[Senate Hearing 113-306]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 113-306


           OVERSIGHT OF FINANCIAL STABILITY AND DATA SECURITY

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                              
                   BANKING, HOUSING, AND URBAN AFFAIRS
                   
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                                   ON

 EXAMINING REGULATORY EFFORTS TO IMPROVE FINANCIAL STABILITY AND DATA 
    SECURITY REGULATORY STANDARDS, UPDATING THE FINALIZATION OF THE 
   "VOLCKER RULE", AND RECEIVING A PROGRESS REPORT ON OTHER RULES 
 REQUIRED BY THE DODD-FRANK WALL STREET REFORM AND CONSUMER PROTECTION 
                                  ACT

                               __________

                            FEBRUARY 6, 2014

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs


                 Available at: http://www.fdsys.gov/


                                   ______

                       U.S. GOVERNMENT PRINTING OFFICE 

91-489 PDF                     WASHINGTON : 2014 




            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                  TIM JOHNSON, South Dakota, Chairman

JACK REED, Rhode Island              MIKE CRAPO, Idaho
CHARLES E. SCHUMER, New York         RICHARD C. SHELBY, Alabama
ROBERT MENENDEZ, New Jersey          BOB CORKER, Tennessee
SHERROD BROWN, Ohio                  DAVID VITTER, Louisiana
JON TESTER, Montana                  MIKE JOHANNS, Nebraska
MARK R. WARNER, Virginia             PATRICK J. TOOMEY, Pennsylvania
JEFF MERKLEY, Oregon                 MARK KIRK, Illinois
KAY HAGAN, North Carolina            JERRY MORAN, Kansas
JOE MANCHIN III, West Virginia       TOM COBURN, Oklahoma
ELIZABETH WARREN, Massachusetts      DEAN HELLER, Nevada
HEIDI HEITKAMP, North Dakota

                       Charles Yi, Staff Director

                Gregg Richard, Republican Staff Director

                  Laura Swanson, Deputy Staff Director

                   Glen Sears, Deputy Policy Director

                    Phil Rudd, Legislative Assistant

                  Greg Dean, Republican Chief Counsel

              Jelena McWilliams, Republican Senior Counsel

                       Dawn Ratliff, Chief Clerk

                       Taylor Reed, Hearing Clerk

                      Shelvin Simmons, IT Director

                          Jim Crowell, Editor



                            C O N T E N T S

                              ----------                              

                       THURSDAY, FEBRUARY 6, 2014

Opening statement of Chairman Johnson

Opening statements, comments, or prepared statements of:
    Senator Crapo
    Senator Reed

                               WITNESSES

Mary J. Miller, Under Secretary for Domestic Finance, Department 
  of the Treasury
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Kirk
Daniel K. Tarullo, Governor, Board of Governors of the Federal 
  Reserve System
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Menendez
        Senator Kirk
Martin J. Gruenberg, Chairman, Federal Deposit Insurance 
  Corporation
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Menendez
        Senator Kirk
Thomas J. Curry, Comptroller of the Currency, Office of the 
  Comptroller of the Currency
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Menendez
        Senator Kirk
Mary Jo White, Chair, Securities and Exchange Commission
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Merkley
        Senator Kirk
Mark P. Wetjen, Acting Chairman, Commodity Futures Trading 
  Commission
    Prepared statement
    Responses to written questions of:
        Senator Crapo
        Senator Merkley
        Senator Kirk

 
           OVERSIGHT OF FINANCIAL STABILITY AND DATA SECURITY

                              ----------                              


                       THURSDAY, FEBRUARY 6, 2014

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10:14 a.m. in room SD-538, Dirksen 
Senate Office Building, Hon. Tim Johnson, Chairman of the 
Committee, presiding.

           OPENING STATEMENT OF CHAIRMAN TIM JOHNSON

    Chairman Johnson. I call this hearing to order.
    Today, the Committee continues its oversight of the 
implementation of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act. There has been good progress since our 
last hearing, including the completion of the long-awaited 
Volcker Rule. I believe our economy is on much more stable 
footing, in part due to the efforts of our witnesses and their 
staffs.
    However, there is still work to be done, and oversight will 
continue to be a top priority for this Committee. Some of the 
pending work includes enhanced capital, leverage, and liquidity 
rules for the largest banks, a new regulatory framework for 
nonbank financial companies designated as SIFIs, QRM, and the 
new derivatives rules. I have asked the witnesses to outline 
their timeline for completing these and other rules and to 
provide information on how each agency's rules will reduce 
systemic risk and enhance financial stability.
    To date, the regulators have been thoughtful and 
responsive. For example, they worked quickly to address a 
concern raised by community banks that the Volcker Rule 
unintentionally could have resulted in large, unexpected losses 
for some. I ask that the agencies continue to monitor the 
impact of their actions and to coordinate their ongoing work. 
Agency implementation of Wall Street Reform should also 
continue to be focused on institutions and activities that pose 
the greatest systemic risks. Final rules should not be one-
size-fits-all for banks and insurance companies, nor should 
they impose unnecessary burdens on community banks and credit 
unions.
    In recent weeks, American consumers have been victims of 
large data breaches at national retailers, their personal 
information exposed to identity theft and fraud. Those 
responsible must be held accountable, and we must examine what 
more can be done to better safeguard consumer information going 
forward. I have asked each agency to detail its coordination 
with other regulators and law enforcement on data breaches, as 
well as each agency's role in the retail payment system.
    Wall Street Reform created an important financial stability 
watchdog, the FSOC. In its most recent annual report, the FSOC 
identified securities threats in cyberspace as a potential 
systemic risk. I want to hear what each agency testifying today 
is doing to mitigate cyber and other data security risks, as 
well as protect consumer data at the agencies they regulate.
    I now turn to Ranking Member Crapo for his opening 
statement.

                STATEMENT OF SENATOR MIKE CRAPO

    Senator Crapo. Thank you, Mr. Chairman.
    I have repeatedly stressed the need for the U.S. banking 
system and capital markets to remain the preferred destination 
for investors throughout the world. While it is too early to 
tell the extent to which our overall Dodd-Frank rules will make 
our financial system more stable, Federal regulators must 
ensure that we do not tip the balance of the scales with too 
heavy a hand. Otherwise, the cumulative effect of the rules and 
their interaction with each other may burden the economy far 
more than any stabilizing benefit.
    In addition, it is paramount that the regulators understand 
the full spectrum of the rules they are implementing and any 
consequences before finalizing the rules. This was evident in 
December when the regulators issued the final Volcker Rule and, 
as the Chairman mentioned, did not realize that the accounting 
rules would force community banks to recognize unrealized 
market losses. Regulators worked hard over the holidays to fix 
this for community banks, but the bigger question is why, after 
3 years of promulgating the rule, did no regulator foresee this 
situation.
    This incident with the Volcker Rule only reinforces my 
belief that we need targeted fixes of various Dodd-Frank 
provisions. Some of those fixes include the end-user exemption, 
the swaps push-out, and community banks relief, as identified 
by Chairman Bernanke last year.
    In addition to ensuring that regulators take appropriate 
actions on the rulemaking front, they must also take necessary 
steps to ensure that our payment system and financial data are 
adequately protected. One of the top priorities for this 
Committee is protection of consumer financial data and the 
integrity of the U.S. payment system. Even the Financial 
Stability Oversight Council, FSOC, has identified data security 
as an emerging threat to our financial stability.
    At the Subcommittee hearing on Monday, Members started a 
discussion about the standards used to protect consumer data, 
the payment technologies available, and the roles of all 
parties in the payment system. The U.S. payment system is a 
shared enterprise. While parties approach the system from 
different positions, everyone recognizes and benefits from the 
fast, safe, and accurate transmission of consumer financial 
data.
    Whether we use credit cards at the gas station, the grocery 
store, or even use our smartphones to purchase a sandwich or a 
book, everyone expects a safe and secure system for our 
financial information. Recent data breaches reveal just how 
much information different entities collect about consumers.
    Financial institutions of all sizes face a thorough 
examination process and oversight by regulators when it comes 
to data security, but there are many entry points that could be 
attacked in our payment system. We must answer three key 
questions.
    First, are the existing regulatory tools adequate to 
protect all actors in the payment system and capable of 
safeguarding our financial information?
    Second, with so many stakeholders affected by recent data 
breaches, how can we minimize the damage to consumers and make 
the system less vulnerable?
    And, third, should industry participants consider new 
technologies that may improve the safety of the payment system, 
and if so, what technologies are most appropriate?
    Recent hearings have also unveiled that Federal regulators, 
including the witnesses before us today, collect vast amounts 
of consumer financial data and information. Regulators still 
have not provided a sound rationale, in my opinion, for all of 
the data they collect. Their data collection needs to be as 
safe and as secure as possible so consumers will not have to 
fear a data breach at the Federal Government level, and I will 
add, so consumers do not have to fear the misuse of that data 
being collected by the Government.
    Today, our witnesses will address some of these issues and 
their role in protecting consumers' financial information and 
the stability of our payment system, and I look forward to the 
discussion.
    Thank you, Mr. Chairman, for holding this hearing.
    Chairman Johnson. Thank you, Senator Crapo.
    I would like to allow for more time for questions, but 
would any Member like to make a brief opening statement? 
Senator Reed.

                 STATEMENT OF SENATOR JACK REED

    Senator Reed. Well, thank you very much, Mr. Chairman. I 
will make a very brief opening statement. I have to shortly go 
to the floor to continue to work for the extension of 
unemployment benefits for 1.7 million Americans. But, before I 
do, I wanted to make some very brief comments.
    As I have said previously, it is important to finish 
implementing Dodd-Frank such as the SEC's need to finish its 
share of the derivatives rules relating to security-based 
swaps, and I would urge moving as quickly and diligently as 
possible.
    Lastly, in light of the Target data breach and its 
widespread impact on our constituents, I urge and expect all of 
the regulators here today to take a fresh and careful look at 
beefing up their cyber and data security standards to ensure 
that the regulators themselves and those entities under this 
jurisdiction are ahead of the curve and do not fall victim to 
cyber and data breaches.
    And with that, thank you, Mr. Chairman, for your 
consideration.
    Chairman Johnson. Anyone else?
    [No response.]
    Chairman Johnson. I would like to remind my colleagues that 
the record will be open for the next 7 days for opening 
statements and any other materials you would like to submit.
    Now, I would like to introduce our witnesses. Mary Miller 
is the Under Secretary for Domestic Finance at the U.S. 
Department of the Treasury.
    Dan Tarullo is a member of the Board of Governors of the 
Federal Reserve System.
    Martin Gruenberg is the Chairman of the Federal Deposit 
Insurance Corporation.
    Tom Curry is the Comptroller of the Currency.
    Mary Jo White is the Chair of the Securities and Exchange 
Commission.
    Mark Wetjen is the Acting Chairman of the Commodities 
Futures Trading Commission.
    I thank all of you for being here today. I would like to 
ask the witnesses to please keep your remarks to 5 minutes. 
Your full written statements will be included in the hearing 
record.
    Under Secretary Miller, you may begin your testimony.

   STATEMENT OF MARY J. MILLER, UNDER SECRETARY FOR DOMESTIC 
              FINANCE, DEPARTMENT OF THE TREASURY

    Ms. Miller. Chairman Johnson, Ranking Member Crapo, and 
Members of the Committee, thank you for inviting me to testify 
today on behalf of the Treasury Department.
    I would like to update the Committee on several important 
regulatory developments since I appeared before you last July, 
Treasury's role in enhancing cybersecurity in the financial 
sector, and our 2014 priorities.
    From his first day in office, Secretary Lew stressed the 
importance of finishing work on the Volcker Rule and the 
importance of having a single, strong final rule that was true 
to President Obama's proposal and the statute's intent. The 
final rule adopted in December will protect taxpayers by ending 
banks' speculative proprietary trading and restricting their 
investments in private equity and hedge funds, while 
maintaining deep liquid financial markets and allowing banks to 
hedge those risks.
    We also made progress implementing Title II of Dodd-Frank. 
All of the firms required to submit living wills have now done 
so, and the largest bank holding companies submitted their 
second round of living wills last fall.
    In December, the FDIC sought public comment on an important 
document detailing the single point-of-entry strategy to 
facilitate the orderly liquidation of a failing financial 
company.
    Last summer, the Financial Stability Oversight Council 
designated American International Group, General Electric 
Capital Corporation, and Prudential Financial for enhanced 
prudential standards and consolidated supervision by the 
Federal Reserve. In September, the Office of Financial Research 
released a study of asset management activities to help inform 
the Council's understanding of potential risks in this sector.
    We also continued to make progress on derivatives reform. 
The CFTC finalized its guidance on how Dodd-Frank applies to 
cross-border transactions, and the CFTC and European Commission 
agreed on a path forward, laying out their joint understanding 
regarding those issues.
    In September, an international working group finalized 
margin standards for noncentrally cleared derivatives 
transactions. U.S. regulators are now working to adopt these 
standards domestically and we expect these rules to be 
finalized this year.
    In addition, later this month, trading in several interest 
rate and credit derivatives markets will be required to take 
place on new electronic trading platforms.
    In December, Treasury's Federal Insurance Office released a 
report setting out 27 recommendations designed to bring our 
insurance regulatory system into the 21st century.
    Another area of growing concern for Treasury and the 
Council is the vulnerability of our financial sector 
infrastructure to cyber events. I want to thank the Committee 
for choosing to focus part of today's hearing on this topic. 
The changing nature of these cyber threats prompted the 
Financial Stability Oversight Council last year to highlight 
cybersecurity as worthy of heightened risk management and 
supervisory attention. Under the President's Executive Order on 
cybersecurity, Treasury also serves as a sector-specific agency 
for the financial sector, with a leading role in information 
sharing and a coordinating role in incident response.
    Finally, I would like to highlight for the Committee a few 
areas where Treasury intends to direct significant attention 
this year to complete outstanding pieces of financial reform. 
We will take steps to promote consistent implementation of 
global capital and liquidity standards. We have forged ahead in 
implementing key derivatives reforms, and we need to make sure 
similar reforms are put in place around the globe. Treasury and 
the regulators will continue to closely collaborate with our 
international counterparts through forums like the Financial 
Stability Board and on a bilateral basis to address obstacles 
to resolving large cross-border firms.
    Of course, there is still much to be done domestically, as 
well. As was the case with the Volcker Rule, Secretary Lew, as 
Chairperson of the FSOC, is responsible for coordinating the 
joint rulemaking to implement the risk retention rule. The rule 
was re-proposed last year, and completion of these regulations 
in 2014 is a key priority for the Treasury.
    The last year was a busy one and we made substantial 
progress in financial regulatory reform. These reforms have 
made our financial system stronger, more stable, and more 
focused on fulfilling its core function of facilitating growth 
of the broader economy. That does not mean we will be able to 
relax our guard. The crisis revealed that regulation and 
oversight failed to keep pace with an evolving financial system 
and demonstrated why we must always remain vigilant to 
potential emerging risks in financial institutions and markets.
    Thank you, and I look forward to taking your questions.
    Chairman Johnson. Thank you.
    Governor Tarullo, you may proceed.

STATEMENT OF DANIEL K. TARULLO, GOVERNOR, BOARD OF GOVERNORS OF 
                   THE FEDERAL RESERVE SYSTEM

    Mr. Tarullo. Thank you, Mr. Chairman, Senator Crapo, and 
other Members of the Committee.
    Let me make four quick points in beginning today. First, 
with respect to the rulemaking agenda, in a hearing before this 
Committee just about a year ago, I expressed the hope and the 
expectation that 2013 would be the beginning of the end of the 
major portion of rulemakings implementing Dodd-Frank and 
strengthening capital rules. Specifically, at that time, I 
anticipated, first, that we would issue final regulations on 
the Volcker Rule, capital rules, Section 716, some of the 
special prudential requirements for systemically important 
firms, and, second, that we would issue proposed rules on the 
capital surcharge for systemically important banks and the 
liquidity coverage ratio.
    In the event, we did get final rules on Section 716, the 
Volcker Rule, and the LCR proposal done in 2013. We also issued 
a final rule implementing Section 318, which requires an 
assessment on large financial institutions for supervisory 
expenses. We did not get the additional Section 165 final rule 
or the SIFI surcharge proposed rule out, but these, along with 
completion of the additional leverage ratio for systemically 
important firms, are the priorities to be taken up in the near 
term.
    Second, we continue to refine our stress testing and our 
annual comprehensive capital analysis exercise. We have 
broadened the nature of risks incorporated into the scenarios 
we develop. We have issued a policy statement describing our 
approach to scenario development. And we have issued a paper 
covering expectations for internal capital planning at large 
firms. These and other refinements which have been informed by 
the extensive commentary and advice we get from banks, 
technical experts, and policy analysts, continue to improve 
what I think is the single most important change in supervisory 
practice since the financial crisis.
    Third, as I have said before, we need to address more 
comprehensively the systemic risks potentially posed by heavy 
reliance on short-term wholesale funding, both by the largest 
institutions and more generally in financial markets, 
particularly those arrangements for securities finance 
transactions. We have been discussing internally ideas for 
doing so, some of which I have sketched out in some recent 
speeches. I do not want to give a timeframe for when we may 
have proposals in this area, but I do want to reiterate the 
importance we attach to this issue.
    Finally, with respect to cybersecurity, I would make a few 
general observations. First, the recent data breaches at some 
retailers and Internet service providers underscore the extent 
to which the effective scope of the payment system involves 
many more intermediaries than just regulated depository 
institutions. The weakest links in any part of that chain will 
be exploited by criminals and other malefactors.
    Second, while the recent episodes involve data security 
breaches resulting in the theft of card and other consumer 
information, they should also remind us that cybersecurity is 
an even broader concern, implicating the integrity of our 
financial system and the rest of the economy. You all remember, 
I am sure, the denial of service attacks on numerous U.S. banks 
over the past couple of years.
    Third, we should not think of either the recent data 
breaches or any other cybersecurity problems as discrete 
problems susceptible to solutions, but rather as new conditions 
of continuing vulnerability that will require adaptive, dynamic 
responses by both Government and the private sector.
    Thank you for your attention. I would be pleased to answer 
any questions you might have.
    Chairman Johnson. Thank you.
    Chairman Gruenberg, please proceed.

  STATEMENT OF MARTIN J. GRUENBERG, CHAIRMAN, FEDERAL DEPOSIT 
                     INSURANCE CORPORATION

    Mr. Gruenberg. Chairman Johnson, Ranking Member Crapo, 
Members of the Committee, thank you for the opportunity to 
testify today on the FDIC's actions to implement the Dodd-Frank 
Act and to provide oversight of financial institutions' data 
integrity efforts.
    The adoption of the final Volcker Rule in December by the 
agencies testifying today was a significant milestone in the 
implementation of the Dodd-Frank Act. The purpose of the 
Volcker Rule, as you know, is to limit certain risky activities 
of banking entities that are supported by the public safety 
net, whether through deposit insurance or access to the Federal 
Reserve's discount window. In general, the rule prohibits 
banking entities from engaging in proprietary trading 
activities and places limits on the ability of banking entities 
to invest in or have certain relationships with hedge funds and 
private equity funds. The proprietary trading restrictions of 
the rule seek to balance the prudential restrictions of the 
Volcker Rule while preserving permissible underwriting, market 
making, and risk-mitigating hedging activities.
    In response to concerns raised by commentors, the final 
rule provides compliance requirements that vary based on the 
size of the banking entity and the amount of covered activities 
it conducts. For example, the final rule imposes no compliance 
burden on banking entities that do not engage in activities 
that are covered by the Volcker Rule. Most community banks will 
not need to make changes to their policies and procedures and 
will have no new reporting requirements, provided they do not 
engage in activities covered by the rule.
    We also recognize that clear and consistent application of 
the final rule across all banking entities will be extremely 
important. To help ensure this consistency, the five agencies 
have formed an interagency Volcker Rule Implementation Working 
Group. The Working Group has begun meeting and will meet 
regularly to address reporting, guidance and interpretation 
issues to facilitate compliance with the rule.
    The FDIC has made additional progress in other areas of the 
Dodd-Frank Act that are described in my written statement, 
including the risk retention requirement, which seeks to ensure 
that securitization sponsors have appropriate incentives for 
prudent underwriting.
    In addition, the FDIC continued to make progress on the 
provisions of the Dodd-Frank Act relating to the resolution of 
systemically important financial institutions, or SIFIs. Using 
the standards provided in the statute, the FDIC and the Federal 
Reserve are currently reviewing the revised resolution plans 
required under Title I of Dodd-Frank for the largest most 
systemically significant financial institutions.
    The FDIC also issued a Federal Register notice for public 
comment providing a detailed description of the Single Point of 
Entry strategy developed by the FDIC to implement the Title II 
resolution authorities under the Act.
    Finally, we have continued our active engagement with 
foreign jurisdictions that will be important to the cross-
border resolution of a SIFI, including the United Kingdom, 
Germany, Switzerland, Japan, and the European Commission.
    The FDIC also joined with the Federal Reserve and the OCC 
in issuing rules that significantly revise and strengthen risk-
based capital regulations through implementation of the Basel 
III international accord. The agencies also issued an NPR that 
would significantly strengthen the supplementary leverage 
capital requirements in the Basel III rulemaking for the eight 
largest bank holding companies and their insured banks. 
Completion of this NPR is a top priority for the FDIC.
    In regard to the issue of data integrity, the FDIC treats 
data security as a significant risk area due to its potential 
to disrupt bank operations, harm consumers, and undermine 
confidence in the banking system and the economy. The FDIC's 
most direct role in ensuring cybersecurity within the financial 
sector is through its onsite examination programs of financial 
institutions and third-party service providers. These 
examinations are designed to ensure that financial institutions 
protect both bank and customer information.
    The FDIC is actively providing our supervised banks with 
assistance in planning and training for cyber threats. This 
includes a new program directly designed to assist community 
banks in planning for cyber threats. We are also working with 
our FFIEC colleagues through the Cybersecurity and Critical 
Infrastructure Working Group to strengthen examination policy, 
training, information sharing, and incident communication and 
coordination.
    Mr. Chairman, that concludes my remarks. I would be glad to 
respond to questions.
    Chairman Johnson. Thank you.
    Comptroller Curry, please proceed.

  STATEMENT OF THOMAS J. CURRY, COMPTROLLER OF THE CURRENCY, 
           OFFICE OF THE COMPTROLLER OF THE CURRENCY

    Mr. Curry. Chairman Johnson, Ranking Member Crapo, and 
Members of the Committee, thank you for the opportunity to 
appear before you today.
    Your invitation asked for our thoughts on a range of 
important issues, and my written testimony covers those matters 
in detail. In the time I have now, I would like to speak 
briefly about what the OCC is doing to improve the security of 
consumer financial information held by banks, implement the 
Dodd-Frank Act, and improve our own supervisory processes.
    First, let me say that there are few issues of greater 
concern to me or to the OCC than the increasing risk of cyber 
attacks. The data breaches at Target, Neiman Marcus, as well as 
recent denial of service attacks on some banks, are more than 
just an inconvenience for banks and their customers. The 
affected customers pay a price in terms of the time lost 
monitoring accounts as well as the very real expense incurred 
in restoring their credit information, even though they are 
generally protected against fraudulent charges by their 
financial institutions. Banks bear the expense of replacing 
cards, providing credit monitoring services, and reimbursing 
customers for fraud losses.
    Moreover, every data breach raises questions about the 
security of our retail payment systems, which can diminish 
public confidence. Further, I am concerned that these cyber 
attacks are becoming increasingly sophisticated and may impair 
our financial sector's critical infrastructure.
    The banking sector is highly regulated and subject to 
stringent information security requirements. Banks and their 
service providers must protect both their own systems and their 
customers' data and respond promptly when any breach of 
customer information occurs. Moreover, the OCC regularly 
updates our supervisory practices and industry guidance to keep 
pace with the rapidly changing nature of cyber threats. For 
example, we recently issued updated guidance on third-party 
vendors to stress our expectation that banks have appropriate 
risk management practices in place for these relationships. We 
also encourage ongoing outreach to bankers to share information 
on emerging threats.
    One of my first initiatives as Chairman of the Federal 
Financial Institutions Examination Council was to establish a 
working group on cybersecurity issues. This group has already 
met with intelligence, law enforcement, and homeland security 
officials to share information and is exploring additional 
actions we can take to ensure that banks of all sizes have the 
ability to safeguard their systems.
    We have also made great progress in implementing the Dodd-
Frank Act and in strengthening the resiliency of the banking 
system by requiring enhanced capital reserves and liquidity. 
For example, we finalized a rule requiring that an 
institution's lending limit calculation account for credit 
exposure arising from derivatives and securities financing 
transactions.
    Last year, the OCC along with the other rulemaking agencies 
adopted final regulations implementing the Volcker Rule, which 
bars banks from engaging in proprietary trading and limits 
their ability to invest in or sponsor hedge funds or private 
equity funds. Throughout the interagency rulemaking, the OCC 
worked to minimize the compliance burden on community banks 
that are engaged in limited activities while ensuring that the 
largest banks are subject to robust compliance and reporting 
requirements.
    But, while Congress gave us a number of important tools to 
help preserve the stability of the banking and financial 
system, it would be a mistake to overlook the important role of 
supervision to the health of the banking industry. Since the 
crisis, the OCC has taken a number of steps to help ensure the 
future strength of the industry.
    For example, we developed a set of heightened standards for 
large bank management and boards of directors. We expect large 
banks to meet the highest standards for risk management and 
corporate governance. We have proposed to include these 
standards as enforceable guidelines in our Part 30 regulation, 
which will improve our ability to enforce them.
    At the same time, we have also taken a hard look at our own 
supervision program. Last year, I asked a team of senior 
international supervisors to provide a frank and independent 
assessment of the way we supervise large institutions. Their 
thoughtful response notes strengths in our program and 
identifies areas in which we can improve. We are evaluating how 
best to implement their recommendations.
    This is not an easy thing for an agency to do, and I have 
been impressed with the willingness of OCC staff to embrace 
every opportunity to improve. That attitude is the mark of a 
healthy organization, and it is one of the reasons I believe 
that the OCC continues to be ready to meet the challenges of 
supervising a rapidly changing industry.
    Thank you, and I look forward to your questions.
    Chairman Johnson. Thank you.
    Chair White, please proceed.

  STATEMENT OF MARY JO WHITE, CHAIR, SECURITIES AND EXCHANGE 
                           COMMISSION

    Ms. White. Chairman Johnson, Ranking Member Crapo, and 
Members of the Committee, thank you for inviting me to testify 
about the SEC's ongoing implementation of the Dodd-Frank Act 
and the important issue of data security.
    The Dodd-Frank Act significantly expanded the regulatory 
responsibilities of the SEC. It enhanced the SEC's authority 
over credit rating agencies and clearing agencies and 
strengthened our regulation of asset-backed securities. It gave 
the SEC new responsibilities over municipal advisors and hedge 
fund and other private fund advisors, and required a new 
oversight regime for over-the-counter derivatives. It also 
created a whistleblower program and provided the SEC with 
additional enforcement tools, which we are using.
    Implementing the Dodd-Frank Act has required the SEC, as 
you know, to undertake one of the largest and most complex 
agendas in the history of the agency, with more than 90 
provisions requiring rulemaking and more than 20 others 
requiring studies or reports. In addition, the Dodd-Frank Act 
and the financial crisis that preceded it have focused the 
SEC's efforts more directly on enhancing financial stability 
and reducing systemic risks.
    While certainly more work remains, we have made substantial 
progress implementing this agenda. Since I arrived at the 
Commission in April 2013, we have advanced rules and other 
initiatives across the wide range of regulatory objectives set 
by the Dodd-Frank Act for the SEC.
    We have adopted final rules for the registration of 
municipal advisors. We have analyzed the first complete set of 
data from registered advisors to private funds so that the SEC 
and Financial Stability Oversight Council can better assess 
their impact on financial stability. We have issued a 
comprehensive rule proposal for the cross-border application of 
our regulatory framework for security-based swaps. We have 
adopted a rule to further safeguard customer funds and 
securities held by broker-dealers.
    We have removed references to credit ratings in our broker-
dealer and investment company regulations. We have proposed a 
rule to disclose the ratio of compensation a public company 
pays its CEO relative to what it pays its median employee. We 
have finalized a rule disqualifying felons and other bad actors 
from an important private securities offering exemption.
    We and others have re-proposed a rule concerning the 
retention of certain credit risk by securitizers of asset-
backed securities. And, we and others here today have adopted a 
final Volcker Rule that is consistent with the language and 
purpose of the Dodd-Frank Act and that preserves the benefits 
of diverse and competitive markets.
    These measures are in addition to the rules we have 
advanced and reports we have completed to implement the JOBS 
Act, including by permitting the use of general solicitation in 
certain private offerings, crowdfunding, and updating and 
expanding Regulation A, and they are also in addition to other 
significant initiatives, including our proposals to reform 
money market funds and to enhance the responsibilities of key 
market participants over their technological systems. 
Completing the rulemakings and studies mandated by the Dodd-
Frank and JOBS Act remains among my top priorities for 2014.
    Under the Dodd-Frank Act, the Commission also has taken 
additional steps to protect customer data. Last April, the SEC 
and CFTC jointly adopted Regulation SID, which requires certain 
regulated financial institutions and creditors to adopt and 
implement policies and procedures designed to identify and 
address red flags signaling the possible theft of a customer or 
client's identity. Regulation SID built upon the SEC's existing 
Regulation SP, which requires registered broker-dealers, 
investment companies, and investment advisors to adopt written 
policies and procedures instituting safeguards for the 
protection of customer records and information.
    The SEC monitors and enforces compliance with these rules 
and regulations through our examination and enforcement 
programs. Examinations of registrants relating to data 
protection and information security continue to be an exam 
priority for the SEC's National Exam Program, and in recent 
years, the SEC has also brought enforcement actions for a 
registrant's failure to adopt reasonable policies and 
procedures to protect customer information from imminent 
threats and for failure to respond or follow up on security 
threats despite red flags. There is no question that data 
protection is a critical national and global priority on which 
both the private and public sectors must continue to closely 
focus.
    Thank you again for the opportunity to testify today. I 
would be pleased to answer any questions.
    Chairman Johnson. Thank you.
    Chairman Wetjen, please proceed.

