InfoBytes Blog

Financial Services Law Insights and Observations

  • CISA issues RFI on new cyber incident reporting requirements

    Privacy, Cyber Risk & Data Security

    On September 9, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) from critical infrastructure owners and operators on how to develop new data breach reporting regulations related to ransomware and other malicious attacks. The RFI will inform CISA’s promulgation of proposed regulations as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Specifically, the agency is requesting feedback on definitions and terminology for the proposed rules, the form and content of reports, incident reporting requirements, enforcement procedures, and information protection policies. Once the final regulation is published, CISA will use information obtained from cyber-incident reports submitted by covered entities to “deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and understand how malicious cyber actors are perpetrating their attacks, and quickly share that information with network defenders to warn other potential victims,” the RFI explained. CISA will also host a series of public listening sessions across the country to receive additional input as it develops the proposed regulations. Comments on the RFI are due November 14.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance CISA Ransomware

  • Agencies push to implement Basel III

    On September 9, the FDIC, OCC, and Federal Reserve Board reaffirmed their commitment to implementing enhanced regulatory capital requirements that align with Basel III standards issued by the Basel Committee on Banking Supervision in 2017. The agencies announced they are currently developing—and will issue “as soon as possible”—a joint proposed rule on new capital standards for large banking organizations. The agencies noted that community banks are subject to different capital requirements and will not be affected by the proposal.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC OCC Federal Reserve Basel

  • Treasury issues guidance on Russian oil sales cap

    Financial Crimes

    On September 9, the U.S. Treasury Department announced preliminary guidance on implementing a maritime services policy and related price exception for seaborne Russian oil. As previously covered by InfoBytes, OFAC recently announced that it planned to publish preliminary guidance on implementing the price cap to provide a high-level overview of the directive, including how U.S. persons can comply in advance of formal guidance and legal implementation. According to the preliminary guidance, the policy is intended to establish a framework for Russian oil to be exported by sea under a capped price, and establish a ban on services for any shipments of seaborne Russian oil above the capped price. Objectives of the guidance include: (i) maintaining a reliable supply of seaborne Russian oil to the global market; (ii) reducing upward pressure on energy prices; and (iii) reducing the revenues the Russian Federation earns from oil after its own war of choice in Ukraine has inflated global energy prices. The policy contains an exception, which applies to “jurisdictions or actors that purchase seaborne Russian oil at or below a price cap to be established by the coalition (the “price exception”).” The policy, which relates to a broad range of services in connection with the maritime transportation of Russian Federation origin crude oil and petroleum products, will become effective December 5, 2022 for the maritime transportation of crude oil and on February 5, 2023 for the maritime transportation of petroleum products.

    Financial Crimes Agency Rule-Making & Guidance Department of Treasury OFAC Of Interest to Non-US Persons Russia Ukraine Ukraine Invasion G7 OFAC Sanctions

  • FTC hosts forum on commercial surveillance and lax data security practices

    Federal Issues

    On September 8, the FTC hosted a forum regarding its Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices. As previously covered by InfoBytes, the ANPR was issued in August to solicit public comment on “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR noted that there is increasing evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms. The forum featured remarks by FTC Chair Lina M. Khan, Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, as well as a staff presentation, two panel discussions, and comments from the public. Chair Khan noted in her remarks that the discussion and comments at the forum will be critical in determining the evidentiary basis for proceeding with a rulemaking and the legal requirements needed for crafting any particular type of rule. However, some observers expressed concern that the FTC’s ANPR could undermine efforts to pass federal privacy legislation. Slaughter noted in her remarks that she “support[s] strong federal privacy legislation, but until there’s a law on the books, the commission has a duty to use all the tools we have to investigate and address unlawful behavior in the market.” Commissioners Slaughter and Bedoya also expressed the need for public engagement to understand commercial surveillance.

    The first panel focused on industry perspectives on commercial surveillance and data security. When asked about some of the best practices or potential business models developed by businesses to mitigate consumer harm and protect data, a panelist noted that there are many approaches underway, but the guiding principle is that the process of documentation supports transparency by prompting processes and critical thinking of each step in the machine learning lifecycle. One panelist expressed concerns about businesses tracking personal data, stating that because retailers collect information about their customers when they make purchases online and may recommend related offerings, regulators “should not interfere with these direct relationships.” Another panelist warned against treating all data collection and processes equally, stressing that the FTC should use its enforcement tools against third parties.

    The second panel featured consumer advocates discussing interests, concerns, risks, and harms related to commercial surveillance, in addition to mitigating consumer harms and protecting data. The advocates noted, among other things, that the FTC should impose heightened safeguards on sensitive data, such as precise location records and information associated with children. Additionally, the panelists advocated for establishing a regulation and broadening the FTC’s Section 5 unfairness authority that limits widescale tracking. Specifically, one panelist discussed how the FTC should approach a data minimization rule under Section 5, recommending that such a rule should ban secondary use and third-party disclosures. In regard to combating discrimination through data collection and advertising, a panelist noted that shifting data protection responsibilities from individuals onto companies could play an important part in ensuring that data-driven algorithms that deliver ads or content are not discriminating against consumers.

