AGENCY:

Board of Governors of the Federal Reserve System.

ACTION:

Supplemental notice and request for comment.

SUMMARY:

The Board of Governors of the Federal Reserve System (Board) is issuing a supplemental notice and request for comment on updates to its proposed guidelines (Account Access Guidelines) for Federal Reserve Banks (Reserve Banks) to utilize in evaluating requests for access to Reserve Bank master accounts and services (accounts and services). The supplemental notice includes a new section of the proposed Account Access Guidelines that would establish a tiered-review framework to provide additional clarity on the level of due diligence and scrutiny to be applied to requests for Reserve Bank accounts and services.

DATES:

Comments must be received on or before April 22, 2022.

FOR FURTHER INFORMATION CONTACT:

Jason Hinkle, Assistant Director (202-912-7805), Division of Reserve Bank Operations and Payment Systems, or Sophia H. Allison, Senior Special Counsel (202-452-3565) or Gavin Smith, Senior Counsel (202-872-7578), Legal Division, Board of Governors of the Federal Reserve System. For users of TTY-TRS, please call 711 from any telephone, anywhere in the United States.

ADDRESSES:

You may submit comments, identified by Docket No. OP-1765, by any of the following methods:

Agency Website: http://www.federalreserve.gov. Follow the instructions for submitting comments at http://www.federalreserve.gov/​apps/​foia/​proposedregs.aspx.

Email: regs.comments@federalreserve.gov. Include docket number in the subject line of the message.

Fax: (202) 452-3819 or (202) 452-3102.

Mail: Ann E. Misback, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue NW, Washington, DC 20551.

All public comments are available from the Board's website at http://www.federalreserve.gov/​generalinfo/​foia/​ProposedRegs.cfm as submitted, unless modified for technical reasons or to remove personally identifiable information at the commenter's request. Accordingly, comments will not be edited to remove any identifying or contact information. Public comments may also be viewed in-person in Room M-4365A, 2001 C St. NW, Washington, DC 20551, between 9:00 a.m. and 5:00 p.m. during federal business weekdays.

SUPPLEMENTARY INFORMATION:

I. Background

On May 5, 2021, the Board requested comment on proposed guidelines to be used by Reserve Banks in evaluating requests for accounts and services (Original Proposal).^[1] The Original Proposal reflected the Board's policy goals of (1) ensuring the safety and soundness of the banking system, (2) effectively implementing monetary policy, (3) promoting financial stability, (4) protecting consumers, and (5) promoting a safe, efficient, inclusive, Start Printed Page 12958 and innovative payment system. The Original Proposal was also intended to ensure that Reserve Banks apply a transparent and consistent set of factors when reviewing requests for accounts and services (access requests).

The Original Proposal consisted of six principles. The first principle specified that only institutions that are legally eligible for access to Reserve Bank accounts and services would be considered for access. The remaining five principles addressed specific risks, ranging from narrow risks (such as risk to an individual Reserve Bank) to broader risks (such as risk to the U.S. financial system).^[2] For each of these five principles, the Original Proposal set forth factors that Reserve Banks should consider when evaluating an institution's access request against the specific risk targeted by the principle. The identified factors are commonly used in the regulation and supervision of federally-insured institutions. The Board notes that, when applying the proposed Account Access Guidelines, the Reserve Bank would integrate to the extent possible the assessments of an institution by its state and/or federal supervisors into the Reserve Bank's own independent assessment of the institution's risk profile.

The Original Proposal noted that the application of the Guidelines to requests by federally-insured institutions should be fairly straightforward, while requests from non-federally insured institutions may require more extensive due diligence. This supplemental notice (Updated Proposal) includes the Original Proposal substantially as proposed but includes a new section 2 of the Account Access Guidelines that would incorporate a tiering framework based on an institution's characteristics. The three tiers would provide additional clarity on how the Reserve Banks would apply the principles in section 1 of the Account Access Guidelines to different types of institutions.

