InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Senate Committee reports on AI use by hedge fund traders
On June 14, the U.S. Senate Committee on Homeland Security and Governmental Affairs released a report on the use of artificial intelligence (AI) by hedge funds to inform trading decisions. The report suggested that the increased use and reliance upon AI in the financial services sector could lead to greater risks to financial investors and markets. On par with these findings included, for instance, an observation that hedge funds and regulators may use inconsistent or unclear terms to define AI systems that could make it difficult to understand what types of systems are in use and how existing and proposed regulations could apply. The report also suggested this may complicate efforts to audit and assess hedge funds’ review processes and human moderation efforts. The report also suggested that the use of AI for trading purposes could amplify traditional investment industry risks.
The Committee made several recommendations, including calling upon regulators to consider potential gaps in existing and proposed regulatory frameworks. The report concluded that Congress and regulators should seek to improve the public’s understanding of AI and establish guardrails to address risks related to the use of this technology in the financial services sector.
New York Fed risk head delivers speech on emergent risks in finance
On June 11, the New York Fed’s Chief Risk Officer and head of the risk group, Mihaela Nistor, delivered a speech on the evolving landscape of risk management and emphasized the complexities of modern risks within the financial system. Nistor highlighted an increase in new risks around the world, from geopolitical conflicts and economic uncertainties to cyber threats, data privacy issues, and disruptive technologies. She then categorized these risks internal or external threats.
Nistor first addressed the internal risk landscape within organizations and emphasized the need for organizations to develop a comprehensive view of risk within an enterprise, to identify priorities and allocate resources accordingly. The speech described the importance of building a strong risk culture within organizations to identify and mitigate risks proactively. One way to strengthen risk-management culture, according to Nistor, would be through a “portfolio view” that evaluated risks collectively across projects within an organization rather than in isolation. Nistor stated that this approach facilitated a better understanding of interdependencies and cumulative risk exposure. However, the remarks stress the importance of different management approaches that were tailored to allow flexibility to mitigate an identified risk.
For external risk, Nistor focused on the importance of building resilience within organizations. Nistor noted that while external threats are often unpredictable, an organization can build resilience to meet emerging external risks by identifying critical assets and processes and developing contingency plans.
Treasury requests information on AI in financial services sector
On June 6, the Department of the Treasury released a request for information (RFI) to collect from financial institutions, consumers, advocates, academics, and other stakeholders’ data on the uses, opportunities and risks presented by artificial intelligence (AI). The Treasury’s release stated that the Department will be interested in gaining greater insight into how AI would be used in risk management, capital markets, internal operations, customer service, regulatory compliance, and marketing. The RFI posed 19 questions related to general topics such as types of models, AI use, and barriers to entry, as well as questions focused on potential opportunities and risks associated with AI.
The Secretary of the Treasury, Janet Yellen, discussed the RFI in her remarks at the Financial Stability Oversight Council (FSOC) Conference on AI and Financial Stability. Yellen noted that the Treasury would be convening a roundtable on AI and insurance and would support FSOC’s monitoring and analysis of AI’s impact on financial stability.
FHA issues reporting requirements on significant cybersecurity incidents
On May 23, HUD issued Mortgagee Letter (ML) 2024-10 titled “Significant Cybersecurity Incident (Cyber Incident) Reporting Requirements” which required FHA-approved mortgagees to notify HUD when a “Cyber Incident” occurs. A Cyber Incident would be any unauthorized event that could harm information or computer systems, breaching security rules, and affecting a mortgagee’s ability to meet FHA program requirements. It also would include actions that threaten data confidentiality, integrity, or availability, potentially disrupting mortgage operations. Mortgagees must report all suspected Cyber Incidents to HUD's FHA Resource Center and Security Operations Center within 12 hours of detection. The report must include several details, including the mortgagee's name and ID, contact information, a description of the incident (including the date, cause, and impact to PII, login credentials, and IT systems), any affected subsidiary or parent companies, and the status of the mortgagee’s incident response, including whether law enforcement has been notified. The provisions of this ML are effective immediately and will be reflected in a forthcoming update to the HUD Handbook 4000.1.
Maryland enacts child consumer protection laws
On May 9, the Governor of Maryland approved SB 571 (the “Act) to provide consumer online protections for children. The Act will afford protections from online products aimed at children or that are likely accessed by children. Specifically, the Act will require companies that provide online products “reasonably likely to be access[ed] by children” to prepare a data protection impact assessment (DPIA) for the online product. The DPIA will identify the purpose of the online product, how the product uses children’s data, determine if the product would be in children’s best interests, and include a description of the compliance steps the company will have taken to comply with the duty to act in a manner consistent with the best interests of children, among other requirements. The Act outlined several violations, including against processing data not in children’s best interests, profiling children, processing geolocation, using of dark patterns, or monitoring of children’s activities without first notifying the parent/guardian. The Act will go into effect on October 1.