STATEMENT OF MARK P. WETJEN, ACTING CHAIRMAN, COMMODITY FUTURES 
                       TRADING COMMISSION

    Mr. Wetjen. Good morning, Chairman Johnson, Ranking Member 
Crapo, and Members of the Committee. I am pleased to join my 
fellow regulators in testifying today, and it is great to be 
back in the Senate.
    As this Committee is well aware, the Commodities Futures 
Trading Commission was given significant new responsibilities 
through the passage of the Dodd-Frank Act. The Commission has 
substantially met those responsibilities with only a few 
rulemakings remaining. As a result, nearly a hundred swap 
dealers and major swap participants have registered with the 
Commission and become subject to new risk management and 
business conduct requirements. Counterparty credit risk has 
been reduced through the Commission's clearing mandate. And 
pre- and post-trade transparency in the swaps market exists 
where it did not before.
    The Commission also has adopted cross-border policies that 
account for the varied ways that risk can be imported into the 
United States. Congress recognized in Dodd-Frank that even when 
activities do not obviously implicate U.S. interests, they can 
still create less obvious but legally binding obligations that 
are significant and directly relevant to the health of a U.S. 
firm and that, in aggregate, could have a material impact on 
the U.S. financial system.
    In a matter of days, the compliance date for one of the 
remaining hallmarks of the financial reform effort will arrive, 
as well, the effective date of the swap trading mandate. The 
Commission also is working to complete in the coming months 
rulemakings for capital and margin requirements for uncleared 
swaps, rulemakings intended to harmonize global regulations for 
clearinghouses and trading venues, and rules establishing final 
position limits under the Commission's newest proposal.
    Looking forward, the agency will continue its efforts to 
ensure an orderly transition to the new market structure for 
swaps. The agency staff is presently exploring whether to 
recommend a number of new proposals to address remaining end-
user concerns.
    In recent weeks, the Commission also finalized the Volcker 
Rule. Through this effort, the market regulators went beyond 
the Congressional requirement to simply coordinate. In fact, 
the Commission's final rule includes the same substantive rule 
text adopted by the other agencies. The rule strikes an 
appropriate balance in prohibiting the types of proprietary 
trading that Congress contemplated while protecting liquidity 
and risk management through legitimate market making and 
hedging activities.
    Compliance with the Volcker Rule, including the reporting 
of key metrics, will provide the Commission important new 
information that will buttress its oversight of swap dealers 
and Futures Commission merchants, which are banking entities 
under Dodd-Frank that are subject to the Commission's 
registration rules.
    To ensure consistent, efficient implementation of the 
Volcker Rule, the agencies have established an implementation 
task force. One of the Commission's goals for this task force 
will be to avoid unnecessary compliance and enforcement efforts 
by the agency. Indeed, this goal is one of necessity for the 
Commission. Our agency remains resource constrained and cannot 
reasonably be expected to effectively police compliance to the 
fullest extent. The Commission is also analyzing whether it can 
leverage the use of self-regulatory organizations, such as the 
National Futures Association, to assist with its 
responsibilities under the rule.
    Regarding the interim final rule relating to TruPS, the 
Commission last month quickly and unanimously adopted the 
measure in an effort to protect liquidity and markets that are 
important to community banks. In doing so, the agency sought to 
avoid what could have been significant capital and funding 
consequences for community banks. This is another example of 
the Commission responding promptly to compliance challenges 
presented to it and also demonstrated the enduring commitment 
of all the agencies here to ongoing coordination.
    Related to the Committee's concerns about customer data 
breaches, the Commission takes seriously its responsibility to 
protect against the loss or theft of customer information. I 
must note that the Commission's limited examinations staff has 
an impact on its ability to examine and enforce critical rules 
that protect customer privacy and ensure firms have robust 
information security and other risk management policies in 
place.
    Nonetheless, the Commission has taken several steps in this 
area, including jointly adopting with the SEC the final rules 
requiring our registrants to adopt programs to identify and 
address the risk of identity theft. The Commission also adopted 
new risk management requirements for firms, including policies 
addressing risks related to retail payment systems, including 
identity theft, unauthorized access, and cybersecurity.
    Additionally, the agency staff is poised to release a staff 
advisory outlining best practices for compliance with 
provisions of Gramm-Leach-Bliley designed to ensure financial 
institutions protect customer information. In light of recent 
events, the Commission also is presently considering 
implementing rules under Gramm-Leach-Bliley to expand upon our 
current customer protection regulations with more specificity 
regarding the security of customer information.
    Thank you for inviting me today. I would be happy to answer 
any questions.
    Chairman Johnson. Thank you for your testimony.
    As we begin questions, I will ask the Clerk to put 5 
minutes on the clock for each Member.
    Secretary Miller, what steps will Treasury take to promote 
cooperation between industry, law enforcement, the intelligence 
community, and regulators so that American consumers' financial 
information is better protected from threats, including cyber 
attacks and data breaches?
    Ms. Miller. Thank you for the question and for the focus on 
that issue at this hearing today. I think I would mention a few 
things.
    First of all, as you have recognized, the FSOC has 
highlighted this issue in its annual report to call attention 
to the operational risks of financial sector infrastructure in 
cybersecurity attacks, and I think the FSOC will continue to 
focus on that in terms of bringing it to the attention of all 
of its members.
    At the Treasury, we are the sector-specific agency for the 
financial sector on this issue. As such, we have an important 
role in coordinating incident responses, but also making sure 
there is very strong information sharing between the private 
sector itself and between the private sector and regulators, 
and Treasury has stepped up to make sure that we can translate 
information from the intelligence and the security agencies to 
the private sector.
    One of the ways we have done that this year is to make sure 
that we have current security clearances for people both in the 
Government and in the private sector so we can very quickly 
share information to make sure that there are no delays in 
responding to a cybersecurity incident.
    Finally, we work with the Executive Order that the 
President has put out on this issue, but we also think it would 
be very valuable to have comprehensive legislation on 
cybersecurity. Thank you.
    Chairman Johnson. Comptroller Curry, as current Chair of 
the FFIEC, is there more that can be done to help financial 
regulators better protect Americans' financial information 
regardless of where they bank or shop?
    Mr. Curry. Thank you, Mr. Chairman. One of the major 
focuses of our cybersecurity effort at the FFIEC is to make 
sure that the regulated financial institutions are up to the 
task in the area of cybersecurity. The FFIEC is a unique forum 
that has present in it the Federal banking agencies, the 
consumer protection agency, as well as State bank supervisors. 
So, our focus has been on making sure that all financial 
institutions, including community banks and credit unions, are 
meeting our expectations from a regulatory standpoint.
    As part of our program, we are making an assessment of 
whether the overall regulatory structure is effective, from 
communicating awareness of cyber threats, making sure our 
examination procedures, our enforcement authorities, which 
would also include the statutory framework, are effective, 
given the nature of the ongoing cyber threats. We will also be, 
given the incidents relative to the data security breaches, 
focusing on whether or not existing regulatory standards for 
technology for data security are sufficient and whether or not 
there is a need for greater coordination with other players in 
the ecosystem. Thank you.
    Chairman Johnson. Chair White and Chairman Wetjen, in your 
testimony, you highlight a lack of resources as significant 
challenges to your agency. So, specifically, how would the 
current funding levels impact your efforts to protect data and 
implement and enforce Wall Street Reform? Chair White.
    Ms. White. Yes. We do have significant budget challenges 
which impact a number of our very important IT initiatives. 
There is nothing we value more importantly, however, than data 
security. I think the sophistication of the perpetrators 
continually evolves, and threats to both governments and market 
participants alike increase in complexity, really, on a daily 
basis. And so we do want to keep pace with those challenges.
    We clearly will prioritize our resources so as not to 
compromise on data security, but it does present quite a 
challenge. You know, clearly, we are also devoting resources to 
our examination program directed at data security, and to our 
enforcement program, as well, in that space, and the FY 2014 
budget request actually asked for 450 additional positions in 
enforcement and examination, so, obviously, not receiving 
funding for that, that has an impact. But, we intend to keep 
data security very much in the forefront of our priorities.
    Chairman Johnson. Chairman Wetjen.
    Mr. Wetjen. Thanks, Mr. Chairman. I would echo what Chair 
White said. The main tool that we have is to examine the 
practices of our registered entities. They have a variety of 
risk management requirements that relate to keeping customer 
information safe and secure, and because we are resource 
constrained, it is very likely we are not going to be able to 
review and examine those systems that the registered entities 
have in place and so we cannot be sure that the data that is 
being kept by our registered entities is going to be as secure 
as we would like. So, that is the real world explanation or 
reason why the challenges we continue to face on the resource 
front could have an impact on consumers.
    Chairman Johnson. Chairman Gruenberg, I commend you and 
your fellow regulators for acting quickly to fix a Volcker Rule 
issue that could have unintentionally harmed community banks. 
As you analyze other rules, what are you doing to minimize 
unintended consequences and monitor the impact on community 
banks?
    Mr. Gruenberg. Thank you, Mr. Chairman. I think it is fair 
to say that in all of the rulemakings we have been undertaking, 
the agencies across the board have paid particular attention to 
the impact on community banks. In the two major rulemakings we 
did last year on the Basel III capital accord as well as the 
Volcker Rule, we made significant changes in the final 
rulemakings to be responsive to comments and concerns raised by 
community banks. We made three significant changes in the Basel 
III rules responsive to the comments. As I noted, in the 
Volcker Rule, we made adjustments in the final rule so that for 
the large majority of community banks that do not engage in 
activities subject to the Volcker Rule, that large majority of 
community banks will have no compliance requirements under 
Volcker.
    I would note the importance of the cybersecurity issue to 
community banks, and perhaps it has been less appreciated 
because most of the focus on cybersecurity has been on the 
large institutions. But, I can tell you, we have an advisory 
committee of community banks from around the country that our 
board meets with three times a year, and when we went through 
issues of concern to them, cybersecurity was near the top of 
their list. All of them related incidences that their 
institutions experienced. As the larger institutions have 
strengthened their defensive positions, there really has been a 
movement down the system.
    So, this, I think, is really an area that needs particular 
concern, and we have developed a number of tools to assist 
community banks in this area.
    Chairman Johnson. Senator Crapo.
    Senator Crapo. Thank you, Mr. Chairman.
    Under Secretary Miller, I have a lot of questions that 
relate to Dodd-Frank implementation and data security, but I 
would be remiss if I did not first raise the issue of housing 
finance reform that is a critical issue before this country.
    As you know, in the State of the Union, the President 
called on Congress to send him legislation that protects 
taxpayers from footing the bill for a housing crisis ever again 
and keeps the dream of home ownership alive for future 
generations. I just want to ask you, as a representative of the 
Administration here, to confirm that the President has, indeed, 
called on Congress to send him housing finance reform 
legislation and that this is a top priority which we need to 
handle now.
    Ms. Miller. Thank you for the question. I could not agree 
with you more. This has been a priority of the Treasury since 
the day I arrived, to make sure that we are planning for a safe 
and stable housing finance system. As you know, last summer, 
the President articulated four important points: One, that we 
need to design a system that brings more private capital back 
into the housing finance market; two, that we design something 
that winds down the GSEs as they performed and make sure that 
we are protecting the taxpayers in a future housing finance 
system; that we provide broad access to credit for creditworthy 
borrowers who want to own a home; and that we also make sure 
that we provide adequate financing for rental options in this 
country.
    We are very heartened that the improvement in the housing 
market, the recovery we are seeing in housing prices, the 
slowing or diminution of loan delinquencies and foreclosures is 
giving us the opportunity and the platform now to move forward 
with housing finance reform, and we very much look forward to 
working with Members of this Committee on a bipartisan piece of 
legislation. Thank you.
    Senator Crapo. Well, thank you, and I just wanted to get 
that out there so that it is clear that this is a priority, and 
I appreciate your emphasis on that and your work on this.
    My next question really is not a question, it is more of a 
statement about the Volcker Rule, and the reason is because 
there is so much that I want to ask, there is just not time for 
me to get into it right here, so I am simply going to make a 
statement and then I will, with follow-up questions on the 
record, engage with each of you on the Volcker Rule and what we 
have seen.
    The concern I have is one that I know was raised yesterday 
in hearings and that has been raised significantly, which is 
that I think we are just beginning to see the unintended 
consequences of the Volcker Rule. And, as I mentioned in my 
opening statement, I am a little bit baffled that after 3 years 
of work on the Volcker Rule, none of the agencies foresaw the 
unintended consequence related to CDOs that was fixed, but I am 
not sure it has been completely resolved and properly yet, but 
at least the issue is the concern about unintended consequences 
with the Volcker Rule and the problems that we are now seeing 
highlighted there with the multiple regulators having to 
coordinate with each other and fully consider all of the 
dynamics of a very major rule such as this.
    So, I am going to leave it at that right now and not ask 
you to engage with me right now, because I have got a lot of 
other questions to try to get to, but I will, with questions on 
the record, be engaging with you.
    For the next question, Chair White, I would like to turn to 
you. I understand that FSOC is evaluating whether and how to 
consider asset management firms for designation as SIFIs. As a 
part of that evaluation process, the FSOC asked the Office of 
Financial Research to draft a study of the asset management 
industry, and unfortunately, the OFR report failed to fully 
take into account the perspectives of and the data from the SEC 
and market participants, as I see it. The asset management 
industry is squarely within the SEC's jurisdiction and core 
expertise.
    What additional work and data gathering do you believe 
should be done to further understand the asset management 
industry and to achieve the right result in this context?
    Ms. White. I should say, I guess, at the outset, the SEC is 
very actively working in the FSOC setting with our fellow 
agencies in following up on concentrating exactly on those 
issues. We provided technical assistance to OFR before that 
study was completed, commented extensively, some of those 
comments taken, some of those not, as is usual, but agreed to 
disagree on a number of things. So, I think it is very 
important that we have complete data, complete expertise 
applied to all these issues and focus on what differences there 
are in terms of asset managers, which are obviously based on an 
agency model, business model. But, I think that discussion is 
going on.
    Senator Crapo. Thank you very much.
    And one more question. This goes to both Chairman White and 
Chairman Wetjen. I have a lot more questions, but this will be 
the last one I get to get at here, and that is that over the 
last year, I have repeatedly expressed my view that the SEC and 
the CFTC, to move in a more coordinated way with regard to 
Dodd-Frank implementation and cross-border initiatives for 
derivatives. Some argue that the CFTC's implementation is 
largely complete, while the SEC has a fair amount of work left 
to be done.
    As the landscape for Title VII continues to develop, what 
are the concrete steps that your agencies are taking to ensure 
coordination from both rulemaking and compliance perspectives?
    Ms. White. Let me just, I guess, take that first, which is 
that, A, we are prioritizing the completion of our rules in 
2014 for Title VII. Our staffs are in pretty much constant 
contact about implementation issues. We are also actually 
looking at the possibility of accelerating on some issues that 
do not require full rulemaking, and we are also engaged at the 
principal level, which I think is very important, as well.
    Senator Crapo. Thank you.
    Mr. Wetjen.
    Mr. Wetjen. Thanks, Senator Crapo. I agree with Chair 
White. It is a priority for our agency to coordinate closely 
with the SEC. At a personal level, I have been involved in that 
since joining the agency. Of course, as you alluded to, our 
cross-border guidance is currently in place, but there are 
still some issues that continue to arise related to it and we 
continue to consult with the SEC as those arise.
    And to give you a specific example, there is some interest 
in some subsequent staff advisories concerning our guidance. We 
are hosting a Global Markets Advisory Committee meeting at the 
Commission next week and the SEC will be participating in that 
meeting, as well as some foreign regulators from both the FCA 
in the United Kingdom and the European Commission in Brussels. 
So, we will have regulators from around the globe, including 
the SEC, providing their input, all in an effort to, as you 
say, coordinate as best we can.
    Senator Crapo. Thank you.
    I have a number of additional questions, but I will submit 
those for the record, Mr. Chairman, and I look forward to 
working with the witnesses here on those. Thank you.
    Chairman Johnson. Senator Menendez.
    Senator Menendez. Thank you, Mr. Chairman, and thank you 
for adding data security to today's topics.
    I would like to ask those who I understand are most 
involved in this, but anyone who feels that they have a role, 
as well, Governor Tarullo and Chairman Gruenberg and 
Comptroller Curry, and exactly what roles are your agencies 
playing as it relates to data security standards that in my 
understanding are largely set by the industry? I get the sense 
that your role is generally outlining general principles and 
leaving the private sector to fill in the details, or maybe if 
I am wrong, I would be interested in what you are doing beyond 
that.
    This past Monday, we had a Subcommittee hearing that 
Senator Warner held with the retailers, the banks, the card 
industry, consumer advocates, and what not, and I am wondering, 
should we not be establishing a Federal standard, one that does 
not lock in a specific technology, because that can be eclipsed 
in time, but one that certainly looks at the question of a 
regulatory standard based on performance. For example, could we 
not say that at some point, it has to be considered an 
unreasonable security risk for a company not to be using, for 
example, chip and PIN technology, or something that performs 
equivalently, if that is the highest standard that exists in 
the marketplace at a given time, so that at least companies 
would understand what that standard is that they are being held 
accountable to and we could respond accordingly with the FTC or 
others as it relates to violating that standard on behalf of 
consumers.
    Mr. Curry. Senator, I think the basic framework is in place 
for the financial institutions regulated by the banking 
agencies. We have standards for information security. We have 
an ongoing oversight program in terms of examining the 
individual institutions under our jurisdiction. And we also 
supervise certain institution-affiliated parties, independent 
service organizations. The agencies, the OCC, in particular, 
has also set out detailed expectations with respect to third-
party vendors that are used by those service providers.
    Senator Menendez. Do those standards serve us well in the 
data breaches in Target and Neiman Marcus and others?
    Mr. Curry. Well, in that particular instance, the breaches 
did not occur at the bank end, and I think what you pointed out 
correctly is there are different standards between different 
players within the system. The banking industry does have basic 
standards in place that are not necessarily existing in the 
merchant or retail space, so that in order to provide a 
consumer with the same breach notification rights, it may be 
necessary to impose legal or other requirements on retailers or 
merchants, and that is the situation.
    Senator Menendez. Governor Tarullo.
    Mr. Tarullo. Senator, let me supplement a bit. I agree with 
Comptroller Curry, obviously, about the mechanisms the three 
banking regulators have put in place. But, I think your 
question gets to a broader issue, and I agree with what I think 
is the premise of your question, which is we cannot look at 
just the banks right now. I think we need to think in terms of 
a consumer who uses a credit card, and at that point, her 
information starts on a trail which may go through a retailer 
and a processor and one or more banks before the final payment 
is eventually made. And I think right now, we do not have any 
mechanism for taking that view of what I would characterize as 
a very extended payment system and making sure that the kind of 
standards which would assure protections at each step of the 
way are actually realized. As I said in my introductory 
remarks, the weakest link in the chain is where the attention 
is going to be directed by criminals or others.
    You know, there are a lot of people doing a lot of work 
throughout the U.S. Government on this----
    Senator Menendez. So----
    Mr. Tarullo.----but I think you are going to need some more 
general standards. Let me just give you one example, which is 
sort of helpful. I think we probably need some uniform 
requirements on disclosure when breaches have actually taken 
place. You know, the three banking agencies require 
remediation, particular remediation efforts and notification 
and the like, but that is not true generally. And until the 
banks and customers are assured that they know whenever 
anything has happened with their data, it is going to be hard 
for people to respond.
    Senator Menendez. Well, we look forward to your work on 
what I think should be a standard that we can--across the 
universe of those who ultimately hold consumer information.
    If I may, one final question, Mr. Chairman.
    Chairman Johnson. Yes.
    Senator Menendez. Again, to the three of you, we have seen 
reports in the press of regulated financial institutions 
purchasing credit protection, often using credit default swaps, 
from unregulated entities like hedge funds or entities formed 
offshore to avoid regulation in order to reduce the amount of 
capital that they need to hold an investment on the book. And, 
in fact, these trades are transferring risk from a regulated 
entity, institution, that are subject to capital requirements, 
to unregulated entities that are not subject to capital 
requirements. And instead of raising equity to pay for an 
investment, the bank is taking an exposure to an entity that 
may or may not be able to pay up if the investment goes bad. 
And if that story sounds familiar, it is because it is very 
strikingly similar to what we saw happen with AIG before the 
financial crisis.
    So, the question is, when a regulated financial institution 
purchases credit protection, can you describe how you take into 
account counterparty credit risk when determining how much 
credit the financial institution gets toward its capital 
calculations and what is required of banks to monitor their 
counterparties' ability to perform on a trade, because 
otherwise, I just see us, as we are talking about financial 
security here and stability and systemic risk, we are almost 
back in this element to the same type of risk possibility that 
we were before Dodd-Frank.
    Mr. Curry. Senator, we share your concerns from a 
supervisory standpoint on the risks from credit transfer 
transactions, as you have described them. So, as a result, it 
is something that we scrutinize carefully from an examination 
standpoint at the OCC. Our position is that we are looking to 
see that it is actually a true transfer, and if it is not, we 
will not accord it the more favorable capital treatment.
    Senator Menendez. Chairman.
    Mr. Gruenberg. Senator, I would just comment. We have not 
approved requests for these kind of arrangements for our 
supervised institutions, and I would note that under the 
leverage ratio, firms would not receive any capital benefits 
from these kinds of interactions, which underscores the value 
of the strong leverage ratio requirement, as well.
    Senator Menendez. Well, we look forward to your continuing 
work in that regard.
    Thank you, Mr. Chairman.
    Chairman Johnson. Senator Brown.
    Senator Brown. Thank you, Mr. Chairman.
    Governor Tarullo said in his testimony that, quote, ``work 
remains to be done to address the problems of too-big-to-fail 
and systemic risk.'' I would like to ask each of you to give me 
a simple yes or no, starting with you, Ms. Miller, if you 
believe that too-big-to-fail--if you agree with Governor 
Tarullo, that we have not ended too-big-to-fail. A simple yes 
or no, if each of you would do that. Ms. Miller.
    Ms. Miller. I do not think we have ended the perception of 
too-big-to-fail, but I think we have gone a long way to ending 
too-big-to-fail with the regulations.
    Senator Brown. Governor Tarullo, I assume you agree with 
Governor Tarullo's statement.
    Mr. Tarullo. [Nodding head.]
    Senator Brown. OK.
    [Laughter.]
    Senator Brown. Mr. Gruenberg.
    Mr. Gruenberg. Yes, I agree.
    Senator Brown. I am sorry?
    Mr. Gruenberg. Yes, I agree with the question that you 
raised.
    Senator Brown. OK. Mr. Curry.
    Mr. Curry. Yes, I also agree. Thank you.
    Senator Brown. We have not ended it. OK. Ms. White.
    Ms. White. Too soon to tell. I agree.
    Senator Brown. Mr. Wetjen.
    Mr. Wetjen. I also agree with Under Secretary Miller's 
comments.
    Senator Brown. OK. If too-big-to-fail is not over, and most 
of you agree with that--some of you, I am not sure on either 
end where you sit exactly--I want to ask about two ways to 
address it. One is living wills. Yesterday, Chairman Gruenberg 
and Governor Tarullo answered Representative McHenry, you are 
willing to say living wills are deficient as you evaluate the 
second round submitted by the biggest banks. Both Ms. Miller 
and Chairman Gruenberg note that bankruptcy is the standard 
against which living wills are supposed to be measured. I doubt that 
all of the largest banks, those with more than--those 8 to 10 
banks that are $250 billion up in assets--I doubt that those 
largest banks can be resolved through an orderly process, so it 
is clear we all have work to do.
    The other issue of the other of the two ways to address 
too-big-to-fail is the supplemental leverage ratio. I was 
encouraged a number of months ago when OCC, FDIC, and the Fed 
proposed their supplemental leverage ratio requiring the 
largest insured banks and bank holding companies to have the 
ability to produce tens of billions of dollars, to have initial 
tens of billions of dollars in capital to protect against 
failure. Governor Tarullo notes that the Basel Committee's 
revisions for measuring bank assets under Basel III leverage 
ratios will be incorporated into your proposed leverage ratio.
    So, my question is about how soon and how we do this. For 
Governor Tarullo and Comptroller Curry and Chairman Gruenberg, 
how do you do this? Will the United States finalize its 
supplemental leverage ratio first and then revise the asset 
definitions once Basel has completed its process, or will you 
wait until there is an international standard in finance, an 
international standard to finalize the leverage ratio? In other 
words, are we going to move first or are we going to continue 
to wait? Ms. Miller.
    Ms. Miller. I think I would actually prefer to defer to the 
regulators to talk about the work that they are doing in this 
particular area because I think it is really their charge to 
adopt these standards and put them into----
    Senator Brown. There is no Treasury recommendation here?
    Ms. Miller. No, we certainly support the proposals on 
supplemental leverage ratio and making sure that we have a very 
effective regime here in terms of----
    Senator Brown. But you do not have a position on the timing 
of these rules?
    Ms. Miller. The only thing that I think we have been clear 
about is we want to make sure that we are coordinating well 
with our international counterparts. So, for example, some of 
the meetings that took place in January were quite helpful, I 
think, in articulating common standards. So, I think we would 
like to make sure we are moving in concert with our 
international partners, but we would like to see these things 
done as quickly as possible----
    Senator Brown. I hope that ``in concert'' and ``working 
with'' does not imply an abdication of leadership and we will 
not go first. But, the three regulators. I think Ms. Miller is 
right. Governor Tarullo, if you would go first.
    Mr. Tarullo. I think the redefinition of the denominator, 
which was basically what the international work was about, is 
essentially done. I mean, we know where they have come out. The 
question that remains is what is the required minimum ratio 
going to be given that work. And as I think you know, because 
you alluded to the proposed regulation, it is the intention of 
the three bank regulatory agencies to have a higher minimum 
ratio than that that prevails in the international forum right 
now.
    So, what we have been able to do is to move toward a point 
where we have got our definitions harmonized, but we will 
independently put in a higher leverage ratio than the 
international standard. And as I said in my opening remarks, 
for us, that is one of the three regulatory initiatives that is 
the top priority in the near term.
    Senator Brown. Chairman Gruenberg, timing and action and 
what are you going to do.
    Mr. Gruenberg. Yeah. I think--I am hopeful we can move 
forward quickly to finalize the supplementary leverage ratio 
proposal, and we will need to also act to incorporate the 
changes to the denominator, as Governor Tarullo indicated, that 
were finalized by the Basel----
    Senator Brown. And that means we are going to move first?
    Mr. Gruenberg. Yes, I believe so.
    Senator Brown. Comptroller Curry.
    Mr. Curry. Yes. I think Chairman Gruenberg described the 
process. My own view of what should happen is that we should 
adopt both provisions, the final version of the NPR and the 
supplemental leverage ratio, and also adopt the--consider 
adopting the changes in the denominator coming out of the Basel 
Committee and do that as quickly as possible. It is a real high 
priority for me and the OCC.
    Senator Brown. Good. Last July, in response to my question, 
Chairman Bernanke told this Committee that he believes the 
United States has a leadership position and other countries are 
likely to follow our example. You can cite--he did not, but you 
can cite a number of issues. The EU just proposed its own 
version of the Volcker Rule. It is important we lead, and I 
urge all of you in positions to do this to move quickly and 
decisively.
    Thank you, Mr. Chairman.
    Chairman Johnson. Senator Shelby.
    Senator Shelby. Thank you.
    Governor Tarullo, we have been talking about--I was gone a 
few minutes, but the Senator from Ohio was talking about, I 
think, the Volcker Rule and the implementation, at least that 
is what I got. Let us go back just a minute. How will the 
Volcker Rule when it is fully implemented differ from what we 
had under Glass-Steagall?
    Mr. Tarullo. So, under Glass-Steagall, Senator, there could 
not be an affiliation, that is, a corporate affiliation, 
between a commercial bank, an insured depository institution, 
on the one hand, and, for example, a broker-dealer trading 
generally, doing underwriting of equities and trading in 
equities and----
    Senator Shelby. Separation of commercial banking from 
investment banking?
    Mr. Tarullo. Exactly. That is sort of the distilled version 
of what Glass-Steagall was.
    Senator Shelby. OK.
    Mr. Tarullo. The Volcker Rule prohibits the proprietary 
trading activity within any part of a bank holding company----
    Senator Shelby. We understand that.
    Mr. Tarullo.----but it does not require that there be a 
separation between investment banking and----
    Senator Shelby. They can still trade from their customers, 
can they not?
    Mr. Tarullo. Correct. Full agents----
    Senator Shelby. But they could not trade proprietary for 
themselves.
    Mr. Tarullo. That is correct.
    Senator Shelby. And risk--the idea was to risk capital to 
the bank, right?
    Mr. Tarullo. That it is kind of a moral hazard----
    Senator Shelby. And ultimately to the taxpayers.
    Mr. Tarullo. It is a moral hazard motivation, exactly, 
Senator.
    Senator Shelby. OK. What can, say, a commercial bank do 
now, including the Volcker Rule, what can they do that they 
could not do before Glass-Steagall was----
    Mr. Tarullo. Oh, what can the commercial bank do----
    Senator Shelby. Yes. What can they do that they could not----
    Mr. Tarullo. So----
    Senator Shelby.----including the restrictions put on them 
by proprietary trading by the Volcker Rule.
    Mr. Tarullo. Right. There was a parallel movement over the 
time the Glass-Steagall was in effect whereby banks got more 
powers. They were allowed to do things that they had not been 
allowed to do in 1933. Neither Glass-Steagall nor Gramm-Leach-
Bliley really changed that so much. So, I do not actually think 
that either Gramm-Leach-Bliley or the Volcker Rule has 
basically changed what national banks can do, and Comptroller 
Curry may want to weigh in on this. All it has done is put a 
constraint on----
    Senator Shelby. And you emphasized national banks, did you?
    Mr. Tarullo. No, it would--well, so no----
    Senator Shelby. Or all banks?
    Mr. Tarullo.----under the FDI Act----
    Senator Shelby. OK.
    Mr. Tarullo.----no bank can do--no insured depository 
institution----
    Senator Shelby. Right.
    Mr. Tarullo.----can do as principal anything that a 
national bank----
    Senator Shelby. Right. Right. On the European banks that do 
business in this country, and a lot of them do, the big ones, 
they, as I understand it, will come under the Volcker Rule, 
too, here.
    Mr. Tarullo. Here in the United States, yes, sir.
    Senator Shelby. Now, how is that coming along?
    Mr. Tarullo. Well, of course----
    Senator Shelby. Because in Europe, they have got a 
different deal, have they not?
    Mr. Tarullo. That is right. We are just----
    Senator Shelby. Like, if it was a Deutsche Bank, an HSBC, 
the Volcker Rule in the European Union there does not apply to 
them, but it would apply to them doing business in the United 
States.
    Mr. Tarullo. That is right. The rules enacted by the five 
agencies would apply to any banking organizations within the 
United States, and so they would apply. There is, as you know, 
an exception in the Volcker Rule for activity done solely 
outside the United States by a foreign bank, and so there are 
standards for meeting that. As you suggest, the European Union 
is now thinking about their own version of the Volcker Rule, 
but that is a proposal at this juncture, so we do not know 
exactly how it would line up.
    Senator Shelby. I know all of you watch what is going on in 
Europe, and you should. They have a number of so-called stress 
tests coming up. How do those stress tests compare to the 
stress tests that you folks put our banks through? We have 
always thought and heard and read that they are not as 
stringent or strict.
    Mr. Tarullo. Well, as you can tell, we have paid a lot of 
attention to our stress tests in the United States and we try 
to improve them every year. I think what you are seeing in 
Europe now is a somewhat different approach to the stress 
testing exercise, and importantly, it is now being done at the 
European Central Bank, and the European Central Bank is doing 
it as the soon-to-be umbrella supervisor for all the large 
banks in Europe. They have the capacity to do scenarios the way 
we do, and so I think we are going to see a somewhat different 
approach.
    They do have a big task, though. You know, we do about 30 
of our institutions and they have got over 100 that they have 
to cover. So, it is a big task and it is going to take them 
about a year to do it. But I think here, as in many other 
areas, we are starting to converge more on practice.
    Senator Shelby. I will direct--this is my last question--to 
both you and the Chairman, Marty, of FDIC. Today, 2014, how do 
you feel about the capitalization of our banking system 
overall? First, Marty, I will ask you, and then--that is very 
important. And how far has it come, and is it where you want it 
or are you going--they are going to have to jump through some 
more hoops?
    Mr. Gruenberg. I would say, Senator, we are getting there.
    Senator Shelby. Mm-hmm.
    Mr. Gruenberg. We have made real improvements.
    Senator Shelby. Absolutely.
    Mr. Gruenberg. I think, it is fair to say as a general 
proposition over these last 4 years since the crisis, our banks 
across the board, from large to small, have significantly 
rebuilt their balance sheets and are in a stronger capital 
position today. I also think, and Governor Tarullo certainly 
will comment on this, that we are moving, in particular, to 
strengthen the capital requirements for our largest, most 
systemically significant institutions. That is still a work in 
progress, but I think we are moving in the right direction.
    Senator Shelby. Governor.
    Mr. Tarullo. Senator, with respect to the smaller banks, 
which I would say is all but the biggest 30, the expectations 
that we have with respect to the new capital rules, I think 
those are all now in place and most banks already meet those, 
and those that are not, do not, I think will be coming up to do 
so.
    As Chairman Gruenberg mentioned, we are still focused on 
the largest institutions, and it will not surprise you to hear 
me say that I am particularly focused on institutions that have 
a heavy reliance on short-term wholesale funding. And I believe 
that we need to think in terms of potentially more capital at 
the very largest institutions which have that vulnerability to 
runs from short-term wholesale funding.
    The second thing I would say is, what the stress tests do 
is give us a dynamic capital measure as opposed to a static 
one. We give a scenario. We project forward what losses will be 
rather than just rely on backward-looking measures. And the 
continued improvements on that, the rigor in the scenario, the 
taking into account new things like interest rate shocks are a 
way to assure that, regardless of the capital ratios required 
on the books, that we do have the kind of resiliency in the 
system which we have all been striving for.
    Senator Shelby. What about flexibility of capital? How 
important is that? You can have the capital, but you have got 
to be able to use it at stressful times, have you not?
    Mr. Tarullo. That is correct, Senator, and that is why the 
emphasis that all three of us have had on common equity, which 
is the most loss absorbent form of capital. You know, over the 
years--we should just call it as it was--there were some games 
played with the kind of things that could qualify as capital.
    Senator Shelby. Sure.
    Mr. Tarullo. I think we saw in the crisis that when stress 
hits, the markets will see right through those sorts of things, 
and that is why common equity needs to be at the center of our 
calculation.
    Senator Shelby. But you ought to be able to see through it 
first, as a regulator, right?
    Mr. Tarullo. That is correct, Senator.
    Senator Shelby. Thank you. Thank you, Mr. Chairman.
    Chairman Johnson. Senator Warren.
    Senator Warren. Thank you, Mr. Chairman.
    All of our regulators have conceded that our largest banks 
are still too-big-to-fail. Perhaps this is a time to note that 
a 21st century Glass-Steagall would reduce both the size of the 
financial institutions, so there would not be so many that are 
too big, and reduce the risk by separating their banking 
activities and help us bring too-big-to-fail under control. I 
do not think we should be waiting longer to do this.
    But, I also want to talk about another part while we have 
got you here, and that is in 2013 alone, J.P. Morgan spent 
nearly $17 billion to settle claims with the Federal 
Government, claims relating to its sale of fraudulent mortgage-
backed securities, its illegal foreclosure practices, like 
robo-signing, its manipulation of energy markets in California 
and the Midwest, and its handling of the disastrous London 
Whale trade. And at the end of the year, J.P. Morgan gave its 
CEO, Jamie Dimon, a 75 percent raise, bringing his total 
compensation to $20 million.
    Now, you might think that presiding over activities that 
resulted in $17 billion in payouts for illegal conduct would 
hurt your case for a fat pay bump, but according to the New 
York Times, members of the J.P. Morgan Board of Directors 
thought that Jamie Dimon earned the raise, in part, and I am 
quoting here, ``by acting as chief negotiator as J.P. Morgan 
worked out a string of banner government settlements.'' I think 
this raises questions about whether our enforcement strategy is 
working or whether it is actually so bad that we are making it 
more likely for big banks to break the law.
    Neil Weinberg, the Editor-in-Chief of the American Banker 
magazine, said that in the current environment, quote, ``Bank 
executives would be crazy to hold back. If they get caught, 
they can pay their way out of the problem with shareholders' 
money. And if their misdeeds pay off as expected, the profits 
will goose their pay.'' I will add, even if they do get caught, 
the executives might still get a raise.
    So, here is my question. Does anyone on this panel 
seriously think that the Government's current enforcement 
system for financial crimes is actually working in the sense of 
deterring future law breaking? Anyone?
    Mr. Tarullo. Well, I think we are going to have to wait and 
see, Senator, as to whether the magnitude of those fines will, 
in fact, have a deterrent effect going forward. As you noted, 
any dollar paid in compensation to any employee comes out of 
the capital available for distribution to shareholders.
    Senator Warren. I am not quite sure I am following the last 
point, though, Governor Tarullo. Jamie Dimon got a raise after 
he negotiated $17 billion to pay off for activities that were 
illegal that he presided over. So, I am not quite sure how this 
is a deterrent for other CEOs.
    Mr. Tarullo. Again, I am not going to comment on the 
specifics of that case other than to make the point that I do 
not know whether it is going to be a deterrent. I can say from 
our point of view, we are concerned with the healthy 
capitalization of the firm and the question in making sure that 
no payment of executive compensation or distribution to 
shareholders threatens that. The issue is between the 
shareholders and the executive, as long as it does not run 
afoul of those kind of safety and soundness considerations, 
that is not something that we get directly involved in. I do 
not know if you are asking whether you think the fines need to 
be even larger.
    Senator Warren. So, no, the question I am asking is whether 
or not there is adequate deterrence to prevent the largest 
financial institutions in this country from breaking the law, 
and I am just reading what evidence we have to go on right now.
    You know, in the criminal system, we try to deter future 
misconduct by sending people to jail. In the civil system, we 
try to deter future conduct, bad conduct, by having treble 
damages and other things that will be sufficient deterrents. 
But right now, if financial institutions can just settle their 
claims out of court and get a raise for settling them, then 
where is the deterrent? That is the part I am having trouble 
understanding. Anyone?
    Mr. Wetjen. Senator, I will make one observation in the 
context of the LIBOR settlements that the CFTC has engaged in. 
It has been brought to the attention of the agency that a lot 
of modifications of behavior have resulted in the wake of those 
settlements and in the wake of those enforcement actions, which 
collected more than a billion dollars for the taxpayer. I am 
not suggesting that there might not be other ways to enhance 
our enforcement program or the enforcement program of other 
regulatory agencies, but there does seem to be some 
modification of behavior that is very, very positive for the 
markets.
    Senator Warren. Well, I am glad to see there is some 
modification of behavior, but we have to worry about this. You 
know, I want to say, I thought that SEC Chairwoman Mary Jo 
White took the right step when she changed the SEC's ``no 
admit, no deny rule'' so that there was at least less room for 
financial institutions.
    I guess we can stop this now, but I think the public has 
little confidence in regulators' willingness to seek the kind 
of penalties that will actually deter future financial crimes, 
and I do not blame them. I know that many of your agencies have 
been starved for the financial resources that you need to be 
aggressive in your enforcement actions.
    I know it is tough to go up against a big financial 
institution that seems to have unlimited resources. But Jamie 
Dimon himself said on CNBC a couple of weeks ago that J.P. 
Morgan could never afford a public trial. He said--I am quoting 
here--``Banks have a very tough time doing that. That would 
have been criminal for me to subject our company to.'' If Jamie 
Dimon sees that he could not go to trial and it is totally up 
to him, this should enhance your leverage.
    It tells me that if regulators are even slightly willing to 
take a large financial institution to trial, that will have an 
impact on future behavior of these financial institutions and 
on the meaningfulness of any settlement. Until that time comes, 
I am not confident that our enforcement system is doing nearly 
enough to protect the public from financial crimes.
    Thank you, Mr. Chairman.
    Chairman Johnson. Senator Menendez, and then Senator Shelby 
to wrap it up.
    Senator Menendez. Thank you, Mr. Chairman. I appreciate the 
opportunity again.
    I understand totally what Senator Warren is raising, and 
the question of the terms--I just want to go back to the three 
witnesses that I was talking to--data breach again, because it 
is the same concern about making sure that there is a 
deterrence. When you look at a financial institution's data 
security measures, to what extent are you evaluating based on 
risk of harm to the financial institution versus risk of harm 
to the consumer?
    Mr. Curry. Senator, I think it is both. In terms of the 
risk to the system, that is part of the examination and 
supervision that we do. I mean, it is critically important that 
the financial plumbing works, so that is one of our focuses. We 
are enforcing, basically, consumer protection laws with respect 
to notification, assistance if there are breaches and making 
sure that controls and systems are in place to prevent future 
incidences. So, I would say it is both. The focus is to protect 
the consumer as well as to protect the system itself.
    Senator Menendez. Mm-hmm. Do any of you have a comment?
    Ms. White. I could just add, Senator Menendez, I think that 
is why enforcement and examination is so important in this 
space, too, in order to make sure that you at least are 
bringing to bear maximum deterrence. It is really for the 
benefit of the client or the customer where you have the 
authority to act, even though your jurisdiction is over the 
entity.
    Senator Menendez. Chairman, do you----
    Mr. Gruenberg. Senator, I agree with the points that have 
been made. It both goes to the financial institution and to the 
customer. I think the authorities in this area are strong for 
the financial institution. One area that may be worth some 
review is the Bank Service Company Act, which was enacted in 
1961. It goes to the third-party service providers, which have 
become a more important factor in this whole system and may be 
worth some attention. I think the gap here is for the 
nonbanking sector that needs focus and attention.
    Senator Menendez. Well, at the hearing the other day, we 
had the banks, the retailers, and the card companies, and it 
was interesting to see the bankers and the retailers pointing 
to each other as the ones who should be requiring greater 
liability consequences. The only problem with that is they are 
going like this. The consumer is in the middle and not being 
protected. So, going back to the Governor's comments, I really 
do believe we need to create a standard that has a common 
thread across all of this universe to protect the consumer at 
the end of the day.
    Finally, on a different topic, Under Secretary Miller, I 
recently asked Treasury nominee Sarah Bloom Raskin in her 
confirmation hearing about the tasks that financial regulators 
set in setting capital requirements for new types of companies 
under the Wall Street Reform legislation. And as I asked her in 
her hearing, I said, I support strong capital requirements and 
believe they are an important component for both safety and 
soundness and systemic risk regulation, but I have heard 
concerns from, for example, insurance companies about 
regulators applying bank-specific capital requirements to them, 
despite the fact that many insurance companies have very 
different business models, balance sheets, and risk profiles 
from banks.
    And in her hearing, Ms. Bloom Raskin agreed that capital 
standards for insurance companies have to be properly tailored, 
saying a one-size-fits-all is not going to work, and 
recognizing that they have a very different set of asset 
liability structures than banks do. Do you agree with her 
statement, and what is Treasury doing in its role on the 
Financial Stability Oversight Council to ensure that we do not 
mistakenly take a one-size-fits-all approach, that we use the 
right tool for the right circumstances?
    Ms. Miller. Thank you, Senator Menendez. I am not sure I 
can add a lot to what Governor Raskin elucidated in her 
response to you before, but I would say, at the FSOC, in the 
process of designating nonbank financial institutions, a lot of 
attention has been paid to the business models. A lot of 
attention has been paid to the fact that you cannot have that 
one-size-fits-all approach to capital. I think that the Federal 
Reserve is charged with the appropriate calibration of 
rulemaking to these institutions, and I think that we have 
given them all the support we can to make sure that we get this 
right.
    Senator Menendez. Yes, but you have a role at FSOC.
    Do you want to comment, Governor? I know this is an area 
where----
    Mr. Tarullo. Yes. Thank you, Senator. We share your view 
that the liability structure on the financial institution 
affects the amount of capital it needs. It does not affect how 
risky a particular asset is. It does not matter who holds it. 
An asset is an asset. But the liability structure does affect 
how much capital is needed.
    Both with respect to the savings and loan holding 
companies, which are owned in some cases by insurance 
companies, and with respect to any institutions designated by 
FSOC as systemically important, including AIG and Prudential, 
we are trying to tailor, as best we can, the capital 
requirements to take account of, A, the particular products 
that insurance companies offer that banks do not, and, B, the 
different business model.
    A is pretty straightforward. Sometimes, it is technically 
complex, but conceptually, it is pretty straightforward and we 
are in the process of doing that. It is a little harder to do 
with B, in some cases, because of the Collins Amendment, which 
does place a bank-generated floor under capital requirements 
for all institutions.
    So, we are continuing to work as best we can. That is one 
of the reasons we delayed the capital requirements for S&L 
holding companies, because we want to take as much time as we 
can to use the authority we do have to tailor these provisions 
as best we can.
    Senator Menendez. Well, we look forward to hopefully 
getting it right, because it is going to make a big difference 
in terms of the consequences to not only insurance companies, 
but that as a product for Americans to be able to create both 
security for themselves and time and opportunity.
    So, thank you, Mr. Chairman.
    Chairman Johnson. Senator Shelby.
    Senator Shelby. Yes. I would like to direct this, first, to 
Chairman White. It seems in recent months that the SEC has 
become a lot more aggressive on its enforcement, which I think 
is more than welcome in this country. Of course, you bring 
unique qualifications as a former U.S. Attorney to the SEC. 
What has bothered a lot of people in this country for a long 
time, that when you enforce something and people pay huge 
fines--huge--and they do it without admitting any wrongdoing, 
either criminal or civil, you know, sometimes. And sometimes, I 
know, you punish people by fines. We understand that. It hurts.
    But sometimes it seems to me that people, if they are 
guilty of wrongdoing, criminal or civil, that that should be 
part of the deal in your law enforcement, because at the 
beginning of the day and end of the day, the financial system, 
the banking system, securities, everything that goes with it, 
the integrity of that system is so important, not just the 
perception, but a lot of times reality, too.
    How are you working--I know you set a different tone over 
there yourself, and I commend you for that. How are you working 
with the other regulators in ferreting out wrongdoing----
    Ms. White. We work--I am sorry.
    Senator Shelby.----jurisdiction, dealing with securities, 
because it overlaps everywhere.
    Ms. White. Yes, it does overlap. We have very close working 
relationships, I think, with all of the criminal enforcement 
agencies as well as civil enforcement agencies where there is 
that overlapping jurisdiction, because you certainly can get 
synergies and do more.
    As you know, Senator, shortly after I got to the 
Commission, I did change our settlement protocol to, in 
appropriate cases--I could talk about parameters, but in 
certain cases where I think public accountability is 
particularly important, that we will require admissions, 
because it does give that public accountability, particularly 
in cases of egregious conduct, that I think the public deserves 
and, frankly, is important to the credibility of law 
enforcement and deterrence. I think----
    Senator Shelby. And for the justice system of America.
    Ms. White. Yes, and for the justice system, and I come from 
that----
    Senator Shelby. Because if the perception is, if you are so 
rich and you are so powerful that you can get by with this and 
that, that undermines everything, does it not?
    Ms. White. I think that it certainly can do that, without 
question.
    Senator Shelby. Mm-hmm.
    Ms. White. We still, in many cases, and I think wisely so, 
do follow the ``no admit, no deny'' protocol to settle cases. 
It results in returning monies to harmed shareholders more 
quickly. It does eliminate litigation risk. But at the same 
time, we have to be cognizant of, I think, in all cases, 
frankly, is this one where there will be no settlement unless 
there is that admission of wrongdoing.
    Senator Shelby. OK. Thank you very much.
    Chairman Johnson. Senator Schumer.
    Senator Schumer. Thank you. Thank you, Mr. Chairman. I 
thank the witnesses.
    My first question is for Governor Tarullo. It is a general 
question. It a little bit relates to what Senator Menendez was 
saying.
    Now, I know we have Collins and the $15 billion and the 
Volcker Rule, and I know how that passed at the last minute and 
all of that. But, it is a more general problem, and that is 
there all too often, both here and in the regulatory world, 
sort of a cutoff that is a numerical number, even when it does 
not apply to the Collins rule.
    And what I am finding is there are a good number of banks 
that are fairly large but are pretty much plain vanilla banks, 
and this is, in general, how they are regulated. In other 
words, they are not the huge banks in New York City that do all 
kinds--they are investment banks as well as regular banks, and 
having high capital requirements and making sure the mistakes 
of 2007 and 2008 are not repeated, making sure the Volcker Rule 
applies and all of that, I have no problem with.
    But, oftentimes, it is also applied to banks that might 
have $30, $40, $50 billion in assets but are plain vanilla 
banks. They do not do all of the investment banking activities, 
the trading activities that the largest banks do, and yet they 
seem regulatorily often to be lumped in with them. And some of 
these institutions are in Upstate New York and they are really 
good for the economy. They are doing lending to businesses, 
small business lending, just what a traditional bank was.
    And I was just wondering, do you think that, too often, the 
regulators and even the rulemaking process--look, we just had 
it here. Senator Merkley had an amendment on conflict of 
interest in flood insurance, if the bank--banks below $15 
billion were exempt. Well, conflict of interest could occur in 
a small community bank just as easily in the largest bank in 
the country. There was no reason to exempt all the community 
banks from this or to treat them differently than the larger 
banks.
    So, my question is, how is the Fed and how are the 
regulators, since you are the bank regulation guy, 
differentiating and not treating larger banks who are plain 
vanilla banks and do the same types of activities as smaller 
banks like the ones that do the much riskier types of 
activities? I am hearing this complaint constantly, not just 
from New York, but from around the country.
    Mr. Tarullo. So, I think a couple of things, Senator. One, 
as you know, Section 165 of the Dodd-Frank Act put into law the 
proposition that with the increasing size and complexity of 
banks, there should be increasingly stringent regulation. It 
sounds simple, but that has not always been a precept of 
financial regulation, and I think it is quite central to what 
we should be trying to do.
    A second point which builds on that is at the Fed, we have 
created a special mechanism, including the Large Institution 
Supervision Coordinating Committee--for the very largest, most 
complex banks, and many of the regulations which we talked 
about earlier in the hearing--I know you were not present for 
it, but many of the regulations we are proposing to do now, 
some of the ones in my prepared testimony, we will be applying 
only to those institutions, things like the requirement for a 
minimum amount of subordinated debt, things like the 
supplementary leverage ratio.
    So, having said that, though, coming to the third point. It 
is the case that as we adapt and make more stringent and more 
horizontal and more interdisciplinary our regulation and 
supervision of the very largest institutions, I have noticed 
there is an unintentional trickle down effect, which is to say 
supervisors may look and say, gee, you know--they are requiring 
the biggest banks to do this. That must be state-of-the-art 
supervision.
    And I have tried to impress on people that I think we need 
to develop a state-of-the-art supervision for the largest 
institutions. We need to develop a state-of-the-art supervision 
for community banks and for the regionals and the super-
regionals, each of which is not a paler or stronger version of 
the other but is instead customized to those institutions.
    And it is something that I have been thinking about more 
and more over the last year because I keep hearing it, and it 
is--you know, we have seen it with stress testing, that we are 
supposed to have different expectations for the different size 
institutions, and I realize that the senior people in our 
Banking Supervision and Regulation Division need to keep making 
clear they are different expectations. So, it is almost a 
natural instinct of people to say, we want the best or the 
toughest.
    So, I agree with the premise behind your question. You 
know, my perspective on banks that are essentially lending 
institutions of a traditional sort is that strong capital, good 
examination, and some of the traditional activities 
restrictions are really the core of what we need. And some of 
the other things, if I can put it in cost-benefit terms, 
Senator Crapo, cost more than they are worth----
    Senator Schumer. Right.
    Mr. Tarullo.----in terms of increased safety.
    Senator Schumer. Good. I am glad to hear that from you. As 
you said, it is size and complexity. None of these institutions 
will bring down the country if, God forbid, they were to fail. 
So, it is not size alone. It is complexity that ought to be 
playing a role here. Thank you.
    Chairman Johnson. I want to thank today's witnesses for 
testifying about oversight of both financial stability and data 
security. Both are incredibly important to today's economy.
    This hearing is adjourned.
    [Whereupon, at 11:57 a.m., the hearing was adjourned.]
    [Prepared statements and responses to written questions 
supplied for the record follow]:
                  PREPARED STATEMENT OF MARY J. MILLER
    Under Secretary for Domestic Finance, Department of the Treasury
                            February 6, 2014
    Chairman Johnson, Ranking Member Crapo, and Members of the 
Committee, thank you for inviting me to testify today on behalf of the 
Treasury Department.
    Just over three and a half years ago, Congress passed and President 
Obama signed into law a historic set of reforms to make our financial 
system stronger and more stable. We have made considerable progress 
toward achieving those objectives through implementation of the Dodd-
Frank Wall Street Reform and Consumer Protection Act, and related 
reforms. The crisis revealed that regulation and oversight failed to 
keep pace with an evolving financial system, and demonstrated why we 
must always remain vigilant to potential emerging risks in financial 
institutions and markets.
    Most of the foundational reforms laid out in the Dodd-Frank Act 
have now been finalized, and intensive work on the remaining pieces 
continues. The new Consumer Financial Protection Bureau has taken up 
its mission quickly, acting to strengthen consumer protections in the 
mortgage market; establish Federal supervision over large payday 
lenders and debt collectors for the first time; and provide assistance 
to the elderly and military families who are so often targeted by 
unscrupulous lenders. Last year, the bank regulatory agencies finalized 
key rules strengthening the quality and quantity of capital that banks 
are required to hold, and proposed new rules that will require the 
largest firms to decrease their leverage. A new framework for 
regulatory oversight of the over-the-counter derivatives market is 
largely in place, for those swap dealers registering with the Commodity 
Futures Trading Commission (CFTC) and certain interest-rate and credit-
index swap transactions moving to central clearinghouses, reducing 
overall risk to the financial system. Starting this month, new classes 
of swaps transactions will begin to be traded on swap execution 
facilities, bringing much-needed transparency to these markets.
    The United States has moved quickly to put these critical reforms 
in place, and the American people are beginning to feel the benefits of 
reform through a safer and stronger financial system and a broader 
economic recovery. Although financial markets have recovered more 
quickly than the overall economy, the economic recovery is gaining 
traction. Private sector payrolls have increased by more than 8 million 
jobs from the low point in February 2010, and December marked the 46th 
consecutive month of private-sector job growth. The unemployment rate, 
while still too high at 6.7 percent, has fallen to 3.3 percentage 
points since its October 2009 peak of 10.0 percent, and almost a full 
percentage point since my last testimony before this Committee. The 
recovery in the housing market appears to be taking firm hold as 
measured by rising home prices, and a declining number of delinquencies 
and defaults.
    Although we have made good progress, we must continue our efforts 
to complete the remaining pieces of financial reform and stand ready to 
identify and respond to new threats to financial stability. We must 
also continue to work with our international counterparts to promote 
strong and consistent global approaches to financial regulation and 
encourage them to move swiftly toward the completion and implementation 
of key reforms in their jurisdictions, preventing firms from evading 
reforms through regulatory arbitrage.
    I would like to update the Committee on several important 
regulatory developments since I appeared before you last July.
    Secretary Lew, in his capacity as Chairperson of the Financial 
Stability Oversight Council, was responsible for coordinating the 
regulations issued by the five rulemaking agencies--the Board of 
Governors of the Federal Reserve System (Federal Reserve), the Federal 
Deposit Insurance Corporation (FDIC), the Office of the Comptroller of 
the Currency (OCC), the Securities and Exchange Commission (SEC), and 
the CFTC--to implement Section 619 of the Dodd-Frank Act, commonly 
referred to as the Volcker Rule. Starting from his first day in office, 
Secretary Lew stressed the importance of finishing work on the Volcker 
Rule, and the importance of having a single, strong final rule that was 
true to President Obama's proposal and the statute's intent. The final 
rule adopted in December will protect taxpayers and the Federal safety 
net by ending banks' speculative trading activities for their own 
benefit rather than for the benefit of their customers, and restricting 
their investment in private equity and hedge funds, while preserving 
banks' ability to maintain deep, liquid financial markets and hedge 
their risks. The rule's requirement that the largest firms' CEOs attest 
to the maintenance and enforcement of compliance programs will help 
foster a ``tone at the top'' for a culture of compliance. The rule also 
contains a tiered compliance regime, to help ensure that smaller banks 
that do not engage in impermissible proprietary trading or private fund 
activities do not face unnecessary compliance burdens.
    Our progress in 2013 was not limited to completion of the Volcker 
Rule. Last summer, the Federal Reserve, FDIC, and OCC finalized an 
important set of rules implementing the Basel Committee's risk-based 
capital standards, which will increase both the quantity and quality of 
capital held by banks and bank holding companies. The banking 
regulators also proposed complementary enhanced leverage standards that 
will act as a backstop to the risk-based capital requirements, and will 
require the largest banks and bank holding companies to reduce their 
overall leverage. An international group of regulators recently made 
significant progress toward consistent application of the leverage 
requirement across different jurisdictions by agreeing on a global 
framework for calculating the leverage ratio. The United States 
continues to lead international efforts to raise regulatory standards 
around the world.
    The Federal Reserve is also poised to issue additional enhanced 
prudential standards that will increase safety and soundness at the 
largest and most complex banks and designated nonbank financial 
companies.
    The bankruptcy process, aided by the Dodd-Frank Act's living wills 
requirement, continues to be the primary method for resolving failing 
financial companies. All of the firms that are required to submit 
living wills have done so, and the largest bank holding companies 
submitted their second round of living wills last fall, providing a 
more refined tool to facilitate their orderly resolution through 
bankruptcy should they fail.
    However, in the case where bankruptcy cannot be relied on to 
resolve a failing financial company without imposing serious adverse 
effects on U.S. financial stability, the Dodd-Frank Act's orderly 
liquidation authority provides critical new authorities so that firms 
can safely be allowed to fail, no matter how large and complex.
    In December, the FDIC issued and sought public comment on an 
important document detailing its strategy for resolving a financial 
company using its orderly liquidation authority. The document provides 
greater detail on the FDIC's ``single point-of-entry'' strategy that 
the FDIC developed to implement its authority. The single point-of-
entry strategy is designed to accomplish the goals of orderly 
liquidation by allowing critical operating subsidiaries of a failing 
firm to remain in business during the resolution, while also preserving 
market discipline in accordance with the law's requirements--that 
losses are borne by shareholders and creditors, that culpable 
management are held accountable and removed, and that taxpayers bear no 
losses. International cooperation is critical to ensure workability 
across borders, a topic discussed in more detail below.
    The Financial Stability Oversight Council (Council) remains focused 
on its authority to determine that certain large, complex nonbank 
financial companies whose material financial distress could threaten 
U.S. financial stability will be subject to more stringent prudential 
standards and oversight. This past summer, the Council designated 
American International Group, Inc. and General Electric Capital 
Corporation, Inc., subjecting them to enhanced prudential standards and 
consolidated supervision by the Federal Reserve. And, after company 
management had a formal hearing with the Council to contest the 
Council's proposed designation of the company, the Council also 
finalized its designation of Prudential Financial, Inc. These 
designations are in addition to the eight financial market utilities 
that the Council designated in 2012.
    The Council's review of nonbank financial companies is an ongoing 
process, and the Council will continue to evaluate other companies for 
potential designation.
    The progress we have made on instituting a significantly stronger 
capital regime and creating a credible resolution process, and the 
expansion of the supervisory umbrella to cover designated nonbank 
financial companies, are key developments in making the failure of 
large, complex firms less likely and making our financial system more 
resilient in the event of such a failure.
    We also continued to make progress on derivatives reform in 2013. 
The implementation of reporting and clearing rules were critical steps 
forward in improving the safety and transparency of the derivatives 
market. We understand that for derivative reforms to work correctly, 
they must align globally. Last summer, the CFTC finalized its guidance 
with respect to the applicability of the Dodd-Frank Act's derivatives 
reforms to cross-border derivatives transactions and, together with the 
European Commission, announced a ``Path Forward,'' laying out their 
joint understandings regarding the regulation of cross-border 
derivatives transactions. In September, an international working group, 
co-chaired by the Federal Reserve and including the SEC and CFTC, 
finalized margin standards for noncleared derivative transactions. U.S. 
regulators are now working to adopt these standards domestically, and 
we expect these rules to be finalized this year. In addition, by the 
end of last year, 22 swap execution facilities were registered with the 
CFTC, and the trading volume on those platforms is expected to increase 
significantly later this month when trading in several interest rate 
and credit derivatives will be required to take place on SEFs.
    Treasury's Federal Insurance Office (FIO) also made significant 
progress in fulfilling its mission in 2013. In December, the FIO 
released its report on the modernization and improvement of the system 
of insurance regulation in the United States. The report made 27 
recommendations designed to bring our insurance regulatory system into 
the 21st century and make it more responsive to the needs of consumers, 
market participants, and host supervisors in a global environment. The 
FIO will also release a report on the reinsurance market, and the 
President's Working Group on Financial Markets, with input from the 
FIO, will release its analysis of the long-term availability and 
affordability of terrorism risk insurance this year.
    In addition, the FIO continues its work on the international front 
to represent U.S. interests in the development of international 
insurance standard-setting and financial stability activities. The FIO 
has worked and will continue to work closely and consult with other 
Federal agencies and with State insurance regulators on these efforts. 
The FIO is involved in the work of the International Association of 
Insurance Supervisors (IAIS) to develop a common supervisory framework, 
including a capital standard, for internationally active insurance 
groups.
    Treasury and the Financial Stability Oversight Council also remain 
focused on emerging threats that might arise outside, or on the 
periphery of, the traditional banking sector. To that end, the Council 
is actively analyzing the extent to which there are potential threats 
to U.S. financial stability arising from asset management companies or 
their activities, and whether such threats could be mitigated by 
Council designations or whether they would be better addressed through 
other regulatory measures. As part of this analysis, the Council 
requested that the Office of Financial Research conduct a study of 
asset management activities to help determine whether these activities 
could create, transmit, or amplify stress through the financial system. 
The OFR released its study at the end of September following a careful 
analysis that included discussions with a number of market participants 
and input from Council member agencies with relevant expertise.
    The Council's focus on emerging risks outside the core banking 
system led it to issue, at the end of 2012, proposed recommendations 
for money market mutual fund (MMF) reforms. Throughout this process, 
the Council has made it clear that the SEC is the primary regulator of 
MMFs and should take the lead in driving reform. Last June, the SEC 
proposed regulations intended to reduce the risks presented by MMFs, 
and we expect that the SEC will issue a final rule later this year that 
will address the vulnerabilities identified by the Council.
    Another area of growing concern for Treasury and the Council is the 
vulnerability of our financial sector infrastructure to cyber events. 
Cyber threats to financial institutions and markets are growing in both 
frequency and sophistication. The changing nature of these cyber 
threats prompted the Council last year to highlight operational risk, 
and cybersecurity in particular, as worthy of heightened risk 
management and supervisory attention. Council member agencies are 
providing guidance to financial firms concerning appropriate governance 
mechanisms, information security procedures and testing, adequate 
backup systems, and emergency business continuity and recovery plans.
    To maintain data security, safeguard the integrity of markets, and 
preserve consumer and investor confidence, the U.S. Government and the 
financial sector have come together to identify financial system 
vulnerabilities, improve the resilience of our financial system, and 
refine incident management protocols. A public-private partnership is 
necessary to combine the resources and capabilities of the Government 
with those of the private sector. In a public meeting in December, the 
Council highlighted this partnership by engaging both public sector and 
private sector leaders to discuss their efforts. They emphasized 
information sharing, declassification of threat information, and 
strengthening the resilience of firms outside the financial services 
sector that are integral to the functioning of the sector.
    In addition to its role as a Council member agency, Treasury serves 
as the sector-specific agency for the financial sector with a leading 
role in policy development and a coordinating role in incident 
response. In this role, Treasury has sought to increase engagement, 
improve coordination, and facilitate information-sharing on 
cybersecurity issues with colleagues across the Federal Government, 
particularly those involved with national security, homeland security, 
and law enforcement. We communicate regularly with senior officials in 
these areas on matters specific to cybersecurity, both in the context 
of incidents and on more general operations and policy matters. 
Importantly, Treasury is focused on protecting the financial sector as 
a whole, from the largest financial institutions and exchanges to 
community banks and credit unions. Accordingly, we work to reach 
institutions of all sizes.
    I would also like to highlight for the Committee a few areas where 
Treasury intends to direct significant attention and resources this 
year to complete key outstanding pieces of reform. The United States 
responded to the financial crisis aggressively and on a bipartisan 
basis to make our domestic system safer and more secure. But given the 
global nature of our financial system, we must continue working with 
other regulators to forge compatible rules so that reforms in other 
jurisdictions are as strong as our own. From the outset of the crisis, 
the time and energy we put in to domestic regulatory reform have been 
paired with international efforts to promote high-quality standards, 
build a level playing field, and reduce risk. We have made considerable 
progress through the G-20 and the Financial Stability Board in 
designing a more stable and resilient global financial system. But 
design is not sufficient. Implementation and follow-through are key.
    Later this month, the G-20 finance ministers will meet in Australia 
and the United States will use that opportunity to call on the world's 
largest economies to bear down even more forcefully on implementation. 
And next week I will be making a trip to several countries in Asia to 
discuss their progress on financial regulatory reform.
    In 2014, we will take steps to make sure that global banks meet the 
high standards we have set. That means moving swiftly to build strong 
and high-quality capital, properly risk-weight assets, curb leverage, 
and build strong liquidity buffers to protect themselves in times of 
crisis. Several years ago, the G-20 recommended that trading, 
reporting, and clearing of over-the-counter derivatives be in place by 
now. The United States has forged ahead in getting that done. We need 
to make sure these recommendations are put in place around the globe. 
There will be difficult cross-border issues to manage, and these are 
made more complex because other nations are moving far more slowly than 
the United States.
    One area that will require significant international cooperation is 
the task of ensuring not only that all derivatives transactions are 
reported to trade repositories, but that the information collected can 
be used for the purposes it was intended: bringing transparency to our 
derivatives markets and helping regulators and market participants 
develop more insight into the types and levels of exposure throughout 
the financial system. A great deal of work still needs to be done to 
ensure that the data reported by industry and collected by regulators 
will be as useful as possible, or we will be at risk of not achieving 
that goal. The data are fragmented, with many different trade 
repositories, within and across jurisdictions, collecting different 
kinds of information in different ways, keeping us from putting all of 
that information together to develop a full picture of the market. We 
need to roll up our sleeves and address any obstacles to making these 
data useful for market participants and for regulators who are 
monitoring financial stability.
    Treasury will also continue to engage closely with regulators in 
the United States and abroad to strengthen our ability to wind down 
failing financial companies while minimizing the negative impact on the 
rest of the financial system and the global economy. Major financial 
institutions operate globally, and cross-border coordination is 
necessary for resolution of these firms to be effective. Our agenda in 
the coming year will focus heavily on completing the work underway on 
international arrangements that establish how home and host authorities 
will cooperate to wind down a globally active firm in an orderly way. 
Treasury and the regulators will continue to closely collaborate with 
our international counterparts through forums like the Financial 
Stability Board and on a bilateral basis to address obstacles to 
resolving large, cross-border firms.
    In addition to this critical international reform agenda, there is 
still much to be done domestically. As was the case with the Volcker 
Rule, Secretary Lew, as the Chairperson of the Financial Stability 
Oversight Council, is responsible for coordinating the joint 
rulemakings to implement Section 941 of the Dodd-Frank Act, the so-
called ``risk-retention'' rule. This rule generally requires issuers of 
asset-backed securities to retain an interest in the securities they 
sell to third parties. The rule was re-proposed last year, and staff 
from Treasury, the banking agencies, the Federal Housing Finance 
Agency, the Department of Housing and Urban Development, and the SEC 
have met regularly--including just last week--to review comments, 
analyze data, and coordinate on drafting the final rule. Completion of 
these regulations in 2014 is a priority for Treasury.
    And finally, in considering risks to financial stability, we cannot 
ignore fiscal developments at home. Last year, Congress passed a 
temporary suspension of the debt limit, and that temporary suspension 
lasts only through February 7, which is tomorrow. After that, in the 
absence of Congressional action, Treasury will be forced to use 
extraordinary measures to continue to meet its obligations. We now 
forecast that we are likely to exhaust these measures by the end of 
this month. And even though this is an estimate, it is clear that 
extraordinary measures will not last for an extended period.
    It would be a mistake to wait until the 11th hour to get this done. 
The fact is, simply delaying action on the debt limit can cause harm to 
our economy, financial markets, and taxpayers. We are already seeing 
some volatility in Treasury bills that mature after February 7. Around 
the time of last year's delay, we saw consumer and business confidence 
drop, and investors and market participants publicly question whether 
it was too risky to hold certain types of U.S. Government debt. Such a 
question should be unthinkable.

