InfoBytes Blog

Financial Services Law Insights and Observations

  • European Union Approves Cybersecurity Rules

    Privacy, Cyber Risk & Data Security

    On July 6, the European Union (EU) approved cybersecurity rules that will require certain businesses, including financial services firms and digital service providers, to maintain security measures and report cybersecurity incidents. The new laws, referred to as the Network and Information Security (NIS) Directive, are intended to establish “harmonized” security and reporting requirements for “operators of essential services,” which EU member states will identify based on certain criteria, such as whether the service is “critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service.” Certain digital service providers, such as online marketplaces, search engines, and cloud services, will also have to maintain security measures and report major incidents, although the requirements are “lighter for these providers.” The NIS Directive will become effective on the twentieth day after publication in the EU Official Journal; member states “will have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services.”

    Privacy/Cyber Risk & Data Security European Union

  • Comptroller Curry Lends Perspective on Responsible Innovation

    Privacy, Cyber Risk & Data Security

    Recently, OCC Comptroller Curry delivered remarks regarding the agency's March 2016 white paper titled “Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective.” In his opening remarks at the OCC’s June 23 forum on this topic, Curry noted a “need for heightened risk management to keep pace with the rapid changes in technology, products, services, and processes.” While recognizing that innovation remains an integral part of the banking system and has the ability to strengthen the financial services industry, Curry also emphasized its potential harm to consumers, banks, and the federal banking system at large. In order to limit the risks – such as cyber threats, phishing schemes, fraud, and identity theft – that innovation may pose to the banking industry, the OCC is developing a comprehensive framework to “improve [its] ability to identify and understand trends and innovations in the financial services industry, as well as the evolving needs of consumers of financial services.” According to the March 2016 paper, the OCC has formulated the following eight guiding principles to ensure that its framework supports responsible innovation consistent with safety and soundness, protection of consumer rights, and compliance with appropriate laws and regulations: (i) support responsible innovation; (ii) foster an internal culture receptive to responsible innovation; (iii) leverage agency experience and expertise; (iv) encourage responsible innovation that provides fair access to financial services and fair treatment of consumers; (v) further safe and sound operations through effective risk management; (vi) encourage banks of all sizes to integrate responsible innovation into their strategic planning; (vii) promote ongoing dialogue through formal outreach; and (viii) collaborate with other regulators. According to Curry’s remarks, the OCC’s forum helped “crystalize [] ideas for implementing a framework for innovation in the most effective way.”

    OCC

  • FSOC Publishes 2016 Annual Report, Highlights Marketplace Lending as Emerging Risk

    Privacy, Cyber Risk & Data Security

    On June 21, the Financial Stability Oversight Council (FSOC) released its 2016 annual report. The report reviews financial market and regulatory developments, identifies emerging risks, and offers recommendations to enhance the U.S. financial markets, promote market discipline, and maintain investor confidence. Among other things, the report focuses on threats and vulnerabilities related to cybersecurity, marketplace lending, and distributed ledger systems/blockchain technology. Addressing the need for heightened cybersecurity, the report advises financial institutions to work together with government agencies to better understand risks associated with destructive malware attacks and to “improve cybersecurity, engage in information sharing efforts, and prepare to respond to, and recover from, a major incident.” Regarding marketplace lending, the report stresses that, as the industry continues to grow, “financial regulators will need to be attentive to signs of erosion in lending standards.” Finally, the report states that distributed ledger systems pose operational vulnerabilities that “may not become apparent until they are deployed at scale,” and cautions that a “considerable degree of coordination among regulators may be required to effectively identify and address risks associated with distributed ledger systems.”

