  • What’s next? The revisions are effective on January 1st, 2025. Banks that are covered by the current recovery planning guidelines (i.e., those with over $250 billion in assets) will have until January 1st, 2026 to amend their plans to consider non-financial risk and until July 1st, 2026 to comply with the testing requirements. Banks that will become covered by the new threshold on the effective date or after will have 12 months to develop a recovery plan and an additional 12 months to comply with the testing provision.

Our Take

Another brick in the wall to mitigate the disruption of bank stress. The quick and mostly unmodified finalization of these revisions reflects their relatively mild reception, with the OCC noting that it only received five comments. The most significant change from the current guidelines remains the reduced threshold in response to last year’s bank failures as each of the banks that failed was below the current $250 billion threshold. The reduced asset threshold will recapture a number of institutions that would need to refresh past plans to account for numerous changes to their businesses and market dynamics since 2018. However, many of the elements of the recovery plans described in the guidance, including testing, are already expected to be included in banks’ contingency funding and contingency capital plans. While the guidelines do not explicitly define how the recovery plans should relate to existing plans, covered financial institutions should consider taking a holistic approach when assessing these new guidelines, including how their recovery plans relate to their contingency and resolution plans. In terms of incorporating non-financial risks, financial institutions should leverage their operational resilience strategies to define non-financial triggers and clarify how their actions may differ in response to them relative to financial triggers.

3. SEC issues 2025 examination priorities

  • What happened? On October 21st, the SEC released its 2025 examination priorities, covering the next year’s examinations of registered investment advisers (RIAs), registered investment companies (RICs), broker-dealers (BDs), self-regulatory organizations (SROs), clearing agencies, and other market participants such as security-based swap dealers (SBSDs).
  • What are priority highlights for 2025? Selected priority areas and key changes from the SEC’s 2024 priorities include:
    • Emerging technologies. The 2025 priorities include a new focus on artificial intelligence (AI), specifically institutions’ use or representations of use of AI. Examiners will evaluate accuracy of representations and firms’ oversight of AI usage, including for back office operations, financial crimes prevention, trading functions, and investment strategies. They will also examine the use of AI provided by third parties and how firms prevent the loss or misuse of customer data. The 2025 priorities also mention the use of digital engagement practices, which were covered in past priorities but excluded in 2024.
    • Cybersecurity and operational resilience. These are not new areas for the SEC’s examination priorities but they include a new focus on compliance with Regulations S-ID and S-P,[1] including policies and procedures, internal controls, oversight of third parties, and governance. With regard to cybersecurity, the priorities also newly mention risks associated with sub-contractors and any use of IT resources without the IT department’s approval, knowledge or oversight (e.g., end user computing (EUC) solutions). In addition, exams will continue to assess compliance with Regulation Systems Compliance and Integrity (Reg SCI), including policies and procedures around the software development lifecycle, third-party dependencies, network segmentation, and reliance on external applications.
    • Fiduciary duties and standards of conduct. As with the last several years, the 2025 priorities confirm that SEC examiners will continue to focus on both broker-dealers and investment advisers’ obligations under Reg BI, Form CRS and other fiduciary standards with a focus on completeness of disclosures, consideration of alternative recommendations, management of conflicts, and alignment with investors’ goals and account characteristics. For investment advisers, examiners will assess whether disclosures are sufficient for a client to provide informed consent. In addition, the priorities note that examinations may focus on recommendations regarding products that are high-cost, unconventional, illiquid and difficult-to-value, and sensitive to higher interest rates or changing market conditions, such as commercial real estate.
    • Private funds. Although a court vacated an August 2023 SEC rule aimed at enhancing private fund investor protection, the Division of Examinations remains focused on private fund advisers’ compliance programs with priorities including compliance with Form PF amendments, meeting fiduciary obligations in times of market volatility, calculation and allocation of fees and expenses, alignment with the amended marketing rule, and disclosures of practices, conflicts of interest, and risks. The Division notes that it “may particularly focus on examinations of advisers to private funds that are experiencing poor performance and significant withdrawals and/or hold more leverage or difficult-to-value assets.”
    • RICs. The SEC’s examinations of RICs, including mutual funds and exchange-traded funds, will continue to focus on compliance programs, disclosures, and governance practices with particular attention to (1) fund fees, expenses, waivers and reimbursements; (2) oversight of service providers; (3) consistency of portfolio management practices and disclosures; and (4) issues associated with market volatility, including RICs with exposure to commercial real estate.
    • Topics not included in 2025. Whereas the 2024 priorities included derivatives risk management assessments for RICs and BDCs as well as recommendations of derivatives by IAs and BDs, these topics are not included in the 2025 priorities. Similar to the 2024 priorities, this year also has no mention of environmental, social, and governance (ESG) focused investing after it was included in the Division of Examinations’ priorities from 2021-2023.
    • Structural changes. The Division notes that it has added specialized capabilities across cybersecurity, security-based swaps, digital assets, and intelligence as well as additional resources focused on national securities exchanges, private funds and clearing agencies.