                                      * * * * *

    Given these realities, it is important that Congress move right 
away to increase our borrowing authority.
    The last year was a busy one, and we made substantial progress 
toward the goal of implementing the reforms set forth in the Dodd-Frank 
Act and adopting related reforms to make our financial system stronger, 
more stable and more focused on fulfilling its core function of 
facilitating the growth of the broader economy. That does not mean we 
will be able to relax our guard. To quote Winston Churchill: ``This is 
not the end. It is not even the beginning of the end. But it is, 
perhaps, the end of the beginning.'' Constant evolution in the 
financial system and the activities of financial institutions will 
require regulators to be flexible and ready to address new threats to 
the financial system.
                                 ______
                                 
                PREPARED STATEMENT OF DANIEL K. TARULLO
        Member, Board of Governors of the Federal Reserve System
                            February 6, 2014
    Chairman Johnson, Ranking Member Crapo, and other Members of the 
Committee, thank you for the opportunity to testify on the Federal 
Reserve's activities in mitigating systemic risk and implementing the 
Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank 
Act). In today's testimony, I will provide an update on the Federal 
Reserve's recent activities pertaining to the implementation of the 
Dodd-Frank Act and describe our key regulatory and supervisory 
priorities for 2014. I will also discuss the Federal Reserve's 
expectations with regard to information security at the financial 
institutions it oversees. Since testifying before this Committee in 
July 2013, the Federal Reserve and other banking supervisors have made 
considerable progress in implementing the congressional mandates in the 
Dodd-Frank Act and otherwise improving financial stability and 
mitigating systemic risks. While these efforts have helped to produce a 
sounder, more stable, and more resilient financial system, work remains 
to be done to address the problems of ``too-big-to-fail'' and systemic 
risk.
Recent Dodd-Frank Act Implementation Milestones
    Since your last oversight hearing, the Federal Reserve, often in 
tandem with some or all of the other agencies represented at this 
hearing, has made progress on a number of important Dodd-Frank Act 
reforms.
Liquidity rules for large banking firms
    In October, the Federal Reserve and the other U.S. banking agencies 
issued a proposed rule, consistent with the enhanced prudential 
standards requirements in section 165 of the Dodd-Frank Act, which 
would implement the first broadly applicable quantitative liquidity 
requirement for U.S. banking firms. Liquidity standards for large U.S. 
banking firms are a key contributor to financial stability, as they 
work in concert with capital standards, stress testing, and other 
enhanced prudential standards to help ensure that large banking firms 
have a sufficiently strong liquidity risk profile to prevent creditor 
and counterparty runs.
    The proposed rule's liquidity coverage ratio, or LCR, would require 
covered banking firms to hold minimum amounts of high-quality liquid 
assets, such as central bank reserves and high-quality Government and 
corporate debt, that could be converted quickly and easily into cash 
sufficient to meet expected net cash outflows over a short-term stress 
period. The proposed LCR would apply to internationally active banking 
organizations--that is, to bank holding companies and savings and loan 
holding companies with $250 billion or more in total consolidated 
assets or $10 billion or more in on-balance-sheet foreign exposures. 
The proposal would also apply a less stringent, modified LCR to bank 
holding companies and savings and loan holding companies that are not 
internationally active, but that have more than $50 billion in total 
assets. The proposal would not apply to bank holding companies with 
less than $50 billion in total assets.
    The proposal's LCR is based upon a liquidity standard agreed to by 
the Basel Committee on Banking Supervision, but is more stringent than 
the Basel Committee standard in several areas, including the range of 
assets that will qualify as high-quality liquid assets and the assumed 
rate of outflows for certain kinds of funding. In addition, the 
proposed rule's transition period is shorter than that in the Basel 
Committee standard. The proposed accelerated phase-in of the U.S. LCR 
reflects our objective that large U.S. banking firms maintain the 
improved liquidity positions that they built following the financial 
crisis, in part due to our supervisory oversight. We believe the 
proposed LCR should help ensure that these improved liquidity positions 
will not weaken as memories of the financial crisis fade.
Stress testing and capital planning requirements
    The comprehensive stress testing conducted by the Federal Reserve, 
pursuant to the Dodd-Frank Act and in connection with the annual 
Comprehensive Capital Analysis and Review (CCAR), has become a key part 
of our supervisory efforts for large banking firms, and we are 
continuing to develop and expand the scope of this exercise. Most 
recently, the Federal Reserve issued proposed supervisory guidance 
regarding internal stress testing by banking firms with total 
consolidated assets between $10 billion and $50 billion as mandated by 
the Dodd-Frank Act and issued interim final rules clarifying how 
banking firms should incorporate the revised Basel III regulatory 
capital framework into their capital projections for the CCAR and Dodd-
Frank Act stress testing cycles that began in the fall.
    We are continuing to improve the implementation of our stress 
testing framework by refining the formulation of the hypothetical 
macroeconomic scenarios that form the basis of the stress tests. In 
designing coherent stress scenarios, we draw on many of the modeling 
tools used to inform monetary policy, but also aim to reflect the fact 
that not all significant risks facing banks arise in typical 
recessions. As a result, our scenarios now generally incorporate other 
adverse developments, such as an exceptionally large decline in housing 
prices, the default of the largest counterparty, and a worsening of 
global economic conditions more severe than might normally be expected 
to accompany a deep recession in the United States. In order for our 
stress testing to remain focused on key vulnerabilities facing the 
banking system, our stress scenarios will evolve further over time as 
banking firms' risk characteristics and business models evolve, the 
relationship between scenario variables and banking firm performance 
shifts, and the economic and market environment in which banking firms 
operate changes. Over the past 6 months, the Federal Reserve also has 
increased the transparency of our capital planning and stress testing 
work. We have published both a policy statement describing the scenario 
development process for future capital planning and stress testing 
exercises and a paper discussing our expectations for internal capital 
planning at large banking firms and the range of practices we have 
observed at these companies during the past three CCAR exercises. The 
transparency of our stress testing processes complements our enhanced 
transparency around the results of the exercises and our assessments of 
firms' capital planning, all of which aim to give investors, analysts, 
and the public valuable information about firms' financial conditions 
and resiliency to stress.
Volcker Rule
    In December, the U.S. banking agencies, the Securities and Exchange 
Commission (SEC), and the Commodity Futures Trading Commission 
finalized the Volcker Rule to implement section 619 of the Dodd-Frank 
Act. As you know, the Volcker Rule prohibits banking entities from 
engaging in short-term proprietary trading of certain securities and 
derivatives for their own account. The Volcker Rule also imposes limits 
on banking entities' investments in, and relationships with, hedge 
funds and private equity funds. The finalization of this rule took a 
substantial amount of time and effort in part because of the intrinsic 
challenges in distinguishing between the proprietary trading that is 
outlawed by the Dodd-Frank Act and the hedging and market making 
activities that are allowed by the Act.
    The ultimate success of the final rule will depend on how well the 
implementing agencies supervise and enforce the rule. While the Federal 
Reserve's supervisory role will be less than that of the Office of the 
Comptroller of the Currency and the SEC, we will continue to work with 
the other implementing agencies to develop an effective and consistent 
supervisory framework and to ensure that the Volcker Rule is 
implemented in a manner that upholds the aims of the statute, while not 
jeopardizing important activities such as market making and hedging. In 
pursuit of this goal, shortly after the adoption of the Volcker Rule, 
the Federal Reserve and the other implementing agencies agreed to 
create an interagency working group, which has already begun to meet. 
In mid-January, the five implementing agencies approved an interim 
final rule to permit banking entities to retain interests in certain 
collateralized debt obligations backed primarily by trust preferred 
securities that would otherwise be subject to the Volcker Rule's 
covered fund investment prohibitions.
Derivatives push-out
    In December, the Federal Reserve also approved a final rule 
clarifying the treatment of uninsured U.S. branches and agencies of 
foreign banks under section 716 of the Dodd-Frank Act, which is 
commonly known as the derivatives push-out provision. The provision, 
which became effective in July 2013, generally prohibits certain types 
of Federal assistance, such as discount window lending and deposit 
insurance, to swap entities such as swap dealers and major swap 
participants. Insured depository institutions that are swap entities 
may avail themselves of certain statutory exceptions and are eligible 
for a transition period of up to 2 years to comply with the provision. 
Under the final rule, uninsured U.S. branches and agencies of foreign 
banks are treated as insured depository institutions for the purposes 
of section 716 and therefore qualify for the same statutory exceptions 
as insured depository institutions and are eligible to apply for the 
same transition period relief. The final rule also establishes a 
process for State member banks and uninsured State branches or agencies 
of foreign banks to apply to the Federal Reserve for the transition 
period relief.
Federal Reserve emergency lending authority
    Also in December, the Federal Reserve issued a proposal relating to 
its emergency lending authority in section 13(3) of the Federal Reserve 
Act that would implement sections 1101 and 1103 of the Dodd-Frank Act. 
As required by these statutory provisions, the proposed rule is 
designed to ensure that any emergency lending program or facility is 
adequately secured by collateral to protect taxpayers from loss and is 
for the purpose of providing liquidity to the financial system, and not 
to aid an individual failing financial company.
Risk retention
    Section 941 of the Dodd-Frank Act generally requires firms to 
retain credit risk in securitization transactions that they sponsor. In 
August, the U.S. banking agencies, the Federal Housing Finance Agency, 
the Department of Housing and Urban Development, and the SEC revised a 
proposed rule issued in 2011 to implement that statutory provision. The 
proposed rule would provide securitization sponsors with several 
options to satisfy the risk retention requirements in section 941 and, 
as required by the Dodd-Frank Act, would exempt certain 
securitizations, including securitizations of ``qualified residential 
mortgages'' (QRM), from risk retention. The revised proposal would 
define QRM to have the same meaning as the term ``qualified mortgage'' 
established by the Consumer Financial Protection Bureau in January 
2013, and, as such, would include a maximum back-end debt-to-income 
ratio of 43 percent, a 30-year limit on the term of the mortgage, and a 
3 percent cap on points and fees. While the revised proposal's 
definition of QRM has been broadened as compared to that in the 
original proposal, it continues to exclude many loans with riskier 
product features, such as home-equity lines of credit; reverse 
mortgages; and loans with negative amortization, interest-only, and 
balloon payments. The revised proposal also requested comment on an 
alternative, stricter definition of QRM that would include a maximum 70 
percent loan-to-value ratio requirement and certain credit history 
standards in addition to the qualified mortgage criteria. The comment 
period for the revised proposal closed at the end of October, and the 
agencies are now carefully reviewing comments.
Assessment fees
    Section 318 of the Dodd-Frank Act directs the Federal Reserve to 
collect assessment fees equal to the expenses it estimates are 
necessary or appropriate for the supervision and regulation of large 
financial companies. The Federal Reserve issued a final rule 
implementing this statutory provision in August of last year. The rule, 
which became effective in October, sets forth how the Federal Reserve 
determines which companies are charged, estimates the applicable 
supervisory expenses of the Federal Reserve related to covered 
companies, determines each covered company's assessment fee, and bills 
for and collects the assessment fees. Payments for the 2012 assessment 
period were due in December, and the Board collected approximately $433 
million from 72 companies. As required by law, these fees were 
transferred to the U.S. Treasury.
Key Regulatory Priorities for 2014
    The Federal Reserve's regulatory program in 2014 will concentrate 
on establishing enhanced prudential standards for large U.S. banking 
firms and foreign banks operating in the United States pursuant to 
section 165 of the Dodd-Frank Act and on further enhancing the 
resiliency and resolvability of U.S.-based global systemically 
important banks, or GSIBs.
Enhanced prudential standards for large U.S. and foreign banking firms
    The Federal Reserve has issued proposed rules, pursuant to section 
165 of the Dodd-Frank Act, which would establish enhanced prudential 
standards for U.S. bank holding companies and foreign banking 
organizations with total global consolidated assets of $50 billion or 
more. We anticipate that these rules will be finalized in the near 
term. For the large U.S. bank holding companies, the outstanding 
proposed standards include liquidity requirements, risk-management 
requirements, single-counterparty credit limits, and an early 
remediation regime. Finalizing these outstanding proposals would 
complement the capital planning, resolution planning, and stress 
testing requirements for large U.S. bank holding companies that the 
Board previously finalized.
    The Federal Reserve has also proposed enhanced prudential standards 
for large foreign banking organizations with a U.S. banking presence. 
Prior to the financial crisis, the Federal Reserve's approach to 
regulating the U.S. operations of foreign banks rested on substantial 
structural flexibility for the foreign bank, substantial reliance by 
the Federal Reserve on the supervisory and regulatory framework of the 
foreign bank's home country, and substantial expectations of support by 
the parent foreign bank of its U.S. operations. A number of 
developments since the 1990s prompted a reevaluation of this approach 
to the regulation of foreign banks in the United States, just as the 
Federal Reserve had in the past reevaluated its approach in response to 
changes in the size and scope of foreign banking activities and 
financial market changes. Most notably, the U.S. operations of foreign 
banks in the years leading up to the financial crisis grew much larger 
and became much more complex and interconnected with the rest of the 
U.S. financial system. For example, 5 of the top 10 U.S. broker-dealers 
are currently owned by foreign banks and together hold almost $1.2 
trillion in assets. The U.S. operations of large foreign banks also 
became much more dependent on the most unstable sources of short-term 
wholesale funding and established very substantial net credit exposures 
to the parent foreign bank in the years leading up to the financial 
crisis. As a result, during the crisis, these banks were heavy users of 
the Federal Reserve's liquidity facilities.
    Under the proposed rule, foreign banking organizations with a large 
U.S. presence would be required to organize their U.S. subsidiaries 
under a single U.S. intermediate holding company that would serve as a 
platform for consistent supervision and regulation. These U.S. 
intermediate holding companies would be subject to the same generally 
applicable risk-based capital, leverage, and capital planning 
requirements that apply to U.S. bank holding companies. In addition, 
U.S. intermediate-holding companies and the U.S. branches and agencies 
of foreign banks with a large U.S. presence would be required to meet 
liquidity requirements similar to those applicable to large U.S. bank 
holding companies. The Federal Reserve issued the proposed rule to 
promote the resiliency of the U.S. operations of foreign banking 
organizations and, in turn, U.S. financial stability.
Other regulatory efforts to improve the resiliency and resolvability of 
        GSIBs
    The financial crisis made clear that policymakers must devote 
significant attention to the potential threat to financial stability 
posed by our most systemic financial firms. Accordingly, the Federal 
Reserve has been focused on developing regulatory proposals that are 
designed to reduce the probability of failure of a GSIB to levels that 
are meaningfully below those for less systemically important firms and 
materially reduce the consequences to the broader financial system and 
economy in the event of failure of a GSIB. Our goal has been to 
establish regulations that force GSIBs to internalize the large 
negative externalities associated with their disorderly failure and 
that aim to offset any remaining too-big-to-fail subsidies these firms 
may enjoy.
GSIB risk-based capital surcharges
    A key component of the Federal Reserve's program to improve GSIB 
resiliency is our forthcoming proposal to impose graduated common 
equity risk-based capital surcharges on GSIBs. This proposal will be 
based on the GSIB capital surcharge framework developed by the Basel 
Committee, under which the size of the surcharge for an individual GSIB 
is a function of the firm's systemic importance. We currently are 
working on the implementing regulation for the Basel Committee GSIB 
risk-based capital surcharge framework and expect to issue a proposal 
fairly soon. By further increasing the amount of the most loss-
absorbing form of capital that is required to be held by the firms that 
potentially pose the greatest risk to financial stability, we intend to 
reduce the probability of failure of these firms to offset the greater 
negative externalities their failure would have on the financial system 
and to offset any funding advantage such firms may have because of 
their perceived status as too-big-to-fail.
GSIB leverage surcharges
    To further bolster the regulatory capital regime for the most 
systemic U.S. banking firms, the Federal Reserve and the other U.S. 
banking agencies have proposed to strengthen the internationally 
agreed-upon Basel III leverage ratio as applied to U.S. GSIBs. This 
proposal would require U.S. GSIBs to maintain a tier 1 capital buffer 
of at least 2 percent above the minimum Basel III supplementary 
leverage ratio of 3 percent, for a total of 5 percent. In light of the 
significantly higher risk-based capital rules for GSIBs under Basel 
III, imposing a stricter leverage requirement on these firms is 
appropriate to help ensure that the leverage ratio remains a relevant 
backstop for these firms. And we have calibrated the proposed GSIB 
leverage surcharge thresholds to raise the leverage standards for these 
firms by an amount that is roughly commensurate with the Basel III 
increase in the risk-based capital thresholds for these firms. We 
expect to finalize this proposal in the coming months.
    We also intend to incorporate in the United States the revisions to 
the Basel III leverage ratio recently agreed to by the Basel Committee. 
These changes would strengthen the ratio in a number of ways, including 
by introducing a much stricter treatment of credit derivatives.
Resolvability of GSIBs
    Our enhanced regulation of GSIBs also includes efforts to improve 
their resolvability. The Federal Reserve's resolvability efforts 
include work with the Federal Deposit Insurance Corporation (FDIC) to 
improve the bankruptcy resolution planning of large banking firms and 
work to assist the FDIC in making large banking firms more resolvable 
under the Orderly Liquidation Authority (OLA) of the Dodd-Frank Act.
    The Federal Reserve is consulting with the FDIC on a proposal that 
would require the largest, most complex U.S. banking firms to maintain 
a minimum amount of long-term unsecured debt outstanding at the holding 
company level. While minimum capital requirements are designed to cover 
losses up to a certain statistical probability, in the event that the 
equity of a financial firm is wiped out, successful resolution without 
taxpayer assistance would be most effectively accomplished if a firm 
has sufficient long-term, unsecured debt to absorb additional losses 
and to recapitalize the business transferred to a bridge operating 
company. The presence of debt explicitly identified for possible bail-
in on a ``gone concern'' basis should help other creditors clarify 
their positions in an orderly liquidation process.
    A requirement for long-term debt could have the benefit of 
improving market discipline, since the holders of that debt would know 
they faced the prospect of loss should the firm enter resolution. In 
addition, this requirement should have the effect of preventing the 
erosion of the current long-term debt holdings of GSIBs, which, by 
historical standards, are currently at fairly high levels. Absent a 
minimum requirement of this sort, there likely would be declines in 
these levels as the flatter yield curve of recent years steepens. We 
have recently seen some evidence of the beginnings of such declines. At 
the international level, the Federal Reserve is working through the 
Basel Committee and the Financial Stability Board (FSB) to develop an 
international proposal for gone concern loss absorbency requirements 
for GSIBs.
Regulatory Reform, Shadow Banking, and Short-term Wholesale Funding
    ``Shadow banking'' is a term used to describe a wide variety of 
activities involving credit intermediation and maturity transformation 
outside the insured depository system. These activities are often 
funded through collateralized borrowing arrangements known as 
``securities financing transactions,'' a term that generally refers to 
repos and reverse repos, securities lending and borrowing, and 
securities margin lending. Some of this activity involves the short-
term funding of highly liquid securities, and directly supports the 
current functioning of important markets, including those in which 
monetary policy is executed. Securities financing transactions can also 
directly or indirectly fund less liquid instruments.
    In normal times, lending through securities financing transactions, 
even when backed by less-liquid instruments, appears low-risk because 
of the fact that the transactions are usually short-term, over-
collateralized, and exempt from the automatic stay in insolvency 
proceedings. But during times of stress, lenders may become unwilling 
to lend against a wide range of assets, including very high-quality 
securities, forcing liquidity-strained institutions to rapidly 
liquidate positions. The rapid constriction of large amounts of short-
term wholesale funding and associated asset liquidations in times of 
stress in the financial markets can result in large fire sale 
externalities, direct and indirect contagion to other financial firms, 
and disruptions to financial stability. A dynamic of this type engulfed 
the financial system in 2008.
    While the term ``shadow banking'' suggests activity outside of the 
banking system, reality is more complex. In many cases, shadow banking 
takes place within, or in close proximity to, regulated financial 
institutions. Most of the largest banking organizations rely to a 
significant extent on securities financing transactions and other forms 
of short-term wholesale funding to finance their operations, and if 
such a firm were to come under stress, the fire sale externalities 
could be very similar to those we saw during the financial crisis. 
Banking organizations also participate in shadow banking by lending to 
unregulated shadow banks, and by providing shadow banks with credit and 
liquidity support that enhances their ability to borrow from other 
market participants. In still other cases, unregulated shadow banks are 
able to operate without coming into contact with the banking system. As 
prudential requirements for regulated firms become more stringent, it 
is likely that market participants will face increasing incentives to 
move additional activity beyond the regulatory perimeter.
    Since the crisis, regulators have collectively made progress in 
addressing some of the close linkages between shadow banking and 
traditional banking organizations. We have increased the regulatory 
charges on support that banks provide to shadow banks; for example, by 
including within the LCR requirements for banks to hold liquidity 
buffers when they provide credit or liquidity facilities to 
securitization vehicles or other special purpose entities. Changes have 
also been made to accounting and capital rules that make it more 
difficult for banks to reduce the amount of capital they are required 
to hold by shifting assets off balance sheet.
    We are also addressing risks from derivatives transactions, which 
can pose some of the same contagion and financial stability risks as 
short-term wholesale funding in the event that large volumes of 
derivatives positions must be liquidated quickly. Standardized 
derivatives transactions are currently in the process of moving to 
central clearing, while nonstandardized trades will be subject to 
margin requirements. In September 2013, the Basel Committee and the 
International Organization of Securities Commissions adopted final 
standards on margin requirements that will require financial firms and 
systemically important nonfinancial entities to exchange initial and 
variation margin on a bilateral basis for noncleared derivatives 
trades. The Federal Reserve and other Federal financial regulatory 
agencies are now working to modify the outstanding U.S. proposals on 
noncleared derivatives margin requirements to more closely align them 
with the requirements in this landmark global agreement.
    Still, we have yet to address head-on the financial stability risks 
from securities financing transactions and other forms of short-term 
wholesale funding that lie at the heart of shadow banking. There are 
two fundamental goals that policy should be designed to achieve. The 
first is to address the specific financial stability risks posed by the 
use of large amounts of short-term wholesale funding by the largest, 
most complex banking organizations. The second is to respond to the 
more general macroprudential concerns raised by short-term 
collateralized borrowing arrangements throughout the financial system.
    One option to address concerns specific to large, complex banking 
firms would be to pursue modifications to bank liquidity standards that 
would require firms that have matched books of securities financing 
transactions to hold larger liquid asset buffers or maintain more 
stable funding structures. The Basel Committee has recently proposed 
changes to its Net Stable Funding Ratio that would move in this 
direction.
    A complementary bank regulatory option would be to require banking 
firms that rely on greater amounts of short-term wholesale funding to 
hold higher levels of capital. The rationale behind this approach would 
be that while solid requirements are needed for both capital and 
liquidity adequacy at large banking firms, the relationship between the 
two also matters. For example, a firm with little reliance on short-
term wholesale funding is less susceptible to runs and, thus, to need 
to engage in fire sales that can depress capital levels at the firm and 
impose externalities on the broader financial system. A capital 
surcharge based on short-term wholesale funding levels would add an 
incentive for firms to use more stable funding and, where a firm 
concluded that higher levels of such funding were nonetheless 
economically sensible, the surcharge would increase the loss absorbency 
of the firm. Such a requirement would be consistent with, though 
distinct from, the long-term debt requirement that the Federal Reserve 
is developing to enhance prospects for resolving large firms without 
taxpayer assistance.
    Turning to policies that could be used to address concerns about 
short-term collateralized borrowing arrangements more broadly 
throughout the financial system, the Federal Reserve is also carefully 
analyzing proposals to establish minimum numerical floors for 
collateral haircuts in securities financing transactions. In its most 
universal form, a system of numerical haircut floors for securities 
financing transactions would require any entity that wants to borrow 
against a security to post a minimum amount of excess margin to its 
lender that would vary depending on the asset class of the collateral. 
Like minimum margin requirements for derivatives, numerical haircut 
floors for securities financing transactions would serve as a mechanism 
for limiting the buildup of leverage at the transaction level, and 
could mitigate the risk of pro-cyclical margin calls.
    In August, the FSB issued a consultative document that outlined a 
framework of minimum margin requirements for securities financing 
transactions. The FSB's current proposal has some significant 
limitations, however, including (1) a scope of application that is 
limited to transactions in which a regulated entity lends to an 
unregulated entity against nonsovereign collateral, and (2) a 
relatively low calibration. If the scope of the FSB's proposal was 
expanded to cover a much broader range of firms and securities and the 
calibration of the proposal was strengthened, the FSB proposal could 
represent a significant step toward addressing financial stability 
risks in short-term wholesale funding markets.
Information Security at Financial Institutions
    Before closing, I would like to discuss briefly the Federal 
Reserve's expectations with regard to information security at the 
financial institutions it oversees, as recent events have led to an 
increased focus on the potential for cyber attacks on the information 
technology infrastructures of these institutions.
    Cyber attacks on financial institutions and the data they house 
pose significant risks to the economy and to national security more 
broadly. While some attacks are conducted with the intent of disrupting 
customer access and normal business operations of financial 
institutions, other attacks include malicious software implanted to 
destroy data and systems, intrusions to gain access to unauthorized 
information, and account takeovers for financial fraud. The varied and 
evolving nature of these attacks makes them a continuing challenge to 
address.
    The Federal Reserve requires the financial institutions it 
regulates to develop and maintain effective information security 
programs that are tailored to the complexity of each institution's 
operations and that include steps to protect the security and 
confidentiality of customer information. In addition, to address any 
data breaches that occur, the Federal Reserve requires supervised 
financial institutions to develop and implement programs to respond to 
events in which individuals or firms obtain unauthorized access to 
customer information held by the institution or its service providers. 
Specifically, when a financial institution becomes aware of an incident 
of unauthorized access to sensitive customer information, the 
institution should conduct a reasonable investigation to promptly 
determine the likelihood that the information has been or will be 
misused; assess the nature and scope of the incident; identify the 
types of information that have been accessed or misused; and undertake 
risk mitigation, which can include notifying customers, monitoring for 
unusual account activity, and re-issuing credit and debit cards.
    The Federal Reserve's approach to information security supervision 
leverages internal firm expertise, published guidance, and 
collaboration between the Board, the Reserve Banks, and other U.S. 
banking agencies to promote effective protection of data and systems by 
supervised institutions. The Reserve Banks employ examiners 
specializing in information technology supervision to conduct the bulk 
of their information security examination activities. Federal Reserve 
staff has also developed guidance, some collaboratively with other 
banking regulators, to define expectations for information security and 
data breach management. Nine significant information security guidance 
documents have been issued since July 2001. We are continuing to focus 
on this risk through our participation in the Federal Financial 
Institutions Examination Council's recently established working group 
aimed at enhancing supervisory initiatives on cybersecurity and 
critical infrastructure protection.
    Although many agencies throughout the U.S. Government are working 
to address problems posed by cyber attacks--in part as a result of 
initiatives such as the executive order issued last February that 
directed the National Institute of Standards and Technology to develop 
a cybersecurity framework--we believe there should be increased 
attention and coordination across the Federal Government to support the 
security of the Nation's financial infrastructure. In particular, we 
support efforts to leverage the technical capabilities of law 
enforcement and national security agencies with respect to cyber 
threats and attacks at financial institutions. Financial regulators set 
expectations for security programs and controls at financial 
institutions, and they help to validate that these expectations are 
being met. However, financial regulators do not maintain the technical 
capacity to identify many of the most sophisticated threats, to respond 
to threats as they occur, or to evaluate the alternatives for immediate 
and effective responses to new types of viruses or attacks. We 
appreciate the efforts of U.S. Government agencies to date and 
encourage continued coordination across agencies to ensure the safety 
and security of the financial system.
Conclusion
    The financial regulatory architecture is considerably stronger 
today than it was in the years leading up to the crisis, but work 
remains to complete the post-crisis global financial reform program. 
Over the coming year, the Federal Reserve will be working with other 
U.S. financial regulatory agencies, and with foreign central banks and 
regulators, to propose and finalize a number of the important remaining 
initiatives. In this continuing endeavor, our goal is to preserve 
financial stability at the least cost to credit availability and 
economic growth. We are focused on reducing the probability of failure 
of systemic financial firms, improving the resolvability of systemic 
financial firms, and monitoring and mitigating emerging systemic risks.
    Thank you for your attention. I would be pleased to answer any 
questions you might have.
                                 ______
                                 
               PREPARED STATEMENT OF MARTIN J. GRUENBERG
            Chairman, Federal Deposit Insurance Corporation
                            February 6, 2014
    Chairman Johnson, Ranking Member Crapo and Members of the 
Committee, thank you for the opportunity to testify today on the 
Federal Deposit Insurance Corporation's (FDIC) actions to implement the 
Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank 
Act).
    The FDIC has made significant progress in recent months in 
implementing the new authorities granted by the Act.\1\ My testimony 
will address several topics. First, I will discuss the recently adopted 
regulation implementing the Volcker Rule and the actions we have taken 
on the risk retention and qualified mortgage rules. I will then provide 
an update on our progress in implementing the authority provided to the 
FDIC to resolve systemically important financial institutions and 
proposals to improve the quantity and quality of capital. Finally, I 
will address data integrity issues for the banking industry.
---------------------------------------------------------------------------
    \1\ A summary of the FDIC's progress implementing the provisions of 
the Dodd-Frank Act is attached to this testimony.
---------------------------------------------------------------------------
The Volcker Rule
    Section 619 of the Dodd-Frank Act, also known as ``the Volcker 
Rule,'' requires the Securities and Exchange Commission (SEC), the 
Commodity Futures Trading Commission (CFTC), and the Federal banking 
agencies to adopt regulations to prohibit banking entities from 
engaging in proprietary trading activities and to limit the ability of 
banking entities to invest in, or have certain relationships with, 
hedge funds and private equity funds. In general terms, proprietary 
trading occurs when an entity places its own capital at risk to engage 
in the short-term buying and selling of securities primarily to profit 
from short-term price movements, or enters into derivative products for 
similar purposes.
    On December 10, 2013, the FDIC, along with the Federal Reserve 
Board (FRB), the Office of the Comptroller of the Currency (OCC), the 
SEC, and the CFTC, adopted a final rule implementing Section 619. The 
Volcker Rule is designed to strengthen the financial system and 
constrain the level of risk undertaken by firms that benefit, directly 
or indirectly, from the Federal safety net provided by Federal deposit 
insurance or access to the Federal Reserve's discount window. The 
challenge to the agencies in implementing the Volcker Rule was to 
prohibit the types of proprietary trading and investment activity that 
Congress intended to limit, while allowing banking organizations to 
provide legitimate intermediation in the capital markets.
    In finalizing this rule, the agencies carefully reviewed more than 
18,000 comments and made changes to the original proposal to address 
commenters' concerns. The final rule is intended to preserve legitimate 
market making and hedging activities while maintaining market liquidity 
and vibrancy. The final rule also is designed to reduce overall burden 
by focusing requirements on those institutions that are more likely to 
engage in proprietary trading and covered fund activities.
    The final rule is structured around the three main elements of 
Section 619: 1) the proprietary trading prohibition, 2) the covered 
funds prohibition, and 3) the compliance requirements.
Proprietary Trading Prohibition
    In general, the final rule prohibits proprietary trading by banking 
entities. However, consistent with Section 619, the final rule includes 
exemptions for underwriting, market making, and risk-mitigating 
hedging, among other exemptions provided in the final rule.
    The underwriting exemption requires that a banking entity act as an 
underwriter for a distribution of securities and that the trading 
desk's underwriting position be related to that distribution. The 
underwriting position must be designed not to exceed the reasonably 
expected near-term demands of customers.
    The exemption for market making-related activities requires that a 
trading desk routinely stand ready to purchase and sell one or more 
types of financial instruments. The trading desk's inventory of these 
instruments must be designed not to exceed the reasonably expected 
near-term demands of customers.
    Under the final rule, determining customer demand is based on such 
things as historical demand and consideration of current market 
factors. A market-making desk may hedge the risks of its market-making 
activity under this exemption, provided it is acting in accordance with 
certain risk management procedures required under the final rule.
    The requirements of the risk-mitigating hedging exemption are 
generally designed to ensure that hedging activity is limited to risk-
mitigating hedging in purpose and effect. For instance, hedging 
activity must be designed to demonstrably reduce or significantly 
mitigate specific, identifiable risks of individual or aggregated 
positions of the banking entity. In addition, the banking entity must 
conduct an analysis (including a correlation analysis) supporting its 
documented hedging strategy, and the effectiveness of hedges must be 
monitored and, as necessary, recalibrated on an ongoing basis.
    Under the final rule, a banking entity would be allowed to hedge 
individual exposures or aggregate exposures--for example, a specific 
loan book. However, a banking entity would not be allowed to engage in 
so-called ``macro hedging.'' The result is to allow cost-effective, 
risk-reducing hedging while preventing banking entities from entering 
into speculative transactions under the guise of hedging.
    The final rule allows a bank to engage in proprietary trading in 
certain Government obligations and generally does not prohibit certain 
trading activities of foreign banking entities, provided the trading 
decisions and principal risks of the foreign banking entity occur and 
are held outside of the United States. Such transactions may involve 
U.S. entities only under particular circumstances. The final rule also 
clarifies other exclusions and exempts certain other permitted 
activities.
Covered Funds Prohibition
    The final rule prohibits banking entities from owning and 
sponsoring ``hedge funds'' and ``private equity funds,'' referred to in 
the final rule as ``covered funds.'' The final rule follows the 
statutory definition of covered funds and encompasses any issuer that 
would be an investment company under the Investment Company Act if it 
were not otherwise excluded by two provisions of that Act (section 
3(c)(1) or 3(c)(7)). The final rule also includes in the definition of 
covered funds other similar funds such as certain foreign funds and 
commodity pools, which are defined in a more limited manner than under 
the proposed rule.
    The final rule includes a number of exclusions from the definition 
of covered funds. These exclusions cover certain entities having more 
general corporate purposes (such as wholly owned subsidiaries or joint 
ventures), registered investment companies and business development 
companies regulated by the SEC and any issue of securities backed 
entirely by loans subject to certain asset restrictions.\2\
---------------------------------------------------------------------------
    \2\ Accordingly, covered funds do not generally include 
securitizations such as residential mortgage-backed securities 
(including GSE exposures), commercial mortgage-backed securities, auto 
securitizations, credit card securitizations, and commercial paper 
backed by conforming asset-backed commercial paper conduits. Certain 
other securitizations, such as collateralized loan obligations or 
collateralized debt obligations, will likely meet the definition of 
covered funds if they are unable to divest impermissible assets during 
the conformance period.
---------------------------------------------------------------------------
    Consistent with the Dodd-Frank Act, the final rule designates 
certain activities as permissible. The final rule permits a banking 
entity, subject to appropriate conditions, to invest in or sponsor a 
covered fund in connection with organizing and offering the covered 
fund, underwriting or market making-related activities, certain types 
of risk-mitigating hedging activities, activities that occur solely 
outside of the United States, and insurance company activities.
    The final rule places a number of limitations on permitted 
ownership interests in covered funds. In general, consistent with the 
statute, the final rule provides that a banking entity may not have any 
ownership in a covered fund unless it qualifies for an exemption such 
as organizing and offering the fund in accordance with requirements of 
the final rule or acting as a market maker for the fund. A banking 
entity that organizes and offers a covered fund must limit its total 
interest in each covered fund to no more than 3 percent of the 
ownership interests issued by the covered fund, and to no more than 3 
percent of the value of the entire covered fund. However, if the 
covered fund is subject to risk retention requirements that must be 
satisfied by the banking entity, the final rule provides that the 
banking entity may retain additional ownership interests in the covered 
fund in order to satisfy any minimum risk retention requirement that 
may be established by the agencies by regulation. In addition, the 
aggregate of all interests the banking entity has in all covered funds 
may not exceed 3 percent of the banking entity's tier 1 capital. 
Finally, the banking entity must deduct the value of all of its 
interests in covered funds and any retained earnings from its capital 
for purposes of applying the regulatory capital standards.
    Certain other securitizations, such as collateralized loan 
obligations, will be excluded from the definition of a covered fund if 
they are backed exclusively by loans. However, securitizations that 
currently include assets other than loans can be excluded from the 
definition of covered funds if they divest impermissible assets during 
the conformance period. For securitizations that are covered funds, the 
conditions for a banking entity to be permitted an ownership interest 
in these types of securitizations are, with one exception described 
below, the same conditions that apply to any other covered fund--for 
instance, it organizes and offers the securitization or engages in 
underwriting or market making-related activities.
Compliance Requirements
    In order to ensure compliance with the final rule, institutions 
engaged in covered practices will be required to have compliance 
programs in place commensurate with their size and level of activity. 
The agencies will monitor compliance through the compliance programs 
established by the institutions they regulate. To ensure consistent 
application of the final rule across all banking entities, the FDIC, 
FRB, OCC, SEC and CFTC have formed an interagency Volcker Rule 
Implementation Working Group (Working Group). The Working Group will 
address implementation issues on an ongoing basis and will provide the 
industry with additional guidance or clarity as necessary. The Working 
Group has begun meeting and will meet regularly to address reporting, 
guidance and interpretation issues to facilitate compliance with the 
rule.
    The final rule generally requires banking entities to establish an 
internal compliance program reasonably designed to ensure and monitor 
compliance with the final rule. In response to concerns raised by some 
commenters, the final rule provides compliance requirements that vary 
based on the size of the banking entity and the amount of covered 
activities it conducts. For example, banking entities that do not 
engage in activities covered by the final rule will have no compliance 
program requirements.
    Under the final rule, larger banking entities with $50 billion or 
more in total consolidated assets must establish a more detailed 
compliance program as described in Appendix B of the final rule, 
including requirements that:

    The banking entity adopt a written compliance program 
        approved by the board of directors;

    The board of directors and senior management are 
        responsible for setting and communicating an appropriate 
        culture of compliance and ensuring that appropriate policies 
        regarding the management of trading activities and covered fund 
        activities or investments are adopted to comply with the 
        requirements of the final rule; and

    The chief executive officer of the banking entity must 
        annually attest in writing to its primary Federal regulator 
        that the banking entity has in place processes to establish, 
        maintain, enforce, review, test, and modify the compliance 
        program in a manner reasonably designed to achieve compliance 
        with the final rule.

    Banking entities with total consolidated assets between $10 billion 
and $50 billion will be subject to the minimum compliance program 
requirements included in section 20(b) of the final rule.
    Finally, the final rule requires banking entities with significant 
trading operations to report certain quantitative metrics related to 
trading activities, in accordance with section 20(d) and Appendix A of 
the final rule. These metrics are designed to monitor certain trading 
activities and will be phased in over a period of time based on the 
type and size of the firm's trading activities.
Burden Reduction
    While the requirements of Section 619 apply to all banking entities 
regardless of size, the prohibited proprietary trading activities and 
investments in, and relationships with, hedge funds and private equity 
funds that are covered by the final rule are generally conducted by 
larger, more complex banking organizations. As a result, the final rule 
is designed to avoid placing needless requirements on banks that do not 
engage in these activities or have only limited exposure.
    The final rule focuses compliance requirements on those 
institutions that are more likely to engage in prohibited proprietary 
trading and covered fund activities. Under the final rule, a bank is 
exempt from all of the compliance program requirements, and all of the 
associated costs, if it limits its covered activities to activities 
that are excluded from the definition of proprietary trading, such as 
trading in certain Government, agency, State, and municipal 
obligations. In particular, the final rule provides that a banking 
entity is not required to implement a compliance program if it does not 
engage in activities or investments covered by the rule. This 
eliminates the compliance burden on banking entities that do not engage 
in covered activities or investments.
    A banking entity with total consolidated assets of $10 billion or 
less that engages in covered activities can meet the compliance 
requirements of the final rule simply by including in its existing 
compliance policies and procedures references to the requirements of 
section 13 of the Bank Holding Company Act and subpart D of the final 
rule as appropriate given the activities, size, scope and complexity of 
the banking entity. This significantly reduces the compliance burden on 
smaller banking entities that engage in a limited amount of covered 
activities or investments.
    The final rule requires all other banking entities to establish a 
compliance program designed to ensure compliance with Section 619 and 
the requirements set forth in the final rule. Even for banking entities 
that must establish a compliance program, the final rule makes changes 
from the NPR to reduce the burden of the metrics reporting 
requirements. For example, the final rule raised the threshold for 
metrics reporting from the $1 billion in trading assets and liabilities 
threshold originally proposed to $10 billion in trading assets and 
liabilities, thereby capturing only firms that engage in very 
significant trading activity. The final rule also reduced the number of 
mandatory trading metrics required to be reported to the agencies from 
around 20 in the original proposal to 7 in the final rule. 
Additionally, the final rule provided for metrics reporting to be 
phased-in based on the size of the banking entity's trading assets and 
liabilities, with banks with more than $50 billion in trading assets 
and liabilities reporting first, followed by banks with more than $25 
billion in trading assets and liabilities, and then banks with more 
than $10 billion in trading assets and liabilities.
Treatment of TruPS CDOs
    Following the issuance of the final rule implementing section 619, 
a number of community banking organizations expressed concern that the 
final rule conflicts with the Congressional determination under section 
171(b)(4)(C) of the Dodd-Frank Act to grandfather trust preferred 
securities (TruPS). On December 19 and December 27, 2013, the banking 
agencies issued joint statements providing guidance to financial 
institutions regarding the potential impact of the final rule on the 
treatment of TruPS held in collateralized debt obligations (CDOs). 
These statements outlined some of the issues that must be resolved in 
order to determine whether ownership of an interest in a securitization 
vehicle that holds primarily TruPS would be subject to the provisions 
of section 619 of the Dodd-Frank Act and the final implementing 
rules.\3\
---------------------------------------------------------------------------
    \3\ http://www.fdic.gov/news/news/press/2013/pr13123.html; 
http://www.fdic.gov/news/news/press/2013/pr13126a.pdf.
---------------------------------------------------------------------------
    Following additional review, the agencies determined that it is 
appropriate and consistent with the provisions of the Dodd-Frank Act to 
exempt certain collateralized debt obligations backed primarily by 
trust preferred securities (TruPS CDOs) from the investment 
prohibitions of section 619 of the Act. Section 171 of the Dodd-Frank 
Act provides for the grandfathering of TruPS issued before May 19, 
2010, by certain depository institution holding companies with total 
assets of less than $15 billion as of December 31, 2009, and by mutual 
holding companies established as of May 19, 2010. The TruPS CDO 
structure was the vehicle that gave effect to the use of TruPS as a 
regulatory capital instrument prior to May 19, 2010, and was part of 
the status quo that Congress preserved with the grandfathering 
provision of section 171.
    The interim final rule (IFR) adopted by the agencies on January 14, 
2014 \4\ is consistent with the relief the agencies believe Congress 
intended to provide community banking organizations under section 
171(b)(4)(C) of the Dodd-Frank Act. Under the IFR, the agencies have 
exempted TruPS CDOs that meet specific criteria from the prohibition on 
the acquisition or retention of any interest in or sponsorship of 
covered funds by banking entities. The Federal banking agencies also 
released a nonexclusive list of issuers that meet the requirements for 
the exemption.\5\ The IFR is clear that banking organizations can rely 
solely on this list for compliance purposes. The agencies will accept 
public comment on the IFR for 30 days following its publication in the 
Federal Register.
---------------------------------------------------------------------------
    \4\ http://www.fdic.gov/news/news/press/2014/pr14003a.pdf.
    \5\ http://www.fdic.gov/news/news/press/2014/pr14003b.pdf.
---------------------------------------------------------------------------
Risk Retention
    On August 28, 2013, the FDIC Board approved an NPR issued jointly 
with five other Federal agencies to implement the credit risk retention 
requirement set forth in Section 941 of the Dodd-Frank Act, which seeks 
to ensure that securitization sponsors have appropriate incentives for 
prudent underwriting. The proposed rule generally requires that the 
sponsor of any asset-backed security (ABS) retain an economic interest 
equal to at least 5 percent of the aggregate credit risk of the 
collateral. This is the second proposal under Section 941; the first 
was issued in April 2011.
    The current NPR provides the sponsors of ABSs with various options 
for meeting the risk retention requirements. As required by the Dodd-
Frank Act, the proposed rule defines a ``qualified residential 
mortgage'' (QRM), that is, a mortgage which is statutorily exempt from 
risk retention requirements. The NPR would align the definition of QRM 
with the definition of ``qualified mortgage'' (QM) as prescribed by the 
Consumer Financial Protection Bureau (CFPB) in 2013. The NPR also 
includes a request for public comment on an alternative QRM definition 
that would add certain underwriting standards to the existing QM 
definition. Similar to the prior proposal, the current proposal sets 
forth criteria for securitizations of commercial real estate loans, 
commercial loans, and automobile loans that meet certain conservative 
credit quality standards to be exempt from risk retention requirements.
    The FDIC has received approximately 150 comments on the current 
NPR. A number of comments relate to risk retention issues regarding 
open market collateralized loan obligations (CLOs).\6\ The proposed 
rule considers an open market CLO manager to be a securitization 
sponsor and, therefore, the manager would generally be required to 
retain 5 percent of the credit risk of CLO issuances. As an 
alternative, managers or sponsors could satisfy the risk retention 
requirement if the lead arrangers of the loans (typically the main 
lender) purchased by the open market CLO retained the required risk. 
Some commenters have argued that the lead arranger option is unworkable 
and that the proposal would significantly affect the formation and 
continued operation of CLOs, and that this could reduce the volume of 
commercial lending. The agencies are continuing to review comments and 
meet with interested groups to discuss their concerns and will give 
full consideration to all issues raised before we issue the final rule.
---------------------------------------------------------------------------
    \6\ An open market CLO is defined as one (i) whose assets consist 
of senior, secured syndicated loans acquired directly from the sellers 
in open market transactions and of servicing assets, (ii) that is 
managed by a CLO manager, and (iii) that holds less than 50 percent of 
its assets, by aggregate outstanding principal amount, in loans 
syndicated by lead arrangers that are affiliates of the CLO or 
originated by originators that are affiliates of the CLO.
---------------------------------------------------------------------------
Examination Treatment of Qualified Mortgages
    Recognizing that many institutions are assessing how to implement 
the Ability-to-Repay and QM rules issued by the CFPB, the Federal 
financial regulators jointly issued interagency statements on their 
supervisory approach for residential mortgage loans. The agencies 
emphasize that an institution may originate both QM and non-QM 
residential mortgage loans. A bank's decision to offer only QM loans, 
absent other factors, should not elevate a supervised institution's 
fair lending risk and is compatible with meeting Community Reinvestment 
Act obligations. The interagency statements emphasize that the agencies 
will not subject a residential mortgage loan to regulatory criticism--
either from a safety and soundness or consumer protection perspective--
based solely on the loan's status as a QM or a non-QM.
Resolution of Systemically Important Financial Institutions
Resolution Plans--``Living Wills''
    Under the framework of the Dodd-Frank Act, bankruptcy is the 
preferred option in the event of the failure of a SIFI. To make this 
objective achievable, Title I of the Dodd-Frank Act requires that all 
bank holding companies with total consolidated assets of $50 billion or 
more, and nonbank financial companies that the Financial Stability 
Oversight Council (FSOC) determines could pose a threat to the 
financial stability of the United States, prepare resolution plans, or 
``living wills,'' to demonstrate how the company could be resolved in a 
rapid and orderly manner under the Bankruptcy Code in the event of the 
company's financial distress or failure. The living will process is an 
important new tool to enhance the resolvability of large financial 
institutions through the bankruptcy process.
    The 165(d) Rule, jointly issued by the FDIC and the Federal Reserve 
Board in 2011, implemented the requirements for resolution plans and 
provided for staggered annual submission deadlines based on the size 
and complexity of the companies. Eleven of the largest, most complex 
institutions submitted initial plans in 2012 and revised plans in 2013. 
During 2013, the remaining 120 institutions submitted their initial 
resolution plans under the 165(d) rule. In addition, in 2013, the FSOC 
designated three nonbank financial institutions for Federal Reserve 
Board supervision. These firms are expected to submit their initial 
resolution plans in 2014.
2013 Guidance on Living Wills
    Following the review of the initial resolution plans submitted in 
2012, the agencies developed Guidance for the firms to detail the 
information that should be included in their 2013 resolution plan 
submissions. The agencies identified an initial set of significant 
obstacles to rapid and orderly resolution which covered companies are 
expected to address in the plans, including the actions or steps the 
company has taken or proposes to take to remediate or otherwise 
mitigate each obstacle and a timeline for any proposed actions. These 
eleven institutions submitted their revised resolution plans in October 
2013.
    As required by the statute, the resolution plans submitted in 2013 
will be subject to informational completeness reviews and reviews for 
resolvability under the Bankruptcy Code. The agencies are reviewing how 
each resolution plan addresses a set of benchmarks outlined in the 
Guidance which represent the key impediments to an orderly resolution. 
The benchmarks are as follows:

    Multiple Competing Insolvencies: Multiple jurisdictions, 
        with the possibility of different insolvency frameworks, raise 
        the risk of discontinuity of critical operations and uncertain 
        outcomes;

    Global Cooperation: The risk that lack of cooperation could 
        lead to ring-fencing of assets or other outcomes that could 
        exacerbate financial instability in the United States and/or 
        loss of franchise value, as well as uncertainty in the markets;

    Operations and Interconnectedness: The risk that services 
        provided by an affiliate or third party might be interrupted, 
        or access to payment and clearing capabilities might be lost;

    Counterparty Actions: The risk that counterparty actions 
        may create operational challenges for the company, leading to 
        systemic market disruption or financial instability in the 
        United States; and

    Funding and Liquidity: The risk of insufficient liquidity 
        to maintain critical operations arising from increased margin 
        requirements, acceleration, termination, inability to roll over 
        short-term borrowings, default interest rate obligations, loss 
        of access to alternative sources of credit, and/or additional 
        expenses of restructuring.

