b"<html>\n<title> - OVERSIGHT OF FINANCIAL STABILITY AND DATA SECURITY</title>\n<body><pre>[Senate Hearing 113-306]\n[From the U.S. Government Publishing Office]\n\n\n\n                                                        S. Hrg. 113-306\n\n\n           OVERSIGHT OF FINANCIAL STABILITY AND DATA SECURITY\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                              COMMITTEE ON\n                              \n                  BANKING, HOUSING, AND URBAN AFFAIRS\n                   \n                          UNITED STATES SENATE\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                                   ON\n\n EXAMINING REGULATORY EFFORTS TO IMPROVE FINANCIAL STABILITY AND DATA \n    SECURITY REGULATORY STANDARDS, UPDATING THE FINALIZATION OF THE \n   ``VOLCKER RULE'', AND RECEIVING A PROGRESS REPORT ON OTHER RULES \n REQUIRED BY THE DODD-FRANK WALL STREET REFORM AND CONSUMER PROTECTION \n                                  ACT\n\n                               __________\n\n                            FEBRUARY 6, 2014\n\n                               __________\n\n  Printed for the use of the Committee on Banking, Housing, and Urban \n                                Affairs\n\n\n                 Available at: http://www.fdsys.gov/\n\n\n                                   ______\n\n                       U.S. GOVERNMENT PRINTING OFFICE \n\n91-489 PDF                     WASHINGTON : 2014 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. 
Government Printing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n\n\n            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS\n\n                  TIM JOHNSON, South Dakota, Chairman\n\nJACK REED, Rhode Island              MIKE CRAPO, Idaho\nCHARLES E. SCHUMER, New York         RICHARD C. SHELBY, Alabama\nROBERT MENENDEZ, New Jersey          BOB CORKER, Tennessee\nSHERROD BROWN, Ohio                  DAVID VITTER, Louisiana\nJON TESTER, Montana                  MIKE JOHANNS, Nebraska\nMARK R. WARNER, Virginia             PATRICK J. TOOMEY, Pennsylvania\nJEFF MERKLEY, Oregon                 MARK KIRK, Illinois\nKAY HAGAN, North Carolina            JERRY MORAN, Kansas\nJOE MANCHIN III, West Virginia       TOM COBURN, Oklahoma\nELIZABETH WARREN, Massachusetts      DEAN HELLER, Nevada\nHEIDI HEITKAMP, North Dakota\n\n                       Charles Yi, Staff Director\n\n                Gregg Richard, Republican Staff Director\n\n                  Laura Swanson, Deputy Staff Director\n\n                   Glen Sears, Deputy Policy Director\n\n                    Phil Rudd, Legislative Assistant\n\n                  Greg Dean, Republican Chief Counsel\n\n              Jelena McWilliams, Republican Senior Counsel\n\n                       Dawn Ratliff, Chief Clerk\n\n                       Taylor Reed, Hearing Clerk\n\n                      Shelvin Simmons, IT Director\n\n                          Jim Crowell, Editor\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                       THURSDAY, FEBRUARY 6, 2014\n\nOpening statement of Chairman Johnson
\n\nOpening statements, comments, or prepared statements of:\n    Senator Crapo\n    Senator Reed\n\n                               WITNESSES\n\nMary J. Miller, Under Secretary for Domestic Finance, Department \n  of the Treasury\n    Prepared statement\n    Responses to written questions of:\n        Senator Crapo\n        Senator Kirk\nDaniel K. Tarullo, Governor, Board of Governors of the Federal \n  Reserve System\n    Prepared statement\n    Responses to written questions of:\n        Senator Crapo\n        Senator Menendez\n        Senator Kirk\nMartin J. Gruenberg, Chairman, Federal Deposit Insurance \n  Corporation\n    Prepared statement\n    Responses to written questions of:\n        Senator Crapo\n        Senator Menendez\n        Senator Kirk\nThomas J. Curry, Comptroller of the Currency, Office of the \n  Comptroller of the Currency\n    Prepared statement\n    Responses to written questions of:\n        Senator Crapo\n        Senator Menendez
\n        Senator Kirk\nMary Jo White, Chair, Securities and Exchange Commission\n    Prepared statement\n    Responses to written questions of:\n        Senator Crapo\n        Senator Merkley\n        Senator Kirk\nMark P. Wetjen, Acting Chairman, Commodity Futures Trading \n  Commission\n    Prepared statement\n    Responses to written questions of:\n        Senator Crapo\n        Senator Merkley\n        Senator Kirk\n\n\n           OVERSIGHT OF FINANCIAL STABILITY AND DATA SECURITY\n\n                              ----------                              \n\n\n                       THURSDAY, FEBRUARY 6, 2014\n\n                                       U.S. Senate,\n          Committee on Banking, Housing, and Urban Affairs,\n                                                    Washington, DC.\n    The Committee met at 10:14 a.m. in room SD-538, Dirksen \nSenate Office Building, Hon. Tim Johnson, Chairman of the \nCommittee, presiding.\n\n           OPENING STATEMENT OF CHAIRMAN TIM JOHNSON\n\n    Chairman Johnson. I call this hearing to order.\n    Today, the Committee continues its oversight of the \nimplementation of the Dodd-Frank Wall Street Reform and \nConsumer Protection Act. There has been good progress since our \nlast hearing, including the completion of the long-awaited \nVolcker Rule. 
I believe our economy is on much more stable \nfooting, in part due to the efforts of our witnesses and their \nstaffs.\n    However, there is still work to be done, and oversight will \ncontinue to be a top priority for this Committee. Some of the \npending work includes enhanced capital, leverage, and liquidity \nrules for the largest banks, a new regulatory framework for \nnonbank financial companies designated as SIFIs, QRM, and the \nnew derivatives rules. I have asked the witnesses to outline \ntheir timeline for completing these and other rules and to \nprovide information on how each agency's rules will reduce \nsystemic risk and enhance financial stability.\n    To date, the regulators have been thoughtful and \nresponsive. For example, they worked quickly to address a \nconcern raised by community banks that the Volcker Rule \nunintentionally could have resulted in large, unexpected losses \nfor some. I ask that the agencies continue to monitor the \nimpact of their actions and to coordinate their ongoing work. \nAgency implementation of Wall Street Reform should also \ncontinue to be focused on institutions and activities that pose \nthe greatest systemic risks. Final rules should not be one-\nsize-fits-all for banks and insurance companies, nor should \nthey impose unnecessary burdens on community banks and credit \nunions.\n    In recent weeks, American consumers have been victims of \nlarge data breaches at national retailers, their personal \ninformation exposed to identity theft and fraud. Those \nresponsible must be held accountable, and we must examine what \nmore can be done to better safeguard consumer information going \nforward. I have asked each agency to detail its coordination \nwith other regulators and law enforcement on data breaches, as \nwell as each agency's role in the retail payment system.\n    Wall Street Reform created an important financial stability \nwatchdog, the FSOC. 
In its most recent annual report, the FSOC \nidentified securities threats in cyberspace as a potential \nsystemic risk. I want to hear what each agency testifying today \nis doing to mitigate cyber and other data security risks, as \nwell as protect consumer data at the agencies they regulate.\n    I now turn to Ranking Member Crapo for his opening \nstatement.\n\n                STATEMENT OF SENATOR MIKE CRAPO\n\n    Senator Crapo. Thank you, Mr. Chairman.\n    I have repeatedly stressed the need for the U.S. banking \nsystem and capital markets to remain the preferred destination \nfor investors throughout the world. While it is too early to \ntell the extent to which our overall Dodd-Frank rules will make \nour financial system more stable, Federal regulators must \nensure that we do not tip the balance of the scales with too \nheavy a hand. Otherwise, the cumulative effect of the rules and \ntheir interaction with each other may burden the economy far \nmore than any stabilizing benefit.\n    In addition, it is paramount that the regulators understand \nthe full spectrum of the rules they are implementing and any \nconsequences before finalizing the rules. This was evident in \nDecember when the regulators issued the final Volcker Rule and, \nas the Chairman mentioned, did not realize that the accounting \nrules would force community banks to recognize unrealized \nmarket losses. Regulators worked hard over the holidays to fix \nthis for community banks, but the bigger question is why, after \n3 years of promulgating the rule, did no regulator foresee this \nsituation.\n    This incident with the Volcker Rule only reinforces my \nbelief that we need targeted fixes of various Dodd-Frank \nprovisions. 
Some of those fixes include the end-user exemption, \nthe swaps push-out, and community banks relief, as identified \nby Chairman Bernanke last year.\n    In addition to ensuring that regulators take appropriate \nactions on the rulemaking front, they must also take necessary \nsteps to ensure that our payment system and financial data are \nadequately protected. One of the top priorities for this \nCommittee is protection of consumer financial data and the \nintegrity of the U.S. payment system. Even the Financial \nStability Oversight Council, FSOC, has identified data security \nas an emerging threat to our financial stability.\n    At the Subcommittee hearing on Monday, Members started a \ndiscussion about the standards used to protect consumer data, \nthe payment technologies available, and the roles of all \nparties in the payment system. The U.S. payment system is a \nshared enterprise. While parties approach the system from \ndifferent positions, everyone recognizes and benefits from the \nfast, safe, and accurate transmission of consumer financial \ndata.\n    Whether we use credit cards at the gas station, the grocery \nstore, or even use our smartphones to purchase a sandwich or a \nbook, everyone expects a safe and secure system for our \nfinancial information. Recent data breaches reveal just how \nmuch information different entities collect about consumers.\n    Financial institutions of all sizes face a thorough \nexamination process and oversight by regulators when it comes \nto data security, but there are many entry points that could be \nattacked in our payment system. 
We must answer three key \nquestions.\n    First, are the existing regulatory tools adequate to \nprotect all actors in the payment system and capable of \nsafeguarding our financial information?\n    Second, with so many stakeholders affected by recent data \nbreaches, how can we minimize the damage to consumers and make \nthe system less vulnerable?\n    And, third, should industry participants consider new \ntechnologies that may improve the safety of the payment system, \nand if so, what technologies are most appropriate?\n    Recent hearings have also unveiled that Federal regulators, \nincluding the witnesses before us today, collect vast amounts \nof consumer financial data and information. Regulators still \nhave not provided a sound rationale, in my opinion, for all of \nthe data they collect. Their data collection needs to be as \nsafe and as secure as possible so consumers will not have to \nfear a data breach at the Federal Government level, and I will \nadd, so consumers do not have to fear the misuse of that data \nbeing collected by the Government.\n    Today, our witnesses will address some of these issues and \ntheir role in protecting consumers' financial information and \nthe stability of our payment system, and I look forward to the \ndiscussion.\n    Thank you, Mr. Chairman, for holding this hearing.\n    Chairman Johnson. Thank you, Senator Crapo.\n    I would like to allow for more time for questions, but \nwould any Member like to make a brief opening statement? \nSenator Reed.\n\n                 STATEMENT OF SENATOR JACK REED\n\n    Senator Reed. Well, thank you very much, Mr. Chairman. I \nwill make a very brief opening statement. I have to shortly go \nto the floor to continue to work for the extension of \nunemployment benefits for 1.7 million Americans. 
But, before I \ndo, I wanted to make some very brief comments.\n    As I have said previously, it is important to finish \nimplementing Dodd-Frank such as the SEC's need to finish its \nshare of the derivatives rules relating to security-based \nswaps, and I would urge moving as quickly and diligently as \npossible.\n    Lastly, in light of the Target data breach and its \nwidespread impact on our constituents, I urge and expect all of \nthe regulators here today to take a fresh and careful look at \nbeefing up their cyber and data security standards to ensure \nthat the regulators themselves and those entities under this \njurisdiction are ahead of the curve and do not fall victim to \ncyber and data breaches.\n    And with that, thank you, Mr. Chairman, for your \nconsideration.\n    Chairman Johnson. Anyone else?\n    [No response.]\n    Chairman Johnson. I would like to remind my colleagues that \nthe record will be open for the next 7 days for opening \nstatements and any other materials you would like to submit.\n    Now, I would like to introduce our witnesses. Mary Miller \nis the Under Secretary for Domestic Finance at the U.S. \nDepartment of the Treasury.\n    Dan Tarullo is a member of the Board of Governors of the \nFederal Reserve System.\n    Martin Gruenberg is the Chairman of the Federal Deposit \nInsurance Corporation.\n    Tom Curry is the Comptroller of the Currency.\n    Mary Jo White is the Chair of the Securities and Exchange \nCommission.\n    Mark Wetjen is the Acting Chairman of the Commodities \nFutures Trading Commission.\n    I thank all of you for being here today. I would like to \nask the witnesses to please keep your remarks to 5 minutes. \nYour full written statements will be included in the hearing \nrecord.\n    Under Secretary Miller, you may begin your testimony.\n\n   STATEMENT OF MARY J. MILLER, UNDER SECRETARY FOR DOMESTIC \n              FINANCE, DEPARTMENT OF THE TREASURY\n\n    Ms. Miller. 
Chairman Johnson, Ranking Member Crapo, and \nMembers of the Committee, thank you for inviting me to testify \ntoday on behalf of the Treasury Department.\n    I would like to update the Committee on several important \nregulatory developments since I appeared before you last July, \nTreasury's role in enhancing cybersecurity in the financial \nsector, and our 2014 priorities.\n    From his first day in office, Secretary Lew stressed the \nimportance of finishing work on the Volcker Rule and the \nimportance of having a single, strong final rule that was true \nto President Obama's proposal and the statute's intent. The \nfinal rule adopted in December will protect taxpayers by ending \nbanks' speculative proprietary trading and restricting their \ninvestments in private equity and hedge funds, while \nmaintaining deep liquid financial markets and allowing banks to \nhedge those risks.\n    We also made progress implementing Title II of Dodd-Frank. \nAll of the firms required to submit living wills have now done \nso, and the largest bank holding companies submitted their \nsecond round of living wills last fall.\n    In December, the FDIC sought public comment on an important \ndocument detailing the single point-of-entry strategy to \nfacilitate the orderly liquidation of a failing financial \ncompany.\n    Last summer, the Financial Stability Oversight Council \ndesignated American International Group, General Electric \nCapital Corporation, and Prudential Financial for enhanced \nprudential standards and consolidated supervision by the \nFederal Reserve. In September, the Office of Financial Research \nreleased a study of asset management activities to help inform \nthe Council's understanding of potential risks in this sector.\n    We also continued to make progress on derivatives reform. 
\nThe CFTC finalized its guidance on how Dodd-Frank applies to \ncross-border transactions, and the CFTC and European Commission \nagreed on a path forward, laying out their joint understanding \nregarding those issues.\n    In September, an international working group finalized \nmargin standards for noncentrally cleared derivatives \ntransactions. U.S. regulators are now working to adopt these \nstandards domestically and we expect these rules to be \nfinalized this year.\n    In addition, later this month, trading in several interest \nrate and credit derivatives markets will be required to take \nplace on new electronic trading platforms.\n    In December, Treasury's Federal Insurance Office released a \nreport setting out 27 recommendations designed to bring our \ninsurance regulatory system into the 21st century.\n    Another area of growing concern for Treasury and the \nCouncil is the vulnerability of our financial sector \ninfrastructure to cyber events. I want to thank the Committee \nfor choosing to focus part of today's hearing on this topic. \nThe changing nature of these cyber threats prompted the \nFinancial Stability Oversight Council last year to highlight \ncybersecurity as worthy of heightened risk management and \nsupervisory attention. Under the President's Executive Order on \ncybersecurity, Treasury also serves as a sector-specific agency \nfor the financial sector, with a leading role in information \nsharing and a coordinating role in incident response.\n    Finally, I would like to highlight for the Committee a few \nareas where Treasury intends to direct significant attention \nthis year to complete outstanding pieces of financial reform. \nWe will take steps to promote consistent implementation of \nglobal capital and liquidity standards. We have forged ahead in \nimplementing key derivatives reforms, and we need to make sure \nsimilar reforms are put in place around the globe. 
Treasury and \nthe regulators will continue to closely collaborate with our \ninternational counterparts through forums like the Financial \nStability Board and on a bilateral basis to address obstacles \nto resolving large cross-border firms.\n    Of course, there is still much to be done domestically, as \nwell. As was the case with the Volcker Rule, Secretary Lew, as \nChairperson of the FSOC, is responsible for coordinating the \njoint rulemaking to implement the risk retention rule. The rule \nwas re-proposed last year, and completion of these regulations \nin 2014 is a key priority for the Treasury.\n    The last year was a busy one and we made substantial \nprogress in financial regulatory reform. These reforms have \nmade our financial system stronger, more stable, and more \nfocused on fulfilling its core function of facilitating growth \nof the broader economy. That does not mean we will be able to \nrelax our guard. The crisis revealed that regulation and \noversight failed to keep pace with an evolving financial system \nand demonstrated why we must always remain vigilant to \npotential emerging risks in financial institutions and markets.\n    Thank you, and I look forward to taking your questions.\n    Chairman Johnson. Thank you.\n    Governor Tarullo, you may proceed.\n\nSTATEMENT OF DANIEL K. TARULLO, GOVERNOR, BOARD OF GOVERNORS OF \n                   THE FEDERAL RESERVE SYSTEM\n\n    Mr. Tarullo. Thank you, Mr. Chairman, Senator Crapo, and \nother Members of the Committee.\n    Let me make four quick points in beginning today. First, \nwith respect to the rulemaking agenda, in a hearing before this \nCommittee just about a year ago, I expressed the hope and the \nexpectation that 2013 would be the beginning of the end of the \nmajor portion of rulemakings implementing Dodd-Frank and \nstrengthening capital rules. 
Specifically, at that time, I \nanticipated, first, that we would issue final regulations on \nthe Volcker Rule, capital rules, Section 716, some of the \nspecial prudential requirements for systemically important \nfirms, and, second, that we would issue proposed rules on the \ncapital surcharge for systemically important banks and the \nliquidity coverage ratio.\n    In the event, we did get final rules on Section 716, the \nVolcker Rule, and the LCR proposal done in 2013. We also issued \na final rule implementing Section 318, which requires an \nassessment on large financial institutions for supervisory \nexpenses. We did not get the additional Section 165 final rule \nor the SIFI surcharge proposed rule out, but these, along with \ncompletion of the additional leverage ratio for systemically \nimportant firms, are the priorities to be taken up in the near \nterm.\n    Second, we continue to refine our stress testing and our \nannual comprehensive capital analysis exercise. We have \nbroadened the nature of risks incorporated into the scenarios \nwe develop. We have issued a policy statement describing our \napproach to scenario development. And we have issued a paper \ncovering expectations for internal capital planning at large \nfirms. These and other refinements which have been informed by \nthe extensive commentary and advice we get from banks, \ntechnical experts, and policy analysts, continue to improve \nwhat I think is the single most important change in supervisory \npractice since the financial crisis.\n    Third, as I have said before, we need to address more \ncomprehensively the systemic risks potentially posed by heavy \nreliance on short-term wholesale funding, both by the largest \ninstitutions and more generally in financial markets, \nparticularly those arrangements for securities finance \ntransactions. We have been discussing internally ideas for \ndoing so, some of which I have sketched out in some recent \nspeeches. 
I do not want to give a timeframe for when we may \nhave proposals in this area, but I do want to reiterate the \nimportance we attach to this issue.\n    Finally, with respect to cybersecurity, I would make a few \ngeneral observations. First, the recent data breaches at some \nretailers and Internet service providers underscore the extent \nto which the effective scope of the payment system involves \nmany more intermediaries than just regulated depository \ninstitutions. The weakest links in any part of that chain will \nbe exploited by criminals and other malefactors.\n    Second, while the recent episodes involve data security \nbreaches resulting in the theft of card and other consumer \ninformation, they should also remind us that cybersecurity is \nan even broader concern, implicating the integrity of our \nfinancial system and the rest of the economy. You all remember, \nI am sure, the denial of service attacks on numerous U.S. banks \nover the past couple of years.\n    Third, we should not think of either the recent data \nbreaches or any other cybersecurity problems as discrete \nproblems susceptible to solutions, but rather as new conditions \nof continuing vulnerability that will require adaptive, dynamic \nresponses by both Government and the private sector.\n    Thank you for your attention. I would be pleased to answer \nany questions you might have.\n    Chairman Johnson. Thank you.\n    Chairman Gruenberg, please proceed.\n\n  STATEMENT OF MARTIN J. GRUENBERG, CHAIRMAN, FEDERAL DEPOSIT \n                     INSURANCE CORPORATION\n\n    Mr. Gruenberg. 
Chairman Johnson, Ranking Member Crapo, \nMembers of the Committee, thank you for the opportunity to \ntestify today on the FDIC's actions to implement the Dodd-Frank \nAct and to provide oversight of financial institutions' data \nintegrity efforts.\n    The adoption of the final Volcker Rule in December by the \nagencies testifying today was a significant milestone in the \nimplementation of the Dodd-Frank Act. The purpose of the \nVolcker Rule, as you know, is to limit certain risky activities \nof banking entities that are supported by the public safety \nnet, whether through deposit insurance or access to the Federal \nReserve's discount window. In general, the rule prohibits \nbanking entities from engaging in proprietary trading \nactivities and places limits on the ability of banking entities \nto invest in or have certain relationships with hedge funds and \nprivate equity funds. The proprietary trading restrictions of \nthe rule seek to balance the prudential restrictions of the \nVolcker Rule while preserving permissible underwriting, market \nmaking, and risk-mitigating hedging activities.\n    In response to concerns raised by commentors, the final \nrule provides compliance requirements that vary based on the \nsize of the banking entity and the amount of covered activities \nit conducts. For example, the final rule imposes no compliance \nburden on banking entities that do not engage in activities \nthat are covered by the Volcker Rule. Most community banks will \nnot need to make changes to their policies and procedures and \nwill have no new reporting requirements, provided they do not \nengage in activities covered by the rule.\n    We also recognize that clear and consistent application of \nthe final rule across all banking entities will be extremely \nimportant. To help ensure this consistency, the five agencies \nhave formed an interagency Volcker Rule Implementation Working \nGroup. 
The Working Group has begun meeting and will meet \nregularly to address reporting, guidance and interpretation \nissues to facilitate compliance with the rule.\n    The FDIC has made additional progress in other areas of the \nDodd-Frank Act that are described in my written statement, \nincluding the risk retention requirement, which seeks to ensure \nthat securitization sponsors have appropriate incentives for \nprudent underwriting.\n    In addition, the FDIC continued to make progress on the \nprovisions of the Dodd-Frank Act relating to the resolution of \nsystemically important financial institutions, or SIFIs. Using \nthe standards provided in the statute, the FDIC and the Federal \nReserve are currently reviewing the revised resolution plans \nrequired under Title I of Dodd-Frank for the largest most \nsystemically significant financial institutions.\n    The FDIC also issued a Federal Register notice for public \ncomment providing a detailed description of the Single Point of \nEntry strategy developed by the FDIC to implement the Title II \nresolution authorities under the Act.\n    Finally, we have continued our active engagement with \nforeign jurisdictions that will be important to the cross-\nborder resolution of a SIFI, including the United Kingdom, \nGermany, Switzerland, Japan, and the European Commission.\n    The FDIC also joined with the Federal Reserve and the OCC \nin issuing rules that significantly revise and strengthen risk-\nbased capital regulations through implementation of the Basel \nIII international accord. The agencies also issued an NPR that \nwould significantly strengthen the supplementary leverage \ncapital requirements in the Basel III rulemaking for the eight \nlargest bank holding companies and their insured banks. 
\nCompletion of this NPR is a top priority for the FDIC.\n    In regard to the issue of data integrity, the FDIC treats \ndata security as a significant risk area due to its potential \nto disrupt bank operations, harm consumers, and undermine \nconfidence in the banking system and the economy. The FDIC's \nmost direct role in ensuring cybersecurity within the financial \nsector is through its onsite examination programs of financial \ninstitutions and third-party service providers. These \nexaminations are designed to ensure that financial institutions \nprotect both bank and customer information.\n    The FDIC is actively providing our supervised banks with \nassistance in planning and training for cyber threats. This \nincludes a new program directly designed to assist community \nbanks in planning for cyber threats. We are also working with \nour FFIEC colleagues through the Cybersecurity and Critical \nInfrastructure Working Group to strengthen examination policy, \ntraining, information sharing, and incident communication and \ncoordination.\n    Mr. Chairman, that concludes my remarks. I would be glad to \nrespond to questions.\n    Chairman Johnson. Thank you.\n    Comptroller Curry, please proceed.\n\n  STATEMENT OF THOMAS J. CURRY, COMPTROLLER OF THE CURRENCY, \n           OFFICE OF THE COMPTROLLER OF THE CURRENCY\n\n    Mr. Curry. Chairman Johnson, Ranking Member Crapo, and \nMembers of the Committee, thank you for the opportunity to \nappear before you today.\n    Your invitation asked for our thoughts on a range of \nimportant issues, and my written testimony covers those matters \nin detail. 
In the time I have now, I would like to speak \nbriefly about what the OCC is doing to improve the security of \nconsumer financial information held by banks, implement the \nDodd-Frank Act, and improve our own supervisory processes.\n    First, let me say that there are few issues of greater \nconcern to me or to the OCC than the increasing risk of cyber \nattacks. The data breaches at Target, Neiman Marcus, as well as \nrecent denial of service attacks on some banks, are more than \njust an inconvenience for banks and their customers. The \naffected customers pay a price in terms of the time lost \nmonitoring accounts as well as the very real expense incurred \nin restoring their credit information, even though they are \ngenerally protected against fraudulent charges by their \nfinancial institutions. Banks bear the expense of replacing \ncards, providing credit monitoring services, and reimbursing \ncustomers for fraud losses.\n    Moreover, every data breach raises questions about the \nsecurity of our retail payment systems, which can diminish \npublic confidence. Further, I am concerned that these cyber \nattacks are becoming increasingly sophisticated and may impair \nour financial sector's critical infrastructure.\n    The banking sector is highly regulated and subject to \nstringent information security requirements. Banks and their \nservice providers must protect both their own systems and their \ncustomers' data and respond promptly when any breach of \ncustomer information occurs. Moreover, the OCC regularly \nupdates our supervisory practices and industry guidance to keep \npace with the rapidly changing nature of cyber threats. For \nexample, we recently issued updated guidance on third-party \nvendors to stress our expectation that banks have appropriate \nrisk management practices in place for these relationships. 
We \nalso encourage ongoing outreach to bankers to share information \non emerging threats.\n    One of my first initiatives as Chairman of the Federal \nFinancial Institutions Examination Council was to establish a \nworking group on cybersecurity issues. This group has already \nmet with intelligence, law enforcement, and homeland security \nofficials to share information and is exploring additional \nactions we can take to ensure that banks of all sizes have the \nability to safeguard their systems.\n    We have also made great progress in implementing the Dodd-\nFrank Act and in strengthening the resiliency of the banking \nsystem by requiring enhanced capital reserves and liquidity. \nFor example, we finalized a rule requiring that an \ninstitution's lending limit calculation account for credit \nexposure arising from derivatives and securities financing \ntransactions.\n    Last year, the OCC along with the other rulemaking agencies \nadopted final regulations implementing the Volcker Rule, which \nbars banks from engaging in proprietary trading and limits \ntheir ability to invest in or sponsor hedge funds or private \nequity funds. Throughout the interagency rulemaking, the OCC \nworked to minimize the compliance burden on community banks \nthat are engaged in limited activities while ensuring that the \nlargest banks are subject to robust compliance and reporting \nrequirements.\n    But, while Congress gave us a number of important tools to \nhelp preserve the stability of the banking and financial \nsystem, it would be a mistake to overlook the important role of \nsupervision to the health of the banking industry. Since the \ncrisis, the OCC has taken a number of steps to help ensure the \nfuture strength of the industry.\n    For example, we developed a set of heightened standards for \nlarge bank management and boards of directors. We expect large \nbanks to meet the highest standards for risk management and \ncorporate governance. 
We have proposed to include these \nstandards as enforceable guidelines in our Part 30 regulation, \nwhich will improve our ability to enforce them.\n    At the same time, we have also taken a hard look at our own \nsupervision program. Last year, I asked a team of senior \ninternational supervisors to provide a frank and independent \nassessment of the way we supervise large institutions. Their \nthoughtful response notes strengths in our program and \nidentifies areas in which we can improve. We are evaluating how \nbest to implement their recommendations.\n    This is not an easy thing for an agency to do, and I have \nbeen impressed with the willingness of OCC staff to embrace \nevery opportunity to improve. That attitude is the mark of a \nhealthy organization, and it is one of the reasons I believe \nthat the OCC continues to be ready to meet the challenges of \nsupervising a rapidly changing industry.\n    Thank you, and I look forward to your questions.\n    Chairman Johnson. Thank you.\n    Chair White, please proceed.\n\n  STATEMENT OF MARY JO WHITE, CHAIR, SECURITIES AND EXCHANGE \n                           COMMISSION\n\n    Ms. White. Chairman Johnson, Ranking Member Crapo, and \nMembers of the Committee, thank you for inviting me to testify \nabout the SEC's ongoing implementation of the Dodd-Frank Act \nand the important issue of data security.\n    The Dodd-Frank Act significantly expanded the regulatory \nresponsibilities of the SEC. It enhanced the SEC's authority \nover credit rating agencies and clearing agencies and \nstrengthened our regulation of asset-backed securities. It gave \nthe SEC new responsibilities over municipal advisors and hedge \nfund and other private fund advisors, and required a new \noversight regime for over-the-counter derivatives. 
It also \ncreated a whistleblower program and provided the SEC with \nadditional enforcement tools, which we are using.\n    Implementing the Dodd-Frank Act has required the SEC, as \nyou know, to undertake one of the largest and most complex \nagendas in the history of the agency, with more than 90 \nprovisions requiring rulemaking and more than 20 others \nrequiring studies or reports. In addition, the Dodd-Frank Act \nand the financial crisis that preceded it have focused the \nSEC's efforts more directly on enhancing financial stability \nand reducing systemic risks.\n    While certainly more work remains, we have made substantial \nprogress implementing this agenda. Since I arrived at the \nCommission in April 2013, we have advanced rules and other \ninitiatives across the wide range of regulatory objectives set \nby the Dodd-Frank Act for the SEC.\n    We have adopted final rules for the registration of \nmunicipal advisors. We have analyzed the first complete set of \ndata from registered advisors to private funds so that the SEC \nand Financial Stability Oversight Council can better assess \ntheir impact on financial stability. We have issued a \ncomprehensive rule proposal for the cross-border application of \nour regulatory framework for security-based swaps. We have \nadopted a rule to further safeguard customer funds and \nsecurities held by broker-dealers.\n    We have removed references to credit ratings in our broker-\ndealer and investment company regulations. We have proposed a \nrule to disclose the ratio of compensation a public company \npays its CEO relative to what it pays its median employee. We \nhave finalized a rule disqualifying felons and other bad actors \nfrom an important private securities offering exemption.\n    We and others have re-proposed a rule concerning the \nretention of certain credit risk by securitizers of asset-\nbacked securities. 
And, we and others here today have adopted a \nfinal Volcker Rule that is consistent with the language and \npurpose of the Dodd-Frank Act and that preserves the benefits \nof diverse and competitive markets.\n    These measures are in addition to the rules we have \nadvanced and reports we have completed to implement the JOBS \nAct, including by permitting the use of general solicitation in \ncertain private offerings, crowdfunding, and updating and \nexpanding Regulation A, and they are also in addition to other \nsignificant initiatives, including our proposals to reform \nmoney market funds and to enhance the responsibilities of key \nmarket participants over their technological systems. \nCompleting the rulemakings and studies mandated by the Dodd-\nFrank and JOBS Act remains among my top priorities for 2014.\n    Under the Dodd-Frank Act, the Commission also has taken \nadditional steps to protect customer data. Last April, the SEC \nand CFTC jointly adopted Regulation SID, which requires certain \nregulated financial institutions and creditors to adopt and \nimplement policies and procedures designed to identify and \naddress red flags signaling the possible theft of a customer or \nclient's identity. Regulation SID built upon the SEC's existing \nRegulation SP, which requires registered broker-dealers, \ninvestment companies, and investment advisors to adopt written \npolicies and procedures instituting safeguards for the \nprotection of customer records and information.\n    The SEC monitors and enforces compliance with these rules \nand regulations through our examination and enforcement \nprograms. 
Examinations of registrants relating to data \nprotection and information security continues to be an exam \npriority for the SEC's National Exam Program, and in recent \nyears, the SEC has also brought enforcement actions for a \nregistrant's failure to adopt reasonable policies and \nprocedures to protect customer information from imminent \nthreats and for failure to respond or follow up on security \nthreats despite red flags. There is no question that data \nprotection is a critical national and global priority on which \nboth the private and public sectors must continue to closely \nfocus.\n    Thank you again for the opportunity to testify today. I \nwould be pleased to answer any questions.\n    Chairman Johnson. Thank you.\n    Chairman Wetjen, please proceed.\n\nSTATEMENT OF MARK P. WETJEN, ACTING CHAIRMAN, COMMODITY FUTURES \n                       TRADING COMMISSION\n\n    Mr. Wetjen. Good morning, Chairman Johnson, Ranking Member \nCrapo, and Members of the Committee. I am pleased to join my \nfellow regulators in testifying today, and it is great to be \nback in the Senate.\n    As this Committee is well aware, the Commodities Futures \nTrading Commission was given significant new responsibilities \nthrough the passage of the Dodd-Frank Act. The Commission has \nsubstantially met those responsibilities with only a few \nrulemakings remaining. As a result, nearly a hundred swap \ndealers and major swap participants have registered with the \nCommission and become subject to new risk management and \nbusiness conduct requirements. Counterparty credit risk has \nbeen reduced through the Commission's clearing mandate. And \npre- and post-trade transparency in the swaps market exists \nwhere it did not before.\n    The Commission also has adopted cross-border policies that \naccount for the varied ways that risk can be imported into the \nUnited States. Congress recognized in Dodd-Frank that even when \nactivities do not obviously implicate U.S. 
interests, they can \nstill create less obvious but legally binding obligations that \nare significant and directly relevant to the health of a U.S. \nfirm and that, in aggregate, could have a material impact on \nthe U.S. financial system.\n    In a matter of days, the compliance date for one of the \nremaining hallmarks of the financial reform effort will arrive, \nas well, the effective date of the swap trading mandate. The \nCommission also is working to complete in the coming months \nrulemakings for capital and margin requirements for uncleared \nswaps, rulemakings intended to harmonize global regulations for \nclearinghouses and trading venues, and rules establishing final \nposition limits under the Commission's newest proposal.\n    Looking forward, the agency will continue its efforts to \nensure an orderly transition to the new market structure for \nswaps. The agency staff is presently exploring whether to \nrecommend a number of new proposals to address remaining end-\nuser concerns.\n    In recent weeks, the Commission also finalized the Volcker \nRule. Through this effort, the market regulators went beyond \nthe Congressional requirement to simply coordinate. In fact, \nthe Commission's final rule includes the same substantive rule \ntext adopted by the other agencies. The rule strikes an \nappropriate balance in prohibiting the types of proprietary \ntrading that Congress contemplated while protecting liquidity \nand risk management through legitimate market making and \nhedging activities.\n    Compliance with the Volcker Rule, including the reporting \nof key metrics, will provide the Commission important new \ninformation that will buttress its oversight of swap dealers \nand futures commission merchants, which are banking entities \nunder Dodd-Frank that are subject to the Commission's \nregistration rules.\n    To ensure consistent, efficient implementation of the \nVolcker Rule, the agencies have established an implementation \ntask force. 
One of the Commission's goals for this task force \nwill be to avoid unnecessary compliance and enforcement efforts \nby the agency. Indeed, this goal is one of necessity for the \nCommission. Our agency remains resource constrained and cannot \nreasonably be expected to effectively police compliance to the \nfullest extent. The Commission is also analyzing whether it can \nleverage the use of self-regulatory organizations, such as the \nNational Futures Association, to assist with its \nresponsibilities under the rule.\n    Regarding the interim final rule relating to TruPS, the \nCommission last month quickly and unanimously adopted the \nmeasure in an effort to protect liquidity and markets that are \nimportant to community banks. In doing so, the agency sought to \navoid what could have been significant capital and funding \nconsequences for community banks. This is another example of \nthe Commission responding promptly to compliance challenges \npresented to it and also demonstrated the enduring commitment \nof all the agencies here to ongoing coordination.\n    Related to the Committee's concerns about customer data \nbreaches, the Commission takes seriously its responsibility to \nprotect against the loss or theft of customer information. I \nmust note that the Commission's limited examinations staff has \nan impact on its ability to examine and enforce critical rules \nthat protect customer privacy and ensure firms have robust \ninformation security and other risk management policies in \nplace.\n    Nonetheless, the Commission has taken several steps in this \narea, including jointly adopted with the SEC the final rules \nrequiring our registrants to adopt programs to identify and \naddress the risk of identity theft. 
The Commission also adopted \nnew risk management requirements for firms, including policies \naddressing risks related to retail payment systems, including \nidentity theft, unauthorized access, and cybersecurity.\n    Additionally, the agency staff is poised to release a staff \nadvisory outlining best practices for compliance with \nprovisions of Gramm-Leach-Bliley designed to ensure financial \ninstitutions protect customer information. In light of recent \nevents, the Commission also is presently considering \nimplementing rules under Gramm-Leach-Bliley to expand upon our \ncurrent customer protection regulations with more specificity \nregarding the security of customer information.\n    Thank you for inviting me today. I would be happy to answer \nany questions.\n    Chairman Johnson. Thank you for your testimony.\n    As we begin questions, I will ask the Clerk to put 5 \nminutes on the clock for each Member.\n    Secretary Miller, what steps will Treasury take to promote \ncooperation between industry, law enforcement, the intelligence \ncommunity, and regulators so that American consumers' financial \ninformation is better protected from threats, including cyber \nattacks and data breaches?\n    Ms. Miller. Thank you for the question and for the focus on \nthat issue at this hearing today. I think I would mention a few \nthings.\n    First of all, as you have recognized, the FSOC has \nhighlighted this issue in its annual report to call attention \nto the operational risks of financial sector infrastructure in \ncybersecurity attacks, and I think the FSOC will continue to \nfocus on that in terms of bringing it to the attention of all \nof its members.\n    At the Treasury, we are the sector-specific agency for the \nfinancial sector on this issue. 
As such, we have an important \nrole in coordinating incident responses, but also making sure \nthere is very strong information sharing between the private \nsector itself and between the private sector and regulators, \nand Treasury has stepped up to make sure that we can translate \ninformation from the intelligence and the security agencies to \nthe private sector.\n    One of the ways we have done that this year is to make sure \nthat we have current security clearances for people both in the \nGovernment and in the private sector so we can very quickly \nshare information to make sure that there are no delays in \nresponding to a cybersecurity incident.\n    Finally, we work with the Executive Order that the \nPresident has put out on this issue, but we also think it would \nbe very valuable to have comprehensive legislation on \ncybersecurity. Thank you.\n    Chairman Johnson. Comptroller Curry, as current Chair of \nthe FFIEC, is there more that can be done to help financial \nregulators better protect Americans' financial information \nregardless of where they bank or shop?\n    Mr. Curry. Thank you, Mr. Chairman. One of the major \nfocuses of our cybersecurity effort at the FFIEC is to make \nsure that the regulated financial institutions are up to the \ntask in the area of cybersecurity. The FFIEC is a unique forum \nthat has present in it the Federal banking agencies, the \nconsumer protection agency, as well as State bank supervisors. 
\nSo, our focus has been on making sure that all financial \ninstitutions, including community banks and credit unions, are \nmeeting our expectations from a regulatory standpoint.\n    As part of our program, we are making an assessment of \nwhether the overall regulatory structure is effective, from \ncommunicating awareness of cyber threats, making sure our \nexamination procedures, our enforcement authorities, which \nwould also include the statutory framework, are effective, \ngiven the nature of the ongoing cyber threats. We will also be, \ngiven the incidents relative to the data security breaches, \nfocusing on whether or not existing regulatory standards for \ntechnology for data security are sufficient and whether or not \nthere is a need for greater coordination with other players in \nthe ecosystem. Thank you.\n    Chairman Johnson. Chair White and Chairman Wetjen, in your \ntestimony, you highlight a lack of resources as significant \nchallenges to your agency. So, specifically, how would the \ncurrent funding levels impact your efforts to protect data and \nimplement and enforce Wall Street Reform? Chair White.\n    Ms. White. Yes. We do have significant budget challenges \nwhich impacts a number of our very important IT initiatives. \nThere is nothing we value more importantly, however, than data \nsecurity. I think the sophistication of the perpetrators \ncontinually evolves, and threats to both governments and market \nparticipants alike increase in complexity, really, on a daily \nbasis. And so we do want to keep pace with those challenges.\n    We clearly will prioritize our resources so as not to \ncompromise on data security, but it does present quite a \nchallenge. 
You know, clearly, we are also devoting resources to \nour examination program directed at data security, and to our \nenforcement program, as well, in that space, and the FY 2014 \nbudget request actually asked for 450 additional positions in \nenforcement and examination, so, obviously, not receiving \nfunding for that, that has an impact. But, we intend to keep \ndata security very much in the forefront of our priorities.\n    Chairman Johnson. Chairman Wetjen.\n    Mr. Wetjen. Thanks, Mr. Chairman. I would echo what Chair \nWhite said. The main tool that we have is to examine the \npractices of our registered entities. They have a variety of \nrisk management requirements that relate to keeping customer \ninformation safe and secure, and because we are resource \nconstrained, it is very likely we are not going to be able to \nreview and examine those systems that the registered entities \nhave in place and so we cannot be sure that the data that is \nbeing kept by our registered entities is going to be as secure \nas we would like. So, that is the real world explanation or \nreason why the challenges we continue to face on the resource \nfront could have an impact on consumers.\n    Chairman Johnson. Chairman Gruenberg, I commend you and \nyour fellow regulators for acting quickly to fix a Volcker Rule \nissue that could have unintentionally harmed community banks. \nAs you analyze other rules, what are you doing to minimize \nunintended consequences and monitor the impact on community \nbanks?\n    Mr. Gruenberg. Thank you, Mr. Chairman. I think it is fair \nto say that in all of the rulemakings we have been undertaking, \nthe agencies across the board have paid particular attention to \nthe impact on community banks. In the two major rulemakings we \ndid last year on the Basel III capital accord as well as the \nVolcker Rule, we made significant changes in the final \nrulemakings to be responsive to comments and concerns raised by \ncommunity banks. 
We made three significant changes in the Basel \nIII rules responsive to the comments. As I noted, in the \nVolcker Rule, we made adjustments in the final rule so that for \nthe large majority of community banks that do not engage in \nactivities subject to the Volcker Rule, that large majority of \ncommunity banks will have no compliance requirements under \nVolcker.\n    I would note the importance of the cybersecurity issue to \ncommunity banks, and perhaps it has been less appreciated \nbecause most of the focus on cybersecurity has been on the \nlarge institutions. But, I can tell you, we have an advisory \ncommittee of community banks from around the country that our \nboard meets with three times a year, and when we went through \nissues of concern to them, cybersecurity was near the top of \ntheir list. All of them related incidences that their \ninstitutions experienced. As the larger institutions have \nstrengthened their defensive positions, there really has been a \nmovement down the system.\n    So, this, I think, is really an area that needs particular \nconcern, and we have developed a number of tools to assist \ncommunity banks in this area.\n    Chairman Johnson. Senator Crapo.\n    Senator Crapo. Thank you, Mr. Chairman.\n    Under Secretary Miller, I have a lot of questions that \nrelate to Dodd-Frank implementation and data security, but I \nwould be remiss if I did not first raise the issue of housing \nfinance reform that is a critical issue before this country.\n    As you know, in the State of the Union, the President \ncalled on Congress to send him legislation that protects \ntaxpayers from footing the bill for a housing crisis ever again \nand keeps the dream of home ownership alive for future \ngenerations. 
I just want to ask you, as a representative of the \nAdministration here, to confirm that the President has, indeed, \ncalled on Congress to send him housing finance reform \nlegislation and that this is a top priority which we need to \nhandle now.\n    Ms. Miller. Thank you for the question. I could not agree \nwith you more. This has been a priority of the Treasury since \nthe day I arrived, to make sure that we are planning for a safe \nand stable housing finance system. As you know, last summer, \nthe President articulated four important points: One, that we \nneed to design a system that brings more private capital back \ninto the housing finance market; two, that we design something \nthat winds down the GSEs as they performed and make sure that \nwe are protecting the taxpayers in a future housing finance \nsystem; that we provide broad access to credit for creditworthy \nborrowers who want to own a home; and that we also make sure \nthat we provide adequate financing for rental options in this \ncountry.\n    We are very heartened that the improvement in the housing \nmarket, the recovery we are seeing in housing prices, the \nslowing or diminution of loan delinquencies and foreclosures is \ngiving us the opportunity and the platform now to move forward \nwith housing finance reform, and we very much look forward to \nworking with Members of this Committee on a bipartisan piece of \nlegislation. Thank you.\n    Senator Crapo. 
Well, thank you, and I just wanted to get \nthat out there so that it is clear that this is a priority, and \nI appreciate your emphasis on that and your work on this.\n    My next question really is not a question, it is more of a \nstatement about the Volcker Rule, and the reason is because \nthere is so much that I want to ask, there is just not time for \nme to get into it right here, so I am simply going to make a \nstatement and then I will, with follow-up questions on the \nrecord, engage with each of you on the Volcker Rule and what we \nhave seen.\n    The concern I have is one that I know was raised yesterday \nin hearings and that has been raised significantly, which is \nthat I think we are just beginning to see the unintended \nconsequences of the Volcker Rule. And, as I mentioned in my \nopening statement, I am a little bit baffled that after 3 years \nof work on the Volcker Rule, none of the agencies foresaw the \nunintended consequence related to CDOs that was fixed, but I am \nnot sure it has been completely resolved and properly yet, but \nat least the issue is the concern about unintended consequences \nwith the Volcker Rule and the problems that we are now seeing \nhighlighted there with the multiple regulators having to \ncoordinate with each other and fully consider all of the \ndynamics of a very major rule such as this.\n    So, I am going to leave it at that right now and not ask \nyou to engage with me right now, because I have got a lot of \nother questions to try to get to, but I will, with questions on \nthe record, be engaging with you.\n    For the next question, Chair White, I would like to turn to \nyou. I understand that FSOC is evaluating whether and how to \nconsider asset management firms for designation as SIFIs. 
As a \npart of that evaluation process, the FSOC asked the Office of \nFinancial Research to draft a study of the asset management \nindustry, and unfortunately, the OFR report failed to fully \ntake into account the perspectives of and the data from the SEC \nand market participants, as I see it. The asset management \nindustry is squarely within the SEC's jurisdiction and core \nexpertise.\n    What additional work and data gathering do you believe \nshould be done to further understand the asset management \nindustry and to achieve the right result in this context?\n    Ms. White. I should say, I guess, at the outset, the SEC is \nvery actively working in the FSOC setting with our fellow \nagencies in following up on concentrating exactly on those \nissues. We provided technical assistance to OFR before that \nstudy was completed, commented extensively, some of those \ncomments taken, some of those not, as is usual, but agreed to \ndisagree on a number of things. So, I think it is very \nimportant that we have complete data, complete expertise \napplied to all these issues and focus on what differences there \nare in terms of asset managers, which are obviously based on an \nagency model, business model. But, I think that discussion is \ngoing on.\n    Senator Crapo. Thank you very much.\n    And one more question. This goes to both Chairman White and \nChairman Wetjen. I have a lot more questions, but this will be \nthe last one I get to get at here, and that is that over the \nlast year, I have repeatedly expressed my view that the SEC and \nthe CFTC, to move in a more coordinated way with regard to \nDodd-Frank implementation and cross-border initiatives for \nderivatives. 
Some argue that the CFTC's implementation is \nlargely complete, while the SEC has a fair amount of work left \nto be done.\n    As the landscape for Title VII continues to develop, what \nare the concrete steps that your agencies are taking to ensure \ncoordination from both rulemaking and compliance perspectives?\n    Ms. White. Let me just, I guess, take that first, which is \nthat, A, we are prioritizing the completion of our rules in \n2014 for Title VII. Our staffs are in pretty much constant \ncontact about implementation issues. We are also actually \nlooking at the possibility of accelerating on some issues that \ndo not require full rulemaking, and we are also engaged at the \nprincipal level, which I think is very important, as well.\n    Senator Crapo. Thank you.\n    Mr. Wetjen.\n    Mr. Wetjen. Thanks, Senator Crapo. I agree with Chair \nWhite. It is a priority for our agency to coordinate closely \nwith the SEC. At a personal level, I have been involved in that \nsince joining the agency. Of course, as you alluded to, our \ncross-border guidance is currently in place, but there are \nstill some issues that continue to arise related to it and we \ncontinue to consult with the SEC as those arise.\n    And to give you a specific example, there is some interest \nin some subsequent staff advisories concerning our guidance. We \nare hosting a Global Markets Advisory Committee meeting at the \nCommission next week and the SEC will be participating in that \nmeeting, as well as some foreign regulators from both the FCA \nin the United Kingdom and the European Commission in Brussels. \nSo, we will have regulators from around the globe, including \nthe SEC, providing their input, all in an effort to, as you \nsay, coordinate as best we can.\n    Senator Crapo. Thank you.\n    I have a number of additional questions, but I will submit \nthose for the record, Mr. Chairman, and I look forward to \nworking with the witnesses here on those. 
Thank you.\n    Chairman Johnson. Senator Menendez.\n    Senator Menendez. Thank you, Mr. Chairman, and thank you \nfor adding data security to today's topics.\n    I would like to ask those who I understand are most \ninvolved in this, but anyone who feels that they have a role, \nas well, Governor Tarullo and Chairman Gruenberg and \nComptroller Curry, and exactly what roles are your agencies \nplaying as it relates to data security standards that in my \nunderstanding are largely set by the industry? I get the sense \nthat your role is generally outlining general principles and \nleaving the private sector to fill in the details, or maybe if \nI am wrong, I would be interested in what you are doing beyond \nthat.\n    This past Monday, we had a Subcommittee hearing that \nSenator Warner held with the retailers, the banks, the card \nindustry, consumer advocates, and what not, and I am wondering, \nshould we not be establishing a Federal standard, one that does \nnot lock in a specific technology, because that can be eclipsed \nin time, but one that certainly looks at the question of a \nregulatory standard based on performance. For example, could we \nnot say that at some point, it has to be considered an \nunreasonable security risk for a company not to be using, for \nexample, chip and PIN technology, or something that performs \nequivalently, if that is the highest standard that exists in \nthe marketplace at a given time, so that at least companies \nwould understand what that standard is that they are being held \naccountable to and we could respond accordingly with the FTC or \nothers as it relates to violating that standard on behalf of \nconsumers.\n    Mr. Curry. Senator, I think the basic framework is in place \nfor the financial institutions regulated by the banking \nagencies. We have standards for information security. We have \nan ongoing oversight program in terms of examining the \nindividual institutions under our jurisdiction. 
And we also \nsupervise certain institution-affiliated parties, independent \nservice organizations. The agencies, the OCC, in particular, \nhas also set out detailed expectations with respect to third-\nparty vendors that are used by those service providers.\n    Senator Menendez. Do those standards serve us well in the \ndata breaches in Target and Neiman Marcus and others?\n    Mr. Curry. Well, in that particular instance, the breaches \ndid not occur at the bank end, and I think what you pointed out \ncorrectly is there are different standards between different \nplayers within the system. The banking industry does have basic \nstandards in place that are not necessarily existing in the \nmerchant or retail space, so that in order to provide a \nconsumer with the same breach notification rights, it may be \nnecessary to impose legal or other requirements on retailers or \nmerchants, and that is the situation.\n    Senator Menendez. Governor Tarullo.\n    Mr. Tarullo. Senator, let me supplement a bit. I agree with \nComptroller Curry, obviously, about the mechanisms the three \nbanking regulators have put in place. But, I think your \nquestion gets to a broader issue, and I agree with what I think \nis the premise of your question, which is we cannot look at \njust the banks right now. I think we need to think in terms of \na consumer who uses a credit card, and at that point, her \ninformation starts on a trail which may go through a retailer \nand a processor and one or more banks before the final payment \nis eventually made. And I think right now, we do not have any \nmechanism for taking that view of what I would characterize as \na very extended payment system and making sure that the kind of \nstandards which would assure protections at each step of the \nway are actually realized. 