Our Take

Heightened focus on technology and security. Similar to priorities and statements issued by other financial regulators, this year’s SEC examination priorities reflect growing concerns about how firms are using new technologies such as AI, relying on third parties, and securing customer data. Although third party risk management and data security are not new priorities and cut across numerous aspects of SEC-supervised entity operations, they are intensified by use of AI that often comes through third parties and uses large amounts of data. Any firm using AI needs to have comprehensive governance processes, thorough understanding of their AI models and results, and assurance that their disclosures and marketing materials accurately reflect their use and oversight of AI. They should also review their arrangements with third parties providing AI and other services to understand their security practices and how they would be impacted by disruption of those services. Outside of these areas, the priorities generally cover the SEC’s bread-and-butter concerns around compliance programs, conflicts of interest, fees and disclosures across each type of covered entity. Although the SEC’s expectations in these areas are mostly not new, there are slight changes including greater focus on exposure to commercial real estate and reduced focus on derivatives. BDs, RIAs and RICs should not rest when it comes to perennial priorities and continue to review their policies, procedures and actual practices around identifying, disclosing and mitigating fees and conflicts of interest. Firms should also prepare for closer scrutiny into the adequacy of their disclosures and whether they are demonstrating reasonable care and diligence to make sure recommendations are in line with customers’ investment portfolios and risk appetites, particularly if they have started using AI in any part of their business or operations. 

1. Regulation S-ID, also known as the "Identity Theft Red Flag Rule", requires SEC-regulated institutions to implement programs to prevent, detect, and mitigate identity theft. Regulation S-P contains rules that govern the treatment of consumers’ nonpublic personal information. In May 2024, the rule’s requirements were updated to address the expanded use of technology and corresponding risks. 

4. On our radar

These notable developments hit our radar recently:

  • CFPB issues guidance on worker surveillance. On October 24th, the CFPB issued a circular on the use of third-party consumer reports, including background dossiers and algorithmic scores, to make decisions about workers. It describes the use of such reports to monitor worker activities and clarifies applicable obligations for any such use under Fair Credit Reporting Act (FCRA) rules, including getting permission from employees and providing notice before taking adverse action.
  • SEC finalizes recovery and margin requirements for covered clearing agencies. On October 25th, the SEC finalized amendments to intraday margin rules and new requirements for covered clearing agency (CCA) recovery plans. CCAs must file required changes within 150 days after the amendments are published in the Federal Register and make the changes effective within 390 days.
  • Acting Comptroller speaks on systemic risk. On October 25th, Acting OCC Comptroller Michael Hsu spoke on frameworks to identify systemic risk. He described the need to identify systemic risks in a systematic way and highlighted risks that regulators are currently monitoring, such as those associated with interest rate volatility, liquidity, commercial real estate, geopolitical dynamics, regulatory arbitrage, synthetic risk transfers, cybersecurity, operational resilience and “crowded trades.” He also noted risks associated with the growth of shadow banking, including those associated with private credit, banking supply chains and mortgage servicing.