    The FDIC and the Federal Reserve are charged with reviewing the 
165(d) plans and may jointly find that a plan is not credible or would 
not facilitate an orderly resolution under the Bankruptcy Code. If a 
plan is found to be deficient in either case, the FDIC and the Federal 
Reserve must notify the filer of the areas in which the plan is 
deficient. The filer must resubmit a revised plan that addresses the 
deficiencies within 90 days (or other specified timeframe). The FDIC 
and the Federal Reserve currently are in the process of reviewing the 
plans under the standards provided in the statute.
Orderly Liquidation Authority
    In cases where resolution under the Bankruptcy Code may result in 
serious adverse effects on financial stability in the United States, 
the Orderly Liquidation Authority set out in Title II of the Dodd-Frank 
Act serves as the last resort alternative. Upon recommendations by a 
two-thirds vote of the Federal Reserve Board and the FDIC Board and a 
determination by the Treasury Secretary in consultation with the 
President, a financial company whose failure is deemed to pose a risk 
to the financial system may be placed into an FDIC receivership. Under 
the Act, key findings and recommendations must be made before the 
Orderly Liquidation Authority can be considered as an option. These 
include a determination that the financial company is in default or 
danger of default, that failure of the financial company and its 
resolution under applicable Federal or State law, including bankruptcy, 
would have serious adverse effects on financial stability in the United 
States and that no viable private sector alternative is available to 
prevent the default of the financial company.
    In my July 11, 2013 testimony before this Committee, I described 
how the FDIC is developing a strategic approach, referred to as Single 
Point-of-Entry (SPOE), to carry out its Orderly Liquidation Authority 
for resolving a SIFI. Under the SPOE strategy, the FDIC would be 
appointed receiver of the top-tier parent holding company of the 
financial group following the company's failure and the completion of 
the recommendation, determination, and expedited judicial review 
process set forth in Title II of the Act. The FDIC would organize a 
bridge financial company into which assets from the receivership 
estate, including the failed holding company's investments in, and 
loans to, subsidiaries, would be transferred.
    The FDIC would oversee operations of the bridge financial company 
and would retain control over certain high-level key matters of the 
bridge financial company's governance. Shareholders would be wiped out, 
unsecured debt holders would have their claims written down to reflect 
any losses that shareholders cannot cover, and culpable senior 
management would be replaced. The FDIC would appoint a board of 
directors and nominate a new chief executive officer and other key 
managers to operate the bridge financial company under the FDIC's 
oversight. The plan for restructuring the company could include 
changing business, shrinking businesses, breaking the company into 
smaller entities, and liquidating certain assets or closing certain 
operations. The FDIC also would likely require the restructuring of the 
firm into one or more smaller nonsystemic firms that could be resolved 
under bankruptcy.
    During the operation of the bridge financial company, the healthy 
subsidiaries of the company would remain open, allowing them to 
continue business. In this manner the resolution strategy would protect 
against contagion in the financial system by maintaining vital linkages 
among critical operating subsidiaries, ensuring continuity of services, 
and avoiding the disruption that would likely accompany failure. At the 
same time, the strategy would protect against moral hazard by holding 
accountable the failed company's owners and management responsible for 
its failure.
    On December 10, 2013, the FDIC Board approved publication of a 
Federal Register notice \7\ which provides greater detail on the SPOE 
strategy and discusses the key issues that will be faced in the 
resolution of a SIFI. The notice seeks public comment and views as to 
how the policy objectives set forth in the Dodd-Frank Act could better 
be achieved.
---------------------------------------------------------------------------
    \7\ FDIC, Resolution of Systemically Important Financial 
Institutions: The Single Point of Entry Strategy, 78 Fed. Reg. 76,614 
(Dec. 18, 2013).
---------------------------------------------------------------------------
    In addition, the Federal Reserve, in consultation with the FDIC, is 
considering the merits of a regulatory requirement that the largest, 
most complex U.S. banking firms maintain a minimum amount of unsecured 
debt at the holding company level. Such a requirement would ensure that 
there are creditors at the holding company level to absorb losses at 
the failed firm.
Cross-border Issues
    Advance planning and cross-border coordination for the resolution 
of globally active SIFIs will be essential to minimizing disruptions to 
global financial markets. Recognizing that global SIFIs create complex 
international legal and operational concerns, the FDIC continues to 
reach out to foreign regulators to establish frameworks for effective 
cross-border cooperation.
    As part of our bilateral efforts, the FDIC and the Bank of England, 
in conjunction with the prudential regulators in our respective 
jurisdictions, have been developing contingency plans for the failure 
of a global SIFI that has operations in the United States and the 
United Kingdom. Of the 28 G-SIFIs designated by the Financial Stability 
Board (FSB) of the G-20 countries, four are headquartered in the United 
Kingdom, and another eight are headquartered in the United States. 
Moreover, approximately 70 percent of the reported foreign activities 
of the eight U.S. G-SIFIs emanates from the United Kingdom. The 
magnitude of these financial relationships makes the U.S.-U.K. 
bilateral relationship by far the most significant with regard to the 
resolution of G-SIFIs. Because of the magnitude of these institutions' 
operations, our two countries have a strong mutual interest in ensuring 
that the failure of such an institution could be resolved at no cost to 
taxpayers and without placing the financial system at risk.
    The FDIC and U.K. authorities released a joint paper on resolution 
strategies in December 2012, reflecting the close working relationship 
between the two authorities. This joint paper focuses on the 
application of ``top-down'' resolution strategies for a U.S. or a U.K. 
financial group in a cross-border context and addresses several common 
considerations to these resolution strategies. In December 2013, the 
FDIC and the Bank of England, including the Prudential Regulation 
Authority, in conjunction with the Federal Reserve Board and the 
Federal Reserve Bank of New York, held a staff-level tabletop exercise 
exploring cross-border issues and potential mitigating actions that 
could be taken by regulators in the event of a resolution.
    The FDIC also is coordinating with representatives from European 
authorities to discuss issues of mutual interest, including the 
resolution of European global SIFIs and ways in which we can harmonize 
receivership actions. The FDIC and the European Commission (E.C.) have 
established a joint Working Group composed of senior executives from 
the FDIC and the E.C. to focus on both resolution and deposit insurance 
issues. The agreement establishing the Working Group provides for 
meetings twice a year with other interim interchanges and the exchange 
of detailees. In 2013, the Working Group convened formally twice, and 
there has been ongoing collaboration at the staff level. The FDIC and 
the E.C. have had in-depth discussions regarding the FDIC's experience 
with resolution as well as the SPOE strategy that we are developing. We 
also have discussed the E.C.'s proposed EU-wide Credit Institution and 
Investment Firm Recovery and Resolution Directive, the E.C.'s proposed 
amendment to harmonize further deposit guarantee schemes EU-wide, and 
the E.C.'s proposal for a Single Resolution Mechanism that would apply 
to Euro-area Member States, as well as any others that would opt-in. 
The FDIC and the E.C. also have exchanged staff members for short 
periods to enhance staff experience with respective resolution 
authorities. In 2014, at the request of the E.C., the FDIC is planning 
to conduct a training seminar on resolutions for E.C. staff.
    The FDIC continues to foster its relationships with other 
jurisdictions that regulate global SIFIs, including Switzerland, 
Germany, and Japan. In 2013, the FDIC had significant principal and 
staff-level engagements with these countries to discuss cross-border 
issues and potential impediments that would affect the resolution of a 
global SIFI. We will continue this work in 2014 with plans to host 
tabletop exercises with staff from these authorities. We also have 
discussed developing joint resolution strategy papers, similar to the 
one with the United Kingdom, as well as possible exchanges of 
detailees.
    In a significant demonstration of cross-border cooperation on 
resolution issues, the FDIC signed a November 2013 joint letter with 
the Bank of England, the Swiss Financial Market Supervisory Authority 
and the German Federal Financial Supervisory Authority, to the 
International Swaps and Derivatives Association, Inc. (ISDA). This 
letter encouraged ISDA to develop provisions in derivatives contracts 
that would provide for short-term suspension of early termination 
rights and other remedies in the event of a G-SIFI resolution. The 
adoption of such changes would allow derivatives contracts to remain in 
effect throughout the resolution process following the implementation 
of a number of potential resolution strategies.
    We anticipate continuation of our international coordination and 
outreach and will continue to work to resolve impediments to an orderly 
resolution of a global SIFI.
Capital and Liquidity Requirements
Interagency Rulemakings on Basel III and the Supplementary Leverage 
        Ratio
    In July 2013, the FDIC Board acted on two important regulatory 
capital rulemakings. First, the FDIC joined the Federal Reserve and 
the OCC in issuing rulemakings that significantly revise and strengthen 
risk-based capital regulations through implementation of the Basel III 
international accord (``Basel III rulemaking''). Second, these agencies 
also issued an NPR that would strengthen leverage capital requirements 
for the eight largest U.S. bank holding companies (BHCs) and their 
insured banks.
    The Basel III rulemaking substantially strengthens both the quality 
and the quantity of risk-based capital for all banks in the U.S. by 
placing greater emphasis on tier 1 common equity capital. Tier 1 common 
equity capital is widely recognized as the most loss-absorbing form of 
capital, and the Basel III changes are expected to result in a 
stronger, more resilient industry better able to withstand periods of 
economic stress in the future.
    The Basel III rulemaking also includes a new supplementary leverage 
ratio requirement, an issue agreed in the Basel III international 
accord. This represents an important enhancement to the international 
capital framework. Prior to this rule, there was no international 
leverage ratio requirement. For the first time, the Basel III accord 
included an international minimum leverage ratio, and consistent with 
the agreement, the Basel III rulemaking includes a 3-percent minimum 
supplementary leverage ratio that applies only to the 17 large banking 
organizations subject to the advanced approaches rule.
    As noted above, the NPR would strengthen the supplementary leverage 
requirements encompassed in the Basel III rulemaking for the eight 
largest BHCs and their insured banks. The NPR would require covered 
insured depository institutions (IDIs) to satisfy a 6-percent 
supplementary leverage ratio to be considered well capitalized for 
prompt corrective action (PCA) purposes. BHCs covered by the NPR would 
need to maintain a supplementary leverage ratio of at least 5 percent 
(a 3-percent minimum plus a 2-percent buffer) to avoid restrictions on 
capital distributions and executive compensation.
    As the NPR points out, maintaining a strong capital base at the 
largest, most systemically important institutions is particularly 
important because capital shortfalls at these institutions can 
contribute to systemic distress and have material adverse economic 
effects. The agencies' analysis suggests that a 3-percent minimum 
supplementary leverage ratio contained in the Basel III accord would 
not have appreciably mitigated the growth in leverage among 
systemically important institutions in the years preceding the recent 
crisis. The FDIC views this as problematic because one of the most 
important objectives of the capital reforms was to address the buildup 
of excessive leverage.
    While the Basel III rulemaking raises risk-based capital 
requirements significantly, the minimum supplementary leverage ratio 
provided in Basel III does not raise leverage capital comparably. From 
a safety and soundness perspective, leverage capital requirements and 
risk-based capital requirements are complementary. Each offsets the 
potential weaknesses of the other, and the two working together--as 
they have in the U.S. for over 20 years--are more effective than either 
by itself. For example, risk-weighted asset calculations are subject to 
modeling error, subjectivity, and other uncertainties. These weaknesses 
can be offset by a more robust leverage ratio. On the other hand, risk-
based capital measures are useful because they may better capture the 
risk posed by different kinds of assets. The NPR is intended to 
increase leverage capital to maintain rough comparability with the 
increase in risk-based capital required under Basel III.
    Higher capital requirements would help offset systemic risk and 
would also put additional private capital at risk before the Deposit 
Insurance Fund (DIF) and the Federal Government's resolution mechanisms 
would be called upon. This proposed rulemaking is one of the most 
important steps the banking agencies could take to strengthen the 
safety and soundness of the U.S. banking and financial systems.
Rule on the Liquidity Coverage Ratio and the Net Stable Funding Ratio 
        Proposal
    A number of large financial institutions experienced significant 
liquidity problems during the financial crisis that exacerbated stress 
on the banking system, and more broadly, compromised financial 
stability. In response, the U.S. banking agencies have made a concerted 
effort, both domestically and internationally, to strengthen liquidity 
and short-term funding requirements for the largest U.S. banking 
organizations.
    In October 2013, the FDIC, together with the OCC and the Federal 
Reserve, issued an interagency proposed rule to implement a 
quantitative liquidity requirement consistent with the Liquidity 
Coverage Ratio (LCR) developed by the Basel Committee on Banking 
Supervision on which the U.S. banking agencies serve as members. The 
LCR rule would apply to large, internationally active banking 
organizations and their consolidated subsidiary depository institutions 
with $10 billion or more in total consolidated assets and is an 
important step in helping to bolster the resilience of these 
organizations during periods of financial stress. The proposal requires 
banks to hold a minimum level of liquid assets to withstand contingent 
liquidity events and provides a standard way of expressing a bank's on-
balance sheet liquidity position to stakeholders and supervisors. The 
proposal establishes a transition schedule under which covered 
companies must fully meet the minimum LCR by January 1, 2017, 2 years 
earlier than the Basel deadline. The comment period on this proposal 
closed on January 31, 2014.
    In January 2014, the Basel Committee issued a related proposal to 
establish a Net Stable Funding Ratio (NSFR). The NSFR proposal 
complements the LCR by promoting stable funding profiles over the 
longer term by limiting over-reliance on short-term wholesale funding, 
improving the assessment of funding risk for on- and off-balance sheet 
items, and encouraging stable sources of funding. To meet the proposed 
NSFR requirement, the largest U.S. banks would have to maintain a 
minimum level of stable funding given the liquidity characteristics of 
their assets and off-balance sheet exposures. The FDIC strongly 
supports the Basel Committee's NSFR proposal, and we anticipate that 
the U.S. banking agencies will develop a similar domestic rule once the 
Basel Committee's consultation period ends in April of this year.
Data Integrity
    Recent highly publicized data breaches have highlighted payment 
card data integrity issues at merchants. Compromised payment card data 
can affect millions of consumers and thousands of issuing banks 
globally. Consequently, payment card data integrity has been, and 
remains, a concern of the Federal banking regulators. Although the 
Federal banking agencies do not have the authority to regulate the 
payment card operations of retail merchants, such as those subject to 
the recent breaches in the news, the FDIC and the other Federal banking 
regulators are able to examine merchant acceptance and payment card 
issuing operations that occur under the direct control of a bank.
    The FDIC treats data security as a significant risk area due to its 
potential to disrupt bank operations, harm consumers, and undermine 
confidence in the banking system and economy. The failure or misuse of 
technology can impact the safety and soundness of an institution with 
sudden and severe losses, directly harm consumers, or both.
    In its role as supervisor of insured institutions, the FDIC 
analyzes emerging cyber threats, occurrences of bank security breaches, 
and other incidents. The FDIC monitors security issues in the banking 
industry on a regular basis through onsite examinations and regulatory 
reports. The FDIC, through its membership in the Financial and Banking 
Information Infrastructure Committee (FBIIC), works with groups such as 
the Financial Services Sector Coordinating Council (FSSCC), other 
regulatory agencies, law enforcement and others to share information 
regarding emerging issues and coordinate our responses.
    Additionally, the Federal Financial Institutions Examination 
Council formed a Cybersecurity and Critical Infrastructure Working 
Group in June 2013. This working group will serve as a liaison with the 
intelligence community, law enforcement and homeland security agencies 
on cybersecurity and critical infrastructure protection-related issues. 
It also will conduct programs to create cyber risk awareness and 
consider additional industry guidance on specific threats. Finally, the 
group is pursuing an agenda for the member agencies to collaborate on 
cybersecurity and critical infrastructure issues related to examination 
policy, training, information sharing and incident communication and 
coordination.
    The FDIC has issued guidance to financial institutions with respect 
to keeping data secure, protecting customers, and responding to 
breaches of data security. In 2001, the Federal banking agencies issued 
Interagency Guidelines Establishing Information Security Standards, as 
required by Section 501(b) of the Gramm-Leach-Bliley Act, requiring 
every financial institution to have an information security program, 
approved by the institution's board of directors, to protect customer 
information.
    The FDIC's most direct role in ensuring cyber security within the 
financial sector is through its onsite examination programs. The FDIC 
regularly and routinely evaluates all of its regulated financial 
institutions' information security programs through our information 
technology (IT) examinations. The Federal banking agencies also conduct 
IT examinations of major technology service providers that provide 
services to financial institutions. These examinations are designed, in 
part, to ensure that financial institutions protect both bank and 
customer information. Depending on the findings from our examinations, 
informal or formal enforcement action may be pursued to achieve 
corrective actions.
    The Federal Financial Institutions Examination Council (FFIEC), 
which includes the FDIC, publishes a series of Information Technology 
Examination Handbooks. Banks and their service providers are examined 
by their appropriate Federal banking agency using the standards in the 
FFIEC books, which includes an assessment of their information security 
and protection of customer information, among other things. The 
handbooks address objectives, standards, resources, roles and 
responsibilities, best practices, and examination procedures. These 
handbooks are available to examiners, bankers, and the public.
    With respect to retail payments in particular, the Federal banking 
agencies' supervisory programs assess acquiring banks to ensure that 
appropriate payment operations risk mitigation efforts are in place. 
Included as part of the FFIEC IT Examination Handbook are two booklets, 
``Retail Payment Systems'' and ``Wholesale Payment Systems,'' to 
address regulatory expectations for risk management of these systems.
    The Federal banking agencies issued guidance in March 2005 for 
financial institutions to develop and implement a Response Program 
designed to address incidents of unauthorized access to sensitive 
customer information.
    Recognizing that addressing cyber risks can be especially 
challenging for community banks, the FDIC is taking steps to assist 
them with planning and training. At the November 19, 2013 meeting of 
its Advisory Committee on Community Banking, we shared with members an 
exercise that institutions can use to initiate discussions about 
operational risk and the potential impact of IT disruptions on common 
banking functions. This exercise, named ``Cyber Challenge,'' provides 
financial institutions with four exercise scenarios via short videos. 
Each video represents a standalone scenario so users may choose to 
consider any number of the scenarios in any order they desire. Each 
video has associated challenge questions that have been developed to 
promote discussion on topics relevant to the specific scenarios and to 
assist institutions in the development of proper responses. 
Additionally, financial institutions may discuss how they would react 
to the scenario, how they would handle the situation in their 
respective institution, and what controls their institution has in 
place to prevent the situation. Cyber Challenge will be distributed to 
all FDIC-supervised institutions in the near future.
Conclusion
    Thank you for the opportunity to share with the Committee the work 
that the FDIC has been doing to implement the Dodd-Frank Act and 
address systemic risk in the aftermath of the financial crisis. I would 
be glad to respond to your questions.
Status of FDIC Dodd-Frank Act Rulemakings
Completed FDIC-only Rulemakings
    FDIC has met all applicable deadlines in issuing those required 
regulations in the Dodd-Frank Wall Street Reform and Consumer 
Protection Act for which it is solely responsible. These include:

    Orderly Liquidation Authority (OLA) Regulations

      Inflation adjustment for wage claims against financial 
        company in receivership;

      Executive compensation clawbacks and definition of 
        compensation; and

      Definition of `predominantly engaged in activities 
        financial in nature' for title II purposes.

    Deposit Insurance Fund Management Regulations

      Regulations establishing an asset-based assessment base;

      Regulations implementing permanent $250,000 coverage;

      Elimination of pro-cyclical assessments; dividend 
        regulations;

      Restoration plan to increase the minimum reserve ratio 
        from 1.15 to 1.35 percent by Sept. 30, 2020; and

      Regulations implementing temporary full Deposit Insurance 
        coverage for noninterest bearing transaction accounts (Program 
        expired 12/31/12).

    The FDIC has also issued several optional rules, including the 
following OLA rules:

    Rules governing payment of post-insolvency interest to 
        creditors;

    Rules establishing the proper measure of actual, direct, 
        compensatory damages caused by repudiation of contingent 
        claims;

    Rules governing the priority of creditors and the treatment 
        of secured creditors;

    Rules governing the administrative claims process;

    Rules governing the treatment of mutual insurance holding 
        companies; and

    Rules providing for enforcement of contracts of 
        subsidiaries or affiliates of a covered financial company.

Completed Interagency Rules:

    FDIC and its fellow agencies have issued a number of joint or 
interagency regulations. These include:

    Title I resolution plan requirements;

    Regulations implementing self-administered stress tests for 
        financial companies;

    Minimum leverage capital requirements for IDIs (Collins 
        Sec.  171(b)(1));

    Minimum risk-based capital requirements (Collins Sec.  
        171(b)(2));

    Capital requirements for activities that pose risks to the 
        financial system (Collins Sec.  171(b)(7)) (as of July 9, 
        2013);

    Rules providing for calculation of the ``maximum obligation 
        limitation'';

    Regulations on foreign currency futures;

    Removing regulatory references to credit ratings;

    Property appraisal requirements for higher cost mortgages;

    Appraisals for higher priced mortgages supplemental rule;

    Appraisal independence requirements;

    Volcker Rule Prohibition on Proprietary Trading and 
        Investments in Covered Funds; and

    Interim final rule authorizing Retention of Interests in 
        CDOs backed by Bank-Issued Trust Preferred Securities
Rulemakings in process--FDIC-only:

    A few regulations without statutory deadlines remain in process. 
These include:

    OLA regulations implementing post-appointment requirements 
        and establishing eligibility requirements for asset purchasers; 
        and

    Integration and Streamlining of adopted OTS regulations.

Interagency Rulemakings in process:

    Additional OLA Rules:

      Orderly liquidation of covered brokers and dealers;

      Regulations regarding treatment of officers and directors 
        of companies resolved under Title II; and

      QFC recordkeeping rules;

    Regulations implementing the credit exposure reporting 
        requirement for large BHCs and nonbank financial companies 
        supervised by the FRB;

    Regulations implementing the ``source of strength'' 
        requirement for BHCs, S&LHCs, and other companies that control 
        IDIs;

    Capital and margin requirements for derivatives that are 
        not cleared OTC;

    Regulations governing credit risk retention in asset-backed 
        securitizations, including ABS backed by residential mortgages;

    Regulations governing enhanced compensation structure 
        reporting and prohibiting inappropriate incentive-based payment 
        arrangements;

    Rulemaking prohibiting retaliation against an IDI or other 
        covered person that institutes an appeal of conflicting 
        supervisory determinations by the CFPB and the appropriate 
        prudential regulator; and

    Additional appraisals and related regulations:

      Minimum requirements for registration of appraisal 
        management companies and for the reporting of the activities of 
        appraisal management companies to Appraisal Subcommittee;

      Regulations to implement quality controls standards for 
        automated valuation models; and

      Regulations providing for appropriate appraisal review.

Other DFA Regulations and Guidance:

    OMWI--Proposed Standards for Assessing Diversity in 
        Regulated Entities;

    Stress Testing Guidance, including:

      Economic Scenarios for 2014 Stress Testing;

      Policy Statement on the Principles for Development and 
        Distribution of Annual Stress Test Scenarios (FDIC-supervised 
        institutions); and

      Proposed Interagency Supervisory Guidance on Implementing 
        Dodd-Frank Act Company-Run Stress Tests for Banking 
        Organizations With Total Consolidated Assets of More Than $10 
        Billion But Less Than $50 Billion; and

    Interagency Statement on Supervisory Approach for Qualified 
        and Non-Qualified Mortgage Loans
                                 ______
                                 
                PREPARED STATEMENT OF THOMAS J. CURRY *
                      Comptroller of the Currency
               Office of the Comptroller of the Currency
                            February 6, 2014
    Chairman Johnson, Ranking Member Crapo, and Members of the 
Committee, thank you for the opportunity to appear before you today. As 
the national economy continues to improve, so do the balance sheets of 
the financial institutions that the Office of the Comptroller of the 
Currency (OCC) supervises. The industry's improved strength is 
reflected in stronger capital, improved liquidity, and timely 
recognition and resolution of problem loans. We are mindful, however, 
of the lessons of the financial crisis, and we have learned from that 
experience. We have taken a close look at how we supervise national 
banks and Federal savings associations (collectively, banks) and have 
devoted considerable time and resources to improving the way we do our 
job.
---------------------------------------------------------------------------
     * Statement Required by 12 U.S.C. Sec.  250:
    The views expressed herein are those of the Office of the 
Comptroller of the Currency and do not necessarily represent the views 
of the President.
---------------------------------------------------------------------------
    With this in mind, I will begin my testimony today by describing 
the independent peer review study, which was undertaken at my 
direction, to assess the effectiveness of OCC's supervision of large 
and midsize banks. I will also discuss the OCC's recently proposed 
heightened expectations guidelines, designed to strengthen the risk 
management and governance practices of our large banks. We are setting 
a high bar for the institutions we supervise, and, as our international 
peer review project demonstrates, we are asking no less of ourselves.
    In addition, as the Committee requested, I will discuss the OCC's 
expectations of the banks that we supervise with regard to their 
ability to defend both their systems and their customers' confidential 
information from cyber threats, as well as our role in supervising the 
retail payment system activities of banks. While banks are highly 
regulated, the financial services industry is an attractive target for 
cyber attacks, and therefore, we recognize the need to ensure that 
banks are doing everything necessary to protect themselves and their 
customers' information. To ensure we stay on top of the evolving 
threats to the financial services industry, the OCC is committed to 
refining our supervisory processes on an ongoing basis and to 
participating in public-private partnerships to help keep abreast of 
and respond to emerging threats.
    Finally, my testimony will address our ongoing efforts to implement 
the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-
Frank Act or Act) and to strengthen bank capital. Specifically, I will 
discuss the newly finalized risk-based capital rules, as well as the 
proposed liquidity rules and enhanced leverage capital ratio 
requirement. I also will provide an overview of the finalized 
``Volcker'' rules and our progress in implementing specific provisions 
of Title VII of the Act. I will conclude with a summary of other 
rulemaking projects required by the Act on which we have made 
substantial progress, including the appraisal and credit risk retention 
rules.
I. Improving Financial Stability through Enhanced Prudential Regulation 
        and Supervision
A. International Peer Review Study
    Throughout our 150-year history, effective supervision of national 
banks has been the core mission of the OCC. While the scope of that 
mission has expanded to include Federal savings associations, our focus 
on quality supervision has not changed.
    To do our job effectively, we must maintain controls and a review 
program that is every bit as rigorous as what we expect of our banks. 
This proposition underlies the OCC's new Enterprise Governance unit, 
which will conduct independent reviews of each OCC business line. These 
reviews will enhance existing processes, including quality assurance 
programs that each business line maintains.
    The financial crisis showed how important supervision is to the 
soundness of the banking system, and I feel strongly that we need to do 
everything possible to ensure the effectiveness of OCC supervision. 
Last year, I brought together a team of senior international regulators 
to provide an independent and unvarnished assessment of the OCC's 
supervision program for large and midsize banks. Even the very best 
organizations have room to improve, and in fact, one of the hallmarks 
of a healthy culture is an organization's willingness to engage in a 
process of continual improvement. This is something the OCC has done 
throughout its 150 years. However, in the wake of the financial crisis, 
I believed it was particularly important to establish a process to 
assess our strengths and weaknesses and evaluate where we could do 
better.
    The peer review team was comprised of veteran bank regulators from 
countries whose financial systems proved to be particularly resilient 
during the financial crisis. It was chaired by Jonathan Fiechter, a 
former OCC Senior Deputy Comptroller who, until recently, served as a 
senior official with the International Monetary Fund, where he headed 
the Monetary and Capital Markets Department's financial supervision and 
crisis management group.
    In December 2013, I received and released to the public the peer 
review team's report.\1\ Its recommendations cover six key areas: 
mission, vision, and strategic goals; identification of risk; ratings 
systems; staffing; scope and consistency of the OCC's supervisory 
strategies; and our enterprise governance function. I am gratified that 
the report highlighted a number of areas in which the OCC has been very 
successful. As the chair of the peer review team noted in his 
transmittal letter to me, ``The OCC is fortunate to have such a highly 
motivated, experienced, and professional staff dedicated to carrying 
out the work of the OCC.'' The report praised the lead expert program 
\2\ in our Midsize Bank Supervision business line, as well as the work 
of our National Risk Committee.\3\ The peer review team also noted that 
our supervisory staff demonstrated a strong commitment to rigorous 
supervision of the institutions we regulate and pride in the OCC as a 
supervisory agency. Further, the team validated a number of initiatives 
that we had already begun, including eight strategic initiatives to 
address challenges and opportunities facing the agency. These strategic 
initiatives focus on retention and recruitment, bank and thrift 
supervision, leadership, agency funding, technology, internal and 
external communication, and an enterprise-wide self-assessment process 
focused on continuous improvement.
---------------------------------------------------------------------------
    \1\ See OCC News Release 2013-184 for a copy of the report, 
available at: 
http://www.occ.gov/news-issuances/news-releases/2013/nr-occ-2013-184.html.
    \2\ The lead expert program assigns an expert to each key risk 
area. These experts, who are independent from exam staff, review and 
opine on our annual supervisory strategy and supervisory communications 
for each large and midsize bank we supervise. This program ensures that 
the OCC consistently handles issues across the agency's portfolio.
    \3\ The OCC's National Risk Committee (NRC) monitors the condition 
of the Federal banking system, as well as emerging threats to the 
system's safety and soundness. The NRC also monitors evolving business 
practices and financial market issues and helps to shape supervisory 
efforts to address emerging risk issues. NRC members include senior 
agency officials who supervise banks of all sizes, as well as officials 
from the legal, policy, and economics departments. The NRC helps to 
formulate the OCC's annual bank supervision operating plan that guides 
our supervisory strategies for the coming year. The NRC also publishes 
the Semiannual Risk Perspective report to provide information to the 
industry and the general public on issues that may pose threats to the 
safety and soundness of OCC-regulated financial institutions.
---------------------------------------------------------------------------
    While the peer review team found much to praise, its report also 
highlighted areas in which its members believe the OCC could improve. 
For example, the report addresses the OCC's resident examination 
program and the relationship between the OCC's Risk Assessment System 
and the interagency CAMELS \4\ rating system. After receiving the 
report, I set up senior-level working groups to evaluate and prioritize 
the recommendations and develop specific implementation plans for areas 
where the groups conclude that there are opportunities for improvement. 
I am committed to a full review of the issues and recommendations 
identified in the report and to continuous improvement in the way the 
OCC does business.
---------------------------------------------------------------------------
    \4\ The OCC's risk assessment system provides a framework that OCC 
examiners use to measure, document, and communicate the OCC's 
conclusions about the quantity of risk, quality of risk management, and 
direction of risk for eight risk categories. The interagency CAMELS 
rating system integrates six component areas: capital adequacy, asset 
quality, management, earnings, liquidity, and sensitivity to market 
risk. Evaluations of these component areas take into consideration an 
institution's size and sophistication, the nature and complexity of its 
activities, and its risk profile.
---------------------------------------------------------------------------
B. Heightened Expectations
    Because of their size, activities, and implications for the U.S. 
financial system, large banks require more rigorous regulation and 
supervision. To support this objective, the OCC recently issued a 
proposal that would provide additional supervisory tools to examiners 
aimed at strengthening risk management practices and governance of 
large banks. This proposal codifies and builds on a set of supervisory 
``heightened expectations'' that embody critical lessons learned from 
the financial crisis.
    The financial crisis taught us the importance of comprehensive and 
effective risk management; the need for an engaged board of directors 
that exercises independent judgment; the need for a robust audit 
function; the importance of talent development, recruitment, and 
succession planning; and a compensation structure that will not 
incentivize inappropriate risk taking. In 2010, we began communicating 
our heightened expectations to the banks through discussions at board 
meetings and in writing. We continued to refine and reinforce these 
heightened expectations through our ongoing supervisory activities and 
frequent communication with bank management and boards of directors. We 
spent time educating our examiners and bankers to clarify our 
expectations and specifically noted our requirement for a frank 
assessment of the gaps between existing and desired practices. The OCC 
also began to examine each large institution for compliance with the 
expectations and has included in each bank's Report of Examination an 
overall rating of how the bank meets these heightened expectations.
    Our recent proposal builds upon and formalizes the heightened 
expectations program in the form of enforceable guidelines that would 
generally apply to insured national banks, insured Federal savings 
associations, and insured Federal branches of foreign banks with 
average total consolidated assets of $50 billion or more.
    The proposed guidelines set forth minimum standards for the design 
and implementation of a bank's risk governance framework and provide 
minimum standards for the board's oversight of the framework. The 
bank's risk governance framework should address all risks to a bank's 
earnings, capital and liquidity, and reputation that arise from the 
bank's activities. The proposal also sets out roles and 
responsibilities for the organizational units that are fundamental to 
the design and implementation of the framework. These units, often 
referred to as a bank's three lines of defense, are front line business 
units, independent risk management, and internal audit. Together, these 
units should establish an appropriate system to control risk taking. 
Underlying the framework is a risk appetite statement that articulates 
the aggregate level and types of risk a bank is willing to assume in 
order to achieve its strategic objectives, consistent with applicable 
capital, liquidity, and other regulatory requirements.
    The proposed guidelines also contain standards for boards of 
directors regarding oversight of the design and implementation of a 
bank's risk governance framework. It is vitally important that each 
director be engaged in order to understand the risks being taken by his 
or her institution and to ensure that those risks are well managed. 
Informed directors who exercise independent judgment can better 
question the propriety of strategic initiatives and assess the balance 
between risk taking and reward. An effective board also should actively 
oversee management. Directors should be in a position to present a 
credible challenge to bank management while fulfilling their duty to 
preserve the sanctity of the national bank or Federal savings 
association charter. By sanctity of the charter, I mean that directors 
must ensure that the institution operates in a safe and sound manner. 
The national bank or Federal thrift should not simply function as a 
booking entity for the holding company. It is a special corporate 
franchise that is the gateway to Federal deposit insurance and access 
to the discount window.
    The guidelines are proposed as a new appendix to Part 30 of our 
regulations. Part 30 codifies an enforcement process set out in a 
statutory provision that authorizes the OCC to prescribe operational 
and managerial standards. If a bank fails to satisfy a standard, the 
OCC may require it to submit a compliance plan detailing how it will 
correct the deficiencies and how long that will take. The OCC can issue 
an enforceable order if the bank fails to submit an acceptable 
compliance plan or fails in any material way to implement an OCC-
approved plan.
    Higher supervisory standards for the large banks we oversee, such 
as those in the proposed guidelines, along with bank management's 
implementation of these standards, are consistent with the Dodd-Frank 
Act's broad objective of strengthening the financial system. We believe 
that this increased focus on strong risk management and corporate 
governance will help banks maintain the balance sheet improvements 
achieved since the financial crisis and make them better able to 
withstand the impact of future crises.
II. Data Security
    There are few issues more important to me or to the OCC than the 
emerging risks posed by the increasing sophistication of cyber attacks. 
One of my highest priorities is to ensure that banks continue to 
improve their ability to protect both their systems and their 
customers' data against cyber attacks. While the banking sector is 
highly regulated and has been subject to stringent information security 
requirements for decades, we recognize that both our supervision and 
our guidance to banks must be regularly updated to keep pace with the 
rapidly changing nature of cyber threats. For this reason, when I 
became Chairman of the Federal Financial Institutions Examination 
Council (FFIEC), I called for the creation of a working group on 
cybersecurity issues to be housed under the FFIEC's task force on 
supervision. The working group has already begun to meet with 
intelligence, law enforcement, and homeland security officials, and it 
is exploring additional approaches bank regulators can take to ensure 
that institutions of all sizes have the ability to safeguard their 
systems.
    Recent events, such as the Distributed Denial of Service attacks on 
banks and the information security breaches at Target and Neiman 
Marcus, highlight the sophisticated nature of evolving cyber threats, 
as well as the interdependencies that exist in today's payment systems. 
They also remind us of the impact that cyber attacks have on consumers 
and financial institutions. When accounts are compromised, the affected 
consumers often pay a stiff price in terms of lost time and the expense 
of restoring their credit information, even though they are protected 
against fraudulent card charges by their financial institutions. In 
addition to the inconvenience to and burden on consumers, financial 
institutions, including community banks that issue credit and debit 
cards, often end up bearing the costs when bank customer information 
maintained by merchants is compromised. Banks have borne the expense of 
replacing cards, providing credit monitoring services, responding to 
high volumes of customer inquiries, monitoring for fraudulent 
transactions, and reimbursing customers for fraud losses.
    Information security has long been an integral part of the OCC's 
supervisory process. We have a variety of tools and broad authority to 
require the banks we regulate and their service providers to protect 
their own systems and their customers' data and to take steps to 
identify, prevent, and mitigate identity theft, no matter how a 
customer's information was acquired. Over the years, the OCC, on its 
own and through the FFIEC, has published guidance and handbooks that 
have made clear our expectations about acceptable risk management 
processes and procedures for safeguarding information.
A. Information Security Guidelines and Guidance on Response Programs 
        for Unauthorized Access to Customer Information and Customer 
        Notice
    Following the 1999 enactment of the Gramm-Leach-Bliley Act, the 
OCC, in conjunction with the Federal Deposit Insurance Corporation 
(FDIC) and the Board of Governors of the Federal Reserve System 
(Federal Reserve) (collectively, the Federal banking agencies) 
published enforceable information security guidelines that set forth 
standards for administrative, technical, and physical safeguards 
financial institutions must have to ensure the security and 
confidentiality of customer information. These interagency guidelines 
require banks to develop and implement formal information security 
programs.
    These programs need to be tailored to the bank's assessment of the 
risks it faces. These risks include internal and external threats to 
customer information and any method used to access, collect, store, 
use, transmit, protect, or dispose of the information. Each bank must 
consider the specific security measures set forth in the guidelines and 
adopt those that are appropriate for the institution. Given the 
evolving threat and technology environment, the guidelines require a 
bank's information security program to be dynamic--to continually adapt 
to address new threats, changes in technology, and new business 
arrangements. We also expect banks to routinely test their systems for 
vulnerabilities and to address the weaknesses they discover.
    To ensure effective oversight, the guidelines require that 
information security programs be approved by an institution's board of 
directors. The board must also oversee the program's development, 
implementation, and maintenance, and it must review annual reports that 
describe the bank's compliance with the guidelines.
    Since banks often depend upon service providers to conduct critical 
banking activities, the guidelines also address how banks must manage 
the risks associated with their service providers that have access to 
customer information. This past October, the OCC released updated 
guidance that emphasizes the importance of risk management practices 
for critical activities throughout the lifecycle of the third-party 
relationship.\5\ The guidance also stresses our expectation that the 
board and management ensure that appropriate risk management practices 
are in place, establish clear accountability for day-to-day management 
of these relationships, and periodically conduct independent reviews of 
these relationships.
---------------------------------------------------------------------------
    \5\ See OCC Bulletin 2013-29 ``Third Party Relationships: Risk 
Management Guidance'' available at: 
http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.
---------------------------------------------------------------------------
    While strong and resilient information security programs are 
critical, the evolving nature and sophistication of cyber attacks also 
require banks to have strong and well-coordinated incident response 
programs that can be put into action when a cyber attack or security 
breach does occur. Nearly a decade ago, the OCC, in conjunction with 
the FDIC and Federal Reserve, issued guidance to supplement the 
information security guidelines titled ``Response Programs for 
Unauthorized Access to Customer Information and Customer Notice.'' This 
guidance addresses breaches of customer information maintained by or on 
behalf of banks and makes clear that the OCC expects each bank to 
implement an incident response program with specific policies and 
procedures to address unauthorized access to customer information. We 
expect a bank's incident response program to include a process for 
notifying customers and taking appropriate steps, not only to contain 
and control the incident, but also to prevent further unauthorized 
access to or use of the customer information. The bank is expected to 
notify both law enforcement and its primary regulator and to provide 
customers with information they need, such as how to place a fraud 
alert on their credit reports.
    During and following cyber attacks on the financial sector, the OCC 
plays an important role in identifying risks to bank systems and bank 
customer information and conveying appropriate risk management 
practices to the industry, including defensive strategies and tactics 
to contain attacks. The OCC gathers information from our affected banks 
and shares information with other Government agencies. We have 
participated in briefings for our banks, service providers, and 
examiners on specific cyber threats. In addition, through our 
membership in both the Financial and Banking Information Infrastructure 
Committee and the Financial Services Information Sharing and Analysis 
Center, which are part of the financial sector's public-private 
partnerships, we share information regarding cyber threats and discuss 
various means to improve the security and resiliency of the financial 
sector.
B. Identity Theft Red Flags
    While the information security guidelines require banks to 
safeguard the customer information that they maintain or that is 
maintained on their behalf, banks also are required to be on the alert 
for identity theft involving their customers' information, no matter 
how and where an identity thief acquired the information. Pursuant to 
section 114 of the FACT Act, the Federal banking agencies, together 
with the National Credit Union Administration (NCUA) and the Federal 
Trade Commission, issued regulations in 2007 titled ``Identity Theft 
Red Flags and Address Discrepancies.'' The final rules require each 
financial institution and creditor to develop and implement a formal 
identity theft prevention program that includes policies and procedures 
for detecting, preventing, and mitigating identity theft in connection 
with account openings and existing accounts. The program must cover any 
consumer account or any other account that the financial institution or 
creditor offers or maintains for which there is a reasonably 
foreseeable risk to consumers or to the safety and soundness of the 
financial institution or creditor from identity theft. In addition, it 
must include policies and procedures to identify relevant red flags, 
detect red flags incorporated into the program, respond appropriately 
to the red flags that are detected, and ensure the program is updated 
periodically to reflect changes in risks to customers and to the 
institution from identity theft.
    The agencies also issued guidelines to assist covered entities in 
developing and implementing an identity theft prevention program. The 
guidelines include a supplement that identifies 26 patterns, practices, 
and specific forms of activity that are ``red flags'' signaling 
possible identity theft. These include alerts, notifications, or other 
warnings received from consumer reporting agencies or service 
providers, the presentation of suspicious documents or suspicious 
personal identifying information, the unusual use of or other 
suspicious activity related to a covered account, or notice from 
customers, victims of identity theft, or law enforcement authorities. 
When a bank detects identity theft red flags, the bank is expected to 
respond by taking steps that include monitoring accounts, contacting 
the customer, changing passwords, closing and reopening the account, 
and notifying law enforcement, as appropriate.
C. Retail Payment Systems
    Banks provide essential retail payment transactions and services to 
businesses and consumers, including the acceptance, collection, and 
processing of a variety of payment instruments and participation in 
clearing and settlement systems. From the initiation of a retail 
payment transaction to its final settlement, banks are exposed to 
certain risks, such as credit, liquidity, compliance, reputation, and 
operational risks, including fraud, particularly during settlement 
activities. These risks may arise from interactions with payment system 
operators and other third parties.
    Recent technological advances are expanding the opportunities for 
the development of innovative payment products and services. New 
electronic payment instruments and systems offer gains in efficiency by 
allowing for the rapid and convenient transmission of payment 
information among system participants. However, without appropriate 
safeguards, these new products and services can also permit fraud, 
money laundering, and operational disruption to occur. In addition, 
nonbank third parties are increasingly participating in retail payment 
systems, contributing to innovation but also adding complexity to the 
transaction chain, which may increase risk in payment processes. Retail 
payment risk management is increasingly difficult, requiring close 
attention to the changing nature of risk and robust oversight.
    The OCC, on its own and through the FFIEC, has issued guidance on 
identifying and controlling risks associated with retail payment 
systems and related banking activities. Risk profiles vary 
significantly based on the size and complexity of a bank's retail 
payment products and services, expertise, technology infrastructure, 
and dependence on third parties. The OCC expects banks engaging in 
these activities to be aware of the inherent risks of their activities 
and implement appropriate risk management processes. OCC examiners also 
assess risk levels and risk management practices at banks and schedule 
oversight activities based upon the risk profile of the bank and the 
complexity of the products and services offered.
    Banks not only must comply with Federal requirements but also with 
State laws and regulations relating to payment systems and with the 
operating rules of clearing houses and bank card networks, such as 
Payment Card Industry-Data Security Standards (PCI-DSS). In addition, 
we expect all banks to maintain effective internal controls, including 
robust fraud detection systems and financial, accounting, technical, 
procedural, and administrative controls necessary to minimize risks in 
the retail payment transaction, clearing, and settlement processes. 
These measures, when effectively employed, reduce payment system risk, 
ensure that individual transactions are valid, and mitigate processing 
and other errors. Effective controls also ensure that the retail 
payments infrastructure operates with integrity, confidentiality, and 
availability.
D. The OCC's Supervision Program
    The OCC's ongoing supervision program addresses information 
security and identity theft prevention for banks, including with 
respect to bank participation in the payment system. The supervisory 
program involves teams of examiners who evaluate information security 
and identity theft controls and risk management during their 
examinations of banks. Our most experienced examiners supervise the 
largest institutions and also participate, with the FDIC and Federal 
Reserve, in examinations of the largest bank technology service 
providers. The OCC's supervision, including of information technology, 
continues to evolve as the risks facing the industry change. Both on 
our own and through the FFIEC, we update examiner training, regulatory 
guidance, and examiner booklets. We also issue alerts to address risks 
stemming from increasingly complex bank operations and third-party 
relationships, new technologies, and the increasing volume and 
sophistication of cyber threats.
    When necessary, the OCC uses our enforcement process to ensure 
compliance with our standards. When we have found serious gaps in 
meeting our supervisory expectations, we have taken enforcement actions 
that include cease and desist orders and civil money penalties. In some 
cases, the OCC has also found it necessary to compel banks to notify 
their customers of breaches involving personal information.
    The OCC also has taken enforcement actions against bank insiders 
who were engaged in identity theft-related activities or were otherwise 
involved in serious breaches or compromises of customer information. 
These enforcement actions have included orders prohibiting individuals 
from working in the banking industry, personal cease and desist orders 
restricting the use of customer information, significant civil money 
penalties, and orders requiring restitution.
    The OCC is committed to maintaining a robust regulatory framework 
that requires banks to protect their systems and their customers' 
information. The volume and sophistication of the cyber threats to our 
payment systems and other financial infrastructures are evolving 
rapidly. Furthermore, these systems are dependent on other critical 
infrastructures that are also vulnerable to these threats, such as 
telecommunications and energy, which are outside of the industry's 
direct control. For this reason, we will continue to look for ways to 
improve our supervisory processes and make the system stronger, through 
collaboration and cooperation with industry participants, as well as 
other regulatory and Government agencies, such as law enforcement.
III. Capital and Liquidity
A. Capital
    Last year, the OCC, FDIC, and Federal Reserve finalized a rule that 
comprehensively revises U.S. capital standards. This rule strengthens 
the definition of regulatory capital, increases risk-based capital 
requirements, and amends the methodologies for determining risk-
weighted assets. It also adds a new, stricter leverage ratio 
requirement for large, internationally active banks. These revisions 
reflect enhancements to the international capital framework published 
by the Basel Committee on Banking Supervision and are a result of 
lessons learned from the financial crisis. The standards are consistent 
with and complement the Dodd-Frank Act by strengthening our Nation's 
financial system. They reduce systemic risk and improve the safe and 
sound operation of the banks we regulate.
    Some of the revisions applicable to large, internationally active 
banks became fully effective on January 1 of this year. Most revisions, 
including the narrowing of instruments that count as regulatory 
capital, will be phased in over several years. For the largest, 
internationally active banks, this phase-in has already begun. For all 
other banks, the phase-in will begin in 2015.
Leverage Ratio Capital Requirements
    Regulatory capital standards in the United States have long 
included both risk-based capital and leverage requirements, which work 
together, each offsetting the other's potential weaknesses while 
minimizing incentives for regulatory capital arbitrage. Among the more 
important revisions to the domestic capital rules was the addition of 
stricter leverage ratio requirements applicable to the largest, 
internationally active banks.
    Under longstanding domestic capital requirements, all banking 
organizations \6\ must meet a minimum leverage ratio. Our recent 
revisions to the capital rules now require certain large banking 
organizations also to meet a ``supplementary leverage ratio'' 
requirement. Unlike the more broadly applicable leverage ratio, this 
supplementary leverage ratio incorporates off-balance sheet exposures 
into the measure of leverage. It is expected to be more demanding 
because large banking organizations often have significant off-balance 
sheet exposures that arise from different types of lending commitments, 
derivatives, and other activities.
---------------------------------------------------------------------------
    \6\ The U.S. ``banking organizations'' subject to minimum capital 
rules include national banks, State member banks, Federal savings 
associations, and top-tier bank holding companies domiciled in the 
United States not subject to the Federal Reserve's Small Bank Holding 
Company Policy Statement (12 CFR part 225, appendix C), as well as top-
tier savings and loan holding companies domiciled in the United States, 
except certain savings and loan holding companies that are 
substantially engaged in insurance underwriting or commercial 
activities.
---------------------------------------------------------------------------
    To further strengthen the resiliency of the banking sector, in 
August of last year, the Federal banking agencies published a notice of 
proposed rulemaking (NPR) that would increase substantially the 
supplementary leverage ratio requirement for the largest and most 
systemically important banking organizations. Under the NPR, these 
banking organizations would be required to maintain even more tier 1 
capital for every dollar of exposure in order to be deemed ``well 
capitalized.''
    In January, the Basel Committee finalized revisions to the 
international leverage ratio standards upon which the Federal banking 
agencies based the supplementary leverage ratio NPR.
    While some reports have suggested these revisions amounted to a 
watering down of the international standards, a more accurate depiction 
of the changes relative to U.S. standards requires more elaboration. 
Although these standards have been relaxed relative to a Basel 
Committee proposal issued in June 2013, the committee's final standards 
are generally comparable to the final U.S. standards published last 
year and the measure of exposure used in the NPR.
    Two areas where the final Basel standards differ from the U.S. 
standards are the treatment of credit derivatives and off-balance sheet 
commitments. With respect to credit derivatives, the final Basel 
standards require a bank to treat a promise to pay a counterparty in 
the event of a credit default as the equivalent of providing a loan to 
the counterparty, because both transactions effectively involve the 
extension of credit. This requirement is more stringent than the 
current U.S. rules, which focus only on the counterparty credit risk 
associated with credit derivatives. With respect to off-balance sheet 
commitments, the Basel leverage calculation includes a portion of the 
potential exposure amount for certain off-balance sheet commitments, 
rather than the entire potential exposure amount. This change reduces 
the exposure measure relative to the current U.S. standards, which 
generally assume that all of these commitments will be completely drawn 
at the same time.
    Even considering the change to the exposure measure for certain 
commitments, our preliminary analysis suggests that, in the aggregate, 
the final Basel standards will generate a larger measure of exposure--
and will therefore be more stringent--than the current and proposed 
U.S. standards. However, this is likely to vary by bank. Banks with 
large credit derivatives portfolios likely will see greater increases 
in their exposure measures relative to other banks.
    Additionally, when considering the impact of the Basel standards, 
it is important to keep in mind that the NPR would increase the minimum 
supplementary leverage ratio requirements for systemically important 
banking organizations in the U.S. to 6 percent at the bank level and 5 
percent at the bank holding company level. While we are still 
considering comments received on this proposal, the OCC continues to 
support stronger leverage ratio standards than the 3 percent 
international minimum. The Federal banking agencies will consider the 
revisions to the Basel Committee's leverage ratio framework, as well as 
the comments received in response to the NPR, as we continue with our 
work. The OCC supports the interagency efforts to ensure that the 
supplementary leverage ratio will serve as an effective backstop to the 
risk-based ratios and will work with the FDIC and the Federal Reserve 
to move forward with the rulemaking process in the near term.
B. Enhanced Liquidity Standards
    Adequate and appropriate liquidity standards for the banks we 
regulate are an important post-financial crisis tool that is central to 
the proper functioning of financial markets and the banking sector in 
general. The Federal banking agencies, working together, have made 
significant progress in implementing the Basel Committee's Liquidity 
Coverage Ratio in the United States. These liquidity standards will 
help ensure that banking organizations maintain sufficient liquidity 
during periods of acute short-term financial distress.
    In November of last year, the Federal banking agencies issued a 
proposal that would require certain large financial companies, 
including large national banks and Federal savings associations, to 
hold high-quality liquid assets on each business day in an amount equal 
to or greater than its projected cash outflows minus its projected 
inflows over a 30-day period of significant stress. The comment period 
for the proposed rule ended on January 31, 2014. The agencies are 
reviewing the comments and will be developing a final rule that I hope 
can be issued by the end of the year.
    The Federal banking agencies also are working with the Basel 
Committee to develop another liquidity requirement, the Net Stable 
Funding Ratio, to complement the Liquidity Coverage Ratio and enhance 
long-term structural funding. The Net Stable Funding Ratio would 
require banks to maintain a stable funding profile in relation to the 
composition of their assets and off-balance sheet activities. The Basel 
Committee recently published a consultative paper for comment that 
defines the requirements for this ratio. Once finalized, the Federal 
banking agencies will work to implement a U.S. rule, which is planned 
to go into effect on January 1, 2018.
    It is expected that these standards, once fully implemented, will 
complement existing liquidity risk guidance and enhanced liquidity 
standards to be issued by the Federal Reserve, in consultation with the 
OCC, as part of the heightened prudential standards required under 
section 165 of the Dodd-Frank Act.
IV. Volcker Rule
    The statutory provision referred to as the Volcker Rule is set 
forth in section 619 of the Dodd-Frank Act. Section 619 prohibits a 
banking entity from engaging in short-term proprietary trading of 
financial instruments and from owning, sponsoring, or having certain 
relationships with hedge funds or private equity funds (referred to 
here, and in the final regulations, as covered funds).\7\ 
Notwithstanding these prohibitions, section 619 permits certain 
financial activities, including market making, underwriting, risk-
mitigating hedging, trading in Government obligations, and organizing 
and offering a covered fund.
---------------------------------------------------------------------------
    \7\ The statute defines the term ``banking entity'' to cover 
generally any insured depository institution (other than a limited 
purpose trust bank), any affiliate or subsidiary of an insured 
depository institution, and any company that controls an insured 
depository institution. See 12 U.S.C. 1851(h)(1).
---------------------------------------------------------------------------
    On December 10, 2013, the OCC, Federal Reserve, FDIC, Securities 
and Exchange Commission (SEC), and the Commodity Futures Trading 
Commission (CFTC) adopted final regulations implementing the 
requirements of section 619.\8\ In accordance with the statute, the 
final regulations prohibit banking entities from engaging in 
impermissible proprietary trading and strictly limit their ability to 
invest in covered funds. At the same time, the regulations are designed 
to preserve market liquidity and allow banks to continue to provide 
important client-oriented services.
---------------------------------------------------------------------------
    \8\ See 79 FR 5536 (Jan. 31, 2014). The OCC, Federal Reserve, FDIC, 
and SEC issued a joint regulation, and the CFTC issued a separate 
regulation adopting the same common rule text and a substantially 
similar preamble.
---------------------------------------------------------------------------
    In developing the final regulations, the agencies carefully 
considered the more than 18,000 comments received on the proposed 
regulations from a diverse group of interests--including banks, 
securities firms, consumer and public interest groups, Members of 
Congress, foreign governments, and the general public.\9\ Commenters 
raised numerous significant and complex issues with respect to the 
proposed regulations, and provided many--sometimes conflicting--
recommendations. For example, the agencies heard from various 
commenters regarding the distinction between impermissible proprietary 
trading and permitted market making, and with respect to the definition 
of a covered fund. These comments often highlighted key differences in 
the markets and asset classes subject to regulation by the respective 
agencies under the Volcker Rule. In contrast, other commenters urged 
the agencies to construe the statutory mandate narrowly to avoid the 
potential for evasion of the proprietary trading and covered fund 
prohibitions.
---------------------------------------------------------------------------
    \9\ Of the 18,000 comment letters, more than 600 were unique 
comment letters, and the remaining letters were from individuals who 
used a form letter. The agencies each also met with a number of the 
commenters to discuss issues raised by the proposed regulations and 
have published summaries of these meetings.
---------------------------------------------------------------------------
    To meet these challenges, the agencies worked closely with each 
other in developing the final regulations, from the principal level 
down to staff at all the agencies who worked long days, nights, and 
weekends, to grapple with extraordinarily complex and important policy 
issues. Though the final regulations have been published, the OCC is 
continuing to work closely and cooperatively with the other agencies as 
we work on our supervisory implementation of the final regulations 
during the conformance period, which runs through July 21, 2015.\10\
---------------------------------------------------------------------------
    \10\ Section 619 authorized a 2-year conformance period, until July 
21, 2014, for banking entities to conform their activities and 
investments to the requirement of the statute. The statute also permits 
the Federal Reserve to extend this conformance period, one year at a 
time, for a total of no more than three additional years. In a separate 
action, the Federal Reserve has extended the conformance period for an 
additional year until July 21, 2015, and has indicated that it plans to 
monitor developments to determine whether additional extensions of the 
conformance period are in the public interest.
---------------------------------------------------------------------------
    The statute applies to all banking entities, regardless of size; 
however, not all banking entities engage in activities presenting the 
risks the statute sought to curb. One of my priorities in the Volcker 
rulemaking was to make sure that the final regulations imposed 
compliance obligations on banking entities in proportion to their 
involvement in covered activities and investments. The final 
regulations appropriately recognize that not all banking entities pose 
the same risk and impose compliance obligations accordingly. So, a 
community bank that only trades in ``plain vanilla'' Government 
obligations has no compliance obligations whatsoever under the final 
regulations. Community banks that engage in other low-risk covered 
activities will be subject to only minimal requirements.
    All banking entities, including community banks, will need to 
divest impermissible covered fund investments under the final 
regulations. Recently, however, the agencies heard, and promptly 
responded to, a concern raised by community institutions that the final 
regulations treated certain investments in a way that was inconsistent 
with another important provision of the Dodd-Frank Act. Banking 
entities of all sizes hold collateralized debt obligations backed 
primarily by trust preferred securities (TruPS CDOs). These TruPS CDOs, 
originally issued some years ago as a means to facilitate capital 
raising efforts of small banks and mutual holding companies, would have 
been subject to eventual divestiture and immediate write-downs under 
the applicable accounting treatment under generally accepted accounting 
principles. As a number of community institutions pointed out to the 
agencies, this result was inconsistent with the Collins Amendment to 
the Dodd-Frank Act,\11\ where Congress expressly protected existing 
TruPS as a component of regulatory capital for the issuing institution 
so long as the securities were issued by bank holding companies with 
less than $15 billion in consolidated assets or by mutual holding 
companies.
---------------------------------------------------------------------------
    \11\ See 12 U.S.C. 5371(b)(4)(C).
---------------------------------------------------------------------------
    To mitigate the unintended consequences of the final regulations 
and harmonize them with the Collins Amendment, the agencies, on January 
14, 2014, adopted an interim final rule to permit banking entities to 
retain an interest in or sponsor a TruPS CDO acquired before the final 
regulations were approved, provided certain requirements are met.\12\ 
Among others, the banking entity must reasonably believe that the 
offering proceeds from the TruPS CDO were invested primarily in trust 
preferred securities issued prior to May 19, 2010, by a depository 
institution holding company below a $15 billion threshold or by a 
mutual holding company. To help community institutions identify which 
CDO issuances remain permissible, the OCC, FDIC, and Federal Reserve 
have also issued a nonexclusive list of TruPS CDOs that meet the 
requirements of the interim final rule.
---------------------------------------------------------------------------
    \12\ See 79 FR 5223 (Jan. 31, 2014).
---------------------------------------------------------------------------
    For banking entities that engage in a high volume of trading and 
covered fund activities, namely, the largest banks, the final 
regulations will impose some significant changes. These large firms 
have been preparing for these changes since the statute became 
effective in July 2012, and have been shutting down impermissible 
proprietary trading operations. Now that the final regulations have 
been released, these institutions will need to take steps during the 
conformance period to bring their permitted trading and covered fund 
activities, such as market making, underwriting, hedging, and 
organizing and offering covered funds, into compliance with the 
requirements of the final regulations. Large banking entities must 
develop robust compliance programs, and they will be required to 
compile and report quantitative metrics on their trading activities 
that may serve as an indicator of potential impermissible proprietary 
trading or a high-risk trading strategy. Banking entities will not be 
able to use covered funds to circumvent the proprietary trading 
restrictions, and they will not be able to bail out covered funds they 
sponsor or invest in.
    Of course, issuing a final regulation is only the beginning of the 
agencies' implementation process. Equally important is how the agencies 
will enforce it. The OCC is committed to developing a robust 
examination and enforcement program that ensures the banking entities 
we supervise come into compliance and remain compliant with the Volcker 
Rule. In the near term, our priority is implementing examination 
procedures and training to help our examiners assess whether banks are 
taking the necessary steps to come into compliance with the final 
regulations by the end of the conformance period, and we are actively 
engaged in these efforts. Using these procedures, examiners will direct 
banks they examine to identify the range and size of activities and 
investments covered by the final regulations, and will assess banks' 
processes and systems for metrics reporting and their project plans for 
bringing their trading activities and investments into conformance with 
the final regulations. Moreover, key OCC subject matter experts across 
our policy and supervision divisions are developing training for our 
examiners to be held later in 2014. We will build upon these initial 
procedures and training through the course of the conformance period as 
we further assess the progress and needs of our examiners.
    The agencies also are working to ensure consistency in application 
of the final regulations. I am pleased to report that the OCC has led 
the formation of an interagency working group to address and 
collaborate on developing responses to key supervisory issues that 
arise under the final regulations. That interagency group held its 
first meeting in late January and will continue to meet on a regular 
basis going forward. The OCC is also participating in interagency 
training on the final regulations this spring and summer under the 
auspices of the FFIEC.
    When fully implemented, I believe the final regulations will 
achieve the legislative purpose for which the Volcker Rule was enacted. 
The final regulations will limit the risks the prohibited activities 
pose to the safety and soundness of banking entities and the U.S. 
financial system in a way that will permit banking entities to continue 
to engage in activities that are critical to capital generation for 
businesses of all sizes, households, and individuals, and that 
facilitate liquid markets.
V. Derivatives--Title VII
    Pursuant to sections 731 and 763 of the Dodd-Frank Act, banks that 
are ``swap dealers'' must register with the CFTC, and those that are 
``securities-based swap dealers'' must register with the SEC. The swap 
activities of banks that must register are subject to substantive 
requirements under Title VII of the Act. At this time, nine national 
banks have provisionally registered as swap dealers.
    Sections 731 and 763 also require the Federal banking agencies, 
together with the Federal Housing Finance Agency (FHFA) and the Farm 
Credit Administration (FCA), to impose minimum margin requirements on 
noncleared swaps and security-based swaps for swap dealers, major swap 
participants, security-based swap dealers, and major security-based 
swap participants that are banks. These agencies published a proposal 
to implement these requirements on May 11, 2011.
    After issuing the U.S. proposal, the Federal banking agencies 
participated in efforts by the Basel Committee and International 
Organization of Securities Commissions (IOSCO) to address coordinated 
implementation of margin requirements across the G-20 nations. 
Following extensive public comment, the Basel Committee and IOSCO 
finalized an international framework in September of 2013.
    The Federal banking agencies, together with the FHFA and the FCA, 
have reviewed this framework and the comments received on the U.S. 
proposal. The Federal banking agencies received more than 100 comments 
from banks, asset managers, commercial end users, trade associations, 
and others. Many commenters focused on the treatment of commercial end 
users, urging the agencies to exempt transactions with such entities 
from the margin requirements in a manner consistent with the approach 
taken in the Basel Committee-IOSCO framework. The Federal banking 
agencies are currently evaluating the changes indicated under the 
framework and suggested by commenters and expect to issue a final rule 
in the coming months.
    Additionally, banks that are registered swap dealers are subject to 
the derivatives push-out requirements in section 716 of the Dodd-Frank 
Act. This provision, which became effective on July 16, 2013, generally 
prohibits Federal assistance to swap dealers. The statute required the 
OCC to grant banks it supervises a transition period of up to 24 months 
to comply. We have granted a 24-month transition period to nine 
national banks and four Federal branches. We concluded that the 
transition period is necessary to allow banks to develop a transition 
plan for an orderly cessation or divestiture of certain swap activities 
that does not unduly disrupt lending activities and other functions 
that the statute required us to consider.
VI. Other Dodd-Frank Rulemakings
    The OCC has made considerable progress on other Dodd-Frank 
requirements. In August of last year, we issued a final rule to 
implement a provision in section 610 of the Act, which requires that an 
institution's lending limit calculation account for credit exposure 
arising from derivatives and securities financing transactions. The new 
rule specifies methods to calculate this credit exposure. In addition, 
we joined the other members of the FFIEC and the SEC in November to 
propose Joint Standards for Assessing Diversity Policies and Practices 
of Regulated Entities. These proposed standards implement a provision 
in section 342 of the Dodd-Frank Act and are intended to promote 
transparency and awareness of diversity within these entities.
A. Appraisals
    The Dodd-Frank Act contains a number of provisions relating to 
appraisals, and the Federal banking agencies, along with the NCUA, 
FHFA, and the Bureau of Consumer Financial Protection (CFPB), continue 
to work to implement these provisions. As I have previously reported, 
these agencies issued a final rule last year requiring all creditors, 
subject to certain exceptions, to comply with additional appraisal 
requirements before advancing credit for higher-risk mortgage loans. 
This past December, these agencies issued a supplemental final rule to 
revise one of the exemptions and include two additional exemptions. 
These changes reduce regulatory burden and reflect comments the 
agencies received from the public.
    In the coming months, the agencies plan to publish a proposal to 
establish minimum requirements for State registration of appraisal 
management companies, known as AMCs, which serve as intermediaries 
between appraisers and lenders. This rule will ensure that appraisals 
coordinated by AMCs adhere to applicable quality control standards and 
will facilitate State oversight of AMCs. The proposal also will 
implement the Dodd-Frank Act requirement that the States report to the 
FFIEC's Appraisal Subcommittee information needed to administer a 
national AMC registry.
    The agencies also are working collaboratively on a proposal to 
implement specific quality control standards for automated valuation 
models, which are computer models used to assess the value of real 
estate that serves as collateral for loans or pools of loans. We expect 
to issue this proposal later in 2014. Finally, the agencies are 
considering rulemaking options to complement an interim final rule 
issued by the Federal Reserve in 2010 that implements statutory 
appraisal independence requirements.
B. Credit Risk Retention
    The Federal banking agencies, together with FHFA, the SEC, and the 
Department of Housing and Urban Development, continue to work on 
implementing the credit risk retention requirements for asset 
securitization in section 941 of the Dodd-Frank Act. In 2011, these 
agencies proposed a rule to implement section 941 and received over 
10,000 comments, which offered many thoughtful suggestions. These 
agencies concluded that the rulemaking would benefit from a second 
round of public review and comment, and we reproposed the rule in 
September 2013. Although the reproposal includes significant changes 
from the original proposal, its focus is the same--to ensure that 
sponsors are held accountable for the performance of the assets they 
securitize.
    The comment period for the reproposal has now closed, and we are 
working on a final rule. While we expect to complete this project in 
the near future, the interagency group is working through some 
significant issues. For example, the agencies received a substantial 
number of comments regarding the definition of ``qualified residential 
mortgage'' and the extent to which it should incorporate the CFPB's 
definition of ``qualified mortgage.'' The agencies also received 
numerous comments, including some from Members of this Committee, 
regarding the treatment of collateralized loan obligations. We are 
carefully considering these and other issues, with the goal of 
balancing meaningful risk retention with the availability of credit to 
individuals and businesses.
C. Incentive-Based Compensation Arrangements
    Finally, the OCC continues to work on the implementation of section 
956 of the Dodd-Frank Act, which requires us to prescribe regulations 
or guidelines regarding incentive-based compensation. The Federal 
banking agencies, along with the NCUA and the SEC, proposed a rule that 
would require the reporting of certain incentive-based compensation 
arrangements by a covered financial institution and would prohibit 
incentive-based compensation arrangements at a covered financial 
institution that provides excessive compensation or could expose the 
institution to inappropriate risks leading to a material financial 
loss. The agencies received thousands of comments on this proposal and 
will address the issues raised by the commenters in the final rule.
Conclusion
    Thank you again for the opportunity to appear before you and to 
update the Committee on the OCC's continued work to implement the Dodd-
Frank Act and enhance our efforts to regulate our country's national 
banks and Federal savings associations.
                                 ______