As I said in my introductory \nremarks, the weakest link in the chain is where the attention \nis going to be directed by criminals or others.\n    You know, there are a lot of people doing a lot of work \nthroughout the U.S. Government on this----\n    Senator Menendez. So----\n    Mr. Tarullo.----but I think you are going to need some more \ngeneral standards. Let me just give you one example, which is \nsort of helpful. I think we probably need some uniform \nrequirements on disclosure when breaches have actually taken \nplace. You know, the three banking agencies require \nremediation, particular remediation efforts and notification \nand the like, but that is not true generally. And until the \nbanks and customers are assured that they know whenever \nanything has happened with their data, it is going to be hard \nfor people to respond.\n    Senator Menendez. Well, we look forward to your work on \nwhat I think should be a standard that we can--across the \nuniverse of those who ultimately hold consumer information.\n    If I may, one final question, Mr. Chairman.\n    Chairman Johnson. Yes.\n    Senator Menendez. Again, to the three of you, we have seen \nreports in the press of regulated financial institutions \npurchasing credit protection, often using credit default swaps, \nfrom unregulated entities like hedge funds or entities formed \noffshore to avoid regulation in order to reduce the amount of \ncapital that they need to hold an investment on the book. And, \nin fact, these trades are transferring risk from a regulated \nentity, institution, that are subject to capital requirements, \nto unregulated entities that are not subject to capital \nrequirements. And instead of raising equity to pay for an \ninvestment, the bank is taking an exposure to an entity that \nmay or may not be able to pay up if the investment goes bad. 
\nAnd if that story sounds familiar, it is because it is very \nstrikingly similar to what we saw happen with AIG before the \nfinancial crisis.\n    So, the question is, when a regulated financial institution \npurchases credit protection, can you describe how you take into \naccount counterparty credit risk when determining how much \ncredit the financial institution gets toward its capital \ncalculations and what is required of banks to monitor their \ncounterparties' ability to perform on a trade, because \notherwise, I just see us, as we are talking about financial \nsecurity here and stability and systemic risk, we are almost \nback in this element to the same type of risk possibility that \nwe were before Dodd-Frank.\n    Mr. Curry. Senator, we share your concerns from a \nsupervisory standpoint on the risks from credit transfer \ntransactions, as you have described them. So, as a result, it \nis something that we scrutinize carefully from an examination \nstandpoint at the OCC. Our position is that we are looking to \nsee that it is actually a true transfer, and if it is not, we \nwill not accord it the more favorable capital treatment.\n    Senator Menendez. Chairman.\n    Mr. Gruenberg. Senator, I would just comment. We have not \napproved requests for these kind of arrangements for our \nsupervised institutions, and I would note that under the \nleverage ratio, firms would not receive any capital benefits \nfrom these kinds of interactions, which underscores the value \nof the strong leverage ratio requirement, as well.\n    Senator Menendez. Well, we look forward to your continuing \nwork in that regard.\n    Thank you, Mr. Chairman.\n    Chairman Johnson. Senator Brown.\n    Senator Brown. Thank you, Mr. Chairman.\n    Governor Tarullo said in his testimony that, quote, ``work \nremains to be done to address the problems of too-big-to-fail \nand systemic risk.'' I would like to ask each of you to give me \na simple yes or no, starting with you, Ms. 
Miller, if you \nbelieve that too-big-to-fail--if you agree with Governor \nTarullo, that we have not ended too-big-to-fail. A simple yes \nor no, if each of you would do that. Ms. Miller.\n    Ms. Miller. I do not think we have ended the perception of \ntoo-big-to-fail, but I think we have gone a long way to ending \ntoo-big-to-fail with the regulations.\n    Senator Brown. Governor Tarullo, I assume you agree with \nGovernor Tarullo's statement.\n    Mr. Tarullo. [Nodding head.]\n    Senator Brown. OK.\n    [Laughter.]\n    Senator Brown. Mr. Gruenberg.\n    Mr. Gruenberg. Yes, I agree.\n    Senator Brown. I am sorry?\n    Mr. Gruenberg. Yes, I agree with the question that you \nraised.\n    Senator Brown. OK. Mr. Curry.\n    Mr. Curry. Yes, I also agree. Thank you.\n    Senator Brown. We have not ended it. OK. Ms. White.\n    Ms. White. Too soon to tell. I agree.\n    Senator Brown. Mr. Wetjen.\n    Mr. Wetjen. I also agree with Under Secretary Miller's \ncomments.\n    Senator Brown. OK. If too-big-to-fail is not over, and most \nof you agree with that--some of you, I am not sure on either \nend where you sit exactly--I want to ask about two ways to \naddress it. One is living wills. Yesterday, Chairman Gruenberg \nand Governor Tarullo answered Representative McHenry, you are \nwilling to say living wills are deficient as you evaluate the \nsecond round submitted by the biggest banks. Both Ms. Miller \nand Chairman Gruenberg note that bankruptcy is the standard \nagainst which living wills are supposed to be measured. I doubt that \nall of the largest banks, those with more than--those 8 to 10 \nbanks that are $250 billion up in assets--I doubt that those \nlargest banks can be resolved through an orderly process, so it \nis clear we all have work to do.\n    The other issue of the other of the two ways to address \ntoo-big-to-fail is the supplemental leverage ratio. 
I was \nencouraged a number of months ago when OCC, FDIC, and the Fed \nproposed their supplemental leverage ratio requiring the \nlargest insured banks and bank holding companies to have the \nability to produce tens of billions of dollars, to have initial \ntens of billions of dollars in capital to protect against \nfailure. Governor Tarullo notes that the Basel Committee's \nrevisions for measuring bank assets under Basel III leverage \nratios will be incorporated into your proposed leverage ratio.\n    So, my question is about how soon and how we do this. For \nGovernor Tarullo and Comptroller Curry and Chairman Gruenberg, \nhow do you do this? Will the United States finalize its \nsupplemental leverage ratio first and then revise the asset \ndefinitions once Basel has completed its process, or will you \nwait until there is an international standard in finance, an \ninternational standard to finalize the leverage ratio? In other \nwords, are we going to move first or are we going to continue \nto wait? Ms. Miller.\n    Ms. Miller. I think I would actually prefer to defer to the \nregulators to talk about the work that they are doing in this \nparticular area because I think it is really their charge to \nadopt these standards and put them into----\n    Senator Brown. There is no Treasury recommendation here?\n    Ms. Miller. No, we certainly support the proposals on \nsupplemental leverage ratio and making sure that we have a very \neffective regime here in terms of----\n    Senator Brown. But you do not have a position on the timing \nof these rules?\n    Ms. Miller. The only thing that I think we have been clear \nabout is we want to make sure that we are coordinating well \nwith our international counterparts. So, for example, some of \nthe meetings that took place in January were quite helpful, I \nthink, in articulating common standards. 
So, I think we would \nlike to make sure we are moving in concert with our \ninternational partners, but we would like to see these things \ndone as quickly as possible----\n    Senator Brown. I hope that ``in concert'' and ``working \nwith'' does not imply an abdication of leadership and we will \nnot go first. But, the three regulators. I think Ms. Miller is \nright. Governor Tarullo, if you would go first.\n    Mr. Tarullo. I think the redefinition of the denominator, \nwhich was basically what the international work was about, is \nessentially done. I mean, we know where they have come out. The \nquestion that remains is what is the required minimum ratio \ngoing to be given that work. And as I think you know, because \nyou alluded to the proposed regulation, it is the intention of \nthe three bank regulatory agencies to have a higher minimum \nratio than that that prevails in the international forum right \nnow.\n    So, what we have been able to do is to move toward a point \nwhere we have got our definitions harmonized, but we will \nindependently put in a higher leverage ratio than the \ninternational standard. And as I said in my opening remarks, \nfor us, that is one of the three regulatory initiatives that is \nthe top priority in the near term.\n    Senator Brown. Chairman Gruenberg, timing and action and \nwhat are you going to do.\n    Mr. Gruenberg. Yeah. I think--I am hopeful we can move \nforward quickly to finalize the supplementary leverage ratio \nproposal, and we will need to also act to incorporate the \nchanges to the denominator, as Governor Tarullo indicated, that \nwere finalized by the Basel----\n    Senator Brown. And that means we are going to move first?\n    Mr. Gruenberg. Yes, I believe so.\n    Senator Brown. Comptroller Curry.\n    Mr. Curry. Yes. I think Chairman Gruenberg described the \nprocess. 
My own view of what should happen is that we should \nadopt both provisions, the final version of the NPR and the \nsupplemental leverage ratio, and also adopt the--consider \nadopting the changes in the denominator coming out of the Basel \nCommittee and do that as quickly as possible. It is a real high \npriority for me and the OCC.\n    Senator Brown. Good. Last July, in response to my question, \nChairman Bernanke told this Committee that he believes the \nUnited States has a leadership position and other countries are \nlikely to follow our example. You can cite--he did not, but you \ncan cite a number of issues. The EU just proposed its own \nversion of the Volcker Rule. It is important we lead, and I \nurge all of you in positions to do this to move quickly and \ndecisively.\n    Thank you, Mr. Chairman.\n    Chairman Johnson. Senator Shelby.\n    Senator Shelby. Thank you.\n    Governor Tarullo, we have been talking about--I was gone a \nfew minutes, but the Senator from Ohio was talking about, I \nthink, the Volcker Rule and the implementation, at least that \nis what I got. Let us go back just a minute. How will the \nVolcker Rule when it is fully implemented differ from what we \nhad under Glass-Steagall?\n    Mr. Tarullo. So, under Glass-Steagall, Senator, there could \nnot be an affiliation, that is, a corporate affiliation, \nbetween a commercial bank, an insured depository institution, \non the one hand, and, for example, a broker-dealer trading \ngenerally, doing underwriting of equities and trading in \nequities and----\n    Senator Shelby. Separation of commercial banking from \ninvestment banking?\n    Mr. Tarullo. Exactly. That is sort of the distilled version \nof what Glass-Steagall was.\n    Senator Shelby. OK.\n    Mr. Tarullo. The Volcker Rule prohibits the proprietary \ntrading activity within any part of a bank holding company----\n    Senator Shelby. We understand that.\n    Mr. 
Tarullo.----but it does not require that there be a \nseparation between investment banking and----\n    Senator Shelby. They can still trade from their customers, \ncan they not?\n    Mr. Tarullo. Correct. Full agents----\n    Senator Shelby. But they could not trade proprietary for \nthemselves.\n    Mr. Tarullo. That is correct.\n    Senator Shelby. And risk--the idea was to risk capital to \nthe bank, right?\n    Mr. Tarullo. That it is kind of a moral hazard----\n    Senator Shelby. And ultimately to the taxpayers.\n    Mr. Tarullo. It is a moral hazard motivation, exactly, \nSenator.\n    Senator Shelby. OK. What can, say, a commercial bank do \nnow, including the Volcker Rule, what can they do that they \ncould not do before Glass-Steagall was----\n    Mr. Tarullo. Oh, what can the commercial bank do----\n    Senator Shelby. Yes. What can they do that they could not--\n--\n    Mr. Tarullo. So----\n    Senator Shelby.----including the restrictions put on them \nby proprietary trading by the Volcker Rule.\n    Mr. Tarullo. Right. There was a parallel movement over the \ntime the Glass-Steagall was in effect whereby banks got more \npowers. They were allowed to do things that they had not been \nallowed to do in 1933. Neither Glass-Steagall nor Gramm-Leach-\nBliley really changed that so much. So, I do not actually think \nthat either Gramm-Leach-Bliley or the Volcker Rule has \nbasically changed what national banks can do, and Comptroller \nCurry may want to weigh in on this. All it has done is put a \nconstraint on----\n    Senator Shelby. And you emphasized national banks, did you?\n    Mr. Tarullo. No, it would--well, so no----\n    Senator Shelby. Or all banks?\n    Mr. Tarullo.----under the FDI Act----\n    Senator Shelby. OK.\n    Mr. Tarullo.----no bank can do--no insured depository \ninstitution----\n    Senator Shelby. Right.\n    Mr. Tarullo.----can do as principal anything that a \nnational bank----\n    Senator Shelby. Right. Right. 
On the European banks that do \nbusiness in this country, and a lot of them do, the big ones, \nthey, as I understand it, will come under the Volcker Rule, \ntoo, here.\n    Mr. Tarullo. Here in the United States, yes, sir.\n    Senator Shelby. Now, how is that coming along?\n    Mr. Tarullo. Well, of course----\n    Senator Shelby. Because in Europe, they have got a \ndifferent deal, have they not?\n    Mr. Tarullo. That is right. We are just----\n    Senator Shelby. Like, if it was a Deutsche Bank, an HSBC, \nthe Volcker Rule in the European Union there does not apply to \nthem, but it would apply to them doing business in the United \nStates.\n    Mr. Tarullo. That is right. The rules enacted by the five \nagencies would apply to any banking organizations within the \nUnited States, and so they would apply. There is, as you know, \nan exception in the Volcker Rule for activity done solely \noutside the United States by a foreign bank, and so there are \nstandards for meeting that. As you suggest, the European Union \nis now thinking about their own version of the Volcker Rule, \nbut that is a proposal at this juncture, so we do not know \nexactly how it would line up.\n    Senator Shelby. I know all of you watch what is going on in \nEurope, and you should. They have a number of so-called stress \ntests coming up. How do those stress tests compare to the \nstress tests that you folks put our banks through? We have \nalways thought and heard and read that they are not as \nstringent or strict.\n    Mr. Tarullo. Well, as you can tell, we have paid a lot of \nattention to our stress tests in the United States and we try \nto improve them every year. I think what you are seeing in \nEurope now is a somewhat different approach to the stress \ntesting exercise, and importantly, it is now being done at the \nEuropean Central Bank, and the European Central Bank is doing \nit as the soon-to-be umbrella supervisor for all the large \nbanks in Europe. 
They have the capacity to do scenarios the way \nwe do, and so I think we are going to see a somewhat different \napproach.\n    They do have a big task, though. You know, we do about 30 \nof our institutions and they have got over 100 that they have \nto cover. So, it is a big task and it is going to take them \nabout a year to do it. But I think here, as in many other \nareas, we are starting to converge more on practice.\n    Senator Shelby. I will direct--this is my last question--to \nboth you and the Chairman, Marty, of FDIC. Today, 2014, how do \nyou feel about the capitalization of our banking system \noverall? First, Marty, I will ask you, and then--that is very \nimportant. And how far has it come, and is it where you want it \nor are you going--they are going to have to jump through some \nmore hoops?\n    Mr. Gruenberg. I would say, Senator, we are getting there.\n    Senator Shelby. Mm-hmm.\n    Mr. Gruenberg. We have made real improvements.\n    Senator Shelby. Absolutely.\n    Mr. Gruenberg. I think, it is fair to say as a general \nproposition over these last 4 years since the crisis, our banks \nacross the board, from large to small, have significantly \nrebuilt their balance sheets and are in a stronger capital \nposition today. I also think, and Governor Tarullo certainly \nwill comment on this, that we are moving, in particular, to \nstrengthen the capital requirements for our largest, most \nsystemically significant institutions. That is still a work in \nprogress, but I think we are moving in the right direction.\n    Senator Shelby. Governor.\n    Mr. Tarullo. 
Senator, with respect to the smaller banks, \nwhich I would say is all but the biggest 30, the expectations \nthat we have with respect to the new capital rules, I think \nthose are all now in place and most banks already meet those, \nand those that are not, do not, I think will be coming up to do \nso.\n    As Chairman Gruenberg mentioned, we are still focused on \nthe largest institutions, and it will not surprise you to hear \nme say that I am particularly focused on institutions that have \na heavy reliance on short-term wholesale funding. And I believe \nthat we need to think in terms of potentially more capital at \nthe very largest institutions which have that vulnerability to \nruns from short-term wholesale funding.\n    The second thing I would say is, what the stress tests do \nis give us a dynamic capital measure as opposed to a static \none. We give a scenario. We project forward what losses will be \nrather than just rely on backward-looking measures. And the \ncontinued improvements on that, the rigor in the scenario, the \ntaking into account new things like interest rate shocks are a \nway to assure that, regardless of the capital ratios required \non the books, that we do have the kind of resiliency in the \nsystem which we have all been striving for.\n    Senator Shelby. What about flexibility of capital? How \nimportant is that? You can have the capital, but you have got \nto be able to use it at stressful times, have you not?\n    Mr. Tarullo. That is correct, Senator, and that is why the \nemphasis that all three of us have had on common equity, which \nis the most loss absorbent form of capital. You know, over the \nyears--we should just call it as it was--there were some games \nplayed with the kind of things that could qualify as capital.\n    Senator Shelby. Sure.\n    Mr. Tarullo. 
I think we saw in the crisis that when stress \nhits, the markets will see right through those sorts of things, \nand that is why common equity needs to be at the center of our \ncalculation.\n    Senator Shelby. But you ought to be able to see through it \nfirst, as a regulator, right?\n    Mr. Tarullo. That is correct, Senator.\n    Senator Shelby. Thank you. Thank you, Mr. Chairman.\n    Chairman Johnson. Senator Warren.\n    Senator Warren. Thank you, Mr. Chairman.\n    All of our regulators have conceded that our largest banks \nare still too-big-to-fail. Perhaps this is a time to note that \na 21st century Glass-Steagall would reduce both the size of the \nfinancial institutions, so there would not be so many that are \ntoo big, and reduce the risk by separating their banking \nactivities and help us bring too-big-to-fail under control. I \ndo not think we should be waiting longer to do this.\n    But, I also want to talk about another part while we have \ngot you here, and that is in 2013 alone, J.P. Morgan spent \nnearly $17 billion to settle claims with the Federal \nGovernment, claims relating to its sale of fraudulent mortgage-\nbacked securities, its illegal foreclosure practices, like \nrobo-signing, its manipulation of energy markets in California \nand the Midwest, and its handling of the disastrous London \nWhale trade. And at the end of the year, J.P. Morgan gave its \nCEO, Jamie Dimon, a 75 percent raise, bringing his total \ncompensation to $20 million.\n    Now, you might think that presiding over activities that \nresulted in $17 billion in payouts for illegal conduct would \nhurt your case for a fat pay bump, but according to the New \nYork Times, members of the J.P. Morgan Board of Directors \nthought that Jamie Dimon earned the raise, in part, and I am \nquoting here, ``by acting as chief negotiator as J.P. 
Morgan \nworked out a string of banner government settlements.'' I think \nthis raises questions about whether our enforcement strategy is \nworking or whether it is actually so bad that we are making it \nmore likely for big banks to break the law.\n    Neil Weinberg, the Editor-in-Chief of the American Banker \nmagazine, said that in the current environment, quote, ``Bank \nexecutives would be crazy to hold back. If they get caught, \nthey can pay their way out of the problem with shareholders' \nmoney. And if their misdeeds pay off as expected, the profits \nwill goose their pay.'' I will add, even if they do get caught, \nthe executives might still get a raise.\n    So, here is my question. Does anyone on this panel \nseriously think that the Government's current enforcement \nsystem for financial crimes is actually working in the sense of \ndeterring future law breaking? Anyone?\n    Mr. Tarullo. Well, I think we are going to have to wait and \nsee, Senator, as to whether the magnitude of those fines will, \nin fact, have a deterrent effect going forward. As you noted, \nany dollar paid in compensation to any employee comes out of \nthe capital available for distribution to shareholders.\n    Senator Warren. I am not quite sure I am following the last \npoint, though, Governor Tarullo. Jamie Dimon got a raise after \nhe negotiated $17 billion to pay off for activities that were \nillegal that he presided over. So, I am not quite sure how this \nis a deterrent for other CEOs.\n    Mr. Tarullo. Again, I am not going to comment on the \nspecifics of that case other than to make the point that I do \nnot know whether it is going to be a deterrent. I can say from \nour point of view, we are concerned with the healthy \ncapitalization of the firm and the question in making sure that \nno payment of executive compensation or distribution to \nshareholders threatens that. 
The issue is between the \nshareholders and the executive, as long as it does not run \nafoul of those kind of safety and soundness considerations, \nthat is not something that we get directly involved in. I do \nnot know if you are asking whether you think the fines need to \nbe even larger.\n    Senator Warren. So, no, the question I am asking is whether \nor not there is adequate deterrence to prevent the largest \nfinancial institutions in this country from breaking the law, \nand I am just reading what evidence we have to go on right now.\n    You know, in the criminal system, we try to deter future \nmisconduct by sending people to jail. In the civil system, we \ntry to deter future conduct, bad conduct, by having treble \ndamages and other things that will be sufficient deterrents. \nBut right now, if financial institutions can just settle their \nclaims out of court and get a raise for settling them, then \nwhere is the deterrent? That is the part I am having trouble \nunderstanding. Anyone?\n    Mr. Wetjen. Senator, I will make one observation in the \ncontext of the LIBOR settlements that the CFTC has engaged in. \nIt has been brought to the attention of the agency that a lot \nof modifications of behavior have resulted in the wake of those \nsettlements and in the wake of those enforcement actions, which \ncollected more than a billion dollars for the taxpayer. I am \nnot suggesting that there might not be other ways to enhance \nour enforcement program or the enforcement program of other \nregulatory agencies, but there does seem to be some \nmodification of behavior that is very, very positive for the \nmarkets.\n    Senator Warren. Well, I am glad to see there is some \nmodification of behavior, but we have to worry about this. 
You \nknow, I want to say, I thought that SEC Chairwoman Mary Jo \nWhite took the right step when she changed the SEC's ``no \nadmit, no deny rule'' so that there was at least less room for \nfinancial institutions.\n    I guess we can stop this now, but I think the public has \nlittle confidence in regulators' willingness to seek the kind \nof penalties that will actually deter future financial crimes, \nand I do not blame them. I know that many of your agencies have \nbeen starved for the financial resources that you need to be \naggressive in your enforcement actions.\n    I know it is tough to go up against a big financial \ninstitution that seems to have unlimited resources. But Jamie \nDimon himself said on CNBC a couple of weeks ago that J.P. \nMorgan could never afford a public trial. He said--I am quoting \nhere--``Banks have a very tough time doing that. That would \nhave been criminal for me to subject our company to.'' If Jamie \nDimon sees that he could not go to trial and it is totally up \nto him, this should enhance your leverage.\n    It tells me that if regulators are even slightly willing to \ntake a large financial institution to trial, that will have an \nimpact on future behavior of these financial institutions and \non the meaningfulness of any settlement. Until that time comes, \nI am not confident that our enforcement system is doing nearly \nenough to protect the public from financial crimes.\n    Thank you, Mr. Chairman.\n    Chairman Johnson. Senator Menendez, and then Senator Shelby \nto wrap it up.\n    Senator Menendez. Thank you, Mr. Chairman. I appreciate the \nopportunity again.\n    I understand totally what Senator Warren is raising, and \nthe question of the terms--I just want to go back to the three \nwitnesses that I was talking to--data breach again, because it \nis the same concern about making sure that there is a \ndeterrence. 
When you look at a financial institution's data \nsecurity measures, to what extent are you evaluating based on \nrisk of harm to the financial institution versus risk of harm \nto the consumer?\n    Mr. Curry. Senator, I think it is both. In terms of the \nrisk to the system, that is part of the examination and \nsupervision that we do. I mean, it is critically important that \nthe financial plumbing works, so that is one of our focuses. We \nare enforcing, basically, consumer protection laws with respect \nto notification, assistance if there are breaches and making \nsure that controls and systems are in place to prevent future \nincidences. So, I would say it is both. The focus is to protect \nthe consumer as well as to protect the system itself.\n    Senator Menendez. Mm-hmm. Do any of you have a comment?\n    Ms. White. I could just add, Senator Menendez, I think that \nis why enforcement and examination is so important in this \nspace, too, in order to make sure that you at least are \nbringing to bear maximum deterrence. It is really for the \nbenefit of the client or the customer where you have the \nauthority to act, even though your jurisdiction is over the \nentity.\n    Senator Menendez. Chairman, do you----\n    Mr. Gruenberg. Senator, I agree with the points that have \nbeen made. It both goes to the financial institution and to the \ncustomer. I think the authorities in this area are strong for \nthe financial institution. One area that may be worth some \nreview is the Bank Service Company Act, which was enacted in \n1961. It goes to the third-party service providers, which have \nbecome a more important factor in this whole system and may be \nworth some attention. I think the gap here is for the \nnonbanking sector that needs focus and attention.\n    Senator Menendez. 
Well, at the hearing the other day, we \nhad the banks, the retailers, and the card companies, and it \nwas interesting to see the bankers and the retailers pointing \nto each other as the ones who should be requiring greater \nliability consequences. The only problem with that is they are \ngoing like this. The consumer is in the middle and not being \nprotected. So, going back to the Governor's comments, I really \ndo believe we need to create a standard that has a common \nthread across all of this universe to protect the consumer at \nthe end of the day.\n    Finally, on a different topic, Under Secretary Miller, I \nrecently asked Treasury nominee Sarah Bloom Raskin in her \nconfirmation hearing about the tasks that financial regulators \nset in setting capital requirements for new types of companies \nunder the Wall Street Reform legislation. And as I asked her in \nher hearing, I said, I support strong capital requirements and \nbelieve they are an important component for both safety and \nsoundness and systemic risk regulation, but I have heard \nconcerns from, for example, insurance companies about \nregulators applying bank-specific capital requirements to them, \ndespite the fact that many insurance companies have very \ndifferent business models, balance sheets, and risk profiles \nfrom banks.\n    And in her hearing, Ms. Bloom Raskin agreed that capital \nstandards for insurance companies have to be properly tailored, \nsaying a one-size-fits-all is not going to work, and \nrecognizing that they have a very different set of asset \nliability structures than banks do. Do you agree with her \nstatement, and what is Treasury doing in its role on the \nFinancial Stability Oversight Council to ensure that we do not \nmistakenly take a one-size-fits-all approach, that we use the \nright tool for the right circumstances?\n    Ms. Miller. Thank you, Senator Menendez. 
I am not sure I \ncan add a lot to what Governor Raskin elucidated in her \nresponse to you before, but I would say, at the FSOC, in the \nprocess of designating nonbank financial institutions, a lot of \nattention has been paid to the business models. A lot of \nattention has been paid to the fact that you cannot have that \none-size-fits-all approach to capital. I think that the Federal \nReserve is charged with the appropriate calibration of \nrulemaking to these institutions, and I think that we have \ngiven them all the support we can to make sure that we get this \nright.\n    Senator Menendez. Yes, but you have a role at FSOC.\n    Do you want to comment, Governor? I know this is an area \nwhere----\n    Mr. Tarullo. Yes. Thank you, Senator. We share your view \nthat the liability structure on the financial institution \naffects the amount of capital it needs. It does not affect how \nrisky a particular asset is. It does not matter who holds it. \nAn asset is an asset. But the liability structure does affect \nhow much capital is needed.\n    Both with respect to the savings and loan holding \ncompanies, which are owned in some cases by insurance \ncompanies, and with respect to any institutions designated by \nFSOC as systemically important, including AIG and Prudential, \nwe are trying to tailor, as best we can, the capital \nrequirements to take account of, A, the particular products \nthat insurance companies offer that banks do not, and, B, the \ndifferent business model.\n    A is pretty straightforward. Sometimes, it is technically \ncomplex, but conceptually, it is pretty straightforward and we \nare in the process of doing that. It is a little harder to do \nwith B, in some cases, because of the Collins Amendment, which \ndoes place a bank-generated floor under capital requirements \nfor all institutions.\n    So, we are continuing to work as best we can. 
That is one \nof the reasons we delayed the capital requirements for S&L \nholding companies, because we want to take as much time as we \ncan to use the authority we do have to tailor these provisions \nas best we can.\n    Senator Menendez. Well, we look forward to hopefully \ngetting it right, because it is going to make a big difference \nin terms of the consequences to not only insurance companies, \nbut that as a product for Americans to be able to create both \nsecurity for themselves and time and opportunity.\n    So, thank you, Mr. Chairman.\n    Chairman Johnson. Senator Shelby.\n    Senator Shelby. Yes. I would like to direct this, first, to \nChairman White. It seems in recent months that the SEC has \nbecome a lot more aggressive on its enforcement, which I think \nis more than welcome in this country. Of course, you bring \nunique qualifications as a former U.S. Attorney to the SEC. \nWhat has bothered a lot of people in this country for a long \ntime, that when you enforce something and people pay huge \nfines--huge--and they do it without admitting any wrongdoing, \neither criminal or civil, you know, sometimes. And sometimes, I \nknow, you punish people by fines. We understand that. It hurts.\n    But sometimes it seems to me that people, if they are \nguilty of wrongdoing, criminal or civil, that that should be \npart of the deal in your law enforcement, because at the \nbeginning of the day and end of the day, the financial system, \nthe banking system, securities, everything that goes with it, \nthe integrity of that system is so important, not just the \nperception, but a lot of times reality, too.\n    How are you working--I know you set a different tone over \nthere yourself, and I commend you for that. How are you working \nwith the other regulators in ferreting out wrongdoing----\n    Ms. White. We work--I am sorry.\n    Senator Shelby.----jurisdiction, dealing with securities, \nbecause it overlaps everywhere.\n    Ms. White. 
Yes, it does overlap. We have very close working \nrelationships, I think, with all of the criminal enforcement \nagencies as well as civil enforcement agencies where there is \nthat overlapping jurisdiction, because you certainly can get \nsynergies and do more.\n    As you know, Senator, shortly after I got to the \nCommission, I did change our settlement protocol to, in \nappropriate cases--I could talk about parameters, but in \ncertain cases where I think public accountability is \nparticularly important, that we will require admissions, \nbecause it does give that public accountability, particularly \nin cases of egregious conduct, that I think the public deserves \nand, frankly, is important to the credibility of law \nenforcement and deterrence. I think----\n    Senator Shelby. And for the justice system of America.\n    Ms. White. Yes, and for the justice system, and I come from \nthat----\n    Senator Shelby. Because if the perception is, if you are so \nrich and you are so powerful that you can get by with this and \nthat, that undermines everything, does it not?\n    Ms. White. I think that it certainly can do that, without \nquestion.\n    Senator Shelby. Mm-hmm.\n    Ms. White. We still, in many cases, and I think wisely so, \ndo follow the ``no admit, no deny'' protocol to settle cases. \nIt results in returning monies to harmed shareholders more \nquickly. It does eliminate litigation risk. But at the same \ntime, we have to be cognizant of, I think, in all cases, \nfrankly, is this one where there will be no settlement unless \nthere is that admission of wrongdoing.\n    Senator Shelby. OK. Thank you very much.\n    Chairman Johnson. Senator Schumer.\n    Senator Schumer. Thank you. Thank you, Mr. Chairman. I \nthank the witnesses.\n    My first question is for Governor Tarullo. It is a general \nquestion. 
It a little bit relates to what Senator Menendez was \nsaying.\n    Now, I know we have Collins and the $15 billion and the \nVolcker Rule, and I know how that passed at the last minute and \nall of that. But, it is a more general problem, and that is \nthere all too often, both here and in the regulatory world, \nsort of a cutoff that is a numerical number, even when it does \nnot apply to the Collins rule.\n    And what I am finding is there are a good number of banks \nthat are fairly large but are pretty much plain vanilla banks, \nand this is, in general, how they are regulated. In other \nwords, they are not the huge banks in New York City that do all \nkinds--they are investment banks as well as regular banks, and \nhaving high capital requirements and making sure the mistakes \nof 2007 and 2008 are not repeated, making sure the Volcker Rule \napplies and all of that, I have no problem with.\n    But, oftentimes, it is also applied to banks that might \nhave $30, $40, $50 billion in assets but are plain vanilla \nbanks. They do not do all of the investment banking activities, \nthe trading activities that the largest banks do, and yet they \nseem regulatorily often to be lumped in with them. And some of \nthese institutions are in Upstate New York and they are really \ngood for the economy. They are doing lending to businesses, \nsmall business lending, just what a traditional bank was.\n    And I was just wondering, do you think that, too often, the \nregulators and even the rulemaking process--look, we just had \nit here. Senator Merkley had an amendment on conflict of \ninterest in flood insurance, if the bank--banks below $15 \nbillion were exempt. Well, conflict of interest could occur in \na small community bank just as easily in the largest bank in \nthe country. 
There was no reason to exempt all the community \nbanks from this or to treat them differently than the larger \nbanks.\n    So, my question is, how is the Fed and how are the \nregulators, since you are the bank regulation guy, \ndifferentiating and not treating larger banks who are plain \nvanilla banks and do the same types of activities as smaller \nbanks like the ones that do the much riskier types of \nactivities? I am hearing this complaint constantly, not just \nfrom New York, but from around the country.\n    Mr. Tarullo. So, I think a couple of things, Senator. One, \nas you know, Section 165 of the Dodd-Frank Act put into law the \nproposition that with the increasing size and complexity of \nbanks, there should be increasingly stringent regulation. It \nsounds simple, but that has not always been a precept of \nfinancial regulation, and I think it is quite central to what \nwe should be trying to do.\n    A second point which builds on that is at the Fed, we have \ncreated a special mechanism, including the Large Institution \nSupervision Coordinating Committee--for the very largest, most \ncomplex banks, and many of the regulations which we talked \nabout earlier in the hearing--I know you were not present for \nit, but many of the regulations we are proposing to do now, \nsome of the ones in my prepared testimony, we will be applying \nonly to those institutions, things like the requirement for a \nminimum amount of subordinated debt, things like the \nsupplementary leverage ratio.\n    So, having said that, though, coming to the third point. It \nis the case that as we adapt and make more stringent and more \nhorizontal and more interdisciplinary our regulation and \nsupervision of the very largest institutions, I have noticed \nthere is an unintentional trickle down effect, which is to say \nsupervisors may look and say, gee, you know--they are requiring \nthe biggest banks to do this. 
That must be state-of-the-art \nsupervision.\n    And I have tried to impress on people that I think we need \nto develop a state-of-the-art supervision for the largest \ninstitutions. We need to develop a state-of-the-art supervision \nfor community banks and for the regionals and the super-\nregionals, each of which is not a paler or stronger version of \nthe other but is instead customized to those institutions.\n    And it is something that I have been thinking about more \nand more over the last year because I keep hearing it, and it \nis--you know, we have seen it with stress testing, that we are \nsupposed to have different expectations for the different size \ninstitutions, and I realize that the senior people in our \nBanking Supervision and Regulation Division need to keep making \nclear they are different expectations. So, it is almost a \nnatural instinct of people to say, we want the best or the \ntoughest.\n    So, I agree with the premise behind your question. You \nknow, my perspective on banks that are essentially lending \ninstitutions of a traditional sort is that strong capital, good \nexamination, and some of the traditional activities \nrestrictions are really the core of what we need. And some of \nthe other things, if I can put it in cost-benefit terms, \nSenator Crapo, cost more than they are worth----\n    Senator Schumer. Right.\n    Mr. Tarullo.----in terms of increased safety.\n    Senator Schumer. Good. I am glad to hear that from you. As \nyou said, it is size and complexity. None of these institutions \nwill bring down the country if, God forbid, they were to fail. \nSo, it is not size alone. It is complexity that ought to be \nplaying a role here. Thank you.\n    Chairman Johnson. I want to thank today's witnesses for \ntestifying about oversight of both financial stability and data \nsecurity. 
Both are incredibly important to today's economy.\n    This hearing is adjourned.\n    [Whereupon, at 11:57 a.m., the hearing was adjourned.]\n    [Prepared statements and responses to written questions \nsupplied for the record follow]:\n                  PREPARED STATEMENT OF MARY J. MILLER\n    Under Secretary for Domestic Finance, Department of the Treasury\n                            February 6, 2014\n    Chairman Johnson, Ranking Member Crapo, and Members of the \nCommittee, thank you for inviting me to testify today on behalf of the \nTreasury Department.\n    Just over three and a half years ago, Congress passed and President \nObama signed into law a historic set of reforms to make our financial \nsystem stronger and more stable. We have made considerable progress \ntoward achieving those objectives through implementation of the Dodd-\nFrank Wall Street Reform and Consumer Protection Act, and related \nreforms. The crisis revealed that regulation and oversight failed to \nkeep pace with an evolving financial system, and demonstrated why we \nmust always remain vigilant to potential emerging risks in financial \ninstitutions and markets.\n    Most of the foundational reforms laid out in the Dodd-Frank Act \nhave now been finalized, and intensive work on the remaining pieces \ncontinues. The new Consumer Financial Protection Bureau has taken up \nits mission quickly, acting to strengthen consumer protections in the \nmortgage market; establish Federal supervision over large payday \nlenders and debt collectors for the first time; and provide assistance \nto the elderly and military families who are so often targeted by \nunscrupulous lenders. Last year, the bank regulatory agencies finalized \nkey rules strengthening the quality and quantity of capital that banks \nare required to hold, and proposed new rules that will require the \nlargest firms to decrease their leverage. 
A new framework for \nregulatory oversight of the over-the-counter derivatives market is \nlargely in place, for those swap dealers registering with the Commodity \nFutures Trading Commission (CFTC) and certain interest-rate and credit-\nindex swap transactions moving to central clearinghouses, reducing \noverall risk to the financial system. Starting this month, new classes \nof swaps transactions will begin to be traded on swap execution \nfacilities, bringing much-needed transparency to these markets.\n    The United States has moved quickly to put these critical reforms \nin place, and the American people are beginning to feel the benefits of \nreform through a safer and stronger financial system and a broader \neconomic recovery. Although financial markets have recovered more \nquickly than the overall economy, the economic recovery is gaining \ntraction. Private sector payrolls have increased by more than 8 million \njobs from the low point in February 2010, and December marked the 46th \nconsecutive month of private-sector job growth. The unemployment rate, \nwhile still too high at 6.7 percent, has fallen to 3.3 percentage \npoints since its October 2009 peak of 10.0 percent, and almost a full \npercentage point since my last testimony before this Committee. The \nrecovery in the housing market appears to be taking firm hold as \nmeasured by rising home prices, and a declining number of delinquencies \nand defaults.\n    Although we have made good progress, we must continue our efforts \nto complete the remaining pieces of financial reform and stand ready to \nidentify and respond to new threats to financial stability. 
We must \nalso continue to work with our international counterparts to promote \nstrong and consistent global approaches to financial regulation and \nencourage them to move swiftly toward the completion and implementation \nof key reforms in their jurisdictions, preventing firms from evading \nreforms through regulatory arbitrage.\n    I would like to update the Committee on several important \nregulatory developments since I appeared before you last July.\n    Secretary Lew, in his capacity as Chairperson of the Financial \nStability Oversight Council, was responsible for coordinating the \nregulations issued by the five rulemaking agencies--the Board of \nGovernors of the Federal Reserve System (Federal Reserve), the Federal \nDeposit Insurance Corporation (FDIC), the Office of the Comptroller of \nthe Currency (OCC), the Securities and Exchange Commission (SEC), and \nthe CFTC--to implement Section 619 of the Dodd-Frank Act, commonly \nreferred to as the Volcker Rule. Starting from his first day in office, \nSecretary Lew stressed the importance of finishing work on the Volcker \nRule, and the importance of having a single, strong final rule that was \ntrue to President Obama's proposal and the statute's intent. The final \nrule adopted in December will protect taxpayers and the Federal safety \nnet by ending banks' speculative trading activities for their own \nbenefit rather than for the benefit of their customers, and restricting \ntheir investment in private equity and hedge funds, while preserving \nbanks' ability to maintain deep, liquid financial markets and hedge \ntheir risks. The rule's requirement that the largest firms' CEOs attest \nto the maintenance and enforcement of compliance programs will help \nfoster a ``tone at the top'' for a culture of compliance. 
The rule also \ncontains a tiered compliance regime, to help ensure that smaller banks \nthat do not engage in impermissible proprietary trading or private fund \nactivities do not face unnecessary compliance burdens.\n    Our progress in 2013 was not limited to completion of the Volcker \nRule. Last summer, the Federal Reserve, FDIC, and OCC finalized an \nimportant set of rules implementing the Basel Committee's risk-based \ncapital standards, which will increase both the quantity and quality of \ncapital held by banks and bank holding companies. The banking \nregulators also proposed complementary enhanced leverage standards that \nwill act as a backstop to the risk-based capital requirements, and will \nrequire the largest banks and bank holding companies to reduce their \noverall leverage. An international group of regulators recently made \nsignificant progress toward consistent application of the leverage \nrequirement across different jurisdictions by agreeing on a global \nframework for calculating the leverage ratio. The United States \ncontinues to lead international efforts to raise regulatory standards \naround the world.\n    The Federal Reserve is also poised to issue additional enhanced \nprudential standards that will increase safety and soundness at the \nlargest and most complex banks and designated nonbank financial \ncompanies.\n    The bankruptcy process, aided by the Dodd-Frank Act's living wills \nrequirement, continues to be the primary method for resolving failing \nfinancial companies. All of the firms that are required to submit \nliving wills have done so, and the largest bank holding companies \nsubmitted their second round of living wills last fall, providing a \nmore refined tool to facilitate their orderly resolution through \nbankruptcy should they fail.\n    However, in the case where bankruptcy cannot be relied on to \nresolve a failing financial company without imposing serious adverse \neffects on U.S. 
financial stability, the Dodd-Frank Act's orderly \nliquidation authority provides critical new authorities so that firms \ncan safely be allowed to fail, no matter how large and complex.\n    In December, the FDIC issued and sought public comment on an \nimportant document detailing its strategy for resolving a financial \ncompany using its orderly liquidation authority. The document provides \ngreater detail on the FDIC's ``single point-of-entry'' strategy that \nthe FDIC developed to implement its authority. The single point-of-\nentry strategy is designed to accomplish the goals of orderly \nliquidation by allowing critical operating subsidiaries of a failing \nfirm to remain in business during the resolution, while also preserving \nmarket discipline in accordance with the law's requirements--that \nlosses are borne by shareholders and creditors, that culpable \nmanagement are held accountable and removed, and that taxpayers bear no \nlosses. International cooperation is critical to ensure workability \nacross borders, a topic discussed in more detail below.\n    The Financial Stability Oversight Council (Council) remains focused \non its authority to determine that certain large, complex nonbank \nfinancial companies whose material financial distress could threaten \nU.S. financial stability will be subject to more stringent prudential \nstandards and oversight. This past summer, the Council designated \nAmerican International Group, Inc. and General Electric Capital \nCorporation, Inc., subjecting them to enhanced prudential standards and \nconsolidated supervision by the Federal Reserve. And, after company \nmanagement had a formal hearing with the Council to contest the \nCouncil's proposed designation of the company, the Council also \nfinalized its designation of Prudential Financial, Inc. 
These \ndesignations are in addition to the eight financial market utilities \nthat the Council designated in 2012.\n    The Council's review of nonbank financial companies is an ongoing \nprocess, and the Council will continue to evaluate other companies for \npotential designation.\n    The progress we have made on instituting a significantly stronger \ncapital regime and creating a credible resolution process, and the \nexpansion of the supervisory umbrella to cover designated nonbank \nfinancial companies, are key developments in making the failure of \nlarge, complex firms less likely and making our financial system more \nresilient in the event of such a failure.\n    We also continued to make progress on derivatives reform in 2013. \nThe implementation of reporting and clearing rules were critical steps \nforward in improving the safety and transparency of the derivatives \nmarket. We understand that for derivative reforms to work correctly, \nthey must align globally. Last summer, the CFTC finalized its guidance \nwith respect to the applicability of the Dodd-Frank Act's derivatives \nreforms to cross-border derivatives transactions and, together with the \nEuropean Commission, announced a ``Path Forward,'' laying out their \njoint understandings regarding the regulation of cross-border \nderivatives transactions. In September, an international working group, \nco-chaired by the Federal Reserve and including the SEC and CFTC, \nfinalized margin standards for noncleared derivative transactions. U.S. \nregulators are now working to adopt these standards domestically, and \nwe expect these rules to be finalized this year. 
In addition, by the \nend of last year, 22 swap execution facilities were registered with the \nCFTC, and the trading volume on those platforms is expected to increase \nsignificantly later this month when trading in several interest rate \nand credit derivatives will be required to take place on SEFs.\n    Treasury's Federal Insurance Office (FIO) also made significant \nprogress in fulfilling its mission in 2013. In December, the FIO \nreleased its report on the modernization and improvement of the system \nof insurance regulation in the United States. The report made 27 \nrecommendations designed to bring our insurance regulatory system into \nthe 21st century and make it more responsive to the needs of consumers, \nmarket participants, and host supervisors in a global environment. The \nFIO will also release a report on the reinsurance market, and the \nPresident's Working Group on Financial Markets, with input from the \nFIO, will release its analysis of the long-term availability and \naffordability of terrorism risk insurance this year.\n    In addition, the FIO continues its work on the international front \nto represent U.S. interests in the development of international \ninsurance standard-setting and financial stability activities. The FIO \nhas worked and will continue to work closely and consult with other \nFederal agencies and with State insurance regulators on these efforts. \nThe FIO is involved in the work of the International Association of \nInsurance Supervisors (IAIS) to develop a common supervisory framework, \nincluding a capital standard, for internationally active insurance \ngroups.\n    Treasury and the Financial Stability Oversight Council also remain \nfocused on emerging threats that might arise outside, or on the \nperiphery of, the traditional banking sector. To that end, the Council \nis actively analyzing the extent to which there are potential threats \nto U.S. 
financial stability arising from asset management companies or \ntheir activities, and whether such threats could be mitigated by \nCouncil designations or whether they would be better addressed through \nother regulatory measures. As part of this analysis, the Council \nrequested that the Office of Financial Research conduct a study of \nasset management activities to help determine whether these activities \ncould create, transmit, or amplify stress through the financial system. \nThe OFR released its study at the end of September following a careful \nanalysis that included discussions with a number of market participants \nand input from Council member agencies with relevant expertise.\n    The Council's focus on emerging risks outside the core banking \nsystem led it to issue, at the end of 2012, proposed recommendations \nfor money market mutual fund (MMF) reforms. Throughout this process, \nthe Council has made it clear that the SEC is the primary regulator of \nMMFs and should take the lead in driving reform. Last June, the SEC \nproposed regulations intended to reduce the risks presented by MMFs, \nand we expect that the SEC will issue a final rule later this year that \nwill address the vulnerabilities identified by the Council.\n    Another area of growing concern for Treasury and the Council is the \nvulnerability of our financial sector infrastructure to cyber events. \nCyber threats to financial institutions and markets are growing in both \nfrequency and sophistication. The changing nature of these cyber \nthreats prompted the Council last year to highlight operational risk, \nand cybersecurity in particular, as worthy of heightened risk \nmanagement and supervisory attention. 
Council member agencies are \nproviding guidance to financial firms concerning appropriate governance \nmechanisms, information security procedures and testing, adequate \nbackup systems, and emergency business continuity and recovery plans.\n    To maintain data security, safeguard the integrity of markets, and \npreserve consumer and investor confidence, the U.S. Government and the \nfinancial sector have come together to identify financial system \nvulnerabilities, improve the resilience of our financial system, and \nrefine incident management protocols. A public-private partnership is \nnecessary to combine the resources and capabilities of the Government \nwith those of the private sector. In a public meeting in December, the \nCouncil highlighted this partnership by engaging both public sector and \nprivate sector leaders to discuss their efforts. They emphasized \ninformation sharing, declassification of threat information, and \nstrengthening the resilience of firms outside the financial services \nsector that are integral to the functioning of the sector.\n    In addition to its role as a Council member agency, Treasury serves \nas the sector-specific agency for the financial sector with a leading \nrole in policy development and a coordinating role in incident \nresponse. In this role, Treasury has sought to increase engagement, \nimprove coordination, and facilitate information-sharing on \ncybersecurity issues with colleagues across the Federal Government, \nparticularly those involved with national security, homeland security, \nand law enforcement. We communicate regularly with senior officials in \nthese areas on matters specific to cybersecurity, both in the context \nof incidents and on more general operations and policy matters. \nImportantly, Treasury is focused on protecting the financial sector as \na whole, from the largest financial institutions and exchanges to \ncommunity banks and credit unions. 
Accordingly, we work to reach \ninstitutions of all sizes.\n    I would also like to highlight for the Committee a few areas where \nTreasury intends to direct significant attention and resources this \nyear to complete key outstanding pieces of reform. The United States \nresponded to the financial crisis aggressively and on a bipartisan \nbasis to make our domestic system safer and more secure. But given the \nglobal nature of our financial system, we must continue working with \nother regulators to forge compatible rules so that reforms in other \njurisdictions are as strong as our own. From the outset of the crisis, \nthe time and energy we put in to domestic regulatory reform have been \npaired with international efforts to promote high-quality standards, \nbuild a level playing field, and reduce risk. We have made considerable \nprogress through the G-20 and the Financial Stability Board in \ndesigning a more stable and resilient global financial system. But \ndesign is not sufficient. Implementation and follow-through are key.\n    Later this month, the G-20 finance ministers will meet in Australia \nand the United States will use that opportunity to call on the world's \nlargest economies to bear down even more forcefully on implementation. \nAnd next week I will be making a trip to several countries in Asia to \ndiscuss their progress on financial regulatory reform.\n    In 2014, we will take steps to make sure that global banks meet the \nhigh standards we have set. That means moving swiftly to build strong \nand high-quality capital, properly risk-weight assets, curb leverage, \nand build strong liquidity buffers to protect themselves in times of \ncrisis. Several years ago, the G-20 recommended that trading, \nreporting, and clearing of over-the-counter derivatives be in place by \nnow. The United States has forged ahead in getting that done. We need \nto make sure these recommendations are put in place around the globe. 
\nThere will be difficult cross-border issues to manage, and these are \nmade more complex because other nations are moving far more slowly than \nthe United States.\n    One area that will require significant international cooperation is \nthe task of ensuring not only that all derivatives transactions are \nreported to trade repositories, but that the information collected can \nbe used for the purposes it was intended: bringing transparency to our \nderivatives markets and helping regulators and market participants \ndevelop more insight into the types and levels of exposure throughout \nthe financial system. A great deal of work still needs to be done to \nensure that the data reported by industry and collected by regulators \nwill be as useful as possible, or we will be at risk of not achieving \nthat goal. The data are fragmented, with many different trade \nrepositories, within and across jurisdictions, collecting different \nkinds of information in different ways, keeping us from putting all of \nthat information together to develop a full picture of the market. We \nneed to roll up our sleeves and address any obstacles to making these \ndata useful for market participants and for regulators who are \nmonitoring financial stability.\n    Treasury will also continue to engage closely with regulators in \nthe United States and abroad to strengthen our ability to wind down \nfailing financial companies while minimizing the negative impact on the \nrest of the financial system and the global economy. Major financial \ninstitutions operate globally, and cross-border coordination is \nnecessary for resolution of these firms to be effective. Our agenda in \nthe coming year will focus heavily on completing the work underway on \ninternational arrangements that establish how home and host authorities \nwill cooperate to wind down a globally active firm in an orderly way. 
\nTreasury and the regulators will continue to closely collaborate with \nour international counterparts through forums like the Financial \nStability Board and on a bilateral basis to address obstacles to \nresolving large, cross-border firms.\n    In addition to this critical international reform agenda, there is \nstill much to be done domestically. As was the case with the Volcker \nRule, Secretary Lew, as the Chairperson of the Financial Stability \nOversight Council, is responsible for coordinating the joint \nrulemakings to implement Section 941 of the Dodd-Frank Act, the so-\ncalled ``risk-retention'' rule. This rule generally requires issuers of \nasset-backed securities to retain an interest in the securities they \nsell to third parties. The rule was re-proposed last year, and staff \nfrom Treasury, the banking agencies, the Federal Housing Finance \nAgency, the Department of Housing and Urban Development, and the SEC \nhave met regularly--including just last week--to review comments, \nanalyze data, and coordinate on drafting the final rule. Completion of \nthese regulations in 2014 is a priority for Treasury.\n    And finally, in considering risks to financial stability, we cannot \nignore fiscal developments at home. Last year, Congress passed a \ntemporary suspension of the debt limit, and that temporary suspension \nlasts only through February 7, which is tomorrow. After that, in the \nabsence of Congressional action, Treasury will be forced to use \nextraordinary measures to continue to meet its obligations. We now \nforecast that we are likely to exhaust these measures by the end of \nthis month. And even though this is an estimate, it is clear that \nextraordinary measures will not last for an extended period.\n    It would be a mistake to wait until the 11th hour to get this done. \nThe fact is, simply delaying action on the debt limit can cause harm to \nour economy, financial markets, and taxpayers. 