II. Overview of Comments on Original Proposal

The Board received 46 individual comment letters and 281 duplicate form letters in response to the Original Proposal. Nearly all the comment letters expressed general support for the proposed Account Access Guidelines, and most letters also made recommendations for improvements. Commenters represented several types of institutions, including (1) institutions with traditional charters, such as banks and credit unions, and their trade associations; (2) institutions with novel charters, such as cryptocurrency custody banks, and their trade associations; and (3) think tanks and non-profit advocacy groups. The views expressed by the first category of commenters often conflicted with the views expressed by the second category of commenters.^[3] The duplicate form letters included recommendations that mirrored those submitted by trade associations for institutions with traditional charters.

III. Updated Proposal

The Account Access Guidelines listed in this Updated Proposal consist of two sections. Proposed section 1—which describes the six principles that the Reserve Banks would use in evaluating requests for accounts and services—is substantially the same as the Account Access Guidelines described in the Original Proposal.^[4]

The Original Proposal noted that the application of the Account Access Guidelines to requests by federally-insured institutions should be fairly straightforward, while requests from non-federally insured institutions may require more extensive due diligence. The Updated Proposal includes a new section 2 of the Account Access Guidelines, which would establish a three-tiered review framework to provide additional clarity regarding the review process for different types of institutions.

Tier 1 would consist of eligible institutions that are federally-insured. These institutions are already subject to a comprehensive set of federal banking regulations, and, in most cases, detailed regulatory and financial information about these firms would be readily available. Accordingly, access requests by Tier 1 institutions would generally be subject to a less intensive and more streamlined review. In cases where the application of the Guidelines to Tier 1 institutions identifies potentially higher risk profiles, the institutions would receive additional attention.

Tier 2 would consist of eligible institutions that are not federally-insured but (i) are subject (by statute) to prudential supervision by a federal banking agency; and (ii) any holding company of which would be subject to Federal Reserve oversight (by statute or by commitments).^[5] Tier 2 institutions would be subject to similar but not identical regulations as federally-insured institutions, and as a result, may present greater risks than Tier 1 institutions. Additionally, detailed regulatory and financial information regarding Tier 2 institutions is less likely to be available and may not be available in public form. Accordingly, access requests by Tier 2 institutions would generally receive an intermediate level of review.

Tier 3 would consist of eligible institutions that are not federally insured and not subject to prudential supervision by a federal banking agency at the institution or holding company level. Tier 3 institutions may be subject to a supervisory or regulatory framework that is substantially different from, and possibly weaker than, the supervisory and regulatory framework that applies to federally-insured institutions, and as a result may pose the highest level of risk. Detailed regulatory and financial information regarding Tier 3 institutions may not exist or may be unavailable. Accordingly, access requests by Tier 3 institutions would generally receive the strictest level of review.

The Board seeks comment on all aspects of the Updated Proposal.

IV. Updated Account Access Guidelines

Guidelines Covering Access to Accounts and Services at Federal Reserve Banks (Account Access Guidelines)

Section 1: Principles

The Board of Governors of the Federal Reserve System (Board) is adopting account access guidelines comprised of six principles to be used by Federal Reserve Banks (Reserve Banks) in evaluating requests for master accounts and access to Federal Reserve Bank financial services (access requests).^[1 2] The account access guidelines apply to requests from all institutions that are legally eligible to receive an account or services, as discussed in more detail in the first principle.^[3] The Board expects the Reserve Banks to collaborate on reviews of account and service requests, as well as ongoing monitoring of accountholders, to ensure that the guidelines are implemented in a consistent and timely manner.

The Federal Reserve System's (Federal Reserve) approach to providing institutions with accounts and services depends on, among other things, whether the institution is legally eligible to obtain an account and on the Federal Reserve's policy goals of ensuring the safety and soundness of the banking system, effectively implementing monetary policy, promoting financial stability, protecting consumers, and promoting a safe, effective, efficient, accessible, and innovative payment system. The Board believes it is important to make clear that legal eligibility does not bestow a right to obtain an account and services. While decisions regarding individual access requests remain at the discretion of the individual Reserve Banks, the Board believes it is important that the Reserve Banks apply a consistent set of guidelines when reviewing such access requests to promote consistent outcomes across Reserve Banks and to facilitate equitable treatment across institutions.^[4]

These account access guidelines also serve to inform requestors of the factors that a Reserve Bank will review in any access request and thereby allow a requestor to make any enhancements to its risk management, documentation, or other practices to attempt to demonstrate how it meets each of the principles.