                  PREPARED STATEMENT OF MARK P. WETJEN
         Acting Chairman, Commodity Futures Trading Commission
                            February 6, 2014
    Good morning Chairman Johnson, Ranking Member Crapo and Members of 
the Committee. Thank you for inviting me to today's hearing on the 
Dodd-Frank Wall Street Reform and Consumer Protection Act (``Dodd-
Frank'') and customer information security. I am honored to testify as 
Acting Chairman of the Commodity Futures Trading Commission (``CFTC''). 
I also am pleased to join my fellow regulators in testifying today.
    Now is a good time for not only this Committee, but all 
stakeholders in the CFTC to reflect on the agency's progress in 
implementing financial reform and what the future might bring for this 
agency and the markets it oversees.
    Due to Dodd-Frank and the efforts of my colleagues and staff at the 
CFTC, today there is both pre-trade and post-trade transparency in the 
swaps market that did not exist before. The public now can see the 
price and volume of swap transactions in real-time, and the CFTC's 
Weekly Swaps Report provides a snapshot of the swaps market each week. 
The most liquid swaps are being traded on regulated platforms and 
exchanges, with a panoply of protections for those depending on the 
markets, and regulators themselves have a new window into the 
marketplace through swap data repositories (``SDRs'').
    Transparency, of course, is helpful only if the information 
provided to the public and regulators can be usefully employed. 
Therefore, the CFTC also is taking steps to protect the integrity of 
that data and ensure that it continues to be reliable and useful for 
surveillance, systemic risk monitoring, and the enforcement of 
important financial reforms.
    These transparency rules complement a number of equally important 
financial reforms. For example, the counterparty credit risks in the 
swaps market have been reduced as a large segment of the swaps market 
is now being cleared--as of last month, about 70 percent of new, arm's-
length swaps transactions were being cleared. Additionally, nearly 100 
swap dealers and major swap participants (``MSPs'') have registered 
with the CFTC, bringing their swaps activity and internal risk-
management programs under the CFTC's oversight for the first time. We 
also have strengthened a range of futures and swaps customer 
protections.
    As it has put these reforms in place, the CFTC has consistently 
worked to protect liquidity in the markets and ensure that end users 
can continue using them to hedge risk as Congress directed.
    The CFTC, in short, has completed most of its initial mandate under 
Dodd-Frank and has successfully ushered in improvements to the over-
the-counter derivatives market structure for swaps, while balancing 
countervailing objectives.
Volcker Rule
    In recent weeks, the Commission finalized the Volcker Rule, which 
was one of our last major rules under Dodd-Frank. The Volcker Rule was 
exceptional on account of the unprecedented coordination among the five 
financial regulators.
    Congress required the banking regulators to adopt a joint Volcker 
Rule, but it also provided that the market regulators--the Securities 
and Exchange Commission (``SEC'') and the CFTC--need only coordinate 
with the prudential banking regulators in their rulemaking efforts. One 
of the hallmarks of the final rule is that the market regulators went 
beyond the congressional requirement to simply coordinate. In fact, the 
CFTC's final rule includes the same rule text as that adopted by the 
other agencies. Building a consensus among five different Government 
agencies was no easy task, and the level of coordination by the 
financial regulators on this complicated rulemaking was exceptional.
    This coordination was thanks in no small part to leadership at the 
Department of the Treasury. Secretary Lew, Acting Deputy Secretary 
Miller, and others were instrumental in keeping the agencies on task 
and seeing this rulemaking over the finish line. Along with the other 
agencies, the CFTC received more than 18,000 comments addressing 
numerous aspects of the proposal. CFTC staff hosted a public roundtable 
on the proposed rule and met with a number of commenters. Through 
weekly inter-agency staff meetings, along with more informal 
discussions, the CFTC staff and the other agencies carefully considered 
the comments in formulating the final rule.
Differences with Proposal
    The agencies were responsive to the comments when appropriate, 
which led to several changes from the proposed Volcker Rule I would 
like to highlight.
    The final Volcker Rule included some alterations to certain parts 
of the hedging-exemption requirements found in the proposal. For 
instance, the final rule requires banking entities to have controls in 
place through their compliance programs to demonstrate that hedges 
would likely be correlated with an underlying position. The final rule 
also requires ongoing recalibration of hedging positions in order for 
the entities to remain in compliance.
    Additionally, the final rule provides that hedging related to a 
trading desk's market-making activities is part of the trading desk's 
financial exposure, which can be managed separately from the risk-
mitigating hedging exemption.
    Another modification to the proposal was to include under ``covered 
funds'' only those commodity pools that resemble, in terms of type of 
offering and investor base, a typical hedge fund.
CFTC Volcker Rule Implementation and Enforcement
    The CFTC estimates that, under its Volcker regulations, it has 
authority over more than 100 registered swap dealers and futures 
commission merchants (``FCMs'') that meet the definition of ``banking 
entity.'' In addition, under Section 619, some of these banking 
entities may be subject to oversight by other regulators. For example, 
a joint FCM/broker-dealer would be subject to both CFTC and SEC 
jurisdiction and in such circumstances, the CFTC will monitor the 
activities of the entity directly and also coordinate closely with the 
other functional regulator(s).
    In this regard, Section 619 of the Dodd-Frank Act amended the 
Banking Holding Company Act to direct the CFTC itself to write rules 
implementing Volcker Rule requirements for banking entities ``for which 
the CFTC is the primary financial regulatory agency'' as that term was 
defined by Congress in Dodd-Frank. Accordingly, as Congress directed, 
the CFTC's final rule applies to entities that are subject to CFTC 
registration and that are banking entities, under the Volcker 
provisions of the statute.
    To ensure consistent, efficient implementation of the Volcker Rule, 
and to address, among other things, the jurisdiction issues I just 
mentioned, the agencies have established a Volcker Rule implementation 
task force. That task force also will be the proper vehicle to examine 
the means for coordinated enforcement of the rule. Although compliance 
requirements under the Volcker Rule do not take effect until July 2015, 
the CFTC is exploring now whether to take additional steps, including 
whether to adopt formal procedures for enforcement of the rule. As part 
of this process, I have directed CFTC staff to consider whether the 
agency should adopt such procedures and to make recommendations in the 
near future.
Volcker Rule: Lowering Risk in Banking Entities
    The final Volcker Rule closely follows the mandates of Section 619 
and strikes an appropriate balance in prohibiting banking entities from 
engaging in the types of proprietary trading activities that Congress 
contemplated when considering Section 619 and in protecting liquidity 
and risk management through legitimate market making and hedging 
activities. In adopting the final rule, the CFTC and other regulators 
were mindful that exceptions to the prohibitions or restrictions in the 
statute, if not carefully defined, could conceivably swallow the rule.
    Banking entities are permitted to continue market making--an 
important activity for providing liquidity to financial markets--but 
the agencies reasonably confined the meaning of the term ``market 
making'' to the extent necessary to maintain a market-making inventory 
to meet near-term client, customer or counterparty demands.
    Likewise, the final rule permits hedging that reduces specific 
risks from individual or aggregated positions of the banking entity.
    The final Volcker Rule also prohibits banking entities from 
engaging in activities that result in conflicts of interest with 
clients, customers or counterparties, or that pose threats to the 
safety and soundness of these entities, and potentially therefore to 
the U.S. financial system.
    The final Volcker rule also limits banking entities from sponsoring 
or owning ``covered funds,'' which include hedge funds, private equity 
funds or certain types of commodity pools, other than under certain 
limited circumstances. The final rule focuses the prohibition on 
certain types of pooled investment vehicles that trade or invest in 
securities or derivatives.
    Finally, and importantly, the final Volcker Rule requires banking 
entities to put in place a compliance program, with special attention 
to the firm's compliance with the rule's restrictions on market making, 
underwriting and hedging. It also requires the larger banking entities 
to report key metrics to regulators each month. This new transparency, 
once phased-in, will buttress the CFTC's oversight of swap dealers and 
FCMs by providing it additional information regarding the risk levels 
at these registrants.
TruPS Interim Final Rule
    Even with resource constraints, the CFTC has been responsive to 
public input and willing to explore course corrections, when 
appropriate. With respect to the Volcker Rule, the CFTC, along with the 
other agencies, last month unanimously finalized an interim final rule 
to allow banks to retain collateralized debt obligations backed 
primarily by trust-preferred securities (TruPS) issued by community 
banks. The agencies acted quickly to address concerns about 
restrictions in the final rule, demonstrating again the commitment of 
the agencies at this table to ongoing coordination. In doing so, the 
CFTC and the other agencies protected important markets for community 
banks, as Congress directed.
Implementation Stage of Dodd-Frank
    Looking ahead through the lens of what already has been done, it is 
clear that the Commission and all stakeholders will need to closely 
monitor and, if appropriate, address the inevitable challenges that 
will come with implementing the new regulatory framework under Dodd-
Frank.
    For the CFTC, only a few rulemakings remain to be re-proposed or 
finalized in order to complete the implementation of Dodd-Frank. 
Indeed, in just a matter of days, the compliance date for perhaps the 
last remaining, major hallmark of the reform effort will arrive: the 
effective date of the swap-trading mandate.
    Rules the Commission is working to address in the coming months 
include capital and margin requirements for uncleared swaps, 
rulemakings intended to harmonize global regulations for clearinghouses 
and trading venues, and finalizing position limits.
    There are other important matters in the months ahead as well.
    Allow me to mention some of these matters before the Commission as 
we move forward with Dodd-Frank implementation.
Made Available to Trade Determinations
    As a result of the trade execution mandate, many swaps will, for 
the first time, trade on regulated platforms and benefit from market-
wide, pre-trade transparency. These platforms are designed to improve 
pricing for the buy-side, commercial end users, and other participants 
that use these markets to manage risk. Additionally, SEFs, as 
registered entities, are required to establish and enforce 
comprehensive compliance and surveillance programs.
    The Commission's trade execution rules complement our other efforts 
to streamline participation in the markets by doing away with the need 
to negotiate bilateral credit arrangements and removing impediments to 
accessing liquidity. This not only benefits the end users that the 
markets are intended to serve, but also new entrants seeking to compete 
for liquidity who now are able to access the markets on impartial 
terms. In essence, the Commission's implementation of the trade 
execution mandate supports a transparent, risk-reducing swap-market 
structure under CFTC oversight.
    In recent weeks, the ``Made Available to Trade Determinations'' 
filed by four swap execution facilities (``SEFs'') have been deemed 
certified, making mandatory the trading of a number of interest rate 
and credit default swaps on regulated platforms.
    There have been some questions in this context about the trading of 
so-called ``package transactions,'' which often include a combination 
of financial instruments and at least one swap that is subject to the 
trade execution requirement. I have directed Division of Market 
Oversight (``DMO'') staff to hold an open-to-the-public roundtable, 
which will take place February 12, and to further examine these issues 
so that the CFTC can further consider the appropriate regulatory 
treatment of basis trades falling within the meaning of a ``package 
transaction.''
Data
    In order for the Commission to enforce the significant Dodd-Frank 
reforms, the agency must have accurate data and a clear picture of 
activity in the marketplace.
    Last month, with the support of my fellow commissioners, I directed 
an interdivisional staff working group to review certain swap 
transaction data, recordkeeping and reporting provisions under Dodd-
Frank. The working group, led by the director of DMO, will formulate 
and recommend questions for public comment regarding compliance with 
Part 45 reporting rules and related provisions, as well as consistency 
in regulatory reporting among market participants.
    We have seen an incredible shift to a transparent, regulated swaps 
marketplace, and this is an appropriate review to ensure the data we 
are receiving is of the best possible quality so the Commission can 
effectively oversee the marketplace. I have asked the working group to 
review the incoming public comments and make recommendations to the 
Commission in June.
Concept Release on Risk Controls and System Safeguards for Automated 
        Trading Environments
    The CFTC's Concept Release on Risk Controls and System Safeguards 
for Automated Trading Environments provides an overview of the 
automated trading environment, including its principal actors, 
potential risks, and responsive measures taken to date by the 
Commission or industry participants. It also discusses pre-trade risk 
controls; post-trade reports; system safeguards related to the design, 
testing and supervision of automated trading systems; and additional 
protections designed to promote safe and orderly markets. Within the 
release, the Commission asks 124 questions and is seeking extensive 
public input.
    To give the public more time to provide comments, the CFTC extended 
the comment period, which continues through February 14.
Position Limits
    The futures markets have a long history of embracing speculative 
position limits as a tool to reduce unwarranted price fluctuations and 
minimize the risk of manipulation, particularly in the spot month, such 
as corners and squeezes. Our proposed position limits rule builds on 
that history, increases transparency, and lessens the likelihood that a 
trader will accumulate excessively large speculative positions.
    The Commission's proposed rule respects congressional intent and 
addresses a district court decision related to the Commission's new 
position-limits authority under Dodd-Frank.
    The comment period on the re-proposed rule closes February 10, and 
I look forward to reviewing the public input.
International Coordination
    Given that the U.S. has nearly delivered on its G20 commitments to 
derivatives reform, and the European Union is close behind, financial 
regulators recently have focused more time on the developing global 
market structure for swaps.
    The G20 commitments were a reaction to a global financial crisis. 
Although the causes of that crisis are not as clear as some suggest, 
few would disagree that liquidity constraints at certain firms were at 
least exacerbated by exposures to derivatives.
    The plain truth is that risk associated with derivatives is mobile 
and can migrate rapidly across borders in modern financial markets. An 
equally plain truth is that any efforts to monitor and manage global 
systemic risk therefore must be global in nature.
    Risk mobility means that regulators in the United States and abroad 
do not have the luxury of limiting their oversight to financial 
activities occurring solely within their borders. Financial activities 
abroad may be confined to local markets in some cases, but the 
financial crisis, and more recent events, make clear that the rights 
and responsibilities that flow from these activities often are not.
    Perhaps as important, Congress reacted to the financial crisis by 
authorizing the CFTC to oversee activities conducted beyond its borders 
in appropriate cases. It could have limited the CFTC's oversight to 
only those entities and activities located or occurring within our 
shores, but it did not. In fact, Congress recognized in Dodd-Frank that 
even when activities do not obviously implicate U.S. interests, they 
can still create less obvious but legally binding obligations that are 
significant and directly relevant to the health of a U.S. firm; and 
which in the aggregate could have a material impact on the U.S. 
financial system as a whole.
    So it is clear to me that the CFTC took the correct approach in 
adopting cross-border policies that account for the varied ways that 
risk can be imported into the U.S. At the same time, the CFTC's 
policies tried to respect the limits of U.S. law and the resource 
constraints of U.S. and global regulators. That is in part why, last 
December, the CFTC approved a series of determinations allowing non-
U.S. swap dealers and MSPs to comply with Dodd-Frank by relying on 
comparable and comprehensive home country regulations, otherwise known 
as ``substituted compliance.''
    Those approvals by the CFTC reflect a collaborative effort with 
authorities and market participants from each of the six jurisdictions 
with registered swap dealers. Working closely with authorities in 
Australia, Canada, the EU, Hong Kong, Japan, and Switzerland, the CFTC 
issued comparability determinations for a broad range of entity-level 
requirements. And in two jurisdictions, the EU and Japan, the CFTC also 
issued comparability determinations for a number of key transaction-
level requirements.
    It appears at this time that the substituted compliance approach 
has been successful in supporting financial reform efforts around the 
globe and a race-to-the-top in global derivatives regulation. Last 
month, for example, the European Union (``EU'') agreed on updated rules 
for markets in financial derivatives, or the Markets in Financial 
Instruments Directive II (``MiFiD II''), reflecting great progress on 
derivatives reform in the EU. Other jurisdictions that host a 
substantial market for swap activity are still working on their 
reforms, and certainly will be informed by the EU's work and the CFTC's 
ongoing coordination with foreign regulators.
    As jurisdictions outside the U.S. continue to strengthen their 
regulatory regimes and meet their G20 commitments, the CFTC may 
determine that additional foreign regulatory requirements are 
comparable to and as comprehensive as certain requirements under Dodd-
Frank.
    The CFTC also has made great progress with the European Commission 
since both regulators issued the Path Forward statement last summer, 
and we are actively working with the Europeans to ensure that 
harmonized regulations on the two continents promote liquidity 
formation and sound risk management. Fragmented liquidity, and the 
regulatory and financial arbitrage that both drives and follows it, can 
lead to increased operational costs and risks as entities structure 
around the rules in primary swap markets.
    Harmonizing regulations governing clearinghouses and trading 
venues, in particular, is critical to sound and efficient market 
structure. Even if firms are able to navigate the conflicts and 
complexities of differing regulatory regimes, regulators here and 
abroad must do what they can to avoid incentivizing corporate 
structures and inter-affiliate relationships that will only make global 
financial firms more difficult to understand, manage, and unwind during 
a period of market distress.
    Conversely, this translates to open, competitive derivatives 
markets. It means efficient and liquid markets. A global regime is the 
best means to avoid balkanization of risk and risk management that may 
expose the U.S. financial system over time to risks that are 
unnecessary, needlessly complex, and difficult to predict and contain.
    In light of the CFTC's swaps authority, and the complexities of 
implementing a global regulatory regime, the Commission is working with 
numerous foreign authorities to negotiate and sign supervisory 
arrangements that address regulator-to-regulator cooperation and 
information sharing in a supervisory context. We currently are 
negotiating such arrangements with respect to swap dealers and MSPs, 
SDRs, SEFs, and derivatives clearing organizations.
    As a final note on cross-border issues, on February 12 the Global 
Markets Advisory Committee (``GMAC''), which I sponsor, will meet to 
discuss the November 14, 2013, CFTC staff advisory on applicability of 
transaction-level requirements in certain cross-border situations.
The CFTC and Customer Information Security
    The CFTC takes our responsibility to protect against the loss or 
theft of customer information seriously. However, the CFTC's funding 
challenges, and thus our limited examinations staff, have an impact on 
the agency's ability to examine and enforce critical rules that protect 
customer privacy and ensure firms have robust information security and 
other risk management policies in place.
    The Gramm-Leach-Bliley Act was enacted in 1999 to ensure that 
financial institutions respect the privacy of their customers. Part 160 
of the CFTC's regulations was adopted pursuant to the Gramm-Leach-
Bliley Act and addresses privacy and security safeguards for customer 
information. Under the law, swap dealers, FCMs and other CFTC 
registrants must have ``policies and procedures that address 
administrative, technical and physical safeguards for the protection of 
customer records and information.'' These policies and procedures are 
designed to protect against unauthorized access to customer records or 
information.
    The CFTC is working to strengthen our registrants' compliance with 
the law. The agency is poised to release a staff advisory to market 
participants outlining best practices for compliance. The advisory 
recommends, among other best practices, that registrants should assess 
existing privacy and security risks; design and implement a system of 
procedures and controls to minimize such risks; regularly test privacy 
and security controls, including periodic testing by an independent 
party; annually report to the board on these issues; and implement an 
incident response program that includes notifying the Commission and 
individuals whose information was or may be misused. In addition, the 
CFTC has recently issued new customer protection regulations that 
include, among other regulations, new requirements for risk management 
by firms. Security safeguards are an element of risk management that 
needs to be addressed by this new regulation.
    Last year, the CFTC also issued interpretive guidance, mirroring 
that of other financial agencies, clarifying that reporting of 
suspected financial abuse of older Americans to appropriate law 
enforcement agencies does not violate the privacy provisions within 
Part 160 of the Commission's rules.
    Though enforcement of CFTC Part 160 rules is a challenge given our 
limited resources, we have enforced them in the past. In one instance, 
the CFTC settled a case with an FCM when an employee of that FCM placed 
files containing sensitive personally identifiable information on a 
public Web site, and the FCM did not have effective procedures in place 
to safeguard customer information.
    In addition to Part 160, the CFTC's Dodd-Frank rules for DCMs, SEFs 
and SDRs require these entities to notify the CFTC of all cybersecurity 
incidents that could potentially or actually jeopardize the security of 
information.
    Last spring, the CFTC and SEC adopted final ``red flags'' rules 
under the Dodd-Frank Act requiring CFTC and SEC registrants to adopt 
programs to identify and address the risk of identity theft. As the law 
required, our rules establish special requirements for credit and debit 
card issuers to assess the validity of change of address, but 
currently, the CFTC entities that must follow these identity theft 
rules do not issue credit or debit cards. A number of firms, however, 
do accept credit and debit cards for payment, which presents a 
different type of risk.
    The CFTC also has adopted a rule regarding the proper disposal of 
consumer information requiring reasonable measures, such as shredding, 
to protect against unauthorized access.
Retail Payment Systems
    The Commission's new customer protection rules on risk management 
require FCMs to develop risk management policies that address risks 
related to retail payment systems, such as anti-money laundering, 
identity theft, unauthorized access, and cybersecurity.
    The CFTC currently does not have the resources to conduct any 
direct examinations of retail payment systems. The CFTC does indirectly 
look at the risks of retail payment systems through designated self-
regulatory organizations (DSRO). The DSRO covers the operational 
aspects of the money movement through their risk-based programs. 
Additionally, DSROs perform a review of anti-money laundering at FCMs 
looking at a number of aspects of a retail payment system--source of 
funds, cash transactions, customer identity, money laundering and staff 
training.
    For the vast majority of our registrants, the retail payment system 
is through normal banking channels, such as wire transfers. Only a few 
of our registrants accept credit or debit cards, and none currently 
accept virtual currency payment systems. Virtual currency, however, 
does present new risk, as a firm would be interacting outside of bank 
payment channels, increasing the risk of hacking or fraud, among other 
cybersecurity issues. The CFTC is working with registrants that are 
seeking to accept virtual currencies to educate them about best 
practices.
Data Breach Response
    The CFTC's response to a data breach incident would include 
immediately assessing the situation with the registrant to understand 
the magnitude of the breach and its implications on customers and the 
marketplace. We would coordinate with other regulators and law 
enforcement and together determine the appropriate course of action. 
Our response would include an analysis of the data compromised, 
immediate notification to affected customers (unless law enforcement 
prohibits that notification), supporting customers by having the firm 
provide free credit monitoring services, ensuring customers know how to 
change user IDs and passwords, and having the firm closely monitor 
customer activity to look for signs of identity theft.
    Looking ahead, the Commission is considering implementing rules 
under Gramm-Leach-Bliley to expand upon our current customer protection 
regulations with more specificity regarding the security of customer 
information.
Resources
    To be effective, the CFTC's oversight of these registrants requires 
technological tools and staff with expertise to analyze complex 
financial information. On that note, I am pleased that the House and 
Senate have agreed to an appropriations bill that includes a modest 
budgetary increase to $215 million for the CFTC, lifting the agency's 
appropriations above the sequestration level that has been challenging 
for planning and orderly operation of the agency. The new funding level 
is a step in the right direction. We will continue working with 
Congress to secure resources that match the agency's critical 
responsibilities in protecting the safety and integrity of the 
financial markets under its jurisdiction. We need additional staff for 
surveillance, examinations, and enforcement, as well as investments in 
technology, to give the public confidence in our ability to oversee the 
vast derivatives markets.
Conclusion
    For the CFTC, the Volcker Rule was one of the last remaining 
rulemakings required by Dodd-Frank. Only a few rulemakings remain to be 
re-proposed or finalized in order to complete the implementation of the 
legislation. Indeed, in just a matter of days, the compliance date for 
perhaps the last remaining major hallmark of the reform effort will 
arrive: the effective date of the swap-trading mandate. Looking 
forward, the agency will continue working to ensure an orderly 
transition to, and adoption of, the new market structure for swaps, and 
adjusting as necessary.
    Thank you again for inviting me today. I would be happy to answer 
any questions from the Committee.
  RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM MARY J. 
                             MILLER

Q.1. When a data breach happens at a merchant level, Federal 
banking regulators generally do not have jurisdiction to 
investigate and take action. However, collateral consequences 
of such breaches are that regulated financial institutions are 
impacted and face reputational and financial setbacks as a 
result. What are your expectations for the regulated entities 
when a breach occurs at a third party? What are some of the 
challenges financial institutions face as a result of the 
breach? How can those challenges be addressed while minimizing 
consequences of, and cost for, affected financial institutions?

A.1. Attacks on retail payment systems have gained heightened 
attention over the past months, following the widely reported 
data breach of the Target Corporation. Cyber criminals have 
taken advantage of cybersecurity vulnerabilities within the 
networks of retail merchants and financial services firms to 
unlawfully obtain credit card information and other payment 
card data from Point-of-Sale terminals. While the theft of 
credit card information has resulted in fraud against financial 
institutions, much of the liability for these losses will be 
borne by the retailers where the original breach took place. 
This is a result of the structure of contracts between banks 
and merchants, which rely upon industry imposed standards.
    Because technology continues to evolve and malicious actors 
adapt their techniques, no one security solution is likely to 
resolve the cybersecurity challenges banks face. As the sector 
specific agency for financial services, Treasury strongly 
supports the financial sector's efforts to take a comprehensive 
approach to cybersecurity, including by using the National 
Institute of Standards and Technology's Framework for Improving 
Critical Infrastructure Cybersecurity. This Framework provides 
firms with a methodology that can be used to review their own 
risk management activities and could be useful in managing 
their supply chain vendors. For this reason, we have been 
working closely with the financial services sector to promote 
use of the Framework.

Q.2. At the Subcommittee hearing on data security and breach 
held on February 3, 2014, Members learned that the payment 
networks have set an October 2015 timeframe for moving industry 
participants to adoption of new, more secure payment 
technology. Can you discuss how quickly your regulated entities 
are moving to this technology, and identify some of the 
obstacles that still exist?

A.2. Though Treasury does not have regulatory authority in this 
area, we closely monitor developments in payments technology. 
Treasury has observed that many banks have already begun to 
issue chip cards to better secure payments. In addition, many 
retailers have purchased terminals that are Europay, MasterCard 
and Visa (EMV) compliant. Industry participants have expressed 
that the primary barrier to adoption of these new standards is 
the cost of conversion.

Q.3. In July of 2013, I requested that the Government 
Accountability Office (GAO) review the SIFI designation process 
at FSOC for both transparency and clarity, and to examine the 
criteria used to designate companies as SIFIs. Would you all be 
willing to support more reliance on measurable metrics in 
FSOC's designation process?

A.3. Under Section 113 of the Dodd-Frank Act, the Financial 
Stability Oversight Council (Council) may determine that a 
nonbank financial company shall be subject to Federal Reserve 
supervision and enhanced prudential standards if the company's 
material financial distress, or the nature, scope, size, scale, 
concentration, interconnectedness, or mix of activities of the 
company, could pose a threat to U.S. financial stability.
    The Council provided considerable public transparency into 
its process for considering nonbank financial companies for 
designation by voluntarily publishing a rule and guidance 
outlining how it would apply the statutory criteria and review 
firms for potential designation. The Council's rule and 
guidance on nonbank designations benefited from multiple rounds 
of public comment, even though the Council was not required to 
conduct a rulemaking process. The Council's public guidance 
established clear, quantitative metrics that the Council uses 
to identify firms for evaluation and extensively described the 
firm-specific analysis that the Council conducts.
    The Council's guidance also includes sample metrics the 
Council may consider in its in-depth analysis of companies for 
potential designation. However, the guidance notes that a 
designation decision cannot be reduced to a formula. Due to the 
diverse types of nonbank financial companies and the unique 
threats that these nonbank financial companies may pose to U.S. 
financial stability, the Council's analysis will depend on the 
particular circumstances of each nonbank financial company 
under consideration and the unique nature of the threat it may 
pose to U.S. financial stability.
    The Council appreciates the important oversight role of the 
GAO. We are confident that our process has been consistent with 
the Council's statutory duties and that the Council has 
provided the public and affected companies with extensive 
opportunities for input.

  RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MARY J. 
                             MILLER

Q.1. FSOC has been in existence for more than 3 years. Since 
that time, three companies have been deemed systemically 
significant and a second round of companies appear to be under 
consideration. Despite the numerous calls from Congress, a 
number of industry and consumer groups and even the GAO for the 
FSOC to provide greater transparency about the process used for 
designation, (including the metrics OFR should measure in their 
analysis), the criteria followed, as well as the implications 
and process to be followed after a firm has been designated a 
SIFI. Can you provide greater details on why more transparency 
has not been achieved and how the FSOC plans to improve these 
issues?

A.1. The Council has provided tremendous public transparency 
into its process for considering nonbank financial companies 
for designation by voluntarily publishing a rule and guidance 
outlining how it would apply the statutory criteria and review 
firms for potential designation. In addition, the Council has 
reported to Congress and released to the public explanations of 
the basis for each of the three nonbank designations that it 
has completed.
    The Council's rule and guidance on nonbank designations 
benefited from multiple rounds of public comment, even though 
the Council was not required to conduct a rulemaking process. 
The Council's public guidance established clear, quantitative 
metrics that the Council uses to identify firms for evaluation 
and extensively described the firm-specific analysis that the 
Council conducts.
    Firms under review for potential designation have numerous 
and extensive opportunities to engage directly with the Council 
before any designation. First, the Council provides the company 
with a notice that it is under consideration and an opportunity 
to submit materials to contest the Council's consideration. 
This goes beyond what is required by the statute. Second, 
before any proposed designation, there is extensive interaction 
between Council staff and the company, including a number of 
meetings and information requests. After the Council makes a 
proposed designation, the Council sends the company a written 
explanation, and the company is entitled to a hearing to 
contest the proposed designation. To date, there has been only 
one company that has requested an oral hearing; the Council 
granted it, and the Council members themselves presided over 
the hearing and heard directly from the company's 
representatives.
    In addition, any designated company has a right to seek 
judicial review of the designation. The Council also reviews 
all nonbank designations annually, based on a process set forth 
in the Council's rule that allows any designated company to 
participate in the process.
    Due to the preliminary nature of the Council's evaluation 
of any nonbank financial company prior to a final designation 
and the potential for market participants to misinterpret such 
an announcement, the Council does not publicly announce the 
name of any company that is under review prior to a final 
designation of the company.

Q.2. I, along with a number of other Republicans, introduced 
legislation to fix an unintended consequence on collateralized 
debt obligations (CDOs). In their January 13th interim final 
rule, regulators crafted a rule that largely mirrored what my 
bill sought to do; provide relief to a majority of community 
banks. While we appreciate the agencies' efforts on this issue, 
one issue that we included in our legislation that the 
regulators did not address was collateralized loan obligations 
(CLOs). The CLO market provides about $300 billion in financing 
to U.S. companies and U.S. banks currently hold between $70 and 
$80 billion of senior notes issued by existing CLOs and foreign 
banks subject to the Volcker Rule hold about another $60 
billion. Because the final rules implementing the Volcker Rule 
improperly treat these debt securities as ``ownership 
interests'', the banks holding these notes will either have to 
divest or restructure these securities. Because restructuring 
well over $130 billion of CLO securities is neither feasible 
nor under the control of the banks holding these notes, 
divestment is the most likely result. This, in turn, could lead 
to a fire sale scenario that could put incredible downward 
pressure on CLO securities prices leading to significant losses 
for U.S. banks. If prices decline by only 10 percent, U.S. 
banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of 
the overreach of the Volcker Rule. Indeed, the final rules are 
already wreaking havoc on the CLO market. Since the final rules 
were announced, new CLO formation was down nearly 90 percent in 
January 2014, the lowest issuance in 23 months. If this 
situation is not remedied and CLO issuance remains moribund, 
corporate borrowers could face higher credit costs. At the 
hearing of the House Financial Services Committee on January 
15, 2014, a number of both Democrats and Republicans asked 
questions about how to fix the issue with the CLO market that 
was not addressed in the interim final rule released on January 
13, 2014. The representatives of the agencies noted that the 
CLO issue was at the top of the list of matters to be 
considered by the inter-agency working group that has been 
established to review issues such as this and publish guidance. 
The issue is urgent. Bank CFOs are struggling with how to treat 
their CLO debt securities. Can you commit to a tight timeframe 
to issue guidance on CLOs?

A.2. The Federal Reserve Board recently announced that it 
intends to exercise its authority to give banking entities two 
additional 1-year extensions to conform their ownership 
interests in, and sponsorship of CLOs covered by, the Volcker 
Rule. The Federal Reserve Board also noted that the four other 
agencies charged with enforcing the requirements of the Volcker 
Rule plan to administer their oversight of banking entities in 
accordance with the Federal Reserve Board's extension of the 
conformance period applicable to CLOs. In April 2014, the 
Federal Reserve Board, in consultation with the other rule-
writing agencies, announced that it intends to exercise its 
authority to give banking entities two additional 1-year 
extensions to bring into conformance with the Volcker Rule 
their ownership interests in and sponsorship of CLOs. This 
relief should reduce pressure on banking entities to sell CLOs 
before the deadline for conformance.

Q.3. Can you speak to other reports/studies that the OFR may do 
and if there will be some kind of open/regular process that 
will be followed for the public to review and comment? In terms 
of the OFR's Study on Asset Management and Financial Stability, 
do you know how many comments were received and the general 
nature/issues raised in these comments?