We are already seeing \nsome volatility in Treasury bills that mature after February 7. Around \nthe time of last year's delay, we saw consumer and business confidence \ndrop, and investors and market participants publicly question whether \nit was too risky to hold certain types of U.S. Government debt. Such a \nquestion should be unthinkable.\n\n                                      * * * * *\n\n    Given these realities, it is important that Congress move right \naway to increase our borrowing authority.\n    The last year was a busy one, and we made substantial progress \ntoward the goal of implementing the reforms set forth in the Dodd-Frank \nAct and adopting related reforms to make our financial system stronger, \nmore stable and more focused on fulfilling its core function of \nfacilitating the growth of the broader economy. That does not mean we \nwill be able to relax our guard. To quote Winston Churchill: ``This is \nnot the end. It is not even the beginning of the end. But it is, \nperhaps, the end of the beginning.'' Constant evolution in the \nfinancial system and the activities of financial institutions will \nrequire regulators to be flexible and ready to address new threats to \nthe financial system.\n                                 ______\n                                 \n                PREPARED STATEMENT OF DANIEL K. TARULLO\n        Member, Board of Governors of the Federal Reserve System\n                            February 6, 2014\n    Chairman Johnson, Ranking Member Crapo, and other Members of the \nCommittee, thank you for the opportunity to testify on the Federal \nReserve's activities in mitigating systemic risk and implementing the \nDodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank \nAct). In today's testimony, I will provide an update on the Federal \nReserve's recent activities pertaining to the implementation of the \nDodd-Frank Act and describe our key regulatory and supervisory \npriorities for 2014. 
I will also discuss the Federal Reserve's \nexpectations with regard to information security at the financial \ninstitutions it oversees. Since testifying before this Committee in \nJuly 2013, the Federal Reserve and other banking supervisors have made \nconsiderable progress in implementing the congressional mandates in the \nDodd-Frank Act and otherwise improving financial stability and \nmitigating systemic risks. While these efforts have helped to produce a \nsounder, more stable, and more resilient financial system, work remains \nto be done to address the problems of ``too-big-to-fail'' and systemic \nrisk.\nRecent Dodd-Frank Act Implementation Milestones\n    Since your last oversight hearing, the Federal Reserve, often in \ntandem with some or all of the other agencies represented at this \nhearing, has made progress on a number of important Dodd-Frank Act \nreforms.\nLiquidity rules for large banking firms\n    In October, the Federal Reserve and the other U.S. banking agencies \nissued a proposed rule, consistent with the enhanced prudential \nstandards requirements in section 165 of the Dodd-Frank Act, which \nwould implement the first broadly applicable quantitative liquidity \nrequirement for U.S. banking firms. Liquidity standards for large U.S. \nbanking firms are a key contributor to financial stability, as they \nwork in concert with capital standards, stress testing, and other \nenhanced prudential standards to help ensure that large banking firms \nhave a sufficiently strong liquidity risk profile to prevent creditor \nand counterparty runs.\n    The proposed rule's liquidity coverage ratio, or LCR, would require \ncovered banking firms to hold minimum amounts of high-quality liquid \nassets, such as central bank reserves and high-quality Government and \ncorporate debt, that could be converted quickly and easily into cash \nsufficient to meet expected net cash outflows over a short-term stress \nperiod. 
The proposed LCR would apply to internationally active banking \norganizations--that is, to bank holding companies and savings and loan \nholding companies with $250 billion or more in total consolidated \nassets or $10 billion or more in on-balance-sheet foreign exposures. \nThe proposal would also apply a less stringent, modified LCR to bank \nholding companies and savings and loan holding companies that are not \ninternationally active, but that have more than $50 billion in total \nassets. The proposal would not apply to bank holding companies with \nless than $50 billion in total assets.\n    The proposal's LCR is based upon a liquidity standard agreed to by \nthe Basel Committee on Banking Supervision, but is more stringent than \nthe Basel Committee standard in several areas, including the range of \nassets that will qualify as high-quality liquid assets and the assumed \nrate of outflows for certain kinds of funding. In addition, the \nproposed rule's transition period is shorter than that in the Basel \nCommittee standard. The proposed accelerated phase-in of the U.S. LCR \nreflects our objective that large U.S. banking firms maintain the \nimproved liquidity positions that they built following the financial \ncrisis, in part due to our supervisory oversight. We believe the \nproposed LCR should help ensure that these improved liquidity positions \nwill not weaken as memories of the financial crisis fade.\nStress testing and capital planning requirements\n    The comprehensive stress testing conducted by the Federal Reserve, \npursuant to the Dodd-Frank Act and in connection with the annual \nComprehensive Capital Analysis and Review (CCAR), has become a key part \nof our supervisory efforts for large banking firms, and we are \ncontinuing to develop and expand the scope of this exercise. 
Most \nrecently, the Federal Reserve issued proposed supervisory guidance \nregarding internal stress testing by banking firms with total \nconsolidated assets between $10 billion and $50 billion as mandated by \nthe Dodd-Frank Act and issued interim final rules clarifying how \nbanking firms should incorporate the revised Basel III regulatory \ncapital framework into their capital projections for the CCAR and Dodd-\nFrank Act stress testing cycles that began in the fall.\n    We are continuing to improve the implementation of our stress \ntesting framework by refining the formulation of the hypothetical \nmacroeconomic scenarios that form the basis of the stress tests. In \ndesigning coherent stress scenarios, we draw on many of the modeling \ntools used to inform monetary policy, but also aim to reflect the fact \nthat not all significant risks facing banks arise in typical \nrecessions. As a result, our scenarios now generally incorporate other \nadverse developments, such as an exceptionally large decline in housing \nprices, the default of the largest counterparty, and a worsening of \nglobal economic conditions more severe than might normally be expected \nto accompany a deep recession in the United States. In order for our \nstress testing to remain focused on key vulnerabilities facing the \nbanking system, our stress scenarios will evolve further over time as \nbanking firms' risk characteristics and business models evolve, the \nrelationship between scenario variables and banking firm performance \nshifts, and the economic and market environment in which banking firms \noperate changes. Over the past 6 months, the Federal Reserve also has \nincreased the transparency of our capital planning and stress testing \nwork. 
We have published both a policy statement describing the scenario \ndevelopment process for future capital planning and stress testing \nexercises and a paper discussing our expectations for internal capital \nplanning at large banking firms and the range of practices we have \nobserved at these companies during the past three CCAR exercises. The \ntransparency of our stress testing processes complements our enhanced \ntransparency around the results of the exercises and our assessments of \nfirms' capital planning, all of which aim to give investors, analysts, \nand the public valuable information about firms' financial conditions \nand resiliency to stress.\nVolcker Rule\n    In December, the U.S. banking agencies, the Securities and Exchange \nCommission (SEC), and the Commodity Futures Trading Commission \nfinalized the Volcker Rule to implement section 619 of the Dodd-Frank \nAct. As you know, the Volcker Rule prohibits banking entities from \nengaging in short-term proprietary trading of certain securities and \nderivatives for their own account. The Volcker Rule also imposes limits \non banking entities' investments in, and relationships with, hedge \nfunds and private equity funds. The finalization of this rule took a \nsubstantial amount of time and effort in part because of the intrinsic \nchallenges in distinguishing between the proprietary trading that is \noutlawed by the Dodd-Frank Act and the hedging and market making \nactivities that are allowed by the Act.\n    The ultimate success of the final rule will depend on how well the \nimplementing agencies supervise and enforce the rule. 
While the Federal \nReserve's supervisory role will be less than that of the Office of the \nComptroller of the Currency and the SEC, we will continue to work with \nthe other implementing agencies to develop an effective and consistent \nsupervisory framework and to ensure that the Volcker Rule is \nimplemented in a manner that upholds the aims of the statute, while not \njeopardizing important activities such as market making and hedging. In \npursuit of this goal, shortly after the adoption of the Volcker Rule, \nthe Federal Reserve and the other implementing agencies agreed to \ncreate an interagency working group, which has already begun to meet. \nIn mid-January, the five implementing agencies approved an interim \nfinal rule to permit banking entities to retain interests in certain \ncollateralized debt obligations backed primarily by trust preferred \nsecurities that would otherwise be subject to the Volcker Rule's \ncovered fund investment prohibitions.\nDerivatives push-out\n    In December, the Federal Reserve also approved a final rule \nclarifying the treatment of uninsured U.S. branches and agencies of \nforeign banks under section 716 of the Dodd-Frank Act, which is \ncommonly known as the derivatives push-out provision. The provision, \nwhich became effective in July 2013, generally prohibits certain types \nof Federal assistance, such as discount window lending and deposit \ninsurance, to swap entities such as swap dealers and major swap \nparticipants. Insured depository institutions that are swap entities \nmay avail themselves of certain statutory exceptions and are eligible \nfor a transition period of up to 2 years to comply with the provision. \nUnder the final rule, uninsured U.S. 
branches and agencies of foreign \nbanks are treated as insured depository institutions for the purposes \nof section 716 and therefore qualify for the same statutory exceptions \nas insured depository institutions and are eligible to apply for the \nsame transition period relief. The final rule also establishes a \nprocess for State member banks and uninsured State branches or agencies \nof foreign banks to apply to the Federal Reserve for the transition \nperiod relief.\nFederal Reserve emergency lending authority\n    Also in December, the Federal Reserve issued a proposal relating to \nits emergency lending authority in section 13(3) of the Federal Reserve \nAct that would implement sections 1101 and 1103 of the Dodd-Frank Act. \nAs required by these statutory provisions, the proposed rule is \ndesigned to ensure that any emergency lending program or facility is \nadequately secured by collateral to protect taxpayers from loss and is \nfor the purpose of providing liquidity to the financial system, and not \nto aid an individual failing financial company.\nRisk retention\n    Section 941 of the Dodd-Frank Act generally requires firms to \nretain credit risk in securitization transactions that they sponsor. In \nAugust, the U.S. banking agencies, the Federal Housing Finance Agency, \nthe Department of Housing and Urban Development, and the SEC revised a \nproposed rule issued in 2011 to implement that statutory provision. The \nproposed rule would provide securitization sponsors with several \noptions to satisfy the risk retention requirements in section 941 and, \nas required by the Dodd-Frank Act, would exempt certain \nsecuritizations, including securitizations of ``qualified residential \nmortgages'' (QRM), from risk retention. 
The revised proposal would \ndefine QRM to have the same meaning as the term ``qualified mortgage'' \nestablished by the Consumer Financial Protection Bureau in January \n2013, and, as such, would include a maximum back-end debt-to-income \nratio of 43 percent, a 30-year limit on the term of the mortgage, and a \n3 percent cap on points and fees. While the revised proposal's \ndefinition of QRM has been broadened as compared to that in the \noriginal proposal, it continues to exclude many loans with riskier \nproduct features, such as home-equity lines of credit; reverse \nmortgages; and loans with negative amortization, interest-only, and \nballoon payments. The revised proposal also requested comment on an \nalternative, stricter definition of QRM that would include a maximum 70 \npercent loan-to-value ratio requirement and certain credit history \nstandards in addition to the qualified mortgage criteria. The comment \nperiod for the revised proposal closed at the end of October, and the \nagencies are now carefully reviewing comments.\nAssessment fees\n    Section 318 of the Dodd-Frank Act directs the Federal Reserve to \ncollect assessment fees equal to the expenses it estimates are \nnecessary or appropriate for the supervision and regulation of large \nfinancial companies. The Federal Reserve issued a final rule \nimplementing this statutory provision in August of last year. The rule, \nwhich became effective in October, sets forth how the Federal Reserve \ndetermines which companies are charged, estimates the applicable \nsupervisory expenses of the Federal Reserve related to covered \ncompanies, determines each covered company's assessment fee, and bills \nfor and collects the assessment fees. Payments for the 2012 assessment \nperiod were due in December, and the Board collected approximately $433 \nmillion from 72 companies. As required by law, these fees were \ntransferred to the U.S. 
Treasury.\nKey Regulatory Priorities for 2014\n    The Federal Reserve's regulatory program in 2014 will concentrate \non establishing enhanced prudential standards for large U.S. banking \nfirms and foreign banks operating in the United States pursuant to \nsection 165 of the Dodd-Frank Act and on further enhancing the \nresiliency and resolvability of U.S.-based global systemically \nimportant banks, or GSIBs.\nEnhanced prudential standards for large U.S. and foreign banking firms\n    The Federal Reserve has issued proposed rules, pursuant to section \n165 of the Dodd-Frank Act, which would establish enhanced prudential \nstandards for U.S. bank holding companies and foreign banking \norganizations with total global consolidated assets of $50 billion or \nmore. We anticipate that these rules will be finalized in the near \nterm. For the large U.S. bank holding companies, the outstanding \nproposed standards include liquidity requirements, risk-management \nrequirements, single-counterparty credit limits, and an early \nremediation regime. Finalizing these outstanding proposals would \ncomplement the capital planning, resolution planning, and stress \ntesting requirements for large U.S. bank holding companies that the \nBoard previously finalized.\n    The Federal Reserve has also proposed enhanced prudential standards \nfor large foreign banking organizations with a U.S. banking presence. \nPrior to the financial crisis, the Federal Reserve's approach to \nregulating the U.S. operations of foreign banks rested on substantial \nstructural flexibility for the foreign bank, substantial reliance by \nthe Federal Reserve on the supervisory and regulatory framework of the \nforeign bank's home country, and substantial expectations of support by \nthe parent foreign bank of its U.S. operations. 
A number of \ndevelopments since the 1990s prompted a reevaluation of this approach \nto the regulation of foreign banks in the United States, just as the \nFederal Reserve had in the past reevaluated its approach in response to \nchanges in the size and scope of foreign banking activities and \nfinancial market changes. Most notably, the U.S. operations of foreign \nbanks in the years leading up to the financial crisis grew much larger \nand became much more complex and interconnected with the rest of the \nU.S. financial system. For example, 5 of the top 10 U.S. broker-dealers \nare currently owned by foreign banks and together hold almost $1.2 \ntrillion in assets. The U.S. operations of large foreign banks also \nbecame much more dependent on the most unstable sources of short-term \nwholesale funding and established very substantial net credit exposures \nto the parent foreign bank in the years leading up to the financial \ncrisis. As a result, during the crisis, these banks were heavy users of \nthe Federal Reserve's liquidity facilities.\n    Under the proposed rule, foreign banking organizations with a large \nU.S. presence would be required to organize their U.S. subsidiaries \nunder a single U.S. intermediate holding company that would serve as a \nplatform for consistent supervision and regulation. These U.S. \nintermediate holding companies would be subject to the same generally \napplicable risk-based capital, leverage, and capital planning \nrequirements that apply to U.S. bank holding companies. In addition, \nU.S. intermediate-holding companies and the U.S. branches and agencies \nof foreign banks with a large U.S. presence would be required to meet \nliquidity requirements similar to those applicable to large U.S. bank \nholding companies. The Federal Reserve issued the proposed rule to \npromote the resiliency of the U.S. operations of foreign banking \norganizations and, in turn, U.S. 
financial stability.\nOther regulatory efforts to improve the resiliency and resolvability of \n        GSIBs\n    The financial crisis made clear that policymakers must devote \nsignificant attention to the potential threat to financial stability \nposed by our most systemic financial firms. Accordingly, the Federal \nReserve has been focused on developing regulatory proposals that are \ndesigned to reduce the probability of failure of a GSIB to levels that \nare meaningfully below those for less systemically important firms and \nmaterially reduce the consequences to the broader financial system and \neconomy in the event of failure of a GSIB. Our goal has been to \nestablish regulations that force GSIBs to internalize the large \nnegative externalities associated with their disorderly failure and \nthat aim to offset any remaining too-big-to-fail subsidies these firms \nmay enjoy.\nGSIB risk-based capital surcharges\n    A key component of the Federal Reserve's program to improve GSIB \nresiliency is our forthcoming proposal to impose graduated common \nequity risk-based capital surcharges on GSIBs. This proposal will be \nbased on the GSIB capital surcharge framework developed by the Basel \nCommittee, under which the size of the surcharge for an individual GSIB \nis a function of the firm's systemic importance. We currently are \nworking on the implementing regulation for the Basel Committee GSIB \nrisk-based capital surcharge framework and expect to issue a proposal \nfairly soon. 
By further increasing the amount of the most loss-\nabsorbing form of capital that is required to be held by the firms that \npotentially pose the greatest risk to financial stability, we intend to \nreduce the probability of failure of these firms to offset the greater \nnegative externalities their failure would have on the financial system \nand to offset any funding advantage such firms may have because of \ntheir perceived status as too-big-to-fail.\nGSIB leverage surcharges\n    To further bolster the regulatory capital regime for the most \nsystemic U.S. banking firms, the Federal Reserve and the other U.S. \nbanking agencies have proposed to strengthen the internationally \nagreed-upon Basel III leverage ratio as applied to U.S. GSIBs. This \nproposal would require U.S. GSIBs to maintain a tier 1 capital buffer \nof at least 2 percent above the minimum Basel III supplementary \nleverage ratio of 3 percent, for a total of 5 percent. In light of the \nsignificantly higher risk-based capital rules for GSIBs under Basel \nIII, imposing a stricter leverage requirement on these firms is \nappropriate to help ensure that the leverage ratio remains a relevant \nbackstop for these firms. And we have calibrated the proposed GSIB \nleverage surcharge thresholds to raise the leverage standards for these \nfirms by an amount that is roughly commensurate with the Basel III \nincrease in the risk-based capital thresholds for these firms. We \nexpect to finalize this proposal in the coming months.\n    We also intend to incorporate in the United States the revisions to \nthe Basel III leverage ratio recently agreed to by the Basel Committee. \nThese changes would strengthen the ratio in a number of ways, including \nby introducing a much stricter treatment of credit derivatives.\nResolvability of GSIBs\n    Our enhanced regulation of GSIBs also includes efforts to improve \ntheir resolvability. 
The Federal Reserve's resolvability efforts \ninclude work with the Federal Deposit Insurance Corporation (FDIC) to \nimprove the bankruptcy resolution planning of large banking firms and \nwork to assist the FDIC in making large banking firms more resolvable \nunder the Orderly Liquidation Authority (OLA) of the Dodd-Frank Act.\n    The Federal Reserve is consulting with the FDIC on a proposal that \nwould require the largest, most complex U.S. banking firms to maintain \na minimum amount of long-term unsecured debt outstanding at the holding \ncompany level. While minimum capital requirements are designed to cover \nlosses up to a certain statistical probability, in the event that the \nequity of a financial firm is wiped out, successful resolution without \ntaxpayer assistance would be most effectively accomplished if a firm \nhas sufficient long-term, unsecured debt to absorb additional losses \nand to recapitalize the business transferred to a bridge operating \ncompany. The presence of debt explicitly identified for possible bail-\nin on a ``gone concern'' basis should help other creditors clarify \ntheir positions in an orderly liquidation process.\n    A requirement for long-term debt could have the benefit of \nimproving market discipline, since the holders of that debt would know \nthey faced the prospect of loss should the firm enter resolution. In \naddition, this requirement should have the effect of preventing the \nerosion of the current long-term debt holdings of GSIBs, which, by \nhistorical standards, are currently at fairly high levels. Absent a \nminimum requirement of this sort, there likely would be declines in \nthese levels as the flatter yield curve of recent years steepens. We \nhave recently seen some evidence of the beginnings of such declines. 
At \nthe international level, the Federal Reserve is working through the \nBasel Committee and the Financial Stability Board (FSB) to develop an \ninternational proposal for gone concern loss absorbency requirements \nfor GSIBs.\nRegulatory Reform, Shadow Banking, and Short-term Wholesale Funding\n    ``Shadow banking'' is a term used to describe a wide variety of \nactivities involving credit intermediation and maturity transformation \noutside the insured depository system. These activities are often \nfunded through collateralized borrowing arrangements known as \n``securities financing transactions,'' a term that generally refers to \nrepos and reverse repos, securities lending and borrowing, and \nsecurities margin lending. Some of this activity involves the short-\nterm funding of highly liquid securities, and directly supports the \ncurrent functioning of important markets, including those in which \nmonetary policy is executed. Securities financing transactions can also \ndirectly or indirectly fund less liquid instruments.\n    In normal times, lending through securities financing transactions, \neven when backed by less-liquid instruments, appears low-risk because \nof the fact that the transactions are usually short-term, over-\ncollateralized, and exempt from the automatic stay in insolvency \nproceedings. But during times of stress, lenders may become unwilling \nto lend against a wide range of assets, including very high-quality \nsecurities, forcing liquidity-strained institutions to rapidly \nliquidate positions. The rapid constriction of large amounts of short-\nterm wholesale funding and associated asset liquidations in times of \nstress in the financial markets can result in large fire sale \nexternalities, direct and indirect contagion to other financial firms, \nand disruptions to financial stability. 
A dynamic of this type engulfed \nthe financial system in 2008.\n    While the term ``shadow banking'' suggests activity outside of the \nbanking system, reality is more complex. In many cases, shadow banking \ntakes place within, or in close proximity to, regulated financial \ninstitutions. Most of the largest banking organizations rely to a \nsignificant extent on securities financing transactions and other forms \nof short-term wholesale funding to finance their operations, and if \nsuch a firm were to come under stress, the fire sale externalities \ncould be very similar to those we saw during the financial crisis. \nBanking organizations also participate in shadow banking by lending to \nunregulated shadow banks, and by providing shadow banks with credit and \nliquidity support that enhances their ability to borrow from other \nmarket participants. In still other cases, unregulated shadow banks are \nable to operate without coming into contact with the banking system. As \nprudential requirements for regulated firms become more stringent, it \nis likely that market participants will face increasing incentives to \nmove additional activity beyond the regulatory perimeter.\n    Since the crisis, regulators have collectively made progress in \naddressing some of the close linkages between shadow banking and \ntraditional banking organizations. We have increased the regulatory \ncharges on support that banks provide to shadow banks; for example, by \nincluding within the LCR requirements for banks to hold liquidity \nbuffers when they provide credit or liquidity facilities to \nsecuritization vehicles or other special purpose entities. 
Changes have \nalso been made to accounting and capital rules that make it more \ndifficult for banks to reduce the amount of capital they are required \nto hold by shifting assets off balance sheet.\n    We are also addressing risks from derivatives transactions, which \ncan pose some of the same contagion and financial stability risks as \nshort-term wholesale funding in the event that large volumes of \nderivatives positions must be liquidated quickly. Standardized \nderivatives transactions are currently in the process of moving to \ncentral clearing, while nonstandardized trades will be subject to \nmargin requirements. In September 2013, the Basel Committee and the \nInternational Organization of Securities Commissions adopted final \nstandards on margin requirements that will require financial firms and \nsystemically important nonfinancial entities to exchange initial and \nvariation margin on a bilateral basis for noncleared derivatives \ntrades. The Federal Reserve and other Federal financial regulatory \nagencies are now working to modify the outstanding U.S. proposals on \nnoncleared derivatives margin requirements to more closely align them \nwith the requirements in this landmark global agreement.\n    Still, we have yet to address head-on the financial stability risks \nfrom securities financing transactions and other forms of short-term \nwholesale funding that lie at the heart of shadow banking. There are \ntwo fundamental goals that policy should be designed to achieve. The \nfirst is to address the specific financial stability risks posed by the \nuse of large amounts of short-term wholesale funding by the largest, \nmost complex banking organizations. 
The second is to respond to the \nmore general macroprudential concerns raised by short-term \ncollateralized borrowing arrangements throughout the financial system.\n    One option to address concerns specific to large, complex banking \nfirms would be to pursue modifications to bank liquidity standards that \nwould require firms that have matched books of securities financing \ntransactions to hold larger liquid asset buffers or maintain more \nstable funding structures. The Basel Committee has recently proposed \nchanges to its Net Stable Funding Ratio that would move in this \ndirection.\n    A complementary bank regulatory option would be to require banking \nfirms that rely on greater amounts of short-term wholesale funding to \nhold higher levels of capital. The rationale behind this approach would \nbe that while solid requirements are needed for both capital and \nliquidity adequacy at large banking firms, the relationship between the \ntwo also matters. For example, a firm with little reliance on short-\nterm wholesale funding is less susceptible to runs and, thus, to need \nto engage in fire sales that can depress capital levels at the firm and \nimpose externalities on the broader financial system. A capital \nsurcharge based on short-term wholesale funding levels would add an \nincentive for firms to use more stable funding and, where a firm \nconcluded that higher levels of such funding were nonetheless \neconomically sensible, the surcharge would increase the loss absorbency \nof the firm. 
Such a requirement would be consistent with, though \ndistinct from, the long-term debt requirement that the Federal Reserve \nis developing to enhance prospects for resolving large firms without \ntaxpayer assistance.\n    Turning to policies that could be used to address concerns about \nshort-term collateralized borrowing arrangements more broadly \nthroughout the financial system, the Federal Reserve is also carefully \nanalyzing proposals to establish minimum numerical floors for \ncollateral haircuts in securities financing transactions. In its most \nuniversal form, a system of numerical haircut floors for securities \nfinancing transactions would require any entity that wants to borrow \nagainst a security to post a minimum amount of excess margin to its \nlender that would vary depending on the asset class of the collateral. \nLike minimum margin requirements for derivatives, numerical haircut \nfloors for securities financing transactions would serve as a mechanism \nfor limiting the buildup of leverage at the transaction level, and \ncould mitigate the risk of pro-cyclical margin calls.\n    In August, the FSB issued a consultative document that outlined a \nframework of minimum margin requirements for securities financing \ntransactions. The FSB's current proposal has some significant \nlimitations, however, including (1) a scope of application that is \nlimited to transactions in which a regulated entity lends to an \nunregulated entity against nonsovereign collateral, and (2) a \nrelatively low calibration. 
If the scope of the FSB's proposal was \nexpanded to cover a much broader range of firms and securities and the \ncalibration of the proposal was strengthened, the FSB proposal could \nrepresent a significant step toward addressing financial stability \nrisks in short-term wholesale funding markets.\nInformation Security at Financial Institutions\n    Before closing, I would like to discuss briefly the Federal \nReserve's expectations with regard to information security at the \nfinancial institutions it oversees, as recent events have led to an \nincreased focus on the potential for cyber attacks on the information \ntechnology infrastructures of these institutions.\n    Cyber attacks on financial institutions and the data they house \npose significant risks to the economy and to national security more \nbroadly. While some attacks are conducted with the intent of disrupting \ncustomer access and normal business operations of financial \ninstitutions, other attacks include malicious software implanted to \ndestroy data and systems, intrusions to gain access to unauthorized \ninformation, and account takeovers for financial fraud. The varied and \nevolving nature of these attacks makes them a continuing challenge to \naddress.\n    The Federal Reserve requires the financial institutions it \nregulates to develop and maintain effective information security \nprograms that are tailored to the complexity of each institution's \noperations and that include steps to protect the security and \nconfidentiality of customer information. In addition, to address any \ndata breaches that occur, the Federal Reserve requires supervised \nfinancial institutions to develop and implement programs to respond to \nevents in which individuals or firms obtain unauthorized access to \ncustomer information held by the institution or its service providers. 
\nSpecifically, when a financial institution becomes aware of an incident \nof unauthorized access to sensitive customer information, the \ninstitution should conduct a reasonable investigation to promptly \ndetermine the likelihood that the information has been or will be \nmisused; assess the nature and scope of the incident; identify the \ntypes of information that have been accessed or misused; and undertake \nrisk mitigation, which can include notifying customers, monitoring for \nunusual account activity, and re-issuing credit and debit cards.\n    The Federal Reserve's approach to information security supervision \nleverages internal firm expertise, published guidance, and \ncollaboration between the Board, the Reserve Banks, and other U.S. \nbanking agencies to promote effective protection of data and systems by \nsupervised institutions. The Reserve Banks employ examiners \nspecializing in information technology supervision to conduct the bulk \nof their information security examination activities. Federal Reserve \nstaff has also developed guidance, some collaboratively with other \nbanking regulators, to define expectations for information security and \ndata breach management. Nine significant information security guidance \ndocuments have been issued since July 2001. We are continuing to focus \non this risk through our participation in the Federal Financial \nInstitutions Examination Council's recently established working group \naimed at enhancing supervisory initiatives on cybersecurity and \ncritical infrastructure protection.\n    Although many agencies throughout the U.S. 
Government are working \nto address problems posed by cyber attacks--in part as a result of \ninitiatives such as the executive order issued last February that \ndirected the National Institute of Standards and Technology to develop \na cybersecurity framework--we believe there should be increased \nattention and coordination across the Federal Government to support the \nsecurity of the Nation's financial infrastructure. In particular, we \nsupport efforts to leverage the technical capabilities of law \nenforcement and national security agencies with respect to cyber \nthreats and attacks at financial institutions. Financial regulators set \nexpectations for security programs and controls at financial \ninstitutions, and they help to validate that these expectations are \nbeing met. However, financial regulators do not maintain the technical \ncapacity to identify many of the most sophisticated threats, to respond \nto threats as they occur, or to evaluate the alternatives for immediate \nand effective responses to new types of viruses or attacks. We \nappreciate the efforts of U.S. Government agencies to date and \nencourage continued coordination across agencies to ensure the safety \nand security of the financial system.\nConclusion\n    The financial regulatory architecture is considerably stronger \ntoday than it was in the years leading up to the crisis, but work \nremains to complete the post-crisis global financial reform program. \nOver the coming year, the Federal Reserve will be working with other \nU.S. financial regulatory agencies, and with foreign central banks and \nregulators, to propose and finalize a number of the important remaining \ninitiatives. In this continuing endeavor, our goal is to preserve \nfinancial stability at the least cost to credit availability and \neconomic growth. 
We are focused on reducing the probability of failure \nof systemic financial firms, improving the resolvability of systemic \nfinancial firms, and monitoring and mitigating emerging systemic risks.\n    Thank you for your attention. I would be pleased to answer any \nquestions you might have.\n                                 ______\n                                 \n               PREPARED STATEMENT OF MARTIN J. GRUENBERG\n            Chairman, Federal Deposit Insurance Corporation\n                            February 6, 2014\n    Chairman Johnson, Ranking Member Crapo and Members of the \nCommittee, thank you for the opportunity to testify today on the \nFederal Deposit Insurance Corporation's (FDIC) actions to implement the \nDodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank \nAct).\n    The FDIC has made significant progress in recent months in \nimplementing the new authorities granted by the Act.\\1\\ My testimony \nwill address several topics. First, I will discuss the recently adopted \nregulation implementing the Volcker Rule and the actions we have taken \non the risk retention and qualified mortgage rules. I will then provide \nan update on our progress in implementing the authority provided to the \nFDIC to resolve systemically important financial institutions and \nproposals to improve the quantity and quality of capital. 
Finally, I \nwill address data integrity issues for the banking industry.\n---------------------------------------------------------------------------\n    \\1\\ A summary of the FDIC's progress implementing the provisions of \nthe Dodd-Frank Act is attached to this testimony.\n---------------------------------------------------------------------------\nThe Volcker Rule\n    Section 619 of the Dodd-Frank Act, also known as ``the Volcker \nRule,'' requires the Securities and Exchange Commission (SEC), the \nCommodities Futures Trading Commission (CFTC), and the Federal banking \nagencies to adopt regulations to prohibit banking entities from \nengaging in proprietary trading activities and to limit the ability of \nbanking entities to invest in, or have certain relationships with, \nhedge funds and private equity funds. In general terms, proprietary \ntrading occurs when an entity places its own capital at risk to engage \nin the short-term buying and selling of securities primarily to profit \nfrom short-term price movements, or enters into derivative products for \nsimilar purposes.\n    On December 10, 2013, the FDIC, along with the Federal Reserve \nBoard (FRB), the Office of the Comptroller of the Currency (OCC), the \nSEC, and the CFTC, adopted a final rule implementing Section 619. The \nVolcker Rule is designed to strengthen the financial system and \nconstrain the level of risk undertaken by firms that benefit, directly \nor indirectly, from the Federal safety net provided by Federal deposit \ninsurance or access to the Federal Reserve's discount window. 
The \nchallenge to the agencies in implementing the Volcker Rule was to \nprohibit the types of proprietary trading and investment activity that \nCongress intended to limit, while allowing banking organizations to \nprovide legitimate intermediation in the capital markets.\n    In finalizing this rule, the agencies carefully reviewed more than \n18,000 comments and made changes to the original proposal to address \ncommenters' concerns. The final rule is intended to preserve legitimate \nmarket making and hedging activities while maintaining market liquidity \nand vibrancy. The final rule also is designed to reduce overall burden \nby focusing requirements on those institutions that are more likely to \nengage in proprietary trading and covered fund activities.\n    The final rule is structured around the three main elements of \nSection 619: 1) the proprietary trading prohibition, 2) the covered \nfunds prohibition, and 3) the compliance requirements.\nProprietary Trading Prohibition\n    In general, the final rule prohibits proprietary trading by banking \nentities. However, consistent with Section 619, the final rule includes \nexemptions for underwriting, market making, and risk-mitigating \nhedging, among other exemptions provided in the final rule.\n    The underwriting exemption requires that a banking entity act as an \nunderwriter for a distribution of securities and that the trading \ndesk's underwriting position be related to that distribution. The \nunderwriting position must be designed not to exceed the reasonably \nexpected near-term demands of customers.\n    The exemption for market making-related activities requires that a \ntrading desk routinely stand ready to purchase and sell one or more \ntypes of financial instruments. 
The trading desk's inventory of these \ninstruments must be designed not to exceed the reasonably expected \nnear-term demands of customers.\n    Under the final rule, determining customer demand is based on such \nthings as historical demand and consideration of current market \nfactors. A market-making desk may hedge the risks of its market-making \nactivity under this exemption, provided it is acting in accordance with \ncertain risk management procedures required under the final rule.\n    The requirements of the risk-mitigating hedging exemption are \ngenerally designed to ensure that hedging activity is limited to risk-\nmitigating hedging in purpose and effect. For instance, hedging \nactivity must be designed to demonstrably reduce or significantly \nmitigate specific, identifiable risks of individual or aggregated \npositions of the banking entity. In addition, the banking entity must \nconduct an analysis (including a correlation analysis) supporting its \ndocumented hedging strategy, and the effectiveness of hedges must be \nmonitored and, as necessary, recalibrated on an ongoing basis.\n    Under the final rule, a banking entity would be allowed to hedge \nindividual exposures or aggregate exposures--for example, a specific \nloan book. However, a banking entity would not be allowed to engage in \nso-called ``macro hedging.'' The result is to allow cost-effective, \nrisk-reducing hedging while preventing banking entities from entering \ninto speculative transactions under the guise of hedging.\n    The final rule allows a bank to engage in proprietary trading in \ncertain Government obligations and generally does not prohibit certain \ntrading activities of foreign banking entities, provided the trading \ndecisions and principal risks of the foreign banking entity occur and \nare held outside of the United States. Such transactions may involve \nU.S. entities only under particular circumstances. 
The final rule also \nclarifies other exclusions and exempts certain other permitted \nactivities.\nCovered Funds Prohibition\n    The final rule prohibits banking entities from owning and \nsponsoring ``hedge funds'' and ``private equity funds,'' referred to in \nthe final rule as ``covered funds.'' The final rule follows the \nstatutory definition of covered funds and encompasses any issuer that \nwould be an investment company under the Investment Company Act if it \nwere not otherwise excluded by two provisions of that Act (section \n3(c)(1) or 3(c)(7)). The final rule also includes in the definition of \ncovered funds other similar funds such as certain foreign funds and \ncommodity pools, which are defined in a more limited manner than under \nthe proposed rule.\n    The final rule includes a number of exclusions from the definition \nof covered funds. These exclusions cover certain entities having more \ngeneral corporate purposes (such as wholly owned subsidiaries or joint \nventures), registered investment companies and business development \ncompanies regulated by the SEC and any issue of securities backed \nentirely by loans subject to certain asset restrictions.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ Accordingly, covered funds do not generally include \nsecuritizations such as residential mortgage-backed securities \n(including GSE exposures), commercial mortgage-backed securities, auto \nsecuritizations, credit card securitizations, and commercial paper \nbacked by conforming asset-backed commercial paper conduits. 
Certain \nother securitizations, such as collateralized loan obligations or \ncollateralized debt obligations, will likely meet the definition of \ncovered funds if they are unable to divest impermissible assets during \nthe conformance period.\n---------------------------------------------------------------------------\n    Consistent with the Dodd-Frank Act, the final rule designates \ncertain activities as permissible. The final rule permits a banking \nentity, subject to appropriate conditions, to invest in or sponsor a \ncovered fund in connection with organizing and offering the covered \nfund, underwriting or market making-related activities, certain types \nof risk-mitigating hedging activities, activities that occur solely \noutside of the United States, and insurance company activities.\n    The final rule places a number of limitations on permitted \nownership interests in covered funds. In general, consistent with the \nstatute, the final rule provides that a banking entity may not have any \nownership in a covered fund unless it qualifies for an exemption such \nas organizing and offering the fund in accordance with requirements of \nthe final rule or acting as a market maker for the fund. A banking \nentity that organizes and offers a covered fund must limit its total \ninterest in each covered fund to no more than 3 percent of the \nownership interests issued by the covered fund, and to no more than 3 \npercent of the value of the entire covered fund. However, if the \ncovered fund is subject to risk retention requirements that must be \nsatisfied by the banking entity, the final rule provides that the \nbanking entity may retain additional ownership interests in the covered \nfund in order to satisfy any minimum risk retention requirement that \nmay be established by the agencies by regulation. In addition, the \naggregate of all interests the banking entity has in all covered funds \nmay not exceed 3 percent of the banking entity's tier 1 capital. 
\nFinally, the banking entity must deduct the value of all of its \ninterests in covered funds and any retained earnings from its capital \nfor purposes of applying the regulatory capital standards.\n    Certain other securitizations, such as collateralized loan \nobligations, will be excluded from the definition of a covered fund if \nthey are backed exclusively by loans. However, securitizations that \ncurrently include assets other than loans can be excluded from the \ndefinition of covered funds if they divest impermissible assets during \nthe conformance period. For securitizations that are covered funds, the \nconditions for a banking entity to be permitted an ownership interest \nin these types of securitizations are, with one exception described \nbelow, the same conditions that apply to any other covered fund--for \ninstance, it organizes and offers the securitization or engages in \nunderwriting or market making-related activities.\nCompliance Requirements\n    In order to ensure compliance with the final rule, institutions \nengaged in covered practices will be required to have compliance \nprograms in place commensurate with their size and level of activity. \nThe agencies will monitor compliance through the compliance programs \nestablished by the institutions they regulate. To ensure consistent \napplication of the final rule across all banking entities, the FDIC, \nFRB, OCC, SEC and CFTC have formed an interagency Volcker Rule \nImplementation Working Group (Working Group). The Working Group will \naddress implementation issues on an ongoing basis and will provide the \nindustry with additional guidance or clarity as necessary. 
The Working \nGroup has begun meeting and will meet regularly to address reporting, \nguidance and interpretation issues to facilitate compliance with the \nrule.\n    The final rule generally requires banking entities to establish an \ninternal compliance program reasonably designed to ensure and monitor \ncompliance with the final rule. In response to concerns raised by some \ncommenters, the final rule provides compliance requirements that vary \nbased on the size of the banking entity and the amount of covered \nactivities it conducts. For example, banking entities that do not \nengage in activities covered by the final rule will have no compliance \nprogram requirements.\n    Under the final rule, larger banking entities with $50 billion or \nmore in total consolidated assets must establish a more detailed \ncompliance program as described in Appendix B of the final rule, \nincluding requirements that:\n\n  <bullet>  The banking entity adopt a written compliance program \n        approved by the board of directors;\n\n  <bullet>  The board of directors and senior management are \n        responsible for setting and communicating an appropriate \n        culture of compliance and ensuring that appropriate policies \n        regarding the management of trading activities and covered fund \n        activities or investments are adopted to comply with the \n        requirements of the final rule; and\n\n  <bullet>  The chief executive officer of the banking entity must \n        annually attest in writing to its primary Federal regulator \n        that the banking entity has in place processes to establish, \n        maintain, enforce, review, test, and modify the compliance \n        program in a manner reasonably designed to achieve compliance \n        with the final rule.\n\n    Banking entities with total consolidated assets between $10 billion \nand $50 billion will be subject to the minimum compliance program \nrequirements included in section 20(b) of the 
final rule.\n    Finally, the final rule requires banking entities with significant \ntrading operations to report certain quantitative metrics related to \ntrading activities, in accordance with section 20(d) and Appendix A of \nthe final rule. These metrics are designed to monitor certain trading \nactivities and will be phased in over a period of time based on the \ntype and size of the firm's trading activities.\nBurden Reduction\n    While the requirements of Section 619 apply to all banking entities \nregardless of size, the prohibited proprietary trading activities and \ninvestments in, and relationships with, hedge funds and private equity \nfunds that are covered by the final rule are generally conducted by \nlarger, more complex banking organizations. As a result, the final rule \nis designed to avoid placing needless requirements on banks that do not \nengage in these activities or have only limited exposure.\n    The final rule focuses compliance requirements on those \ninstitutions that are more likely to engage in prohibited proprietary \ntrading and covered fund activities. Under the final rule, a bank is \nexempt from all of the compliance program requirements, and all of the \nassociated costs, if it limits its covered activities to activities \nthat are excluded from the definition of proprietary trading, such as \ntrading in certain Government, agency, State, and municipal \nobligations. In particular, the final rule provides that a banking \nentity is not required to implement a compliance program if it does not \nengage in activities or investments covered by the rule. 
This \neliminates the compliance burden on banking entities that do not engage \nin covered activities or investments.\n    A banking entity with total consolidated assets of $10 billion or \nless that engages in covered activities can meet the compliance \nrequirements of the final rule simply by including in its existing \ncompliance policies and procedures references to the requirements of \nsection 13 of the Bank Holding Company Act and subpart D of the final \nrule as appropriate given the activities, size, scope and complexity of \nthe banking entity. This significantly reduces the compliance burden on \nsmaller banking entities that engage in a limited amount of covered \nactivities or investments.\n    The final rule requires all other banking entities to establish a \ncompliance program designed to ensure compliance with Section 619 and \nthe requirements set forth in the final rule. Even for banking entities \nthat must establish a compliance program, the final rule makes changes \nfrom the NPR to reduce the burden of the metrics reporting \nrequirements. For example, the final rule raised the threshold for \nmetrics reporting from $1 billion in trading assets and liabilities \nthreshold originally proposed to $10 billion in trading assets and \nliabilities, thereby capturing only firms that engage in very \nsignificant trading activity. The final rule also reduced the number of \nmandatory trading metrics required to be reported to the agencies from \naround 20 in the original proposal to 7 in the final rule. 
\nAdditionally, the final rule provided for metrics reporting to be \nphased-in based on the size of the banking entity's trading assets and \nliabilities, with banks with more than $50 billion in trading assets \nand liabilities reporting first, followed by banks with more than $25 \nbillion in trading assets and liabilities, and then banks with more \nthan $10 billion in trading assets and liabilities.\nTreatment of TruPS CDOs\n    Following the issuance of the final rule implementing section 619, \na number of community banking organizations expressed concern that the \nfinal rule conflicts with the Congressional determination under section \n171(b)(4)(C) of the Dodd-Frank Act to grandfather trust preferred \nsecurities (TruPS). On December 19 and December 27, 2013, the banking \nagencies issued joint statements providing guidance to financial \ninstitutions regarding the potential impact of the final rule on the \ntreatment of TruPS held in collateralized debt obligations (CDOs). \nThese statements outlined some of the issues that must be resolved in \norder to determine whether ownership of an interest in a securitization \nvehicle that holds primarily TruPS would be subject to the provisions \nof section 619 of the Dodd-Frank Act and the final implementing \nrules.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ http://www.fdic.gov/news/news/press/2013/pr13123.html; http://\nwww.fdic.gov/news/news/press/2013/pr13126a.pdf.\n---------------------------------------------------------------------------\n    Following additional review, the agencies determined that it is \nappropriate and consistent with the provisions of the Dodd-Frank Act to \nexempt certain collateralized debt obligations backed primarily by \ntrust preferred securities (TruPS CDOs) from the investment \nprohibitions of section 619 of the Act. 
Section 171 of the Dodd-Frank \nAct provides for the grandfathering of TruPS issued before May 19, \n2010, by certain depository institution holding companies with total \nassets of less than $15 billion as of December 31, 2009, and by mutual \nholding companies established as of May 19, 2010. The TruPS CDO \nstructure was the vehicle that gave effect to the use of TruPS as a \nregulatory capital instrument prior to May 19, 2010, and was part of \nthe status quo that Congress preserved with the grandfathering \nprovision of section 171.\n    The interim final rule (IFR) adopted by the agencies on January 14, \n2014 \\4\\ is consistent with the relief the agencies believe Congress \nintended to provide community banking organizations under section \n171(b)(4)(C) of the Dodd-Frank Act. Under the IFR, the agencies have \nexempted TruPS CDOs that meet specific criteria from the prohibition on \nthe acquisition or retention of any interest in or sponsorship of \ncovered funds by banking entities. The Federal banking agencies also \nreleased a nonexclusive list of issuers that meet the requirements for \nthe exemption.\\5\\ The IFR is clear that banking organizations can rely \nsolely on this list for compliance purposes. The agencies will accept \npublic comment on the IFR for 30 days following its publication in the \nFederal Register.\n---------------------------------------------------------------------------\n    \\4\\ http://www.fdic.gov/news/news/press/2014/pr14003a.pdf.\n    \\5\\ http://www.fdic.gov/news/news/press/2014/pr14003b.pdf.\n---------------------------------------------------------------------------\nRisk Retention\n    On August 28, 2013, the FDIC Board approved an NPR issued jointly \nwith five other Federal agencies to implement the credit risk retention \nrequirement set forth in Section 941 of the Dodd-Frank Act, which seeks \nto ensure that securitization sponsors have appropriate incentives for \nprudent underwriting. 
The proposed rule generally requires that the \nsponsor of any asset-backed security (ABS) retain an economic interest \nequal to at least 5 percent of the aggregate credit risk of the \ncollateral. This is the second proposal under Section 941; the first \nwas issued in April 2011.\n    The current NPR provides the sponsors of ABSs with various options \nfor meeting the risk retention requirements. As required by the Dodd-\nFrank Act, the proposed rule defines a ``qualified residential \nmortgage'' (QRM), that is, a mortgage which is statutorily exempt from \nrisk retention requirements. The NPR would align the definition of QRM \nwith the definition of ``qualified mortgage'' (QM) as prescribed by the \nConsumer Financial Protection Bureau (CFPB) in 2013. The NPR also \nincludes a request for public comment on an alternative QRM definition \nthat would add certain underwriting standards to the existing QM \ndefinition. Similar to the prior proposal, the current proposal sets \nforth criteria for securitizations of commercial real estate loans, \ncommercial loans, and automobile loans that meet certain conservative \ncredit quality standards to be exempt from risk retention requirements.\n    The FDIC has received approximately 150 comments on the current \nNPR. A number of comments relate to risk retention issues regarding \nopen market collateralized loan obligations (CLOs).\\6\\ The proposed \nrule considers an open market CLO manager to be a securitization \nsponsor and, therefore, the manager would generally be required to \nretain 5 percent of the credit risk of CLO issuances. As an \nalternative, managers or sponsors could satisfy the risk retention \nrequirement if the lead arrangers of the loans (typically the main \nlender) purchased by the open market CLO retained the required risk. 
\nSome commenters have argued that the lead arranger option is unworkable \nand that the proposal would significantly affect the formation and \ncontinued operation of CLOs, and that this could reduce the volume of \ncommercial lending. The agencies are continuing to review comments and \nmeet with interested groups to discuss their concerns and will give \nfull consideration to all issues raised before we issue the final rule.\n---------------------------------------------------------------------------\n    \\6\\ An open market CLO is defined as one (i) whose assets consist \nof senior, secured syndicated loans acquired directly from the sellers \nin open market transactions and of servicing assets, (ii) that is \nmanaged by a CLO manager, and (iii) that holds less than 50 percent of \nits assets, by aggregate outstanding principal amount, in loans \nsyndicated by lead arrangers that are affiliates of the CLO or \noriginated by originators that are affiliates of the CLO.\n---------------------------------------------------------------------------\nExamination Treatment of Qualified Mortgages\n    Recognizing that many institutions are assessing how to implement \nthe Ability-to-Repay and QM rules issued by the CFPB, the Federal \nfinancial regulators jointly issued interagency statements on their \nsupervisory approach for residential mortgage loans. The agencies \nemphasize that an institution may originate both QM and non-QM \nresidential mortgage loans. A bank's decision to offer only QM loans, \nabsent other factors, should not elevate a supervised institution's \nfair lending risk and is compatible with meeting Community Reinvestment \nAct obligations. 
The interagency statements emphasize that the agencies \nwill not subject a residential mortgage loan to regulatory criticism--\neither from a safety and soundness or consumer protection perspective--\nbased solely on the loan's status as a QM or a non-QM.\nResolution of Systemically Important Financial Institutions\nResolution Plans--``Living Wills''\n    Under the framework of the Dodd-Frank Act, bankruptcy is the \npreferred option in the event of the failure of a SIFI. To make this \nobjective achievable, Title I of the Dodd-Frank Act requires that all \nbank holding companies with total consolidated assets of $50 billion or \nmore, and nonbank financial companies that the Financial Stability \nOversight Council (FSOC) determines could pose a threat to the \nfinancial stability of the United States, prepare resolution plans, or \n``living wills,'' to demonstrate how the company could be resolved in a \nrapid and orderly manner under the Bankruptcy Code in the event of the \ncompany's financial distress or failure. The living will process is an \nimportant new tool to enhance the resolvability of large financial \ninstitutions through the bankruptcy process.\n    The 165(d) Rule, jointly issued by the FDIC and the Federal Reserve \nBoard in 2011, implemented the requirements for resolution plans and \nprovided for staggered annual submission deadlines based on the size \nand complexity of the companies. Eleven of the largest, most complex \ninstitutions submitted initial plans in 2012 and revised plans in 2013. \nDuring 2013, the remaining 120 institutions submitted their initial \nresolution plans under the 165(d) rule. In addition, in 2013, the FSOC \ndesignated three nonbank financial institutions for Federal Reserve \nBoard supervision. 
These firms are expected to submit their initial \nresolution plans in 2014.\n2013 Guidance on Living Wills\n    Following the review of the initial resolution plans submitted in \n2012, the agencies developed Guidance for the firms to detail the \ninformation that should be included in their 2013 resolution plan \nsubmissions. The agencies identified an initial set of significant \nobstacles to rapid and orderly resolution which covered companies are \nexpected to address in the plans, including the actions or steps the \ncompany has taken or proposes to take to remediate or otherwise \nmitigate each obstacle and a timeline for any proposed actions. These \neleven institutions submitted their revised resolution plans in October \n2013.\n    As required by the statute, the resolution plans submitted in 2013 \nwill be subject to informational completeness reviews and reviews for \nresolvability under the Bankruptcy Code. The agencies are reviewing how \neach resolution plan addresses a set of benchmarks outlined in the \nGuidance which represent the key impediments to an orderly resolution. \nThe benchmarks are as follows:\n\n  <bullet>  Multiple Competing Insolvencies: Multiple jurisdictions, \n        with the possibility of different insolvency frameworks, raise \n        the risk of discontinuity of critical operations and uncertain \n        outcomes.\n\n  <bullet>  Global Cooperation: The risk that lack of cooperation could \n        lead to ring-fencing of assets or other outcomes that could \n        exacerbate financial instability in the United States and/or \n        loss of franchise value, as well as uncertainty in the markets.\n\n  <bullet>  Operations and Interconnectedness. The risk that services \n        provided by an affiliate or third party might be interrupted, \n        or access to payment and clearing capabilities might be lost;\n\n  <bullet>  Counterparty Actions. 
The risk that counterparty actions \n        may create operational challenges for the company, leading to \n        systemic market disruption or financial instability in the \n        United States; and\n\n  <bullet>  Funding and Liquidity. The risk of insufficient liquidity \n        to maintain critical operations arising from increased margin \n        requirements, acceleration, termination, inability to roll over \n        short-term borrowings, default interest rate obligations, loss \n        of access to alternative sources of credit, and/or additional \n        expenses of restructuring.\n\n    The FDIC and the Federal Reserve are charged with reviewing the \n165(d) plans and may jointly find that a plan is not credible or would \nnot facilitate an orderly resolution under the Bankruptcy Code. If a \nplan is found to be deficient in either case, the FDIC and the Federal \nReserve must notify the filer of the areas in which the plan is \ndeficient. The filer must resubmit a revised plan that addresses the \ndeficiencies within 90 days (or other specified timeframe). The FDIC \nand the Federal Reserve currently are in the process of reviewing the \nplans under the standards provided in the statute.\nOrderly Liquidation Authority\n    In cases where resolution under the Bankruptcy Code may result in \nserious adverse effects on financial stability in the United States, \nthe Orderly Liquidation Authority set out in Title II of the Dodd-Frank \nAct serves as the last resort alternative. Upon recommendations by a \ntwo-thirds vote of the Federal Reserve Board and the FDIC Board and a \ndetermination by the Treasury Secretary in consultation with the \nPresident, a financial company whose failure is deemed to pose a risk \nto the financial system may be placed into an FDIC receivership. Under \nthe Act, key findings and recommendations must be made before the \nOrderly Liquidation Authority can be considered as an option. 