    FSOC Digital Assets Blockchain Marketplace Lending Privacy/Cyber Risk & Data Security Distributed Ledger

  • FTC Submits Comment to the FCC on Proposal Relating to Debt Collection Robocalls

    Privacy, Cyber Risk & Data Security

    On June 6, the FTC submitted a comment to the FCC on its Notice of Proposed Rulemaking (NPR) regarding the implementation of recent changes to provisions of the Telephone Consumer Protection Act (TCPA) that permit robocalls “made solely to collect a debt owed or guaranteed by the United States.” Recommending that the FCC proceed cautiously with the expansion of permissible robocalling, the FTC instructed the FCC to establish standards for the collection of government debt that are consistent with the FDCPA, Section 5 of the FTC Act, and the Telemarketing Sales Rule (TSR). Specifically, the FTC’s comment advises the FCC to limit permitted robocalls to only (i) those relating to debts in default status; (ii) persons who actually owe the debts; (iii) those relating to the collection of the government debt; and (iv) collection purposes exclusively. In addition, the FTC’s comment on the NPR suggests that the FCC (i) maintain reasonable security practices over the data collected during covered robocalls; (ii) limit robocalls to the hours of 8:00 am to 9:00 pm; and (iii) require covered callers to “transmit caller ID information that includes a caller number that connects to a live agent representing the debt collector.”

    FTC TCPA Debt Collection FCC Telemarketing Sales Rule Agency Rule-Making & Guidance

  • Department of Homeland Security and DOJ Issue Operational Rules to Implement Provisions of CISA

    Privacy, Cyber Risk & Data Security

    On June 15, the Department of Homeland Security and the DOJ (collectively, Departments) issued final procedures to implement certain provisions of the Cybersecurity Information Sharing Act (CISA) of 2015. The rules establish operational procedures “relating to the receipt of cyber threat indicators and defensive measures by all federal entities under CISA.” The recently issued procedures finalize interim guidance released by the Departments in February 2016.

    DOJ CISA Privacy/Cyber Risk & Data Security

  • FFIEC Issues Cybersecurity Statement, Comments on Recent Attacks on Interbank Messaging and Payment Networks

    Privacy, Cyber Risk & Data Security

    On June 7, the FFIEC issued a statement on behalf of its members (the OCC, Federal Reserve, FDIC, NCUA, CFPB, and State Liaison Committee) advising financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks.” According to the statement, recent cyber attacks against interbank networks and wholesale payment systems have demonstrated the ability to: (i) bypass information security controls and compromise a financial institution’s wholesale payment origination environment; (ii) “obtain and use valid operator credentials with the authority to create, approve, and submit messages”; (iii) make use of a sophisticated understanding of funds transfer operations and operational controls; (iv) disable security logging and reporting by using highly customized malware, as well as conceal and delay detection of fraudulent transactions through the use of other operational controls; and (v) quickly transfer stolen funds across multiple jurisdictions.

    Due to the potential financial loss and compliance risk associated with unauthorized transactions, the statement reminds financial institutions to consider the following steps to ensure compliance with regulatory requirements and FFIEC guidance: (i) establish and maintain an information security risk assessment program that “considers new and evolving threat intelligence related to online accounts and adjust customer authentication, layered security, and other controls in response to identified risks”; (ii) implement and maintain protection and detection systems, including antivirus protection and intrusion detection systems, and properly monitor system alerts; (iii) protect against unauthorized access to critical systems by, among other things, “limiting the number of credentials with elevated privileges across institutions” and establishing authentication rules; (iv) implement and regularly test controls around critical systems, and report test results to senior management, as well as the board of directors, if appropriate; (v) validate business continuity planning and ensure that the institution is able to “quickly recover and maintain payment processing operations”; (vi) strengthen information security awareness by conducting regular and mandatory training; and (vii) participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.

    In light of the FFIEC’s statement, the OCC simultaneously released Bulletin 2016-08, cautioning financial institutions that use interbank messaging and wholesale payment networks to take the aforementioned risk mitigation steps.