A.3. There are no pending requests from the Council to the OFR 
for reports at this time. However, the OFR Director sets the 
agenda of the OFR and has the discretion to explore matters 
that might have an impact on the financial stability of the 
United States. After the OFR delivered the report to the 
Council and posted it on the OFR Web site, the Securities and 
Exchange Commission solicited public comment on the OFR report 
and posted the comment letters on its Web site.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM DANIEL K. 
                            TARULLO

Q.1. When a data breach happens at a merchant level, Federal 
banking regulators generally do not have jurisdiction to 
investigate and take action. However, collateral consequences 
of such breaches are that regulated financial institutions are 
impacted and face reputational and financial setbacks as a 
result. What are your expectations for the regulated entities 
when a breach occurs at a third party? What are some of the 
challenges financial institutions face as a result of the 
breach? How can those challenges be addressed while minimizing 
consequences of, and cost for, affected financial institutions?

A.1. The presence of numerous and varied participants in 
payment processing, such as banks, merchants, and service 
providers, increases the complexity of securing financial and 
customer information throughout the payment process. The 
Federal Reserve guidance sets expectations for financial 
institutions to tailor and implement risk assessment and 
mitigation plans for material business lines that include 
processes ranging from layered security architectures to 
heightened monitoring of customer account activity. Financial 
institutions are expected to maintain robust and flexible 
incident response and management programs, with the goal of 
minimizing the effects, both financial and reputational, of 
merchant data breaches. When a breach does occur, financial 
institutions are expected to assess the risks to the 
institution and its customers and to implement plans to 
mitigate those risks. Risk mitigation plans typically include 
enhanced account and systems monitoring and reporting to detect 
unusual activity and to obtain information to mitigate the 
effects of the security incident. Depending on the details of a 
specific incident, additional actions may include customer 
notification and card reissuance.
    When responding to a third-party data breach, participants 
in the payment system face the challenge of devising an 
appropriate response with incomplete information about the 
extent and origin of the particular compromise. For example, 
information regarding the scope of merchant data breaches, 
including the extent and type of compromised data, is generally 
limited initially, requiring decisions regarding the monitoring 
of customer accounts, notification of customers, and the 
reissuance of cards based upon minimal and evolving 
information. Depending upon the characteristics of the specific 
breach, additional challenges may result from the use of 
external providers of technology and other services to support 
payment processing functions.
    The Federal Reserve guidance on information security and 
payment systems outlines expectations for financial 
institutions regarding information security programs and 
controls, including ongoing assessments of application and 
business line needs as business activities evolve and the use 
of metrics to assess the effectiveness of controls. Financial 
institutions should address the challenges of merchant data 
breaches by continuously advancing their risk management 
capabilities to minimize the risk of breaches occurring and to 
mitigate the impact of breaches when they do occur. Financial 
institutions should maintain effective information security 
programs, including controls, systems, and resources to detect 
customer data breaches and to mitigate any resulting financial 
and reputational losses. The Federal Reserve's 2013 Guidance on 
Managing Outsourcing Risk, SR 13-19/CR 13-21, directs financial 
institutions to appropriately manage risk associated with 
vendors and subcontractors.

Q.2. At the Subcommittee hearing on data security and breach 
held on February 3, 2014, Members learned that the payment 
networks have set an October 2015 timeframe for moving industry 
participants to adoption of new, more secure payment 
technology. Can you discuss how quickly your regulated entities 
are moving to this technology, and identify some of the 
obstacles that still exist?

A.2. Regulated entities are moving forward with Europay, 
MasterCard and Visa (EMV) for payment cards according to their 
own business needs and strategic plans. EMV cards contain 
embedded microprocessors that provide transaction security 
features and other capabilities which cannot be provided with 
magnetic stripe cards. A card issuer's decision to implement 
EMV is influenced by the timing of merchants' plans to upgrade 
their point-of-sale (POS) terminals and systems to read the EMV 
chip, and, similarly, merchants' decisions to upgrade their 
systems are influenced by the timing of the issuance of EMV-
enabled cards.
    One of the largest obstacles to EMV adoption is the cost 
that card system participants must incur to implement the new 
standard: merchants must consider the cost of chip-enabled POS 
terminals and related systems; processors must coordinate with 
merchants to manage the new transaction format and data stream 
from EMV terminals; and banks must issue new chip-based credit 
and debit cards to their customers.
    The recent high-profile breaches have generated renewed 
interest in EMV adoption. Although breaches remind payment 
system participants that magnetic stripe cards are vulnerable 
to fraud, there is a low likelihood that more fraud will 
significantly accelerate EMV migration because of the time and 
cost required to build out the necessary infrastructure.

Q.3. In July of 2013, I requested that the Government 
Accountability Office (GAO) review the SIFI designation process 
at FSOC for both transparency and clarity, and to examine the 
criteria used to designate companies as SIFIs. Would you all be 
willing to support more reliance on measurable metrics in 
FSOC's designation process?

A.3. I agree that objective, numerical criteria should be a 
central part of the systemically important financial 
institutions (SIFI) designation process. Reliance on such 
criteria increases the transparency of the process and reduces 
market participants' uncertainty regarding the potential for a 
firm's designation as a nonbank SIFI. Such increased certainty 
improves the efficient functioning of U.S. financial markets 
and contributes to financial stability.
    The SIFI designation process assesses the potential harm to 
U.S. financial stability from the material financial distress 
of a firm and whether the nature, scope, size, scale, 
concentration, interconnectedness, or activity mix of a firm 
could pose a threat to U.S. financial stability. Many important 
factors in these assessments, such as a firm's size and 
leverage, can clearly be measured using objective, numerical 
calculations that can be replicated by firms and market 
participants using publicly available data.
    However, while some factors may be summarized with 
measurable metrics, computing these metrics may rely on 
nonpublic information, such as detailed data on assets, 
liabilities and counterparty relationships. Further, other 
factors, such as the potential harm from forced asset sales, 
may best be summarized using a range of metrics, some of which 
may rely on somewhat complex, albeit standard, models such as 
value-at-risk measures. Finally, certain factors, such as the 
relationship of a firm with other significant intermediaries, 
may require a measure of judgment that cannot yet be fully 
captured by any agreed-upon statistic or model.

Q.4. Please explain how and why the agencies failed to foresee 
the accounting issue with the treatment of the Trust Preferred 
Collateralized Debt Obligations (TruPS CDOs) in the final 
Volcker Rule. Did the proposed rule include requisite language 
seeking public comment on TruPS CDOs, as finalized? If so, 
please provide that language from the proposed rule. If not, 
please explain why the proposal did not seek that specific 
information and whether the agencies believe they satisfied the 
notice-and-comment requirements under the Administrative 
Procedure Act.

A.4. In November 2011, the Federal Reserve, the Office of the 
Comptroller of the Currency (OCC), the Federal Deposit 
Insurance Corporation (FDIC), the Securities and Exchange Commission 
(SEC), and the U.S. Commodity Futures Trading Commission (CFTC) 
(collectively, the Agencies) issued a proposed rule that asked 
a number of questions seeking public comment regarding the 
treatment of securitizations. See, e.g., Fed. Reg. 68,846 at 
68,898-90, 68,912, 68,914-15. Among other issues, these 
questions specifically sought comment on the impact of section 
13 of the Bank Holding Company Act (BHCA) and the proposal, on 
securitization vehicles, which includes collateralized debt 
obligations (CDOs) and Trust Preferred Collateralized Debt 
Obligations (TruPS CDOs). The proposal also included questions 
seeking comment about including securitizations within the 
definition of covered fund, as well as regarding the legal, 
accounting and tax treatment of interests in securitizations 
and how debt interests should be treated. In total, the 
proposal asked approximately 15 questions specifically about 
these issues related to securitizations. Notwithstanding these 
questions, no comments were received on securitizations backed 
by trust preferred securities under the proposed rule.
    To address the costs associated with the requirement in the 
statute and rule requiring divestiture of nonconforming 
investments in covered funds, the Federal Reserve gave an 
extended conformance period until July 21, 2015. The accounting 
rules, which are outside of the purview of the Agencies, 
brought forward accounting losses for certain investments 
notwithstanding the Federal Reserve's extension of time to 
conform the investment.
    After approval of the final rule implementing section 13 on 
December 10, 2013, a number of community banking organizations 
and trade groups expressed concern that the final rule 
conflicts with section 171 of the Dodd-Frank Wall Street Reform 
and Consumer Protection Act (the Collins Amendment). Section 
171(b)(4)(C) specifically permits any community banking 
organization to continue to rely for regulatory capital 
purposes on any debt or equity instruments issued before May 
19, 2010. This exemption includes trust preferred securities, 
which are assets held by a number of issuers of CDOs. To 
address these concerns, on January 14, 2014, the Agencies 
approved an interim final rule to permit banking entities to 
retain interests in certain collateralized debt obligations 
backed primarily by trust preferred securities and other 
instruments identified in section 171(b)(4)(C). Although the 
Agencies believe the interim final rule addresses the concerns 
expressed related to TruPS CDOs, the interim final rule invited 
comment for a period of 30 days after its publication in the 
Federal Register. The Agencies will carefully consider all 
comments that relate to the interim final rule.

Q.5. What specific efforts are the regulators considering to 
address the issue with the Collateralized Loan Obligations 
(CLOs) in the final Volcker rule? In Governor Tarullo's 
testimony before the House Financial Services Committee, he 
stated that the CLO issue is ``already at the top of the list'' 
for regulators to consider and fix. How many financial 
institutions are impacted by the final rule's treatment of 
CLOs?

A.5. In keeping with the statute, the final rule excludes from 
the definition of covered fund all securitizations backed 
entirely by loans, including CLOs backed entirely by loans. 
Data reported by insured depository institutions, bank holding 
companies and certain savings and loan holding companies in the 
Call Report and Y9-C forms indicate that only about 50 domestic 
banking organizations held CLOs, including both conforming and 
nonconforming, as of December 31, 2013. The data also indicate 
that aggregate CLO holdings of these banking entities reflect 
an overall unrealized net gain, and unrealized losses reported 
by individual banking entities are not significant relative to 
their tier 1 capital or income. Additionally, new issuances of 
CLOs in late 2013 and early 2014 appear to be conforming to the 
final rule, and some CLOs issued before December 31, 2013, are 
conforming their investments to the provisions of section 13. 
Based on discussions with industry representatives and a review 
of data provided by market participants, it appears that the 
current volume of new CLO issuances is higher as compared to 
CLOs issued prior to the adoption of the final rule, with U.S. 
CLO issuances during the 3-month stretch from March through May 
2014 increasing to an all-time high of approximately $35.3 
billion.
    On April 7, 2014, the Federal Reserve issued a statement 
that it intends to grant two additional 1-year extensions of 
the conformance period under section 13 of the BHC Act that 
would allow banking entities additional time to conform to the 
statute ownership interests in and sponsorship of CLOs in place 
as of December 31, 2013, that do not qualify for the exclusion 
in the final rule for loan securitizations.\1\ This would 
permit banking entities to retain until July 21, 2017 ownership 
interests in and sponsorship of CLOs that are not backed 
entirely by loans that were held as of December 31, 2013. All 
of the agencies charged with implementing section 13 of the BHC 
Act support the Federal Reserve's statement.\2\
---------------------------------------------------------------------------
    \1\ See Board Statement Regarding the Treatment of Collateralized 
Loan Obligations Under Section 13 of the Bank Holding Company Act (Apr. 
7, 2014).
    \2\ See Letter to Chairman Hensarling re: CLOs (Apr. 7, 2014).
---------------------------------------------------------------------------

Q.6. Since the final Volcker rule was issued in December, the 
affected entities have recognized two issues with the final 
rule (TruPS CDOs and CLOs). What other issues with the final 
Volcker rule are your agencies aware of that may be raised by 
affected entities? How do you intend to coordinate efforts on 
clarifying such issues in the future?

A.6. It is not unexpected that rules implementing a complex 
statute that require changes in existing activities would raise 
questions during the implementation process. In part to 
facilitate resolution of these types of issues, the Federal 
Reserve exercised authority provided under section 13 to extend 
until July 21, 2015, the period for banking entities to conform 
their activities and investments to the statute and 
implementing rules. The Federal Reserve will work with the 
other implementing agencies to address questions regarding 
implementation as they arise.

Q.7. How do you plan to coordinate with other agencies 
regarding enforcement matters and the final Volcker rule, given 
that your agencies have varied jurisdictions?

A.7. Authority for issuing regulations and implementing the 
Volcker rule is by statute allocated between five Federal 
regulators. As a general matter, the OCC is charged with 
supervising and enforcing the final rule for national banks and 
Federal branches of foreign banks, the FDIC for State nonmember 
banks, the SEC for U.S. broker-dealers and securities-based 
swap dealers, and the CFTC for futures commission merchants and 
swaps dealers. The Federal Reserve's primary responsibilities 
are for depository institution holding companies, State member 
banks, certain unregulated and foreign subsidiaries of 
depository institution holding companies, and State-chartered 
branches of foreign banks.
    Staff of the Federal Reserve will continue to engage with 
staff of the other Agencies, and the Agencies will work 
together, to the extent appropriate and practicable, to help 
ensure consistency in application of the final rule to banking 
entities covered by the rule. In pursuit of our goals for a 
consistent application of the rule across Agencies and across 
banking entities, staffs of the implementing Agencies meet 
regularly to address implementation issues as they arise.

Q.8. Governor Tarullo, you head the Committee on Supervisory 
and Regulatory Cooperation at the Financial Stability Board 
(FSB). There is concern that the FSB will implement bank-
centric capital standards on insurance companies that are 
inconsistent with U.S. risk-based capital standards. What are 
you doing to ensure that bank-centric standards are not set for 
insurance companies, and for other nonbank noninsurance 
financial institutions more generally?

A.8. One of the lessons learned from the recent financial 
crisis was the need for appropriate consolidated supervision of 
systemically important financial firms to ensure that the risks 
of the overall firms, including those present in both regulated 
and unregulated financial entities, are appropriately 
capitalized, measured, and supervised. The primary focus of the 
FSB is financial stability. It works with international 
sectoral standard setting bodies such as the Basel Committee on 
Banking Supervision (BCBS) and the International Association of 
Insurance Supervisors (IAIS) to help ensure that regulators are 
identifying and addressing risks within those sectors with 
potential financial stability impact. The decisionmaking and 
responsibility for the development of appropriate supervisory 
and regulatory measures rests with the BCBS and the IAIS.
    The International Association of Insurance Supervisors 
(IAIS), an organization comprised of over 130 authorities with 
responsibilities for insurance supervision from around the 
world, including the National Association of Insurance 
Commissioners (NAIC), State insurance regulators, Federal 
Reserve Board, and Federal Insurance Office, is in the process 
of developing international capital standards for global 
systemically important insurers and internationally active 
insurance groups. The IAIS periodically provides updates on the 
IAIS capital projects to the FSB.
    The capital standards being developed by the IAIS would be 
designed to measure capital adequacy for relevant firms' 
financial activities, including their insurance business, as 
well as other regulated and unregulated financial operations. 
This IAIS project, staffed by international supervisors with 
insurance expertise, has, as a goal, the establishment of 
overall international capital standards that would be 
appropriate for the risks facing financial companies with 
substantial insurance underwriting activities. Once the 
standards are adopted by the IAIS, U.S. regulators, including 
the Federal Reserve and State insurance regulators, would 
consider if and how to implement in the United States the 
standards for the companies that they regulate, consistent with 
applicable law. Any standards the Federal Reserve would seek to 
implement would be proposed to the public with opportunity for 
public comment.
    Separately, the Board is considering the appropriate 
capital framework for savings and loan holding companies 
(SLHCs) and FSOC designated nonbank financial companies 
supervised by the Board that are substantially engaged in 
insurance underwriting activities, consistent with section 171 
of the Dodd-Frank Act. Insurance companies that are SLHCs or 
that are FSOC designated nonbank financial companies have 
different business models and risks than bank holding companies 
that are not substantially engaged in insurance activities. 
However, section 171 of the Dodd-Frank Act requires that the 
Board establish minimum risk-based and leverage capital 
requirements on a consolidated basis for bank holding companies 
and savings and loan holding companies, and for nonbank 
financial companies that it supervises. Section 171 
specifically provides that these minimum requirements be not 
less than the ``generally applicable'' minimum risk-based and 
leverage capital requirements that apply to insured depository 
institutions (regardless of their asset size or foreign 
exposure). In addition, these minimum requirements cannot be 
quantitatively lower than the ``generally applicable'' minimum 
risk-based and leverage capital requirements that applied to 
insured depository institutions when the Dodd-Frank Act was 
adopted in 2010. Section 171 therefore limits the scope of the 
Board's discretion in establishing minimum capital requirements 
for these companies.
    Under State law, capital requirements for insurance 
companies apply on a legal entity basis, and there are no 
State-based, consolidated capital requirements that cover 
subsidiaries and noninsurance affiliates of insurance 
companies. In addition, even among regulated insurance 
companies (primary insurers, captive insurers, etc.) there is a 
degree of variation in the applicable capital and supervisory 
standards.
    The final rule regarding enhanced prudential standards that 
the Board adopted on February 18, 2014, does not include 
requirements for nonbank financial companies, including 
insurance companies, designated by the Financial Stability 
Oversight Council for Board supervision. Instead, the Board 
will apply enhanced prudential standards to designated nonbank 
financial companies through a subsequently issued order or rule 
following an evaluation of the business model, capital 
structure, and risk profile of each designated nonbank 
financial company, consistent with the requirements of section 
171 of the Dodd-Frank Act, as discussed above. The Board plans 
to implement requirements for designated nonbank financial 
companies through a transparent process with an opportunity for 
notice and comment.
    The Board continues to carefully consider how to design 
capital rules for Board-regulated companies that are insurance 
companies, that have subsidiaries engaged in insurance 
underwriting, or that are substantially engaged in commercial 
activities, consistent with section 171 of the Dodd-Frank Act.

Q.9. On January 10, 2014, the Federal Reserve and the FDIC made 
available the public portions of resolution plans for 116 
institutions that submitted plans for the first time in 
December 2013, the latest group to file resolution plans with 
the agencies. These living wills are based on a premise that 
when a financial firm is near the brink, there will be a 
marketplace where buyers for assets and operations are 
available, but that may not be the case as was evident with 
Lehman's 2008 collapse when no one wanted to touch what was 
perceived as Lehman's ``toxic assets.'' What specifically gives 
you confidence that these living wills will work in the first 
place and that there will be willing buyers for the troubled 
firm's assets?

A.9. The resolution plan regulation jointly issued by the 
Federal Reserve and the FDIC provides that in preparing its 
initial resolution plan, a company may assume that its material 
financial distress or failure occurs under the baseline 
economic scenario outlined in the Federal Reserve's stress 
testing rule, 12 CFR Part 252.\3\ The baseline economic 
scenario describes a functioning market where there would 
likely be available buyers for assets and operations. However, 
the joint regulation also provides that the next iteration of 
these plans will also have to take into account that the 
material financial distress or failure of the company may occur 
under the adverse and severely adverse economic scenarios 
outlined in the Federal Reserve's stress testing rule.\4\ In 
preparing future iterations of their plans, currently due in 
December 2014, the institutions that filed their initial plans 
in December 2013, will therefore have to take into account that 
their material financial distress or failure may occur under 
the adverse and severely adverse economic scenarios, which 
reflect conditions where buyers for the companies' assets and 
operations are less likely to be available.
---------------------------------------------------------------------------
    \3\ 12 CFR parts 243.4(a)(4) and 381.4(a)(4). The stress scenarios 
applicable to the December 2013 resolution plan submissions of the 116 
institutions were issued on November 15, 2012. 
http://www.federalreserve.gov/newsevents/press/bcreg/bcreg20121115a1.pdf.
    \4\ Id.
---------------------------------------------------------------------------
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM DANIEL 
                           K. TARULLO

Q.1. Are you comfortable with the extent to which the consumer 
payments industry currently sets its own data security 
standards? Currently, most standards are set by contract--with 
the card companies playing a significant role--and an industry 
body known as PCI determines most of the details and certifies 
compliance examiners. Should Federal regulators be playing a 
greater role?

A.1. The Payment Card Industry (PCI) Security Standards Council 
released version 3 of the Data Security Standard in November 
2013. PCI's philosophy has been to drive new compliance 
requirements as the risk landscape changes. Version 3 includes 
two new key requirements related to data flows and device 
inventory, which incrementally enhance the control environment 
and protect consumers from fraud. The industry relies on the 
PCI Security Standards Council to balance cost and 
effectiveness, which it does by assessing threats and 
identifying controls that most effectively address evolving 
payment card risks. The Federal Reserve and other financial 
regulators have relied on the expertise of the PCI Security 
Standards Council in setting technical data security standards. 
The regulators' approach has been to identify broad, outcome-based 
security objectives that supervised entities are expected 
to meet through a mix of technical and nontechnical approaches.
    Regarding the role of Federal regulators, the complexity of 
the regulatory environment mirrors the complexity of the 
payment processing landscape, with regulators focused within 
their statutory domains. However, we are aware of the 
considerable need for, and benefits of, coordination and 
collaboration across domains in order to effectively mitigate 
both firm and systemic risks. The Federal Reserve continues to 
monitor payment system risk and collaborate with the private 
sector and public-private partnerships such as the Financial 
and Banking Information Infrastructure Committee (FBIIC), 
Financial Services Sector Coordinating Council (FSSCC), and 
Financial Services Information Sharing and Analysis Center (FS-
ISAC).

Q.2.a. When a financial data breach occurs with a merchant (as 
seems to be the case with the current wave of data breaches) or 
other source outside of a financial institution, financial 
institutions still very clearly feel the effects. Credit and 
debit card issuers, for example, must notify affected customers 
and issue new cards, and will likely end up bearing some 
portion of the financial losses that occur from fraudulent 
transactions using stolen card information. In the chain of a 
retail payment transaction, security is only as strong as its 
weakest link.
    In addition to the examinations the Fed conducts regarding 
regulated institutions' own data security, can you describe the 
Fed's oversight with respect to the security of consumer data 
across the entire chain of consumer payment transactions?

A.2.a. Federal Reserve oversight of consumer payment 
transactions is limited to our role as a supervisor of 
financial institutions. Federal Reserve staff examine the data 
security programs of supervised banks for compliance with the 
information security standards required by section 501(b) of 
the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) and the identity 
theft red flags rule required by section 615(e) of the Fair 
Credit Reporting Act (15 U.S.C. 1681m(e)), as well as with 
Federal Reserve information security and payment systems 
guidance. The Federal Reserve's supervisory process includes an 
assessment of the adequacy of financial institution data 
security programs in supporting the security and reliability of 
customer data. Financial institutions are required to address 
deficiencies in a timely manner to mitigate risks to both the 
institution and its customers.

Q.2.b. Should Federal regulators be taking a greater interest 
in the data security standards applicable to other entities 
that possess consumer financial data, beyond just regulated 
financial institutions? Are legislative changes necessary or 
are there legislative changes that would help?

A.2.b. Protecting the safe and sound operation of the Nation's 
financial systems is a key priority for the Federal Reserve. To 
accomplish this, the Federal Reserve works with other 
regulators to promote the implementation of effective 
information security programs and protocols by supervised 
institutions. However, sensitive consumer data are frequently 
collected and stored by nonregulated firms, and these firms may 
not be held to the same level of information security 
expectations as financial institutions. As cyber threats become 
increasingly sophisticated, effective security and fraud-
mitigation measures must evolve to include all players in the 
payment system, including financial institutions, nonfinancial 
firms, and consumers. The security of the payment system is 
only as strong as its weakest link and it is the weakest link 
that criminals will exploit. Given the broad reach of these 
threats, the Congress would appear to be the appropriate body 
to address these matters holistically. For example, a national 
standard that sets forth requirements for protecting sensitive 
consumer data and tracking and reporting incidents may help to 
protect consumers and financial systems more broadly. Payment 
system participants should be encouraged to cooperate with each 
other in preventing, detecting, and mitigating cyber-attacks. 
In addition, the Congress may consider investigating ways to 
leverage the technical capabilities of law enforcement and 
national security agencies with respect to cyber threats and 
attacks, and to encourage continued coordination across 
Government agencies to ensure the safety and security of the 
financial system. Federal Reserve staff would be available to 
participate in discussions regarding these matters.

Q.3. In our economy today, companies are collecting and storing 
growing amounts of consumer information, often without 
consumers' knowledge or consent. The financial industry is no 
exception. We have heard reports of lenders, for example, 
mining online data sources to help inform underwriting 
decisions on consumer loans. As companies aggregate more data, 
however, the consequences of a breach or improper use become 
greater.
    The Target breach illustrates the risks consumers face--not 
just of fraud, but also identity theft and other hardships. 
Compromised information included both payment card data and 
personal information such as names, email addresses, and phone 
numbers. But what if the next breach also involves account 
payment histories or Social Security numbers?
    As the ways companies use consumer information change, and 
the amount of consumer data they hold grows, how is the Fed's 
approach evolving? Are there steps regulators are taking--or 
that Congress should take--to require stronger protections 
against breaches and improper use, and to mitigate harm to 
consumers?

A.3. On an ongoing basis, the Federal Reserve evaluates the 
need for additional guidance to financial institutions, jointly 
with other banking regulators, to promote effective information 
security programs and practices in an environment characterized 
by rapid technological change. The Federal Reserve participates 
in the Federal Financial Institutions Examination Council's 
(FFIEC) efforts to develop and update guidance on a range of 
information technology topics, including information technology 
management, security, and payments. In December 2013, the 
Federal Reserve issued Guidance on Managing Outsourcing Risk, 
SR 13-19/CA 13-21, to address risks related to banks' increasing 
reliance on third-party service providers. In this guidance, 
the Federal Reserve acknowledges that third-party outsourcing 
represents a heightened level of risk and complexity and banks 
must protect against loss of customer data and exploits of 
networks that may expose financial institutions to data 
breaches. The Federal Reserve is monitoring financial 
institution performance relative to the expectations in the 
newly released outsourcing risk guidance to ensure that third-
party contract oversight includes: 1) an appropriate level of 
due diligence based on complexity and criticality; 2) business 
resumption and contingency plans; 3) an assessment of the 
third-party information security programs; and, 4) incident 
reporting, management, and response programs.
    Given the increasingly broad threats to consumer 
information, privacy, and security, the Congress may be the 
appropriate body to address this matter. Potential actions that 
Congress could consider are discussed above in our response to 
question 2b.

Q.4.a. A lot of the discussion in the aftermath of the recent 
data breaches has focused on credit and debit card ``smart'' 
chip technology, since the U.S. seems to have fallen behind 
other parts of the world such as Western Europe in adopting it. 
But while card chips help to reduce fraud for transactions 
where a card is physically present, and make it harder for 
thieves to print fake cards using stolen information, they do 
little to reduce fraud for online, ``card-not-present'' 
transactions.
    Are you comfortable with the steps industry is taking to 
improve security and reduce fraud for ``card-not-present'' 
transactions?

A.4.a. The complex and evolving nature of technology and 
business processes ensures that threat and fraud environments 
are dynamic and that payment system participants must continue 
to evolve and enhance security processes over time. Tools, 
technologies, and procedures employed in the industry to reduce 
card-not-present (CNP) fraud at this point in time include:

   Address verification requires the customer to 
        provide the cardholder's address on record with the 
        card issuer.

   Card security verification requires the customer to 
        provide a 3- or 4-digit CVV2 code printed on the card. 
        Requiring this number at checkout helps to ensure that 
        the customer is in possession of the physical card 
        since the number is generally not encoded on a magnetic 
        stripe or chip.

   Geolocation services provide information about a 
        device's location during transaction processing based 
        on an IP address (on a computer) or GPS signal (on a 
        mobile device). The device's location can be compared 
        to the customer's billing or shipping address.

   Neural network technologies use customer and past 
        transaction data to assess the likelihood that a given 
        transaction is fraudulent.

   PCI standards place controls on the storage and 
        handling of cardholder information.

    In addition to the measures listed above, the industry is 
developing several promising technologies to address new 
threats. For example, tokenization solutions could replace a 
card's primary account number with a proxy number that is valid 
for a single transaction. End-to-end encryption technologies 
that transmit encoded card data across the payment chain are 
also under development. The use of tokenization and end-to-end 
encryption are potential tools to combat threats, such as data 
breaches.

    The payment card industry is a complex market, and 
implementing a new security technology may require investments 
and process changes by merchants, financial institutions, card 
networks, payment processors, as well as behavioral changes by 
consumers. These stakeholders often face different incentives 
when deciding to implement a new technology. Given the 
constantly changing threat environment, the complexity of the 
market, and the varying incentives among stakeholders, the 
Federal Reserve supports a layered, technology-neutral, 
guidance-based approach to CNP security. Stakeholders should 
implement several layers of technologies and procedures to 
mitigate threats. And, as the fraud environment changes, 
stakeholders should revise their approaches to CNP fraud and 
implement updated, cost-effective measures to address the 
latest threats. The Federal Reserve will continue to work with 
the institutions under its supervision, as well as with other 
regulators, to encourage payment system participants to improve 
measures to detect and prevent fraud.

Q.4.b. Banks and other industry participants need to be 
proactive here, rather than waiting for a major breach to 
happen before making protective investments. Do you feel that 
regulated institutions are paying sufficient attention to all 
areas of data security risk, and are making the necessary 
investments to protect consumers rather than treating fraud as 
simply a cost of doing business?

A.4.b. An effective payment system involves many participants, 
not just depository institutions, and all industry participants 
should take proactive measures to protect consumer data. The 
increasing sophistication of cyber threats makes it difficult 
to ensure that current investments provide adequate protection 
against new threats. Payment system participants need to employ 
multiple layers of security as well as nontechnology-based 
policies and procedures (such as notifying customers of 
potentially fraudulent transactions) that complement 
technology-based solutions. Participants need to assess the 
robustness of their information security infrastructures, 
policies, and practices on an ongoing basis in light of the 
evolving threat environment and to make enhancements as 
appropriate.
    The Federal Reserve expects supervised institutions to 
continually monitor their security systems in the face of 
evolving threats and to upgrade those systems when necessary. 
To this end, the Federal Reserve and other bank regulatory 
agencies have issued several interagency guidance documents 
that pertain to data breach prevention and incident response. 
The Interagency Guidelines Establishing Information Security 
Standards (12 CFR part 208, App. D-2 (2013)) summarizes the 
standards that financial institutions are expected to use in 
establishing a comprehensive, risk-based program to protect 
customer information. The Interagency Supplement to 
Authentication in an Internet Banking Environment (June 28, 
2011; SR 11-09) sets out expectations about minimum security 
controls required to prevent loss of customer information by 
data breach, reflecting banks' increased reliance on internet-
based technology and the simultaneous increase in attacker 
sophistication. The Interagency Guidance on Response Programs 
for Unauthorized Access to Customer Information and Customer 
Notice (12 CFR part 208, App. D-2 (2013)) describes the 
incident response program that a financial institution should 
establish to address unauthorized access to or misuse of 
customer information. Supervised institutions are expected to 
review and assess their procedures and technologies on an 
ongoing basis and to make appropriate changes and investments 
to ensure an adequate and effective level of data protection.
    Based on the results of Federal Reserve examination 
activities, in general, regulated financial institutions have 
placed a high priority on securing information, including 
corporate, customer, and counterparty data. Investments 
necessary to maintain technology, systems, and staff resources 
to support effective information security programs are being 
made. However, where necessary, the Federal Reserve leverages 
its supervisory processes to promote the correction of 
deficiencies identified at specific institutions.
                                ------                                


  RESPONSE TO WRITTEN QUESTION OF SENATOR KIRK FROM DANIEL K. 
                            TARULLO

Q.1. FSOC has been in existence for more than 3 years. Since 
that time, three companies have been deemed systemically 
significant and a second round of companies appear to be under 
consideration. Despite the numerous calls from Congress, a 
number of industry and consumer groups and even the GAO for the 
FSOC to provide greater transparency about the process used for 
designation, (including the metrics OFR should measure in their 
analysis), the criteria followed, as well as the implications 
and process to be followed after a firm has been designated a 
SIFI. Can you provide greater details on why more transparency 
has not been achieved and how the FSOC plans to improve these 
issues?

A.1. The Financial Stability Oversight Committee (FSOC)--
chaired by the Secretary of the Treasury and composed of 10 
voting members--is charged by Congress with designating 
systemically important financial institutions. The FSOC has 
established a robust process, after seeking public notice and 
comment on an initial and revised proposal, for exercising its 
designation authority. The process contains three stages during 
which the FSOC screens companies for review and conducts an in-
depth analysis of companies that pass the screen.
    In developing this process, the FSOC sought to maximize 
transparency with respect to the Determination Process by 
providing a detailed description of (i) the profile of those 
nonbank financial companies likely to be evaluated by the FSOC 
for a potential determination, and (ii) the metrics that the 
FSOC intends to use when analyzing companies at various stages 
of the Determination Process. There are numerous opportunities 
during this process for a nonbank financial company to 
communicate with the FSOC and its staff and submit information 
regarding the company's activities and its potential to pose a 
threat to U.S. financial stability.
    The FSOC applies quantitative metrics to a broad group of 
nonbank financial companies in determining whether a firm 
should be considered for designation. A nonbank financial 
company will be evaluated in Stage 2 if it meets both a size 
threshold ($50 billion in total consolidated assets) and any 
one of five thresholds that measure a company's 
interconnectedness, leverage, and liquidity risk and maturity 
mismatch. During Stage 2, a nonbank financial company is 
analyzed based on a wide range of quantitative and qualitative 
information available to the FSOC primarily through public and 
regulatory sources.
    A nonbank financial company that is advanced to Stage 3 
receives a notice that the company is under consideration for a 
Proposed Determination, which also may include a request that 
the nonbank financial company provide information relevant to 
the FSOC's evaluation. In addition, the nonbank financial 
company is provided an opportunity to submit written materials 
to the FSOC. Following a Proposed Determination, a nonbank 
financial company is provided a written notice of the Proposed 
Determination, which includes an explanation of the basis of 
the Proposed Determination. A nonbank financial company that is 
subject to a Proposed Determination may request a written or 
oral hearing to contest the Proposed Determination. If the FSOC 
determines to subject a company to supervision by the Board of 
Governors and prudential standards, the FSOC will provide the 
nonbank financial company with written notice of the FSOC's 
final determination, including an explanation of the basis for 
the FSOC's decision.
    In 2013, the FSOC determined that material financial 
distress at each of three nonbank financial companies--American 
International Group, Inc., General Electric Capital 
Corporation, and Prudential Financial, Inc.--could pose a 
threat to U.S. financial stability and that those companies 
should be subject to Federal Reserve Board supervision and 
enhanced prudential standards. The FSOC released the bases of 
its determinations on its Web site. The FSOC evaluated these 
firms using the three-stage process.
    The Federal Reserve Board recognizes the critical 
importance of transparency and will continue to pursue ways to 
promote further transparency that are consistent with the 
FSOC's central mission to monitor emerging threats to the 
financial system.

Q.2. I, along with a number of other Republicans, introduced 
legislation to fix an unintended consequence on collateralized 
debt obligations (CDOs). In their January 13th interim final 
rule, regulators crafted a rule that largely mirrored what my 
bill sought to do: provide relief to a majority of community 
banks. While we appreciate the agencies' efforts on this issue, 
one issue that we included in our legislation that the 
regulators did not address was collateralized loan obligations 
(CLOs). The CLO market provides about $300 billion in financing 
to U.S. companies and U.S. banks currently hold between $70 and 
$80 billion of senior notes issued by existing CLOs and foreign 
banks subject to the Volcker Rule hold about another $60 
billion. Because the final rules implementing the Volcker Rule 
improperly treat these debt securities as ``ownership 
interests'', the banks holding these notes will either have to 
divest or restructure these securities. Because restructuring 
well over $130 billion of CLO securities is neither feasible 
nor under the control of the banks holding these notes, 
divestment is the most likely result. This, in turn, could lead 
to a fire sale scenario that could put incredible downward 
pressure on CLO securities prices leading to significant losses 
for U.S. banks. If prices decline by only 10 percent, U.S. 
banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of 
the overreach of the Volcker Rule. Indeed, the final rules are 
already wreaking havoc on the CLO market. Since the final rules 
were announced, new CLO formation was down nearly 90 percent in 
January 2014, the lowest issuance in 23 months. If this 
situation is not remedied and CLO issuance remains moribund, 
corporate borrowers could face higher credit costs. At the 
hearing of the House Financial Services Committee on January 
15, 2014, a number of both Democrats and Republicans asked 
questions about how to fix the issue with the CLO market that 
was not addressed in the interim final rule released on January 
13, 2014. The representatives of the agencies noted that the 
CLO issue was at the top of the list of matters to be 
considered by the inter-agency working group that has been 
established to review issues such as this and publish guidance. 
The issue is urgent. Bank CFOs are struggling with how to treat 
their CLO debt securities. Can you commit to a tight timeframe 
to issue guidance on CLOs?

A.2. In keeping with the statute, the final rule excludes from 
the definition of covered fund all securitizations backed 
entirely by loans, including CLOs backed entirely by loans.
    Data reported by insured depository institutions, bank 
holding companies and certain savings and loan holding 
companies in the Call Report and Y9-C forms indicate that only 
about 50 banking organizations owned an interest in a CLO that 
was backed by assets that include assets that are not loans, 
and thus are covered by the statute and implementing rules. The 
data also indicate that, as of December 31, 2013, aggregate CLO 
holdings of these banking entities reflect an overall 
unrealized net gain, and unrealized losses reported by 
individual banking entities are not significant relative to 
their tier 1 capital or income. Based on discussions with 
industry representatives and a review of data provided by 
market participants, it appears that new issuances of CLOs in 
late 2013 and early 2014 are conforming to the final rule. 
Moreover, the current volume of new CLO issuances is higher as 
compared to CLOs issued prior to the adoption of the 
implementing rules, with monthly U.S. CLO activity increasing 
to a post-crisis high of $13.3 billion in April 2014, the third 
highest monthly total on record.
    On April 7, 2014, the Federal Reserve issued a statement 
that it intends to grant two additional 1-year extensions of 
the conformance period under section 13 of the Bank Holding 
Company Act that would allow banking entities additional time 
to conform to the statute ownership interests in and 
sponsorship of CLOs in place as of December 31, 2013, that do 
not qualify for the exclusion in the final rule for loan 
securitizations. This would permit banking entities to retain 
ownership interests in and sponsorship of CLOs held as of that 
date until July 21, 2017. All of the agencies charged with 
implementing section 13 support the Federal Reserve's 
statement.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM MARTIN J. 
                           GRUENBERG

Q.1. When a data breach happens at a merchant level, Federal 
banking regulators generally do not have jurisdiction to 
investigate and take action. However, collateral consequences 
of such breaches are that regulated financial institutions are 
impacted and face reputational and financial setbacks as a 
result. What are your expectations for the regulated entities 
when a breach occurs at a third party? What are some of the 
challenges financial institutions face as a result of the 
breach? How can those challenges be addressed while minimizing 
consequences of, and cost for, affected financial institutions?

A.1. Responsibility for security of financial institutions' 
customer information held at third parties is addressed through 
contractual terms between the two parties. The Federal banking 
agencies developed the Interagency Guidelines Establishing 
Information Security Standards (12 C.F.R. 364, Appendix B et 
al.) in response to the Gramm-Leach-Bliley Act, Section 501(B). 
These standards direct all insured financial institutions to 
require service providers, by contract, to implement 
appropriate measures to protect against unauthorized access to 
or use of customer information that could result in substantial 
harm or inconvenience to any customer.
    Each financial institution is expected to manage financial 
and reputational risk related to the products they offer and 
ensure that adequate controls are in place to mitigate that 
risk. Risk management responsibilities related to potential 
payment card data breaches are addressed through contractual 
terms and policies among the issuing banks, acquiring banks 
(banks that sponsor merchants' access to the payment card 
networks), and card networks (Visa and MasterCard). The 
contractual terms and policies describe the responsibility of 
the parties to implement controls, loss liability of the 
parties, and loss recovery processes. Issuing banks and 
acquiring banks receive fees for their participation in this 
partnership, in part, to offset risks. The extent to which fees 
and loss recovery models adequately cover card re-issuing costs 
or costs for protecting data at the merchant also is a 
contractual arrangement.
    The card networks have established notification processes 
to alert the issuing banks of suspected compromised accounts. 
Issuing banks are responsible for limiting the potential for 
fraud on any accounts suspected of being compromised once the 
issuing bank is notified.
    Conversely, the acquiring banks' merchants may be fined by 
the card network due to misconduct (such as poor security) to 
support recovery of fraud losses, in addition to direct 
responsibility for fraud due to card-not-present (online) 
transactions, or card-present transactions that are not 
authorized by the issuer. The acquiring bank remains at risk 
for the merchant's fines and losses to the extent the merchant 
is unable to meet its responsibilities. The FDIC's role is to 
ensure the safety and soundness of the issuing banks and 
acquiring banks, including the ensuring of adequate reserves 
against losses, appropriate security controls, and protection 
of customer accounts against unauthorized charges or 
withdrawals.
    A significant challenge that financial institutions face as 
a result of data breaches is notification to potentially 
affected customers and the potential for customers to become 
desensitized by the notices. Given the frequency that data 
breaches occur and the goal to notify potentially affected 
customers as soon as possible, customers may discard the 
notices and fail to follow the instructions provided to protect 
their credit rating. Financial institutions can address this 
challenge by providing notices that are written in plain 
language with clear and direct instructions.

Q.2. At the Subcommittee hearing on data security and breach 
held on February 3, 2014, Members learned that the payment 
networks have set an October 2015 timeframe for moving industry 
participants to adoption of new, more secure payment 
technology. Can you discuss how quickly your regulated entities 
are moving to this technology, and identify some of the 
obstacles that still exist?

A.2. The FDIC does not mandate specific technologies for data 
security as technology and threats evolve very rapidly. 
However, the FDIC expects financial institutions to establish 
an information security program that will adjust to any 
relevant changes in technology, the sensitivity of its customer 
information, and internal or external threats to information. 
The FDIC welcomes the industry initiative to strengthen card 
security technology through the implementation of the Europay, 
MasterCard, and Visa (EMV) global standard for card 
authentication. However, while the new EMV standard improves 
the card-present aspect of fraud prevention, it does not make 
it more difficult to steal the card data from merchant 
databases, nor does it address online fraud or fraud at 
merchants still accepting credit cards with customer data 
stored in the magnetic stripes (commonly referred to as ``mag-
stripe'') for purchases.
    As part of the examination process, the FDIC does not 
identify which financial institutions will offer the new EMV 
enhanced cards. However, to encourage EMV chip card issuance 
and acceptance, the card brands/networks (Visa, MasterCard, 
Discover, and AMEX) have announced that beginning in October 
2015, entities, including financial institutions and merchants, 
that do not use the new EMV standard will face increased 
liability for fraud. We agree with their assumption that the 
potential for increased fraud liability will encourage adoption 
of the technology.

Q.3. In July of 2013, I requested that the Government 
Accountability Office (GAO) review the SIFI designation process 
at FSOC for both transparency and clarity, and to examine the 
criteria used to designate companies as SIFIs. Would you all be 
willing to support more reliance on measurable metrics in 
FSOC's designation process?

A.3. The current FSOC framework for the designation of nonbank 
SIFIs addresses the specific statutory considerations set forth 
in Section 113 of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act (Dodd-Frank Act). It combines 
measurable, quantitative thresholds and metrics with 
qualitative analysis to address the nature of the unique 
threats that FSOC seeks to mitigate. Nonbank financial 
companies engage in a wide variety of complex activities and 
possess material differences in operating and financial 
characteristics. For example, these firms may be holding 
companies or operating companies, and they may have differing 
business models, risk profiles, funding sources, capital 
structures, and interconnections that may make evaluating the 
systemic risk they pose to the U.S. financial system more 
difficult using solely quantitative metrics.
    In April 2012, after notice and public comment, the FSOC 
issued interpretative guidance setting forth both quantitative 
thresholds and qualitative information that the FSOC had 
determined to be relevant in the designation process in order 
to provide transparency and clarity to companies, market 
participants, and the public. The FSOC's interpretative 
guidance addresses, among other things, the uniform 
quantitative thresholds that the FSOC uses to identify nonbank 
financial companies for further evaluation and the six-category 
framework used to consider whether a nonbank financial company 
meets either of the statutory standards for a determination, 
including examples of quantitative metrics for assessing each 
category. In addition, the interpretative guidance includes a 
three-stage process for the review of a nonbank financial 
company, which incorporates quantitative thresholds in the 
first stage and more qualitative company-specific analyses in 
the second and third stages.
    Generally, as reporting requirements evolve and new 
information about certain industries and nonbank financial 
companies becomes available, the FSOC will be better able to 
consider whether to establish additional metrics and 
thresholds.

Q.4. Please explain how and why the agencies failed to foresee 
the accounting issue with the treatment of the Trust Preferred 
Collateralized Debt Obligations (TruPS CDOs) in the final 
Volcker Rule. Did the proposed rule include requisite language 
seeking public comment on TruPS CDOs, as finalized? If so, 
please provide that language from the proposed rule. If not, 
please explain why the proposal did not seek that specific 
information and whether the agencies believe they satisfied the 
notice-and-comment requirements under the Administrative 
Procedure Act.

A.4. It is fair to say that everyone missed the immediacy of 
the accounting issues associated with CDOs backed by bank-
issued trust preferred securities. As part of developing the 
final rule, the agencies clearly missed the immediacy; however, 
the industry and other commenters missed the immediacy of this 
issue as well. For example, throughout the rather extended 
notice and comment period, none of the over 18,000 comment 
letters raised this issue.
    An important take-away from this episode is how the 
agencies responded when the issue was identified. The agencies 
worked closely together and, with input from the industry, 
developed an effective and timely response to the majority of 
the bankers' concerns. Importantly, the agencies were able to 
do so in a manner that reconciled the broader policy objectives 
of the Dodd-Frank Act without jeopardizing the robustness of 
the implementation of the Volcker Rule.
    As part of the notice-and-comment process, the agencies 
sought robust public comment on the proposed Volcker Rule. 
Included in the notice of proposed rulemaking were several 
questions seeking comments on any concerns or challenges to 
issuers of asset-backed securities and/or securitization 
vehicles. For example, Question 227 asked whether certain asset 
classes, including collateralized debt obligations, are more 
likely to be impacted by the proposed definition of ``covered 
fund.'' Question 229 asked if there are entities that issue 
asset-backed securities that should be exempted from the 
requirements of the proposed rule. Question 231 stated that 
many issuers of asset-backed securities have features and 
structures that resemble some of the features of hedge funds 
and private equity funds, including CDOs, and asked if the 
proposed definition of ``covered fund'' were to exempt any 
entity issuing asset-backed securities, would this allow for 
interests in hedge funds or private equity funds to be 
structured as asset-backed securities and circumvent the 
proposed rule. Commenters did not raise concerns about TruPS 
CDOs in their responses to the proposed rule.

Q.5. What specific efforts are the regulators considering to 
address the issue with the Collateralized Loan Obligations 
(CLOs) in the final Volcker rule? In Governor Tarullo's 
testimony before the House Financial Services Committee, he 
stated that the CLO issue is ``already at the top of the list'' 
for regulators to consider and fix. How many financial 
institutions are impacted by the final rule's treatment of 
CLOs?

A.5. The agencies are carefully considering all requests that 
have been received related to CLOs. These requests have ranged 
from the very narrow--requesting a grandfathering of a well-
defined, limited number of CLOs issued before publication of 
the Volcker Rule--to the very broad--requesting a change to the 
definition of ownership interest that would potentially allow 
banks to expand their holdings of other types of securitization 
positions, such as synthetic CDOs and structured investment 
vehicles (SIVs), which caused significant financial losses 
during the crisis.
    The agencies' staffs jointly have met with representatives 
of the Loan Syndication Trade Association, the American Bankers 
Association, the Structured Finance Industry Group, the 
Financial Services Roundtable, and the Securities Industry and 
Financial Markets Association. Based on these discussions with 
the industry representatives, a review of data provided by 
market participants, and discussions among the staffs of the 
agencies, the agencies found:

    Banking entities that hold legacy CLOs are 
        undertaking a review of their particular holdings to 
        evaluate where they fit within the treatment of covered 
        funds under the agencies' implementing regulations. 
        Industry representatives have advised the staffs of the 
        agencies that there is a great amount of variation from 
        deal to deal in the restrictions applicable to 
        investments permitted for CLOs and the rights granted 
        to CLO investors. In addition, staffs of the agencies 
        understand from the industry that many legacy CLOs may 
        not satisfy the exclusion from the definition of 
        covered fund for loan securitizations because they may 
        hold a certain amount of nonconforming assets (such as 
        bonds or other securities).

    New CLO issuances have been comparable in volume to 
        the CLOs issued prior to the adoption of the 
        implementing rules and sponsors have revised their new 
        CLO deals to conform to the Volcker Rule's exception 
        for loan securitizations. In particular, market 
        participants have represented that new issuances of 
        CLOs in late 2013 and early 2014 after issuance of the 
        final rule are conforming to the final rule.\1\
---------------------------------------------------------------------------
    \1\ According to S&P, the majority of CLOs issued since the final 
rule have been structured as loan-only securitizations. Year to date, 
CLO issuance stands at approximately $21 billion, according to Thomson 
Reuters PLC.

    Data contained in the Call Report and Y-9C forms 
        for asset-backed securities or structured financial 
        products secured by corporate and similar loans 
        indicate that U.S. banking entities hold between 
        approximately $84 billion and $105 billion in CLO 
        investments.\2\ Of this amount, between approximately 
        94 and 96 percent are held by banking entities with 
        total assets of $50 billion or more. Holdings of CLOs 
        by domestic banking entities represent between 
        approximately 28 to 35 percent of the $300 billion 
        market for U.S. CLOs, with these holdings skewed toward 
        the senior tranches.\3\ These aggregate holdings 
        reflect an unrealized net gain. Unrealized losses 
        reported by individual banking entities are not 
        significant relative to their tier 1 capital or income. 
        Up to 52 domestic insured depository institutions (all 
        charters) reported holdings of CLOs in their held-to-
        maturity, AFS and trading portfolios.\4\
---------------------------------------------------------------------------
    \2\ This information is based on data compiled as of December 31, 
2013, by the Federal banking agencies, which undertook a review and 
analysis of CLO holdings of banking entities that are subject to filing 
Call Report or Y-9C data, including insured depository institutions, 
bank holding companies and certain savings and loan holding companies.
    \3\ OCC supervised institutions hold the majority (95 percent) of 
this CLO exposure. These positions are concentrated in the largest 
institutions and are held mainly in the AFS portfolio.
    \4\ Based on Call Report data as of December 31, 2013.

