It sounds like every banker’s dream come true. The FDIC has proposed retiring 374 of the 664 risk management supervision-related Financial Institution Letters (FILs) issued between 1995 through 2017.
But there’s not much reason to get excited yet. The agency is required to review its rules every 10 years to find outdated or unnecessary regulation as part of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA). As its first step it identified FIL that “are outdated or that convey regulations or other information that is still in effect but available elsewhere on the FDIC’s website.”
In other words, it’s cutting items that are unlikely to have an impact on your risk management efforts. For example, almost 50 of the FILs are old Office of Foreign Asset Control (OFAC) sanctions and changes to the Specially Designated Nationals and Blocked Persons list from 2008 and before.
What topics are covered?
Bank Secrecy Act
In the category of Bank Secrecy Act/Anti-Money Laundering/Anti-Terrorist Financing, the FDIC proposes archiving 49 FILs, yet this is unlikely to impact the day-to-day operations at financial institutions. For example:
FIL-60-2014: Bank Secrecy Act: Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual. Eliminating this FIL wouldn’t mean abandoning the manual. It simply means there are more recent FILs discussing the most up-to-date version.
FIL-138-2008: Bank Secrecy Act: The SAR Activity Review – Trends, Tips & Issues, October 2008 Edition. Archives a publication of 10-year-old stories of how SARs helped catch Ponzi schemes, a gift shop operating as an unlicensed money service business, and a restaurant at the center of a property crime ring, among others.
FIL-41-2006: Bank Secrecy Act: Guidance on Provision of Financial Services to Belarusian Senior Regime Elements Engaged in Illicit Activities. This is one of several old letters that called out specific foreign institutions or countries like Latvia and Syria for money laundering concerns.
There were some old, outdated standards on the books.
FIL-84-96: Market Risk. This doesn’t eliminate the need to worry about market risk. It simply retires a document that used the outdated risk-based capital requirements from 1996 that have since been updated several times. Other FILs touch on capital standards.
This doesn’t do much of anything to simplify disaster recovery. These FILs apply to specific geographic events, like floods, tornadoes, mudslides and Hurricanes Katrina and Sandy.
Does your bank spend a lot of time worrying about the risk of U.S. Treasury checks stolen in 1998 and other fraudulent documents and instruments from 20 years ago? If not, then the special alerts comprising this batch of proposed FILs to retire won’t be of much help.
Technology has evolved rapidly and new guidance has been regularly issued, leaving outdated items.
FIL-131-97: Security Risks Associated with the Internet. This letter would be helpful if it was 1998 and your institution was “planning to use the Internet as an information resource or delivery channel.”
FIL-81-2000: Risk Management of Technology Outsourcing. While this guidance contains good information, it’s been superseded by other guidance since it was released. The same goes for letters about the FFIEC Technology Examination Handbook.
The agency is retiring quarterly Consolidated Reports of Condition and Income for 2014 through 2016.
The Good News
Outdated regulations are like dusty cardboard boxes in the attic. They take up space and can distract us from finding what’s really important. But when financial institutions are clamoring for more regulatory relief, throwing out a few old boxes doesn’t feel like a ton of progress.
Fortunately, the FDIC says it’s still reviewing the rest of the FILs for “opportunities for updates and additional streamlining.” That means there is still a chance that the agency will find ways to improve existing regulation and perhaps make things less confusing and even lighten regulatory burden.
But don’t expect to put the brakes on your risk management efforts anytime soon. As long as credit, transaction, operational, financial, reputation, cyber and concentration risk exist, those risks will need to be managed for an institution to be successful.