Time to Reform U.S. Regulation of International Banking As We Know It?
Plus, Webster Financial's material weakness and Blue Ridge Bank's fintech deposits
Fair warning: to allow the dust to settle, this post does not include any discussion of by far the biggest bank regulatory story in the news. Instead, it offers up brief thoughts on three other bank regulatory developments (broadly defined) this past week.
Graham Steele’s New Article, “Banking on the Edge”
Graham Steele currently serves as Assistant Secretary for Financial Institutions at the U.S. Department of the Treasury. In a law review article published online this past week, Steele calls for “a thorough reexamination of the purposes and functions of international banking as we know it, beginning with the Edge Act.”
As is standard and as the first page of the article makes plain, the “views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of any agency of the U.S. government.” So to be super clear: this article does not necessarily represent the views of Treasury, much less the views of the Federal Reserve Board which is responsible for implementing the Edge Act through Regulation K.
Of course that does not mean the article is not worth reading, either just as a matter of general interest or because the thoughts included therein are representative of a side of the likely debate around future revisions to Regulation K, when the Board gets around to it.1
It is a long and detailed article, and I do not want to risk mischaracterizing Steele’s arguments as to why he believes the laws governing operations by banks abroad deserve a rethink. So I will mention here only the reform proposals discussed at the end of the article.
Legislative Proposals
Before getting to the perhaps slightly more realistic regulatory proposals, the article makes a few suggestions for legislation. Steele acknowledges that congressional action is a “difficult path” but states that legislation is the “ideal vehicle” for Edge Act reforms:
“The most direct method of mitigating the risks raised by the Edge Act would be legislative repeal, aimed to eliminate these nonbank-banks altogether.”
“Alternatively, Congress could amend the definition of “bank” as it is used throughout various statutes to ensure that it includes EACs, thereby extending the intent of CEBA to an additional category of nonbank-bank entity.”
“Congress could clarify and strengthen the Fed’s supervisory powers over banks with EAC subsidiaries by removing the BHCA requirement that requires deference to the primary regulator of functionally regulated subsidiaries.”
Regulatory Proposals
Steele believes that regulatory changes are less “procedurally cumbersome,” but on the other hand “are likely to be less holistic than legislation, and are certain to be less enduring.” If changes to Regulation K or other related regulations are made, Steele recommends:
“[S]tronger limits on EACs’ permissible investments and EACs’ transactions with affiliates.”
A closer examination of whether “some EACs have met, or continue to meet, the legal requirement that they be ‘well managed’ in order to deal in equity securities abroad”
A closer examination of whether “certain EACs adhere to the general principle of meeting ‘high standards of banking or financial prudence’ required by Regulation K”
Narrowing the scope of activities permissible for Edges, including by “revisiting the Fed’s grant of ‘general consent’ to EACs to engage in certain activities abroad without affirmative approval, provided they satisfy certain criteria”
I have a different view on the merits of the current approach to international banking than Assistant Secretary Steele, but it is an article worth reading however you feel about some of its arguments or the conclusions reached. Particularly because, regardless of whether you think the rules for U.S. firms engaging in international banking should be tightened, loosened, or a mix of the two, it is tough to make the case that the current Regulation K coheres perfectly with changes over the past few decades to other U.S. banking laws.
More on Webster Financial
Last week we discussed a notice filed by Webster Financial saying that the company would need a little more time to file its 10-K, as it had “identified a potential material weakness.”
On Friday morning, Webster filed the delayed 10-K and disclosed that the potential material weakness is now a confirmed one.
Our management conducted an assessment, under the supervision and with the participation of our Chief Executive Officer and Chief Financial Officer under the oversight of our Board of Directors, of the effectiveness of our internal control over financial reporting as of December 31, 2022, based on criteria established in Internal Control - Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Based on this evaluation, our management concluded that our internal control over financial reporting was not effective at December 31, 2022, because of the material weaknesses described below.
Based on the COSO criteria, management identified control deficiencies that constitute material weaknesses. A “material weakness” is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is more than a reasonable possibility that a material misstatement of our annual or interim financial statements will not be prevented or detected on a timely basis.
The Company did not have effective general information technology controls (ITGCs) related to Sterling, which was acquired during 2022. Specifically, the Company did not design and implement appropriate logical access controls including deprovisioning, privileged access, and user access reviews. These control deficiencies were a result of ineffective risk assessment associated with the IT environment and individuals with insufficient knowledge and training associated with designing and implementing the controls. As a result, process level automated controls and manual controls that are dependent on the completeness and accuracy of information derived from the affected IT systems are considered ineffective because they could have been adversely impacted.
The material weaknesses did not result in any identified misstatements to the financial statements or previously released financial results.
The company expects to complete remediation work by the end of 2023.2
I would be interested to hear more about the company’s internal analysis of what went wrong, especially given what Webster and Sterling told the Federal Reserve Board about their integration plans in the Section 3 application filed by Webster. For example:
Both WFC and Sterling Bancorp have management who are experienced in successfully integrating operations of acquired entities. […] To assist in the decision-making process for the Proposed Transaction and planning for a successful integration, management of WFC and Sterling Bancorp led a comprehensive due diligence review of all lines of business and functional areas of each other’s organizations, including, among other areas: credit, compliance, operations, human resources, finance and capital, information technology and legal aspects. The senior leadership of WFC and Sterling Bancorp have established an integration planning framework and process with governance and risk management protocols.