These \ninclude a determination that the financial company is in default or \ndanger of default, that failure of the financial company and its \nresolution under applicable Federal or State law, including bankruptcy, \nwould have serious adverse effects on financial stability in the United \nStates and that no viable private sector alternative is available to \nprevent the default of the financial company.\n    In my July 11, 2013 testimony before this Committee, I described \nhow the FDIC is developing a strategic approach, referred to as Single \nPoint-of-Entry (SPOE), to carry out its Orderly Liquidation Authority \nfor resolving a SIFI. Under the SPOE strategy, the FDIC would be \nappointed receiver of the top-tier parent holding company of the \nfinancial group following the company's failure and the completion of \nthe recommendation, determination, and expedited judicial review \nprocess set forth in Title II of the Act. The FDIC would organize a \nbridge financial company into which assets from the receivership \nestate, including the failed holding company's investments in, and \nloans to subsidiaries, would be transferred.\n    The FDIC would oversee operations of the bridge financial company \nand would retain control over certain high-level key matters of the \nbridge financial company's governance. Shareholders would be wiped out, \nunsecured debt holders would have their claims written down to reflect \nany losses that shareholders cannot cover, and culpable senior \nmanagement would be replaced. The FDIC would appoint a board of \ndirectors and nominate a new chief executive officer and other key \nmanagers to operate the bridge financial company under the FDIC's \noversight. The plan for restructuring the company could include \nchanging business, shrinking businesses, breaking the company into \nsmaller entities, and liquidating certain assets or closing certain \noperations. 
The FDIC also would likely require the restructuring of the \nfirm into one or more smaller nonsystemic firms that could be resolved \nunder bankruptcy.\n    During the operation of the bridge financial company, the healthy \nsubsidiaries of the company would remain open, allowing them to \ncontinue business. In this manner the resolution strategy would protect \nagainst contagion in the financial system by maintaining vital linkages \namong critical operating subsidiaries, ensuring continuity of services, \nand avoiding the disruption that would likely accompany failure. At the \nsame time, the strategy would protect against moral hazard by holding \naccountable the failed company's owners and management responsible for \nits failure.\n    On December 10, 2013, the FDIC Board approved publication of a \nFederal Register notice \\7\\ which provides greater detail on the SPOE \nstrategy and discusses the key issues that will be faced in the \nresolution of a SIFI. The notice seeks public comment and views as to \nhow the policy objectives set forth in the Dodd-Frank Act could better \nbe achieved.\n---------------------------------------------------------------------------\n    \\7\\ FDIC, Resolution of Systemically Important Financial \nInstitutions: The Single Point of Entry Strategy, 78 Fed. Reg. 76,614 \n(Dec. 18, 2013).\n---------------------------------------------------------------------------\n    In addition, the Federal Reserve, in consultation with the FDIC, is \nconsidering the merits of a regulatory requirement that the largest, \nmost complex U.S. banking firms maintain a minimum amount of unsecured \ndebt at the holding company level. Such a requirement would ensure that \nthere are creditors at the holding company level to absorb losses at \nthe failed firm.\nCross-border Issues\n    Advance planning and cross-border coordination for the resolution \nof globally active SIFIs will be essential to minimizing disruptions to \nglobal financial markets. 
Recognizing that global SIFIs create complex \ninternational legal and operational concerns, the FDIC continues to \nreach out to foreign regulators to establish frameworks for effective \ncross-border cooperation.\n    As part of our bilateral efforts, the FDIC and the Bank of England, \nin conjunction with the prudential regulators in our respective \njurisdictions, have been developing contingency plans for the failure \nof a global SIFI that has operations in the United States and the \nUnited Kingdom. Of the 28 G-SIFIs designated by the Financial Stability \nBoard (FSB) of the G-20 countries, four are headquartered in the United \nKingdom, and another eight are headquartered in the United States. \nMoreover, approximately 70 percent of the reported foreign activities \nof the eight U.S. G-SIFIs emanates from the United Kingdom. The \nmagnitude of these financial relationships makes the U.S.-U.K. \nbilateral relationship by far the most significant with regard to the \nresolution of G-SIFIs. Because of the magnitude of these institutions' \noperations, our two countries have a strong mutual interest in ensuring \nthat the failure of such an institution could be resolved at no cost to \ntaxpayers and without placing the financial system at risk.\n    The FDIC and U.K. authorities released a joint paper on resolution \nstrategies in December 2012, reflecting the close working relationship \nbetween the two authorities. This joint paper focuses on the \napplication of ``top-down'' resolution strategies for a U.S. or a U.K. \nfinancial group in a cross-border context and addresses several common \nconsiderations to these resolution strategies. 
In December 2013, the \nFDIC and the Bank of England, including the Prudential Regulation \nAuthority, in conjunction with the Federal Reserve Board and the \nFederal Reserve Bank of New York, held a staff-level tabletop exercise \nexploring cross-border issues and potential mitigating actions that \ncould be taken by regulators in the event of a resolution.\n    The FDIC also is coordinating with representatives from European \nauthorities to discuss issues of mutual interest, including the \nresolution of European global SIFIs and ways in which we can harmonize \nreceivership actions. The FDIC and the European Commission (E.C.) have \nestablished a joint Working Group composed of senior executives from \nthe FDIC and the E.C. to focus on both resolution and deposit insurance \nissues. The agreement establishing the Working Group provides for \nmeetings twice a year with other interim interchanges and the exchange \nof detailees. In 2013, the Working Group convened formally twice, and \nthere has been ongoing collaboration at the staff level. The FDIC and \nthe E.C. have had in-depth discussions regarding the FDIC's experience \nwith resolution as well as the SPOE strategy that we are developing. We \nalso have discussed the E.C.'s proposed EU-wide Credit Institution and \nInvestment Firm Recovery and Resolution Directive, the E.C.'s proposed \namendment to harmonize further deposit guarantee schemes EU-wide, and \nthe E.C.'s proposal for a Single Resolution Mechanism that would apply \nto Euro-area Member States, as well as any others that would opt-in. \nThe FDIC and the E.C. also have exchanged staff members for short \nperiods to enhance staff experience with respective resolution \nauthorities. In 2014, at the request of the E.C., the FDIC is planning \nto conduct a training seminar on resolutions for E.C. 
staff.\n    The FDIC continues to foster its relationships with other \njurisdictions that regulate global SIFIs, including Switzerland, \nGermany, and Japan. In 2013, the FDIC had significant principal and \nstaff-level engagements with these countries to discuss cross-border \nissues and potential impediments that would affect the resolution of a \nglobal SIFI. We will continue this work in 2014 with plans to host \ntabletop exercises with staff from these authorities. We also have \ndiscussed developing joint resolution strategy papers, similar to the \none with the United Kingdom, as well as possible exchanges of \ndetailees.\n    In a significant demonstration of cross-border cooperation on \nresolution issues, the FDIC signed a November 2013 joint letter with \nthe Bank of England, the Swiss Financial Market Supervisory Authority \nand the German Federal Financial Supervisory Authority, to the \nInternational Swaps and Derivatives Association, Inc. (ISDA). This \nletter encouraged ISDA to develop provisions in derivatives contracts \nthat would provide for short-term suspension of early termination \nrights and other remedies in the event of a G-SIFI resolution. The \nadoption of such changes would allow derivatives contracts to remain in \neffect throughout the resolution process following the implementation \nof a number of potential resolution strategies.\n    We anticipate continuation of our international coordination and \noutreach and will continue to work to resolve impediments to an orderly \nresolution of a global SIFI.\nCapital and Liquidity Requirements\nInteragency Rulemakings on Basel III and the Supplementary Leverage \n        Ratio\n    In July 2013, the FDIC Board acted on two important regulatory \ncapital rulemakings. 
First, the FDIC joined the Federal Reserve and \nthe OCC in issuing rulemakings that significantly revise and strengthen \nrisk-based capital regulations through implementation of the Basel III \ninternational accord (``Basel III rulemaking''). Second, these agencies \nalso issued an NPR that would strengthen leverage capital requirements \nfor the eight largest U.S. bank holding companies (BHCs) and their \ninsured banks.\n    The Basel III rulemaking substantially strengthens both the quality \nand the quantity of risk-based capital for all banks in the U.S. by \nplacing greater emphasis on tier 1 common equity capital. Tier 1 common \nequity capital is widely recognized as the most loss-absorbing form of \ncapital, and the Basel III changes are expected to result in a \nstronger, more resilient industry better able to withstand periods of \neconomic stress in the future.\n    The Basel III rulemaking also includes a new supplementary leverage \nratio requirement, an issue agreed in the Basel III international \naccord. This represents an important enhancement to the international \ncapital framework. Prior to this rule, there was no international \nleverage ratio requirement. For the first time, the Basel III accord \nincluded an international minimum leverage ratio, and consistent with \nthe agreement, the Basel III rulemaking includes a 3-percent minimum \nsupplementary leverage ratio that applies only to the 17 large banking \norganizations subject to the advanced approaches rule.\n    As noted above, the NPR would strengthen the supplementary leverage \nrequirements encompassed in the Basel III rulemaking for the eight \nlargest BHCs and their insured banks. The NPR would require covered \ninsured depository institutions (IDIs) to satisfy a 6-percent \nsupplementary leverage ratio to be considered well capitalized for \nprompt corrective action (PCA) purposes. 
BHCs covered by the NPR would \nneed to maintain a supplementary leverage ratio of at least 5 percent \n(a 3 percent minimum plus a 2-percent buffer) to avoid restrictions on \ncapital distributions and executive compensation.\n    As the NPR points out, maintaining a strong capital base at the \nlargest, most systemically important institutions is particularly \nimportant because capital shortfalls at these institutions can \ncontribute to systemic distress and have material adverse economic \neffects. The agencies' analysis suggests that a 3-percent minimum \nsupplementary leverage ratio contained in the Basel III accord would \nnot have appreciably mitigated the growth in leverage among \nsystemically important institutions in the years preceding the recent \ncrisis. The FDIC views this as problematic because one of the most \nimportant objectives of the capital reforms was to address the buildup \nof excessive leverage.\n    While the Basel III rulemaking raises risk-based capital \nrequirements significantly, the minimum supplementary leverage ratio \nprovided in Basel III does not raise leverage capital comparably. From \na safety and soundness perspective, leverage capital requirements and \nrisk-based capital requirements are complementary. Each offsets the \npotential weaknesses of the other, and the two working together--as \nthey have in the U.S. for over 20 years--are more effective than either \nby itself. For example, risk-weighted asset calculations are subject to \nmodeling error, subjectivity, and other uncertainties. These weaknesses \ncan be offset by a more robust leverage ratio. On the other hand, risk-\nbased capital measures are useful because they may better capture the \nrisk posed by different kinds of assets. 
The NPR is intended to \nincrease leverage capital to maintain rough comparability with the \nincrease in risk-based capital required under Basel III.\n    Higher capital requirements would help offset systemic risk and \nwould also put additional private capital at risk before the Deposit \nInsurance Fund (DIF) and the Federal Government's resolution mechanisms \nwould be called upon. This proposed rulemaking is one of the most \nimportant steps the banking agencies could take to strengthen the \nsafety and soundness of the U.S. banking and financial systems.\nRule on the Liquidity Coverage Ratio and the Net Stable Funding Ratio \n        Proposal\n    A number of large financial institutions experienced significant \nliquidity problems during the financial crisis that exacerbated stress \non the banking system, and more broadly, compromised financial \nstability. In response, the U.S. banking agencies have made a concerted \neffort, both domestically and internationally, to strengthen liquidity \nand short-term funding requirements for the largest U.S. banking \norganizations.\n    In October 2013, the FDIC, together with the OCC and the Federal \nReserve, issued an interagency proposed rule to implement a \nquantitative liquidity requirement consistent with the Liquidity \nCoverage Ratio (LCR) developed by the Basel Committee on Banking \nSupervision on which the U.S. banking agencies serve as members. The \nLCR rule would apply to large, internationally active banking \norganizations and their consolidated subsidiary depository institutions \nwith $10 billion or more in total consolidated assets and is an \nimportant step in helping to bolster the resilience of these \norganizations during periods of financial stress. The proposal requires \nbanks to hold a minimum level of liquid assets to withstand contingent \nliquidity events and provides a standard way of expressing a bank's on-\nbalance sheet liquidity position to stakeholders and supervisors. 
The \nproposal establishes a transition schedule under which covered \ncompanies must fully meet the minimum LCR by January 1, 2017, 2 years \nearlier than the Basel deadline. The comment period on this proposal \nclosed on January 31, 2014.\n    In January 2014, the Basel Committee issued a related proposal to \nestablish a Net Stable Funding Ratio (NSFR). The NSFR proposal \ncomplements the LCR by promoting stable funding profiles over the \nlonger term by limiting over-reliance on short-term wholesale funding, \nimproving the assessment of funding risk for on- and off-balance sheet \nitems, and encouraging stable sources of funding. To meet the proposed \nNSFR requirement, the largest U.S. banks would have to maintain a \nminimum level of stable funding given the liquidity characteristics of \ntheir assets and off-balance sheet exposures. The FDIC strongly \nsupports the Basel Committee's NSFR proposal, and we anticipate that \nthe U.S. banking agencies will develop a similar domestic rule once the \nBasel Committee's consultation period ends in April of this year.\nData Integrity\n    Recent highly publicized data breaches have highlighted payment \ncard data integrity issues at merchants. Compromised payment card data \ncan affect millions of consumers and thousands of issuing banks \nglobally. Consequently, payment card data integrity has been, and \nremains, a concern of the Federal banking regulators. Although the \nFederal banking agencies do not have the authority to regulate the \npayment card operations of retail merchants, such as those subject to \nthe recent breaches in the news, the FDIC and the other Federal banking \nregulators are able to examine merchant acceptance and payment card \nissuing operations that occur under the direct control of a bank.\n    The FDIC treats data security as a significant risk area due to its \npotential to disrupt bank operations, harm consumers, and undermine \nconfidence in the banking system and economy. 
The failure or misuse of \ntechnology can impact the safety and soundness of an institution with \nsudden and severe losses, directly harm consumers, or both.\n    In its role as supervisor of insured institutions, the FDIC \nanalyzes emerging cyber threats, occurrences of bank security breaches, \nand other incidents. The FDIC monitors security issues in the banking \nindustry on a regular basis through onsite examinations and regulatory \nreports. The FDIC, through its membership in the Financial and Banking \nInformation Infrastructure Committee (FBIIC), works with groups such as \nthe Financial Services Sector Coordinating Council (FSSCC), other \nregulatory agencies, law enforcement and others to share information \nregarding emerging issues and coordinate our responses.\n    Additionally, the Federal Financial Institutions Examination \nCouncil formed a Cybersecurity and Critical Infrastructure Working \nGroup in June 2013. This working group will serve as a liaison with the \nintelligence community, law enforcement and homeland security agencies \non cybersecurity and critical infrastructure protection-related issues. \nIt also will conduct programs to create cyber risk awareness and \nconsider additional industry guidance on specific threats. Finally, the \ngroup is pursuing an agenda for the member agencies to collaborate on \ncybersecurity and critical infrastructure issues related to examination \npolicy, training, information sharing and incident communication and \ncoordination.\n    The FDIC has issued guidance to financial institutions with respect \nto keeping data secure, protecting customers, and responding to \nbreaches of data security. 
In 2001, the Federal banking agencies issued \nInteragency Guidelines Establishing Information Security Standards, as \nrequired by Section 501(b) of the Gramm-Leach-Bliley Act, requiring \nevery financial institution to have an information security program, \napproved by the institution's board of directors, to protect customer \ninformation.\n    The FDIC's most direct role in ensuring cyber security within the \nfinancial sector is through its onsite examination programs. The FDIC \nregularly and routinely evaluates all of its regulated financial \ninstitutions' information security programs through our information \ntechnology (IT) examinations. The Federal banking agencies also conduct \nIT examinations of major technology service providers that provide \nservices to financial institutions. These examinations are designed, in \npart, to ensure that financial institutions protect both bank and \ncustomer information. Depending on the findings from our examinations, \ninformal or formal enforcement action may be pursued to achieve \ncorrective actions.\n    The Federal Financial Institutions Examination Council (FFIEC), \nwhich includes the FDIC, publishes a series of Information Technology \nExamination Handbooks. Banks and their service providers are examined \nby their appropriate Federal banking agency using the standards in the \nFFIEC books, which includes an assessment of their information security \nand protection of customer information, among other things. The \nhandbooks address objectives, standards, resources, roles and \nresponsibilities, best practices, and examination procedures. These \nhandbooks are available to examiners, bankers, and the public.\n    With respect to retail payments in particular, the Federal banking \nagencies' supervisory programs assess acquiring banks to ensure that \nappropriate payment operations risk mitigation efforts are in place. 
\nIncluded as part of the FFIEC IT Examination Handbook are two booklets, \n``Retail Payment Systems'' and ``Wholesale Payment Systems,'' to \naddress regulatory expectations for risk management of these systems.\n    The Federal banking agencies issued guidance in March 2005 for \nfinancial institutions to develop and implement a Response Program \ndesigned to address incidents of unauthorized access to sensitive \ncustomer information.\n    Recognizing that addressing cyber risks can be especially \nchallenging for community banks, the FDIC is taking steps to assist \nthem with planning and training. At the November 19, 2013 meeting of \nits Advisory Committee on Community Banking, we shared with members an \nexercise that institutions can use to initiate discussions about \noperational risk and the potential impact of IT disruptions on common \nbanking functions. This exercise, named ``Cyber Challenge,'' provides \nfinancial institutions with four exercise scenarios via short videos. \nEach video represents a standalone scenario so users may choose to \nconsider any number of the scenarios in any order they desire. Each \nvideo has associated challenge questions that have been developed to \npromote discussion on topics relevant to the specific scenarios and to \nassist institutions in the development of proper responses. \nAdditionally, financial institutions may discuss how they would react \nto the scenario, how they would handle the situation in their \nrespective institution, and what controls their institution has in \nplace to prevent the situation. Cyber Challenge will be distributed to \nall FDIC-supervised institutions in the near future.\nConclusion\n    Thank you for the opportunity to share with the Committee the work \nthat the FDIC has been doing to implement the Dodd-Frank Act and \naddress systemic risk in the aftermath of the financial crisis. 
I would \nbe glad to respond to your questions.\nStatus of FDIC Dodd-Frank Act Rulemakings\nCompleted FDIC-only Rulemakings\n    FDIC has met all applicable deadlines in issuing those required \nregulations in the Dodd-Frank Wall Street Reform and Consumer \nProtection Act for which it is solely responsible. These include:\n\n  <bullet>  Orderly Liquidation Authority (OLA) Regulations\n\n    <bullet>  Inflation adjustment for wage claims against financial \n        company in receivership;\n\n    <bullet>  Executive compensation clawbacks and definition of \n        compensation; and\n\n    <bullet>  Definition of `predominantly engaged in activities \n        financial in nature' for title II purposes.\n\n  <bullet>  Deposit Insurance Fund Management Regulations\n\n    <bullet>  Regulations establishing an asset-based assessment base;\n\n    <bullet>  Regulations implementing permanent $250,000 coverage;\n\n    <bullet>  Elimination of pro-cyclical assessments; dividend \n        regulations;\n\n    <bullet>  Restoration plan to increase the minimum reserve ratio \n        from 1.15 to 1.35 percent by Sept. 
30, 2020; and\n\n    <bullet>  Regulations implementing temporary full Deposit Insurance \n        coverage for noninterest bearing transaction accounts (Program \n        expired 12/31/12).\n\n    The FDIC has also issued several optional rules, including the \nfollowing OLA rules:\n\n  <bullet>  Rules governing payment of post-insolvency interest to \n        creditors;\n\n  <bullet>  Rules establishing the proper measure of actual, direct, \n        compensatory damages caused by repudiation of contingent \n        claims;\n\n  <bullet>  Rules governing the priority of creditors and the treatment \n        of secured creditors;\n\n  <bullet>  Rules governing the administrative claims process;\n\n  <bullet>  Rules governing the treatment of mutual insurance holding \n        companies; and\n\n  <bullet>  Rules providing for enforcement of contracts of \n        subsidiaries or affiliates of a covered financial company.\n\nCompleted Interagency Rules:\n\n    FDIC and its fellow agencies have issued a number of joint or \ninteragency regulations. These include:\n\n  <bullet>  Title I resolution plan requirements;\n\n  <bullet>  Regulations implementing self-administered stress tests for \n        financial companies;\n\n  <bullet>  Minimum leverage capital requirements for IDIs (Collins \n        Sec.  171(b)(1));\n\n  <bullet>  Minimum risk-based capital requirements (Collins Sec.  \n        171(b)(2));\n\n  <bullet>  Capital requirements for activities that pose risks to the \n        financial system (Collins Sec.  
171(b)(7)) (as of July 9, \n        2013);\n\n  <bullet>  Rules providing for calculation of the ``maximum obligation \n        limitation'';\n\n  <bullet>  Regulations on foreign currency futures;\n\n  <bullet>  Removing regulatory references to credit ratings;\n\n  <bullet>  Property appraisal requirements for higher cost mortgages;\n\n  <bullet>  Appraisals for higher priced mortgages supplemental rule;\n\n  <bullet>  Appraisal independence requirements;\n\n  <bullet>  Volcker Rule Prohibition on Proprietary Trading and \n        Investments in Covered Funds; and\n\n  <bullet>  Interim final rule authorizing Retention of Interests in \n        CDOs backed by Bank-Issued Trust Preferred Securities\nRulemakings in process--FDIC-only:\n\n    A few regulations without statutory deadlines remain in process. \nThese include:\n\n  <bullet>  OLA regulations implementing post-appointment requirements \n        and establishing eligibility requirements for asset purchasers; \n        and\n\n  <bullet>  Integration and Streamlining of adopted OTS regulations.\n\nInteragency Rulemakings in process:\n\n  <bullet>  Additional OLA Rules:\n\n    <bullet>  Orderly liquidation of covered brokers and dealers;\n\n    <bullet>  Regulations regarding treatment of officers and directors \n        of companies resolved under Title II; and\n\n    <bullet>  QFC recordkeeping rules;\n\n  <bullet>  Regulations implementing the credit exposure reporting \n        requirement for large BHCs and nonbank financial companies \n        supervised by the FRB;\n\n  <bullet>  Regulations implementing the ``source of strength'' \n        requirement for BHCs, S&LHCs, and other companies that control \n        IDIs;\n\n  <bullet>  Capital and margin requirements for derivatives that are \n        not cleared OTC;\n\n  <bullet>  Regulations governing credit risk retention in asset-backed \n        securitizations, including ABS backed by residential mortgages;\n\n  <bullet>  Regulations governing 
enhanced compensation structure \n        reporting and prohibiting inappropriate incentive-based payment \n        arrangements;\n\n  <bullet>  Rulemaking prohibiting retaliation against an IDI or other \n        covered person that institutes an appeal of conflicting \n        supervisory determinations by the CFPB and the appropriate \n        prudential regulator; and\n\n  <bullet>  Additional appraisals and related regulations:\n\n    <bullet>  Minimum requirements for registration of appraisal \n        management companies and for the reporting of the activities of \n        appraisal management companies to Appraisal Subcommittee;\n\n    <bullet>  Regulations to implement quality controls standards for \n        automated valuation models; and\n\n    <bullet>  Regulations providing for appropriate appraisal review.\n\nOther DFA Regulations and Guidance:\n\n  <bullet>  OMWI--Proposed Standards for Assessing Diversity in \n        Regulated Entities;\n\n  <bullet>  Stress Testing Guidance, including:\n\n    <bullet>  Economic Scenarios for 2014 Stress Testing;\n\n    <bullet>  Policy Statement on the Principles for Development and \n        Distribution of Annual Stress Test Scenarios (FDIC-supervised \n        institutions); and\n\n    <bullet>  Proposed Interagency Supervisory Guidance on Implementing \n        Dodd-Frank Act Company-Run Stress Tests for Banking \n        Organizations With Total Consolidated Assets of More Than $10 \n        Billion But Less Than $50 Billion; and\n\n  <bullet>  Interagency Statement on Supervisory Approach for Qualified \n        and Non-Qualified Mortgage Loans\n                                 ______\n                                 \n                PREPARED STATEMENT OF THOMAS J. 
CURRY *\n                      Comptroller of the Currency\n               Office of the Comptroller of the Currency\n                            February 6, 2014\n    Chairman Johnson, Ranking Member Crapo, and Members of the \nCommittee, thank you for the opportunity to appear before you today. As \nthe national economy continues to improve, so do the balance sheets of \nthe financial institutions that the Office of the Comptroller of the \nCurrency (OCC) supervises. The industry's improved strength is \nreflected in stronger capital, improved liquidity, and timely \nrecognition and resolution of problem loans. We are mindful, however, \nof the lessons of the financial crisis, and we have learned from that \nexperience. We have taken a close look at how we supervise national \nbanks and Federal savings associations (collectively, banks) and have \ndevoted considerable time and resources to improving the way we do our \njob.\n---------------------------------------------------------------------------\n     * Statement Required by 12 U.S.C. Sec.  250:\n    The views expressed herein are those of the Office of the \nComptroller of the Currency and do not necessarily represent the views \nof the President.\n---------------------------------------------------------------------------\n    With this in mind, I will begin my testimony today by describing \nthe independent peer review study, which was undertaken at my \ndirection, to assess the effectiveness of OCC's supervision of large \nand midsize banks. I will also discuss the OCC's recently proposed \nheightened expectations guidelines, designed to strengthen the risk \nmanagement and governance practices of our large banks. 
We are setting \na high bar for the institutions we supervise, and, as our international \npeer review project demonstrates, we are asking no less of ourselves.\n    In addition, as the Committee requested, I will discuss the OCC's \nexpectations of the banks that we supervise with regard to their \nability to defend both their systems and their customers' confidential \ninformation from cyber threats, as well as our role in supervising the \nretail payment system activities of banks. While banks are highly \nregulated, the financial services industry is an attractive target for \ncyber attacks, and therefore, we recognize the need to ensure that \nbanks are doing everything necessary to protect themselves and their \ncustomers' information. To ensure we stay on top of the evolving \nthreats to the financial services industry, the OCC is committed to \nrefining our supervisory processes on an ongoing basis and to \nparticipating in public-private partnerships to help keep abreast of \nand respond to emerging threats.\n    Finally, my testimony will address our ongoing efforts to implement \nthe Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-\nFrank Act or Act) and to strengthen bank capital. Specifically, I will \ndiscuss the newly finalized risk-based capital rules, as well as the \nproposed liquidity rules and enhanced leverage capital ratio \nrequirement. I also will provide an overview of the finalized \n``Volcker'' rules and our progress in implementing specific provisions \nof Title VII of the Act. I will conclude with a summary of other \nrulemaking projects required by the Act on which we have made \nsubstantial progress, including the appraisal and credit risk retention \nrules.\nI. Improving Financial Stability through Enhanced Prudential Regulation \n        and Supervision\nA. International Peer Review Study\n    Throughout our 150-year history, effective supervision of national \nbanks has been the core mission of the OCC. 
While the scope of that \nmission has expanded to include Federal savings associations, our focus \non quality supervision has not changed.\n    To do our job effectively, we must maintain controls and a review \nprogram that is every bit as rigorous as what we expect of our banks. \nThis proposition underlies the OCC's new Enterprise Governance unit, \nwhich will conduct independent reviews of each OCC business line. These \nreviews will enhance existing processes, including quality assurance \nprograms that each business line maintains.\n    The financial crisis showed how important supervision is to the \nsoundness of the banking system, and I feel strongly that we need to do \neverything possible to ensure the effectiveness of OCC supervision. \nLast year, I brought together a team of senior international regulators \nto provide an independent and unvarnished assessment of the OCC's \nsupervision program for large and midsize banks. Even the very best \norganizations have room to improve, and in fact, one of the hallmarks \nof a healthy culture is an organization's willingness to engage in a \nprocess of continual improvement. This is something the OCC has done \nthroughout its 150 years. However, in the wake of the financial crisis, \nI believed it was particularly important to establish a process to \nassess our strengths and weaknesses and evaluate where we could do \nbetter.\n    The peer review team was comprised of veteran bank regulators from \ncountries whose financial systems proved to be particularly resilient \nduring the financial crisis. 
It was chaired by Jonathan Fiechter, a
former OCC Senior Deputy Comptroller who, until recently, served as a
senior official with the International Monetary Fund, where he headed
the Monetary and Capital Markets Department's financial supervision and
crisis management group.
    In December 2013, I received and released to the public the peer
review team's report.\1\ Its recommendations cover six key areas:
mission, vision, and strategic goals; identification of risk; ratings
systems; staffing; scope and consistency of the OCC's supervisory
strategies; and our enterprise governance function. I am gratified that
the report highlighted a number of areas in which the OCC has been very
successful. As the chair of the peer review team noted in his
transmittal letter to me, ``The OCC is fortunate to have such a highly
motivated, experienced, and professional staff dedicated to carrying
out the work of the OCC.'' The report praised the lead expert program
\2\ in our Midsize Bank Supervision business line, as well as the work
of our National Risk Committee.\3\ The peer review team also noted that
our supervisory staff demonstrated a strong commitment to rigorous
supervision of the institutions we regulate and pride in the OCC as a
supervisory agency. Further, the team validated a number of initiatives
that we had already begun, including eight strategic initiatives to
address challenges and opportunities facing the agency.
These strategic
initiatives focus on retention and recruitment, bank and thrift
supervision, leadership, agency funding, technology, internal and
external communication, and an enterprise-wide self-assessment process
focused on continuous improvement.
---------------------------------------------------------------------------
    \1\ See OCC News Release 2013-184 for a copy of the report,
available at: http://www.occ.gov/news-issuances/news-releases/2013/nr-occ-2013-184.html.
    \2\ The lead expert program assigns an expert to each key risk
area. These experts, who are independent from exam staff, review and
opine on our annual supervisory strategy and supervisory communications
for each large and midsize bank we supervise. This program ensures that
the OCC consistently handles issues across the agency's portfolio.
    \3\ The OCC's National Risk Committee (NRC) monitors the condition
of the Federal banking system, as well as emerging threats to the
system's safety and soundness. The NRC also monitors evolving business
practices and financial market issues and helps to shape supervisory
efforts to address emerging risk issues. NRC members include senior
agency officials who supervise banks of all sizes, as well as officials
from the legal, policy, and economics departments. The NRC helps to
formulate the OCC's annual bank supervision operating plan that guides
our supervisory strategies for the coming year. The NRC also publishes
the Semiannual Risk Perspective report to provide information to the
industry and the general public on issues that may pose threats to the
safety and soundness of OCC-regulated financial institutions.
---------------------------------------------------------------------------
    While the peer review team found much to praise, its report also
highlighted areas in which its members believe the OCC could improve.
For example, the report addresses the OCC's resident examination
program and the relationship between the OCC's Risk Assessment System
and the interagency CAMELS \4\ rating system. After receiving the
report, I set up senior-level working groups to evaluate and prioritize
the recommendations and develop specific implementation plans for areas
where the groups conclude that there are opportunities for improvement.
I am committed to a full review of the issues and recommendations
identified in the report and to continuous improvement in the way the
OCC does business.
---------------------------------------------------------------------------
    \4\ The OCC's risk assessment system provides a framework that OCC
examiners use to measure, document, and communicate the OCC's
conclusions about the quantity of risk, quality of risk management, and
direction of risk for eight risk categories. The interagency CAMELS
rating system integrates six component areas: capital adequacy, asset
quality, management, earnings, liquidity, and sensitivity to market
risk. Evaluations of these component areas take into consideration an
institution's size and sophistication, the nature and complexity of its
activities, and its risk profile.
---------------------------------------------------------------------------
B. Heightened Expectations
    Because of their size, activities, and implications for the U.S.
financial system, large banks require more rigorous regulation and
supervision. To support this objective, the OCC recently issued a
proposal that would provide additional supervisory tools to examiners
aimed at strengthening risk management practices and governance of
large banks.
This proposal codifies and builds on a set of supervisory
``heightened expectations'' that embody critical lessons learned from
the financial crisis.
    The financial crisis taught us the importance of comprehensive and
effective risk management; the need for an engaged board of directors
that exercises independent judgment; the need for a robust audit
function; the importance of talent development, recruitment, and
succession planning; and a compensation structure that will not
incentivize inappropriate risk taking. In 2010, we began communicating
our heightened expectations to the banks through discussions at board
meetings and in writing. We continued to refine and reinforce these
heightened expectations through our ongoing supervisory activities and
frequent communication with bank management and boards of directors. We
spent time educating our examiners and bankers to clarify our
expectations and specifically noted our requirement for a frank
assessment of the gaps between existing and desired practices. The OCC
also began to examine each large institution for compliance with the
expectations and has included in each bank's Report of Examination an
overall rating of how the bank meets these heightened expectations.
    Our recent proposal builds upon and formalizes the heightened
expectations program in the form of enforceable guidelines that would
generally apply to insured national banks, insured Federal savings
associations, and insured Federal branches of foreign banks with
average total consolidated assets of $50 billion or more.
    The proposed guidelines set forth minimum standards for the design
and implementation of a bank's risk governance framework and provide
minimum standards for the board's oversight of the framework. The
bank's risk governance framework should address all risks to a bank's
earnings, capital and liquidity, and reputation that arise from the
bank's activities.
The proposal also sets out roles and
responsibilities for the organizational units that are fundamental to
the design and implementation of the framework. These units, often
referred to as a bank's three lines of defense, are front line business
units, independent risk management, and internal audit. Together, these
units should establish an appropriate system to control risk taking.
Underlying the framework is a risk appetite statement that articulates
the aggregate level and types of risk a bank is willing to assume in
order to achieve its strategic objectives, consistent with applicable
capital, liquidity, and other regulatory requirements.
    The proposed guidelines also contain standards for boards of
directors regarding oversight of the design and implementation of a
bank's risk governance framework. It is vitally important that each
director be engaged in order to understand the risks being taken by his
or her institution and to ensure that those risks are well managed.
Informed directors who exercise independent judgment can better
question the propriety of strategic initiatives and assess the balance
between risk taking and reward. An effective board also should actively
oversee management. Directors should be in a position to present a
credible challenge to bank management while fulfilling their duty to
preserve the sanctity of the national bank or Federal savings
association charter. By sanctity of the charter, I mean that directors
must ensure that the institution operates in a safe and sound manner.
The national bank or Federal thrift should not simply function as a
booking entity for the holding company. It is a special corporate
franchise that is the gateway to Federal deposit insurance and access
to the discount window.
    The guidelines are proposed as a new appendix to Part 30 of our
regulations.
Part 30 codifies an enforcement process set out in a
statutory provision that authorizes the OCC to prescribe operational
and managerial standards. If a bank fails to satisfy a standard, the
OCC may require it to submit a compliance plan detailing how it will
correct the deficiencies and how long that will take. The OCC can issue
an enforceable order if the bank fails to submit an acceptable
compliance plan or fails in any material way to implement an OCC-
approved plan.
    Higher supervisory standards for the large banks we oversee, such
as those in the proposed guidelines, along with bank management's
implementation of these standards, are consistent with the Dodd-Frank
Act's broad objective of strengthening the financial system. We believe
that this increased focus on strong risk management and corporate
governance will help banks maintain the balance sheet improvements
achieved since the financial crisis and make them better able to
withstand the impact of future crises.
II. Data Security
    There are few issues more important to me or to the OCC than the
emerging risks posed by the increasing sophistication of cyber attacks.
One of my highest priorities is to ensure that banks continue to
improve their ability to protect both their systems and their
customers' data against cyber attacks. While the banking sector is
highly regulated and has been subject to stringent information security
requirements for decades, we recognize that both our supervision and
our guidance to banks must be regularly updated to keep pace with the
rapidly changing nature of cyber threats. For this reason, when I
became Chairman of the Federal Financial Institutions Examination
Council (FFIEC), I called for the creation of a working group on
cybersecurity issues to be housed under the FFIEC's task force on
supervision.
The working group has already begun to meet with
intelligence, law enforcement, and homeland security officials, and it
is exploring additional approaches bank regulators can take to ensure
that institutions of all sizes have the ability to safeguard their
systems.
    Recent events, such as the Distributed Denial of Service attacks on
banks and the information security breaches at Target and Neiman
Marcus, highlight the sophisticated nature of evolving cyber threats,
as well as the interdependencies that exist in today's payment systems.
They also remind us of the impact that cyber attacks have on consumers
and financial institutions. When accounts are compromised, the affected
consumers often pay a stiff price in terms of lost time and the expense
of restoring their credit information, even though they are protected
against fraudulent card charges by their financial institutions. In
addition to the inconvenience to and burden on consumers, financial
institutions, including community banks that issue credit and debit
cards, often end up bearing the costs when bank customer information
maintained by merchants is compromised. Banks have borne the expense of
replacing cards, providing credit monitoring services, responding to
high volumes of customer inquiries, monitoring for fraudulent
transactions, and reimbursing customers for fraud losses.
    Information security has long been an integral part of the OCC's
supervisory process. We have a variety of tools and broad authority to
require the banks we regulate and their service providers to protect
their own systems and their customers' data and to take steps to
identify, prevent, and mitigate identity theft, no matter how a
customer's information was acquired.
Over the years, the OCC, on its
own and through the FFIEC, has published guidance and handbooks that
have made clear our expectations about acceptable risk management
processes and procedures for safeguarding information.
A. Information Security Guidelines and Guidance on Response Programs
        for Unauthorized Access to Customer Information and Customer
        Notice
    Following the 1999 enactment of the Gramm-Leach-Bliley Act, the
OCC, in conjunction with the Federal Deposit Insurance Corporation
(FDIC) and the Board of Governors of the Federal Reserve System
(Federal Reserve) (collectively, the Federal banking agencies)
published enforceable information security guidelines that set forth
standards for administrative, technical, and physical safeguards
financial institutions must have to ensure the security and
confidentiality of customer information. These interagency guidelines
require banks to develop and implement formal information security
programs.
    These programs need to be tailored to the bank's assessment of the
risks it faces. These risks include internal and external threats to
customer information and any method used to access, collect, store,
use, transmit, protect, or dispose of the information. Each bank must
consider the specific security measures set forth in the guidelines and
adopt those that are appropriate for the institution. Given the
evolving threat and technology environment, the guidelines require a
bank's information security program to be dynamic--to continually adapt
to address new threats, changes in technology, and new business
arrangements. We also expect banks to routinely test their systems for
vulnerabilities and to address the weaknesses they discover.
    To ensure effective oversight, the guidelines require that
information security programs be approved by an institution's board of
directors.
The board must also oversee the program's development,
implementation, and maintenance, and it must review annual reports that
describe the bank's compliance with the guidelines.
    Since banks often depend upon service providers to conduct critical
banking activities, the guidelines also address how banks must manage
the risks associated with their service providers that have access to
customer information. This past October, the OCC released updated
guidance that emphasizes the importance of risk management practices
for critical activities throughout the lifecycle of the third-party
relationship.\5\ The guidance also stresses our expectation that the
board and management ensure that appropriate risk management practices
are in place, establish clear accountability for day-to-day management
of these relationships, and periodically conduct independent reviews of
these relationships.
---------------------------------------------------------------------------
    \5\ See OCC Bulletin 2013-29 ``Third Party Relationships: Risk
Management Guidance'' available at:
http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.
---------------------------------------------------------------------------
    While strong and resilient information security programs are
critical, the evolving nature and sophistication of cyber attacks also
require banks to have strong and well-coordinated incident response
programs that can be put into action when a cyber attack or security
breach does occur.
Nearly a decade ago, the OCC, in conjunction with
the FDIC and Federal Reserve, issued guidance to supplement the
information security guidelines titled ``Response Programs for
Unauthorized Access to Customer Information and Customer Notice.'' This
guidance addresses breaches of customer information maintained by or on
behalf of banks and makes clear that the OCC expects each bank to
implement an incident response program with specific policies and
procedures to address unauthorized access to customer information. We
expect a bank's incident response program to include a process for
notifying customers and taking appropriate steps, not only to contain
and control the incident, but also to prevent further unauthorized
access to or use of the customer information. The bank is expected to
notify both law enforcement and its primary regulator and to provide
customers with information they need, such as how to place a fraud
alert on their credit reports.
    During and following cyber attacks on the financial sector, the OCC
plays an important role in identifying risks to bank systems and bank
customer information and conveying appropriate risk management
practices to the industry, including defensive strategies and tactics
to contain attacks. The OCC gathers information from our affected banks
and shares information with other Government agencies. We have
participated in briefings for our banks, service providers, and
examiners on specific cyber threats. In addition, through our
membership in both the Financial and Banking Information Infrastructure
Committee and the Financial Services Information Sharing and Analysis
Center, which are part of the financial sector's public-private
partnerships, we share information regarding cyber threats and discuss
various means to improve the security and resiliency of the financial
sector.
B. Identity Theft Red Flags
    While the information security guidelines require banks to
safeguard the customer information that they maintain or that is
maintained on their behalf, banks also are required to be on the alert
for identity theft involving their customers' information, no matter
how and where an identity thief acquired the information. Pursuant to
section 114 of the FACT Act, the Federal banking agencies, together
with the National Credit Union Administration (NCUA) and the Federal
Trade Commission, issued regulations in 2007 titled ``Identity Theft
Red Flags and Address Discrepancies.'' The final rules require each
financial institution and creditor to develop and implement a formal
identity theft prevention program that includes policies and procedures
for detecting, preventing, and mitigating identity theft in connection
with account openings and existing accounts. The program must cover any
consumer account or any other account that the financial institution or
creditor offers or maintains for which there is a reasonably
foreseeable risk to consumers or to the safety and soundness of the
financial institution or creditor from identity theft. In addition, it
must include policies and procedures to identify relevant red flags,
detect red flags incorporated into the program, respond appropriately
to the red flags that are detected, and ensure the program is updated
periodically to reflect changes in risks to customers and to the
institution from identity theft.
    The agencies also issued guidelines to assist covered entities in
developing and implementing an identity theft prevention program. The
guidelines include a supplement that identifies 26 patterns, practices,
and specific forms of activity that are ``red flags'' signaling
possible identity theft.
These include alerts, notifications, or other
warnings received from consumer reporting agencies or service
providers, the presentation of suspicious documents or suspicious
personal identifying information, the unusual use of or other
suspicious activity related to a covered account, or notice from
customers, victims of identity theft, or law enforcement authorities.
When a bank detects identity theft red flags, the bank is expected to
respond by taking steps that include monitoring accounts, contacting
the customer, changing passwords, closing and reopening the account,
and notifying law enforcement, as appropriate.
C. Retail Payment Systems
    Banks provide essential retail payment transactions and services to
businesses and consumers, including the acceptance, collection, and
processing of a variety of payment instruments and participation in
clearing and settlement systems. From the initiation of a retail
payment transaction to its final settlement, banks are exposed to
certain risks, such as credit, liquidity, compliance, reputation, and
operational risks, including fraud, particularly during settlement
activities. These risks may arise from interactions with payment system
operators and other third parties.
    Recent technological advances are expanding the opportunities for
the development of innovative payment products and services. New
electronic payment instruments and systems offer gains in efficiency by
allowing for the rapid and convenient transmission of payment
information among system participants. However, without appropriate
safeguards, these new products and services can also permit fraud,
money laundering, and operational disruption to occur. In addition,
nonbank third parties are increasingly participating in retail payment
systems, contributing to innovation but also adding complexity to the
transaction chain, which may increase risk in payment processes.
Retail
payment risk management is increasingly difficult, requiring close
attention to the changing nature of risk and robust oversight.
    The OCC, on its own and through the FFIEC, has issued guidance on
identifying and controlling risks associated with retail payment
systems and related banking activities. Risk profiles vary
significantly based on the size and complexity of a bank's retail
payment products and services, expertise, technology infrastructure,
and dependence on third parties. The OCC expects banks engaging in
these activities to be aware of the inherent risks of their activities
and implement appropriate risk management processes. OCC examiners also
assess risk levels and risk management practices at banks and schedule
oversight activities based upon the risk profile of the bank and the
complexity of the products and services offered.
    Banks not only must comply with Federal requirements but also with
State laws and regulations relating to payment systems and with the
operating rules of clearing houses and bank card networks, such as
Payment Card Industry-Data Security Standards (PCI-DSS). In addition,
we expect all banks to maintain effective internal controls, including
robust fraud detection systems and financial, accounting, technical,
procedural, and administrative controls necessary to minimize risks in
the retail payment transaction, clearing, and settlement processes.
These measures, when effectively employed, reduce payment system risk,
ensure that individual transactions are valid, and mitigate processing
and other errors. Effective controls also ensure that the retail
payments infrastructure operates with integrity, confidentiality, and
availability.
D. The OCC's Supervision Program
    The OCC's ongoing supervision program addresses information
security and identity theft prevention for banks, including with
respect to bank participation in the payment system.
The supervisory
program involves teams of examiners who evaluate information security
and identity theft controls and risk management during their
examinations of banks. Our most experienced examiners supervise the
largest institutions and also participate, with the FDIC and Federal
Reserve, in examinations of the largest bank technology service
providers. The OCC's supervision, including of information technology,
continues to evolve as the risks facing the industry change. Both on
our own and through the FFIEC, we update examiner training, regulatory
guidance, and examiner booklets. We also issue alerts to address risks
stemming from increasingly complex bank operations and third-party
relationships, new technologies, and the increasing volume and
sophistication of cyber threats.
    When necessary, the OCC uses our enforcement process to ensure
compliance with our standards. When we have found serious gaps in
meeting our supervisory expectations, we have taken enforcement actions
that include cease and desist orders and civil money penalties. In some
cases, the OCC has also found it necessary to compel banks to notify
their customers of breaches involving personal information.
    The OCC also has taken enforcement actions against bank insiders
who were engaged in identity theft-related activities or were otherwise
involved in serious breaches or compromises of customer information.
These enforcement actions have included orders prohibiting individuals
from working in the banking industry, personal cease and desist orders
restricting the use of customer information, significant civil money
penalties, and orders requiring restitution.
    The OCC is committed to maintaining a robust regulatory framework
that requires banks to protect their systems and their customers'
information.
The volume and sophistication of the cyber threats to our
payment systems and other financial infrastructures are evolving
rapidly. Furthermore, these systems are dependent on other critical
infrastructures that are also vulnerable to these threats, such as
telecommunications and energy, which are outside of the industry's
direct control. For this reason, we will continue to look for ways to
improve our supervisory processes and make the system stronger, through
collaboration and cooperation with industry participants, as well as
other regulatory and Government agencies, such as law enforcement.
III. Capital and Liquidity
A. Capital
    Last year, the OCC, FDIC, and Federal Reserve finalized a rule that
comprehensively revises U.S. capital standards. This rule strengthens
the definition of regulatory capital, increases risk-based capital
requirements, and amends the methodologies for determining risk-
weighted assets. It also adds a new, stricter leverage ratio
requirement for large, internationally active banks. These revisions
reflect enhancements to the international capital framework published
by the Basel Committee on Banking Supervision and are a result of
lessons learned from the financial crisis. The standards are consistent
with and complement the Dodd-Frank Act by strengthening our Nation's
financial system. They reduce systemic risk and improve the safe and
sound operation of the banks we regulate.
    Some of the revisions applicable to large, internationally active
banks became fully effective on January 1 of this year. Most revisions,
including the narrowing of instruments that count as regulatory
capital, will be phased in over several years. For the largest,
internationally active banks, this phase-in has already begun.
For all
other banks, the phase-in will begin in 2015.
Leverage Ratio Capital Requirements
    Regulatory capital standards in the United States have long
included both risk-based capital and leverage requirements, which work
together, each offsetting the other's potential weaknesses while
minimizing incentives for regulatory capital arbitrage. Among the more
important revisions to the domestic capital rules was the addition of
stricter leverage ratio requirements applicable to the largest,
internationally active banks.
    Under longstanding domestic capital requirements, all banking
organizations \6\ must meet a minimum leverage ratio. Our recent
revisions to the capital rules now require certain large banking
organizations also to meet a ``supplementary leverage ratio''
requirement. Unlike the more broadly applicable leverage ratio, this
supplementary leverage ratio incorporates off-balance sheet exposures
into the measure of leverage. It is expected to be more demanding
because large banking organizations often have significant off-balance
sheet exposures that arise from different types of lending commitments,
derivatives, and other activities.
---------------------------------------------------------------------------
    \6\ The U.S. ``banking organizations'' subject to minimum capital
rules include national banks, State member banks, Federal savings
associations, and top-tier bank holding companies domiciled in the
United States not subject to the Federal Reserve's Small Bank Holding
Company Policy Statement (12 CFR part 225, appendix C), as well as top-
tier savings and loan holding companies domiciled in the United States,
except certain savings and loan holding companies that are
substantially engaged in insurance underwriting or commercial
activities.
---------------------------------------------------------------------------
    To further strengthen the resiliency of the banking sector, in
August of last year, the Federal banking agencies published a notice of
proposed rulemaking (NPR) that would increase substantially the
supplementary leverage ratio requirement for the largest and most
systemically important banking organizations. Under the NPR, these
banking organizations would be required to maintain even more tier 1
capital for every dollar of exposure in order to be deemed ``well
capitalized.''
    In January, the Basel Committee finalized revisions to the
international leverage ratio standards upon which the Federal banking
agencies based the supplementary leverage ratio NPR.
    While some reports have suggested these revisions amounted to a
watering down of the international standards, a more accurate depiction
of the changes relative to U.S. standards requires more elaboration.
Although these standards have been relaxed relative to a Basel
Committee proposal issued in June 2013, the committee's final standards
are generally comparable to the final U.S. standards published last
year and the measure of exposure used in the NPR.
    Two areas where the final Basel standards differ from the U.S.
standards are the treatment of credit derivatives and off-balance sheet
commitments.
With respect to credit derivatives, the final Basel
standards require a bank to treat a promise to pay a counterparty in
the event of a credit default as the equivalent of providing a loan to
the counterparty, because both transactions effectively involve the
extension of credit. This requirement is more stringent than the
current U.S. rules, which focus only on the counterparty credit risk
associated with credit derivatives. With respect to off-balance sheet
commitments, the Basel leverage calculation includes a portion of the
potential exposure amount for certain off-balance sheet commitments,
rather than the entire potential exposure amount. This change reduces
the exposure measure relative to the current U.S. standards, which
generally assume that all of these commitments will be completely drawn
at the same time.
    Even considering the change to the exposure measure for certain
commitments, our preliminary analysis suggests that, in the aggregate,
the final Basel standards will generate a larger measure of exposure--
and will therefore be more stringent--than the current and proposed
U.S. standards. However, this is likely to vary by bank. Banks with
large credit derivatives portfolios likely will see greater increases
in their exposure measures relative to other banks.
    Additionally, when considering the impact of the Basel standards,
it is important to keep in mind that the NPR would increase the minimum
supplementary leverage ratio requirements for systemically important
banking organizations in the U.S. to 6 percent at the bank level and 5
percent at the bank holding company level. While we are still
considering comments received on this proposal, the OCC continues to
support stronger leverage ratio standards than the 3 percent
international minimum.
The Federal banking agencies will consider the \nrevisions to the Basel Committee's leverage ratio framework, as well as \nthe comments received in response to the NPR, as we continue with our \nwork. The OCC supports the interagency efforts to ensure that the \nsupplementary leverage ratio will serve as an effective backstop to the \nrisk-based ratios and will work with the FDIC and the Federal Reserve \nto move forward with the rulemaking process in the near term.\nB. Enhanced Liquidity Standards\n    Adequate and appropriate liquidity standards for the banks we \nregulate are an important post-financial crisis tool that is central to \nthe proper functioning of financial markets and the banking sector in \ngeneral. The Federal banking agencies, working together, have made \nsignificant progress in implementing the Basel Committee's Liquidity \nCoverage Ratio in the United States. These liquidity standards will \nhelp ensure that banking organizations maintain sufficient liquidity \nduring periods of acute short-term financial distress.\n    In November of last year, the Federal banking agencies issued a \nproposal that would require certain large financial companies, \nincluding large national banks and Federal savings associations, to \nhold high-quality liquid assets on each business day in an amount equal \nto or greater than its projected cash outflows minus its projected \ninflows over a 30-day period of significant stress. The comment period \nfor the proposed rule ended on January 31, 2014. The agencies are \nreviewing the comments and will be developing a final rule that I hope \ncan be issued by the end of the year.\n    The Federal banking agencies also are working with the Basel \nCommittee to develop another liquidity requirement, the Net Stable \nFunding Ratio, to complement the Liquidity Coverage Ratio and enhance \nlong-term structural funding. 
