On November 15, the SEC announced it issued its fiscal year 2019 whistleblower program annual report to Congress, which states that since the program’s inception, the SEC has ordered over $2 billion in total monetary sanctions in enforcement actions that resulted from information brought by meritorious whistleblowers. As for FY 2019, the SEC received over 5,200 whistleblower tips, with over 300 tips relating to cryptocurrencies, and awarded approximately $60 million in whistleblower awards to eight individuals. Since the program’s inception, the SEC has awarded approximately $387 million to 67 whistleblowers. The report acknowledges that FY 2019 was an “unusual year” due to the lapse in appropriations, referring to the government shutdown from the end of December 2018 through most of January 2019, and includes a summary of the six actions leading to the eight awards of FY 2019. The report notes that the agency anticipates final rules to be adopted in FY 2020 related to the July 2018 proposed amendments to the whistleblower program (covered by InfoBytes here). The proposed amendments, among other things, address the Supreme Court ruling in Digital Realty Trust, Inc. v. Somers (covered in a Buckley Special Alert) and authorize the SEC to adjust an award’s percentage as appropriate to advance the goals of rewarding and incentivizing whistleblowers.
On the same day, the SEC announced a collective award of over $260,000 to three whistleblowers who submitted a joint tip “alerting the agency to a well-concealed fraud targeting retail investors,” which led to a successful enforcement action. The order does not provide any additional details regarding the whistleblower or the company involved in the enforcement action. With this new action, the SEC has now awarded approximately $387 million to 70 whistleblowers.
On November 18, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against two Islamic State of Iraq and Syria (ISIS) procurement agents based in Turkey and four ISIS-linked entities operating in Syria, Turkey, and across the Gulf and Europe for allegedly providing financial and logistical support to ISIS. OFAC also took action against an Afghanistan-based organization, as well as two affiliated senior officials, for “using false charitable pretenses as a cover to facilitate the transfer of funds and support the activities of the terrorist group’s branch in Afghanistan, ISIS – Khorasan.” OFAC noted that these sanctions coincide with the twelfth meeting of the Counter ISIS Finance Group, which coordinates efforts to isolate ISIS from the international financial system and eliminate revenue sources. As a result of the sanctions, all property and interests in property of the designated entities and individuals within U.S. jurisdiction are blocked and must be reported to OFAC. OFAC further noted that its regulations “generally prohibit” U.S. persons from participating in transactions with the designated persons, and warned foreign financial institutions that if they knowingly facilitate significant transactions for any Specially Designated Global Terrorists, they may be subject to U.S. correspondent account or payable-through account sanctions.
On November 14, NYDFS announced a proposed regulation, which would allow regulated entities to share confidential supervisory information with legal counsel or with independent auditors without obtaining prior written approval from the agency. Currently, entities are required to receive prior written approval for each instance in which they want to share confidential supervisory information with hired legal counsel or independent auditors. The proposal would allow a regulated entity to share this information without prior written approval from NYDFS as long as there is a written agreement between the parties, in which the hired legal counsel or independent auditor agrees to, among other things, (i) only use the information for the purposes of legal representation or auditing services; (ii) not to disclose the information to its employees except on a “need to know” basis; (iii) promptly notify NYDFS of any requests for the information; and (iv) maintain records for all information disclosed pursuant to the regulation. Comments on the proposal will be accepted for 60 days following publication in the state register on November 27.
On November 15, the U.S. Court of Appeals for the Eleventh Circuit vacated the district court’s certification order of a class action alleging a national satellite TV company violated the TCPA by contacting individuals who had previously asked to not be contacted. According to the opinion, a consumer filed a class action against the company alleging that the company failed to maintain an “internal do-not-call list,” which allowed the company and its telemarketing service provider to contact him eighteen times after he repeatedly asked to not be contacted. The consumer sought certification “of all persons who received more than one telemarketing call from [the telemarketing service provider] on behalf of [the company] while it failed to maintain an internal do-not-call list.” The district court certified the class and the company appealed.
On appeal, the 11th Circuit disagreed with the district court, concluding the court incorrectly determined that issues common to the class predominated over issues individual to each member. Specifically, the appellate court noted that the class consisted of unnamed class members who may not have asked the company to stop calling and therefore, would never have been on an internal do-not-call list, had one been properly maintained. Thus, these members were not injured by the company’s failure to comply and their injuries are then “not fairly traceable to [the company’s] alleged wrongful conduct,” resulting in a lack of Article III standing to sue. The appellate court emphasized that recertification is still possible, but the district court would need to determine which of the class members made the request to not be contacted. However, if “few made [the] request, or if it will be extraordinarily difficult to identify those who did, then the class would be overbroad” and individualized issues may “overwhelm issues common to the class.”
On November 15, the U.S. District Court for the Northern District of Georgia entered a stipulated final judgment and order to resolve allegations concerning one of the defendants cited in a 2015 action taken against an allegedly illegal debt collection operation. As previously covered by InfoBytes, the CFPB claimed that several individuals and the companies they formed attempted to collect debt that consumers did not owe or that the collectors were not authorized to collect. The complaint further alleged uses of harassing and deceptive techniques in violation of the CFPA and FDCPA, and named certain payment processors used by the collectors to process payments from consumers. While the claims against the payment processors were dismissed in 2017 (covered by InfoBytes here), the allegations against the outstanding defendants remained open. The November 15 stipulated final judgment and order is issued against one of the defendants who—as an officer and sole owner of the debt collection company that allegedly engaged in the prohibited conduct—was found liable in March for violations of the FDCPA, as well as deceptive and unfair practices and substantial assistance under CFPA.
Among other things, the defendant, who neither admitted nor denied the allegations except as stated in the order, is (i) banned from engaging in debt collection activities; (ii) permanently restrained and enjoined from making misrepresentations or engaging in unfair practices concerning consumer financial products or services; and (iii) prohibited from engaging in business ventures with the other defendants; using, disclosing or benefitting from certain consumer information; or allowing third parties to use merchant processing accounts owned or controlled by the defendant to collect consumer payments. The stipulated order requires the defendant to pay a $1 civil money penalty and more than $5.2 million in redress, although full payment of the judgment is suspended upon satisfaction of specified obligations and the defendant’s limited ability to pay.
On November 14, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Business Continuity Management booklet, one of a series of booklets that make up the FFIEC Information Technology Examination Handbook. The revised booklet replaces the 2015 version and provides enterprise-wide guidance for examiners on the principles of business continuity management and approaches toward business continuity planning and resilience, including those designed to “achieve safety and soundness, consumer financial protection, and compliance with applicable laws, regulations, and rules.” It also provides examination procedures intended to help examiners assess the effectiveness of business continuity and resilience frameworks for entities including depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.
The same day, the OCC also issued Bulletin 2019-57 to note that the revised booklet rescinds Bulletin 2015-9, “FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet.”
On November 15, the CFPB issued an interpretive rule, which clarifies the screening and training requirements for mortgage loan originators (MLOs) with temporary authority under Regulation Z. As previously covered by InfoBytes, Section 106 of the Economic Growth, Regulatory Relief, and Consumer Protection Act amends the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (SAFE Act) to establish temporary authority, providing a way for eligible MLOs who have applied for a new state loan originator license to act as a loan originator in the application state while the state considers the application. Regulation Z currently requires organizations to perform criminal screenings (including whether the applicant has been convicted of enumerated felonies within specified timeframes) and to satisfy training requirements before permitting the individual to originate loans. According to the Bureau, Regulation Z is “ambiguous” as to whether these requirements apply to MLOs with temporary authority; the interpretive rule therefore clarifies that an organization is not required to conduct the criminal screening or ensure the training of any MLOs with temporary authority under the SAFE Act.
The interpretive rule is effective November 24, the same day the SAFE Act amendments take effect.
On November 14, the FDIC released its latest issue of the FDIC Quarterly, which analyzes the U.S. banking system and focuses on changes occurring since the 2008 financial crisis, particularly within nonbank lending growth. The three reports—published by the FDIC’s Division of Insurance and Research—“address the shift in some lending from banks to nonbanks; how corporate borrowing has moved between banks and capital markets; and the migration of some home mortgage origination and servicing from banks to nonbanks.”
- Bank and Nonbank Lending Over the Past 70 Years notes that total lending in the U.S. has grown dramatically since the 1950s, with a shift in bank lending that reflects the growth of nonbank loan holders as nonbanks have gained market share in residential mortgage and corporate lending. The report states that in 2017, nonbanks represented 53 percent of mortgages originated by HMDA filers, and originated a significant volume of loans for sale to the GSEs. Mortgage servicing also saw a shift from banks to nonbanks, with nonbanks holding “42 percent of mortgage servicing rights held by the top 25 servicers in 2018.” The report also discusses shifts in lending for commercial real estate, agricultural loans, consumer credit, and auto loans, and notes that bank lending to nondepository financial institutions has grown from roughly $50 billion in 2010 to $442 billion in the second quarter of 2019.
- Leveraged Lending and Corporate Borrowing: Increased Reliance on Capital Markets, With Important Bank Links examines the shift in corporate borrowing from banks to nonbanks, with nonfinancial corporations “relying more on capital markets and less on bank loans as a funding source.” The report also, among other things, discusses resulting risks and notes that “[d]espite the concentration of corporate debt in nonbank credit markets, banks still face both direct and indirect exposure to corporate debt risks.”
- Trends in Mortgage Origination and Servicing: Nonbanks in the Post-Crisis Period examines changes to the mortgage market after 2007, including the migration outside of the banking system of a substantial share of mortgage origination and servicing. The report also discusses trends within the mortgage industry, key characteristics of nonbank originators and servicers, potential risks posed by nonbanks, and potential implications the migration to nonbanks may pose for banks and the financial system. Specifically, the report lists several factors contributing to the resurgence of nonbanks in mortgage origination and servicing, including (i) crisis-era legacy portfolio litigation at bank originators; (ii) more aggressive nonbank expansion; (iii) nonbanks’ technological innovations and mortgage-focused business models; (iv) large banks’ sales of crisis-era legacy servicing portfolios due to servicing deficiencies and other difficulties; and (v) capital treatment changes to mortgage servicing assets applicable to banks. The report emphasizes, however, that “[c]hanging mortgage market dynamics and new risks and uncertainties warrant investigation of potential implications for systemic risk.”
The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CTI) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. To implement a risk-based information security program successfully, an organization must be aware of the general cybersecurity risks that cut across all industries, as well as the business-sector risks and the risks unique to the organization itself. Furthermore, proposed revisions to the FTC Safeguards Rule (previously covered by InfoBytes here) emphasize the need for a “thorough and complete risk assessment” that is informed by “possible vectors through which the security, confidentiality, and integrity of that information could be threatened.”
Threat modeling is generally understood as a formal process by which an organization identifies specific cyber threats to its information systems and sensitive information. The process gives management insight into the defenses needed; the critical risk areas within and across an information system, network, or business process; and the best allocation of scarce resources to address those critical risks. Even today, a generally accepted threat modeling process involves comprehensive system, application, and network mapping and data flow diagrams. Many threat modeling tools are available free to the public, such as Microsoft’s Threat Modeling Tool, which provides diagramming and analytical resources for network and data flow diagrams and uses the STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) to inform the user of general cyber-attack vectors that each organization should consider. Generally, by combining a cybersecurity framework such as the NIST Cybersecurity Framework (for a risk-based analytical approach) with threat modeling tools that identify generic cyber threats such as STRIDE (for general or sector-specific cyber risks), an organization can achieve a risk-informed information security program.
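To make the STRIDE-over-data-flow-diagram process above concrete, here is a small Python example added to this post; it is not code from the original article, from Microsoft, or from any threat modeling tool. It applies the STRIDE-per-element rule of thumb (which threat categories apply to external entities, processes, data stores and data flows) to a constructed diagram of an online-banking front end, and singles out the flows that cross a trust boundary, since those are the ones that most deserve first review. The element types, trust zones, flow names and protocols are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# STRIDE categories and the STRIDE-per-element rule of thumb used by the
# Microsoft Threat Modeling Tool methodology: which categories apply to each
# data-flow-diagram element type.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}
APPLICABLE = {
    "external": "SR",     # external entities can be impersonated or deny their actions
    "process": "STRIDE",  # processes are exposed to every category
    "store": "TRID",      # data stores: tampering, repudiation, disclosure, DoS
    "flow": "TID",        # data flows: tampering, disclosure, DoS
}


@dataclass
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass
class Flow:
    name: str
    src: str
    dst: str
    protocol: str


@dataclass
class Threat:
    target: str
    category: str
    crosses_boundary: bool


def enumerate_threats(elements: Dict[str, Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every node and every flow of the diagram."""
    threats: List[Threat] = []
    for el in elements.values():
        for code in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, STRIDE[code], False))
    for f in flows:
        crosses = elements[f.src].zone != elements[f.dst].zone
        label = f"{f.name} ({f.src} -> {f.dst}, {f.protocol})"
        for code in APPLICABLE["flow"]:
            threats.append(Threat(label, STRIDE[code], crosses))
    return threats


def boundary_crossing(threats: List[Threat]) -> List[Threat]:
    """Threats on flows that cross a trust boundary; these are reviewed first."""
    return [t for t in threats if t.crosses_boundary]


# Constructed sample diagram (hypothetical): a banking web front end and its account service.
ELEMENTS = {
    "customer": Element("Customer browser", "external", "internet"),
    "webapp": Element("Web application", "process", "dmz"),
    "accounts": Element("Account service", "process", "internal"),
    "db": Element("Account database", "store", "internal"),
}
FLOWS = [
    Flow("login", "customer", "webapp", "https"),
    Flow("balance query", "webapp", "accounts", "http"),
    Flow("account read", "accounts", "db", "tds"),
]

if __name__ == "__main__":
    found = enumerate_threats(ELEMENTS, FLOWS)
    print(f"{len(found)} candidate threats, {len(boundary_crossing(found))} on trust-boundary crossings")
    for t in boundary_crossing(found):
        print(f"  [{t.category}] {t.target}")
```

On the sample diagram this yields 27 candidate threats, six of which sit on the two boundary-crossing flows (browser to web application, and web application to the internal account service over plain HTTP). The per-element table only tells an analyst which categories to consider for each element; deciding which of those threats are real, and what mitigations apply, is still the analyst’s work.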
However, with the increasing number of large-scale data breaches and the evolving complexity of cybersecurity threats, many regulatory agencies and industry standards bodies have called for organizations to go one step further and use CTI to understand the tactics, techniques, and procedures (TTPs) that attackers employ. By using CTI and other threat-based models, organizations can gain insight into potential attack vectors through red teaming and penetration testing that simulate each phase of a hypothetical attack against the organization’s information systems, and can determine the countermeasures that can be employed at each step of the kill chain. For instance, Lockheed Martin’s formal kill chain model involves seven steps (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective) and proposes six potential defensive measures at each step (detect, deny, disrupt, degrade, deceive, and contain). Consequently, an organization can layer its defenses along each step of the kill chain to increase the probability of detecting or preventing the attack. The kill chain model was used as part of a U.S. Senate investigation into the 2013 data breach of a major corporation, identifying several stages along the chain where the attack could have been prevented or detected.
This threat identification process requires greater detail on adversarial TTPs. Fortunately, MITRE has made its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) knowledge base publicly available. ATT&CK collects and organizes adversarial TTPs in specific detail and provides, for each technique, information on commonly used attack patterns and potential mitigating procedures. For instance, one tactic identified by ATT&CK is to encrypt data being exfiltrated to avoid detection by data loss prevention (DLP) tools or other network anomaly detection tools; ATT&CK identifies more than forty known techniques and tools that have been used to achieve encrypted transmission. ATT&CK also identifies potential detection and mitigation options, such as scanning unencrypted channels for encrypted files using DLP or intrusion detection software. Thus, instead of a generic data breach risk analysis, organizations can understand the specific TTPs that may make data breach detection and analysis more difficult, and possibly take measures to prevent them.
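The detection option named above, scanning unencrypted channels for encrypted-looking files, is easy to state and a little harder to do without drowning in false positives. The following Python heuristic is an example added to this post; it is not from the original article, from MITRE, or from any DLP or IDS product. It measures the Shannon entropy of each transferred payload, sets aside known compressed and media formats by their magic bytes (they are high-entropy by design), ignores samples too short to measure, and alerts only when an opaque high-entropy payload travels over a protocol assumed to be cleartext. The protocol list, thresholds, magic-number table and traffic records are all constructed for the example.

```python
import gzip
import hashlib
import math
from collections import Counter
from typing import Dict, List

# Magic-number prefixes of formats that are high-entropy by design; a match means
# "compressed/media", not "encrypted". (Constructed, non-exhaustive table.)
KNOWN_HIGH_ENTROPY_FORMATS = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Protocols assumed to carry payloads in the clear; an encrypted blob on one of
# these is the anomaly the DLP/IDS check looks for. (Assumed list.)
CLEARTEXT_PROTOCOLS = {"http", "ftp", "smtp", "smb"}

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext approaches the 8.0 maximum
MIN_SIZE = 256            # entropy estimates on shorter samples are unreliable


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes) -> str:
    """Label a payload as plaintext, a known compressed format, too short, or opaque."""
    for magic, name in KNOWN_HIGH_ENTROPY_FORMATS.items():
        if data.startswith(magic):
            return name
    if len(data) < MIN_SIZE:
        return "too-short"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "opaque-high-entropy"
    return "plaintext"


def scan_transfers(records: List[Dict]) -> List[Dict]:
    """Return one alert per opaque high-entropy payload observed on a cleartext protocol."""
    alerts = []
    for rec in records:
        label = classify_payload(rec["payload"])
        if rec["proto"] in CLEARTEXT_PROTOCOLS and label == "opaque-high-entropy":
            alerts.append({
                "src": rec["src"],
                "dst": rec["dst"],
                "proto": rec["proto"],
                "bytes": len(rec["payload"]),
                "entropy": round(shannon_entropy(rec["payload"]), 2),
                "reason": "encrypted-looking payload over cleartext channel",
            })
    return alerts


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample transfers; none of these are real captures.
TEXT = b"Quarterly customer statement: account balances and transaction history. " * 20
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "proto": "http", "payload": TEXT},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "proto": "http", "payload": gzip.compress(TEXT)},
    {"src": "10.0.0.7", "dst": "198.51.100.2", "proto": "http", "payload": pseudo_random_bytes(4096, b"example")},
    {"src": "10.0.0.7", "dst": "198.51.100.2", "proto": "https", "payload": pseudo_random_bytes(4096, b"example")},
    {"src": "10.0.0.9", "dst": "198.51.100.2", "proto": "smtp", "payload": b"short"},
]

if __name__ == "__main__":
    for alert in scan_transfers(SAMPLE_RECORDS):
        print(alert)
```

Of the five sample transfers only the third produces an alert: plain text scores far below the threshold, the gzip payload is recognized by its header, the same opaque blob over HTTPS is expected to look encrypted, and the short SMTP fragment is too small to judge. Two caveats matter in practice: compressed or packed data without a recognized header will look exactly like ciphertext, so the magic-number table and threshold need tuning against the organization’s own traffic, and this check detects a suspicious transfer rather than preventing it, so it belongs beside, not instead of, the egress controls in the risk assessment.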
By leveraging open-source CTI from resources such as ATT&CK and from third-party sources such as government and industry alerts, organizations can begin the process of designing proactive defenses against cyber threats. It is important to note, however, that ATT&CK can only inform an organization’s threat modeling and is not a threat model itself; additionally, ATT&CK focuses on penetration and hacking TTPs and therefore does not examine other threats that organizations may face, including distributed denial of service (DDoS) attacks that threaten the availability of their systems. Such threats will still need to be accounted for in any financial organization’s risk assessment, particularly if such attacks prevent its clients from accessing their financial accounts and, ultimately, their money.
AG coalition calls on Department of Education to discharge loans for students who attended closed for-profit school
On November 13, a coalition of 22 state attorneys general led by the Massachusetts attorney general sent a letter to the Department of Education’s Federal Student Aid Chief Operating Officer to determine whether the Department has complied with federal regulations that allow student borrowers to qualify for automatic discharge relief if they attended a school within 120 days of its closure date and have not continued their education elsewhere. The letter referred to an estimate provided by the Department in May, which stated that approximately 52,000 former students of a now-closed for-profit college qualified for automatic closed-school discharge relief. The letter notes, however, that recent information obtained from Congress indicates that only 7,000 student borrowers have been granted automatic discharges. Among other things, the AGs ask the Department to clarify whether all eligible students are now receiving automatic discharges, and request that the 120-day window be expanded “due to the deeply compromised nature of the school and its offerings in the months before its national collapse.” In addition, the letter requests details about the number of students with discharged loans and the methodology the Department is using to implement the automatic closed-school discharge.
- Sherry-Maria Safchuk to speak on the "California Consumer Privacy Act (CCPA) Workshop" panel at the California Mortgage Banker's 2019 Legal Issues & Regulatory Compliance Conference
- Jon David D. Langlois to discuss "Legal and operational considerations" at the Mortgage Bankers Association's Whole Loan Trading Workshop
- Daniel P. Stipano to discuss “Connecting the dots on your CDD program” at the ABA/ABA Financial Crimes Enforcement Conference
- Daniel P. Stipano to discuss “Beneficial Ownership: You have questions – We have quick answers” at the ABA/ABA Financial Crimes Enforcement Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at an American Bar Association webinar
- Kari K. Hall and Christopher M. Walczyszyn to speak on the "Understanding updates to Regulation CC to ensure effective check processing" at a National Association of Federal Credit Unions webinar