WFC and Sterling Bancorp leadership will ensure that the integration of the two companies will be well-planned and effectively managed and implemented
WFC’s and Sterling Bancorp’s management are working together in planning the integration of the respective organizations to manage successfully the integration risk, including during the interim period between consummation of the Proposed Transaction and systems conversion
The integration process will evaluate and select best practices at each firm for governance, controls, change management, systems, risk measurement and risk management to ensure effective risk management and maintain robust governance and risk management systems at the combined company and combined bank
Blue Ridge Bank and Fintech Deposits
A couple weeks ago I expressed some surprise to learn that deposits generated through banking-as-a-service relationships represent 23.5% of the deposits of Metropolitan Commercial Bank. (I also confessed to a bit of uncertainty at the time as to whether this was genuinely surprising or whether it just reflected my ignorance of the smaller bank BaaS space. The feedback I got was mostly the former.)
Anyways, yesterday the parent company of another smaller BaaS sponsor bank, Blue Ridge Bankshares, filed its 10-K. Similar to Metropolitan Commercial Bank, deposits sourced through fintech partnerships represent around a quarter of Blue Ridge Bank’s total deposits, up sharply from a year ago.
Deposits. The principal sources of funds for the Company are core deposits, which include transaction accounts (demand deposits and money market accounts), time deposits, and savings accounts, all of which provide the Bank a source of fee income and cross-marketing opportunities. Core deposits are generally a low-cost source of funding for the Bank and are preferred to brokered deposits. The Company's fintech partnerships have been a significant source of deposits and comprised approximately $690 million (or 27.6%) of the Company's deposits as of December 31, 2022 compared to approximately $189 million (or 8.2%) as of December 31, 2021.
The 10-K describes these fintech relationships as partnerships in which “[f]intech companies provide technologies to enable the delivery of digital bank services, which generate interest income, fees, and deposits and increase the Bank’s customer reach beyond its traditional branch footprint. Two of the Company's fintech relationships provide the Bank access to other fintech companies and vastly expand the Bank’s customer reach.”
In 2022 Blue Ridge Bank’s fintech partners included “Unit Finance, Flexible Finance, Increase, Upgrade, Kashable, Jaris, Grow Credit, MentorWorks, and Marlette.”
I went back to the company’s prior filings to look at the quarter-over-quarter growth in deposits sourced through fintech partnerships (which here I’ll define as “fintech deposits”):
Q4 2021: $189 million total fintech deposits
Q1 2022: $329 million total fintech deposits
Q2 2022: $395 million total fintech deposits
Q3 2022: $529 million total fintech deposits
Q4 2022: $690 million total fintech deposits
The continued fintech deposit growth in the second half of the year is somewhat surprising (again at least to me, someone without as much background in this space as I probably ought to have), given that the bank in August 2022 became subject to a Written Agreement with the OCC requiring, among other things, that:
Prior to onboarding new third-party fintech relationship partners, signing a contract with a new fintech partner, or offering new products or services or conducting new activities with or through existing third-party fintech relationship partners, the Board shall obtain no supervisory objection from the OCC. At a minimum, the bank shall submit the due diligence package including supporting documentation, any proposed contract, and any management or board committee minutes approving the relationship.
Elsewhere in the 10-K, the company states that Blue Ridge Bank “is actively working to bring its fintech policies, procedures, and operations into conformity with OCC directives and believes its work to date has been delivered on schedule.”
Thanks for reading! Thoughts, challenges, criticisms are always welcome at bankregblog@gmail.com
As Steele notes in his article, and as industry-friendly groups like to point out as well, Section 25A of the Federal Reserve Act requires the Board to “issue rules and regulations under this section consistent with and in furtherance of the purposes described in the preceding sentence, and, in accordance therewith, shall review and revise any such rules and regulations at least once every five years.”
Nonetheless, it has been around 20 years since any significant changes were made to Regulation K. An update is understood to be in the works, but timing is still TBD. From a Davis Polk slide deck:
At an American Bar Association panel on January 7, 2023, Federal Reserve General Counsel Van Der Weide indicated, as in the same panel a year earlier, that Board Staff is still working on updating existing regulations, including Regulations Y, K, H, O and W, that have not been refreshed in over 20 years. However, he pulled back from the optimism expressed the prior year, stating only that staff would make “substantial progress” this year.
From the 10-K:
Management plans to implement measures designed to ensure that the control deficiencies contributing to the material weaknesses are remediated, such that these controls are designed, implemented, and operating effectively. The remediation actions include:(i) designing and implementing controls related to deprovisioning, privileged access, and user access reviews, (ii) developing an enhanced risk assessment process to evaluate logical access, and (iii) improving the existing training program associated with control design and implementation. We believe that these actions will remediate the material weaknesses. The material weaknesses will not be considered remediated, however, until the applicable controls operate for a sufficient period of time and management has concluded, through testing, that these controls are operating effectively. We expect that the remediation of these material weaknesses will be completed prior to the end of 2023.