Maryland enshrines its consumer online data privacy act
On May 9, the Governor of Maryland approved SB 541 (the “Act”) which enacted the Maryland Online Data Privacy Act of 2024, setting forth new provisions for businesses and data processors under the state’s UDAP commercial code. The Act will prevent persons or processors from providing access to consumer health data unless contractually required, or from using a geofence within a certain distance from health or mental health facilities. The Act will enable consumers to exercise certain rights with respect to their data, including confirming use, accessing data, correcting inaccuracies, requiring deletion of data (unless protected by law), and opting out of targeted advertising or sales of one’s personal data. Consumers will also be able to designate an agent to opt-out on their behalf.
The Act will prohibit controllers from selling sensitive data and from collecting, processing, or sharing sensitive consumer data unless “the collection or processing is strictly necessary to… maintain a specific product,” among others. The Act will enable controllers to limit collection to what would be “reasonabl[y] necessary” and establish data security practices. Controllers will also be forced to provide consumers with a privacy notice that will outline their use of the data and a consumer’s rights, as well as establish a secure method for a consumer to exercise such rights. The Act will not apply to financial institutions or to consumer credit data that is protected under the FCRA. The Act will go into effect on October 1, 2025.
NIST issues updated security requirements and assessment procedures for protecting controlled unclassified information
On May 14, the National Institute of Standards and Technology (NIST) released “Revision 3” to Special Publication 800-171 (Protecting Controlled Unclassified Information on Nonfederal Systems and Organizations) and 800-171A (Assessing Security Requirements for Controlled Unclassified Information) for federal contractors and other entities that do business with the federal government and handle controlled unclassified information. The revisions were intended to create better alignment with the controls set forth in Special Publication 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations), realign controls based on new tailoring criteria, and to directly tie specific controls to the handling of controlled unclassified information. The revisions further implemented the framework set forth in Executive Order 13556 – Controlled Unclassified Information, and give the private sector more clarity by tailoring the moderate baseline for controls in Special Publication 800-53 Rev. 5 to withdraw the requirements that are, among other things, primarily the responsibility of the federal government, not directly related to the protection of controlled unclassified information, or are adequately addressed through other related controls. The updates will also allow for more specific tailoring of organizational controls to security standards, increasing flexibility. Finally, the assessment procedures in Special Publication 800-171A for determining whether a contractor or other entity would be compliant with Special Publication 800-171 was updated to align with the new revisions in Special Publication 800-171. These updates will come at a time when the Department of Defense will continue to implement the Cybersecurity Maturity Model Capability, covered by InfoBytes here.
NYDFS releases its Cybersecurity Program Template
On May 13, NYDFS issued a guidance letter informing licensed entities about its Cybersecurity Program Template. NYDFS created the Template to help individual licensees and individually owned businesses licensed by NYDFS to develop a cybersecurity program as required by its cybersecurity regulation (23 NYCRR Part 500). The Template was prepared based on the version of the NYDFS Cybersecurity Regulation in effect as of November 1, 2023 (covered by InfoBytes here). The template does not need to be submitted to NYDFS or any other state agencies for approval.
FTC’s Safeguards Rule notification requirement under GLBA now in effect
On May 14, the FTC published a business blog post announcing the Safeguards Rule, an amendment to the GLBA, is in effect as of May 13. The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and aims to protect customers' private personal information through data breach reporting requirements.
Additional revisions to the Rule related to data breach reporting were announced in October 2023, with amendments requiring covered companies to notify the FTC within 30 days of a security breach impacting at least 500 consumers. For reporting, businesses must use a new online form provided by the FTC. The Rule complements existing business security measures and does not negate other state and federal legal obligations. Businesses can refer to FTC guidance for further details on the rule and compliance requirements.
State attorneys general push Congress on federal consumer privacy legislation
On May 8, the Attorney General of California, Rob Bonta, and 15 other state attorneys general wrote a letter to Congressional leaders following the introduction of the American Privacy Rights Act (APRA) in Congress. The attorneys general encouraged Congress to set a “federal floor, not a ceiling” for consumer privacy rights, as APRA preempts state law under its current draft. The letter highlighted how states have “played a critical role” in setting new data privacy standards without curbing business practices or developments in technology. In addition, the attorneys general expressed concern that the APRA would limit some attorneys general to issue civil investigative demands (CIDs) because their CID authority would require a violation of state or federal law before issuance. The APRA, however, provided that “a violation of [the APRA] or a regulation promulgated under [the APRA] may not be pleaded as an element of any violation of [a state] law.” Despite these concerns, the attorneys general did express their support for other provisions of APRA, such as data minimization by default, stronger consent requirements, and protections for minors.