These guidelines broadly outline considerations for evaluating access requests but are not intended to provide assurance that any specific institution will be granted an account and services. The individual Reserve Bank will evaluate each access request on a case-by-case basis. When applying these account access guidelines, the Reserve Bank should consider, to the extent possible, the assessments of an institution by state and/or federal supervisors into its independent analysis of the institution's risk profile. The evaluation of an institution's access request should also consider whether the request has the potential to set a precedent that could affect the Federal Reserve's ability to achieve its policy goals now or in the future.

If the Reserve Bank decides to grant an access request, it may impose (at the time of account opening, granting access to service, or any time thereafter) obligations relating to, or conditions or limitations on, use of the account or services as necessary to limit operational, credit, legal, or other risks posed to the Reserve Banks, the payment system, financial stability or the implementation of monetary policy or to address other considerations.^[5] The account-holding Reserve Bank may, at its discretion, decide to place additional risk management controls on the account and services, such as real-time monitoring of account balances, as it may deem necessary to mitigate risks. If the obligations, limitations, or controls are ineffective in mitigating the risks identified or if the obligations, limitations, or controls are breached, the account-holding Reserve Bank may further restrict the institution's use of accounts and services or may close the account. Establishment of an account and provision of services by a Reserve Bank under these guidelines is not an endorsement or approval by the Federal Reserve of the institution. Nothing in the Board's guidelines relieves any institution from compliance with obligations imposed by the institution's supervisors and regulators.

Accordingly, Reserve Banks should evaluate how each institution requesting access to an account and services will meet the following principles.^[6] Each principle identifies factors that Reserve Banks should consider when evaluating an institution against the specific risk targeted by the principle (several factors are pertinent to more than one principle). The identified factors are commonly used in the regulation and supervision of federally-insured institutions. As a result, the Board anticipates the application of the account access guidelines to access requests by federally-insured institutions will be fairly straightforward in most cases. However, Reserve Bank assessments of access requests from non-federally insured institutions may require more extensive due diligence. Reserve Banks monitor and analyze the condition of institutions with access to accounts and services on an ongoing basis. Reserve Banks should use the guidelines to re-evaluate the risks posed by an institution in cases where its condition monitoring and analysis indicate potential changes in the risk profile of an institution, including a significant change to the institution's business model.

1. Each institution requesting an account or services must be eligible under the Federal Reserve Act or other federal statute to maintain an account at a Federal Reserve Bank (Reserve Bank) and receive Federal Reserve services and should have a well-founded, clear, transparent, and enforceable legal basis for its operations.^[7]

a. Unless otherwise specified by federal statute, only those entities that are member banks or meet the definition of a depository institution under section Start Printed Page 12960 19(b) of the Federal Reserve Act are legally eligible to obtain Federal Reserve accounts and financial services.^[8]

b. The Reserve Bank should assess the consistency of the institution's activities and services with applicable laws and regulations, such as Article 4A of the Uniform Commercial Code and the Electronic Fund Transfer Act. The Reserve Bank should also consider whether the design of the institution's services would impede compliance by the institution's customers with U.S. sanctions programs, Bank Secrecy Act (BSA) and anti-money-laundering (AML) requirements or regulations, or consumer protection laws and regulations.