    To address the concerns regarding CLOs, the Federal Reserve 
Board issued a statement that it intends to grant two 
additional 1-year extensions of the conformance period under 
the Volcker Rule that allow banking entities additional time to 
conform to the statute ownership interests in and sponsorship 
of CLOs in place as of December 31, 2013, that do not qualify 
for the exclusion in the final rule for loan 
securitizations.\5\ The FDIC supports the statement issued by 
the Federal Reserve Board.
---------------------------------------------------------------------------
    \5\ See Board Statement regarding the Treatment of Collateralized 
Loan Obligations Under Section 13 of the Bank Holding Company Act 
(April 3, 2014).

Q.6. Since the final Volcker rule was issued in December, the 
affected entities have recognized two issues with the final 
rule (TruPS CDOs and CLOs). What other issues with the final 
Volcker rule are your agencies aware of that may be raised by 
affected entities? How do you intend to coordinate efforts on 
clarifying such issues in the future?

A.6. In the agencies' release for community banks that 
accompanied the Final Rule, the agencies noted that a few 
community banks held TruPS CDOs and CLOs that would be affected 
by the rule.\6\ The TruPS CDO issue was the most pressing 
because the TruPS CDOs had lost so much value that the 
immediate accounting impact was substantial. The agencies 
worked together on the TruPS CDO issue and approved the January 
14, 2014, Interim Final Rule to address bank investments in 
certain TruPS CDOs. With respect to the CLO issues raised by 
industry, the agencies conducted extensive analysis and met 
with a number of banking and financial services industry 
groups, as described in more detail in the answer to question 
5. As a result of this process, the Federal Reserve recently 
issued a statement which announced its intent to offer two 1-
year extensions to the Final Rule conformance period for 
certain CLOs. The agencies believe that the extension should 
address the compliance issues for many of the legacy CLOs that 
do not meet the loan securitization exemption, allowing many of 
them to mature or be called by investors, and should provide 
more time for CLO managers to evaluate and possibly change the 
composition of the underlying assets to bring the CLOs into 
conformance.
---------------------------------------------------------------------------
    \6\ http://fdic.gov/regulations/reform/volcker/summary.pdf.
---------------------------------------------------------------------------
    The agencies are committed to continued coordination 
efforts to clarify any additional issues or concerns that may 
be raised with respect to the implementation of the Volcker 
Rule. To better effectuate coordination and help ensure a 
consistent application of the Final Rule, the agencies have 
established an interagency Volcker Rule implementation working 
group consisting of senior-level managers and subject matter 
experts. This working group has been meeting weekly to discuss 
coordination matters as well as issues such as those related to 
technical interpretations and specific activities, like those 
raised on TruPS CDOs and CLOs.

Q.7. How do you plan to coordinate with other agencies 
regarding enforcement matters and the final Volcker rule, given 
that your agencies have varied jurisdictions?

A.7. Each agency is ultimately responsible for its own 
enforcement of the Volcker Rule; however, as noted previously, 
the agencies are committed to continued coordination efforts to 
help ensure a consistent application of the rule. As noted 
above, the agencies have established a Volcker Rule 
implementation working group to facilitate interagency 
coordination on a wide variety of issues.

Q.8. On January 10, 2014, the Federal Reserve and the FDIC made 
available the public portions of resolution plans for 116 
institutions that submitted plans for the first time in 
December 2013, the latest group to file resolution plans with 
the agencies. These living wills are based on a premise that 
when a financial firm is near the brink, there will be a 
marketplace where buyers for assets and operations are 
available, but that may not be the case as was evident with 
Lehman's 2008 collapse when no one wanted to touch what was 
perceived as Lehman's ``toxic assets.'' What specifically gives 
you confidence that these living wills will work in the first 
place and that there will be willing buyers for the troubled 
firm's assets?

A.8. The 116 plans represent the latest set of institutions to 
file their initial plans. The FDIC and the Federal Reserve 
currently are in the process of reviewing these resolution 
plans (or ``living wills''), as we have done for the plans 
filed earlier in 2013 and in 2012. Under the standards provided 
in section 165(d) of the Dodd-Frank Act, certain firms, known 
as ``covered companies,'' are required to submit plans for 
their rapid and orderly resolution under the Bankruptcy Code in 
the event of their material financial distress or failure. The 
resolution plan rule jointly promulgated by the FDIC and the 
Federal Reserve, which implements the statutory requirement of 
section 165(d), directs covered companies to include, among 
other items, a discussion of key assumptions and supporting 
analysis underlying the covered company's resolution plan and 
the processes the company employs to assess the feasibility of 
any sales, restructurings, or divestures contemplated in the 
resolution plan. Therefore, to the extent that a firm presents 
a resolution plan in which certain assets of a troubled firm 
will be sold as a key part of its resolution strategy, the firm 
would need to provide supporting analysis. In addition, the 
resolution plans may present options for resolution other than 
asset sales that are consistent with bankruptcy (such as 
restructurings, for example). If the FDIC and the Federal 
Reserve jointly determine that a resolution plan would not 
facilitate an orderly resolution of the covered company under 
the Bankruptcy Code, the FDIC and the Federal Reserve will 
notify the filer of the aspects of the plan that were jointly 
determined to be deficient. The filer must re-submit within 90 
days (or other specified timeframe) a revised plan that 
addresses the deficiencies.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM MARTIN 
                          J. GRUENBERG

Q.1. Are you comfortable with the extent to which the consumer 
payments industry currently sets its own data security 
standards? Currently, most standards are set by contract--with 
the card companies playing a significant role--and an industry 
body known as PCI determines most of the details and certifies 
compliance examiners. Should Federal regulators be playing a 
greater role?

A.1. The FDIC recognizes the importance of effective self-
regulatory standards such as PCI data security standards that 
set expectations between regulated card companies and 
businesses that handle payment card data, including retailers, 
payment processors, and others. While such self-regulatory 
models are an important part of data security, the Federal 
banking agencies also established data security standards for 
financial institutions and those companies that do business 
with financial institutions including payment processors. These 
regulatory standards require financial institutions to develop 
and implement effective risk assessment and mitigation 
processes to protect customer information. These regulatory 
standards also require financial institutions to ensure that 
any third-party they do business with is also required 
contractually to comply with the same security rules for 
protecting customer information. Further, banking rules such as 
the Federal Reserve's Regulation E and Regulation Z are 
designed to protect consumers from payment card fraud, 
regardless of where a data breach occurs. The setting of 
standards for other aspects of the consumer payments industry 
is outside the Federal financial regulatory structure. Whether 
additional involvement by the Federal banking agencies should 
be authorized when those standards impact supervised 
institutions is a fair question for Congress to consider.

Q.2.a. When a financial data breach occurs with a merchant (as 
seems to be the case with the current wave of data breaches) or 
other source outside of a financial institution, financial 
institutions still very clearly feel the effects. Credit and 
debit card issuers, for example, must notify affected customers 
and issue new cards, and will likely end up bearing some 
portion of the financial losses that occur from fraudulent 
transactions using stolen card information. In the chain of a 
retail payment transaction, security is only as strong as its 
weakest link.
    In addition to the examinations the FDIC conducts regarding 
regulated institutions' own data security, can you describe the 
FDIC's oversight with respect to the security of consumer data 
across the entire chain of consumer payment transactions?

A.2.a. The FDIC's authority does not span the entire payment 
network. However, the Federal banking agencies examine a number 
of nonbank payment processing companies that provide direct 
services to our regulated financial institutions as authorized 
by the Bank Service Company Act (12 U.S.C. 1867). Examination 
of these service providers attempts to identify potential 
systemic risks to the banking system and potential downstream 
risks to client banks.
    When financial institutions partner with an outside party, 
they are exposed to additional risks, including reputation and 
financial risk if their customers' data is compromised. Given 
these risks, the FDIC seeks to ensure that the financial risk 
from third-party data breaches does not undermine the safety 
and soundness of the financial institutions.

Q.2.b. Should Federal regulators be taking a greater interest 
in the data security standards applicable to other entities 
that possess consumer financial data, beyond just regulated 
financial institutions? Are legislative changes necessary or 
are there legislative changes that would help?

A.2.b. Regulatory standards for protecting customer information 
(12 C.F.R. 364, Appendix B) address financial institution 
responsibilities for data security. Our oversight, through 
onsite examination programs and enforcement authority for 
compliance failures, is designed to ensure data security 
standards for customer information are effectively implemented. 
Similarly, the Federal Trade Commission (FTC) can enforce 
standards for protection of customer information (16 C.F.R. 
314) by all other financial institutions that are not insured 
depository institutions.
    While financial institutions are subject to both industry 
standards and regulatory standards, others, such as merchants, 
are not subject to any national regulatory requirements to 
protect consumer data. If Congress chooses to review the Gramm-
Leach-Bliley Act, or any other law, to determine whether 
customer protections should be expanded to nonfinancial 
institutions, the FDIC stands ready to assist. Further, the 
FDIC would recommend a review of the Bank Service Company Act 
to determine whether additional enforcement authority is 
necessary for the Federal banking agencies with respect to 
nonbank financial institutions that provide direct services to 
banks.

Q.3. In our economy today, companies are collecting and storing 
growing amounts of consumer information, often without 
consumers' knowledge or consent. The financial industry is no 
exception. We have heard reports of lenders, for example, 
mining online data sources to help inform underwriting 
decisions on consumer loans. As companies aggregate more data, 
however, the consequences of a breach or improper use become 
greater.
    The Target breach illustrates the risks consumers face--not 
just of fraud, but also identity theft and other hardships. 
Compromised information included both payment card data and 
personal information such as names, email addresses, and phone 
numbers. But what if the next breach also involves account 
payment histories or Social Security numbers? As the ways 
companies use consumer information change, and the amount of 
consumer data they hold grows, how is the FDIC's approach 
evolving? Are there steps regulators are taking--or that 
Congress should take--to require stronger protections against 
breaches and improper use, and to mitigate harm to consumers?

A.3. Many nonbank companies aggregate consumer data, including 
credit reporting bureaus, tax preparers, health care providers, 
insurers, universities, and Government agencies. The FDIC 
concurs that protection of consumer data is critical across all 
entities. The FDIC is charged with ensuring that banks protect 
consumer data as authorized by the Gramm-Leach-Bliley Act 
(GLBA), Section 501(b). In response to GLBA, the FDIC and the 
other Federal bank regulatory agencies developed the 
Interagency Guidelines Establishing Information Security 
Standards (12 C.F.R. 364, Appendix B) to protect customer 
information. With respect to protecting customer information, 
GLBA limits the FDIC's scope of enforcement authority to 
insured depository institutions. As discussed above, Congress 
might wish to review the Bank Service Company Act to determine 
if the Act adequately addresses third-party risk with respect 
to companies that provide direct services to banks.

Q.4.a. A lot of the discussion in the aftermath of the recent 
data breaches has focused on credit and debit card ``smart'' 
chip technology, since the United States seems to have fallen 
behind other parts of the world such as Western Europe in 
adopting it. But while card chips help to reduce fraud for 
transactions where a card is physically present, and make it 
harder for thieves to print fake cards using stolen 
information, they do little to reduce fraud for online, ``card-
not-present'' transactions.
    Are you comfortable with the steps industry is taking to 
improve security and reduce fraud for ``card-not-present'' 
transactions?

A.4.a. As you indicate, card-not-present transactions may pose 
a higher risk to the merchant and the issuing bank. Absent 
adequate transaction authorization, the merchant may hold a 
greater degree of liability should fraud occur. Issuing banks 
that authorize transactions without sufficient fraud monitoring 
tools, or fail to respond to suspected compromised account 
notices from the card networks, could take on greater 
liability. However, the industry continues to struggle to 
provide effective security for ``card-not-present'' 
transactions. More needs to be done to ensure that there are 
protections in place to ensure proper authorization for these 
kinds of transactions, and to ensure that customer data remains 
protected. As online commerce continues to grow, so does this 
risk. With the upcoming implementation of the Europay, 
MasterCard and Visa (EMV) standard, there could potentially be 
a shift in fraud toward card-not-present transactions. To 
counter that potential, the industry should consider adopting 
new standards and technology. Examples include tokenization and 
end-to-end encryption as potential solutions.

Q.4.b. Banks and other industry participants need to be 
proactive here, rather than waiting for a major breach to 
happen before making protective investments. Do you feel that 
regulated institutions are paying sufficient attention to all 
areas of data security risk, and are making the necessary 
investments to protect consumers rather than treating fraud as 
simply a cost of doing business?

A.4.b. As a general matter, the FDIC believes that the banks it 
supervises are complying with data security requirements and 
making necessary investments to protect customers from fraud. 
The FDIC assesses a financial institution's efforts to protect 
itself from financial risks such as fraud losses through risk 
mitigation processes, such as credit risk management and 
establishing credit risk reserves. Further, the Interagency 
Guidelines Establishing Information Security Standards require 
financial institutions to implement an information security 
program that assesses risks to customer information, regardless 
of the potential for fraud losses. Such a program must assess 
risks to the confidentiality, integrity, and availability of 
customer information. The FDIC assesses the effectiveness of 
this program in banks we supervise as part of the FDIC's onsite 
examination process.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MARTIN J. 
                           GRUENBERG

Q.1. FSOC has been in existence for more than 3 years. Since 
that time, three companies have been deemed systemically 
significant and a second round of companies appear to be under 
consideration. Despite the numerous calls from Congress, a 
number of industry and consumer groups and even the GAO for the 
FSOC to provide greater transparency about the process used for 
designation, (including the metrics OFR should measure in their 
analysis), the criteria followed, as well as the implications 
and process to be followed after a firm has been designated a 
SIFI. Can you provide greater details on why more transparency 
has not been achieved and how the FSOC plans to improve these 
issues?

A.1. The FSOC has worked to ensure that the designation of 
firms follows processes that provide transparency and certainty 
to companies, market participants, and members of the public 
and incorporates the specific statutory considerations of 
Section 113 of the Dodd-Frank Act governing designation of 
nonbank companies. At the same time, the FSOC is mindful of 
nonbank financial companies' concerns that sensitive firm-
specific nonpublic information be protected from disclosure. To 
provide transparency and clarity regarding its designation 
process, the FSOC issued, after notice and public comment, a 
final rule and interpretative guidance in April 2012. The 
public comment process helped to ensure that key issues were 
fully considered and transparent to the public.
    The interpretative guidance details the FSOC's analytical 
framework for designation of nonbank financial companies and 
includes quantitative metrics. The analysis performed on each 
individual company considered for designation requires analysis 
of nonpublic information, which may be provided by the 
company's regulators and by the company itself in response to 
requests from the FSOC. The company is provided with the basis 
for the FSOC's proposed determination and may request a hearing 
to contest the determination. In addition, the FSOC has adopted 
policies to ensure that the processes are as transparent as 
practicable to the public. After a final designation, a 
document explaining the basis for its determination to 
designate a company and minutes of the designation votes are 
posted to the FSOC's public Web site.
    Following a firm's designation as a SIFI, the implications 
and process to be followed are set out in the Dodd-Frank Act. 
The Federal Reserve, as primary Federal regulator, develops the 
prudential standards that will be applicable to nonbank 
designated firms, under section 165 of the Dodd-Frank Act, for 
its ongoing supervision of these firms. In addition, the FDIC 
and the Federal Reserve Board meet with the newly designated 
firms to provide guidance for the preparation of their 
resolution plans under Title I of the Dodd-Frank Act.
    The FDIC, as a member of the FSOC, is committed to the 
issue of transparency and takes these concerns as well as 
suggestions for improvement very seriously. As reporting 
requirements evolve and new information about certain 
industries and nonbank financial companies becomes available, 
the FSOC will be better able to consider whether changes to 
assure transparency of the designation process are needed.

Q.2. I, along with a number of other Republicans, introduced 
legislation to fix an unintended consequence on collateralized 
debt obligations (CDOs). In their January 13th interim final 
rule, regulators crafted a rule that largely mirrored what my 
bill sought to do: provide relief to a majority of community 
banks. While we appreciate the agencies' efforts on this issue, 
one issue that we included in our legislation that the 
regulators did not address was collateralized loan obligations 
(CLOs). The CLO market provides about $300 billion in financing 
to U.S. companies and U.S. banks currently hold between $70 and 
$80 billion of senior notes issued by existing CLOs and foreign 
banks subject to the Volcker Rule hold about another $60 
billion. Because the final rules implementing the Volcker Rule 
improperly treat these debt securities as ``ownership 
interests'', the banks holding these notes will either have to 
divest or restructure these securities. Because restructuring 
well over $130 billion of CLO securities is neither feasible 
nor under the control of the banks holding these notes, 
divestment is the most likely result. This, in turn, could lead 
to a fire sale scenario that could put incredible downward 
pressure on CLO securities prices leading to significant losses 
for U.S. banks. If prices decline by only 10 percent, U.S. 
banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of 
the overreach of the Volcker Rule. Indeed, the final rules are 
already wreaking havoc on the CLO market. Since the final rules 
were announced, new CLO formation was down nearly 90 percent in 
January 2014, the lowest issuance in 23 months. If this 
situation is not remedied and CLO issuance remains moribund, 
corporate borrowers could face higher credit costs. At the 
hearing of the House Financial Services Committee on January 
15, 2014, a number of both Democrats and Republicans asked 
questions about how to fix the issue with the CLO market that 
was not addressed in the interim final rule released on January 
13, 2014. The representatives of the agencies noted that the 
CLO issue was at the top of the list of matters to be 
considered by the inter-agency working group that has been 
established to review issues such as this and publish guidance. 
The issue is urgent. Bank CFOs are struggling with how to treat 
their CLO debt securities. Can you commit to a tight timeframe 
to issue guidance on CLOs?

A.2. The agencies have taken the industry concerns regarding 
the treatment of CLOs under the Volcker Rule very seriously 
and, since the issue was first raised, have devoted 
considerable effort and staff resources to examining the 
industry concerns. For example, the agencies' staffs jointly 
have met with representatives of the Loan Syndication Trade 
Association, the American Bankers Association, the Structured 
Finance Industry Group, the Financial Services Roundtable and 
the Securities Industry and Financial Markets Association. 
Based on these discussions with the industry representatives, a 
review of data provided by market participants and discussions 
among the staffs of the agencies, we have found:

    Banking entities that hold legacy CLOs are 
        undertaking a review of their particular holdings to 
        evaluate where they fit within the treatment of covered 
        funds under the agencies' implementing regulations. 
        Industry representatives have advised the staffs of the 
        agencies that there is a great amount of variation from 
        deal to deal in the restrictions applicable to 
        investments permitted for CLOs and the rights granted 
        to CLO investors. In addition, staffs of the agencies 
        understand from the industry that many legacy CLOs may 
        not satisfy the exclusion from the definition of 
        covered fund for loan securitizations because they may 
        hold a certain amount of nonconforming assets (such as 
        bonds or other securities).

    New CLO issuances have been comparable in volume to 
        the CLOs issued prior to the adoption of the 
        implementing rules and sponsors have revised their new 
        CLO deals to conform to the Volcker Rule's exception 
        for loan securitizations. In particular, market 
        participants have represented that new issuances of 
        CLOs in late 2013 and early 2014 after issuance of the 
        final rule are conforming to the final rule.\1\
---------------------------------------------------------------------------
    \1\ According to S&P, the majority of CLOs issued since the final 
rule have been structured as loan-only securitizations. First quarter 
2014 CLO issuance stands at approximately $21 billion, according to 
Thomson Reuters PLC.

    Data contained in the Call Report and Y-9C forms 
        for asset-backed securities or structured financial 
        products secured by corporate and similar loans 
        indicate that U.S. banking entities hold between 
        approximately $84 billion and $105 billion in CLO 
        investments.\2\ Of this amount, between approximately 
        94 and 96 percent are held by banking entities with 
        total assets of $50 billion or more. Holdings of CLOs 
        by domestic banking entities represent between 
        approximately 28 and 35 percent of the $300 billion 
        market for U.S. CLOs, with these holdings skewed toward 
        the senior tranches.\3\ These aggregate holdings 
        reflect an unrealized net gain. Unrealized losses 
        reported by individual banking entities are not 
        significant relative to their tier 1 capital or income. 
        Up to 52 domestic insured depository institutions (all 
        charters) reported holdings of CLOs in their held-to-
        maturity, AFS and trading portfolios.\4\
---------------------------------------------------------------------------
    \2\ This information is based on data compiled as of December 31, 
2013, by the Federal banking agencies, which undertook a review and 
analysis of CLO holdings of banking entities that are subject to filing 
Call Report or Y-9C data, including insured depository institutions, 
bank holding companies and certain savings and loan holding companies.
    \3\ OCC supervised institutions hold the majority (95 percent) of 
this CLO exposure. These positions are concentrated in the largest 
institutions and are held mainly in the AFS portfolio.
    \4\ Based on Call Report data as of December 31, 2013.

    To address the concerns regarding CLOs, the Federal Reserve 
Board issued a statement that it intends to grant two 
additional 1-year extensions of the conformance period under 
section 619 that allow banking entities additional time to 
conform to the statute ownership interests in and sponsorship 
of CLOs in place as of December 31, 2013, that do not qualify 
for the exclusion in the final rule for loan 
securitizations.\5\ The FDIC supports the statement issued by 
the Federal Reserve Board.
---------------------------------------------------------------------------
    \5\ See Board Statement regarding the Treatment of Collateralized 
Loan Obligations Under Section 13 of the Bank Holding Company Act 
(April 3, 2014).

Q.3. On a related point, we have heard that some are of the 
view that the guidance being sought by industry in connection 
with CLO debt securities is too broad. Isn't it the case that 
all the agencies have to do is issue extremely narrow guidance 
that states that a CLO debt security that has the right to 
replace a manager for cause, without any other indicia of 
ownership, will not be treated as an ``ownership interest'' 
under the Volcker Rule? Even if we were to concede (which we do 
not) that it would be difficult for the agencies to grant the 
requested relief, couldn't the agencies address the issue of 
legacy CLO securities by simply agreeing (as they did in the 
context of CDOs of TruPS) to grandfather all existing CLO debt 
securities for CLOs issued prior to the publication of the 
final rules in the Federal Register? Wouldn't this very narrow 
relief fix the problem for banks that purchased CLO debt 
securities in good faith prior to the issuance of the final 
rule but are now facing potentially material losses?

A.3. As noted above in the answer to question 2, the agencies 
have carefully considered the banking industry's concerns 
regarding bank CLO investments and their treatment under the 
Volcker Rule. After extensive interagency review of these 
issues, the Federal Reserve issued its statement announcing it 
would extend the conformance period for two additional years 
for certain CLOs. The agencies believe that the extension 
should address the compliance issues for many of the legacy 
CLOs that do not meet the loan securitization exemption, 
allowing many of them to mature or be called by investors, and 
should provide more time for CLO managers to evaluate and 
possibly change the composition of the underlying assets to 
bring the CLOs into conformance.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM THOMAS J. 
                             CURRY

Q.1. When a data breach happens at a merchant level, Federal 
banking regulators generally do not have jurisdiction to 
investigate and take action. However, collateral consequences 
of such breaches are that regulated financial institutions are 
impacted and face reputational and financial setbacks as a 
result. What are your expectations for the regulated entities 
when a breach occurs at a third party? What are some of the 
challenges financial institutions face as a result of the 
breach? How can those challenges be addressed while minimizing 
consequences of, and cost for, affected financial institutions?

A.1. Banks and Federal savings associations (referenced here as 
``banks'') are required to be on the alert for identity theft 
involving their customers' information, no matter how and where 
the identity thief acquired the information, even if the 
information was acquired from a third party that has no 
relationship with the bank. Following the enactment of the Fair 
and Accurate Credit Transactions Act (FACT Act), the Federal 
banking agencies together with the Federal Trade Commission 
issued regulations in 2008 titled ``Identity Theft Red Flags 
and Address Discrepancies.'' The final rules require each 
financial institution and creditor to develop and implement a 
written identity theft prevention program that includes 
policies and procedures for detecting, preventing, and 
mitigating identity theft in connection with new and existing 
accounts. The program must cover any consumer account, or any 
other account that the financial institution or creditor offers 
or maintains for which there is a reasonably foreseeable risk 
to consumers or to the safety and soundness of the financial 
institution or creditor from identity theft. In addition, it 
must include policies and procedures to identify relevant red 
flags signaling possible identity theft, detect the red flags 
incorporated into the program, respond appropriately to the red 
flags that are detected, and ensure the program is updated 
periodically to reflect changes in risks to customers and to 
the institution from identity theft.
    The agencies also issued guidelines to assist financial 
institutions to develop and implement an identity theft 
prevention program. These guidelines state that when a bank 
detects identity theft red flags, it is expected to respond 
appropriately by taking steps that include monitoring accounts, 
contacting the customer, changing passwords, closing and 
reopening the account, and notifying law enforcement, as 
appropriate.
    The guidelines also include a supplement that identifies 26 
patterns, practices, and specific forms of activity that are 
``identity theft red flags.'' These include alerts, 
notifications, or other warnings received from consumer 
reporting agencies or service providers, the presentation of 
suspicious documents or suspicious personal identifying 
information, the unusual use of, or other suspicious activity 
related to, a covered account, or notice from customers, 
victims of identity theft, or law enforcement authorities.
    Recent events, such as the information security breaches at 
Target and Neiman Marcus, highlight the sophisticated nature of 
evolving cyber threats, as well as the interdependencies that 
exist in today's payment systems. They underscore the 
challenges and costs that banks can face when their customers' 
data is breached through technologies controlled and overseen 
by a third party such as point-of-sale card readers at a 
merchant. Banks have borne the expense of replacing cards, 
providing credit-monitoring services, responding to high 
volumes of customer inquiries, monitoring for fraudulent 
transactions, and reimbursing customers for fraud losses.
    Because of the interdependencies within retail payment 
systems, solutions to these issues will require cooperation 
among multiple entities and oversight bodies. The OCC supports 
recent efforts by the industry to work with the different 
stakeholders within the retail payment systems to develop 
approaches to minimize the risks and address challenges faced 
by banks. This includes efforts to develop new technologies and 
tools that will enhance the overall security of the retail 
payment systems.

Q.2. At the Subcommittee hearing on data security and breach 
held on February 3, 2014, Members learned that the payment 
networks have set an October 2015 timeframe for moving industry 
participants to adoption of new, more secure payment 
technology. Can you discuss how quickly your regulated entities 
are moving to this technology, and identify some of the 
obstacles that still exist?

A.2. The payment technology discussed in the February 3 hearing 
is known as EMV, also called ``chip and pin'' and ``chip and 
signature.'' While some banks and credit unions already issue 
chip cards, implementing a fully functioning EMV system is 
complex and will require a coordinated approach across retail 
payment systems, and among financial institutions, merchants 
and consumers. For example, ATM networks and point-of-sale 
systems must be reconfigured to accept the new cards. In many 
cases, existing hardware may need to be replaced to accept 
newer technologies. Given the multifaceted challenges and 
interdependent systems that must be successfully coordinated 
across banks and merchants, we understand that full 
implementation may extend beyond the 2015 timeframe.

Q.3. In July of 2013, I requested that the Government 
Accountability Office (GAO) review the SIFI designation process 
at FSOC for both transparency and clarity, and to examine the 
criteria used to designate companies as SIFIs. Would you all be 
willing to support more reliance on measurable metrics in 
FSOC's designation process?

A.3. I believe the designation process used by the FSOC strikes 
an appropriate balance in using a combination of uniform 
metrics, supplemented with more in-depth quantitative and 
qualitative assessments to make a designation determination. To 
provide transparency and clarity, the FSOC published for 
comment its proposed rule and interpretative guidance that 
explained the process, factors and key metrics the Council 
would use in its designation process. The Council's 
interpretative guidance set forth the Council's three-stage 
process and analytical framework for analyzing firms. Within 
that guidance and as part of its stage 1 analysis, the guidance 
identified a set of measurable, uniform metrics that are used 
to identify firms that warrant more in-depth review and 
analysis. Firms that meet the stage 1 metrics laid out in the 
guidance are subject to further review and analysis based on 
six key categories of risk factors. Those factors, and examples 
of metrics that FSOC will use to evaluate those risk factors, 
were also described in the guidance.
    As noted in the preamble to the final designation rule and 
interpretative guidance, the Council intends to review the 
quantitative thresholds as reporting requirements evolve and 
new information about certain industries and nonbank financial 
data becomes available. While I would support such refinements 
to the designation process, I believe it would be a mistake to 
design a framework that relies solely on a set of quantitative 
metrics or algorithms to make a determination decision. I 
believe each firm must be evaluated with respect to its 
individual risk profile and the nature of its operations. This 
need for a tailored analysis is why the Council's process 
includes substantial opportunities for communications with, and 
responses by, firms that are under consideration for 
determination.

Q.4. Please explain how and why the agencies failed to foresee 
the accounting issue with the treatment of the Trust Preferred 
Collateralized Debt Obligations (TruPS CDOs) in the final 
Volcker Rule. Did the proposed rule include requisite language 
seeking public comment on TruPS CDOs, as finalized? If so, 
please provide that language from the proposed rule. If not, 
please explain why the proposal did not seek that specific 
information and whether the agencies believe they satisfied the 
notice-and-comment requirements under the Administrative 
Procedure Act.

A.4. The TruPS CDOs that raised the accounting issue were 
covered by the Agencies' implementing regulations because they 
have features that bring them within the definition of 
``ownership interest.'' The Notice of Proposed Rulemaking (76 
Fed. Reg. 68,846) discussed the Agencies' proposed definition 
of ``ownership interest'' in covered funds, in connection with 
implementing the Volcker Rule's prohibition against banking 
entity holdings of covered funds (p. 68,897). The proposal went 
on to request comment on whether the proposed definitions of 
``ownership interest'' in covered funds posed unique concerns 
or challenges with respect to specific classes of instruments, 
specifically including Collateralized Debt Obligations (p. 
68,899). Commenters did not raise concerns about TruPS CDOs.

Q.5. What specific efforts are the regulators considering to 
address the issue with the Collateralized Loan Obligations 
(CLOs) in the final Volcker rule? In Governor Tarullo's 
testimony before the House Financial Services Committee, he 
stated that the CLO issue is ``already at the top of the list'' 
for regulators to consider and fix. How many financial 
institutions are impacted by the final rule's treatment of 
CLOs?

A.5. Based on Call Report information for year-end 2013, 51 
domestic banks reported CLO holdings. The OCC is the supervisor 
of 26 of these banks, which hold 95 percent of the CLO holdings 
reported by all 51 banks in the Call Reports. Holding of CLOs 
is extremely concentrated in large banks, two of which hold far 
more than the other banks combined. Although some banks 
reported unrealized losses on their CLO portfolios, they were 
the exception to the rule, and the unrealized losses were not 
significant relative to tier 1 capital or earnings. On April 7, 
2014, the Federal Reserve Board issued a statement announcing 
its intention, consistent with the statute, to grant two 
additional 1-year extensions of the conformance period--until 
July 2017--for legacy CLOs. A number of these legacy CLOs will 
have matured under their own terms and repaid their principal 
balances by that time. With respect to those that have not 
matured, the OCC does not anticipate significant adverse 
effects on capital or earnings overall with respect to the 
institutions we supervise.

Q.6. Since the final Volcker rule was issued in December, the 
affected entities have recognized two issues with the final 
rule (TruPS CDOs and CLOs). What other issues with the final 
Volcker rule are your agencies aware of that may be raised by 
affected entities? How do you intend to coordinate efforts on 
clarifying such issues in the future?

A.6. The Agencies are receiving requests for further guidance 
on a range of matters. For example, the OCC has received 
questions regarding the metrics reporting requirements, 
including about (i) the timeframes for when the largest trading 
banking entities must begin collecting metrics and filing their 
first reports; and (ii) the systems necessary for collecting 
and reporting metrics. The OCC has led the formation of an 
interagency working group to address and collaborate on 
developing responses to key supervisory issues that arise under 
the final regulations. The interagency group held its first 
meeting in late January and is continuing to meet on a regular 
basis. The Agencies are working to ensure consistency in 
application of the final regulations. Through our examination 
and supervisory staff, the OCC also is working with the 
institutions we supervise to ensure that they are preparing to 
conform with the implementing regulations when the conformance 
period concludes.

Q.7. How do you plan to coordinate with other agencies 
regarding enforcement matters and the final Volcker rule, given 
that your agencies have varied jurisdictions?

A.7. As noted in the response to the previous question, through 
our examination and supervisory staff, the OCC also is working 
with the institutions we supervise to ensure that they are 
preparing to conform with the implementing regulations. After 
the close of the conformance period, we will examine for 
compliance with the Volcker Rule and, in a case of 
noncompliance, will take appropriate supervisory or enforcement 
action. In cases where our work implicates institutions subject 
to regulation or supervision by other agencies, we will 
coordinate closely with those agencies.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM THOMAS 
                            J. CURRY

Q.1. Are you comfortable with the extent to which the consumer 
payments industry currently sets its own data security 
standards? Currently, most standards are set by contract--with 
the card companies playing a significant role--and an industry 
body known as PCI determines most of the details and certifies 
compliance examiners. Should Federal regulators be playing a 
greater role?

A.1. The OCC sets standards for financial institutions that we 
supervise. We are following the industry-led efforts to respond 
to the evolving cybersecurity threats. The Payment Card 
Industry (PCI) Security Standards Council develops, maintains 
and manages the PCI Security Standards, such as the PCI-Data 
Security Standards (PCI-DSS). The PCI security standards are 
detailed and have been recently updated (November 2013). The 
bank regulators have an important role in evaluating the risk 
exposure of the banks in the system and consider PCI-DSS 
compliance in addition to compliance with the Federal Financial 
Institutions Examination Council (FFIEC) and OCC-related 
guidance in the examination process.
    The OCC is in the process of assessing the existing 
regulatory structure, enforcement authorities, and statutory 
authorities to ensure they are adequate for the existing 
cybersecurity threat.

Q.2.a. When a financial data breach occurs with a merchant (as 
seems to be the case with the current wave of data breaches) or 
other source outside of a financial institution, financial 
institutions still very clearly feel the effects. Credit and 
debit card issuers, for example, must notify affected customers 
and issue new cards, and will likely end up bearing some 
portion of the financial losses that occur from fraudulent 
transactions using stolen card information. In the chain of a 
retail payment transaction, security is only as strong as its 
weakest link.
    In addition to the examinations the OCC conducts regarding 
regulated institutions' own data security, can you describe the 
OCC's oversight with respect to the security of consumer data 
across the entire chain of consumer payment transactions?

A.2.a. Banks provide essential retail payment transaction 
services to businesses and customers; issuing credit and debit 
cards to customers, authorizing transactions for merchants, and 
then acquiring those transactions. A few provide clearing and 
settlement services for merchants. The OCC supervises banks and 
their service providers. However, the OCC does not oversee the 
security of consumer data across the entire chain of consumer 
payment transactions.
    The OCC examines banks and their service providers for 
compliance with the interagency information security guidelines 
issued by the OCC pursuant to the Gramm-Leach-Bliley Act, in 
conjunction with the Federal Deposit Insurance Corporation 
(FDIC) and the Board of Governors of the Federal Reserve System 
(Federal Reserve) (collectively, the FBAs). These interagency 
guidelines require each bank to develop and implement a formal 
information security program. Banks and their service providers 
are examined for the capacity to safeguard their systems 
against cyber attacks and their ability to ensure the security 
and confidentiality of customer information. The OCC also 
ascertains whether banks have strong and well-coordinated 
incident response programs that can be implemented if a cyber 
attack or security breach does occur.
    While the guidelines require a bank to safeguard the 
customer information it maintains or that is maintained by a 
third party on its behalf, each bank is also required to be on 
the alert for identity theft involving its customers' 
information, no matter how and where the information was 
acquired. The OCC examines banks for compliance with 
interagency regulations issued by the OCC pursuant to the Fair 
and Accurate Credit Transactions Act (FACT Act), by the FBAs 
together with the Federal Trade Commission titled ``Identity 
Theft Red Flags and Address Discrepancies.'' The final rules 
require each financial institution and creditor to develop and 
implement a written identity theft prevention program that 
includes policies and procedures for detecting, preventing, and 
mitigating identity theft in connection with new and existing 
accounts. The program must cover any consumer account, or any 
other account that the financial institution or creditor offers 
or maintains for which there is a reasonably foreseeable risk 
to consumers or to the safety and soundness of the financial 
institution or creditor from identity theft. In addition, it 
must include policies and procedures to identify relevant red 
flags signaling the possibility of identity theft, detect red 
flags incorporated into the program, respond appropriately to 
the red flags that are detected, and ensure the program is 
updated periodically to reflect changes in risks to customers 
and to the institution from identity theft.
    The Agencies also issued guidelines to assist covered 
entities in developing and implementing an identity theft 
prevention program. The guidelines include a supplement that 
identifies 26 patterns, practices, and specific forms of 
activity that are ``red flags.'' These include alerts, 
notifications, or other warnings received from consumer 
reporting agencies or service providers, the presentation of 
suspicious documents or suspicious personal identifying 
information, the unusual use of, or other suspicious activity 
related to, a covered account, or notice from customers, 
victims of identity theft, or law enforcement authorities. When 
a bank detects identity theft red flags, the bank is expected 
to respond appropriately by taking steps that include 
monitoring accounts, contacting the customer, changing 
passwords, closing and reopening the account, and notifying law 
enforcement, as appropriate.

Q.2.b. Should Federal regulators be taking a greater interest 
in the data security standards applicable to other entities 
that possess consumer financial data, beyond just regulated 
financial institutions? Are legislative changes necessary or 
are there legislative changes that would help?

A.2.b. The OCC recognizes the need to protect critical 
infrastructure and customer information across all sectors of 
the economy. We support legislation aimed at achieving these 
goals, except to the extent that such legislation would weaken 
or duplicate the existing information security, data 
protection, and consumer notice requirements already applicable 
to banks.

Q.3. In our economy today, companies are collecting and storing 
growing amounts of consumer information, often without 
consumers' knowledge or consent. The financial industry is no 
exception. We have heard reports of lenders, for example, 
mining online data sources to help inform underwriting 
decisions on consumer loans. As companies aggregate more data, 
however, the consequences of a breach or improper use become 
greater.
    The Target breach illustrates the risks consumers face--not 
just of fraud, but also identity theft and other hardships. 
Compromised information included both payment card data and 
personal information such as names, email addresses, and phone 
numbers. But what if the next breach also involves account 
payment histories or Social Security numbers? As the ways 
companies use consumer information change, and the amount of 
consumer data they hold grows, how is the OCC's approach 
evolving? Are there steps regulators are taking--or that 
Congress should take--to require stronger protections against 
breaches and improper use, and to mitigate harm to consumers?

A.3. Ensuring the industry's defenses against cyber attacks is 
an important issue for the OCC. While the banking sector is 
highly regulated and has been subject to stringent information 
security requirements for decades, we recognize that both our 
supervision and our guidance to banks must be regularly updated 
to keep pace with the rapidly changing nature of cyber threats.
    The OCC has an information technology (IT) examination 
program that includes training examiners, updating and 
implementing IT risk management policy through guidance, 
alerts, and handbooks, and regular onsite examination of banks' 
IT programs.
    We have also helped coordinate a series of classified 
briefings for banks, third-party service providers, and 
examiners. These briefings are an effective way to provide the 
industry with information needed to anticipate and prepare for 
attacks. We have also conducted a number of other outreach 
events, including a security and threat awareness 
teleconference for community banks and thrifts that attracted 
over 750 institutions.
    When I became Chairman of the FFIEC, I called for the 
creation of a working group on cybersecurity issues to be 
housed under the FFIEC's task force on supervision. The working 
group has already begun to meet with intelligence, law 
enforcement, and homeland security officials, and it is 
exploring additional approaches bank regulators can take to 
ensure that institutions of all sizes have the ability to 
safeguard their systems. This working group will also consider 
how best to implement the President's Executive Order on 
Cybersecurity, as well as how to address recommendations of the 
FSOC.
    In addition, as mentioned above, the OCC recognizes the 
need to protect critical infrastructure and customer 
information across all sectors of the economy, especially with 
respect to sectors upon which banks are dependent, such as 
telecommunications. We support legislation aimed at achieving 
these goals, except to the extent that such legislation would 
weaken or duplicate the existing information security, data 
protection, and the consumer notice requirements already 
applicable to banks.

Q.4.a. A lot of the discussion in the aftermath of the recent 
data breaches has focused on credit and debit card ``smart'' 
chip technology, since the United States seems to have fallen 
behind other parts of the world such as Western Europe in 
adopting it. But while card chips help to reduce fraud for 
transactions where a card is physically present, and make it 
harder for thieves to print fake cards using stolen 
information, they do little to reduce fraud for online, ``card-
not-present'' transactions.
    Are you comfortable with the steps industry is taking to 
improve security and reduce fraud for ``card-not-present'' 
transactions?

A.4.a. The banking industry is looking into a number of new 
technologies and business processes to improve security and 
reduce fraud. The largest institutions, in particular, have 
made significant investments in ways to improve security and 
reduce fraud. As your question acknowledges, while some 
technologies such as ``chip and pin'' may mitigate one source 
of vulnerability, they could accentuate other vulnerabilities. 
For this reason, there are additional industry efforts underway 
to explore other emerging technologies such as biometrics, 
geolocation and forms of dynamic authentication other than 
``chip and pin.'' Some of these potential solutions, however, 
may raise other concerns such as consumer privacy that will 
need to be carefully considered.

Q.4.b. Banks and other industry participants need to be 
proactive here, rather than waiting for a major breach to 
happen before making protective investments. Do you feel that 
regulated institutions are paying sufficient attention to all 
areas of data security risk, and are making the necessary 
investments to protect consumers rather than treating fraud as 
simply a cost of doing business?

A.4.b. Cybersecurity is an important priority for the OCC and 
we have been conducting extensive outreach to our institutions 
to draw their attention to the importance of data security. We 
emphasize that it is an operational risk that needs to be part 
of institutions' overall enterprise risk management and receive 
attention from senior management and the board of directors. 
From our outreach efforts, we believe that senior financial 
institution executives understand that addressing cyber risks 
is a serious priority for their institutions, and, as noted 
above, they are exploring enhancements to existing technology 
to help to protect consumers' information. The OCC supports new 
technologies and tools that will enhance the overall security 
of retail payment systems.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM THOMAS J. 
                             CURRY

Q.1. FSOC has been in existence for more than 3 years. Since 
that time, three companies have been deemed systemically 
significant and a second round of companies appear to be under 
consideration. Despite the numerous calls from Congress, a 
number of industry and consumer groups and even the GAO for the 
FSOC to provide greater transparency about the process used for 
designation, (including the metrics OFR should measure in their 
analysis), the criteria followed, as well as the implications 
and process to be followed after a firm has been designated a 
SIFI. Can you provide greater details on why more transparency 
has not been achieved and how the FSOC plans to improve these 
issues?

A.1. I believe the designation process used by FSOC strikes an 
appropriate balance in providing transparency to the public 
about the factors used by the Council in making its 
determinations while allowing for a robust evaluation, based on 
each firm's unique circumstances, that also protects the 
confidentiality of firm-specific proprietary and supervisory 
information. For example, to provide transparency and clarity, 
the FSOC published for comment its proposed rule and 
interpretative guidance that explained the process, factors and 
key metrics the Council would use in its designation process. 
The Council's interpretative guidance set forth the Council's 
three-stage process and analytical framework for analyzing 
firms. Within that guidance and as part of its stage 1 
analysis, the guidance identified a set of measurable, uniform 
metrics that are used to identify firms that warrant more in-
depth review and analysis. Firms that meet the stage 1 metrics 
laid out in the guidance are subject to further review and 
analysis based on six key categories of risk factors. Those 
factors, and examples of metrics that FSOC will use to evaluate 
those risk factors, were also described in the guidance.
    With respect to the Council's actions for individual firms, 
a firm that is being actively considered for designation is 
sent a written notice that it is being considered for 
designation. That notice provides the firm with a preliminary, 
in-depth analysis of the Council's assessment of the firm, 
including key risk factors and metrics that the Council used in 
its assessment. During this stage, firms have an extensive 
opportunity to respond to those preliminary assessments through 
the submission of written materials and meetings and 
discussions with Council staff. If, at the conclusion of those 
discussions and analysis, the Council decides to make a 
determination, the firm is provided with a notice of proposed 
determination that includes an explanation of the basis for the 
Council's action and is given the opportunity to request a 
formal hearing before a final determination is made. To provide 
transparency of the Council's final decision to designate a 
firm, the Council's resolution and votes for the decision, 
along with any dissenting opinion, are posted to the Council's 
Web site, along with a summary that provides the basis and 
criteria used and the rationale for the designation.

Q.2. I, along with a number of other Republicans, introduced 
legislation to fix an unintended consequence on collateralized 
debt obligations (CDOs). In their January 13th interim final 
rule, regulators crafted a rule that largely mirrored what my 
bill sought to do; provide relief to a majority of community 
banks. While we appreciate the agencies' efforts on this issue, 
one issue that we included in our legislation that the 
regulators did not address was collateralized loan obligations 
(CLOs). The CLO market provides about $300 billion in financing 
to U.S. companies and U.S. banks currently hold between $70 and 
$80 billion of senior notes issued by existing CLOs and foreign 
banks subject to the Volcker Rule hold about another $60 
billion. Because the final rules implementing the Volcker Rule 
improperly treat these debt securities as ``ownership 
interests'', the banks holding these notes will either have to 
divest or restructure these securities. Because restructuring 
well over $130 billion of CLO securities is neither feasible 
nor under the control of the banks holding these notes, 
divestment is the most likely result. This, in turn, could lead 
to a fire sale scenario that could put incredible downward 
pressure on CLO securities prices leading to significant losses 
for U.S. banks. If prices decline by only 10 percent, U.S. 
banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of 
the overreach of the Volcker Rule. Indeed, the final rules are 
already wreaking havoc on the CLO market. Since the final rules 
were announced, new CLO formation was down nearly 90 percent in 
January 2014, the lowest issuance in 23 months. If this 
situation is not remedied and CLO issuance remains moribund, 
corporate borrowers could face higher credit costs. At the 
hearing of the House Financial Services Committee on January 
15, 2014, a number of both Democrats and Republicans asked 
questions about how to fix the issue with the CLO market that 
was not addressed in the interim final rule released on January 
13, 2014. The representatives of the agencies noted that the 
CLO issue was at the top of the list of matters to be 
considered by the inter-agency working group that has been 
established to review issues such as this and publish guidance. 
The issue is urgent. Bank CFOs are struggling with how to treat 
their CLO debt securities. Can you commit to a tight timeframe 
to issue guidance on CLOs?

A.2. On April 7, 2014, the Federal Reserve Board issued a 
statement announcing its intention, consistent with the 
statute, to grant two additional 1-year extensions of the 
conformance period--until July 2017--for legacy CLOs. A number 
of these legacy CLOs will have matured under their own terms 
and repaid their principal balances by that time. With respect 
to those that have not matured, the OCC does not anticipate 
significant adverse effects on capital or earnings overall with 
respect to the institutions we supervise. Market participants 
indicate that new issuances have been structured so as to 
comply with Volcker Rule requirements for banking entity 
portfolio investments. I would note that CLO issuances for 
April were $12.3 billion, the highest monthly volume since the 
financial crisis, and that the total issuance for 2014 is 
already $31.7 billion, putting it on pace to exceed last year's 
total volume.
                                ------                                


  RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM MARY JO 
                             WHITE

Q.1. When a data breach happens at a merchant level, Federal 
banking regulators generally do not have jurisdiction to 
investigate and take action. However, collateral consequences 
of such breaches are that regulated financial institutions are 
impacted and face reputational and financial setbacks as a 
result. What are your expectations for the regulated entities 
when a breach occurs at a third party? What are some of the 
challenges financial institutions face as a result of the 
breach? How can those challenges be addressed while minimizing 
consequences of, and cost for, affected financial institutions?