The Net Stable Funding Ratio would \nrequire banks to maintain a stable funding profile in relation to the \ncomposition of their assets and off-balance sheet activities. The Basel \nCommittee recently published a consultative paper for comment that \ndefines the requirements for this ratio. Once finalized, the Federal \nbanking agencies will work to implement a U.S. rule, which is planned \nto go into effect on January 1, 2018.\n    It is expected that these standards, once fully implemented, will \ncomplement existing liquidity risk guidance and enhanced liquidity \nstandards to be issued by the Federal Reserve, in consultation with the \nOCC, as part of the heightened prudential standards required under \nsection 165 of the Dodd-Frank Act.\nIV. Volcker Rule\n    The statutory provision referred to as the Volcker Rule is set \nforth in section 619 of the Dodd-Frank Act. Section 619 prohibits a \nbanking entity from engaging in short-term proprietary trading of \nfinancial instruments and from owning, sponsoring, or having certain \nrelationships with hedge funds or private equity funds (referred to \nhere, and in the final regulations, as covered funds).\\7\\ \nNotwithstanding these prohibitions, section 619 permits certain \nfinancial activities, including market making, underwriting, risk-\nmitigating hedging, trading in Government obligations, and organizing \nand offering a covered fund.\n---------------------------------------------------------------------------\n    \\7\\ The statute defines the term ``banking entity'' to cover \ngenerally any insured depository institution (other than a limited \npurpose trust bank), any affiliate or subsidiary of an insured \ndepository institution, and any company that controls an insured \ndepository institution. See 12 U.S.C. 
1851(h)(1).\n---------------------------------------------------------------------------\n    On December 10, 2013, the OCC, Federal Reserve, FDIC, Securities \nand Exchange Commission (SEC), and the Commodity Futures Trading \nCommission (CFTC) adopted final regulations implementing the \nrequirements of section 619.\\8\\ In accordance with the statute, the \nfinal regulations prohibit banking entities from engaging in \nimpermissible proprietary trading and strictly limit their ability to \ninvest in covered funds. At the same time, the regulations are designed \nto preserve market liquidity and allow banks to continue to provide \nimportant client-oriented services.\n---------------------------------------------------------------------------\n    \\8\\ See 79 FR 5536 (Jan. 31, 2014). The OCC, Federal Reserve, FDIC, \nand SEC issued a joint regulation, and the CFTC issued a separate \nregulation adopting the same common rule text and a substantially \nsimilar preamble.\n---------------------------------------------------------------------------\n    In developing the final regulations, the agencies carefully \nconsidered the more than 18,000 comments received on the proposed \nregulations from a diverse group of interests--including banks, \nsecurities firms, consumer and public interest groups, Members of \nCongress, foreign governments, and the general public.\\9\\ Commenters \nraised numerous significant and complex issues with respect to the \nproposed regulations, and provided many--sometimes conflicting--\nrecommendations. For example, the agencies heard from various \ncommenters regarding the distinction between impermissible proprietary \ntrading and permitted market making, and with respect to the definition \nof a covered fund. These comments often highlighted key differences in \nthe markets and asset classes subject to regulation by the respective \nagencies under the Volcker Rule. 
In contrast, other commenters urged \nthe agencies to construe the statutory mandate narrowly to avoid the \npotential for evasion of the proprietary trading and covered fund \nprohibitions.\n---------------------------------------------------------------------------\n    \\9\\ Of the 18,000 comment letters, more than 600 were unique \ncomment letters, and the remaining letters were from individuals who \nused a form letter. The agencies each also met with a number of the \ncommenters to discuss issues raised by the proposed regulations and \nhave published summaries of these meetings.\n---------------------------------------------------------------------------\n    To meet these challenges, the agencies worked closely with each \nother in developing the final regulations, from the principal level \ndown to staff at all the agencies who worked long days, nights, and \nweekends, to grapple with extraordinarily complex and important policy \nissues. Though the final regulations have been published, the OCC is \ncontinuing to work closely and cooperatively with the other agencies as \nwe work on our supervisory implementation of the final regulations \nduring the conformance period, which runs through July 21, 2015.\\10\\\n---------------------------------------------------------------------------\n    \\10\\ Section 619 authorized a 2-year conformance period, until July \n21, 2014, for banking entities to conform their activities and \ninvestments to the requirement of the statute. The statute also permits \nthe Federal Reserve to extend this conformance period, one year at a \ntime, for a total of no more than three additional years. 
In a separate \naction, the Federal Reserve has extended the conformance period for an \nadditional year until July 21, 2015, and has indicated that it plans to \nmonitor developments to determine whether additional extensions of the \nconformance period are in the public interest.\n---------------------------------------------------------------------------\n    The statute applies to all banking entities, regardless of size; \nhowever, not all banking entities engage in activities presenting the \nrisks the statute sought to curb. One of my priorities in the Volcker \nrulemaking was to make sure that the final regulations imposed \ncompliance obligations on banking entities in proportion to their \ninvolvement in covered activities and investments. The final \nregulations appropriately recognize that not all banking entities pose \nthe same risk and impose compliance obligations accordingly. So, a \ncommunity bank that only trades in ``plain vanilla'' Government \nobligations has no compliance obligations whatsoever under the final \nregulations. Community banks that engage in other low-risk covered \nactivities will be subject to only minimal requirements.\n    All banking entities, including community banks, will need to \ndivest impermissible covered fund investments under the final \nregulations. Recently, however, the agencies heard, and promptly \nresponded to, a concern raised by community institutions that the final \nregulations treated certain investments in a way that was inconsistent \nwith another important provision of the Dodd-Frank Act. Banking \nentities of all sizes hold collateralized debt obligations backed \nprimarily by trust preferred securities (TruPS CDOs). 
These TruPS CDOs, \noriginally issued some years ago as a means to facilitate capital \nraising efforts of small banks and mutual holding companies, would have \nbeen subject to eventual divestiture and immediate write-downs under \nthe applicable accounting treatment under generally accepted accounting \nprinciples. As a number of community institutions pointed out to the \nagencies, this result was inconsistent with the Collins Amendment to \nthe Dodd-Frank Act,\\11\\ where Congress expressly protected existing \nTruPS as a component of regulatory capital for the issuing institution \nso long as the securities were issued by bank holding companies with \nless than $15 billion in consolidated assets or by mutual holding \ncompanies.\n---------------------------------------------------------------------------\n    \\11\\ See 12 U.S.C. 5371(b)(4)(C).\n---------------------------------------------------------------------------\n    To mitigate the unintended consequences of the final regulations \nand harmonize them with the Collins Amendment, the agencies, on January \n14, 2014, adopted an interim final rule to permit banking entities to \nretain an interest in or sponsor a TruPS CDO acquired before the final \nregulations were approved, provided certain requirements are met.\\12\\ \nAmong others, the banking entity must reasonably believe that the \noffering proceeds from the TruPS CDO were invested primarily in trust \npreferred securities issued prior to May 19, 2010, by a depository \ninstitution holding company below a $15 billion threshold or by a \nmutual holding company. To help community institutions identify which \nCDO issuances remain permissible, the OCC, FDIC, and Federal Reserve \nhave also issued a nonexclusive list of TruPS CDOs that meet the \nrequirements of the interim final rule.\n---------------------------------------------------------------------------\n    \\12\\ See 79 FR 5223 (Jan. 
31, 2014).\n---------------------------------------------------------------------------\n    For banking entities that engage in a high volume of trading and \ncovered fund activities, namely, the largest banks, the final \nregulations will impose some significant changes. These large firms \nhave been preparing for these changes since the statute became \neffective in July 2012, and have been shutting down impermissible \nproprietary trading operations. Now that the final regulations have \nbeen released, these institutions will need to take steps during the \nconformance period to bring their permitted trading and covered fund \nactivities, such as market making, underwriting, hedging, and \norganizing and offering covered funds, into compliance with the \nrequirements of the final regulations. Large banking entities must \ndevelop robust compliance programs, and they will be required to \ncompile and report quantitative metrics on their trading activities \nthat may serve as an indicator of potential impermissible proprietary \ntrading or a high-risk trading strategy. Banking entities will not be \nable to use covered funds to circumvent the proprietary trading \nrestrictions, and they will not be able to bail out covered funds they \nsponsor or invest in.\n    Of course, issuing a final regulation is only the beginning of the \nagencies' implementation process. Equally important is how the agencies \nwill enforce it. The OCC is committed to developing a robust \nexamination and enforcement program that ensures the banking entities \nwe supervise come into compliance and remain compliant with the Volcker \nRule. In the near term, our priority is implementing examination \nprocedures and training to help our examiners assess whether banks are \ntaking the necessary steps to come into compliance with the final \nregulations by the end of the conformance period, and we are actively \nengaged in these efforts. 
Using these procedures, examiners will direct \nbanks they examine to identify the range and size of activities and \ninvestments covered by the final regulations, and will assess banks' \nprocesses and systems for metrics reporting and their project plans for \nbringing their trading activities and investments into conformance with \nthe final regulations. Moreover, key OCC subject matter experts across \nour policy and supervision divisions are developing training for our \nexaminers to be held later in 2014. We will build upon these initial \nprocedures and training through the course of the conformance period as \nwe further assess the progress and needs of our examiners.\n    The agencies also are working to ensure consistency in application \nof the final regulations. I am pleased to report that the OCC has led \nthe formation of an interagency working group to address and \ncollaborate on developing responses to key supervisory issues that \narise under the final regulations. That interagency group held its \nfirst meeting in late January and will continue to meet on a regular \nbasis going forward. The OCC is also participating in interagency \ntraining on the final regulations this spring and summer under the \nauspices of the FFIEC.\n    When fully implemented, I believe the final regulations will \nachieve the legislative purpose for which the Volcker Rule was enacted. \nThe final regulations will limit the risks the prohibited activities \npose to the safety and soundness of banking entities and the U.S. \nfinancial system in a way that will permit banking entities to continue \nto engage in activities that are critical to capital generation for \nbusinesses of all sizes, households, and individuals, and that \nfacilitate liquid markets.\nV. 
Derivatives--Title VII\n    Pursuant to sections 731 and 763 of the Dodd-Frank Act, banks that \nare ``swap dealers'' must register with the CFTC, and those that are \n``securities-based swap dealers'' must register with the SEC. The swap \nactivities of banks that must register are subject to substantive \nrequirements under Title VII of the Act. At this time, nine national \nbanks have provisionally registered as swap dealers.\n    Sections 731 and 763 also require the Federal banking agencies, \ntogether with the Federal Housing Finance Agency (FHFA) and the Farm \nCredit Administration (FCA), to impose minimum margin requirements on \nnoncleared swaps and security-based swaps for swap dealers, major swap \nparticipants, security-based swap dealers, and major security-based \nswap participants that are banks. These agencies published a proposal \nto implement these requirements on May 11, 2011.\n    After issuing the U.S. proposal, the Federal banking agencies \nparticipated in efforts by the Basel Committee and International \nOrganization of Securities Commissions (IOSCO) to address coordinated \nimplementation of margin requirements across the G-20 nations. \nFollowing extensive public comment, the Basel Committee and IOSCO \nfinalized an international framework in September of 2013.\n    The Federal banking agencies, together with the FHFA and the FCA, \nhave reviewed this framework and the comments received on the U.S. \nproposal. The Federal banking agencies received more than 100 comments \nfrom banks, asset managers, commercial end users, trade associations, \nand others. Many commenters focused on the treatment of commercial end \nusers, urging the agencies to exempt transactions with such entities \nfrom the margin requirements in a manner consistent with the approach \ntaken in the Basel Committee-IOSCO framework. 
The Federal banking \nagencies are currently evaluating the changes indicated under the \nframework and suggested by commenters and expect to issue a final rule \nin the coming months.\n    Additionally, banks that are registered swap dealers are subject to \nthe derivatives push-out requirements in section 716 of the Dodd-Frank \nAct. This provision, which became effective on July 16, 2013, generally \nprohibits Federal assistance to swap dealers. The statute required the \nOCC to grant banks it supervises a transition period of up to 24 months \nto comply. We have granted a 24-month transition period to nine \nnational banks and four Federal branches. We concluded that the \ntransition period is necessary to allow banks to develop a transition \nplan for an orderly cessation or divestiture of certain swap activities \nthat does not unduly disrupt lending activities and other functions \nthat the statute required us to consider.\nVI. Other Dodd-Frank Rulemakings\n    The OCC has made considerable progress on other Dodd-Frank \nrequirements. In August of last year, we issued a final rule to \nimplement a provision in section 610 of the Act, which requires that an \ninstitution's lending limit calculation account for credit exposure \narising from derivatives and securities financing transactions. The new \nrule specifies methods to calculate this credit exposure. In addition, \nwe joined the other members of the FFIEC and the SEC in November to \npropose Joint Standards for Assessing Diversity Policies and Practices \nof Regulated Entities. These proposed standards implement a provision \nin section 342 of the Dodd-Frank Act and are intended to promote \ntransparency and awareness of diversity within these entities.\nA. 
Appraisals\n    The Dodd-Frank Act contains a number of provisions relating to \nappraisals, and the Federal banking agencies, along with the NCUA, \nFHFA, and the Bureau of Consumer Financial Protection (CFPB), continue \nto work to implement these provisions. As I have previously reported, \nthese agencies issued a final rule last year requiring all creditors, \nsubject to certain exceptions, to comply with additional appraisal \nrequirements before advancing credit for higher-risk mortgage loans. \nThis past December, these agencies issued a supplemental final rule to \nrevise one of the exemptions and include two additional exemptions. \nThese changes reduce regulatory burden and reflect comments the \nagencies received from the public.\n    In the coming months, the agencies plan to publish a proposal to \nestablish minimum requirements for State registration of appraisal \nmanagement companies, known as AMCs, which serve as intermediaries \nbetween appraisers and lenders. This rule will ensure that appraisals \ncoordinated by AMCs adhere to applicable quality control standards and \nwill facilitate State oversight of AMCs. The proposal also will \nimplement the Dodd-Frank Act requirement that the States report to the \nFFIEC's Appraisal Subcommittee information needed to administer a \nnational AMC registry.\n    The agencies also are working collaboratively on a proposal to \nimplement specific quality control standards for automated valuation \nmodels, which are computer models used to assess the value of real \nestate that serves as collateral for loans or pools of loans. We expect \nto issue this proposal later in 2014. Finally, the agencies are \nconsidering rulemaking options to complement an interim final rule \nissued by the Federal Reserve in 2010 that implements statutory \nappraisal independence requirements.\nB. 
Credit Risk Retention\n    The Federal banking agencies, together with FHFA, the SEC, and the \nDepartment of Housing and Urban Development, continue to work on \nimplementing the credit risk retention requirements for asset \nsecuritization in section 941 of the Dodd-Frank Act. In 2011, these \nagencies proposed a rule to implement section 941 and received over \n10,000 comments, which offered many thoughtful suggestions. These \nagencies concluded that the rulemaking would benefit from a second \nround of public review and comment, and we reproposed the rule in \nSeptember 2013. Although the reproposal includes significant changes \nfrom the original proposal, its focus is the same--to ensure that \nsponsors are held accountable for the performance of the assets they \nsecuritize.\n    The comment period for the reproposal has now closed, and we are \nworking on a final rule. While we expect to complete this project in \nthe near future, the interagency group is working through some \nsignificant issues. For example, the agencies received a substantial \nnumber of comments regarding the definition of ``qualified residential \nmortgage'' and the extent to which it should incorporate the CFPB's \ndefinition of ``qualified mortgage.'' The agencies also received \nnumerous comments, including some from Members of this Committee, \nregarding the treatment of collateralized loan obligations. We are \ncarefully considering these and other issues, with the goal of \nbalancing meaningful risk retention with the availability of credit to \nindividuals and businesses.\nC. Incentive-Based Compensation Arrangements\n    Finally, the OCC continues to work on the implementation of section \n956 of the Dodd-Frank Act, which requires us to prescribe regulations \nor guidelines regarding incentive-based compensation. 
The Federal \nbanking agencies, along with the NCUA and the SEC, proposed a rule that \nwould require the reporting of certain incentive-based compensation \narrangements by a covered financial institution and would prohibit \nincentive-based compensation arrangements at a covered financial \ninstitution that provides excessive compensation or could expose the \ninstitution to inappropriate risks leading to a material financial \nloss. The agencies received thousands of comments on this proposal and \nwill address the issues raised by the commenters in the final rule.\nConclusion\n    Thank you again for the opportunity to appear before you and to \nupdate the Committee on the OCC's continued work to implement the Dodd-\nFrank Act and enhance our efforts to regulate our country's national \nbanks and Federal savings associations.\n                                 ______\n                                 \n                                 <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n                                 \n
                         \n                  PREPARED STATEMENT OF MARK P. WETJEN\n         Acting Chairman, Commodity Futures Trading Commission\n                            February 6, 2014\n    Good morning Chairman Johnson, Ranking Member Crapo and Members of \nthe Committee. Thank you for inviting me to today's hearing on the \nDodd-Frank Wall Street Reform and Consumer Protection Act (``Dodd-\nFrank'') and customer information security. I am honored to testify as \nActing Chairman of the Commodity Futures Trading Commission (``CFTC''). \nI also am pleased to join my fellow regulators in testifying today.\n    Now is a good time for not only this Committee, but all \nstakeholders in the CFTC to reflect on the agency's progress in \nimplementing financial reform and what the future might bring for this \nagency and the markets it oversees.\n    Due to Dodd-Frank and the efforts of my colleagues and staff at the \nCFTC, today there is both pre-trade and post-trade transparency in the \nswaps market that did not exist before. The public now can see the \nprice and volume of swap transactions in real-time, and the CFTC's \nWeekly Swaps Report provides a snapshot of the swaps market each week. \nThe most liquid swaps are being traded on regulated platforms and \nexchanges, with a panoply of protections for those depending on the \nmarkets, and regulators themselves have a new window into the \nmarketplace through swap data repositories (``SDRs'').\n    Transparency, of course, is helpful only if the information \nprovided to the public and regulators can be usefully employed. 
\nTherefore, the CFTC also is taking steps to protect the integrity of \nthat data and ensure that it continues to be reliable and useful for \nsurveillance, systemic risk monitoring, and the enforcement of \nimportant financial reforms.\n    These transparency rules complement a number of equally important \nfinancial reforms. For example, the counterparty credit risks in the \nswaps market have been reduced as a large segment of the swaps market \nis now being cleared--as of last month, about 70 percent of new, arm's-\nlength swaps transactions were being cleared. Additionally, nearly 100 \nswap dealers and major swap participants (``MSPs'') have registered \nwith the CFTC, bringing their swaps activity and internal risk-\nmanagement programs under the CFTC's oversight for the first time. We \nalso have strengthened a range of futures and swaps customer \nprotections.\n    As it has put these reforms in place, the CFTC has consistently \nworked to protect liquidity in the markets and ensure that end users \ncan continue using them to hedge risk as Congress directed.\n    The CFTC, in short, has completed most of its initial mandate under \nDodd-Frank and has successfully ushered in improvements to the over-\nthe-counter derivatives market structure for swaps, while balancing \ncountervailing objectives.\nVolcker Rule\n    In recent weeks, the Commission finalized the Volcker Rule, which \nwas one of our last major rules under Dodd-Frank. The Volcker Rule was \nexceptional on account of the unprecedented coordination among the five \nfinancial regulators.\n    Congress required the banking regulators to adopt a joint Volcker \nRule, but it also provided that the market regulators--the Securities \nand Exchange Commission (``SEC'') and the CFTC--need only coordinate \nwith the prudential banking regulators in their rulemaking efforts. 
One \nof the hallmarks of the final rule is that the market regulators went \nbeyond the congressional requirement to simply coordinate. In fact, the \nCFTC's final rule includes the same rule text as that adopted by the \nother agencies. Building a consensus among five different Government \nagencies was no easy task, and the level of coordination by the \nfinancial regulators on this complicated rulemaking was exceptional.\n    This coordination was thanks in no small part to leadership at the \nDepartment of the Treasury. Secretary Lew, Acting Deputy Secretary \nMiller, and others were instrumental in keeping the agencies on task \nand seeing this rulemaking over the finish line. Along with the other \nagencies, the CFTC received more than 18,000 comments addressing \nnumerous aspects of the proposal. CFTC staff hosted a public roundtable \non the proposed rule and met with a number of commenters. Through \nweekly inter-agency staff meetings, along with more informal \ndiscussions, the CFTC staff and the other agencies carefully considered \nthe comments in formulating the final rule.\nDifferences with Proposal\n    The agencies were responsive to the comments when appropriate, \nwhich led to several changes from the proposed Volcker Rule I would \nlike to highlight.\n    The final Volcker Rule included some alterations to certain parts \nof the hedging-exemption requirements found in the proposal. For \ninstance, the final rule requires banking entities to have controls in \nplace through their compliance programs to demonstrate that hedges \nwould likely be correlated with an underlying position. 
The final rule \nalso requires ongoing recalibration of hedging positions in order for \nthe entities to remain in compliance.\n    Additionally, the final rule provides that hedging related to a \ntrading desk's market-making activities is part of the trading desk's \nfinancial exposure, which can be managed separately from the risk-\nmitigating hedging exemption.\n    Another modification to the proposal was to include under ``covered \nfunds'' only those commodity pools that resemble, in terms of type of \noffering and investor base, a typical hedge fund.\nCFTC Volcker Rule Implementation and Enforcement\n    The CFTC estimates that, under its Volcker regulations, it has \nauthority over more than 100 registered swap dealers and futures \ncommission merchants (``FCMs'') that meet the definition of ``banking \nentity.'' In addition, under Section 619, some of these banking \nentities may be subject to oversight by other regulators. For example, \na joint FCM/broker-dealer would be subject to both CFTC and SEC \njurisdiction and in such circumstances, the CFTC will monitor the \nactivities of the entity directly and also coordinate closely with the \nother functional regulator(s).\n    In this regard, Section 619 of the Dodd-Frank Act amended the \nBanking Holding Company Act to direct the CFTC itself to write rules \nimplementing Volcker Rule requirements for banking entities ``for which \nthe CFTC is the primary financial regulatory agency'' as that term was \ndefined by Congress in Dodd-Frank. Accordingly, as Congress directed, \nthe CFTC's final rule applies to entities that are subject to CFTC \nregistration and that are banking entities, under the Volcker \nprovisions of the statute.\n    To ensure consistent, efficient implementation of the Volcker Rule, \nand to address, among other things, the jurisdiction issues I just \nmentioned, the agencies have established a Volcker Rule implementation \ntask force. 
That task force also will be the proper vehicle to examine \nthe means for coordinated enforcement of the rule. Although compliance \nrequirements under the Volcker Rule do not take effect until July 2015, \nthe CFTC is exploring now whether to take additional steps, including \nwhether to adopt formal procedures for enforcement of the rule. As part \nof this process, I have directed CFTC staff to consider whether the \nagency should adopt such procedures and to make recommendations in the \nnear future.\nVolcker Rule: Lowering Risk in Banking Entities\n    The final Volcker Rule closely follows the mandates of Section 619 \nand strikes an appropriate balance in prohibiting banking entities from \nengaging in the types of proprietary trading activities that Congress \ncontemplated when considering Section 619 and in protecting liquidity \nand risk management through legitimate market making and hedging \nactivities. In adopting the final rule, the CFTC and other regulators \nwere mindful that exceptions to the prohibitions or restrictions in the \nstatute, if not carefully defined, could conceivably swallow the rule.\n    Banking entities are permitted to continue market making--an \nimportant activity for providing liquidity to financial markets--but \nthe agencies reasonably confined the meaning of the term ``market \nmaking'' to the extent necessary to maintain a market-making inventory \nto meet near-term client, customer or counterparty demands.\n    Likewise, the final rule permits hedging that reduces specific \nrisks from individual or aggregated positions of the banking entity.\n    The final Volcker Rule also prohibits banking entities from \nengaging in activities that result in conflicts of interest with \nclients, customers or counterparties, or that pose threats to the \nsafety and soundness of these entities, and potentially therefore to \nthe U.S. 
financial system.\n    The final Volcker rule also limits banking entities from sponsoring \nor owning ``covered funds,'' which include hedge funds, private equity \nfunds or certain types of commodity pools, other than under certain \nlimited circumstances. The final rule focuses the prohibition on \ncertain types of pooled investment vehicles that trade or invest in \nsecurities or derivatives.\n    Finally, and importantly, the final Volcker Rule requires banking \nentities to put in place a compliance program, with special attention \nto the firm's compliance with the rule's restrictions on market making, \nunderwriting and hedging. It also requires the larger banking entities \nto report key metrics to regulators each month. This new transparency, \nonce phased-in, will buttress the CFTC's oversight of swap dealers and \nFCMs by providing it additional information regarding the risk levels \nat these registrants.\nTruPS Interim Final Rule\n    Even with resource constraints, the CFTC has been responsive to \npublic input and willing to explore course corrections, when \nappropriate. With respect to the Volcker Rule, the CFTC, along with the \nother agencies, last month unanimously finalized an interim final rule \nto allow banks to retain collateralized debt obligations backed \nprimarily by trust-preferred securities (TruPS) issued by community \nbanks. The agencies acted quickly to address concerns about \nrestrictions in the final rule, demonstrating again the commitment of \nthe agencies at this table to ongoing coordination. 
In doing so, the \nCFTC and the other agencies protected important markets for community \nbanks, as Congress directed.\nImplementation Stage of Dodd-Frank\n    Looking ahead through the lens of what already has been done, it is \nclear that the Commission and all stakeholders will need to closely \nmonitor and, if appropriate, address the inevitable challenges that \nwill come with implementing the new regulatory framework under Dodd-\nFrank.\n    For the CFTC, only a few rulemakings remain to be re-proposed or \nfinalized in order to complete the implementation of Dodd-Frank. \nIndeed, in just a matter of days, the compliance date for perhaps the \nlast remaining, major hallmark of the reform effort will arrive: the \neffective date of the swap-trading mandate.\n    Rules the Commission is working to address in the coming months \ninclude capital and margin requirements for uncleared swaps, \nrulemakings intended to harmonize global regulations for clearinghouses \nand trading venues, and finalizing position limits.\n    There are other important matters in the months ahead as well.\n    Allow me to mention some of these matters before the Commission as \nwe move forward with Dodd-Frank implementation.\nMade Available to Trade Determinations\n    As a result of the trade execution mandate, many swaps will, for \nthe first time, trade on regulated platforms and benefit from market-\nwide, pre-trade transparency. These platforms are designed to improve \npricing for the buy-side, commercial end users, and other participants \nthat use these markets to manage risk. Additionally, SEFs, as \nregistered entities, are required to establish and enforce \ncomprehensive compliance and surveillance programs.\n    The Commission's trade execution rules complement our other efforts \nto streamline participation in the markets by doing away with the need \nto negotiate bilateral credit arrangements and removing impediments to \naccessing liquidity. 
This not only benefits the end users that the \nmarkets are intended to serve, but also new entrants seeking to compete \nfor liquidity who now are able to access the markets on impartial \nterms. In essence, the Commission's implementation of the trade \nexecution mandate supports a transparent, risk-reducing swap-market \nstructure under CFTC oversight.\n    In recent weeks, the ``Made Available to Trade Determinations'' \nfiled by four swap execution facilities (``SEFs'') have been deemed \ncertified, making mandatory the trading of a number of interest rate \nand credit default swaps on regulated platforms.\n    There have been some questions in this context about the trading of \nso-called ``package transactions,'' which often include a combination \nof financial instruments and at least one swap that is subject to the \ntrade execution requirement. I have directed Division of Market \nOversight (``DMO'') staff to hold an open-to-the-public roundtable, \nwhich will take place February 12, and to further examine these issues \nso that the CFTC can further consider the appropriate regulatory \ntreatment of basis trades falling within the meaning of a ``package \ntransaction.''\nData\n    In order for the Commission to enforce the significant Dodd-Frank \nreforms, the agency must have accurate data and a clear picture of \nactivity in the marketplace.\n    Last month, with the support of my fellow commissioners, I directed \nan interdivisional staff working group to review certain swap \ntransaction data, recordkeeping and reporting provisions under Dodd-\nFrank. 
The working group, led by the director of DMO, will formulate \nand recommend questions for public comment regarding compliance with \nPart 45 reporting rules and related provisions, as well as consistency \nin regulatory reporting among market participants.\n    We have seen an incredible shift to a transparent, regulated swaps \nmarketplace, and this is an appropriate review to ensure the data we \nare receiving is of the best possible quality so the Commission can \neffectively oversee the marketplace. I have asked the working group to \nreview the incoming public comments and make recommendations to the \nCommission in June.\nConcept Release on Risk Controls and System Safeguards for Automated \n        Trading Environments\n    The CFTC's Concept Release on Risk Controls and System Safeguards \nfor Automated Trading Environments provides an overview of the \nautomated trading environment, including its principal actors, \npotential risks, and responsive measures taken to date by the \nCommission or industry participants. It also discusses pre-trade risk \ncontrols; post-trade reports; system safeguards related to the design, \ntesting and supervision of automated trading systems; and additional \nprotections designed to promote safe and orderly markets. Within the \nrelease, the Commission asks 124 questions and is seeking extensive \npublic input.\n    To give the public more time to provide comments, the CFTC extended \nthe comment period, which continues through February 14.\nPosition Limits\n    The futures markets have a long history of embracing speculative \nposition limits as a tool to reduce unwarranted price fluctuations and \nminimize the risk of manipulation, particularly in the spot month, such \nas corners and squeezes. 
Our proposed position limits rule builds on \nthat history, increases transparency, and lessens the likelihood that a \ntrader will accumulate excessively large speculative positions.\n    The Commission's proposed rule respects congressional intent and \naddresses a district court decision related to the Commission's new \nposition-limits authority under Dodd-Frank.\n    The comment period on the re-proposed rule closes February 10, and \nI look forward to reviewing the public input.\nInternational Coordination\n    Given that the U.S. has nearly delivered on its G20 commitments to \nderivatives reform, and the European Union is close behind, financial \nregulators recently have focused more time on the developing global \nmarket structure for swaps.\n    The G20 commitments were a reaction to a global financial crisis. \nAlthough the causes of that crisis are not as clear as some suggest, \nfew would disagree that liquidity constraints at certain firms were at \nleast exacerbated by exposures to derivatives.\n    The plain truth is that risk associated with derivatives is mobile \nand can migrate rapidly across borders in modern financial markets. An \nequally plain truth is that any efforts to monitor and manage global \nsystemic risk therefore must be global in nature.\n    Risk mobility means that regulators in the United States and abroad \ndo not have the luxury of limiting their oversight to financial \nactivities occurring solely within their borders. Financial activities \nabroad may be confined to local markets in some cases, but the \nfinancial crisis, and more recent events, make clear that the rights \nand responsibilities that flow from these activities often are not.\n    Perhaps as important, Congress reacted to the financial crisis by \nauthorizing the CFTC to oversee activities conducted beyond its borders \nin appropriate cases. 
It could have limited the CFTC's oversight to \nonly those entities and activities located or occurring within our \nshores, but it did not. In fact, Congress recognized in Dodd-Frank that \neven when activities do not obviously implicate U.S. interests, they \ncan still create less obvious but legally binding obligations that are \nsignificant and directly relevant to the health of a U.S. firm; and \nwhich in the aggregate could have a material impact on the U.S. \nfinancial system as a whole.\n    So it is clear to me that the CFTC took the correct approach in \nadopting cross-border policies that account for the varied ways that \nrisk can be imported into the U.S. At the same time, the CFTC's \npolicies tried to respect the limits of U.S. law and the resource \nconstraints of U.S. and global regulators. That is in part why, last \nDecember, the CFTC approved a series of determinations allowing non-\nU.S. swap dealers and MSPs to comply with Dodd-Frank by relying on \ncomparable and comprehensive home country regulations, otherwise known \nas ``substituted compliance.''\n    Those approvals by the CFTC reflect a collaborative effort with \nauthorities and market participants from each of the six jurisdictions \nwith registered swap dealers. Working closely with authorities in \nAustralia, Canada, the EU, Hong Kong, Japan, and Switzerland, the CFTC \nissued comparability determinations for a broad range of entity-level \nrequirements. And in two jurisdictions, the EU and Japan, the CFTC also \nissued comparability determinations for a number of key transaction-\nlevel requirements.\n    It appears at this time that the substituted compliance approach \nhas been successful in supporting financial reform efforts around the \nglobe and a race-to-the-top in global derivatives regulation. 
Last \nmonth, for example, the European Union (``EU'') agreed on updated rules \nfor markets in financial derivatives, or the Markets in Financial \nInstruments Directive II (``MiFiD II''), reflecting great progress on \nderivatives reform in the EU. Other jurisdictions that host a \nsubstantial market for swap activity are still working on their \nreforms, and certainly will be informed by the EU's work and the CFTC's \nongoing coordination with foreign regulators.\n    As jurisdictions outside the U.S. continue to strengthen their \nregulatory regimes and meet their G20 commitments, the CFTC may \ndetermine that additional foreign regulatory requirements are \ncomparable to and as comprehensive as certain requirements under Dodd-\nFrank.\n    The CFTC also has made great progress with the European Commission \nsince both regulators issued the Path Forward statement last summer, \nand we are actively working with the Europeans to ensure that \nharmonized regulations on the two continents promote liquidity \nformation and sound risk management. Fragmented liquidity, and the \nregulatory and financial arbitrage that both drives and follows it, can \nlead to increased operational costs and risks as entities structure \naround the rules in primary swap markets.\n    Harmonizing regulations governing clearinghouses and trading \nvenues, in particular, is critical to sound and efficient market \nstructure. Even if firms are able to navigate the conflicts and \ncomplexities of differing regulatory regimes, regulators here and \nabroad must do what they can to avoid incentivizing corporate \nstructures and inter-affiliate relationships that will only make global \nfinancial firms more difficult to understand, manage, and unwind during \na period of market distress.\n    Conversely, this translates to open, competitive derivatives \nmarkets. It means efficient and liquid markets. 
A global regime is the \nbest means to avoid balkanization of risk and risk management that may \nexpose the U.S. financial system over time to risks that are \nunnecessary, needlessly complex, and difficult to predict and contain.\n    In light of the CFTC's swaps authority, and the complexities of \nimplementing a global regulatory regime, the Commission is working with \nnumerous foreign authorities to negotiate and sign supervisory \narrangements that address regulator-to-regulator cooperation and \ninformation sharing in a supervisory context. We currently are \nnegotiating such arrangements with respect to swap dealers and MSPs, \nSDRs, SEFs, and derivatives clearing organizations.\n    As a final note on cross-border issues, on February 12 the Global \nMarkets Advisory Committee (``GMAC''), which I sponsor, will meet to \ndiscuss the November 14, 2013, CFTC staff advisory on applicability of \ntransaction-level requirements in certain cross-border situations.\nThe CFTC and Customer Information Security\n    The CFTC takes our responsibility to protect against the loss or \ntheft of customer information seriously. However, the CFTC's funding \nchallenges, and thus our limited examinations staff, have an impact on \nthe agency's ability to examine and enforce critical rules that protect \ncustomer privacy and ensure firms have robust information security and \nother risk management policies in place.\n    The Gramm-Leach-Bliley Act was enacted in 1999 to ensure that \nfinancial institutions respect the privacy of their customers. Part 160 \nof the CFTC's regulations was adopted pursuant to the Gramm-Leach-\nBliley Act and addresses privacy and security safeguards for customer \ninformation. 
Under the law, swap dealers, FCMs and other CFTC \nregistrants must have ``policies and procedures that address \nadministrative, technical and physical safeguards for the protection of \ncustomer records and information.'' These policies and procedures are \ndesigned to protect against unauthorized access to customer records or \ninformation.\n    The CFTC is working to strengthen our registrants' compliance with \nthe law. The agency is poised to release a staff advisory to market \nparticipants outlining best practices for compliance. The advisory \nrecommends, among other best practices, that registrants should assess \nexisting privacy and security risks; design and implement a system of \nprocedures and controls to minimize such risks; regularly test privacy \nand security controls, including periodic testing by an independent \nparty; annually report to the board on these issues; and implement an \nincident response program that includes notifying the Commission and \nindividuals whose information was or may be misused. In addition, the \nCFTC has recently issued new customer protection regulations that \ninclude, among other regulations, new requirements for risk management \nby firms. Security safeguards are an element of risk management that \nneeds to be addressed by this new regulation.\n    Last year, the CFTC also issued interpretive guidance, mirroring \nthat of other financial agencies, clarifying that reporting of \nsuspected financial abuse of older Americans to appropriate law \nenforcement agencies does not violate the privacy provisions within \nPart 160 of the Commission's rules.\n    Though enforcement of CFTC Part 160 rules is a challenge given our \nlimited resources, we have enforced them in the past. 
In one instance, \nthe CFTC settled a case with an FCM when an employee of that FCM placed \nfiles containing sensitive personally identifiable information on a \npublic Web site, and the FCM did not have effective procedures in place \nto safeguard customer information.\n    In addition to Part 160, the CFTC's Dodd-Frank rules for DCMs, SEFs \nand SDRs require these entities to notify the CFTC of all cybersecurity \nincidents that could potentially or actually jeopardize the security of \ninformation.\n    Last spring, the CFTC and SEC adopted final ``red flags'' rules \nunder the Dodd-Frank Act requiring CFTC and SEC registrants to adopt \nprograms to identify and address the risk of identity theft. As the law \nrequired, our rules establish special requirements for credit and debit \ncard issuers to assess the validity of change of address, but \ncurrently, the CFTC entities that must follow these identity theft \nrules do not issue credit or debit cards. A number of firms, however, \ndo accept credit and debit cards for payment, which presents a \ndifferent type of risk.\n    The CFTC also has adopted a rule regarding the proper disposal of \nconsumer information requiring reasonable measures, such as shredding, \nto protect against unauthorized access.\nRetail Payment Systems\n    The Commission's new customer protection rules on risk management \nrequire FCMs to develop risk management policies that address risks \nrelated to retail payment systems, such as anti-money laundering, \nidentity theft, unauthorized access, and cybersecurity.\n    The CFTC currently does not have the resources to conduct any \ndirect examinations of retail payment systems. The CFTC does indirectly \nlook at the risks of retail payment systems through designated self-\nregulatory organizations (DSRO). The DSRO covers the operational \naspects of the money movement through their risk-based programs. 
\nAdditionally, DSROs perform a review of anti-money laundering at FCMs \nlooking at a number of aspects of a retail payment system--source of \nfunds, cash transactions, customer identity, money laundering and staff \ntraining.\n    For the vast majority of our registrants, the retail payment system \nis through normal banking channels, such as wire transfers. Only a few \nof our registrants accept credit or debit cards, and none currently \naccept virtual currency payment systems. Virtual currency, however, \ndoes present new risk, as a firm would be interacting outside of bank \npayment channels, increasing the risk of hacking or fraud, among other \ncybersecurity issues. The CFTC is working with registrants that are \nseeking to accept virtual currencies to educate them about best \npractices.\nData Breach Response\n    The CFTC's response to a data breach incident would include \nimmediately assessing the situation with the registrant to understand \nthe magnitude of the breach and its implications on customers and the \nmarketplace. We would coordinate with other regulators and law \nenforcement and together determine the appropriate course of action. \nOur response would include an analysis of the data compromised, \nimmediate notification to affected customers (unless law enforcement \nprohibits that notification), supporting customers by having the firm \nprovide free credit monitoring services, ensuring customers know how to \nchange user IDs and passwords, and having the firm closely monitor \ncustomer activity to look for signs of identity theft.\n    Looking ahead, the Commission is considering implementing rules \nunder Gramm-Leach-Bliley to expand upon our current customer protection \nregulations with more specificity regarding the security of customer \ninformation.\nResources\n    To be effective, the CFTC's oversight of these registrants requires \ntechnological tools and staff with expertise to analyze complex \nfinancial information. 
On that note, I am pleased that the House and \nSenate have agreed to an appropriations bill that includes a modest \nbudgetary increase to $215 million for the CFTC, lifting the agency's \nappropriations above the sequestration level that has been challenging \nfor planning and orderly operation of the agency. The new funding level \nis a step in the right direction. We will continue working with \nCongress to secure resources that match the agency's critical \nresponsibilities in protecting the safety and integrity of the \nfinancial markets under its jurisdiction. We need additional staff for \nsurveillance, examinations, and enforcement, as well as investments in \ntechnology, to give the public confidence in our ability to oversee the \nvast derivatives markets.\nConclusion\n    For the CFTC, the Volcker Rule was one of the last remaining \nrulemakings required by Dodd-Frank. Only a few rulemakings remain to be \nre-proposed or finalized in order to complete the implementation of the \nlegislation. Indeed, in just a matter of days, the compliance date for \nperhaps the last remaining major hallmark of the reform effort will \narrive: the effective date of the swap-trading mandate. Looking \nforward, the agency will continue working to ensure an orderly \ntransition to, and adoption of, the new market structure for swaps, and \nadjusting as necessary.\n    Thank you again for inviting me today. I would be happy to answer \nany questions from the Committee.\n  RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM MARY J. \n                             MILLER\n\nQ.1. When a data breach happens at a merchant level, Federal \nbanking regulators generally do not have jurisdiction to \ninvestigate and take action. However, collateral consequences \nof such breaches are that regulated financial institutions are \nimpacted and face reputational and financial setbacks as a \nresult. 
What are your expectations for the regulated entities \nwhen a breach occurs at a third party? What are some of the \nchallenges financial institutions face as a result of the \nbreach? How can those challenges be addressed while minimizing \nconsequences of, and cost for, affected financial institutions?\n\nA.1. Attacks on retail payment systems have gained heightened \nattention over the past months, following the widely reported \ndata breach of the Target Corporation. Cyber criminals have \ntaken advantage of cybersecurity vulnerabilities within the \nnetworks of retail merchants and financial services firms to \nunlawfully obtain credit card information and other payment \ncard data from Point-of-Sale terminals. While the theft of \ncredit card information has resulted in fraud against financial \ninstitutions, much of the liability for these losses will be \nborne by the retailers where the original breach took place. \nThis is a result of the structure of contracts between banks \nand merchants, which rely upon industry imposed standards.\n    Because technology continues to evolve and malicious actors \nadapt their techniques, no one security solution is likely to \nresolve the cybersecurity challenges banks face. As the sector \nspecific agency for financial services, Treasury strongly \nsupports the financial sector's efforts to take a comprehensive \napproach to cybersecurity, including by using the National \nInstitute of Standards and Technology's Framework for Improving \nCritical Infrastructure Cybersecurity. This Framework provides \nfirms with a methodology that can be used to review their own \nrisk management activities and could be useful in managing \ntheir supply chain vendors. For this reason, we have been \nworking closely with the financial services sector to promote \nuse of the Framework.\n\nQ.2. 
At the Subcommittee hearing on data security and breach \nheld on February 3, 2014, Members learned that the payment \nnetworks have set an October 2015 timeframe for moving industry \nparticipants to adoption of new, more secure payment \ntechnology. Can you discuss how quickly your regulated entities \nare moving to this technology, and identify some of the \nobstacles that still exist?\n\nA.2. Though Treasury does not have regulatory authority in this \narea, we closely monitor developments in payments technology. \nTreasury has observed that many banks have already begun to \nissue chip cards to better secure payments. In addition, many \nretailers have purchased terminals that are Europay, MasterCard \nand Visa (EMV) compliant. Industry participants have expressed \nthat the primary barrier to adoption of these new standards is \nthe cost of conversion.\n\nQ.3. In July of 2013, I requested that the Government \nAccountability Office (GAO) review the SIFI designation process \nat FSOC for both transparency and clarity, and to examine the \ncriteria used to designate companies as SIFIs. Would you all be \nwilling to support more reliance on measurable metrics in \nFSOC's designation process?\n\nA.3. Under Section 113 of the Dodd-Frank Act, the Financial \nStability Oversight Council (Council) may determine that a \nnonbank financial company shall be subject to Federal Reserve \nsupervision and enhanced prudential standards if the company's \nmaterial financial distress, or the nature, scope, size, scale, \nconcentration, interconnectedness, or mix of activities of the \ncompany, could pose a threat to U.S. financial stability.\n    The Council provided considerable public transparency into \nits process for considering nonbank financial companies for \ndesignation by voluntarily publishing a rule and guidance \noutlining how it would apply the statutory criteria and review \nfirms for potential designation. 
The Council's rule and \nguidance on nonbank designations benefited from multiple rounds \nof public comment, even though the Council was not required to \nconduct a rulemaking process. The Council's public guidance \nestablished clear, quantitative metrics that the Council uses \nto identify firms for evaluation and extensively described the \nfirm-specific analysis that the Council conducts.\n    The Council's guidance also includes sample metrics the \nCouncil may consider in its in-depth analysis of companies for \npotential designation. However, the guidance notes that a \ndesignation decision cannot be reduced to a formula. Due to the \ndiverse types of nonbank financial companies and the unique \nthreats that these nonbank financial companies may pose to U.S. \nfinancial stability, the Council's analysis will depend on the \nparticular circumstances of each nonbank financial company \nunder consideration and the unique nature of the threat it may \npose to U.S. financial stability.\n    The Council appreciates the important oversight role of the \nGAO. We are confident that our process has been consistent with \nthe Council's statutory duties and that the Council has \nprovided the public and affected companies with extensive \nopportunities for input.\n\n  RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MARY J. \n                             MILLER\n\nQ.1. FSOC has been in existence for more than 3 years. Since \nthat time, three companies have been deemed systemically \nsignificant and a second round of companies appear to be under \nconsideration. Despite the numerous calls from Congress, a \nnumber of industry and consumer groups and even the GAO for the \nFSOC to provide greater transparency about the process used for \ndesignation, (including the metrics OFR should measure in their \nanalysis), the criteria followed, as well as the implications \nand process to be followed after a firm has been designated a \nSIFI. 
Can you provide greater details on why more transparency \nhas not been achieved and how the FSOC plans to improve these \nissues?\n\nA.1. The Council has provided tremendous public transparency \ninto its process for considering nonbank financial companies \nfor designation by voluntarily publishing a rule and guidance \noutlining how it would apply the statutory criteria and review \nfirms for potential designation. In addition, the Council has \nreported to Congress and released to the public explanations of \nthe basis for each of the three nonbank designations that it \nhas completed.\n    The Council's rule and guidance on nonbank designations \nbenefited from multiple rounds of public comment, even though \nthe Council was not required to conduct a rulemaking process. \nThe Council's public guidance established clear, quantitative \nmetrics that the Council uses to identify firms for evaluation \nand extensively described the firm-specific analysis that the \nCouncil conducts.\n    Firms under review for potential designation have numerous \nand extensive opportunities to engage directly with the Council \nbefore any designation. First, the Council provides the company \nwith a notice that it is under consideration and an opportunity \nto submit materials to contest the Council's consideration. \nThis goes beyond what is required by the statute. Second, \nbefore any proposed designation, there is extensive interaction \nbetween Council staff and the company, including a number of \nmeetings and information requests. After the Council makes a \nproposed designation, the Council sends the company a written \nexplanation, and the company is entitled to a hearing to \ncontest the proposed designation. 
To date, there has been only \none company that has requested an oral hearing; the Council \ngranted it, and the Council members themselves presided over \nthe hearing and heard directly from the company's \nrepresentatives.\n    In addition, any designated company has a right to seek \njudicial review of the designation. The Council also reviews \nall nonbank designations annually, based on a process set forth \nin the Council's rule that allows any designated company to \nparticipate in the process.\n    Due to the preliminary nature of the Council's evaluation \nof any nonbank financial company prior to a final designation \nand the potential for market participants to misinterpret such \nan announcement, the Council does not publicly announce the \nname of any company that is under review prior to a final \ndesignation of the company.\n\nQ.2. I, along with a number of other Republicans, introduced \nlegislation to fix an unintended consequence on collateralized \ndebt obligations (CDOs). In their January 13th interim final \nrule, regulators crafted a rule that largely mirrored what my \nbill sought to do; provide relief to a majority of community \nbanks. While we appreciate the agencies' efforts on this issue, \none issue that we included in our legislation that the \nregulators did not address was collateralized loan obligations \n(CLOs). The CLO market provides about $300 billion in financing \nto U.S. companies and U.S. banks currently hold between $70 and \n$80 billion of senior notes issued by existing CLOs and foreign \nbanks subject to the Volcker Rule hold about another $60 \nbillion. Because the final rules implementing the Volcker Rule \nimproperly treat these debt securities as ``ownership \ninterests'', the banks holding these notes will either have to \ndivest or restructure these securities. 
Because restructuring \nwell over $130 billion of CLO securities is neither feasible \nnor under the control of the banks holding these notes, \ndivestment is the most likely result. This, in turn, could lead \nto a fire sale scenario that could put incredible downward \npressure on CLO securities prices leading to significant losses \nfor U.S. banks. If prices decline by only 10 percent, U.S. \nbanks would have to recognize losses of almost $8 billion \ndriven not by the underlying securities but solely because of \nthe overreach of the Volcker Rule. Indeed, the final rules are \nalready wreaking havoc on the CLO market. Since the final rules \nwere announced, new CLO formation was down nearly 90 percent in \nJanuary 2014, the lowest issuance in 23 months. If this \nsituation is not remedied and CLO issuance remains moribund, \ncorporate borrowers could face higher credit costs. At the \nhearing of the House Financial Services Committee on January \n15, 2014, a number of both Democrats and Republicans asked \nquestions about how to fix the issue with the CLO market that \nwas not addressed in the interim final rule released on January \n13, 2014. The representatives of the agencies noted that the \nCLO issue was at the top of the list of matters to be \nconsidered by the inter-agency working group that has been \nestablished to review issues such as this and publish guidance. \nThe issue is urgent. Bank CFOs are struggling with how to treat \ntheir CLO debt securities. Can you commit to a tight timeframe \nto issue guidance on CLOs?\n\nA.2. The Federal Reserve Board recently announced that it \nintends to exercise its authority to give banking entities two \nadditional 1-year extensions to conform their ownership \ninterests in, and sponsorship of CLOs covered by, the Volcker \nRule. 
The Federal Reserve Board also noted that the four other \nagencies charged with enforcing the requirements of the Volcker \nRule plan to administer their oversight of banking entities in \naccordance with the Federal Reserve Board's extension of the \nconformance period applicable to CLOs. In April 2014, the \nFederal Reserve Board, in consultation with the other rule-\nwriting agencies, announced that it intends to exercise its \nauthority to give banking entities two additional 1-year \nextensions to bring into conformance with the Volcker Rule \ntheir ownership interests in and sponsorship of CLOs. This \nrelief should reduce pressure on banking entities to sell CLOs \nbefore the deadline for conformance.\n\nQ.3. Can you speak to other reports/studies that the OFR may do \nand if there will be some kind of open/regular process that \nwill be followed for the public to review and comment? In terms \nof the OFR's Study on Asset Management and Financial Stability, \ndo you know how many comments were received and the general \nnature/issues raised in these comments?\n\nA.3. There are no pending requests from the Council to the OFR \nfor reports at this time. However, the OFR Director sets the \nagenda of the OFR and has the discretion to explore matters \nthat might have an impact on the financial stability of the \nUnited States. After the OFR delivered the report to the \nCouncil and posted it on the OFR Web site, the Securities and \nExchange Commission solicited public comment on the OFR report \nand posted the comment letters on its Web site.\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM DANIEL K. \n                            TARULLO\n\nQ.1. When a data breach happens at a merchant level, Federal \nbanking regulators generally do not have jurisdiction to \ninvestigate and take action. 