2. Provision of an account and services to an institution should not present or create undue credit, operational, settlement, cyber or other risks to the Reserve Bank.

a. The Reserve Bank should incorporate, to the extent possible, the assessments of an institution by state and/or federal supervisors into its independent assessment of the institution's risk profile.

b. The Reserve Bank should confirm that the institution has an effective risk management framework and governance arrangements to ensure that the institution operates in a safe and sound manner, during both normal conditions and periods of idiosyncratic and market stress.

i. For these purposes, effective risk management includes having a robust framework, including policies, procedures, systems, and qualified staff, to manage applicable risks. The framework should at a minimum identify, measure, and control the particular risks posed by the institution's business lines, products and services. The effectiveness of the framework should be further supported by internal testing and internal audit reviews.

ii. The framework should be subject to oversight by a board of directors (or similar body) as well as oversight by state and/or federal banking supervisor(s).

iii. The framework should clearly identify all risks that may arise related to the institution's business ( e.g., legal, credit, liquidity, operational, custody, investment) as well as objectives regarding the risk tolerances for the management of such risks.

c. The Reserve Bank should confirm that the institution is in substantial compliance with its supervisory agency's regulatory and supervisory requirements.

d. The institution must, in the Reserve Bank's judgment:

i. Demonstrate an ability to comply, were it to obtain a master account, with Board orders and policies, Reserve Bank agreements and operating circulars, and other applicable Federal Reserve requirements.

ii. Be in sound financial condition, including maintaining adequate capital to continue as a going concern and to meet its current and projected operating expenses under a range of scenarios.

iii. Demonstrate the ability, on an ongoing basis (including during periods of idiosyncratic or market stress), to meet all of its obligations in order to remain a going concern and comply with its agreement for a Reserve Bank account and services, including by maintaining:

A. Sufficient liquid resources to meet its obligations to the Reserve Bank under applicable agreements, operating circulars, and Board policies;

B. The operational capacity to ensure that such liquid resources are available to satisfy all such obligations to the Reserve Bank on a timely basis; and

C. Settlement processes designed to appropriately monitor balances in its Reserve Bank account on an intraday basis, to process transactions through its account in an orderly manner and maintain/achieve a positive account balance before the end of the business day.

iv. Have in place an operational risk framework designed to ensure operational resiliency against events associated with processes, people, and systems that may impair the institution's use and settlement of Reserve Bank services. This framework should consider internal and external factors, including operational risks inherent in the institution's business model, risks that might arise in connection with its use of any Reserve Bank account and services, and cyber-related risks. At a minimum, the operational risk framework should:

A. Identify the range of operational risks presented by the institution's business model ( e.g., cyber vulnerability, operational failure, resiliency of service providers), and establish sound operational risk management objectives to address such risks;

B. Establish sound governance arrangements, rules, and procedures to oversee and implement the operational risk management framework;

C. Establish clear and appropriate rules and procedures to carry out the risk management objectives;

D. Employ the resources necessary to achieve its risk management objectives and implement effectively its rules and procedures, including, but not limited to, sound processes for physical and information security, internal controls, compliance, program management, incident management, business continuity, audit, and well-qualified personnel; and

E. Support compliance with the electronic access requirements, including security measures, outlined in the Reserve Banks' Operating Circular 5 and its supporting documentation.

3. Provision of an account and services to an institution should not present or create undue credit, liquidity, operational, settlement, cyber or other risks to the overall payment system.

a. The Reserve Bank should incorporate, to the extent possible, the assessments of an institution by state and/or federal supervisors into its independent assessment of the institution's risk profile.

b. The Reserve Bank should confirm that the institution has an effective risk management framework and governance arrangements to limit the impact that idiosyncratic stress, disruptions, outages, cyber incidents, or other incidents at the institution might have on other institutions and the payment system broadly. The framework should include:

i. Clearly defined operational reliability objectives and policies and procedures in place to achieve those objectives.

ii. A business continuity plan that addresses events that have the potential to disrupt operations and a resiliency objective to ensure the institution can resume services in a reasonable timeframe.

iii. Policies and procedures for identifying risks that external parties may pose to sound operations, including interdependencies with affiliates, service providers, and others.

c. The Reserve Bank should identify actual and potential interactions between the institution's use of a Reserve Bank account and services and (other parts of) the payment system.

i. The extent to which the institution's use of a Reserve Bank account and services might restrict funds from being available to support the liquidity needs of other institutions should also be considered.