    FDIC CFPB Federal Reserve OCC NCUA FFIEC Privacy/Cyber Risk & Data Security

  • SEC Settles with New York Financial Firm and Employee Over Alleged Failure to Protect Customer Data

    Privacy, Cyber Risk & Data Security

    On June 8, the SEC announced that a New York-based financial services firm agreed to pay a $1 million civil monetary penalty to resolve allegations that it violated the “Safeguards Rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). According to the SEC, the firm “failed to ensure the reasonable design and proper operation of its policies and procedures in safeguarding confidential customer data.” The SEC further contends that the firm failed to audit or test the authorization models that allowed employees to access the portals hosting customer data. The financial services firm settled the charges without admitting or denying the SEC’s findings. As a result of the company’s alleged failures, between 2011 and 2014, a then-current employee of the firm gained access to and copied data regarding approximately 730,000 customer accounts to his personal server. The SEC alleges that the employee’s personal server was hacked, and portions of the misappropriated data were posted to at least three Internet sites, with an offer to sell more of the stolen data in exchange for payment in digital currency. Per the employee’s separate consent order, the employee agreed to an industry and penny stock bar with the right to apply for reentry after five years. He was previously criminally convicted for his actions and received 36 months of probation and $600,000 in restitution.

    SEC Privacy/Cyber Risk & Data Security Virtual Currency

  • FTC to Host Fourth Start with Security Event

    Privacy, Cyber Risk & Data Security

    On June 15, the FTC will host its fourth Start with Security event in Chicago, Illinois. Featuring agency representatives Todd Kossow, Maureen Ohlhausen, Cora Han, Jim Trilling, Steve Wernikoff, and Andrea Arias, as well as security experts from various industries, the Start with Security event is intended to provide companies with tips for implementing effective data security. The event will host the following four panels: (i) Building a Security Culture; (ii) Integrating Security into the Development Pipeline; (iii) Considering Security when Working with Third Parties; and (iv) Recognizing and Addressing Network Security Challenges. Over the course of the full-day event, the panels “will address how companies can create and prioritize a culture of security, how to integrate security into the development pipeline, what security issues to consider when a company works with third parties, and how to recognize and address network security challenges.”

    As recently noted in its 2015 Annual Highlights report, the FTC’s Start with Security efforts, including its June 2015 Guide for Business, are part of the agency’s education outreach programs designed to promote good data security practices within businesses.

    FTC Privacy/Cyber Risk & Data Security Vendor Management

  • SEC Names Christopher Hetner Senior Advisor to the Chair for Cybersecurity Policy

    Privacy, Cyber Risk & Data Security

    On June 2, the SEC named Christopher Hetner Senior Advisor to the Chair for Cybersecurity Policy. In this capacity, Hetner will serve as a senior advisor to Chair Mary Jo White on all policy matters relating to cybersecurity. Having joined the SEC in January 2015, Hetner currently serves as Cybersecurity Lead for the Technology Control Program within the SEC’s Office of Compliance Inspections and Examinations (OCIE), coordinating cybersecurity efforts across OCIE and lending advice on enforcement matters. As Senior Advisor, Hetner “will be responsible for coordinating efforts across the agency to address cybersecurity policy, engaging with external stakeholders, and further enhancing the SEC’s mechanisms for assessing broad-based market risk.”

    SEC Privacy/Cyber Risk & Data Security

  • CSBS Publishes Annual Report

    Privacy, Cyber Risk & Data Security

    Recently, the Conference of State Bank Supervisors (CSBS) published its 2015 Annual Report to provide an overview of its activities and initiatives in 2015. The report highlights that, throughout 2015, state regulators (i) increased coordination and collaboration between state regulators and other stakeholders, including federal regulators and Congress; (ii) developed research and analytical tools, such as risk profiling tools to assist with the examination selection process, as well as tools to address emerging non-depository regulatory issues; (iii) developed “right-sized” policy solutions for an ever-changing financial services industry, acknowledging that “community banks play a vital and necessary role in [the] diverse financial services ecosystem”; and (iv) provided education and training for examiners and supervisors, noting that “more than 1,000 examiners from 43 agencies representing 41 states had been certified through the CSBS Certification Program.” Importantly, the report notes that cybersecurity remains a “major issue facing the financial services industry.” In an effort to encourage executive leadership and raise awareness, CSBS launched the Executive Leadership of Cybersecurity (ELOC) initiative, which emphasizes that cybersecurity is “more than a ‘back office’ issue, but an executive issue that requires CEO and Board level attention.”

    Examination Privacy/Cyber Risk & Data Security