However, collateral consequences \nof such breaches are that regulated financial institutions are \nimpacted and face reputational and financial setbacks as a \nresult. What are your expectations for the regulated entities \nwhen a breach occurs at a third party? What are some of the \nchallenges financial institutions face as a result of the \nbreach? How can those challenges be addressed while minimizing \nconsequences of, and cost for, affected financial institutions?\n\nA.1. The presence of numerous and varied participants in \npayment processing, such as banks, merchants, and service \nproviders, increases the complexity of securing financial and \ncustomer information throughout the payment process. The \nFederal Reserve guidance sets expectations for financial \ninstitutions to tailor and implement risk assessment and \nmitigation plans for material business lines that include \nprocesses ranging from layered security architectures to \nheightened monitoring of customer account activity. Financial \ninstitutions are expected to maintain robust and flexible \nincident response and management programs, with the goal of \nminimizing the effects, both financial and reputational, of \nmerchant data breaches. When a breach does occur, financial \ninstitutions are expected to assess the risks to the \ninstitution and its customers and to implement plans to \nmitigate those risks. Risk mitigation plans typically include \nenhanced account and systems monitoring and reporting to detect \nunusual activity and to obtain information to mitigate the \neffects of the security incident. Depending on the details of a \nspecific incident, additional actions may include customer \nnotification and card reissuance.\n    When responding to a third-party data breach, participants \nin the payment system face the challenge of devising an \nappropriate response with incomplete information about the \nextent and origin of the particular compromise. 
For example, \ninformation regarding the scope of merchant data breaches, \nincluding the extent and type of compromised data, is generally \nlimited initially, requiring decisions regarding the monitoring \nof customer accounts, notification of customers, and the \nreissuance of cards based upon minimal and evolving \ninformation. Depending upon the characteristics of the specific \nbreach, additional challenges may result from the use of \nexternal providers of technology and other services to support \npayment processing functions.\n    The Federal Reserve guidance on information security and \npayment systems outlines expectations for financial \ninstitutions regarding information security programs and \ncontrols, including ongoing assessments of application and \nbusiness line needs as business activities evolve and the use \nof metrics to assess the effectiveness of controls. Financial \ninstitutions should address the challenges of merchant data \nbreaches by continuously advancing their risk management \ncapabilities to minimize the risk of breaches occurring and to \nmitigate the impact of breaches when they do occur. Financial \ninstitutions should maintain effective information security \nprograms, including controls, systems, and resources to detect \ncustomer data breaches and to mitigate any resulting financial \nand reputational losses. The Federal Reserve's 2013 Guidance on \nManaging Outsourcing Risk, SR 13-19/CR 13-21, directs financial \ninstitutions to appropriately manage risk associated with \nvendors and subcontractors.\n\nQ.2. At the Subcommittee hearing on data security and breach \nheld on February 3, 2014, Members learned that the payment \nnetworks have set an October 2015 timeframe for moving industry \nparticipants to adoption of new, more secure payment \ntechnology. Can you discuss how quickly your regulated entities \nare moving to this technology, and identify some of the \nobstacles that still exist?\n\nA.2. 
Regulated entities are moving forward with Europay, \nMasterCard and Visa (EMV) for payment cards according to their \nown business needs and strategic plans. EMV cards contain \nembedded microprocessors that provide transaction security \nfeatures and other capabilities which cannot be provided with \nmagnetic stripe cards. A card issuer's decision to implement \nEMV is influenced by the timing of merchants' plans to upgrade \ntheir point-of-sale (POS) terminals and systems to read the EMV \nchip, and, similarly, merchants' decisions to upgrade their \nsystems are influenced by the timing of the issuance of EMV-\nenabled cards.\n    One of the largest obstacles to EMV adoption is the cost \nthat card system participants must incur to implement the new \nstandard: merchants must consider the cost of chip-enabled POS \nterminals and related systems; processors must coordinate with \nmerchants to manage the new transaction format and data stream \nfrom EMV terminals; and banks must issue new chip-based credit \nand debit cards to their customers.\n    The recent high-profile breaches have generated renewed \ninterest in EMV adoption. Although breaches remind payment \nsystem participants that magnetic stripe cards are vulnerable \nto fraud, there is a low likelihood that more fraud will \nsignificantly accelerate EMV migration because of the time and \ncost required to build out the necessary infrastructure.\n\nQ.3. In July of 2013, I requested that the Government \nAccountability Office (GAO) review the SIFI designation process \nat FSOC for both transparency and clarity, and to examine the \ncriteria used to designate companies as SIFIs. Would you all be \nwilling to support more reliance on measurable metrics in \nFSOC's designation process?\n\nA.3. I agree that objective, numerical criteria should be a \ncentral part of the systemically important financial \ninstitutions (SIFI) designation process. 
Reliance on such \ncriteria increases the transparency of the process and reduces \nmarket participants' uncertainty regarding the potential for a \nfirm's designation as a nonbank SIFI. Such increased certainty \nimproves the efficient functioning of U.S. financial markets \nand contributes to financial stability.\n    The SIFI designation process assesses the potential harm to \nU.S. financial stability from the material financial distress \nof a firm and whether the nature, scope, size, scale, \nconcentration, interconnectedness, or activity mix of a firm \ncould pose a threat to U.S. financial stability. Many important \nfactors in these assessments, such as a firm's size and \nleverage, can clearly be measured using objective, numerical \ncalculations that can be replicated by firms and market \nparticipants using publicly available data.\n    However, while some factors may be summarized with \nmeasurable metrics, computing these metrics may rely on \nnonpublic information, such as detailed data on assets, \nliabilities and counterparty relationships. Further, other \nfactors, such as the potential harm from forced asset sales, \nmay best be summarized using a range of metrics, some of which \nmay rely on somewhat complex, albeit standard, models such as \nvalue-at-risk measures. Finally, certain factors, such as the \nrelationship of a firm with other significant intermediaries, \nmay require a measure of judgment that cannot yet be fully \ncaptured by any agreed-upon statistic or model.\n\nQ.4. Please explain how and why the agencies failed to foresee \nthe accounting issue with the treatment of the Trust Preferred \nCollateralized Debt Obligations (TruPS CDOs) in the final \nVolcker Rule. Did the proposed rule include requisite language \nseeking public comment on TruPS CDOs, as finalized? If so, \nplease provide that language from the proposed rule. 
If not, \nplease explain why the proposal did not seek that specific \ninformation and whether the agencies believe they satisfied the \nnotice-and-comment requirements under the Administrative \nProcedure Act.\n\nA.4. In November 2011, the Federal Reserve, the Office of the \nComptroller of the Currency (OCC), the Federal Deposit \nInsurance Corporation (FDIC), the Securities and Exchange \nCommission (SEC), and the U.S. Commodity Futures Trading \nCommission (CFTC) (collectively, the Agencies) issued a \nproposed rule that asked \na number of questions seeking public comment regarding the \ntreatment of securitizations. See, e.g., Fed. Reg. 68,846 at \n68,898-90, 68,912, 68,914-15. Among other issues, these \nquestions specifically sought comment on the impact of section \n13 of the Bank Holding Company Act (BHCA) and the proposal, on \nsecuritization vehicles, which includes collateralized debt \nobligations (CDOs) and Trust Preferred Collateralized Debt \nObligations (TruPS CDOs). The proposal also included questions \nseeking comment about including securitizations within the \ndefinition of covered fund, as well as regarding the legal, \naccounting and tax treatment of interests in securitizations \nand how debt interests should be treated. In total, the \nproposal asked approximately 15 questions specifically about \nthese issues related to securitizations. Notwithstanding these \nquestions, no comments were received on securitizations backed \nby trust preferred securities under the proposed rule.\n    To address the costs associated with the requirement in the \nstatute and rule requiring divestiture of nonconforming \ninvestments in covered funds, the Federal Reserve gave an \nextended conformance period until July 21, 2015. 
The accounting \nrules, which are outside of the purview of the Agencies, \nbrought forward accounting losses for certain investments \nnotwithstanding the Federal Reserve's extension of time to \nconform the investment.\n    After approval of the final rule implementing section 13 on \nDecember 10, 2013, a number of community banking organizations \nand trade groups expressed concern that the final rule \nconflicts with section 171 of the Dodd-Frank Wall Street Reform \nand Consumer Protection Act (the Collins Amendment). Section \n171 (b)(4)(C) specifically permits any community banking \norganization to continue to rely for regulatory capital \npurposes on any debt or equity instruments issued before May \n19, 2010. This exemption includes trust preferred securities, \nwhich are assets held by a number of issuers of CDOs. To \naddress these concerns, on January 14, 2014, the Agencies \napproved an interim final rule to permit banking entities to \nretain interests in certain collateralized debt obligations \nbacked primarily by trust preferred securities and other \ninstruments identified in section 171(b)(4)(C). Although the \nAgencies believe the interim final rule addresses the concerns \nexpressed related to TruPS CDOs, the interim final rule invited \ncomment for a period of 30 days after its publication in the \nFederal Register. The Agencies will carefully consider all \ncomments that relate to the interim final rule.\n\nQ.5. What specific efforts are the regulators considering to \naddress the issue with the Collateralized Loan Obligations \n(CLOs) in the final Volcker rule? In Governor Tarullo's \ntestimony before the House Financial Services Committee, he \nstated that the CLO issue is ``already at the top of the list'' \nfor regulators to consider and fix. How many financial \ninstitutions are impacted by the final rule's treatment of \nCLOs?\n\nA.5. 
In keeping with the statute, the final rule excludes from \nthe definition of covered fund all securitizations backed \nentirely by loans, including CLOs backed entirely by loans. \nData reported by insured depository institutions, bank holding \ncompanies and certain savings and loan holding companies in the \nCall Report and Y9-C forms indicate that only about 50 domestic \nbanking organizations held CLOs, including both conforming and \nnonconforming, as of December 31, 2013. The data also indicate \nthat aggregate CLO holdings of these banking entities reflect \nan overall unrealized net gain, and unrealized losses reported \nby individual banking entities are not significant relative to \ntheir tier 1 capital or income. Additionally, new issuances of \nCLOs in late 2013 and early 2014 appear to be conforming to the \nfinal rule, and some CLOs issued before December 31, 2013, are \nconforming their investments to the provisions of section 13. \nBased on discussions with industry representatives and a review \nof data provided by market participants, it appears that the \ncurrent volume of new CLO issuances is higher as compared to \nCLOs issued prior to the adoption of the final rule, with U.S. \nCLO issuances during the 3-month stretch from March through May \n2014 increasing to an all-time high of approximately $35.3 \nbillion.\n    On April 7, 2014, the Federal Reserve issued a statement \nthat it intends to grant two additional 1-year extensions of \nthe conformance period under section 13 of the BHC Act that \nwould allow banking entities additional time to conform to the \nstatute ownership interests in and sponsorship of CLOs in place \nas of December 31, 2013, that do not qualify for the exclusion \nin the final rule for loan securitizations.\\1\\ This would \npermit banking entities to retain until July 21, 2017 ownership \ninterests in and sponsorship of CLOs that are not backed \nentirely by loans that were held as of December 31, 2013. 
All \nof the agencies charged with implementing section 13 of the BHC \nAct support the Federal Reserve's statement.\\2\\\n---------------------------------------------------------------------------\n    \\1\\ See Board Statement Regarding the Treatment of Collateralized \nLoan Obligations Under Section 13 of the Bank Holding Company Act (Apr. \n7, 2014).\n    \\2\\ See Letter to Chairman Hensarling re: CLOs (Apr. 7, 2014).\n---------------------------------------------------------------------------\n\nQ.6. Since the final Volcker rule was issued in December, the \naffected entities have recognized two issues with the final \nrule (TruPS CDOs and CLOs). What other issues with the final \nVolcker rule are your agencies aware of that may be raised by \naffected entities? How do you intend to coordinate efforts on \nclarifying such issues in the future?\n\nA.6. It is not unexpected that rules implementing a complex \nstatute that require changes in existing activities would raise \nquestions during the implementation process. In part to \nfacilitate resolution of these types of issues, the Federal \nReserve exercised authority provided under section 13 to extend \nuntil July 21, 2015, the period for banking entities to conform \ntheir activities and investments to the statute and \nimplementing rules. The Federal Reserve will work with the \nother implementing agencies to address questions regarding \nimplementation as they arise.\n\nQ.7. How do you plan to coordinate with other agencies \nregarding enforcement matters and the final Volcker rule, given \nthat your agencies have varied jurisdictions?\n\nA.7. Authority for issuing regulations and implementing the \nVolcker rule is by statute allocated between five Federal \nregulators. As a general matter, the OCC is charged with \nsupervising and enforcing the final rule for national banks and \nFederal branches of foreign banks, the FDIC for State nonmember \nbanks, the SEC for U.S. 
broker-dealers and securities-based \nswap dealers, and the CFTC for futures commission merchants and \nswaps dealers. The Federal Reserve's primary responsibilities \nare for depository institution holding companies, State member \nbanks, certain unregulated and foreign subsidiaries of \ndepository institution holding companies, and State-chartered \nbranches of foreign banks.\n    Staff of the Federal Reserve will continue to engage with \nstaff of the other Agencies, and the Agencies will work \ntogether, to the extent appropriate and practicable, to help \nensure consistency in application of the final rule to banking \nentities covered by the rule. In pursuit of our goals for a \nconsistent application of the rule across Agencies and across \nbanking entities, staffs of the implementing Agencies meet \nregularly to address implementation issues as they arise.\n\nQ.8. Governor Tarullo, you head the Committee on Supervisory \nand Regulatory Cooperation at the Financial Stability Board \n(FSB). There is concern that the FSB will implement bank-\ncentric capital standards on insurance companies that are \ninconsistent with U.S. risk-based capital standards. What are \nyou doing to ensure that bank-centric standards are not set for \ninsurance companies, and for other nonbank noninsurance \nfinancial institutions more generally?\n\nA.8. One of the lessons learned from the recent financial \ncrisis was the need for appropriate consolidated supervision of \nsystemically important financial firms to ensure that the risks \nof the overall firms, including those present in both regulated \nand unregulated financial entities, are appropriately \ncapitalized, measured, and supervised. The primary focus of the \nFSB is financial stability. 
It works with international \nsectoral standard setting bodies such as the Basel Committee on \nBanking Supervision (BCBS) and the International Association of \nInsurance Supervisors (IAIS) to help ensure that regulators are \nidentifying and addressing risks within those sectors with \npotential financial stability impact. The decisionmaking and \nresponsibility for the development of appropriate supervisory \nand regulatory measures rests with the BCBS and the IAIS.\n    The International Association of Insurance Supervisors \n(IAIS), an organization comprised of over 130 authorities with \nresponsibilities for insurance supervision from around the \nworld, including the National Association of Insurance \nCommissioners (NAIC), State insurance regulators, Federal \nReserve Board, and Federal Insurance Office, is in the process \nof developing international capital standards for global \nsystemically important insurers and internationally active \ninsurance groups. The IAIS periodically provides updates on the \nIAIS capital projects to the FSB.\n    The capital standards being developed by the IAIS would be \ndesigned to measure capital adequacy for relevant firms' \nfinancial activities, including their insurance business, as \nwell as other regulated and unregulated financial operations. \nThis IAIS project, staffed by international supervisors with \ninsurance expertise, has, as a goal, the establishment of \noverall international capital standards that would be \nappropriate for the risks facing financial companies with \nsubstantial insurance underwriting activities. Once the \nstandards are adopted by the IAIS, U.S. regulators, including \nthe Federal Reserve and State insurance regulators, would \nconsider if and how to implement in the United States the \nstandards for the companies that they regulate, consistent with \napplicable law. 
Any standards the Federal Reserve would seek to \nimplement would be proposed to the public with opportunity for \npublic comment.\n    Separately, the Board is considering the appropriate \ncapital framework for savings and loan holding companies \n(SLHCs) and FSOC designated nonbank financial companies \nsupervised by the Board that are substantially engaged in \ninsurance underwriting activities, consistent with section 171 \nof the Dodd-Frank Act. Insurance companies that are SLHCs or \nthat are FSOC designated nonbank financial companies have \ndifferent business models and risks than bank holding companies \nthat are not substantially engaged in insurance activities. \nHowever, section 171 of the Dodd-Frank Act requires that the \nBoard establish minimum risk-based and leverage capital \nrequirements on a consolidated basis for bank holding companies \nand savings and loan holding companies, and for nonbank \nfinancial companies that it supervises. Section 171 \nspecifically provides that these minimum requirements be not \nless than the ``generally applicable'' minimum risk-based and \nleverage capital requirements that apply to insured depository \ninstitutions (regardless of their asset size or foreign \nexposure). In addition, these minimum requirements cannot be \nquantitatively lower than the ``generally applicable'' minimum \nrisk-based and leverage capital requirements that applied to \ninsured depository institutions when the Dodd-Frank Act was \nadopted in 2010. Section 171 therefore limits the scope of the \nBoard's discretion in establishing minimum capital requirements \nfor these companies.\n    Under State law, capital requirements for insurance \ncompanies apply on a legal entity basis, and there are no \nState-based, consolidated capital requirements that cover \nsubsidiaries and noninsurance affiliates of insurance \ncompanies. In addition, even among regulated insurance \ncompanies (primary insurers, captive insurers, etc.) 
there is a \ndegree of variation in the applicable capital and supervisory \nstandards.\n    The final rule regarding enhanced prudential standards that \nthe Board adopted on February 18, 2014, does not include \nrequirements for nonbank financial companies, including \ninsurance companies, designated by the Financial Stability \nOversight Council for Board supervision. Instead, the Board \nwill apply enhanced prudential standards to designated nonbank \nfinancial companies through a subsequently issued order or rule \nfollowing an evaluation of the business model, capital \nstructure, and risk profile of each designated nonbank \nfinancial company, consistent with the requirements of section \n171 of the Dodd-Frank Act, as discussed above. The Board plans \nto implement requirements for designated nonbank financial \ncompanies through a transparent process with an opportunity for \nnotice and comment.\n    The Board continues to carefully consider how to design \ncapital rules for Board-regulated companies that are insurance \ncompanies, that have subsidiaries engaged in insurance \nunderwriting, or that are substantially engaged in commercial \nactivities, consistent with section 171 of the Dodd-Frank Act.\n\nQ.9. On January 10, 2014, the Federal Reserve and the FDIC made \navailable the public portions of resolution plans for 116 \ninstitutions that submitted plans for the first time in \nDecember 2013, the latest group to file resolution plans with \nthe agencies. These living wills are based on a premise that \nwhen a financial firm is near the brink, there will be a \nmarketplace where buyers for assets and operations are \navailable, but that may not be the case as was evident with \nLehman's 2008 collapse when no one wanted to touch what was \nperceived as Lehman's ``toxic assets.'' What specifically gives \nyou confidence that these living wills will work in the first \nplace and that there will be willing buyers for the troubled \nfirm's assets?\n\nA.9. 
The resolution plan regulation jointly issued by the \nFederal Reserve and the FDIC provides that in preparing its \ninitial resolution plan, a company may assume that its material \nfinancial distress or failure occurs under the baseline \neconomic scenario outlined in the Federal Reserve's stress \ntesting rule, 12 CFR Part 252.\\3\\ The baseline economic \nscenario describes a functioning market where there would \nlikely be available buyers for assets and operations. However, \nthe joint regulation also provides that the next iteration of \nthese plans will also have to take into account that the \nmaterial financial distress or failure of the company may occur \nunder the adverse and severely adverse economic scenarios \noutlined in the Federal Reserve's stress testing rule.\\4\\ In \npreparing future iterations of their plans, currently due in \nDecember 2014, the institutions that filed their initial plans \nin December 2013, will therefore have to take into account that \ntheir material financial distress or failure may occur under \nthe adverse and severely adverse economic scenarios, which \nreflect conditions where buyers for the companies' assets and \noperations are less likely to be available.\n---------------------------------------------------------------------------\n    \\3\\ 12 CFR parts 243.4(a)(4) and 381.4(a)(4). The stress scenarios \napplicable to the December 2013 resolution plan submissions of the 116 \ninstitutions were issued on November 15, 2012.\nhttp://www.federalreserve.gov/newsevents/press/bcreg/bcreg20121115a1.pdf.\n    \\4\\ Id.\n---------------------------------------------------------------------------\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM DANIEL \n                           K. TARULLO\n\nQ.1. Are you comfortable with the extent to which the consumer \npayments industry currently sets its own data security \nstandards? 
Currently, most standards are set by contract--with \nthe card companies playing a significant role--and an industry \nbody known as PCI determines most of the details and certifies \ncompliance examiners. Should Federal regulators be playing a \ngreater role?\n\nA.1. The Payment Card Industry (PCI) Security Standards Council \nreleased version 3 of the Data Security Standard in November \n2013. PCI's philosophy has been to drive new compliance \nrequirements as the risk landscape changes. Version 3 includes \ntwo new key requirements related to data flows and device \ninventory, which incrementally enhance the control environment \nand protect consumers from fraud. The industry relies on the \nPCI Security Standards Council to balance cost and \neffectiveness, which it does by assessing threats and \nidentifying controls that most effectively address evolving \npayment card risks. The Federal Reserve and other financial \nregulators have relied on the expertise of the PCI Security \nStandards Council in setting technical data security standards. \nThe regulators' approach has been to identify broad, outcome-\nbased security objectives that supervised entities are expected \nto meet through a mix of technical and nontechnical approaches.\n    Regarding the role of Federal regulators, the complexity of \nthe regulatory environment mirrors the complexity of the \npayment processing landscape, with regulators focused within \ntheir statutory domains. However, we are aware of the \nconsiderable need for, and benefits of, coordination and \ncollaboration across domains in order to effectively mitigate \nboth firm and systemic risks. 
The Federal Reserve continues to \nmonitor payment system risk and collaborate with the private \nsector and public-private partnerships such as the Financial \nand Banking Information Infrastructure Committee (FBIIC), \nFinancial Services Sector Coordinating Council (FSSCC), and \nFinancial Services Information Sharing and Analysis Center (FS-\nISAC).\n\nQ.2.a. When a financial data breach occurs with a merchant (as \nseems to be the case with the current wave of data breaches) or \nother source outside of a financial institution, financial \ninstitutions still very clearly feel the effects. Credit and \ndebit card issuers, for example, must notify affected customers \nand issue new cards, and will likely end up bearing some \nportion of the financial losses that occur from fraudulent \ntransactions using stolen card information. In the chain of a \nretail payment transaction, security is only as strong as its \nweakest link.\n    In addition to the examinations the Fed conducts regarding \nregulated institutions' own data security, can you describe the \nFed's oversight with respect to the security of consumer data \nacross the entire chain of consumer payment transactions?\n\nA.2.a. Federal Reserve oversight of consumer payment \ntransactions is limited to our role as a supervisor of \nfinancial institutions. Federal Reserve staff examine the data \nsecurity programs of supervised banks for compliance with the \ninformation security standards required by section 501(b) of \nthe Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) and the identity \ntheft red flags rule required by section 615(e) of the Fair \nCredit Reporting Act (15 U.S.C. 1681m(e)), as well as with \nFederal Reserve information security and payment systems \nguidance. The Federal Reserve's supervisory process includes an \nassessment of the adequacy of financial institution data \nsecurity programs in supporting the security and reliability of \ncustomer data. 
Financial institutions are required to address \ndeficiencies in a timely manner to mitigate risks to both the \ninstitution and its customers.\n\nQ.2.b. Should Federal regulators be taking a greater interest \nin the data security standards applicable to other entities \nthat possess consumer financial data, beyond just regulated \nfinancial institutions? Are legislative changes necessary or \nare there legislative changes that would help?\n\nA.2.b. Protecting the safe and sound operation of the Nation's \nfinancial systems is a key priority for the Federal Reserve. To \naccomplish this, the Federal Reserve works with other \nregulators to promote the implementation of effective \ninformation security programs and protocols by supervised \ninstitutions. However, sensitive consumer data are frequently \ncollected and stored by nonregulated firms, and these firms may \nnot be held to the same level of information security \nexpectations as financial institutions. As cyber threats become \nincreasingly sophisticated, effective security and fraud-\nmitigation measures must evolve to include all players in the \npayment system, including financial institutions, nonfinancial \nfirms, and consumers. The security of the payment system is \nonly as strong as its weakest link and it is the weakest link \nthat criminals will exploit. Given the broad reach of these \nthreats, the Congress would appear to be the appropriate body \nto address these matters holistically. For example, a national \nstandard that sets forth requirements for protecting sensitive \nconsumer data and tracking and reporting incidents may help to \nprotect consumers and financial systems more broadly. Payment \nsystem participants should be encouraged to cooperate with each \nother in preventing, detecting, and mitigating cyber-attacks. 
\nIn addition, the Congress may consider investigating ways to \nleverage the technical capabilities of law enforcement and \nnational security agencies with respect to cyber threats and \nattacks, and to encourage continued coordination across \nGovernment agencies to ensure the safety and security of the \nfinancial system. Federal Reserve staff would be available to \nparticipate in discussions regarding these matters.\n\nQ.3. In our economy today, companies are collecting and storing \ngrowing amounts of consumer information, often without \nconsumers' knowledge or consent. The financial industry is no \nexception. We have heard reports of lenders, for example, \nmining online data sources to help inform underwriting \ndecisions on consumer loans. As companies aggregate more data, \nhowever, the consequences of a breach or improper use become \ngreater.\n    The Target breach illustrates the risks consumers face--not \njust of fraud, but also identity theft and other hardships. \nCompromised information included both payment card data and \npersonal information such as names, email addresses, and phone \nnumbers. But what if the next breach also involves account \npayment histories or Social Security numbers?\n    As the ways companies use consumer information changes, and \nthe amount of consumer data they hold grows, how is the Fed's \napproach evolving? Are there steps regulators are taking--or \nthat Congress should take--to require stronger protections \nagainst breaches and improper use, and to mitigate harm to \nconsumers?\n\nA.3. On an ongoing basis, the Federal Reserve evaluates the \nneed for additional guidance to financial institutions, jointly \nwith other banking regulators, to promote effective information \nsecurity programs and practices in an environment characterized \nby rapid technological change. 
The Federal Reserve participates \nin the Federal Financial Institutions Examination Council's \n(FFIEC) efforts to develop and update guidance on a range of \ninformation technology topics, including information technology \nmanagement, security, and payments. In December 2013, the \nFederal Reserve issued Guidance on Managing Outsourcing Risk, \nSR 13-19/CA 13-21, to address risks related to banks' increasing \nreliance on third-party service providers. In this guidance, \nthe Federal Reserve acknowledges that third-party outsourcing \nrepresents a heightened level of risk and complexity and banks \nmust protect against loss of customer data and exploits of \nnetworks that may expose financial institutions to data \nbreaches. The Federal Reserve is monitoring financial \ninstitution performance relative to the expectations in the \nnewly released outsourcing risk guidance to ensure that third-\nparty contract oversight includes: 1) an appropriate level of \ndue diligence based on complexity and criticality; 2) business \nresumption and contingency plans; 3) an assessment of the \nthird-party information security programs; and, 4) incident \nreporting, management, and response programs.\n    Given the increasingly broad threats to consumer \ninformation, privacy, and security, the Congress may be the \nappropriate body to address this matter. Potential actions that \nCongress could consider are discussed above in our response to \nquestion 2b.\n\nQ.4.a. A lot of the discussion in the aftermath of the recent \ndata breaches has focused on credit and debit card ``smart'' \nchip technology, since the U.S. seems to have fallen behind \nother parts of the world such as Western Europe in adopting it. 
\nBut while card chips help to reduce fraud for transactions \nwhere a card is physically present, and make it harder for \nthieves to print fake cards using stolen information, they do \nlittle to reduce fraud for online, ``card-not-present'' \ntransactions.\n    Are you comfortable with the steps industry is taking to \nimprove security and reduce fraud for ``card-not-present'' \ntransactions?\n\nA.4.a. The complex and evolving nature of technology and \nbusiness processes ensures that threat and fraud environments \nare dynamic and that payment system participants must continue \nto evolve and enhance security processes over time. Tools, \ntechnologies, and procedures employed in the industry to reduce \ncard-not-present (CNP) fraud at this point in time include:\n\n  <bullet> Address verification requires the customer to \n        provide the cardholder's address on record with the \n        card issuer.\n\n  <bullet> Card security verification requires the customer to \n        provide a 3- or 4-digit CVV2 code printed on the card. \n        Requiring this number at checkout helps to ensure that \n        the customer is in possession of the physical card \n        since the number is generally not encoded on a magnetic \n        stripe or chip.\n\n  <bullet> Geolocation services provide information about a \n        device's location during transaction processing based \n        on an IP address (on a computer) or GPS signal (on a \n        mobile device). The device's location can be compared \n        to the customer's billing or shipping address.\n\n  <bullet> Neural network technologies use customer and past \n        transaction data to assess the likelihood that a given \n        transaction is fraudulent.\n\n  <bullet> PCI standards place controls on the storage and \n        handling of cardholder information. 
\n\n    In addition to the measures listed above, the industry is \ndeveloping several promising technologies to address new \nthreats. For example, tokenization solutions could replace a \ncard's primary account number with a proxy number that is valid \nfor a single transaction. End-to-end encryption technologies \nthat transmit encoded card data across the payment chain are \nalso under development. The use of tokenization and end-to-end \nencryption are potential tools to combat threats, such as data \nbreaches.\n\n    The payment card industry is a complex market, and \nimplementing a new security technology may require investments \nand process changes by merchants, financial institutions, card \nnetworks, payment processors, as well as behavioral changes by \nconsumers. These stakeholders often face different incentives \nwhen deciding to implement a new technology. Given the \nconstantly changing threat environment, the complexity of the \nmarket, and the varying incentives among stakeholders, the \nFederal Reserve supports a layered, technology-neutral, \nguidance-based approach to CNP security. Stakeholders should \nimplement several layers of technologies and procedures to \nmitigate threats. And, as the fraud environment changes, \nstakeholders should revise their approaches to CNP fraud and \nimplement updated, cost-effective measures to address the \nlatest threats. The Federal Reserve will continue to work with \nthe institutions under its supervision, as well as with other \nregulators, to encourage payment system participants to improve \nmeasures to detect and prevent fraud.\n\nQ.4.b. Banks and other industry participants need to be \nproactive here, rather than waiting for a major breach to \nhappen before making protective investments. 
Do you feel that \nregulated institutions are paying sufficient attention to all \nareas of data security risk, and are making the necessary \ninvestments to protect consumers rather than treating fraud as \nsimply a cost of doing business?\n\nA.4.b. An effective payment system involves many participants, \nnot just depository institutions, and all industry participants \nshould take proactive measures to protect consumer data. The \nincreasing sophistication of cyber threats makes it difficult \nto ensure that current investments provide adequate protection \nagainst new threats. Payment system participants need to employ \nmultiple layers of security as well as nontechnology-based \npolicies and procedures (such as notifying customers of \npotentially fraudulent transactions) that complement \ntechnology-based solutions. Participants need to assess the \nrobustness of their information security infrastructures, \npolicies, and practices on an ongoing basis in light of the \nevolving threat environment and to make enhancements as \nappropriate.\n    The Federal Reserve expects supervised institutions to \ncontinually monitor their security systems in the face of \nevolving threats and to upgrade those systems when necessary. \nTo this end, the Federal Reserve and other bank regulatory \nagencies have issued several interagency guidance documents \nthat pertain to data breach prevention and incident response. \nThe Interagency Guidelines Establishing Information Security \nStandards (12 CFR part 208, App. D-2 (2013)) summarizes the \nstandards that financial institutions are expected to use in \nestablishing a comprehensive, risk-based program to protect \ncustomer information. 
The Interagency Supplement to \nAuthentication in an Internet Banking Environment (June 28, \n2011; SR 11-09) sets out expectations about minimum security \ncontrols required to prevent loss of customer information by \ndata breach, reflecting banks' increased reliance on internet-\nbased technology and the simultaneous increase in attacker \nsophistication. The Interagency Guidance on Response Programs \nfor Unauthorized Access to Customer Information and Customer \nNotice (12 CFR part 208, App. D-2 (2013)) describes the \nincident response program that a financial institution should \nestablish to address unauthorized access to or misuse of \ncustomer information. Supervised institutions are expected to \nreview and assess their procedures and technologies on an \nongoing basis and to make appropriate changes and investments \nto ensure an adequate and effective level of data protection.\n    Based on the results of Federal Reserve examination \nactivities, in general, regulated financial institutions have \nplaced a high priority on securing information, including \ncorporate, customer, and counterparty data. Investments \nnecessary to maintain technology, systems, and staff resources \nto support effective information security programs are being \nmade. However, where necessary, the Federal Reserve leverages \nits supervisory processes to promote the correction of \ndeficiencies identified at specific institutions.\n                                ------                                \n\n\n  RESPONSE TO WRITTEN QUESTION OF SENATOR KIRK FROM DANIEL K. \n                            TARULLO\n\nQ.1. FSOC has been in existence for more than 3 years. Since \nthat time, three companies have been deemed systemically \nsignificant and a second round of companies appear to be under \nconsideration. 
Despite the numerous calls from Congress, a \nnumber of industry and consumer groups and even the GAO for the \nFSOC to provide greater transparency about the process used for \ndesignation, (including the metrics OFR should measure in their \nanalysis), the criteria followed, as well as the implications \nand process to be followed after a firm has been designated a \nSIFI. Can you provide greater details on why more transparency \nhas not been achieved and how the FSOC plans to improve these \nissues?\n\nA.1. The Financial Stability Oversight Committee (FSOC)--\nchaired by the Secretary of the Treasury and composed of 10 \nvoting members--is charged by Congress with designating \nsystemically important financial institutions. The FSOC has \nestablished a robust process, after seeking public notice and \ncomment on an initial and revised proposal, for exercising its \ndesignation authority. The process contains three stages during \nwhich the FSOC screens companies for review and conducts an in-\ndepth analysis of companies that pass the screen.\n    In developing this process, the FSOC sought to maximize \ntransparency with respect to the Determination Process by \nproviding a detailed description of (i) the profile of those \nnonbank financial companies likely to be evaluated by the FSOC \nfor a potential determination, and (ii) the metrics that the \nFSOC intends to use when analyzing companies at various stages \nof the Determination Process. There are numerous opportunities \nduring this process for a nonbank financial company to \ncommunicate with the FSOC and its staff and submit information \nregarding the company's activities and its potential to pose a \nthreat to U.S. financial stability.\n    The FSOC applies quantitative metrics to a broad group of \nnonbank financial companies in determining whether a firm \nshould be considered for designation. 
A nonbank financial \ncompany will be evaluated in Stage 2 if it meets both a size \nthreshold ($50 billion in total consolidated assets) and any \none of five thresholds that measure a company's \ninterconnectedness, leverage, and liquidity risk and maturity \nmismatch. During Stage 2, a nonbank financial company is \nanalyzed based on a wide range of quantitative and qualitative \ninformation available to the FSOC primarily through public and \nregulatory sources.\n    A nonbank financial company that is advanced to Stage 3 \nreceives a notice that the company is under consideration for a \nProposed Determination, which also may include a request that \nthe nonbank financial company provide information relevant to \nthe FSOC's evaluation. In addition, the nonbank financial \ncompany is provided an opportunity to submit written materials \nto the FSOC. Following a Proposed Determination, a nonbank \nfinancial company is provided a written notice of the Proposed \nDetermination, which includes an explanation of the basis of \nthe Proposed Determination. A nonbank financial company that is \nsubject to a Proposed Determination may request a written or \noral hearing to contest the Proposed Determination. If the FSOC \ndetermines to subject a company to supervision by the Board of \nGovernors and prudential standards, the FSOC will provide the \nnonbank financial company with written notice of the FSOC's \nfinal determination, including an explanation of the basis for \nthe FSOC's decision.\n    In 2013, the FSOC determined that material financial \ndistress at each of three nonbank financial companies--American \nInternational Group, Inc., General Electric Capital \nCorporation, and Prudential Financial, Inc.--could pose a \nthreat to U.S. financial stability and that those companies \nshould be subject to Federal Reserve Board supervision and \nenhanced prudential standards. The FSOC released the bases of \nits determinations on its Web site. 
The FSOC evaluated these \nfirms using the three-stage process.\n    The Federal Reserve Board recognizes the critical \nimportance of transparency and will continue to pursue ways to \npromote further transparency that are consistent with the \nFSOC's central mission to monitor emerging threats to the \nfinancial system.\n\nQ.2. I, along with a number of other Republicans, introduced \nlegislation to fix an unintended consequence on collateralized \ndebt obligations (CDOs). In their January 13th interim final \nrule, regulators crafted a rule that largely mirrored what my \nbill sought to do; provide relief to a majority of community \nbanks. While we appreciate the agencies' efforts on this issue, \none issue that we included in our legislation that the \nregulators did not address was collateralized loan obligations \n(CLOs). The CLO market provides about $300 billion in financing \nto U.S. companies and U.S. banks currently hold between $70 and \n$80 billion of senior notes issued by existing CLOs and foreign \nbanks subject to the Volcker Rule hold about another $60 \nbillion. Because the final rules implementing the Volcker Rule \nimproperly treat these debt securities as ``ownership \ninterests'', the banks holding these notes will either have to \ndivest or restructure these securities. Because restructuring \nwell over $130 billion of CLO securities is neither feasible \nnor under the control of the banks holding these notes, \ndivestment is the most likely result. This, in turn, could lead \nto a fire sale scenario that could put incredible downward \npressure on CLO securities prices leading to significant losses \nfor U.S. banks. If prices decline by only 10 percent, U.S. \nbanks would have to recognize losses of almost $8 billion \ndriven not by the underlying securities but solely because of \nthe overreach of the Volcker Rule. Indeed, the final rules are \nalready wreaking havoc on the CLO market. 
Since the final rules \nwere announced, new CLO formation was down nearly 90 percent in \nJanuary 2014, the lowest issuance in 23 months. If this \nsituation is not remedied and CLO issuance remains moribund, \ncorporate borrowers could face higher credit costs. At the \nhearing of the House Financial Services Committee on January \n15, 2014, a number of both Democrats and Republicans asked \nquestions about how to fix the issue with the CLO market that \nwas not addressed in the interim final rule released on January \n13, 2014. The representatives of the agencies noted that the \nCLO issue was at the top of the list of matters to be \nconsidered by the inter-agency working group that has been \nestablished to review issues such as this and publish guidance. \nThe issue is urgent. Bank CFOs are struggling with how to treat \ntheir CLO debt securities. Can you commit to a tight timeframe \nto issue guidance on CLOs?\n\nA.2. In keeping with the statute, the final rule excludes from \nthe definition of covered fund all securitizations backed \nentirely by loans, including CLOs backed entirely by loans.\n    Data reported by insured depository institutions, bank \nholding companies and certain savings and loan holding \ncompanies in the Call Report and Y9-C forms indicate that only \nabout 50 banking organizations owned an interest in a CLO that \nwas backed by assets that include assets that are not loans, \nand thus are covered by the statute and implementing rules. The \ndata also indicate that, as of December 31, 2013, aggregate CLO \nholdings of these banking entities reflect an overall \nunrealized net gain, and unrealized losses reported by \nindividual banking entities are not significant relative to \ntheir tier 1 capital or income. Based on discussions with \nindustry representatives and a review of data provided by \nmarket participants, it appears that new issuances of CLOs in \nlate 2013 and early 2014 are conforming to the final rule. 
\nMoreover, the current volume of new CLO issuances is higher as \ncompared to CLOs issued prior to the adoption of the \nimplementing rules, with monthly U.S. CLO activity increasing \nto a post-crisis high of $13.3 billion in April 2014, the third \nhighest monthly total on record.\n    On April 7, 2014, the Federal Reserve issued a statement \nthat it intends to grant two additional 1-year extensions of \nthe conformance period under section 13 of the Bank Holding \nCompany Act that would allow banking entities additional time \nto conform to the statute ownership interests in and \nsponsorship of CLOs in place as of December 31, 2013, that do \nnot qualify for the exclusion in the final rule for loan \nsecuritizations. This would permit banking entities to retain \nownership interests in and sponsorship of CLOs held as of that \ndate until July 21, 2017. All of the agencies charged with \nimplementing section 13 support the Federal Reserve's \nstatement.\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM MARTIN J. \n                           GRUENBERG\n\nQ.1. When a data breach happens at a merchant level, Federal \nbanking regulators generally do not have jurisdiction to \ninvestigate and take action. However, collateral consequences \nof such breaches are that regulated financial institutions are \nimpacted and face reputational and financial setbacks as a \nresult. What are your expectations for the regulated entities \nwhen a breach occurs at a third party? What are some of the \nchallenges financial institutions face as a result of the \nbreach? How can those challenges be addressed while minimizing \nconsequences of, and cost for, affected financial institutions?\n\nA.1. Responsibility for security of financial institutions' \ncustomer information held at third parties is addressed through \ncontractual terms between the two parties. 
The Federal banking \nagencies developed the Interagency Guidelines Establishing \nInformation Security Standards (12 C.F.R. 364, Appendix B et \nal.) in response to the Gramm-Leach-Bliley Act, Section 501(b). \nThese standards direct all insured financial institutions to \nrequire service providers, by contract, to implement \nappropriate measures to protect against unauthorized access to \nor use of customer information that could result in substantial \nharm or inconvenience to any customer.\n    Each financial institution is expected to manage financial \nand reputational risk related to the products they offer and \nensure that adequate controls are in place to mitigate that \nrisk. Risk management responsibilities related to potential \npayment card data breaches are addressed through contractual \nterms and policies among the issuing banks, acquiring banks \n(banks that sponsor merchants' access to the payment card \nnetworks), and card networks (Visa and MasterCard). The \ncontractual terms and policies describe the responsibility of \nthe parties to implement controls, loss liability of the \nparties, and loss recovery processes. Issuing banks and \nacquiring banks receive fees for their participation in this \npartnership, in part, to offset risks. The extent to which fees \nand loss recovery models adequately cover card re-issuing costs \nor costs for protecting data at the merchant also is a \ncontractual arrangement.\n    The card networks have established notification processes \nto alert the issuing banks of suspected compromised accounts. 
\nIssuing banks are responsible for limiting the potential for \nfraud on any accounts suspected of being compromised once the \nissuing bank is notified.\n    Conversely, the acquiring banks' merchants may be fined by \nthe card network due to misconduct (such as poor security) to \nsupport recovery of fraud losses, in addition to direct \nresponsibility for fraud due to card-not-present (online) \ntransactions, or card-present transactions that are not \nauthorized by the issuer. The acquiring bank remains at risk \nfor the merchant's fines and losses to the extent the merchant \nis unable to meet its responsibilities. The FDIC's role is to \nensure the safety and soundness of the issuing banks and \nacquiring banks, including the ensuring of adequate reserves \nagainst losses, appropriate security controls, and protection \nof customer accounts against unauthorized charges or \nwithdrawals.\n    A significant challenge that financial institutions face as \na result of data breaches is notification to potentially \naffected customers and the potential for customers to become \ndesensitized by the notices. Given the frequency that data \nbreaches occur and the goal to notify potentially affected \ncustomers as soon as possible, customers may discard the \nnotices and fail to follow the instructions provided to protect \ntheir credit rating. Financial institutions can address this \nchallenge by providing notices that are written in plain \nlanguage with clear and direct instructions.\n\nQ.2. At the Subcommittee hearing on data security and breach \nheld on February 3, 2014, Members learned that the payment \nnetworks have set an October 2015 timeframe for moving industry \nparticipants to adoption of new, more secure payment \ntechnology. Can you discuss how quickly your regulated entities \nare moving to this technology, and identify some of the \nobstacles that still exist?\n\nA.2. 
The FDIC does not mandate specific technologies for data \nsecurity as technology and threats evolve very rapidly. \nHowever, the FDIC expects financial institutions to establish \nan information security program that will adjust to any \nrelevant changes in technology, the sensitivity of its customer \ninformation, and internal or external threats to information. \nThe FDIC welcomes the industry initiative to strengthen card \nsecurity technology through the implementation of the Europay, \nMasterCard, and Visa (EMV) global standard for card \nauthentication. However, while the new EMV standard improves \nthe card-present aspect of fraud prevention, it does not make \nit more difficult to steal the card data from merchant \ndatabases, nor does it address online fraud or fraud at \nmerchants still accepting credit cards with customer data \nstored in the magnetic stripes (commonly referred to as ``mag-\nstripe'') for purchases.\n    As part of the examination process, the FDIC does not \nidentify which financial institutions will offer the new EMV \nenhanced cards. However, to encourage EMV chip card issuance \nand acceptance, the card brands/networks (Visa, MasterCard, \nDiscover, and AMEX) have announced that beginning in October \n2015, entities, including financial institutions and merchants, \nthat do not use the new EMV standard will face increased \nliability for fraud. We agree with their assumption that the \npotential for increased fraud liability will encourage adoption \nof the technology.\n\nQ.3. In July of 2013, I requested that the Government \nAccountability Office (GAO) review the SIFI designation process \nat FSOC for both transparency and clarity, and to examine the \ncriteria used to designate companies as SIFIs. Would you all be \nwilling to support more reliance on measurable metrics in \nFSOC's designation process?\n\nA.3. 
The current FSOC framework for the designation of nonbank \nSIFIs addresses the specific statutory considerations set forth \nin Section 113 of the Dodd-Frank Wall Street Reform and \nConsumer Protection Act (Dodd-Frank Act). It combines \nmeasurable, quantitative thresholds and metrics with \nqualitative analysis to address the nature of the unique \nthreats that FSOC seeks to mitigate. Nonbank financial \ncompanies engage in a wide variety of complex activities and \npossess material differences in operating and financial \ncharacteristics. For example, these firms may be holding \ncompanies or operating companies, and they may have differing \nbusiness models, risk profiles, funding sources, capital \nstructures, and interconnections that may make evaluating the \nsystemic risk they pose to the U.S. financial system more \ndifficult using solely quantitative metrics.\n    In April 2012, after notice and public comment, the FSOC \nissued interpretative guidance setting forth both quantitative \nthresholds and qualitative information that the FSOC had \ndetermined to be relevant in the designation process in order \nto provide transparency and clarity to companies, market \nparticipants, and the public. The FSOC's interpretative \nguidance addresses, among other things, the uniform \nquantitative thresholds that the FSOC uses to identify nonbank \nfinancial companies for further evaluation and the six-category \nframework used to consider whether a nonbank financial company \nmeets either of the statutory standards for a determination, \nincluding examples of quantitative metrics for assessing each \ncategory. 
In addition, the interpretative guidance includes a \nthree-stage process for the review of a nonbank financial \ncompany, which incorporates quantitative thresholds in the \nfirst stage and more qualitative company-specific analyses in \nthe second and third stages.\n    Generally, as reporting requirements evolve and new \ninformation about certain industries and nonbank financial \ncompanies becomes available, the FSOC will be better able to \nconsider whether to establish additional metrics and \nthresholds.\n\nQ.4. Please explain how and why the agencies failed to foresee \nthe accounting issue with the treatment of the Trust Preferred \nCollateralized Debt Obligations (TruPS CDOs) in the final \nVolcker Rule. Did the proposed rule include requisite language \nseeking public comment on TruPS CDOs, as finalized? If so, \nplease provide that language from the proposed rule. If not, \nplease explain why the proposal did not seek that specific \ninformation and whether the agencies believe they satisfied the \nnotice-and-comment requirements under the Administrative \nProcedure Act.\n\nA.4. It is fair to say that everyone missed the immediacy of \nthe accounting issues associated with CDOs backed by bank-\nissued trust preferred securities. As part of developing the \nfinal rule, the agencies clearly missed the immediacy; however, \nthe industry and other commenters missed the immediacy of this \nissue as well. For example, throughout the rather extended \nnotice and comment period, none of the over 18,000 comment \nletters raised this issue.\n    An important take-away from this episode is how the \nagencies responded when the issue was identified. The agencies \nworked closely together and, with input from the industry, \ndeveloped an effective and timely response to the majority of \nthe bankers' concerns. 
Importantly, the agencies were able to \ndo so in a manner that reconciled the broader policy objectives \nof the Dodd-Frank Act without jeopardizing the robustness of \nthe implementation of the Volcker Rule.\n    As part of the notice-and-comment process, the agencies \nsought robust public comment on the proposed Volcker Rule. \nIncluded in the notice of proposed rulemaking were several \nquestions seeking comments on any concerns or challenges to \nissuers of asset-backed securities and/or securitization \nvehicles. For example, Question 227 asked whether certain asset \nclasses, including collateralized debt obligations, are more \nlikely to be impacted by the proposed definition of ``covered \nfund.'' Question 229 asked if there are entities that issue \nasset-backed securities that should be exempted from the \nrequirements of the proposed rule. Question 231 stated that \nmany issuers of asset-backed securities have features and \nstructures that resemble some of the features of hedge funds \nand private equity funds, including CDOs, and asked if the \nproposed definition of ``covered fund'' were to exempt any \nentity issuing asset-backed securities, would this allow for \ninterests in hedge funds or private equity funds to be \nstructured as asset-backed securities and circumvent the \nproposed rule. Commenters did not raise concerns about TruPS \nCDOs in their responses to the proposed rule.\n\nQ.5. What specific efforts are the regulators considering to \naddress the issue with the Collateralized Loan Obligations \n(CLOs) in the final Volcker rule? In Governor Tarullo's \ntestimony before the House Financial Services Committee, he \nstated that the CLO issue is ``already at the top of the list'' \nfor regulators to consider and fix. How many financial \ninstitutions are impacted by the final rule's treatment of \nCLOs?\n\nA.5. The agencies are carefully considering all requests that \nhave been received related to CLOs. 
These requests have ranged \nfrom the very narrow--requesting a grandfathering of a well-\ndefined, limited number of CLOs issued before publication of \nthe Volcker Rule--to the very broad--requesting a change to the \ndefinition of ownership interest that would potentially allow \nbanks to expand their holdings of other types of securitization \npositions, such as synthetic CDOs and structured investment \nvehicles (SIVs), which caused significant financial losses \nduring the crisis.\n    The agencies' staffs jointly have met with representatives \nof the Loan Syndication Trade Association, the American Bankers \nAssociation, the Structured Finance Industry Group, the \nFinancial Services Roundtable, and the Securities Industry and \nFinancial Markets Association. Based on these discussions with \nthe industry representatives, a review of data provided by \nmarket participants, and discussions among the staffs of the \nagencies, the agencies found:\n\n  <bullet> Banking entities that hold legacy CLOs are \n        undertaking a review of their particular holdings to \n        evaluate where they fit within the treatment of covered \n        funds under the agencies' implementing regulations. \n        Industry representatives have advised the staffs of the \n        agencies that there is a great amount of variation from \n        deal to deal in the restrictions applicable to \n        investments permitted for CLOs and the rights granted \n        to CLO investors. 
In addition, staffs of the agencies \n        understand from the industry that many legacy CLOs may \n        not satisfy the exclusion from the definition of \n        covered fund for loan securitizations because they may \n        hold a certain amount of nonconforming assets (such as \n        bonds or other securities).\n\n  <bullet> New CLO issuances have been comparable in volume to \n        the CLOs issued prior to the adoption of the \n        implementing rules and sponsors have revised their new \n        CLO deals to conform to the Volcker Rule's exception \n        for loan securitizations. In particular, market \n        participants have represented that new issuances of \n        CLOs in late 2013 and early 2014 after issuance of the \n        final rule are conforming to the final rule.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ According to S&P, the majority of CLOs issued since the final \nrule have been structured as loan-only securitizations. Year to date, \nCLO issuance stands at approximately $21 billion, according to Thomson \nReuters PLC.\n\n  <bullet> Data contained in the Call Report and Y-9C forms \n        for asset-backed securities or structured financial \n        products secured by corporate and similar loans \n        indicate that U.S. banking entities hold between \n        approximately $84 billion and $105 billion in CLO \n        investments.\\2\\ Of this amount, between approximately \n        94 and 96 percent are held by banking entities with \n        total assets of $50 billion or more. Holdings of CLOs \n        by domestic banking entities represent between \n        approximately 28 to 35 percent of the $300 billion \n        market for U.S. CLOs, with these holdings skewed toward \n        the senior tranches.\\3\\ These aggregate holdings \n        reflect an unrealized net gain. 