d. The institution must, in the Reserve Bank's judgment: Start Printed Page 12961

i. Be in sound financial condition, including maintaining adequate capital to continue as a going concern and to meet its current and projected operating expenses under a range of scenarios.

ii. Demonstrate the ability, on an ongoing basis (including during periods of idiosyncratic or market stress), to meet all of its obligations in order to remain a going concern and comply with its agreement for a Reserve Bank account and services, including by maintaining:

A. Sufficient liquid resources to meet its obligations to the Reserve Bank under applicable agreements, Operating Circulars, and Board policies;

B. The operational capacity to ensure that such liquid resources are available to satisfy all such obligations to the Reserve Bank on a timely basis; and

C. Settlement processes designed to appropriately monitor balances in its Reserve Bank account on an intraday basis, to process transactions through its account in an orderly manner and maintain/achieve a positive account balance before the end of the business day.

iii. Have in place an operational risk framework designed to ensure operational resiliency against events associated with processes, people, and systems that may impair the institution's payment system activities. This framework should consider internal and external factors, including operational risk inherent in the institution's business model, risk that might arise in connection with its use of the payment system, and cyber-related risks. At a minimum, the framework should:

A. Identify the range of operational risks presented by the institution's business model ( e.g., cyber vulnerability, operational failure, resiliency of service providers), and establish sound operational risk-management objectives;

B. Establish sound governance arrangements, rules, and procedures to oversee the operational risk management framework;

C. Establish clear and appropriate rules and procedures to carry out the risk management objectives;

D. Employ the resources necessary to achieve its risk management objectives and implement effectively its rules and procedures, including, but not limited to, sound processes for physical and information security, internal controls, compliance, program management, incident management, business continuity, audit, and well-qualified personnel.

4. Provision of an account and services to an institution should not create undue risk to the stability of the U.S. financial system.

a. The Reserve Bank should incorporate, to the extent possible, the assessments of an institution by state and/or federal supervisors into its independent assessment of the institution's risk profile.

b. The Reserve Bank should determine, in coordination with the other Reserve Banks and Board, whether the access to an account and services by an institution itself or a group of like institutions could introduce financial stability risk to the U.S. financial system.

c. The Reserve Bank should confirm that the institution has an effective risk management framework and governance arrangements for managing liquidity, credit, and other risks that may arise in times of financial or economic stress.

d. The Reserve Bank should consider the extent to which, especially in times of financial or economic stress, liquidity or other strains at the institution may be transmitted to other segments of the financial system.

e. The Reserve Bank should consider the extent to which, especially during times of financial or economic stress, access to an account and services by an institution itself (or a group of like institutions) could affect deposit balances across U.S. financial institutions more broadly and whether any resulting movements in deposit balances could have a deleterious effect on U.S. financial stability.

i. Balances held in Reserve Bank accounts are high-quality liquid assets, making them very attractive in times of financial or economic stress. For example, in times of stress, investors that would otherwise provide short-term funding to nonfinancial firms, financial firms, and state and local governments could rapidly withdraw that funding and instead deposit their funds with an institution holding mostly central bank balances. If the institution is not subject to capital requirements similar to a federally-insured institution, it can more easily expand its balance sheet during times of stress; as a result, the potential for sudden and significant deposit inflows into that institution is particularly large, which could disintermediate other parts of the financial system, greatly amplifying stress.

5. Provision of an account and services to an institution should not create undue risk to the overall economy by facilitating activities such as money laundering, terrorism financing, fraud, cybercrimes, economic or trade sanctions violations, or other illicit activity.

a. The Reserve Bank should incorporate, to the extent possible, the assessments of an institution by state and/or federal supervisors into its independent assessment of the institution's risk profile.

b. The Reserve Bank should confirm that the institution has a BSA/AML compliance program consisting of the components set out below and in relevant regulations.^[9]

i. For these purposes, the Reserve Bank should confirm that the institution's BSA/AML compliance program contains the following elements: ^[10]

A. A system of internal controls, including policies and procedures, to ensure ongoing BSA/AML compliance;

B. Independent audit and testing of BSA/AML compliance to be conducted by bank personnel or by an outside party;

C. Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance (BSA compliance officer);