A.1. The challenges that face financial institutions as a 
result of a breach at a third party are many and varied. The 
sophistication of the perpetrators continually evolves, and the 
threats increase in complexity on a daily basis. Keeping pace 
with the challenges that we face will take a coordinated 
Government and industry effort.
Expectations for Regulated Entities When a Breach Occurs at a Third 
        Party
    The Commission has in place rules addressing privacy and 
identity theft to protect investors. Regulations S-P and S-ID 
work together to require covered firms to implement policies 
and procedures that are reasonably designed to ensure the 
security and confidentiality of customer records and 
information, including the establishment of an identity theft 
program addressing how to identify, detect, and respond to 
potential identity theft red flags.\1\ Entities covered under 
these rules are required to implement measures addressing their 
regulatory obligations, including the oversight of service 
provider arrangements.
---------------------------------------------------------------------------
    \1\ Regulation S-P requires broker-dealers, investment companies 
and registered investment advisers to establish policies and procedures 
reasonably designed to safeguard customer information and records. It 
also limits the ability of these firms to disclose nonpublic personal 
information to unaffiliated third parties. Last year, to implement 
Section 1088 of the Dodd-Frank Act, the SEC and the CFTC jointly 
adopted Regulation S-ID, which requires certain regulated financial 
institutions and creditors to adopt and implement identity theft 
programs. Regulation S-ID is in effect today and requires covered firms 
to implement policies and procedures designed to: identify relevant 
types of identity theft red flags; detect the occurrence of those red 
flags; respond appropriately to the detected red flags; and 
periodically update the identity theft program. Regulation S-ID also 
requires entities to provide staff training, oversight of service 
providers, and guidelines for and examples of red flags to help firms 
administer their programs.
---------------------------------------------------------------------------
    The guidelines contained in Regulation S-ID provide, among 
other things, that regulated entities that engage a service 
provider to perform services related to a covered account 
should take steps to ensure that the service provider has 
policies and procedures designed to detect, prevent and 
mitigate the risk of identity theft.
Challenges Faced by Financial Institutions as a Result of a Breach
    Possibly the greatest challenge faced by financial 
institutions and regulators alike is the need to be ever 
vigilant in guarding against new and unexpected threats. This 
generally necessitates good communication by all affected, as 
well as foresight in allocating resources to data and cyber 
protection. Financial institutions covered under the rules that 
possess customer data, of course, should, and are required to, 
take steps to prevent that data from being placed at risk. By 
way of example, broker-dealers, mutual funds and registered 
investment advisers are required under Regulation S-P and 
Regulation S-ID to implement policies and procedures that 
address safeguarding data and preventing identity theft. Some 
of the challenges facing entities covered under Regulation S-ID 
relate to implementing a program that provides for an 
appropriate response to identity theft red flags commensurate 
with the risk posed. Guidelines contained in Regulation S-ID 
note that an appropriate response should take into account 
aggravating factors that may heighten the risk of identity 
theft, such as a data security incident that results in 
unauthorized access to account records, and include a number of 
examples of appropriate responses that a regulated entity 
should consider. Appropriate responses may include, among 
others:

    Monitoring a covered account for evidence of 
        identity theft;

    Contacting the customer;

    Changing any password, security codes, or other 
        security devices that permit access to a covered 
        account; or

    Notifying law enforcement.
Addressing Challenges While Minimizing Consequences and Costs
    An entity covered under Regulation S-ID is required to 
tailor its particular identity theft program to its size and 
complexity and to the nature and scope of its activities. 
Allowing an entity to tailor its program to fit its particular 
circumstances should enable the entity to better balance an 
appropriate response against any related consequences and 
costs.

Q.2. At the Subcommittee hearing on data security and breach 
held on February 3, 2014, Members learned that the payment 
networks have set an October 2015 timeframe for moving industry 
participants to adoption of new, more secure payment 
technology. Can you discuss how quickly your regulated entities 
are moving to this technology, and identify some of the 
obstacles that still exist?

A.2. It is our understanding that the payment systems industry 
has spearheaded the transition to the use of new, more secure 
payment technology, and major industry participants are working 
to finalize this process by October 2015. The SEC's authority, 
however, generally does not extend to retail payment systems. 
This authority generally resides with banking regulators. For 
instance, although some clients of broker-dealers and mutual 
funds have the ability to obtain debit cards linked to their 
accounts, the cards themselves are issued directly by a bank, 
and any unauthorized transactions processed through retail 
payments systems are subject to the fraud protections of the 
banking regulations. As a result, the Commission has not been 
involved in these activities and is not in a position to 
provide additional details concerning them.

Q.3. In July of 2013, I requested that the Government 
Accountability Office (GAO) review the SIFI designation process 
at FSOC for both transparency and clarity, and to examine the 
criteria used to designate companies as SIFIs. Would you all be 
willing to support more reliance on measurable metrics in 
FSOC's designation process?

A.3. As a voting member of the Financial Stability Oversight 
Council (FSOC), I believe it is important to be data-driven and 
rely on facts throughout the process for consideration of the 
potential designation of systemically important financial 
institutions (SIFI). I therefore support the thorough and 
appropriate use of data and quantifiable, measurable factors in 
the SIFI designations process. In addition, I would note that 
the FSOC as a general matter is focused on the issue of 
transparency and enhancing transparency, which I consider an 
important area of focus.

Q.4. Since the final Volcker rule was issued in December, the 
affected entities have recognized two issues with the final 
rule (TruPS CDOs and CLOs). What other issues with the final 
Volcker rule are your agencies aware of that may be raised by 
affected entities? How do you intend to coordinate efforts on 
clarifying such issues in the future?

A.4. Staffs of the five agencies continue to work together, as 
they did during the rulemaking process, to share information 
and coordinate the agencies' implementation of the Volcker 
rule. The staffs engage in discussions on a regular basis 
concerning technical and other issues concerning the 
implementation of the Volcker rule, including interpretive and 
other issues raised by affected entities, to facilitate 
coordinated responses by the agencies or their staffs as 
appropriate. The staffs are not able to predict all of the 
issues that affected entities may raise with the final Volcker 
rule, but will continue to evaluate issues identified by 
affected entities and facilitate the agencies' coordinated 
consideration of these issues.

Q.5. How do you plan to coordinate with other agencies 
regarding enforcement matters and the final Volcker rule, given 
that your agencies have varied jurisdictions?

A.5. Section 13 of the Bank Holding Company Act (``BHC Act'') 
provides each agency with authority to adopt and administer 
rules with respect to specific types of legal entities. For 
instance, section 13(e)(2) of the BHC Act authorizes the SEC, 
the Federal banking agencies, and the CFTC to take specified 
actions against a banking entity under the respective agency's 
jurisdiction if there is reasonable cause to believe the 
banking entity has made an investment or engaged in activity 
that functions as an evasion or otherwise violates the 
restrictions of that section. Banking entities within the SEC's 
jurisdiction include bank-affiliated, SEC-registered broker-
dealers, investment advisers, and security-based swap dealers. 
The SEC is authorized to enforce the requirements of section 13 
of the BHC Act only with respect to the types of banking entity 
under its jurisdiction. The SEC and the other agencies are 
currently coordinating interpretive guidance and will seek to 
broaden such coordination to include examiner training and 
cooperation in connection with enforcing section 13.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR MERKLEY FROM MARY JO 
                             WHITE

    I greatly appreciate the SEC and CFTC's efforts in 
implementing key features of Dodd-Frank's swaps reforms. 
However, I am very concerned about the number and significance 
of exemptions and no-action letters granted by the CFTC and the 
SEC's delay in finalizing the rules. While I appreciate the 
CFTC's commitment to working closely with stakeholders and 
allowing them an adequate opportunity to come into compliance, 
I am concerned that any additional delays would be unreasonably 
exposing Americans to systemic risks and losing invaluable 
momentum in the effort to build a more stable financial system.

    Could you please lay out as of the date of this hearing:

Q.1.a. What percentage of U.S. swaps markets, broken down by 
swap-type, have been subject to Title VII requirements for 
clearing, Swap Execution Facility (SEF)-trading, and reporting?

A.1.a. As you know, the Dodd-Frank Act divided regulatory 
authority over U.S. swaps markets between the SEC and the CFTC, 
with the SEC having authority over security-based swaps, the 
CFTC having authority over swaps, and the SEC and CFTC jointly 
regulating mixed swaps. SEC staff estimates that security-based 
swaps--principally single-name CDS and equity-related security-
based swaps--collectively represent less than 5 percent of the 
overall swaps markets. The CFTC's rules for clearing, SEF 
trading, and reporting for the swaps markets are in effect; the 
CFTC should be better able to provide you with relevant data 
for the products under its jurisdiction.
    To date, the SEC has proposed all of the rules required by 
Title VII, and we have started the process of adopting Title 
VII rules. These efforts include a comprehensive set of 
proposed rules focusing specifically on application of Title 
VII to cross-border security-based swap activity, mandatory 
clearing, and rules related to trading on security-based swap 
execution facility trading and reporting.

Q.1.b. What percentage of the global swaps market, broken down 
by swap-type, have been subject to Title VII-like requirements 
for clearing, SEF-trading, and reporting?

A.1.b. The FSB's OTC Derivatives Market Reforms: Sixth Progress 
Report on Implementation, dated September 2013, reported that 
most G20 jurisdictions had legislation in place that allows for 
adoption of clearing and trading requirements, but mandatory 
clearing requirements and requirements to trade on organized 
trading platforms were only partially in force in a small 
number of jurisdictions. With respect to reporting, the FSB 
reported in September that sixteen G20 jurisdictions had 
legislation and regulations adopted to implement trade 
reporting, of which twelve jurisdictions had at least some 
specific requirements in force.
    The Commission has access to transaction-level data that we 
believe provide reasonably comprehensive information regarding 
single-name CDS transactions and the composition of 
participants in the market for single-name CDS. Analyses of 
these data have played a role in shaping the rules we have 
proposed and adopted under Title VII, and have allowed us to 
quantify certain economic effects of these rules. Summary 
statistics that describe the global nature of transactions and 
market participants are contained on pages 393 through 396 of 
the SEC's cross-border proposing release. We note, however, 
that our data comes with several limitations. While we observe 
all reported transactions in single-name CDS involving U.S. 
underliers, we do not observe CDS transactions involving non-
U.S. underliers where neither counterparty is a U.S. entity. 
The limitation on data involving CDS on non-U.S. underliers 
means that we do not have access to the type of data on foreign 
markets that would be necessary to provide you the specific 
percentages you request both in this question and the questions 
below.
    Based on an analysis of transactions in CDS on U.S. 
underliers, Commission staff believes that the vast majority of 
transactions in these CDS involve at least one U.S. or European 
counterparty, and thus are, or are likely to be, subject to 
Title VII or European requirements.

Q.1.c. How much will that percentage change when Europe 
finalizes its rules?

A.1.c. Based on an analysis of data regarding CDS transactions 
on U.S. underliers, where we believe we have a more complete 
picture of market participation, Commission staff believes that 
the vast majority of those transactions involve at least one 
U.S. or European counterparty and thus are, or are likely to 
be, subject to Title VII or European requirements. As noted 
above, however, the Commission does not have access to data 
necessary to provide a specific percentage for the global 
market in single-name CDS.
    With respect to the specific European requirements, 
reporting to trade repositories under the European Market 
Infrastructure Regulation (EMIR) began on February 12, 2014. 
EMIR also requires counterparties to clear OTC derivative 
contracts that belong to a class that the European Securities 
and Markets Authority (ESMA) has declared subject to the 
clearing obligation and that meet other specified criteria. We 
understand that ESMA is currently working on draft regulatory 
technical standards to determine the asset classes that will be 
subject to this clearing obligation, and that publication of 
draft standards is expected later this year. Legislation 
currently under consideration in the EU is expected to address 
the EU's commitment to require OTC derivatives to be traded on 
an organized trading platform.

Q.1.d. What part of those markets are made up of foreign 
affiliates of U.S. persons?

A.1.d. As noted above, the Commission does not have access to 
the type of comprehensive data about foreign security-based 
swap market participation that would be necessary to answer 
your specific question. Based on analysis of CDS transactions 
on U.S. underliers, however, Commission staff estimates that 
transactions in which one counterparty is either a foreign 
affiliate of a U.S. person or a foreign branch of a U.S. person 
(which is considered part of its U.S. home office under the 
SEC's cross-border proposal) constitute a majority of 
transactions in CDS on U.S. underliers in foreign markets. As 
with the overall market for CDS on U.S. underliers, the staff 
estimates that the vast majority of these transactions are with 
European counterparties, and thus are, or are likely to be, 
subject to Title VII requirements, European requirements, or 
potentially both.
    Please also:

Q.1.e. Set out what temporary exemptions your agencies have 
granted.

A.1.e. In June 2011, the Commission provided guidance as to 
which of the requirements of Title VII of the Dodd-Frank Act 
would apply to security-based swap transactions as of the July 
16, 2011 effective date of Title VII, and granted temporary 
relief to market participants from compliance with certain of 
those requirements (Effective Date Order).\1\ The Effective 
Date Order was intended to provide legal certainty and avoid 
unnecessary market disruption while the Commission completes 
the implementation of Title VII.
---------------------------------------------------------------------------
    \1\ See Temporary Exemptions and Other Temporary Relief, Together 
with Information on Compliance Dates for New Provisions of the 
Securities Exchange Act of 1934 Applicable to Security-Based Swaps, 
Exchange Act Release No. 34-34678 (Jun. 15, 2011), 76 FR 36287 (Jun. 
22, 2011).
---------------------------------------------------------------------------
    The Commission also issued a temporary order and interim 
final rules that provided temporary exemptive relief from 
compliance with certain provisions of the Securities Act, the 
Exchange Act, and the Trust Indenture Act in connection with 
the revision of the definition of ``security'' to encompass 
security-based swaps.\2\ The temporary exemptions and interim 
final rules were directed toward maintaining the status quo 
while the Commission implemented Title VII and evaluated the 
implications under the Federal securities laws of including 
security-based swaps in the definition of ``security.''
---------------------------------------------------------------------------
    \2\ See Order Granting Temporary Exemptions under the Securities 
Exchange Act of 1934 in Connection with the Pending Revisions of the 
Definition of ``Security'' to Encompass Security-Based Swaps, Exchange 
Act Release No. 64795 (Jul. 1, 2011), 76 FR 39927 (Jul. 7, 2011); Order 
Extending Temporary Exemptions under the Securities Exchange Act of 
1934 in Connection with the Revision of the Definition of ``Security'' 
to Encompass Security-Based Swaps, and Request for Comment, Exchange 
Act Release No. 71485 (Feb. 5, 2014), 79 FR 7731 (Feb. 10, 2014); 
Exemptions for Security-Based Swaps, Securities Act Release No. 9231 
(Jul. 1, 2011), 76 FR 40605 (Jul. 11, 2011); and Extension of 
Exemptions for Security-Based Swaps, Securities Act Release No. 9545 
(Feb. 5, 2014), 79 FR 7570 (Feb. 10, 2014).
---------------------------------------------------------------------------
    The temporary order generally preserves the application of 
particular Exchange Act requirements that were already 
applicable in connection with instruments that became 
``security-based swaps'' following the effective date of the 
Dodd-Frank Act, but defers the applicability of additional 
Exchange Act requirements in connection with those instruments 
explicitly being defined as ``securities.'' More specifically, 
the Commission's temporary order exempts certain market 
participants who engage in security-based swap activities from 
the application of the Exchange Act other than with respect to: 
(a) certain antifraud and anti-manipulation provisions, (b) all 
Exchange Act provisions related to security-based swaps added 
or amended by subtitle B of Title VII of the Dodd-Frank Act, 
including the amended definition of ``security'' in Section 
3(a)(10), and (c) certain other Exchange Act provisions.
    The interim final rules temporarily exempt offers and sales 
of those security-based swaps that prior to the Title VII 
effective date were security-based swap agreements from all 
provisions of the Securities Act (other than the Section 17(a) 
anti-fraud provisions), the Exchange Act registration 
requirements, and the provisions of the Trust Indenture Act, 
provided certain conditions are met. The exemptions apply only 
to security-based swaps entered into between eligible contract 
participants (as defined prior to the Title VII effective 
date).

Q.1.f. Explain your timeline and planning for ending those 
exemptions and accomplishing full implementation of the Dodd-
Frank rules regarding the swaps markets? Please identify any 
barriers you see that could further slow that implementation.

A.1.f. The temporary exemptions provided under the Effective 
Date Order generally are set to expire on the earliest 
compliance date set forth in the related security-based swap 
rulemaking under Title VII, although in certain cases the 
expiration is tied to another date, such as the effective date 
for the related security-based swap rules or the date a person 
becomes registered under related security-based swap rules. One 
of the temporary exemptions in the Effective Date Order extends 
until a date or dates to be specified by the Commission. The 
approach to this temporary exemption permits the Commission to 
specify an appropriate date or dates for expiration in the 
related security-based swap rulemakings.
    Similarly, under the temporary order, the exemptions under 
the Exchange Act that are related to pending security-based 
swap rulemakings are set to expire on the compliance date for 
the related security-based swap rules. The temporary exemptions 
which are not directly linked to pending security-based swap 
rulemakings are set to expire on the earlier of such time as 
the Commission issues an order or rule determining whether any 
continuing exemptive relief is appropriate for security-based 
swap activities with respect to any of these Exchange Act 
provisions or until February 11, 2017.\3\
---------------------------------------------------------------------------
    \3\ The exemptions provided by the interim final rules will expire 
on February 11, 2017. However, if the Commission adopts further rules 
relating to issues raised by the application of the Securities Act or 
the other Federal securities laws to security-based swaps before 
February 11, 2017, the Commission may well determine to alter the 
expiration dates in the interim final rules as part of that rulemaking.
---------------------------------------------------------------------------
    This approach for extending the exemptions related to 
security-based swap rulemakings is intended to facilitate a 
timely phased-in determination regarding the application of the 
relevant provisions of the Exchange Act to security-based swaps 
based on the development of the relevant rules mandated by the 
Dodd-Frank Act as the Commission moves toward finalizing those 
rules. This approach also provides the Commission flexibility 
while Dodd-Frank Act rulemaking is still in progress to 
determine whether continuing relief should be provided for any 
Exchange Act provisions that are not directly linked to 
specific security-based swap rulemaking.
    The Commission is in the midst of rulemaking under the 
Dodd-Frank Act to provide a robust, comprehensive regulatory 
regime for security-based swaps. To date, the Commission has 
proposed all of the rules related to the new regulatory regime 
for derivatives under Title VII and has begun the process of 
adopting these rules.
    At this point there is not immediately apparent any new 
barriers that could delay implementation. As you know, the 
Commission proposed the rules pertaining to the application of 
Title VII to cross-border security-based swap transactions and 
non-U.S. persons engaged in activities implicating Title VII. 
This was a critical part of the implementation process, given 
the overwhelmingly global nature of the market for security-
based swaps.
    In addition, the staff is working on the next set of 
adoptions under Title VII. The Commission is likely to consider 
certain of the issues presented in the cross-border proposal in 
an initial cross-border adopting release. Under such an 
approach, this initial cross-border adopting release would 
likely focus on adopting key definitions relevant to the 
application of Title VII in the cross-border context. Other 
matters raised in the cross-border proposal would be addressed 
in subsequent releases. Such an approach would allow the 
Commission to consider the cross-border application of the 
substantive requirements imposed by Title VII in conjunction 
with the final rules that will implement those substantive 
requirements. In addition, as noted below in response to 
question 3, I expect the Commission to consider the application 
of mandatory clearing requirements to single-name credit 
default swaps, starting with those that were first cleared 
prior to the enactment of the Dodd-Frank Act.

Q.2. In particular, at the hearing, Acting Chair Wetjen 
identified certain cross-border issues that may be near-term 
challenges--please explain clearly what those might be and why 
continued delays or further weakenings of U.S. standards would 
not continue to expose the U.S. to significant financial 
stability risks, including lack of transparent pricing in the 
swaps market.

A.2. The swaps markets are predominantly global and, therefore, 
resolving cross-border issues appropriately is critical to 
successful regulatory reform of these markets.
    As I noted in my testimony, the Commission is actively 
reviewing public input on its cross-border proposal. The 
Commission also is working through the issues that were raised, 
including, among others, the appropriate treatment of foreign 
affiliates of U.S. persons and how conduct by a non-U.S. person 
in the United States engaging in security-based swap 
transactions with another non-U.S. person should impact the 
application of Title VII requirements.
    In addressing these and other issues both in the cross-
border area and more generally as we continue to adopt final 
rules and take other actions to implement Title VII, I continue 
to believe that we should take a robust and workable approach.

Q.3. Finally, can you share any plans for further speeding 
coordinated implementation. For example, shouldn't the SEC 
encourage single-name CDS to be cleared and traded through 
CFTC-registered clearinghouses and SEFs in the interim before 
SEC rules are finalized and implemented?

A.3. Since the Dodd-Frank Act was enacted, the staffs of the 
Commission and the CFTC have consulted and coordinated with 
each other regularly in the development and implementation of 
our respective rules, and we continue to do so.
    My immediate goal is to continue the finalization of the 
rules required by Title VII for the security-based swaps 
market. In the interim, I would emphasize that single-name CDS 
are already being cleared at SEC-registered clearing agencies 
under existing SEC rules. With respect to trading of security-
based swaps, so long as market participants comply with 
applicable Federal securities laws, the SEC does not prohibit 
trading on CFTC-registered SEFs.
                                ------                                


  RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MARY JO 
                             WHITE

Q.1. FSOC has been in existence for more than 3 years. Since 
that time, three companies have been deemed systemically 
significant and a second round of companies appear to be under 
consideration. Despite the numerous calls from Congress, a 
number of industry and consumer groups and even the GAO for the 
FSOC to provide greater transparency about the process used for 
designation, (including the metrics OFR should measure in their 
analysis), the criteria followed, as well as the implications 
and process to be followed after a firm has been designated a 
SIFI. Can you provide greater details on why more transparency 
has not been achieved and how the FSOC plans to improve these 
issues?

A.1. While I cannot speak for the Financial Stability Oversight 
Council, as a voting member of FSOC I believe it is important 
for FSOC to be mindful of calls for greater transparency and 
provide ways for the public and other interested parties to 
have greater insight and input into issues concerning U.S. 
financial stability. One opportunity for FSOC to provide 
greater public exposure is through the upcoming Public Asset 
Manager Conference that FSOC plans to host on May 19, 2014. The 
Conference will enable the staffs of the member agencies to 
hear directly from the asset management industry and other 
stakeholders, including academics and public interest groups. 
In addition, the Conference will be Web cast live so that it 
can be viewed by members of the public. I am hopeful that FSOC 
will look for additional similar vehicles to promote public 
exposure and input to its work.

Q.2. I, along with a number of other Republicans, introduced 
legislation to fix an unintended consequence on collateralized 
debt obligations (CDOs). In their January 13th interim final 
rule, regulators crafted a rule that largely mirrored what my 
bill sought to do; provide relief to a majority of community 
banks. While we appreciate the agencies' efforts on this issue, 
one issue that we included in our legislation that the 
regulators did not address was collateralized loan obligations 
(CLOs). The CLO market provides about $300 billion in financing 
to U.S. companies and U.S. banks currently hold between $70 and 
$80 billion of senior notes issued by existing CLOs and foreign 
banks subject to the Volcker Rule hold about another $60 
billion. Because the final rules implementing the Volcker Rule 
improperly treat these debt securities as ``ownership 
interests'', the banks holding these notes will either have to 
divest or restructure these securities. Because restructuring 
well over $130 billion of CLO securities is neither feasible 
nor under the control of the banks holding these notes, 
divestment is the most likely result. This, in turn, could lead 
to a fire sale scenario that could put incredible downward 
pressure on CLO securities prices leading to significant losses 
for U.S. banks. If prices decline by only 10 percent, U.S. 
banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of 
the overreach of the Volcker Rule. Indeed, the final rules are 
already wreaking havoc on the CLO market. Since the final rules 
were announced, new CLO formation was down nearly 90 percent in 
January 2014, the lowest issuance in 23 months. If this 
situation is not remedied and CLO issuance remains moribund, 
corporate borrowers could face higher credit costs. At the 
hearing of the House Financial Services Committee on January 
15, 2014, a number of both Democrats and Republicans asked 
questions about how to fix the issue with the CLO market that 
was not addressed in the interim final rule released on January 
13, 2014. The representatives of the agencies noted that the 
CLO issue was at the top of the list of matters to be 
considered by the inter-agency working group that has been 
established to review issues such as this and publish guidance. 
The issue is urgent. Bank CFOs are struggling with how to treat 
their CLO debt securities. Can you commit to a tight timeframe 
to issue guidance on CLOs?

A.2. SEC staff, together with staffs of the other agencies, has 
spent considerable time carefully evaluating the concerns 
raised post-adoption by several trade groups and industry 
participants about CLOs. The final rule provides an exclusion 
for CLOs that hold loans and, in connection with such loans, 
may also hold certain interest rate or foreign exchange 
derivatives, cash equivalents, and assets related to holding 
loans or the servicing or timely distribution of proceeds to 
security holders. Ownership interests in loan securitizations 
that fit within this exclusion as of the conformance date may 
be held by banking entities. In the adopting release, however, 
the agencies did not expand the definition of excluded loan 
securitizations to securitizations holding both loans and 
securities, noting that such an expansion would not be 
consistent with the provision of the statute that specifically 
only permitted the ``sale and securitization of loans'' by 
banking entities. In light of these concerns, the Federal 
Reserve Board, after consulting with the staffs of the other 
agencies, recently announced that it intends to exercise its 
authority to give banking entities two additional 1-year 
extensions to conform their ownership interests in and 
sponsorship of certain CLOs.
    It is also worth noting that new CLO issuances have been 
comparable in volume to the CLOs issued prior to the adoption 
of the final rule, and market participants have represented 
that new CLOs are conforming to the loan securitization 
exclusion under the Volcker Rule.

Q.3. When Director Berner testified before the Economic Policy 
Subcommittee in January 2014, he emphasized that OFR's report 
on the asset management industry study focused on activities of 
asset managers, rather than asset management firms. This is 
more appropriate because the size of an asset manager's assets 
under management, which are wholly owned by a fund's investors, 
doesn't make that manager a systemic risk. If activities are 
the main focus, then section 120 of the Dodd-Frank Act suggests 
that the primary regulator--in this case the SEC, is the 
appropriate agency to address these issues. So, when can we 
expect the SEC and its expertise to be brought to bear by the 
FSOC? The current bank centric approach to reviewing asset 
managers simply isn't productive.

A.3. SEC staff is actively engaging with representatives of 
other FSOC members in any analysis of potential financial 
stability risks posed by asset managers or asset management 
activities and is sharing its expertise on asset management and 
the ways in which asset management activities differ from 
banking activities. Separately, the SEC is enhancing its own 
risk monitoring and oversight efforts with respect to asset 
managers. Pursuant to Section 965 of the Dodd-Frank Act, the 
SEC has established a new risk and examinations office (REO) 
for asset managers. REO monitors trends in the asset management 
industry and is also assisting in a larger Commission-wide 
initiative to obtain and analyze data consistent with market 
trends and operational integrity issues, inform policy and 
rulemaking, and assist the staff in examinations of 
registrants.
                                ------                                


  RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM MARK P. 
                             WETJEN

Q.1. When a data breach happens at a merchant level, Federal 
banking regulators generally do not have jurisdiction to 
investigate and take action. However, collateral consequences 
of such breaches are that regulated financial institutions are 
impacted and face reputational and financial setbacks as a 
result. What are your expectations for the regulated entities 
when a breach occurs at a third party? What are some of the 
challenges financial institutions face as a result of the 
breach? How can those challenges be addressed while minimizing 
consequences of, and cost for, affected financial institutions?

A.1. The U.S. Commodity Futures Trading Commission 
(``Commission'' or ``CFTC'') oversees a variety of registrants 
for which data breaches, either in their own systems or third-
party systems, can have serious consequences. In general, the 
Commission expects its registrants to consider the risks of 
data breaches and address them appropriately. The actual 
requirements vary by registrant.
    Commission Regulation 39.18 requires each registered 
derivatives clearing organization (``DCO'') to establish and 
maintain a program of risk analysis and oversight with respect 
to its operations and automated systems which must include a 
risk analysis and oversight of information security. The DCO 
also is required to establish and maintain resources that allow 
for the fulfillment of each of its obligations in light of any 
identified risks. The Commission expects a DCO's information 
security risk analysis to include an analysis of any such risk 
posed by a third party providing services to the DCO. It also 
expects the DCO to maintain sufficient resources to allow for 
the fulfillment of the DCO's obligations in light of such risks 
and to provide the necessary oversight to manage them.
    In addition, Commission Regulation 39.18 requires a DCO to 
notify the Commission's Division of Clearing and Risk (``DCR'') 
promptly in the event of any hardware or software malfunction, 
cyber security incident or targeted threat that materially 
impairs, or creates a significant likelihood of material 
impairment of automated system operation, reliability, 
security, or capacity. A DCO would be required to notify DCR of 
relevant data breaches involving a DCO's third-party service 
provider pursuant to this provision. We further note that 
Section 807(b) of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act (``Dodd-Frank'') provides the 
Commission with additional authority with respect to third-
party services provided to a DCO that has been designated as 
systemically important by the Financial Stability Oversight 
Council (a ``SIDCO''). Specifically, whenever a service 
integral to the operation of a SIDCO is performed for the SIDCO 
by another entity, the Commission is authorized to examine 
whether the provision of that service is in compliance with 
applicable law, rules, orders and standards to the same extent 
as if the SIDCO was performing the service on its own premises.
    Commission Regulations  38.1050 (DCMs), 37.1400 (SEFs), 
and 49.24 (SDRs) require each registered DCM, SEF, or SDR to 
establish and maintain a program of risk analysis and oversight 
with respect to its operations and automated systems. This 
program must include risk analysis and oversight of cyber and 
information security. These registered entities are also 
required to establish and maintain resources that allow for the 
fulfillment of their regulatory obligations. The Commission 
expects DCM, SEF, and SDR analysis of information security 
risks to include analysis of risk relating to third parties 
providing services to them.
    If a third party that performs services for a DCM, SEF, or 
SDR is compromised or loses data for which the DCM, SEF, or SDR 
is responsible, DMO would have oversight concerns. One example 
might be a data storage provider losing trade data in long-term 
storage that might be needed for a DMO examination or a DOE 
investigation. Another example might be loss of login 
credentials due to a security compromise, such as the one that 
occurred a year or two ago with respect to two-factor 
authentication provided by RSA. Still another example could be 
a security breach at a third-party data center used by a DCM, 
SEF, or SDR.
    If a third party providing services to a DCM, SEF, or SDR 
were compromised in a way that affected the regulatory 
responsibilities of the DCM, SEF, or SDR, CFTC rules would 
require the registrant to notify DMO immediately concerning the 
potential data loss and the extent of the breach, and to notify 
affected parties as appropriate based on the circumstances and 
the type and extent of information lost.
    Challenges that could be faced in such situations might 
include the incomplete nature of available information; the 
possible recalcitrance of the third-party provider; or legal 
issues relating to contracts or service agreements. DMO would 
advise registrants to address such challenges by seeking to 
employ reputable third parties that have significant 
experience, appropriate controls, and effective security 
measures.
    Futures Commodity Merchants (``FCMs'') and Registered 
Foreign Exchange Dealers (``RFEDs''), along with maintaining 
their customers' trade and account data, also process credit 
and debit card payments as a source of funds for initial and 
variation margin, so they are also reliant upon third-party 
payment systems. A data breach of either their own systems or a 
third-party payment system could lead to customers' private and 
proprietary information being compromised. This makes it 
important for FCMs and RFEDs to monitor their systems and 
trading activity and be alert for fraudulent activity that 
might result from compromised customer accounts. For FCMs/RFEDs 
the biggest challenge is identifying a breach and then 
evaluating how to recover funds for any unauthorized 
transactions. Without proper anti-money laundering or know your 
customer controls, the funds could have been laundered already 
or there may be a need to liquidate transactions at a loss to 
the FCM or RFED. While most likely the risk of loss is with the 
card issuer, if substantial, the FCM or RFED may have to cover 
the loss until funds are received from the card issuer which 
may take time.

Q.2. At the Subcommittee hearing on data security and breach 
held on February 3, 2014, Members learned that the payment 
networks have set an October 2015 timeframe for moving industry 
participants to adoption of new, more secure payment 
technology. Can you discuss how quickly your regulated entities 
are moving to this technology, and identify some of the 
obstacles that still exist?

A.2. The Commission does not have a role in regulating specific 
payment systems or technologies. However, as noted above, the 
Commission does expect registrants to address risks associated 
with payment systems.

Q.3. In July of 2013, I requested that the Government 
Accountability Office (GAO) review the SIFI designation process 
at FSOC for both transparency and clarity, and to examine the 
criteria used to designate companies as SIFIs. Would you all be 
willing to support more reliance on measurable metrics in 
FSOC's designation process?

A.3. I am always open to considering how improvements to 
objective metrics could aid the FSOC in its designation 
process.

Q.4. Since the final Volcker rule was issued in December, the 
affected entities have recognized two issues with the final 
rule (TruPS CDOs and CLOs). What other issues with the final 
Volcker rule are your agencies aware of that may be raised by 
affected entities? How do you intend to coordinate efforts on 
clarifying such issues in the future?

A.4. The Commission participates in an interagency working 
group with the other agencies charged with implementing the 
Volcker Rule. The interagency group holds weekly conference 
calls to discuss ongoing implementation issues, and the group 
coordinates responses to queries from industry and Congress. 
The group meets regularly with trade groups and industry to 
better understand and address concerns related to 
implementation. The agencies have also formed several subgroups 
devoted to issues such as metrics reporting and examinations 
that hold regular conference calls and coordinate on guidance 
documents.

Q.5. How do you plan to coordinate with other agencies 
regarding enforcement matters and the final Volcker rule, given 
that your agencies have varied jurisdictions?

A.5. As with any enforcement matter, the Commission places a 
high priority on promoting coordination of enforcement efforts 
with other law enforcement agencies to address Commodity 
Exchange Act violations and other related financial wrongdoing. 
The Commission participates in over 20 regional, national and 
international financial fraud enforcement working groups 
comprised of Federal, State, and local and criminal and civil 
authorities. The Commission's participation in these groups 
provides an opportunity to share information on cooperative 
enforcement matters and to coordinate joint civil and criminal 
Federal and/or State prosecutions. The Commission also meets 
regularly with various agencies to coordinate enforcement 
efforts and leverage resources, including the Department of 
Justice Criminal Division, Department of Homeland Security, 
Department of Treasury, Federal Bureau of Investigation, 
Federal Reserve, Federal Trade Commission, Internal Revenue 
Service, Securities and Exchange Commission, and U.S. 
Attorney's Offices nationwide.
    As noted above, the Commission regularly meets with the 
other agencies charged with implementing the Volcker Rule to 
discuss issues related to implementation, including 
enforcement. The compliance period for the Volcker Rule goes 
into effect in July 2015, subject to further possible 
extensions by the Federal Reserve Bank. Going forward, as we 
near the date of implementation, the Commission will continue its 
robust interagency coordination on matters relating to Volcker 
Rule monitoring and enforcement.

Q.6. I am concerned that the CFTC moved too quickly in 
implementing the bulk of its Title VII mandates and that we are 
just starting to see the unintended consequences of such hasty 
action. Considerable numbers of no-action letters and 
interpretive guidance have followed CFTC rulemakings, leading 
to market disruption and uncertainty. Do you agree that more 
could have been done to consider the implications of rules 
prior to their adoption, thereby reducing the need for no-
action and interpretive relief after the fact? Going forward, 
what are some things the CFTC should consider to remedy the 
issues with its rulemaking process?

A.6. Congress set an ambitious deadline for the Commission to 
complete implementation of Dodd-Frank within a year of 
enactment of the legislation. As Acting Chair, and previously 
as a Commissioner, in helping implement Dodd-Frank I have 
worked to be faithful to Congress' mandate while also carefully 
considering input from the public and working closely with 
domestic and international regulators.
    Nonetheless, where appropriate, the Commission should 
determine whether course corrections in its implementation of 
Dodd-Frank are necessary. For example, Congress made clear that 
end users were intended to be exempt from Dodd-Frank, yet the 
end-user community has expressed concerns about compliance 
issues it faces under Dodd-Frank. As Acting Chair, I held two 
public roundtables to consider the regulatory issues facing end 
users under Dodd-Frank. The first roundtable focused on rule 
1.35 recordkeeping requirements, the regulatory treatment of 
forward contracts with embedded volumetric optionality, and the 
treatment of swap dealing to Government-owned electric 
utilities. The second roundtable addressed issues related to 
the position limits proposal, including hedges of physical 
commodities, the setting of spot month limits, and aggregation. 
Based on comments received at the first roundtable, I acted by 
directing staff to provide relief to end users under rule 1.35 
relating to certain recordkeeping requirements.\1\ Further, I 
also directed staff to provide no-action relief to utility 
special entities entering into swaps \2\ and, subsequently, the 
Commission released for public comment a proposal to provide 
more permanent relief for such entities.\3\
---------------------------------------------------------------------------
    \1\ Time-Limited No-Action Relief for Members of Designated 
Contract Markets and Swap Execution Facilities that Are Not Registered 
with the Commission from the Requirement to Record Written 
Communications, Pursuant to Commission Regulation 1.35(a), in 
Connection with the Execution of a Transaction in a Commodity Interest 
and Related Cash or Forward Transactions (May 22, 2014), available at 
http://www.cftc.gov/ucm/groups/public/@lrlettergeneral/documents/letter/14-72.pdf.
    \2\ Staff No-Action Relief: Revised Relief from the De Minimis 
Threshold for Certain Swaps with Utility Special Entities (March 21, 
2014), available at 
http://www.cftc.gov/ucm/groups/public/@lrlettergeneral/documents/letter/14-34.pdf.
    \3\ Exclusion of Utility Operations-Related Swaps with Utility 
Special Entities from De Minimis Threshold for Swaps with Special 
Entities, available at 
http://www.cftc.gov/ucm/groups/public/@newsroom/documents/file/federalregister052214-a1.pdf.
---------------------------------------------------------------------------
    Going forward, the Commission must continue to work closely 
with Congress, the public, and market participants to achieve 
the proper balance of appropriate regulation while ensuring 
that these markets continue to facilitate job creation and the 
growth of the economy by providing a means for managing risk, 
facilitating price discovery, and broadly disseminating pricing 
information.
                                ------                                


 RESPONSE TO WRITTEN QUESTIONS OF SENATOR MERKLEY FROM MARK P. 
                             WETJEN

    I greatly appreciate the SEC and CFTC's efforts in 
implementing key features of Dodd-Frank's swaps reforms. 
However, I am very concerned about the number and significance 
of exemptions and no-action letters granted by the CFTC and the 
SEC's delay in finalizing the rules. While I appreciate the 
CFTC's commitment to working closely with stakeholders and 
allowing them an adequate opportunity to come into compliance, 
I am concerned that any additional delays would be unreasonably 
exposing Americans to systemic risks and losing invaluable 
momentum in the effort to build a more stable financial system.
    Could you please lay out as of the date of this hearing:

Q.1.a. What percentage of U.S. swaps markets, broken down by 
swap-type, have been subject to Title VII requirements for 
clearing, Swap Execution Facility (SEF)-trading, and reporting?

A.1.a. Commission staff are working to determine these 
estimates. For those asset classes that are subject to the 
clearing determination and trade execution mandate, 
unfortunately, the Commission faces challenges in accurately 
assessing all the relevant details of specific transactions due 
to constraints on resources and data quality issues.
    To do its job, the Commission must have accurate data in 
order to have a clear picture of swaps market activity. To help 
resolve the challenges the Commission faces in assessing swap 
data, earlier this year, I was joined by my fellow 
commissioners in announcing the formation of an interdivisional 
Working Group to review the Commission's swaps transaction data 
recordkeeping and reporting provisions. The working group 
formulated and recommended questions for public comment 
regarding, among other things, compliance with part 45 
reporting rules, and related provisions, and consistency in 
regulatory reporting among market participants.
    The Working Group is currently reviewing all comments that 
were submitted in response to the request and will be making 
recommendations to the Commission in the near future.

Q.1.b. What percentage of the global swaps market, broken down 
by swap-type, has been subject to Title VII-like requirements 
for clearing, SEF-trading, and reporting?

A.1.b. Currently, the data required for this request is 
unavailable, primarily, because many other jurisdictions have 
yet to implement transaction reporting requirements. Most 
foreign jurisdictions have lagged the United States in 
finalizing reporting and transactions requirements for swaps. 
Moreover, even in those jurisdictions where reporting rules 
have been finalized, there is a lack of harmonization of data 
reporting standards across jurisdictions. The Financial 
Stability Board, of which we are a member, has set up a task 
force to address these and other issues related to global data 
harmonization. Additionally, please see the response to the 
previous question regarding efforts to improve data collection 
and analysis.

Q.1.c. How much will that percentage change when Europe 
finalizes its rules?

A.1.c. As noted above, the data required to determine the 
percentage of swaps subject to clearing determination and trade 
execution mandates is still unclear. As such, we are unable to 
determine this percentage.

Q.1.d. What part of those markets is made up of foreign 
affiliates of U.S. persons?

A.1.d. Foreign affiliates that are not U.S. persons that are 
engaged in swaps trading activity in the EU or other foreign 
jurisdictions are not required to report their swaps activities 
to the Commission. Moreover, the Commission does not have 
access to data reported to European Swap Data Repositories. As 
a result, the Commission does not have data on the activities 
of such affiliates. For those foreign affiliates that are U.S. 
persons, because of data quality issues, the Commission does 
not have the capability to differentiate between foreign and 
local affiliates of U.S. persons when assessing the data. As 
indicated, efforts are underway to improve data analysis 
capabilities at the Commission.
    Please also:

Q.1.e. Set out what temporary exemptions your agencies have 
granted.

A.1.e. The Commission maintains on its Web site a list of 
currently effective staff no-action letters related to rules 
issued under Dodd-Frank. That list can be found at: 
http://www.cftc.gov/LawRegulation/DoddFrankAct/ExpiredNoAction/index.htm.

Q.1.f. Explain your timeline and planning for ending those 
exemptions and accomplishing full implementation of the Dodd-
Frank rules regarding the swaps markets? Please identify any 
barriers you see that could further slow that implementation.

A.1.f. Staff no-action letters are typically time-limited and 
temporary, although not always. The expiration of time-limited 
no-action letters differs depending on rule implementation 
timing and discussions with market participants, the public, 
and domestic and international regulators.
    I firmly believe that timely, full implementation of Dodd-
Frank is essential to ensuring that the derivatives markets are 
subject to appropriate governmental oversight. In undertaking 
the implementation of these changes, as Acting Chair, I have 
also endeavored to ensure that these regulatory changes do not 
cause unnecessary, potentially harmful disruption of the 
derivatives markets that so many market participants rely on to 
manage risk.

Q.2. In particular, at the hearing, Acting Chair Wetjen 
identified certain cross-border issues that may be near-term 
challenges--please explain clearly what those might be and why 
continued delays or further weakening of U.S. standards would 
not continue to expose the U.S. to significant financial 
stability risks, including lack of transparent pricing in the 
swaps market.

A.2. I believe that the CFTC took the correct approach in 
adopting cross-border policies that account for the varied ways 
that risk can be imported into the U.S. At the same time, the 
CFTC's policies tried to respect the limits of U.S. law and the 
resource constraints of U.S. and global regulators. Attempts to 
weaken Dodd-Frank have not been contemplated or planned.
    In an effort to strengthen our cross-border policies and 
promote effective global oversight, the Commission is 
coordinating closely with foreign regulators. Last December, 
the CFTC approved a series of determinations allowing non-U.S. 
swap dealers and MSPs to comply with Dodd-Frank by relying on 
comparable and comprehensive home country regulations, 
otherwise known as ``substituted compliance.'' Those approvals 
by the CFTC reflected a collaborative effort with authorities 
and market participants from each of the six jurisdictions with 
provisionally registered swap dealers. Working closely with 
authorities in Australia, Canada, the European Union (``EU''), 
Hong Kong, Japan, and Switzerland, the CFTC issued 
comparability determinations for a broad range of entity-level 
requirements. In two jurisdictions, the EU and Japan, the CFTC 
also issued comparability determinations for certain 
transaction-level requirements.
    It appears at this time that the substituted compliance 
approach has had success in supporting financial reform efforts 
around the globe and a ``race-to-the-top'' in global 
derivatives regulation. For example, the EU agreed on updated 
rules for markets in financial derivatives, the Markets in 
Financial Instruments Directive II (``MiFiD II''), reflecting 
great progress on derivatives reform. Other jurisdictions that 
host a substantial market for swap activity are still working 
on their reforms, and certainly will be informed by the EU's 
work and the CFTC's ongoing coordination with foreign 
regulators. As jurisdictions outside the U.S. continue to 
strengthen their regulatory regimes and meet their G20 
commitments, the CFTC may determine that additional foreign 
regulatory requirements are comparable to and as comprehensive 
as certain requirements under Dodd-Frank.
    The CFTC also has made great progress with the European 
Commission since the issuance of the Path Forward statement, 
and we are actively working with the Europeans to ensure that 
harmonized regulations on the two continents ensure financial 
stability and promote sound risk management. Fragmented 
liquidity, and the regulatory and financial arbitrage that both 
drives and follows it, can lead to increased operational costs 
and risks as entities structure around the rules in primary 
swap markets. Harmonizing regulations governing clearinghouses 
and trading venues, in particular, is critical to sound and 
efficient market structure.
    Lastly, in light of the CFTC's swaps authority, and the 
complexities of implementing a global regulatory regime, the 
CFTC is working with numerous foreign authorities to negotiate 
and sign supervisory arrangements that address regulator-to-
regulator cooperation and information sharing in a supervisory 
context. We currently are negotiating such arrangements with 
respect to swap dealers and MSPs, SDRs, SEFs, and derivatives 
clearing organizations.

Q.3. Finally, can you share any plans for further speeding 
coordinated implementation. For example, shouldn't the SEC 
encourage single-name CDS to be cleared and traded through 
CFTC-registered clearinghouses and SEFs in the interim before 
SEC rules are finalized and implemented?

A.3. Generally, clearing and mandatory trading can be helpful 
risk-reducing and competitive enhancements in liquid markets. 
Because single-name CDS fall under the jurisdiction of the SEC, 
the CFTC has no authority to mandate the clearing and mandatory 
trading of single-name CDS on CFTC-registered clearinghouses 
and SEFs. However, to encourage the clearing of CDS 
transactions, both the CFTC and SEC have approved the portfolio 
margining of single-name and index CDS. The SEC has required as 
a condition to portfolio margining for single-name and index 
CDS that their registrants submit their customer margin models 
for SEC approval. The first of these approvals were granted 
earlier this year. We will continue to monitor market data to 
see whether these recent approvals have resulted in increased 
clearing for single-name and index CDS.
    The CFTC regularly coordinates with the Securities and 
Exchange Commission (``SEC'') at the staff and Commissioner 
level regarding the implementation of Dodd-Frank. As the SEC 
continues with its implementation of its rules under Dodd-
Frank, I am always willing to consider regulatory coordination 
that will enhance the safety and competitiveness of the markets 
we oversee.
                                ------                                


  RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MARK P. 
                             WETJEN

Q.1. FSOC has been in existence for more than 3 years. Since 
that time, three companies have been deemed systemically 
significant and a second round of companies appear to be under 
consideration. Despite the numerous calls from Congress, a 
number of industry and consumer groups and even the GAO for the 
FSOC to provide greater transparency about the process used for 
designation, (including the metrics OFR should measure in their 
analysis), the criteria followed, as well as the implications 
and process to be followed after a firm has been designated a 
SIFI. Can you provide greater details on why more transparency 
has not been achieved and how the FSOC plans to improve these 
issues?

A.1. The Financial Stability Oversight Council (Council), of 
which I am a member, has provided public transparency for the 
nonbank designations process through several measures. The 
Council voluntarily published a rule and guidance outlining how 
it would implement the statutory designation provisions and 
review firms for potential designation. For each of the three 
nonbank designations made so far, the Council provided the 
basis for those designations to Congress and the public.
    During the development of the Council's rule and guidance 
on nonbank designations, the Council, even though not required 
to do a rulemaking, provided multiple opportunities for public 
comment. The public guidance described the designation process 
and set forth the quantitative metrics that the Council would 
use in its consideration of firms for designation.
    Under the rule and guidance, firms under review are 
provided with opportunities at each stage of the process to 
engage with the Council. Early in the process, the Council 
provides the company with a notice that it is under 
consideration and an opportunity to submit materials to contest 
the Council's consideration. Following this, before any 
designation is proposed, there are numerous meetings between 
Council staff and the company and opportunities for the company 
to submit additional information for the Council's 
consideration. Following a proposed designation determination 
by the Council, the Council provides the company the written 
basis for the proposed designation and provides the firm the 
opportunity for a hearing. Once a final designation is made, 
the company designated can seek judicial review of that 
designation. The designation rules and guidance provide for an 
annual review of all nonbank designations where the designated 
companies may again participate.
    Due to the preliminary nature of the Council's evaluation 
of any nonbank financial company prior to a final designation 
and the potential for market participants to misinterpret such 
an announcement, the Council does not publicly announce the 
name of any company that is under review prior to a final 
designation of the company.

Q.2. I, along with a number of other Republicans, introduced 
legislation to fix an unintended consequence on collateralized 
debt obligations (CDOs). In their January 13th interim final 
rule, regulators crafted a rule that largely mirrored what my 
bill sought to do: provide relief to a majority of community 
banks. While we appreciate the agencies' efforts on this issue, 
one issue that we included in our legislation that the 
regulators did not address was collateralized loan obligations 
(CLOs). The CLO market provides about $300 billion in financing 
to U.S. companies and U.S. banks currently hold between $70 and 
$80 billion of senior notes issued by existing CLOs and foreign 
banks subject to the Volcker Rule hold about another $60 
billion. Because the final rules implementing the Volcker Rule 
improperly treat these debt securities as ``ownership 
interests'', the banks holding these notes will either have to 
divest or restructure these securities. Because restructuring 
well over $130 billion of CLO securities is neither feasible 
nor under the control of the banks holding these notes, 
divestment is the most likely result. This, in turn, could lead 
to a fire sale scenario that could put incredible downward 
pressure on CLO securities prices leading to significant losses 
for U.S. banks. If prices decline by only 10 percent, U.S. 
banks would have to recognize losses of almost $8 billion 
driven not by the underlying securities but solely because of 
the overreach of the Volcker Rule. Indeed, the final rules are 
already wreaking havoc on the CLO market. Since the final rules 
were announced, new CLO formation was down nearly 90 percent in 
January 2014, the lowest issuance in 23 months. If this 
situation is not remedied and CLO issuance remains moribund, 
corporate borrowers could face higher credit costs. At the 
hearing of the House Financial Services Committee on January 
15, 2014, a number of both Democrats and Republicans asked 
questions about how to fix the issue with the CLO market that 
was not addressed in the interim final rule released on January 
13, 2014. The representatives of the agencies noted that the 
CLO issue was at the top of the list of matters to be 
considered by the inter-agency working group that has been 
established to review issues such as this and publish guidance. 
The issue is urgent. Bank CFOs are struggling with how to treat 
their CLO debt securities. Can you commit to a tight timeframe 
to issue guidance on CLOs?

A.2. On April 7, 2014, the Federal Reserve Board of Governors 
(FRB) exercised its authority to allow banking entities two 
additional 1-year extensions to conform their ownership 
interests in and sponsorship of certain collateralized loan 
obligations (CLOs) covered by section 619 of Dodd-Frank. We 
expect this will allow industry time to come into compliance 
with the Volcker requirements.