Unrealized losses \n        reported by individual banking entities are not \n        significant relative to their tier 1 capital or income. \n        Up to 52 domestic insured depository institutions (all \n        charters) reported holdings of CLOs in their held-to-\n        maturity, AFS and trading portfolios.\\4\\\n---------------------------------------------------------------------------\n    \\2\\ This information is based on data compiled as of December 31, \n2013, by the Federal banking agencies, which undertook a review and \nanalysis of CLO holdings of banking entities that are subject to filing \nCall Report or Y-9C data, including insured depository institutions, \nbank holding companies and certain savings and loan holdings companies.\n    \\3\\ OCC supervised institutions hold the majority (95 percent) of \nthis CLO exposure. These positions are concentrated in the largest \ninstitutions and are held mainly in the AFS portfolio.\n    \\4\\ Based on Call Report data as of December 31, 2013.\n\n    To address the concerns regarding CLOs, the Federal Reserve \nBoard issued a statement that it intends to grant two \nadditional 1-year extensions of the conformance period under \nthe Volcker Rule that allow banking entities additional time to \nconform to the statute ownership interests in and sponsorship \nof CLOs in place as of December 31, 2013, that do not qualify \nfor the exclusion in the final rule for loan \nsecuritizations.\\5\\ The FDIC supports the statement issued by \nthe Federal Reserve Board.\n---------------------------------------------------------------------------\n    \\5\\ See Board Statement regarding the Treatment of Collateralized \nLoan Obligations Under Section 13 of the Bank Holding Company Act \n(April 3, 2014).\n\nQ.6. Since the final Volcker rule was issued in December, the \naffected entities have recognized two issues with the final \nrule (TruPS CDOs and CLOs). 
What other issues with the final \nVolcker rule are your agencies aware of that may be raised by \naffected entities? How do you intend to coordinate efforts on \nclarifying such issues in the future?\n\nA.6. In the agencies' release for community banks that \naccompanied the Final Rule, the agencies noted that a few \ncommunity banks held TruPS CDOs and CLOs that would be affected \nby the rule.\\6\\ The TruPS CDO issue was the most pressing \nbecause the TruPS CDOs had lost so much value that the \nimmediate accounting impact was substantial. The agencies \nworked together on the TruPS CDO issue and approved the January \n14, 2014, Interim Final Rule to address bank investments in \ncertain TruPS CDOs. With respect to the CLO issues raised by \nindustry, the agencies conducted extensive analysis and met \nwith a number of banking and financial services industry \ngroups, as described in more detail in the answer to question \n5. As a result of this process, the Federal Reserve recently \nissued a statement which announced its intent to offer two 1-\nyear extensions to the Final Rule conformance period for \ncertain CLOs. 
The agencies believe that the extension should \naddress the compliance issues for many of the legacy CLOs that \ndo not meet the loan securitization exemption, allowing many of \nthem to mature or be called by investors, and should provide \nmore time for CLO managers to evaluate and possibly change the \ncomposition of the underlying assets to bring the CLOs into \nconformance.\n---------------------------------------------------------------------------\n    \\6\\ http://fdic.gov/regulations/reform/volcker/summary.pdf.\n---------------------------------------------------------------------------\n    The agencies are committed to continued coordination \nefforts to clarify any additional issues or concerns that may \nbe raised with respect to the implementation of the Volcker \nRule. To better effectuate coordination and help ensure a \nconsistent application of the Final Rule, the agencies have \nestablished an interagency Volcker Rule implementation working \ngroup consisting of senior-level managers and subject matter \nexperts. This working group has been meeting weekly to discuss \ncoordination matters as well as issues such as those related to \ntechnical interpretations and specific activities, like those \nraised on TruPS CDOs and CLOs.\n\nQ.7. How do you plan to coordinate with other agencies \nregarding enforcement matters and the final Volcker rule, given \nthat your agencies have varied jurisdictions?\n\nA.7. Each agency is ultimately responsible for its own \nenforcement of the Volcker Rule; however, as noted previously, \nthe agencies are committed to continued coordination efforts to \nhelp ensure a consistent application of the rule. As noted \nabove, the agencies have established a Volcker Rule \nimplementation working group to facilitate interagency \ncoordination on a wide variety of issues.\n\nQ.8. 
On January 10, 2014, the Federal Reserve and the FDIC made \navailable the public portions of resolution plans for 116 \ninstitutions that submitted plans for the first time in \nDecember 2013, the latest group to file resolution plans with \nthe agencies. These living wills are based on a premise that \nwhen a financial firm is near the brink, there will be a \nmarketplace where buyers for assets and operations are \navailable, but that may not be the case as was evident with \nLehman's 2008 collapse when no one wanted to touch what was \nperceived as Lehman's ``toxic assets.'' What specifically gives \nyou confidence that these living wills will work in the first \nplace and that there will be willing buyers for the troubled \nfirm's assets?\n\nA.8. The 116 plans represent the latest set of institutions to \nfile their initial plans. The FDIC and the Federal Reserve \ncurrently are in the process of reviewing these resolution \nplans (or ``living wills''), as we have done for the plans \nfiled earlier in 2013 and in 2012. Under the standards provided \nin section 165(d) of the Dodd-Frank Act, certain firms, known \nas ``covered companies,'' are required to submit plans for \ntheir rapid and orderly resolution under the Bankruptcy Code in \nthe event of their material financial distress or failure. The \nresolution plan rule jointly promulgated by the FDIC and the \nFederal Reserve, which implements the statutory requirement of \nsection 165(d), directs covered companies to include, among \nother items, a discussion of key assumptions and supporting \nanalysis underlying the covered company's resolution plan and \nthe processes the company employs to assess the feasibility of \nany sales, restructurings, or divestures contemplated in the \nresolution plan. 
Therefore, to the extent that a firm presents \na resolution plan in which certain assets of a troubled firm \nwill be sold as a key part of its resolution strategy, the firm \nwould need to provide supporting analysis. In addition, the \nresolution plans may present options for resolution other than \nasset sales that are consistent with bankruptcy (such as \nrestructurings, for example). If the FDIC and the Federal \nReserve jointly determine that a resolution plan would not \nfacilitate an orderly resolution of the covered company under \nthe Bankruptcy Code, the FDIC and the Federal Reserve will \nnotify the filer of the aspects of the plan that were jointly \ndetermined to be deficient. The filer must re-submit within 90 \ndays (or other specified timeframe) a revised plan that \naddresses the deficiencies.\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM MARTIN \n                          J. GRUENBERG\n\nQ.1. Are you comfortable with the extent to which the consumer \npayments industry currently sets its own data security \nstandards? Currently, most standards are set by contract--with \nthe card companies playing a significant role--and an industry \nbody known as PCI determines most of the details and certifies \ncompliance examiners. Should Federal regulators be playing a \ngreater role?\n\nA.1. The FDIC recognizes the importance of effective self-\nregulatory standards such as PCI data security standards that \nset expectations between regulated card companies and \nbusinesses that handle payment card data, including retailers, \npayment processors, and others. While such self-regulatory \nmodels are an important part of data security, the Federal \nbanking agencies also established data security standards for \nfinancial institutions and those companies that do business \nwith financial institutions including payment processors. 
These \nregulatory standards require financial institutions to develop \nand implement effective risk assessment and mitigation \nprocesses to protect customer information. These regulatory \nstandards also require financial institutions to ensure that \nany third-party they do business with is also required \ncontractually to comply with the same security rules for \nprotecting customer information. Further, banking rules such as \nthe Federal Reserve's Regulation E and Regulation Z are \ndesigned to protect consumers from payment card fraud, \nregardless of where a data breach occurs. The setting of \nstandards for other aspects of the consumer payments industry \nis outside the Federal financial regulatory structure. Whether \nadditional involvement by the Federal banking agencies should \nbe authorized when those standards impact supervised \ninstitutions is a fair question for Congress to consider.\n\nQ.2.a. When a financial data breach occurs with a merchant (as \nseems to be the case with the current wave of data breaches) or \nother source outside of a financial institution, financial \ninstitutions still very clearly feel the effects. Credit and \ndebit card issuers, for example, must notify affected customers \nand issue new cards, and will likely end up bearing some \nportion of the financial losses that occur from fraudulent \ntransactions using stolen card information. In the chain of a \nretail payment transaction, security is only as strong as its \nweakest link.\n    In addition to the examinations the FDIC conducts regarding \nregulated institutions' own data security, can you describe the \nFDIC's oversight with respect to the security of consumer data \nacross the entire chain of consumer payment transactions?\n\nA.2.a. The FDIC's authority does not span the entire payment \nnetwork. 
However, the Federal banking agencies examine a number \nof nonbank payment processing companies that provide direct \nservices to our regulated financial institutions as authorized \nby the Bank Service Company Act (12 U.S.C. 1867). Examination \nof these service providers attempts to identify potential \nsystemic risks to the banking system and potential downstream \nrisks to client banks.\n    When financial institutions partner with an outside party, \nthey are exposed to additional risks, including reputation and \nfinancial risk if their customers' data is compromised. Given \nthese risks, the FDIC seeks to ensure that the financial risk \nfrom third-party data breaches does not undermine the safety \nand soundness of the financial institutions.\n\nQ.2.b. Should Federal regulators be taking a greater interest \nin the data security standards applicable to other entities \nthat possess consumer financial data, beyond just regulated \nfinancial institutions? Are legislative changes necessary or \nare there legislative changes that would help?\n\nA.2.b. Regulatory standards for protecting customer information \n(12 C.F.R. 364, Appendix B) address financial institution \nresponsibilities for data security. Our oversight, through \nonsite examination programs and enforcement authority for \ncompliance failures, is designed to ensure data security \nstandards for customer information are effectively implemented. \nSimilarly, the Federal Trade Commission (FTC) can enforce \nstandards for protection of customer information (16 C.F.R. \n314) by all other financial institutions that are not insured \ndepository institutions.\n    While financial institutions are subject to both industry \nstandards and regulatory standards, others, such as merchants, \nare not subject to any national regulatory requirements to \nprotect consumer data. 
If Congress chooses to review the Gramm-\nLeach-Bliley Act, or any other law, to determine whether \ncustomer protections should be expanded to nonfinancial \ninstitutions, the FDIC stands ready to assist. Further, the \nFDIC would recommend a review of the Bank Service Company Act \nto determine whether additional enforcement authority is \nnecessary for the Federal banking agencies with respect to \nnonbank financial institutions that provide direct services to \nbanks.\n\nQ.3. In our economy today, companies are collecting and storing \ngrowing amounts of consumer information, often without \nconsumers' knowledge or consent. The financial industry is no \nexception. We have heard reports of lenders, for example, \nmining online data sources to help inform underwriting \ndecisions on consumer loans. As companies aggregate more data, \nhowever, the consequences of a breach or improper use become \ngreater.\n    The Target breach illustrates the risks consumers face--not \njust of fraud, but also identity theft and other hardships. \nCompromised information included both payment card data and \npersonal information such as names, email addresses, and phone \nnumbers. But what if the next breach also involves account \npayment histories or Social Security numbers? As the ways \ncompanies use consumer information change, and the amount of \nconsumer data they hold grows, how is the FDIC's approach \nevolving? Are there steps regulators are taking--or that \nCongress should take--to require stronger protections against \nbreaches and improper use, and to mitigate harm to consumers?\n\nA.3. Many nonbank companies aggregate consumer data, including \ncredit reporting bureaus, tax preparers, health care providers, \ninsurers, universities, and Government agencies. The FDIC \nconcurs that protection of consumer data is critical across all \nentities. 
The FDIC is charged with ensuring that banks protect \nconsumer data as authorized by the Gramm-Leach-Bliley Act \n(GLBA), Section 501(b). In response to GLBA, the FDIC and the \nother Federal bank regulatory agencies developed the \nInteragency Guidelines Establishing Information Security \nStandards (12 C.F.R. 364, Appendix B) to protect customer \ninformation. With respect to protecting customer information, \nGLBA limits the FDIC's scope of enforcement authority to \ninsured depository institutions. As discussed above, Congress \nmight wish to review the Bank Service Company Act to determine \nif the Act adequately addresses third-party risk with respect \nto companies that provide direct services to banks.\n\nQ.4.a. A lot of the discussion in the aftermath of the recent \ndata breaches has focused on credit and debit card ``smart'' \nchip technology, since the United States seems to have fallen \nbehind other parts of the world such as Western Europe in \nadopting it. But while card chips help to reduce fraud for \ntransactions where a card is physically present, and make it \nharder for thieves to print fake cards using stolen \ninformation, they do little to reduce fraud for online, ``card-\nnot-present'' transactions.\n    Are you comfortable with the steps industry is taking to \nimprove security and reduce fraud for ``card-not-present'' \ntransactions?\n\nA.4.a. As you indicate, card-not-present transactions may pose \na higher risk to the merchant and the issuing bank. Absent \nadequate transaction authorization, the merchant may hold a \ngreater degree of liability should fraud occur. Issuing banks \nthat authorize transactions without sufficient fraud monitoring \ntools, or fail to respond to suspected compromised account \nnotices from the card networks, could take on greater \nliability. However, the industry continues to struggle to \nprovide effective security for ``card-not-present'' \ntransactions. 
More needs to be done to ensure that there are \nprotections in place to ensure proper authorization for these \nkinds of transactions, and to ensure that customer data remains \nprotected. As online commerce continues to grow, so does this \nrisk. With the upcoming implementation of the Europay, \nMasterCard and Visa (EMV) standard, there could potentially be \na shift in fraud toward card-not-present transactions. To \ncounter that potential, the industry should consider adopting \nnew standards and technology. Examples include tokenization and \nend-to-end encryption as potential solutions.\n\nQ.4.b. Banks and other industry participants need to be \nproactive here, rather than waiting for a major breach to \nhappen before making protective investments. Do you feel that \nregulated institutions are paying sufficient attention to all \nareas of data security risk, and are making the necessary \ninvestments to protect consumers rather than treating fraud as \nsimply a cost of doing business?\n\nA.4.b. As a general matter, the FDIC believes that the banks it \nsupervises are complying with data security requirements and \nmaking necessary investments to protect customers from fraud. \nThe FDIC assesses a financial institution's efforts to protect \nitself from financial risks such as fraud losses through risk \nmitigation processes, such as credit risk management and \nestablishing credit risk reserves. Further, the Interagency \nGuidelines Establishing Information Security Standards require \nfinancial institutions to implement an information security \nprogram that assesses risks to customer information, regardless \nof the potential for fraud losses. Such a program must assess \nrisks to the confidentiality, integrity, and availability of \ncustomer information. 
The FDIC assesses the effectiveness of \nthis program in banks we supervise as part of the FDIC's onsite \nexamination process.\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MARTIN J. \n                           GRUENBERG\n\nQ.1. FSOC has been in existence for more than 3 years. Since \nthat time, three companies have been deemed systemically \nsignificant and a second round of companies appear to be under \nconsideration. Despite the numerous calls from Congress, a \nnumber of industry and consumer groups and even the GAO for the \nFSOC to provide greater transparency about the process used for \ndesignation, (including the metrics OFR should measure in their \nanalysis), the criteria followed, as well as the implications \nand process to be followed after a firm has been designated a \nSIFI. Can you provide greater details on why more transparency \nhas not been achieved and how the FSOC plans to improve these \nissues?\n\nA.1. The FSOC has worked to ensure that the designation of \nfirms follows processes that provide transparency and certainty \nto companies, market participants, and members of the public \nand incorporates the specific statutory considerations of \nSection 113 of the Dodd-Frank Act governing designation of \nnonbank companies. At the same time, the FSOC is mindful of \nnonbank financial companies' concerns that sensitive firm-\nspecific nonpublic information be protected from disclosure. To \nprovide transparency and clarity regarding its designation \nprocess, the FSOC issued, after notice and public comment, a \nfinal rule and interpretative guidance in April 2012. The \npublic comment process helped to ensure that key issues were \nfully considered and transparent to the public.\n    The interpretative guidance details the FSOC's analytical \nframework for designation of nonbank financial companies and \nincludes quantitative metrics. 
The analysis performed on each \nindividual company considered for designation requires analysis \nof nonpublic information, which may be provided by the \ncompany's regulators and by the company itself in response to \nrequests from the FSOC. The company is provided with the basis \nfor the FSOC's proposed determination and may request a hearing \nto contest the determination. In addition, the FSOC has adopted \npolicies to ensure that the processes are as transparent as \npracticable to the public. After a final designation, a \ndocument explaining the basis for its determination to \ndesignate a company and minutes of the designation votes are \nposted to the FSOC's public Web site.\n    Following a firm's designation as a SIFI, the implications \nand process to be followed are set out in the Dodd-Frank Act. \nThe Federal Reserve, as primary Federal regulator, develops the \nprudential standards that will be applicable to nonbank \ndesignated firms, under section 165 of the Dodd-Frank Act, for \nits ongoing supervision of these firms. In addition, the FDIC \nand the Federal Reserve Board meet with the newly designated \nfirms to provide guidance for the preparation of their \nresolution plans under Title I of the Dodd-Frank Act.\n    The FDIC, as a member of the FSOC, is committed to the \nissue of transparency and takes these concerns as well as \nsuggestions for improvement very seriously. As reporting \nrequirements evolve and new information about certain \nindustries and nonbank financial companies becomes available, \nthe FSOC will be better able to consider whether changes to \nassure transparency of the designation process are needed.\n\nQ.2. I, along with a number of other Republicans, introduced \nlegislation to fix an unintended consequence on collateralized \ndebt obligations (CDOs). 
In their January 13th interim final \nrule, regulators crafted a rule that largely mirrored what my \nbill sought to do; provide relief to a majority of community \nbanks. While we appreciate the agencies' efforts on this issue, \none issue that we included in our legislation that the \nregulators did not address was collateralized loan obligations \n(CLOs). The CLO market provides about $300 billion in financing \nto U.S. companies and U.S. banks currently hold between $70 and \n$80 billion of senior notes issued by existing CLOs and foreign \nbanks subject to the Volcker Rule hold about another $60 \nbillion. Because the final rules implementing the Volcker Rule \nimproperly treat these debt securities as ``ownership \ninterests'', the banks holding these notes will either have to \ndivest or restructure these securities. Because restructuring \nwell over $130 billion of CLO securities is neither feasible \nnor under the control of the banks holding these notes, \ndivestment is the most likely result. This, in turn, could lead \nto a fire sale scenario that could put incredible downward \npressure on CLO securities prices leading to significant losses \nfor U.S. banks. If prices decline by only 10 percent, U.S. \nbanks would have to recognize losses of almost $8 billion \ndriven not by the underlying securities but solely because of \nthe overreach of the Volcker Rule. Indeed, the final rules are \nalready wreaking havoc on the CLO market. Since the final rules \nwere announced, new CLO formation was down nearly 90 percent in \nJanuary 2014, the lowest issuance in 23 months. If this \nsituation is not remedied and CLO issuance remains moribund, \ncorporate borrowers could face higher credit costs. 
At the \nhearing of the House Financial Services Committee on January \n15, 2014, a number of both Democrats and Republicans asked \nquestions about how to fix the issue with the CLO market that \nwas not addressed in the interim final rule released on January \n13, 2014. The representatives of the agencies noted that the \nCLO issue was at the top of the list of matters to be \nconsidered by the inter-agency working group that has been \nestablished to review issues such as this and publish guidance. \nThe issue is urgent. Bank CFOs are struggling with how to treat \ntheir CLO debt securities. Can you commit to a tight timeframe \nto issue guidance on CLOs?\n\nA.2. The agencies have taken the industry concerns regarding \nthe treatment of CLOs under the Volcker Rule very seriously \nand, since the issue was first raised, have devoted \nconsiderable effort and staff resources to examining the \nindustry concerns. For example, the agencies' staffs jointly \nhave met with representatives of the Loan Syndication Trade \nAssociation, the American Bankers Association, the Structured \nFinance Industry Group, the Financial Services Roundtable and \nthe Securities Industry and Financial Markets Association. \nBased on these discussions with the industry representatives, a \nreview of data provided by market participants and discussions \namong the staffs of the agencies, we have found:\n\n  <bullet> Banking entities that hold legacy CLOs are \n        undertaking a review of their particular holdings to \n        evaluate where they fit within the treatment of covered \n        funds under the agencies' implementing regulations. \n        Industry representatives have advised the staffs of the \n        agencies that there is a great amount of variation from \n        deal to deal in the restrictions applicable to \n        investments permitted for CLOs and the rights granted \n        to CLO investors. 
In addition, staffs of the agencies \n        understand from the industry that many legacy CLOs may \n        not satisfy the exclusion from the definition of \n        covered fund for loan securitizations because they may \n        hold a certain amount of nonconforming assets (such as \n        bonds or other securities).\n\n  <bullet> New CLO issuances have been comparable in volume to \n        the CLOs issued prior to the adoption of the \n        implementing rules and sponsors have revised their new \n        CLO deals to conform to the Volcker Rule's exception \n        for loan securitizations. In particular, market \n        participants have represented that new issuances of \n        CLOs in late 2013 and early 2014 after issuance of the \n        final rule are conforming to the final rule.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ According to S&P, the majority of CLOs issued since the final \nrule have been structured as loan-only securitizations. First quarter \n2014 CLO issuance stands at approximately $21 billion, according to \nThomson Reuters PLC.\n\n  <bullet> Data contained in the Call Report and Y-9C forms \n        for asset-backed securities or structured financial \n        products secured by corporate and similar loans \n        indicate that U.S. banking entities hold between \n        approximately $84 billion and $105 billion in CLO \n        investments.\\2\\ Of this amount, between approximately \n        94 and 96 percent are held by banking entities with \n        total assets of $50 billion or more. Holdings of CLOs \n        by domestic banking entities represent between \n        approximately 28 to 35 percent of the $300 billion \n        market for U.S. CLOs, with these holdings skewed toward \n        the senior tranches.\\3\\ These aggregate holdings \n        reflect an unrealized net gain. 
Unrealized losses \n        reported by individual banking entities are not \n        significant relative to their tier 1 capital or income. \n        Up to 52 domestic insured depository institutions (all \n        charters) reported holdings of CLOs in their held-to-\n        maturity, AFS and trading portfolios.\\4\\\n---------------------------------------------------------------------------\n    \\2\\ This information is based on data compiled as of December 31, \n2013, by the Federal banking agencies, which undertook a review and \nanalysis of CLO holdings of banking entities that are subject to filing \nCall Report or Y-9C data, including insured depository institutions, \nbank holding companies and certain savings and loan holdings companies.\n    \\3\\ OCC supervised institutions hold the majority (95 percent) of \nthis CLO exposure. These positions are concentrated in the largest \ninstitutions and are held mainly in the AFS portfolio.\n    \\4\\ Based on Call Report data as of December 31, 2013.\n\n    To address the concerns regarding CLOs, the Federal Reserve \nBoard issued a statement that it intends to grant two \nadditional 1-year extensions of the conformance period under \nsection 619 that allow banking entities additional time to \nconform to the statute ownership interests in and sponsorship \nof CLOs in place as of December 31, 2013, that do not qualify \nfor the exclusion in the final rule for loan \nsecuritizations.\\5\\ The FDIC supports the statement issued by \nthe Federal Reserve Board.\n---------------------------------------------------------------------------\n    \\5\\ See Board Statement regarding the Treatment of Collateralized \nLoan Obligations Under Section 13 of the Bank Holding Company Act \n(April 3, 2014).\n\nQ.3. On a related point, we have heard that some are of the \nview that the guidance being sought by industry in connection \nwith CLO debt securities is too broad. 
Isn't it the case that \nall the agencies have to do is issue extremely narrow guidance \nthat states that a CLO debt security that has the right to \nreplace a manager for cause, without any other indicia of \nownership, will not be treated as an ``ownership interest'' \nunder the Volcker Rule? Even if we were to concede (which we do \nnot) that it would be difficult for the agencies to grant the \nrequested relief, couldn't the agencies address the issue of \nlegacy CLO securities by simply agreeing (as they did in the \ncontext of CDOs of TruPS) to grandfather all existing CLO debt \nsecurities for CLOs issued prior to the publication of the \nfinal rules in the Federal Register? Wouldn't this very narrow \nrelief fix the problem for banks that purchased CLO debt \nsecurities in good faith prior to the issuance of the final \nrule but are now facing potentially material losses?\n\nA.3. As noted above in the answer to question 2, the agencies \nhave carefully considered the banking industry's concerns \nregarding bank CLO investments and their treatment under the \nVolcker Rule. After extensive interagency review of these \nissues, the Federal Reserve issued its statement announcing it \nwould extend the conformance period for two additional years \nfor certain CLOs. The agencies believe that the extension \nshould address the compliance issues for many of the legacy \nCLOs that do not meet the loan securitization exemption, \nallowing many of them to mature or be called by investors, and \nshould provide more time for CLO managers to evaluate and \npossibly change the composition of the underlying assets to \nbring the CLOs into conformance.\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM THOMAS J. \n                             CURRY\n\nQ.1. 
When a data breach happens at a merchant level, Federal \nbanking regulators generally do not have jurisdiction to \ninvestigate and take action. However, collateral consequences \nof such breaches are that regulated financial institutions are \nimpacted and face reputational and financial setbacks as a \nresult. What are your expectations for the regulated entities \nwhen a breach occurs at a third party? What are some of the \nchallenges financial institutions face as a result of the \nbreach? How can those challenges be addressed while minimizing \nconsequences of, and cost for, affected financial institutions?\n\nA.1. Banks and Federal savings associations (referenced here as \n``banks'') are required to be on the alert for identity theft \ninvolving their customers' information, no matter how and where \nthe identity thief acquired the information, even if the \ninformation was acquired from a third party that has no \nrelationship with the bank. Following the enactment of the Fair \nand Accurate Credit Transactions Act (FACT Act), the Federal \nbanking agencies together with the Federal Trade Commission \nissued regulations in 2008 titled ``Identity Theft Red Flags \nand Address Discrepancies.'' The final rules require each \nfinancial institution and creditor to develop and implement a \nwritten identity theft prevention program that includes \npolicies and procedures for detecting, preventing, and \nmitigating identity theft in connection with new and existing \naccounts. The program must cover any consumer account, or any \nother account that the financial institution or creditor offers \nor maintains for which there is a reasonably foreseeable risk \nto consumers or to the safety and soundness of the financial \ninstitution or creditor from identity theft. 
In addition, it \nmust include policies and procedures to identify relevant red \nflags signaling possible identity theft, detect the red flags \nincorporated into the program, respond appropriately to the red \nflags that are detected, and ensure the program is updated \nperiodically to reflect changes in risks to customers and to \nthe institution from identity theft.\n    The agencies also issued guidelines to assist financial \ninstitutions to develop and implement an identity theft \nprevention program. These guidelines state that when a bank \ndetects identity theft red flags, it is expected to respond \nappropriately by taking steps that include monitoring accounts, \ncontacting the customer, changing passwords, closing and \nreopening the account, and notifying law enforcement, as \nappropriate.\n    The guidelines also include a supplement that identifies 26 \npatterns, practices, and specific forms of activity that are \n``identity theft red flags.'' These include alerts, \nnotifications, or other warnings received from consumer \nreporting agencies or service providers, the presentation of \nsuspicious documents or suspicious personal identifying \ninformation, the unusual use of, or other suspicious activity \nrelated to, a covered account, or notice from customers, \nvictims of identity theft, or law enforcement authorities.\n    Recent events, such as the information security breaches at \nTarget and Neiman Marcus, highlight the sophisticated nature of \nevolving cyber threats, as well as the interdependencies that \nexist in today's payment systems. They underscore the \nchallenges and costs that banks can face when their customers' \ndata is breached through technologies controlled and overseen \nby a third party such as point-of-sale card readers at a \nmerchant. 
Banks have borne the expense of replacing cards, \nproviding credit-monitoring services, responding to high \nvolumes of customer inquiries, monitoring for fraudulent \ntransactions, and reimbursing customers for fraud losses.\n    Because of the interdependencies within retail payment \nsystems, solutions to these issues will require cooperation \namong multiple entities and oversight bodies. The OCC supports \nrecent efforts by the industry to work with the different \nstakeholders within the retail payment systems to develop \napproaches to minimize the risks and address challenges faced \nby banks. This includes efforts to develop new technologies and \ntools that will enhance the overall security of the retail \npayment systems.\n\nQ.2. At the Subcommittee hearing on data security and breach \nheld on February 3, 2014, Members learned that the payment \nnetworks have set an October 2015 timeframe for moving industry \nparticipants to adoption of new, more secure payment \ntechnology. Can you discuss how quickly your regulated entities \nare moving to this technology, and identify some of the \nobstacles that still exist?\n\nA.2. The payment technology discussed in the February 3 hearing \nis known as EMV, also called ``chip and pin'' and ``chip and \nsignature.'' While some banks and credit unions already issue \nchip cards, implementing a fully functioning EMV system is \ncomplex and will require a coordinated approach across retail \npayment systems, and among financial institutions, merchants \nand consumers. For example, ATM networks and point-of-sale \nsystems must be reconfigured to accept the new cards. In many \ncases, existing hardware may need to be replaced to accept \nnewer technologies. Given the multifaceted challenges and \ninterdependent systems that must be successfully coordinated \nacross banks and merchants, we understand that full \nimplementation may extend beyond the 2015 timeframe.\n\nQ.3. 
In July of 2013, I requested that the Government \nAccountability Office (GAO) review the SIFI designation process \nat FSOC for both transparency and clarity, and to examine the \ncriteria used to designate companies as SIFIs. Would you all be \nwilling to support more reliance on measurable metrics in \nFSOC's designation process?\n\nA.3. I believe the designation process used by the FSOC strikes \nan appropriate balance in using a combination of uniform \nmetrics, supplemented with more in-depth quantitative and \nqualitative assessments to make a designation determination. To \nprovide transparency and clarity, the FSOC published for \ncomment its proposed rule and interpretative guidance that \nexplained the process, factors and key metrics the Council \nwould use in its designation process. The Council's \ninterpretative guidance set forth the Council's three-stage \nprocess and analytical framework for analyzing firms. Within \nthat guidance and as part of its stage 1 analysis, the guidance \nidentified a set of measurable, uniform metrics that are used \nto identify firms that warrant more in-depth review and \nanalysis. Firms that meet the stage 1 metrics laid out in the \nguidance are subject to further review and analysis based on \nsix key categories of risk factors. Those factors, and examples \nof metrics that FSOC will use to evaluate those risk factors, \nwere also described in the guidance.\n    As noted in the preamble to the final designation rule and \ninterpretative guidance, the Council intends to review the \nquantitative thresholds as reporting requirements evolve and \nnew information about certain industries and nonbank financial \ndata becomes available. While I would support such refinements \nto the designation process, I believe it would be a mistake to \ndesign a framework that relies solely on a set of quantitative \nmetrics or algorithms to make a determination decision. 
I \nbelieve each firm must be evaluated with respect to its \nindividual risk profile and the nature of its operations. This \nneed for a tailored analysis is why the Council's process \nincludes substantial opportunities for communications with, and \nresponses by, firms that are under consideration for \ndetermination.\n\nQ.4. Please explain how and why the agencies failed to foresee \nthe accounting issue with the treatment of the Trust Preferred \nCollateralized Debt Obligations (TruPS CDOs) in the final \nVolcker Rule. Did the proposed rule include requisite language \nseeking public comment on TruPS CDOs, as finalized? If so, \nplease provide that language from the proposed rule. If not, \nplease explain why the proposal did not seek that specific \ninformation and whether the agencies believe they satisfied the \nnotice-and-comment requirements under the Administrative \nProcedure Act.\n\nA.4. The TruPS CDOs that raised the accounting issue were \ncovered by the Agencies' implementing regulations because they \nhave features that bring them within the definition of \n``ownership interest.'' The Notice of Proposed Rulemaking (76 \nFed. Reg. 68,846) discussed the Agencies' proposed definition \nof ``ownership interest'' in covered funds, in connection with \nimplementing the Volcker Rule's prohibition against banking \nentity holdings of covered funds (p. 68,897). The proposal went \non to request comment on whether the proposed definitions of \n``ownership interest'' in covered funds posed unique concerns \nor challenges with respect to specific classes of instruments, \nspecifically including Collateralized Debt Obligations (p. \n68,899). Commenters did not raise concerns about TruPS CDOs.\n\nQ.5. What specific efforts are the regulators considering to \naddress the issue with the Collateralized Loan Obligations \n(CLOs) in the final Volcker rule? 
In Governor Tarullo's \ntestimony before the House Financial Services Committee, he \nstated that the CLO issue is ``already at the top of the list'' \nfor regulators to consider and fix. How many financial \ninstitutions are impacted by the final rule's treatment of \nCLOs?\n\nA.5. Based on Call Report information for year-end 2013, 51 \ndomestic banks reported CLO holdings. The OCC is the supervisor \nof 26 of these banks, which hold 95 percent of the CLO holdings \nreported by all 51 banks in the Call Reports. Holding of CLOs \nis extremely concentrated in large banks, two of which hold far \nmore than the other banks combined. Although some banks \nreported unrealized losses on their CLO portfolios, they were \nthe exception to the rule, and the unrealized losses were not \nsignificant relative to tier 1 capital or earnings. On April 7, \n2014, the Federal Reserve Board issued a statement announcing \nits intention, consistent with the statute, to grant two \nadditional 1-year extensions of the conformance period--until \nJuly 2017--for legacy CLOs. A number of these legacy CLOs will \nhave matured under their own terms and repaid their principal \nbalances by that time. With respect to those that have not \nmatured, the OCC does not anticipate significant adverse \neffects on capital or earnings overall with respect to the \ninstitutions we supervise.\n\nQ.6. Since the final Volcker rule was issued in December, the \naffected entities have recognized two issues with the final \nrule (TruPS CDOs and CLOs). What other issues with the final \nVolcker rule are your agencies aware of that may be raised by \naffected entities? How do you intend to coordinate efforts on \nclarifying such issues in the future?\n\nA.6. The Agencies are receiving requests for further guidance \non a range of matters. 
For example, the OCC has received \nquestions regarding the metrics reporting requirements, \nincluding about (i) the timeframes for when the largest trading \nbanking entities must begin collecting metrics and filing their \nfirst reports; and (ii) the systems necessary for collecting \nand reporting metrics. The OCC has led the formation of an \ninteragency working group to address and collaborate on \ndeveloping responses to key supervisory issues that arise under \nthe final regulations. The interagency group held its first \nmeeting in late January and is continuing to meet on a regular \nbasis. The Agencies are working to ensure consistency in \napplication of the final regulations. Through our examination \nand supervisory staff, the OCC also is working with the \ninstitutions we supervise to ensure that they are preparing to \nconform with the implementing regulations when the conformance \nperiod concludes.\n\nQ.7. How do you plan to coordinate with other agencies \nregarding enforcement matters and the final Volcker rule, given \nthat your agencies have varied jurisdictions?\n\nA.7. As noted in the response to the previous question, through \nour examination and supervisory staff, the OCC also is working \nwith the institutions we supervise to ensure that they are \npreparing to conform with the implementing regulations. After \nthe close of the conformance period, we will examine for \ncompliance with the Volcker Rule and, in a case of \nnoncompliance, will take appropriate supervisory or enforcement \naction. In cases where our work implicates institutions subject \nto regulation or supervision by other agencies, we will \ncoordinate closely with those agencies.\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM THOMAS \n                            J. CURRY\n\nQ.1. 
Are you comfortable with the extent to which the consumer \npayments industry currently sets its own data security \nstandards? Currently, most standards are set by contract--with \nthe card companies playing a significant role--and an industry \nbody known as PCI determines most of the details and certifies \ncompliance examiners. Should Federal regulators be playing a \ngreater role?\n\nA.1. The OCC sets standards for financial institutions that we \nsupervise. We are following the industry led efforts to respond \nto the evolving cybersecurity threats. The Payment Card \nIndustry (PCI) Security Standards Council develops, maintains \nand manages the PCI Security Standards, such as the PCI-Data \nSecurity Standards (PCI-DSS). The PCI security standards are \ndetailed and have been recently updated (November 2013). The \nbank regulators have an important role in evaluating the risk \nexposure of the banks in the system and consider PCI-DSS \ncompliance in addition to compliance with the Federal Financial \nInstitutions Examination Council (FFIEC) and OCC-related \nguidance in the examination process.\n    The OCC is in the process of assessing the existing \nregulatory structure, enforcement authorities, and statutory \nauthorities to ensure they are adequate for the existing \ncybersecurity threat.\n\nQ.2.a. When a financial data breach occurs with a merchant (as \nseems to be the case with the current wave of data breaches) or \nother source outside of a financial institution, financial \ninstitutions still very clearly feel the effects. Credit and \ndebit card issuers, for example, must notify affected customers \nand issue new cards, and will likely end up bearing some \nportion of the financial losses that occur from fraudulent \ntransactions using stolen card information. 
In the chain of a \nretail payment transaction, security is only as strong as its \nweakest link.\n    In addition to the examinations the OCC conducts regarding \nregulated institutions' own data security, can you describe the \nOCC's oversight with respect to the security of consumer data \nacross the entire chain of consumer payment transactions?\n\nA.2.a. Banks provide essential retail payment transaction \nservices to businesses and customers; issuing credit and debit \ncards to customers, authorizing transactions for merchants, and \nthen acquiring those transactions. A few provide clearing and \nsettlement services for merchants. The OCC supervises banks and \ntheir service providers. However, the OCC does not oversee the \nsecurity of consumer data across the entire chain of consumer \npayment transactions.\n    The OCC examines banks and their service providers for \ncompliance with the interagency information security guidelines \nissued by the OCC pursuant to the Gramm-Leach-Bliley Act, in \nconjunction with the Federal Deposit Insurance Corporation \n(FDIC) and the Board of Governors of the Federal Reserve System \n(Federal Reserve) (collectively, the FBAs). These interagency \nguidelines require each bank to develop and implement a formal \ninformation security program. Banks and their service providers \nare examined for the capacity to safeguard their systems \nagainst cyber attacks and their ability to ensure the security \nand confidentiality of customer information. The OCC also \nascertains whether banks have strong and well-coordinated \nincident response programs that can be implemented if a cyber \nattack or security breach does occur.\n    While the guidelines require a bank to safeguard the \ncustomer information it maintains or that is maintained by a \nthird party on its behalf, each bank is also required to be on \nthe alert for identity theft involving its customers' \ninformation, no matter how and where the information was \nacquired. 
The OCC examines banks for compliance with \ninteragency regulations issued by the OCC pursuant to the Fair \nand Accurate Credit Transactions Act (FACT Act), by the FBAs \ntogether with the Federal Trade Commission titled ``Identity \nTheft Red Flags and Address Discrepancies.'' The final rules \nrequire each financial institution and creditor to develop and \nimplement a written identity theft prevention program that \nincludes policies and procedures for detecting, preventing, and \nmitigating identity theft in connection with new and existing \naccounts. The program must cover any consumer account, or any \nother account that the financial institution or creditor offers \nor maintains for which there is a reasonably foreseeable risk \nto consumers or to the safety and soundness of the financial \ninstitution or creditor from identity theft. In addition, it \nmust include policies and procedures to identify relevant red \nflags signaling the possibility of identity theft, detect red \nflags incorporated into the program, respond appropriately to \nthe red flags that are detected, and ensure the program is \nupdated periodically to reflect changes in risks to customers \nand to the institution from identity theft.\n    The Agencies also issued guidelines to assist covered \nentities in developing and implementing an identity theft \nprevention program. The guidelines include a supplement that \nidentifies 26 patterns, practices, and specific forms of \nactivity that are ``red flags.'' These include alerts, \nnotifications, or other warnings received from consumer \nreporting agencies or service providers, the presentation of \nsuspicious documents or suspicious personal identifying \ninformation, the unusual use of, or other suspicious activity \nrelated to, a covered account, or notice from customers, \nvictims of identity theft, or law enforcement authorities. 
When \na bank detects identity theft red flags, the bank is expected \nto respond appropriately by taking steps that include \nmonitoring accounts, contacting the customer, changing \npasswords, closing and reopening the account, and notifying law \nenforcement, as appropriate.\n\nQ.2.b. Should Federal regulators be taking a greater interest \nin the data security standards applicable to other entities \nthat possess consumer financial data, beyond just regulated \nfinancial institutions? Are legislative changes necessary or \nare there legislative changes that would help?\n\nA.2.b. The OCC recognizes the need to protect critical \ninfrastructure and customer information across all sectors of \nthe economy. We support legislation aimed at achieving these \ngoals, except to the extent that such legislation would weaken \nor duplicate the existing information security, data \nprotection, and consumer notice requirements already applicable \nto banks.\n\nQ.3. In our economy today, companies are collecting and storing \ngrowing amounts of consumer information, often without \nconsumers' knowledge or consent. The financial industry is no \nexception. We have heard reports of lenders, for example, \nmining online data sources to help inform underwriting \ndecisions on consumer loans. As companies aggregate more data, \nhowever, the consequences of a breach or improper use become \ngreater.\n    The Target breach illustrates the risks consumers face--not \njust of fraud, but also identity theft and other hardships. \nCompromised information included both payment card data and \npersonal information such as names, email addresses, and phone \nnumbers. But what if the next breach also involves account \npayment histories or Social Security numbers? As the ways \ncompanies use consumer information change, and the amount of \nconsumer data they hold grows, how is the OCC's approach \nevolving? 
Are there steps regulators are taking--or that \nCongress should take--to require stronger protections against \nbreaches and improper use, and to mitigate harm to consumers?\n\nA.3. Ensuring the industry's defenses against cyber attacks is \nan important issue for the OCC. While the banking sector is \nhighly regulated and has been subject to stringent information \nsecurity requirements for decades, we recognize that both our \nsupervision and our guidance to banks must be regularly updated \nto keep pace with the rapidly changing nature of cyber threats.\n    The OCC has an information technology (IT) examination \nprogram that includes training examiners, updating and \nimplementing IT risk management policy through guidance, \nalerts, and handbooks, and regular onsite examination of banks' \nIT programs.\n    We have also helped coordinate a series of classified \nbriefings for banks, third-party service providers, and \nexaminers. These briefings are an effective way to provide the \nindustry with information needed to anticipate and prepare for \nattacks. We have also conducted a number of other outreach \nevents, including a security and threat awareness \nteleconference for community banks and thrifts that attracted \nover 750 institutions.\n    When I became Chairman of the FFIEC, I called for the \ncreation of a working group on cybersecurity issues to be \nhoused under the FFIEC's task force on supervision. The working \ngroup has already begun to meet with intelligence, law \nenforcement, and homeland security officials, and it is \nexploring additional approaches bank regulators can take to \nensure that institutions of all sizes have the ability to \nsafeguard their systems. 
This working group will also consider \nhow best to implement the President's Executive Order on \nCybersecurity, as well as how to address recommendations of the \nFSOC.\n    In addition, as mentioned above, the OCC recognizes the \nneed to protect critical infrastructure and customer \ninformation across all sectors of the economy, especially with \nrespect to sectors upon which banks are dependent, such as \ntelecommunications. We support legislation aimed at achieving \nthese goals, except to the extent that such legislation would \nweaken or duplicate the existing information security, data \nprotection, and the consumer notice requirements already \napplicable to banks.\n\nQ.4.a. A lot of the discussion in the aftermath of the recent \ndata breaches has focused on credit and debit card ``smart'' \nchip technology, since the United States seems to have fallen \nbehind other parts of the world such as Western Europe in \nadopting it. But while card chips help to reduce fraud for \ntransactions where a card is physically present, and make it \nharder for thieves to print fake cards using stolen \ninformation, they do little to reduce fraud for online, ``card-\nnot-present'' transactions.\n    Are you comfortable with the steps industry is taking to \nimprove security and reduce fraud for ``card-not-present'' \ntransactions?\n\nA.4.a. The banking industry is looking into a number of new \ntechnologies and business processes to improve security and \nreduce fraud. The largest institutions, in particular, have \nmade significant investments in ways to improve security and \nreduce fraud. As your question acknowledges, while some \ntechnologies such as ``chip and pin'' may mitigate one source \nof vulnerability, they could accentuate other vulnerabilities. 
\nFor this reason, there are additional industry efforts underway \nto explore other emerging technologies such as biometrics, \ngeolocation and forms of dynamic authentication other than \n``chip and pin.'' Some of these potential solutions however, \nmay raise other concerns such as consumer privacy that will \nneed to be carefully considered.\n\nQ.4.b. Banks and other industry participants need to be \nproactive here, rather than waiting for a major breach to \nhappen before making protective investments. Do you feel that \nregulated institutions are paying sufficient attention to all \nareas of data security risk, and are making the necessary \ninvestments to protect consumers rather than treating fraud as \nsimply a cost of doing business?\n\nA.4.b. Cybersecurity is an important priority for the OCC and \nwe have been conducting extensive outreach to our institutions \nto draw their attention to the importance of data security. We \nemphasize that it is an operational risk that needs to be part \nof institutions' overall enterprise risk management and receive \nattention from senior management and the board of directors. \nFrom our outreach efforts, we believe that senior financial \ninstitution executives understand that addressing cyber risks \nis a serious priority for their institutions, and, as noted \nabove, they are exploring enhancements to existing technology \nto help to protect consumers' information. The OCC supports new \ntechnologies and tools that will enhance the overall security \nof retail payment systems.\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM THOMAS J. \n                             CURRY\n\nQ.1. FSOC has been in existence for more than 3 years. Since \nthat time, three companies have been deemed systemically \nsignificant and a second round of companies appear to be under \nconsideration. 
Despite the numerous calls from Congress, a \nnumber of industry and consumer groups and even the GAO for the \nFSOC to provide greater transparency about the process used for \ndesignation, (including the metrics OFR should measure in their \nanalysis), the criteria followed, as well as the implications \nand process to be followed after a firm has been designated a \nSIFI. Can you provide greater details on why more transparency \nhas not been achieved and how the FSOC plans to improve these \nissues?\n\nA.1. I believe the designation process used by FSOC strikes an \nappropriate balance in providing transparency to the public \nabout the factors used by the Council in making its \ndeterminations while allowing for a robust evaluation, based on \neach firm's unique circumstances, that also protects the \nconfidentiality of firm-specific proprietary and supervisory \ninformation. For example, to provide transparency and clarity, \nthe FSOC published for comment its proposed rule and \ninterpretative guidance that explained the process, factors and \nkey metrics the Council would use in its designation process. \nThe Council's interpretative guidance set forth the Council's \nthree-stage process and analytical framework for analyzing \nfirms. Within that guidance and as part of its stage 1 \nanalysis, the guidance identified a set of measurable, uniform \nmetrics that are used to identify firms that warrant more in-\ndepth review and analysis. Firms that meet the stage 1 metrics \nlaid out in the guidance are subject to further review and \nanalysis based on six key categories of risk factors. Those \nfactors, and examples of metrics that FSOC will use to evaluate \nthose risk factors, were also described in the guidance.\n    With respect to the Council's actions for individual firms, \na firm that is being actively considered for designation is \nsent a written notice that it is being considered for \ndesignation. 
That notice provides the firm with a preliminary, \nin-depth analysis of the Council's assessment of the firm, \nincluding key risk factors and metrics that the Council used in \nits assessment. During this stage, firms have an extensive \nopportunity to respond to those preliminary assessments through \nthe submission of written materials and meetings and \ndiscussions with Council staff. If, at the conclusion of those \ndiscussions and analysis, the Council decides to make a \ndetermination, the firm is provided with a notice of proposed \ndetermination that includes an explanation of the basis for the \nCouncil's action and is given the opportunity to request a \nformal hearing before a final determination is made. To provide \ntransparency of the Council's final decision to designate a \nfirm, the Council's resolution and votes for the decision, \nalong with any dissenting opinion, is posted to the Council's \nWeb site, along with a summary that provides the basis and \ncriteria used and the rationale for the designation.\n\nQ.2. I, along with a number of other Republicans, introduced \nlegislation to fix an unintended consequence on collateralized \ndebt obligations (CDOs). In their January 13th interim final \nrule, regulators crafted a rule that largely mirrored what my \nbill sought to do; provide relief to a majority of community \nbanks. While we appreciate the agencies' efforts on this issue, \none issue that we included in our legislation that the \nregulators did not address was collateralized loan obligations \n(CLOs). The CLO market provides about $300 billion in financing \nto U.S. companies and U.S. banks currently hold between $70 and \n$80 billion of senior notes issued by existing CLOs and foreign \nbanks subject to the Volcker Rule hold about another $60 \nbillion. 
Because the final rules implementing the Volcker Rule \nimproperly treat these debt securities as ``ownership \ninterests'', the banks holding these notes will either have to \ndivest or restructure these securities. Because restructuring \nwell over $130 billion of CLO securities is neither feasible \nnor under the control of the banks holding these notes, \ndivestment is the most likely result. This, in turn, could lead \nto a fire sale scenario that could put incredible downward \npressure on CLO securities prices leading to significant losses \nfor U.S. banks. If prices decline by only 10 percent, U.S. \nbanks would have to recognize losses of almost $8 billion \ndriven not by the underlying securities but solely because of \nthe overreach of the Volcker Rule. Indeed, the final rules are \nalready wreaking havoc on the CLO market. Since the final rules \nwere announced, new CLO formation was down nearly 90 percent in \nJanuary 2014, the lowest issuance in 23 months. If this \nsituation is not remedied and CLO issuance remains moribund, \ncorporate borrowers could face higher credit costs. At the \nhearing of the House Financial Services Committee on January \n15, 2014, a number of both Democrats and Republicans asked \nquestions about how to fix the issue with the CLO market that \nwas not addressed in the interim final rule released on January \n13, 2014. The representatives of the agencies noted that the \nCLO issue was at the top of the list of matters to be \nconsidered by the inter-agency working group that has been \nestablished to review issues such as this and publish guidance. \nThe issue is urgent. Bank CFOs are struggling with how to treat \ntheir CLO debt securities. Can you commit to a tight timeframe \nto issue guidance on CLOs?\n\nA.2. 
On April 7, 2014, the Federal Reserve Board issued a \nstatement announcing its intention, consistent with the \nstatute, to grant two additional 1-year extensions of the \nconformance period--until July 2017--for legacy CLOs. A number \nof these legacy CLOs will have matured under their own terms \nand repaid their principal balances by that time. With respect \nto those that have not matured, the OCC does not anticipate \nsignificant adverse effects on capital or earnings overall with \nrespect to the institutions we supervise. Market participants \nindicate that new issuances have been structured so as to \ncomply with Volcker Rule requirements for banking entity \nportfolio investments. I would note that CLO issuances for \nApril were $12.3 billion, the highest monthly volume since the \nfinancial crisis, and that the total issuance for 2014 is \nalready $31.7 billion, putting it on pace to exceed last year's \ntotal volume.\n                                ------                                \n\n\n  RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM MARY JO \n                             WHITE\n\nQ.1. When a data breach happens at a merchant level, Federal \nbanking regulators generally do not have jurisdiction to \ninvestigate and take action. However, collateral consequences \nof such breaches are that regulated financial institutions are \nimpacted and face reputational and financial setbacks as a \nresult. What are your expectations for the regulated entities \nwhen a breach occurs at a third party? What are some of the \nchallenges financial institutions face as a result of the \nbreach? How can those challenges be addressed while minimizing \nconsequences of, and cost for, affected financial institutions?\n\nA.1. The challenges that face financial institutions as a \nresult of a breach at a third party are many and varied. The \nsophistication of the perpetrators continually evolves, and the \nthreats increase in complexity on a daily basis. 
Keeping pace \nwith the challenges that we face will take a coordinated \nGovernment and industry effort.\nExpectations for Regulated Entities When a Breach Occurs at a Third \n        Party\n    The Commission has in place rules addressing privacy and \nidentity theft to protect investors. Regulations S-P and S-ID \nwork together to require covered firms to implement policies \nand procedures that are reasonably designed to ensure the \nsecurity and confidentiality of customer records and \ninformation, including the establishment of an identity theft \nprogram addressing how to identify, detect, and respond to \npotential identity theft red flags.\\1\\ Entities covered under \nthese rules are required to implement measures addressing their \nregulatory obligations, including the oversight of service \nprovider arrangements.\n---------------------------------------------------------------------------\n    \\1\\ Regulation S-P requires broker-dealers, investment companies \nand registered investment advisers to establish policies and procedures \nreasonably designed to safeguard customer information and records. It \nalso limits the ability of these firms to disclose nonpublic personal \ninformation to unaffiliated third parties. Last year, to implement \nSection 1088 of the Dodd-Frank Act, the SEC and the CFTC jointly \nadopted Regulation S-ID, which requires certain regulated financial \ninstitutions and creditors to adopt and implement identity theft \nprograms. Regulation S-ID is in effect today and requires covered firms \nto implement policies and procedures designed to: identify relevant \ntypes of identity theft red flags; detect the occurrence of those red \nflags; respond appropriately to the detected red flags; and \nperiodically update the identity theft program. 