D. Ongoing training for appropriate personnel, tailored to each individual's specific responsibilities, as appropriate;

E. Appropriate risk-based procedures for conducting ongoing customer due diligence to include, but not limited to, understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information;

c. The Reserve Bank should confirm that the institution has a compliance program designed to support its compliance with the Office of Foreign Assets Control (OFAC) regulations at 31 CFR Chapter V.^[11]

i. For these purposes, the Reserve Bank may review the institution's written OFAC compliance program, provided one has been created, and confirm that it is commensurate with the institution's OFAC risk profile. An OFAC compliance program should identify higher-risk areas, provide for appropriate internal controls for Start Printed Page 12962 screening and reporting, establish independent testing for compliance, designate a bank employee or employees as responsible for OFAC compliance, and create a training program for appropriate personnel in all relevant areas of the institution.

6. Provision of an account and services to an institution should not adversely affect the Federal Reserve's ability to implement monetary policy.

a. The Reserve Bank should incorporate, to the extent possible, the assessments of an institution by state and/or federal supervisors into its independent assessment of the institution's risk profile.

b. The Reserve Bank should determine, in coordination with the other Reserve Banks and the Board, whether access to an account and services by an institution itself or a group of like institutions could have an effect on the implementation of monetary policy.

c. The Reserve Bank should consider, among other things, whether access to a Reserve Bank account and services by the institution could affect the level and variability of the demand for and supply of reserves, the level and volatility of key policy interest rates, the structure of key short-term funding markets, and on the overall size of the consolidated balance sheet of the Reserve Banks. The Reserve Bank should consider the implications of providing an account to the institution in normal times as well as in times of stress. This consideration should occur regardless of the current monetary policy implementation framework in place.

Section 2: Tiered Review Framework

The tiered review framework in this section is meant to serve as a guide to the level of due diligence and scrutiny to be applied by Reserve Banks to different types of institutions. Although institutions in a higher tier will face greater due diligence and scrutiny than institutions in a lower tier, a Reserve Bank has the authority to grant or deny an access request by an institution in any of the three proposed tiers, based on the Reserve Bank's application of the Guidelines in Section 1 to that particular institution.

1. Tier 1: Eligible institutions that are federally insured.

a. As federally-insured depository institutions, Tier 1 institutions are already subject to a standard, strict, and comprehensive set of federal banking regulations.

b. In addition, for most Tier 1 institutions, detailed regulatory and financial information would in most cases be readily available, often in public form.

c. Accordingly, access requests by Tier 1 institutions will generally be subject to a less intensive and more streamlined review.

d. In cases where the application of the Guidelines to Tier 1 institutions identifies potentially higher risk profiles, the institutions will receive additional attention.

2. Tier 2: Eligible institutions that are not federally insured, but that are subject to federal prudential supervision at the institution and, if applicable, at the holding company level.

a. Although not federally insured, Tier 2 institutions are subject to prudential supervision at the institution level by a federal banking agency (by statute). In addition, any holding company of a Tier 2 institution would be subject to Federal Reserve oversight (by statute or by commitments).

b. Tier 2 institutions are subject to a similar, but not identical, set of regulations as federally-insured institutions. As a result, Tier 2 institutions may still present greater risks than Tier 1 institutions.

c. In addition, detailed regulatory and financial information regarding such institutions may be less available or may not be available in public form.

d. Accordingly, account access requests by Tier 2 institutions will generally receive an intermediate level of review.

3. Tier 3: Eligible institutions that are not federally insured and that are not subject to federal prudential supervision at the institution and holding company level.

a. Tier 3 institutions may be subject to a supervisory or regulatory framework that is substantially different from, and less rigorous than, the supervisory and regulatory framework that applies to federally-insured institutions.

b. In addition, detailed regulatory and financial information regarding Tier 3 institutions may not exist or may be unavailable.

c. Accordingly, Tier 3 institutions will generally receive the strictest level of review.

Footnotes