Regulation S-ID also \nrequires entities to provide staff training, oversight of service \nproviders, and guidelines for and examples of red flags to help firms \nadminister their programs.\n---------------------------------------------------------------------------\n    The guidelines contained in Regulation S-ID provide, among \nother things, that regulated entities that engage a service \nprovider to perform services related to a covered account \nshould take steps to ensure that the service provider has \npolicies and procedures designed to detect, prevent and \nmitigate the risk of identity theft.\nChallenges Faced by Financial Institutions as a Result of a Breach\n    Possibly the greatest challenge faced by financial \ninstitutions and regulators alike is the need to be ever \nvigilant in guarding against new and unexpected threats. This \ngenerally necessitates good communication by all affected, as \nwell as foresight in allocating resources to data and cyber \nprotection. Financial institutions covered under the rules that \npossess customer data, of course, should, and are required to, \ntake steps to prevent that data from being placed at risk. By \nway of example, broker-dealers, mutual funds and registered \ninvestment advisers are required under Regulation S-P and \nRegulation S-ID to implement policies and procedures that \naddress safeguarding data and preventing identity theft. Some \nof the challenges facing entities covered under Regulation S-ID \nrelate to implementing a program that provides for an \nappropriate response to identity theft red flags commensurate \nwith the risk posed. Guidelines contained in Regulation S-ID \nnote that an appropriate response should take into account \naggravating factors that may heighten the risk of identity \ntheft, such as a data security incident that results in \nunauthorized access to account records, and include a number of \nexamples of appropriate responses that a regulated entity \nshould consider. 
Appropriate responses may include, among \nothers:\n\n  * Monitoring a covered account for evidence of \n        identity theft;\n\n  * Contacting the customer;\n\n  * Changing any password, security codes, or other \n        security devices that permit access to a covered \n        account; or\n\n  * Notifying law enforcement.\nAddressing Challenges While Minimizing Consequences and Costs\n    An entity covered under Regulation S-ID is required to \ntailor its particular identity theft program to its size and \ncomplexity and to the nature and scope of its activities. \nAllowing an entity to tailor its program to fit its particular \ncircumstances should enable the entity to better balance an \nappropriate response against any related consequences and \ncosts.\n\nQ.2. At the Subcommittee hearing on data security and breach \nheld on February 3, 2014, Members learned that the payment \nnetworks have set an October 2015 timeframe for moving industry \nparticipants to adoption of new, more secure payment \ntechnology. Can you discuss how quickly your regulated entities \nare moving to this technology, and identify some of the \nobstacles that still exist?\n\nA.2. It is our understanding that the payment systems industry \nhas spearheaded the transition to the use of new, more secure \npayment technology, and major industry participants are working \nto finalize this process by October 2015. The SEC's authority, \nhowever, generally does not extend to retail payment systems. \nThis authority generally resides with banking regulators. For \ninstance, although some clients of broker-dealers and mutual \nfunds have the ability to obtain debit cards linked to their \naccounts, the cards themselves are issued directly by a bank, \nand any unauthorized transactions processed through retail \npayments systems are subject to the fraud protections of the \nbanking regulations. 
As a result, the Commission has not been \ninvolved in these activities and is not in a position to \nprovide additional details concerning them.\n\nQ.3. In July of 2013, I requested that the Government \nAccountability Office (GAO) review the SIFI designation process \nat FSOC for both transparency and clarity, and to examine the \ncriteria used to designate companies as SIFIs. Would you all be \nwilling to support more reliance on measurable metrics in \nFSOC's designation process?\n\nA.3. As a voting member of the Financial Stability Oversight \nCouncil (FSOC), I believe it is important to be data-driven and \nrely on facts throughout the process for consideration of the \npotential designation of systemically important financial \ninstitutions (SIFI). I therefore support the thorough and \nappropriate use of data and quantifiable, measurable factors in \nthe SIFI designations process. In addition, I would note that \nthe FSOC as a general matter is focused on the issue of \ntransparency and enhancing transparency, which I consider an \nimportant area of focus.\n\nQ.4. Since the final Volcker rule was issued in December, the \naffected entities have recognized two issues with the final \nrule (TruPS CDOs and CLOs). What other issues with the final \nVolcker rule are your agencies aware of that may be raised by \naffected entities? How do you intend to coordinate efforts on \nclarifying such issues in the future?\n\nA.4. Staffs of the five agencies continue to work together, as \nthey did during the rulemaking process, to share information \nand coordinate the agencies' implementation of the Volcker \nrule. The staffs engage in discussions on a regular basis \nconcerning technical and other issues concerning the \nimplementation of the Volcker rule, including interpretive and \nother issues raised by affected entities, to facilitate \ncoordinated responses by the agencies or their staffs as \nappropriate. 
The staffs are not able to predict all of the \nissues that affected entities may raise with the final Volcker \nrule, but will continue to evaluate issues identified by \naffected entities and facilitate the agencies' coordinated \nconsideration of these issues.\n\nQ.5. How do you plan to coordinate with other agencies \nregarding enforcement matters and the final Volcker rule, given \nthat your agencies have varied jurisdictions?\n\nA.5. Section 13 of the Bank Holding Company Act (``BHC Act'') \nprovides each agency with authority to adopt and administer \nrules with respect to specific types of legal entities. For \ninstance, section 13(e)(2) of the BHC Act authorizes the SEC, \nthe Federal banking agencies, and the CFTC to take specified \nactions against a banking entity under the respective agency's \njurisdiction if there is reasonable cause to believe the \nbanking entity has made an investment or engaged in activity \nthat functions as an evasion or otherwise violates the \nrestrictions of that section. Banking entities within the SEC's \njurisdiction include bank-affiliated, SEC-registered broker-\ndealers, investment advisers, and security-based swap dealers. \nThe SEC is authorized to enforce the requirements of section 13 \nof the BHC Act only with respect to the types of banking entity \nunder its jurisdiction. The SEC and the other agencies are \ncurrently coordinating interpretive guidance and will seek to \nbroaden such coordination to include examiner training and \ncooperation in connection with enforcing section 13.\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR MERKLEY FROM MARY JO \n                             WHITE\n\n    I greatly appreciate the SEC and CFTC's efforts in \nimplementing key features of Dodd-Frank's swaps reforms. 
\nHowever, I am very concerned about the number and significance \nof exemptions and no-action letters granted by the CFTC and the \nSEC's delay in finalizing the rules. While I appreciate the \nCFTC's commitment to working closely with stakeholders and \nallowing them an adequate opportunity to come into compliance, \nI am concerned that any additional delays would be unreasonably \nexposing Americans to systemic risks and losing invaluable \nmomentum in the effort to build a more stable financial system.\n\n    Could you please lay out as of the date of this hearing:\n\nQ.1.a. What percentage of U.S. swaps markets, broken down by \nswap-type, have been subject to Title VII requirements for \nclearing, Swap Execution Facility (SEF)-trading, and reporting?\n\nA.1.a. As you know, the Dodd-Frank Act divided regulatory \nauthority over U.S. swaps markets between the SEC and the CFTC, \nwith the SEC having authority over security-based swaps, the \nCFTC having authority over swaps, and the SEC and CFTC jointly \nregulating mixed swaps. SEC staff estimates that security-based \nswaps--principally single-name CDS and equity-related security-\nbased swaps--collectively represent less than 5 percent of the \noverall swaps markets. The CFTC's rules for clearing, SEF \ntrading, and reporting for the swaps markets are in effect; the \nCFTC should be better able to provide you with relevant data \nfor the products under its jurisdiction.\n    To date, the SEC has proposed all of the rules required by \nTitle VII, and we have started the process of adopting Title \nVII rules. These efforts include a comprehensive set of \nproposed rules focusing specifically on application of Title \nVII to cross-border security-based swap activity, mandatory \nclearing, and rules related to trading on security-based swap \nexecution facility trading and reporting.\n\nQ.1.b. 
What percentage of the global swaps market, broken down \nby swap-type, have been subject to Title VII-like requirements \nfor clearing, SEF-trading, and reporting?\n\nA.1.b. The FSB's OTC Derivatives Market Reforms: Sixth Progress \nReport on Implementation, dated September 2013, reported that \nmost G20 jurisdictions had legislation in place that allows for \nadoption of clearing and trading requirements, but mandatory \nclearing requirements and requirements to trade on organized \ntrading platforms were only partially in force in a small \nnumber of jurisdictions. With respect to reporting, the FSB \nreported in September that sixteen G20 jurisdictions had \nlegislation and regulations adopted to implement trade \nreporting, of which twelve jurisdictions had at least some \nspecific requirements in force.\n    The Commission has access to transaction-level data that we \nbelieve provide reasonably comprehensive information regarding \nsingle-name CDS transactions and the composition of \nparticipants in the market for single-name CDS. Analyses of \nthese data have played a role in shaping the rules we have \nproposed and adopted under Title VII, and have allowed us to \nquantify certain economic effects of these rules. Summary \nstatistics that describe the global nature of transactions and \nmarket participants are contained on pages 393 through 396 of \nthe SEC's cross-border proposing release. We note, however, \nthat our data comes with several limitations. While we observe \nall reported transactions in single-name CDS involving U.S. \nunderliers, we do not observe CDS transactions involving non-\nU.S. underliers where neither counterparty is a U.S. entity. \nThe limitation on data involving CDS on non-U.S. 
underliers \nmeans that we do not have access to the type of data on foreign \nmarkets that would be necessary to provide you the specific \npercentages you request both in this question and the questions \nbelow.\n    Based on an analysis of transactions in CDS on U.S. \nunderliers, Commission staff believes that the vast majority of \ntransactions in these CDS involve at least one U.S. or European \ncounterparty, and thus are, or are likely to be, subject to \nTitle VII or European requirements.\n\nQ.1.c. How much will that percentage change when Europe \nfinalizes its rules?\n\nA.1.c. Based on an analysis of data regarding CDS transactions \non U.S. underliers, where we believe we have a more complete \npicture of market participation, Commission staff believes that \nthe vast majority of those transactions involve at least one \nU.S. or European counterparty and thus are, or are likely to \nbe, subject to Title VII or European requirements. As noted \nabove, however, the Commission does not have access to data \nnecessary to provide a specific percentage for the global \nmarket in single-name CDS.\n    With respect to the specific European requirements, \nreporting to trade repositories under the European Market \nInfrastructure Regulation (EMIR) began on February 12, 2014. \nEMIR also requires counterparties to clear OTC derivative \ncontracts that belong to a class that the European Securities \nand Markets Authority (ESMA) has declared subject to the \nclearing obligation and that meet other specified criteria. We \nunderstand that ESMA is currently working on draft regulatory \ntechnical standards to determine the asset classes that will be \nsubject to this clearing obligation, and that publication of \ndraft standards is expected later this year. Legislation \ncurrently under consideration in the EU is expected to address \nthe EU's commitment to require OTC derivatives to be traded on \nan organized trading platform.\n\nQ.1.d. 
What part of those markets are made up of foreign \naffiliates of U.S. persons?\n\nA.1.d. As noted above, the Commission does not have access to \nthe type of comprehensive data about foreign security-based \nswap market participation that would be necessary to answer \nyour specific question. Based on analysis of CDS transactions \non U.S. underliers, however, Commission staff estimates that \ntransactions in which one counterparty is either a foreign \naffiliate of a U.S. person or a foreign branch of a U.S. person \n(which is considered part of its U.S. home office under the \nSEC's cross-border proposal) constitute a majority of \ntransactions in CDS on U.S. underliers in foreign markets. As \nwith the overall market for CDS on U.S. underliers, the staff \nestimates that the vast majority of these transactions are with \nEuropean counterparties, and thus are, or are likely to be, \nsubject to Title VII requirements, European requirements, or \npotentially both.\n    Please also:\n\nQ.1.e. Set out what temporary exemptions your agencies have \ngranted.\n\nA.1.e. In June 2011, the Commission provided guidance as to \nwhich of the requirements of Title VII of the Dodd-Frank Act \nwould apply to security-based swap transactions as of the July \n16, 2011 effective date of Title VII, and granted temporary \nrelief to market participants from compliance with certain of \nthose requirements (Effective Date Order).\\1\\ The Effective \nDate Order was intended to provide legal certainty and avoid \nunnecessary market disruption while the Commission completes \nthe implementation of Title VII.\n---------------------------------------------------------------------------\n    \\1\\ See Temporary Exemptions and Other Temporary Relief, Together \nwith Information on Compliance Dates for New Provisions of the \nSecurities Exchange Act of 1934 Applicable to Security-Based Swaps, \nExchange Act Release No. 34-34678 (Jun. 15, 2011), 76 FR 36287 (Jun. 
\n22, 2011).\n---------------------------------------------------------------------------\n    The Commission also issued a temporary order and interim \nfinal rules that provided temporary exemptive relief from \ncompliance with certain provisions of the Securities Act, the \nExchange Act, and the Trust Indenture Act in connection with \nthe revision of the definition of ``security'' to encompass \nsecurity-based swaps.\\2\\ The temporary exemptions and interim \nfinal rules were directed toward maintaining the status quo \nwhile the Commission implemented Title VII and evaluated the \nimplications under the Federal securities laws of including \nsecurity-based swaps in the definition of ``security.''\n---------------------------------------------------------------------------\n    \\2\\ See Order Granting Temporary Exemptions under the Securities \nExchange Act of 1934 in Connection with the Pending Revisions of the \nDefinition of ``Security'' to Encompass Security-Based Swaps, Exchange \nAct Release No. 64795 (Jul. 1, 2011), 76 FR 39927 (Jul. 7, 2011); Order \nExtending Temporary Exemptions under the Securities Exchange Act of \n1934 in Connection with the Revision of the Definition of ``Security'' \nto Encompass Security-Based Swaps, and Request for Comment, Exchange \nAct Release No. 71485 (Feb. 5, 2014), 79 FR 7731 (Feb. 10, 2014); \nExemptions for Security-Based Swaps, Securities Act Release No. 9231 \n(Jul. 1, 2011), 76 FR 40605 (Jul. 11, 2011); and Extension of \nExemptions for Security-Based Swaps, Securities Act Release No. 9545 \n(Feb. 5, 2014), 79 FR 7570 (Feb. 
10, 2014).\n---------------------------------------------------------------------------\n    The temporary order generally preserves the application of \nparticular Exchange Act requirements that were already \napplicable in connection with instruments that became \n``security-based swaps'' following the effective date of the \nDodd-Frank Act, but defers the applicability of additional \nExchange Act requirements in connection with those instruments \nexplicitly being defined as ``securities.'' More specifically, \nthe Commission's temporary order exempts certain market \nparticipants who engage in security-based swap activities from \nthe application of the Exchange Act other than with respect to: \n(a) certain antifraud and anti-manipulation provisions, (b) all \nExchange Act provisions related to security-based swaps added \nor amended by subtitle B of Title VII of the Dodd-Frank Act, \nincluding the amended definition of ``security'' in Section \n3(a)(10), and (c) certain other Exchange Act provisions.\n    The interim final rules temporarily exempt offers and sales \nof those security-based swaps that prior to the Title VII \neffective date were security-based swap agreements from all \nprovisions of the Securities Act (other than the Section 17(a) \nanti-fraud provisions), the Exchange Act registration \nrequirements, and the provisions of the Trust Indenture Act, \nprovided certain conditions are met. The exemptions apply only \nto security-based swaps entered into between eligible contract \nparticipants (as defined prior to the Title VII effective \ndate).\n\nQ.1.f. Explain your timeline and planning for ending those \nexemptions and accomplishing full implementation of the Dodd-\nFrank rules regarding the swaps markets? Please identify any \nbarriers you see that could further slow that implementation.\n\nA.1.f. 
The temporary exemptions provided under the Effective \nDate Order generally are set to expire on the earliest \ncompliance date set forth in the related security-based swap \nrulemaking under Title VII, although in certain cases the \nexpiration is tied to another date, such as the effective date \nfor the related security-based swap rules or the date a person \nbecomes registered under related security-based swap rules. One \nof the temporary exemptions in the Effective Date Order extends \nuntil a date or dates to be specified by the Commission. The \napproach to this temporary exemption permits the Commission to \nspecify an appropriate date or dates for expiration in the \nrelated security-based swap rulemakings.\n    Similarly, under the temporary order, the exemptions under \nthe Exchange Act that are related to pending security-based \nswap rulemakings are set to expire on the compliance date for \nthe related security-based swap rules. The temporary exemptions \nwhich are not directly linked to pending security-based swap \nrulemakings are set to expire on the earlier of such time as \nthe Commission issues an order or rule determining whether any \ncontinuing exemptive relief is appropriate for security-based \nswap activities with respect to any of these Exchange Act \nprovisions or until February 11, 2017.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ The exemptions provided by the interim final rules will expire \non February 11, 2017. 
However, if the Commission adopts further rules \nrelating to issues raised by the application of the Securities Act or \nthe other Federal securities laws to security-based swaps before \nFebruary 11, 2017, the Commission may well determine to alter the \nexpiration dates in the interim final rules as part of that rulemaking.\n---------------------------------------------------------------------------\n    This approach for extending the exemptions related to \nsecurity-based swap rulemakings is intended to facilitate a \ntimely phased-in determination regarding the application of the \nrelevant provisions of the Exchange Act to security-based swaps \nbased on the development of the relevant rules mandated by the \nDodd-Frank Act as the Commission moves toward finalizing those \nrules. This approach also provides the Commission flexibility \nwhile Dodd-Frank Act rulemaking is still in progress to \ndetermine whether continuing relief should be provided for any \nExchange Act provisions that are not directly linked to \nspecific security-based swap rulemaking.\n    The Commission is in the midst of rulemaking under the \nDodd-Frank Act to provide a robust, comprehensive regulatory \nregime for security-based swaps. To date, the Commission has \nproposed all of the rules related to the new regulatory regime \nfor derivatives under Title VII and has begun the process of \nadopting these rules.\n    At this point there are not immediately apparent any new \nbarriers that could delay implementation. As you know, the \nCommission proposed the rules pertaining to the application of \nTitle VII to cross-border security-based swap transactions and \nnon-U.S. persons engaged in activities implicating Title VII. \nThis was a critical part of the implementation process, given \nthe overwhelmingly global nature of the market for security-\nbased swaps.\n    In addition, the staff is working on the next set of \nadoptions under Title VII. 
The Commission is likely to consider \ncertain of the issues presented in the cross-border proposal in \nan initial cross-border adopting release. Under such an \napproach, this initial cross-border adopting release would \nlikely focus on adopting key definitions relevant to the \napplication of Title VII in the cross-border context. Other \nmatters raised in the cross-border proposal would be addressed \nin subsequent releases. Such an approach would allow the \nCommission to consider the cross-border application of the \nsubstantive requirements imposed by Title VII in conjunction \nwith the final rules that will implement those substantive \nrequirements. In addition, as noted below in response to \nquestion 3, I expect the Commission to consider the application \nof mandatory clearing requirements to single-name credit \ndefault swaps, starting with those that were first cleared \nprior to the enactment of the Dodd-Frank Act.\n\nQ.2. In particular, at the hearing, Acting Chair Wetjen \nidentified certain cross-border issues that may be near-term \nchallenges--please explain clearly what those might be and why \ncontinued delays or further weakenings of U.S. standards would \nnot continue to expose the U.S. to significant financial \nstability risks, including lack of transparent pricing in the \nswaps market.\n\nA.2. The swaps markets are predominantly global and, therefore, \nresolving cross-border issues appropriately is critical to \nsuccessful regulatory reform of these markets.\n    As I noted in my testimony, the Commission is actively \nreviewing public input on its cross-border proposal. The \nCommission also is working through the issues that were raised, \nincluding, among others, the appropriate treatment of foreign \naffiliates of U.S. persons and how conduct by a non-U.S. person \nin the United States engaging in security-based swap \ntransactions with another non-U.S. 
person should impact the \napplication of Title VII requirements.\n    In addressing these and other issues both in the cross-\nborder area and more generally as we continue to adopt final \nrules and take other actions to implement Title VII, I continue \nto believe that we should take a robust and workable approach.\n\nQ.3. Finally, can you share any plans for further speeding \ncoordinated implementation? For example, shouldn't the SEC \nencourage single-name CDS to be cleared and traded through \nCFTC-registered clearinghouses and SEFs in the interim before \nSEC rules are finalized and implemented?\n\nA.3. Since the Dodd-Frank Act was enacted, the staffs of the \nCommission and the CFTC have consulted and coordinated with \neach other regularly in the development and implementation of \nour respective rules, and we continue to do so.\n    My immediate goal is to continue the finalization of the \nrules required by Title VII for the security-based swaps \nmarket. In the interim, I would emphasize that single-name CDS \nare already being cleared at SEC-registered clearing agencies \nunder existing SEC rules. With respect to trading of security-\nbased swaps, so long as market participants comply with \napplicable Federal securities laws, the SEC does not prohibit \ntrading on CFTC-registered SEFs.\n                                ------                                \n\n\n  RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MARY JO \n                             WHITE\n\nQ.1. FSOC has been in existence for more than 3 years. Since \nthat time, three companies have been deemed systemically \nsignificant and a second round of companies appear to be under \nconsideration. 
Despite the numerous calls from Congress, a \nnumber of industry and consumer groups and even the GAO for the \nFSOC to provide greater transparency about the process used for \ndesignation, (including the metrics OFR should measure in their \nanalysis), the criteria followed, as well as the implications \nand process to be followed after a firm has been designated a \nSIFI. Can you provide greater details on why more transparency \nhas not been achieved and how the FSOC plans to improve these \nissues?\n\nA.1. While I cannot speak for the Financial Stability Oversight \nCouncil, as a voting member of FSOC I believe it is important \nfor FSOC to be mindful of calls for greater transparency and \nprovide ways for the public and other interested parties to \nhave greater insight and input into issues concerning U.S. \nfinancial stability. One opportunity for FSOC to provide \ngreater public exposure is through the upcoming Public Asset \nManager Conference that FSOC plans to host on May 19, 2014. The \nConference will enable the staffs of the member agencies to \nhear directly from the asset management industry and other \nstakeholders, including academics and public interest groups. \nIn addition, the Conference will be Web cast live so that it \ncan be viewed by members of the public. I am hopeful that FSOC \nwill look for additional similar vehicles to promote public \nexposure and input to its work.\n\nQ.2. I, along with a number of other Republicans, introduced \nlegislation to fix an unintended consequence on collateralized \ndebt obligations (CDOs). In their January 13th interim final \nrule, regulators crafted a rule that largely mirrored what my \nbill sought to do; provide relief to a majority of community \nbanks. While we appreciate the agencies' efforts on this issue, \none issue that we included in our legislation that the \nregulators did not address was collateralized loan obligations \n(CLOs). 
The CLO market provides about $300 billion in financing \nto U.S. companies and U.S. banks currently hold between $70 and \n$80 billion of senior notes issued by existing CLOs and foreign \nbanks subject to the Volcker Rule hold about another $60 \nbillion. Because the final rules implementing the Volcker Rule \nimproperly treat these debt securities as ``ownership \ninterests'', the banks holding these notes will either have to \ndivest or restructure these securities. Because restructuring \nwell over $130 billion of CLO securities is neither feasible \nnor under the control of the banks holding these notes, \ndivestment is the most likely result. This, in turn, could lead \nto a fire sale scenario that could put incredible downward \npressure on CLO securities prices leading to significant losses \nfor U.S. banks. If prices decline by only 10 percent, U.S. \nbanks would have to recognize losses of almost $8 billion \ndriven not by the underlying securities but solely because of \nthe overreach of the Volcker Rule. Indeed, the final rules are \nalready wreaking havoc on the CLO market. Since the final rules \nwere announced, new CLO formation was down nearly 90 percent in \nJanuary 2014, the lowest issuance in 23 months. If this \nsituation is not remedied and CLO issuance remains moribund, \ncorporate borrowers could face higher credit costs. At the \nhearing of the House Financial Services Committee on January \n15, 2014, a number of both Democrats and Republicans asked \nquestions about how to fix the issue with the CLO market that \nwas not addressed in the interim final rule released on January \n13, 2014. The representatives of the agencies noted that the \nCLO issue was at the top of the list of matters to be \nconsidered by the inter-agency working group that has been \nestablished to review issues such as this and publish guidance. \nThe issue is urgent. Bank CFOs are struggling with how to treat \ntheir CLO debt securities. 
Can you commit to a tight timeframe \nto issue guidance on CLOs?\n\nA.2. SEC staff, together with staffs of the other agencies, has \nspent considerable time carefully evaluating the concerns \nraised post-adoption by several trade groups and industry \nparticipants about CLOs. The final rule provides an exclusion \nfor CLOs that hold loans and, in connection with such loans, \nmay also hold certain interest rate or foreign exchange \nderivatives, cash equivalents, and assets related to holding \nloans or the servicing or timely distribution of proceeds to \nsecurity holders. Ownership interests in loan securitizations \nthat fit within this exclusion as of the conformance date may \nbe held by banking entities. In the adopting release, however, \nthe agencies did not expand the definition of excluded loan \nsecuritizations to securitizations holding both loans and \nsecurities, noting that such an expansion would not be \nconsistent with the provision of the statute that specifically \nonly permitted the ``sale and securitization of loans'' by \nbanking entities. In light of these concerns, the Federal \nReserve Board, after consulting with the staffs of the other \nagencies, recently announced that it intends to exercise its \nauthority to give banking entities two additional 1-year \nextensions to conform their ownership interests in and \nsponsorship of certain CLOs.\n    It is also worth noting that new CLO issuances have been \ncomparable in volume to the CLOs issued prior to the adoption \nof the final rule, and market participants have represented \nthat new CLOs are conforming to the loan securitization \nexclusion under the Volcker Rule.\n\nQ.3. When Director Berner testified before the Economic Policy \nSubcommittee in January 2014, he emphasized that OFR's report \non the asset management industry study focused on activities of \nasset managers, rather than asset management firms. 
This is \nmore appropriate because the size of an asset manager's assets \nunder management, which are wholly owned by a fund's investors, \ndoesn't make that manager a systemic risk. If activities are \nthe main focus, then section 120 of the Dodd-Frank Act suggests \nthat the primary regulator--in this case the SEC, is the \nappropriate agency to address these issues. So, when can we \nexpect the SEC and its expertise to be brought to bear by the \nFSOC? The current bank centric approach to reviewing asset \nmanagers simply isn't productive.\n\nA.3. SEC staff is actively engaging with representatives of \nother FSOC members in any analysis of potential financial \nstability risks posed by asset managers or asset management \nactivities and is sharing its expertise on asset management and \nthe ways in which asset management activities differ from \nbanking activities. Separately, the SEC is enhancing its own \nrisk monitoring and oversight efforts with respect to asset \nmanagers. Pursuant to Section 965 of the Dodd-Frank Act, the \nSEC has established a new risk and examinations office (REO) \nfor asset managers. REO monitors trends in the asset management \nindustry and is also assisting in a larger Commission-wide \ninitiative to obtain and analyze data consistent with market \ntrends and operational integrity issues, inform policy and \nrulemaking, and assist the staff in examinations of \nregistrants.\n                                ------                                \n\n\n  RESPONSE TO WRITTEN QUESTIONS OF SENATOR CRAPO FROM MARK P. \n                             WETJEN\n\nQ.1. When a data breach happens at a merchant level, Federal \nbanking regulators generally do not have jurisdiction to \ninvestigate and take action. However, collateral consequences \nof such breaches are that regulated financial institutions are \nimpacted and face reputational and financial setbacks as a \nresult. 
What are your expectations for the regulated entities \nwhen a breach occurs at a third party? What are some of the \nchallenges financial institutions face as a result of the \nbreach? How can those challenges be addressed while minimizing \nconsequences of, and cost for, affected financial institutions?\n\nA.1. The U.S. Commodity Futures Trading Commission \n(``Commission'' or ``CFTC'') oversees a variety of registrants \nfor which data breaches, either in their own systems or third-\nparty systems, can have serious consequences. In general, the \nCommission expects its registrants to consider the risks of \ndata breaches and address them appropriately. The actual \nrequirements vary by registrant.\n    Commission Regulation 39.18 requires each registered \nderivatives clearing organization (``DCO'') to establish and \nmaintain a program of risk analysis and oversight with respect \nto its operations and automated systems which must include a \nrisk analysis and oversight of information security. The DCO \nalso is required to establish and maintain resources that allow \nfor the fulfillment of each of its obligations in light of any \nidentified risks. The Commission expects a DCO's information \nsecurity risk analysis to include an analysis of any such risk \nposed by a third party providing services to the DCO. It also \nexpects the DCO to maintain sufficient resources to allow for \nthe fulfillment of the DCO's obligations in light of such risks \nand to provide the necessary oversight to manage them.\n    In addition, Commission Regulation 39.18 requires a DCO to \nnotify the Commission's Division of Clearing and Risk (``DCR'') \npromptly in the event of any hardware or software malfunction, \ncyber security incident or targeted threat that materially \nimpairs, or creates a significant likelihood of material \nimpairment of automated system operation, reliability, \nsecurity, or capacity. 
A DCO would be required to notify DCR of \nrelevant data breaches involving a DCO's third-party service \nprovider pursuant to this provision. We further note that \nSection 807(b) of the Dodd-Frank Wall Street Reform and \nConsumer Protection Act (``Dodd-Frank'') provides the \nCommission with additional authority with respect to third-\nparty services provided to a DCO that has been designated as \nsystemically important by the Financial Stability Oversight \nCouncil (a ``SIDCO''). Specifically, whenever a service \nintegral to the operation of a SIDCO is performed for the SIDCO \nby another entity, the Commission is authorized to examine \nwhether the provision of that service is in compliance with \napplicable law, rules, orders and standards to the same extent \nas if the SIDCO was performing the service on its own premises.\n    Commission Regulations §§ 38.1050 (DCMs), 37.1400 (SEFs), \nand 49.24 (SDRs) require each registered DCM, SEF, or SDR to \nestablish and maintain a program of risk analysis and oversight \nwith respect to its operations and automated systems. This \nprogram must include risk analysis and oversight of cyber and \ninformation security. These registered entities are also \nrequired to establish and maintain resources that allow for the \nfulfillment of their regulatory obligations. The Commission \nexpects DCM, SEF, and SDR analysis of information security \nrisks to include analysis of risk relating to third parties \nproviding services to them.\n    If a third party that performs services for a DCM, SEF, or \nSDR is compromised or loses data for which the DCM, SEF, or SDR \nis responsible, DMO would have oversight concerns. One example \nmight be a data storage provider losing trade data in long-term \nstorage that might be needed for a DMO examination or a DOE \ninvestigation. 
Another example might be loss of login \ncredentials due to a security compromise, such as the one that \noccurred a year or two ago with respect to two-factor \nauthentication provided by RSA. Still another example could be \na security breach at a third-party data center used by a DCM, \nSEF, or SDR.\n    If a third-party providing services to a DCM, SEF, or SDR \nwere compromised in a way that affected the regulatory \nresponsibilities of the DCM, SEF, or SDR, CFTC rules would \nrequire the registrant to notify DMO immediately concerning the \npotential data loss and the extent of the breach, and to notify \naffected parties as appropriate based on the circumstances and \nthe type and extent of information lost.\n    Challenges that could be faced in such situations might \ninclude the incomplete nature of available information; the \npossible recalcitrance of the third-party provider; or legal \nissues relating to contracts or service agreements. DMO would \nadvise registrants to address such challenges by seeking to \nemploy reputable third parties that have significant \nexperience, appropriate controls, and effective security \nmeasures.\n    Futures Commodity Merchants (``FCMs'') and Registered \nForeign Exchange Dealers (``RFEDs''), along with maintaining \ntheir customer's trade and account data, also process credit \nand debit card payments as a source of funds for initial and \nvariation margin, so they are also reliant upon third-party \npayment systems. A data breach of either their own systems or a \nthird-party payment system could lead to customers' private and \nproprietary information being compromised. This makes it \nimportant for FCMs and RFEDs to monitor their systems and \ntrading activity and be alert for fraudulent activity that \nmight result from compromised customer accounts. For FCMs/RFEDs \nthe biggest challenge is identifying a breach and then \nevaluating how to recover funds for any unauthorized \ntransactions. 
Without proper anti-money laundering or know your \ncustomer controls, the funds could have been laundered already \nor there may be a need to liquidate transactions at a loss to \nthe FCM or RFED. While most likely the risk of loss is with the \ncard issuer, if substantial, the FCM or RFED may have to cover \nthe loss until funds are received from the card issuer which \nmay take time.\n\nQ.2. At the Subcommittee hearing on data security and breach \nheld on February 3, 2014, Members learned that the payment \nnetworks have set an October 2015 timeframe for moving industry \nparticipants to adoption of new, more secure payment \ntechnology. Can you discuss how quickly your regulated entities \nare moving to this technology, and identify some of the \nobstacles that still exist?\n\nA.2. The Commission does not have a role in regulating specific \npayment systems or technologies. However, as noted above, the \nCommission does expect registrants to address risks associated \nwith payment systems.\n\nQ.3. In July of 2013, I requested that the Government \nAccountability Office (GAO) review the SIFI designation process \nat FSOC for both transparency and clarity, and to examine the \ncriteria used to designate companies as SIFIs. Would you all be \nwilling to support more reliance on measurable metrics in \nFSOC's designation process?\n\nA.3. I am always open to considering how improvements to \nobjective metrics could aid the FSOC in its designation \nprocess.\n\nQ.4. Since the final Volcker rule was issued in December, the \naffected entities have recognized two issues with the final \nrule (TruPS CDOs and CLOs). What other issues with the final \nVolcker rule are your agencies aware of that may be raised by \naffected entities? How do you intend to coordinate efforts on \nclarifying such issues in the future?\n\nA.4. The Commission participates in an interagency working \ngroup with the other agencies charged with implementing the \nVolcker Rule. 
The interagency group holds weekly conference \ncalls to discuss ongoing implementation issues, and the group \ncoordinates responses to queries from industry and Congress. \nThe group meets regularly with trade groups and industry to \nbetter understand and address concerns related to \nimplementation. The agencies have also formed several subgroups \ndevoted to issues such as metrics reporting and examinations \nthat hold regular conference calls and coordinate on guidance \ndocuments.\n\nQ.5. How do you plan to coordinate with other agencies \nregarding enforcement matters and the final Volcker rule, given \nthat your agencies have varied jurisdictions?\n\nA.5. As with any enforcement matter, the Commission places a \nhigh priority on promoting coordination of enforcement efforts \nwith other law enforcement agencies to address Commodity \nExchange Act violations and other related financial wrongdoing. \nThe Commission participates in over 20 regional, national and \ninternational financial fraud enforcement working groups \ncomprised of Federal, State, and local and criminal and civil \nauthorities. The Commission's participation in these groups \nprovides an opportunity to share information on cooperative \nenforcement matters and to coordinate joint civil and criminal \nFederal and/or State prosecutions. The Commission also meets \nregularly with various agencies to coordinate enforcement \nefforts and leverage resources, including the Department of \nJustice Criminal Division, Department of Homeland Security, \nDepartment of Treasury, Federal Bureau of Investigation, \nFederal Reserve, Federal Trade Commission, Internal Revenue \nService, Securities and Exchange Commission, and U.S. \nAttorney's Offices nationwide.\n    As noted above, the Commission regularly meets with the \nother agencies charged with implementing the Volcker Rule to \ndiscuss issues related to implementation, including \nenforcement. 
The compliance period for the Volcker Rule goes \ninto effect in July 2015, subject to further possible \nextensions by the Federal Reserve Bank. Going forward, as we \nnear the date of implementation, the Commission will continue its \nrobust interagency coordination on matters relating to Volcker \nRule monitoring and enforcement.\n\nQ.6. I am concerned that the CFTC moved too quickly in \nimplementing the bulk of its Title VII mandates and that we are \njust starting to see the unintended consequences of such hasty \naction. Considerable numbers of no-action letters and \ninterpretive guidance have followed CFTC rulemakings, leading \nto market disruption and uncertainty. Do you agree that more \ncould have been done to consider the implications of rules \nprior to their adoption, thereby reducing the need for no-\naction and interpretive relief after the fact? Going forward, \nwhat are some things the CFTC should consider to remedy the \nissues with its rulemaking process?\n\nA.6. Congress set an ambitious deadline for the Commission to \ncomplete implementation of Dodd-Frank within a year of \nenactment of the legislation. As Acting Chair, and previously \nas a Commissioner, in helping implement Dodd-Frank I have \nworked to be faithful to Congress' mandate while also carefully \nconsidering input from the public and working closely with \ndomestic and international regulators.\n    Nonetheless, where appropriate, the Commission should \ndetermine whether course corrections in its implementation of \nDodd-Frank are necessary. For example, Congress made clear that \nend users were intended to be exempt from Dodd-Frank, yet the \nend-user community has expressed concerns about compliance \nissues it faces under Dodd-Frank. As Acting Chair, I held two \npublic roundtables to consider the regulatory issues facing end \nusers under Dodd-Frank. 
The first roundtable focused on rule \n1.35 recordkeeping requirements, the regulatory treatment of \nforward contracts with embedded volumetric optionality, and the \ntreatment of swap dealing to Government-owned electric \nutilities. The second roundtable addressed issues related to \nthe position limits proposal, including hedges of physical \ncommodities, the setting of spot month limits, and aggregation. \nBased on comments received at the first roundtable, I acted by \ndirecting staff to provide relief to end users under rule 1.35 \nrelating to certain recordkeeping requirements.\\1\\ Further, I \nalso directed staff to provide no-action relief to utility \nspecial entities entering into swaps \\2\\ and, subsequently, the \nCommission released for public comment a proposal to provide \nmore permanent relief for such entities.\\3\\\n---------------------------------------------------------------------------\n    \\1\\ Time-Limited No-Action Relief for Members of Designated \nContract Markets and Swap Execution Facilities that Are Not Registered \nwith the Commission from the Requirement to Record Written \nCommunications, Pursuant to Commission Regulation 1.35(a), in \nConnection with the Execution of a Transaction in a Commodity Interest \nand Related Cash or Forward Transactions (May 22, 2014), available at \nhttp://www.cftc.gov/ucm/groups/public/@lrlettergeneral/documents/\nletter/14-72.pdf.\n    \\2\\ Staff No-Action Relief: Revised Relief from the De Minimis \nThreshold for Certain Swaps with Utility Special Entities (March 21, \n2014), available at http://www.cftc.gov/ucm/groups/public/\n@lrlettergeneral/documents/letter/14-34.pdf.\n    \\3\\ Exclusion of Utility Operations-Related Swaps with Utility \nSpecial Entities from De Minimis Threshold for Swaps with Special \nEntities, available at http://www.cftc.gov/ucm/groups/public/@newsroom/\ndocuments/file/federalregister052214-a1.pdf.\n---------------------------------------------------------------------------\n 
   Going forward, the Commission must continue to work closely \nwith Congress, the public, and market participants to achieve \nthe proper balance of appropriate regulation while ensuring \nthat these markets continue to facilitate job creation and the \ngrowth of the economy by providing a means for managing risk, \nfacilitating price discovery, and broadly disseminating pricing \ninformation.\n                                ------                                \n\n\n RESPONSE TO WRITTEN QUESTIONS OF SENATOR MERKLEY FROM MARK P. \n                             WETJEN\n\n    I greatly appreciate the SEC and CFTC's efforts in \nimplementing key features of Dodd-Frank's swaps reforms. \nHowever, I am very concerned about the number and significance \nof exemptions and no-action letters granted by the CFTC and the \nSEC's delay in finalizing the rules. While I appreciate the \nCFTC's commitment to working closely with stakeholders and \nallowing them an adequate opportunity to come into compliance, \nI am concerned that any additional delays would be unreasonably \nexposing Americans to systemic risks and losing invaluable \nmomentum in the effort to build a more stable financial system.\n    Could you please lay out as of the date of this hearing:\n\nQ.1.a. What percentage of U.S. swaps markets, broken down by \nswap-type, have been subject to Title VII requirements for \nclearing, Swap Execution Facility (SEF)-trading, and reporting?\n\nA.1.a. Commission staff are working to determine these \nestimates. For those asset classes that are subject to the \nclearing determination and trade execution mandate, \nunfortunately, the Commission faces challenges in accurately \nassessing all the relevant details of specific transactions due \nto constraints on resources and data quality issues.\n    To do its job, the Commission must have accurate data in \norder to have a clear picture of swaps market activity. 
To help \nresolve the challenges the Commission faces in assessing swap \ndata, earlier this year, I was joined by my fellow \ncommissioners in announcing the formation of an interdivisional \nWorking Group to review the Commission's swaps transaction data \nrecordkeeping and reporting provisions. The working group \nformulated and recommended questions for public comment \nregarding, among other things, compliance with part 45 \nreporting rules, and related provisions, and consistency in \nregulatory reporting among market participants.\n    The Working Group is currently reviewing all comments that \nwere submitted in response to the request and will be making \nrecommendations to the Commission in the near future.\n\nQ.1.b. What percentage of the global swaps market, broken down \nby swap-type, has been subject to Title VII-like requirements \nfor clearing, SEF-trading, and reporting?\n\nA.1.b. Currently, the data required for this request is \nunavailable, primarily, because many other jurisdictions have \nyet to implement transaction reporting requirements. Most \nforeign jurisdictions have lagged the United States in \nfinalizing reporting and transactions requirements for swaps. \nMoreover, even in those jurisdictions where reporting rules \nhave been finalized, there is a lack of harmonization of data \nreporting standards across jurisdictions. The Financial \nStability Board, of which we are a member, has set up a task \nforce to address these and other issues related to global data \nharmonization. Additionally, please see the response to the \nprevious question regarding efforts to improve data collection \nand analysis.\n\nQ.1.c. How much will that percentage change when Europe \nfinalizes its rules?\n\nA.1.c. As noted above, the data required to determine the \npercentage of swaps subject to clearing determination and trade \nexecution mandates is still unclear. As such, we are unable to \ndetermine this percentage.\n\nQ.1.d. 
What part of those markets is made up of foreign \naffiliates of U.S. persons?\n\nA.1.d. Foreign affiliates that are not U.S. persons that are \nengaged in swaps trading activity in the EU or other foreign \njurisdictions are not required to report their swaps activities \nto the Commission. Moreover, the Commission does not have \naccess to data reported to European Swap Data Repositories. As \na result, the Commission does not have data on the activities \nof such affiliates. For those foreign affiliates that are U.S. \npersons, because of data quality issues, the Commission does \nnot have the capability to differentiate between foreign and \nlocal affiliates of U.S. persons when assessing the data. As \nindicated, efforts are underway to improve data analysis \ncapabilities at the Commission.\n    Please also:\n\nQ.1.e. Set out what temporary exemptions your agencies have \ngranted.\n\nA.1.e. The Commission maintains on its Web site a list of \ncurrently effective staff no-action letters related to rules \nissued under Dodd-Frank. That list can be found at: http://\nwww.cftc.gov/LawRegulation/DoddFrankAct/ExpiredNoAction/\nindex.htm.\n\nQ.1.f. Explain your timeline and planning for ending those \nexemptions and accomplishing full implementation of the Dodd-\nFrank rules regarding the swaps markets? Please identify any \nbarriers you see that could further slow that implementation.\n\nA.1.f. Staff no-action letters are typically time-limited and \ntemporary, although not always. The expiration of time-limited \nno-action letters differs depending on rule implementation \ntiming and discussions with market participants, the public, \nand domestic and international regulators.\n    I firmly believe that timely, full implementation of Dodd-\nFrank is essential to ensuring that the derivatives markets are \nsubject to appropriate governmental oversight. 
In undertaking \nthe implementation of these changes, as Acting Chair, I have \nalso endeavored to ensure that these regulatory changes do not \ncause unnecessary, potentially harmful disruption of the \nderivatives markets that so many market participants rely on to \nmanage risk.\n\nQ.2. In particular, at the hearing, Acting Chair Wetjen \nidentified certain cross-border issues that may be near-term \nchallenges--please explain clearly what those might be and why \ncontinued delays or further weakening of U.S. standards would \nnot continue to expose the U.S. to significant financial \nstability risks, including lack of transparent pricing in the \nswaps market.\n\nA.2. I believe that the CFTC took the correct approach in \nadopting cross-border policies that account for the varied ways \nthat risk can be imported into the U.S. At the same time, the \nCFTC's policies tried to respect the limits of U.S. law and the \nresource constraints of U.S. and global regulators. Attempts to \nweaken Dodd-Frank have not been contemplated or planned.\n    In an effort to strengthen our cross-border policies and \npromote effective global oversight, the Commission is \ncoordinating closely with foreign regulators. Last December, \nthe CFTC approved a series of determinations allowing non-U.S. \nswap dealers and MSPs to comply with Dodd-Frank by relying on \ncomparable and comprehensive home country regulations, \notherwise known as ``substituted compliance.'' Those approvals \nby the CFTC reflected a collaborative effort with authorities \nand market participants from each of the six jurisdictions with \nprovisionally registered swap dealers. Working closely with \nauthorities in Australia, Canada, the European Union (``EU''), \nHong Kong, Japan, and Switzerland, the CFTC issued \ncomparability determinations for a broad range of entity-level \nrequirements. 
In two jurisdictions, the EU and Japan, the CFTC \nalso issued comparability determinations for certain \ntransaction-level requirements.\n    It appears at this time that the substituted compliance \napproach has had success in supporting financial reform efforts \naround the globe and a ``race-to-the-top'' in global \nderivatives regulation. For example, the EU agreed on updated \nrules for markets in financial derivatives, the Markets in \nFinancial Instruments Directive II (``MiFiD II''), reflecting \ngreat progress on derivatives reform. Other jurisdictions that \nhost a substantial market for swap activity are still working \non their reforms, and certainly will be informed by the EU's \nwork and the CFTC's ongoing coordination with foreign \nregulators. As jurisdictions outside the U.S. continue to \nstrengthen their regulatory regimes and meet their G20 \ncommitments, the CFTC may determine that additional foreign \nregulatory requirements are comparable to and as comprehensive \nas certain requirements under Dodd-Frank.\n    The CFTC also has made great progress with the European \nCommission since the issuance of the Path Forward statement, \nand we are actively working with the Europeans to ensure that \nharmonized regulations on the two continents ensure financial \nstability and promote sound risk management. Fragmented \nliquidity, and the regulatory and financial arbitrage that both \ndrives and follows it, can lead to increased operational costs \nand risks as entities structure around the rules in primary \nswap markets. 
Harmonizing regulations governing clearinghouses \nand trading venues, in particular, is critical to sound and \nefficient market structure.\n    Lastly, in light of the CFTC's swaps authority, and the \ncomplexities of implementing a global regulatory regime, the \nCFTC is working with numerous foreign authorities to negotiate \nand sign supervisory arrangements that address regulator-to-\nregulator cooperation and information sharing in a supervisory \ncontext. We currently are negotiating such arrangements with \nrespect to swap dealers and MSPs, SDRs, SEFs, and derivatives \nclearing organizations.\n\nQ.3. Finally, can you share any plans for further speeding \ncoordinated implementation. For example, shouldn't the SEC \nencourage single-name CDS to be cleared and traded through \nCFTC-registered clearinghouses and SEFs in the interim before \nSEC rules are finalized and implemented?\n\nA.3. Generally, clearing and mandatory trading can be helpful \nrisk-reducing and competitive enhancements in liquid markets. \nBecause single-name CDS fall under the jurisdiction of the SEC, \nthe CFTC has no authority to mandate the clearing and mandatory \ntrading of single-name CDS on CFTC-registered clearinghouses \nand SEFs. However, to encourage the clearing of CDS \ntransactions, both the CFTC and SEC have approved the portfolio \nmargining of single-name and index CDS. The SEC has required as \na condition to portfolio margining for single-name and index \nCDS that their registrants submit their customer margin models \nfor SEC approval. The first of these approvals were granted \nearlier this year. We will continue to monitor market data to \nsee whether these recent approvals have resulted in increased \nclearing for single-name and index CDS.\n    The CFTC regularly coordinates with the Securities and \nExchange Commission (``SEC'') at the staff and Commissioner \nlevel regarding the implementation of Dodd-Frank. 
As the SEC \ncontinues with its implementation of its rules under Dodd-\nFrank, I am always willing to consider regulatory coordination \nthat will enhance the safety and competitiveness of the markets \nwe oversee.\n                                ------                                \n\n\n  RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MARK P. \n                             WETJEN\n\nQ.1. FSOC has been in existence for more than 3 years. Since \nthat time, three companies have been deemed systemically \nsignificant and a second round of companies appear to be under \nconsideration. Despite the numerous calls from Congress, a \nnumber of industry and consumer groups and even the GAO for the \nFSOC to provide greater transparency about the process used for \ndesignation, (including the metrics OFR should measure in their \nanalysis), the criteria followed, as well as the implications \nand process to be followed after a firm has been designated a \nSIFI. Can you provide greater details on why more transparency \nhas not been achieved and how the FSOC plans to improve these \nissues?\n\nA.1. The Financial Stability Oversight Council (Council), of \nwhich I am a member, has provided public transparency for the \nnonbank designations process through several measures. The \nCouncil voluntarily published a rule and guidance outlining how \nit would implement the statutory designation provisions and \nreview firms for potential designation. For each of the three \nnonbank designations made so far, the Council provided the \nbasis for those designations to Congress and the public.\n    During the development of the Council's rule and guidance \non nonbank designations, the Council, even though not required \nto do a rulemaking, provided multiple opportunities for public \ncomment. 
The public guidance described the designation process \nand set forth the quantitative metrics that the Council would \nuse in its consideration of firms for designation.\n    Under the rule and guidance, firms under review are \nprovided with opportunities at each stage of the process to \nengage with the Council. Early in the process, the Council \nprovides the company with a notice that it is under \nconsideration and an opportunity to submit materials to contest \nthe Council's consideration. Following this, before any \ndesignation is proposed, there are numerous meetings between \nCouncil staff and the company and opportunities for the company \nto submit additional information for the Council's \nconsideration. Following a proposed designation determination \nby the Council, the Council provides the company the written \nbasis for the proposed designation and provides the firm the \nopportunity for a hearing. Once a final designation is made, \nthe company designated can seek judicial review of that \ndesignation. The designation rules and guidance provide for an \nannual review of all nonbank designations where the designated \ncompanies may again participate.\n    Due to the preliminary nature of the Council's evaluation \nof any nonbank financial company prior to a final designation \nand the potential for market participants to misinterpret such \nan announcement, the Council does not publicly announce the \nname of any company that is under review prior to a final \ndesignation of the company.\n\nQ.2. I, along with a number of other Republicans, introduced \nlegislation to fix an unintended consequence on collateralized \ndebt obligations (CDOs). In their January 13th interim final \nrule, regulators crafted a rule that largely mirrored what my \nbill sought to do; provide relief to a majority of community \nbanks. 
While we appreciate the agencies' efforts on this issue, \none issue that we included in our legislation that the \nregulators did not address was collateralized loan obligations \n(CLOs). The CLO market provides about $300 billion in financing \nto U.S. companies and U.S. banks currently hold between $70 and \n$80 billion of senior notes issued by existing CLOs and foreign \nbanks subject to the Volcker Rule hold about another $60 \nbillion. Because the final rules implementing the Volcker Rule \nimproperly treat these debt securities as ``ownership \ninterests'', the banks holding these notes will either have to \ndivest or restructure these securities. Because restructuring \nwell over $130 billion of CLO securities is neither feasible \nnor under the control of the banks holding these notes, \ndivestment is the most likely result. This, in turn, could lead \nto a fire sale scenario that could put incredible downward \npressure on CLO securities prices leading to significant losses \nfor U.S. banks. If prices decline by only 10 percent, U.S. \nbanks would have to recognize losses of almost $8 billion \ndriven not by the underlying securities but solely because of \nthe overreach of the Volcker Rule. Indeed, the final rules are \nalready wreaking havoc on the CLO market. Since the final rules \nwere announced, new CLO formation was down nearly 90 percent in \nJanuary 2014, the lowest issuance in 23 months. If this \nsituation is not remedied and CLO issuance remains moribund, \ncorporate borrowers could face higher credit costs. At the \nhearing of the House Financial Services Committee on January \n15, 2014, a number of both Democrats and Republicans asked \nquestions about how to fix the issue with the CLO market that \nwas not addressed in the interim final rule released on January \n13, 2014. 
The representatives of the agencies noted that the \nCLO issue was at the top of the list of matters to be \nconsidered by the inter-agency working group that has been \nestablished to review issues such as this and publish guidance. \nThe issue is urgent. Bank CFOs are struggling with how to treat \ntheir CLO debt securities. Can you commit to a tight timeframe \nto issue guidance on CLOs?\n\nA.2. On April 7, 2014, the Federal Reserve Board of Governors \n(FRB) exercised its authority to allow banking entities two \nadditional 1-year extensions to conform their ownership \ninterests in and sponsorship of certain collateralized loan \nobligations (CLOs) covered by section 619 of Dodd-Frank. We \nexpect this will allow industry time to come into compliance \nwith the Volcker requirements.\n\n                          <all>\n                          \n</pre></body></html>\n"