    Federal Issues Agency Rule-Making & Guidance Privacy, Cyber Risk & Data Security FTC Advertisement Endorsements Consumer Protection

  • OCC issues expectations for protecting non-public information

    On September 7, the OCC issued Bulletin 2022-21, Information Security: Expectations for Protecting Non-public OCC Information on Institution- or Other Non-OCC-Owned or Managed Video Teleconferencing Services, outlining its expectations for protecting non-public OCC information shared on video teleconferencing services that are operated or managed by an institution or any other party. The OCC reiterated that banks and other parties in possession of such information are prohibited from disclosure without the agency’s prior approval, except under certain limited circumstances. Further, the prohibition extends to the disclosure of information displayed, processed, stored, or transmitted by information systems, including video teleconferencing services. The Bulletin states that non-public OCC information is the property of the OCC and includes, among other things: (i) “OCC reports of examination, including ratings such as CAMELS and the Uniform Rating System for Information Technology ratings”; (ii) “supervisory correspondence”; (iii) “institution responses to supervisory correspondence”; (iv) “investigatory files”; and (v) “certain enforcement-related information, including matters requiring attention.” The OCC also listed several security expectations for any videoconference in which non-public OCC information will be communicated, which include using an encrypted connection, moderating the meetings, making no recordings or transcriptions, and ensuring the videoconference service is securely configured and routinely patched to protect against cyber intrusion and data loss.

    Bank Regulatory Federal Issues OCC Agency Rule-Making & Guidance Supervision Privacy, Cyber Risk & Data Security

  • SEC warns Chinese companies against switching auditors to avoid compliance

    Securities

    On September 6, SEC acting Chief Accountant Paul Munter issued a warning to Chinese companies that they may face enforcement actions if, to remain listed in the U.S., they switch to auditing firms that do not follow applicable standards. Munter pointed to instances of foreign issuers, especially those located in China or Hong Kong, “changing their lead auditor from a local registered public accounting firm to a registered public accounting firm located either in the U.S. or elsewhere, generally within the same network.” According to Munter, these types of arrangements create “special challenges that raise questions about whether the newly engaged registered public accounting firms—whether located in the U.S. or elsewhere—will be able to satisfy their responsibilities to serve as the lead auditor.” Munter noted that the U.S. Public Company Accounting Oversight Board (PCAOB), the China Securities Regulatory Commission, and the Ministry of Finance of the People’s Republic of China recently signed a Statement of Protocol governing inspections and investigations of audit firms based in China or Hong Kong. He said, however, that certain issuers based in China and Hong Kong have started structuring audits with registered public accounting firms located either in the U.S. or elsewhere “to avoid the potential of consecutive PCAOB [Holding Foreign Companies Accountable Act] determinations and a potential resultant trading prohibition.” Issuers and firms looking to avoid compliance could face investigations and enforcement actions by the PCAOB, the SEC, or both.

    Securities Agency Rule-Making & Guidance Financial Crimes China Audit

  • FDIC updates risk management, consumer compliance examination policies

    Recently, the FDIC updated Section 2.1 of its Risk Management Manual of Examination Policies related to capital. The FDIC noted that since capital adequacy assessments are central to the supervisory process, examination staff “evaluate all aspects of a financial institution’s risk profile and activities to determine whether its capital levels are appropriate and in compliance with minimum regulatory requirements.” This includes examining a financial institution’s capital ratios, risk-weighted assets, regulatory capital requirements, community bank leverage ratios, capital adequacy (including liquidity, earnings, and market risk), and adherence to laws and regulations. The FDIC also announced updates to the Privacy—Telephone Consumer Protection Act section within its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff evaluating financial institutions’ compliance with federal consumer protection laws and regulations.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC Compliance Examination Risk Management Supervision

  • RHS finalizes changes to Single-Family Housing Guaranteed Loan Program

    Agency Rule-Making & Guidance

    On August 31, the Rural Housing Service (RHS) issued a final rule in the Federal Register announcing changes to the Single-Family Housing Guaranteed Loan Program (SFHGLP). The final rule, among other things, updates the requirements for federally supervised lenders, minimum net worth and experience for non-supervised lenders, approved lender participation requirements, handling of applicants with delinquent child support payments, and builder credit requirements. Specifically, the rule establishes that lenders not supervised by federal banking agencies must have “a minimum adjusted net worth of $250,000, or at least $50,000 in working capital plus one percent of the total volume in excess of $25 million in guaranteed loans originated, serviced or purchased during the lender’s prior fiscal year, up to a maximum $2.5 million.” The final rule also requires one or more lines of credit with a minimum aggregate of $1 million, and clarifies that lenders must meet applicable requirements in order to begin and continue participation in the SFHGLP. The final rule is effective November 29.

    Agency Rule-Making & Guidance Rural Housing Service Lending

  • SEC releases draft regulatory strategic plan

    Securities

    Recently, the SEC released its draft FY 2022-2026 strategic plan, which focuses on goals related to protecting families against fraud and misconduct, supporting a diverse and inclusive workforce, and developing a regulatory framework that keeps pace with ever-evolving markets, business models, and technologies. The SEC noted that it plans to continue to update its disclosure framework to meet investors’ demands for information related to issuers’ climate risks and cybersecurity hygiene policies to ensure informed investment decisions are made. The draft strategic plan also discussed market risks associated with cybersecurity threats and cross-border challenges, and called on the SEC to coordinate with foreign financial regulators. The SEC also stated it plans to update existing rules and approaches to better “reflect evolving technologies, business models, and capital markets,” and intends to examine strategies for addressing systemic and infrastructure risks faced by capital markets and market participants.

    Securities Agency Rule-Making & Guidance Privacy, Cyber Risk & Data Security Fintech

  • FINRA reminds firms of their obligation to supervise digital signatures

    Agency Rule-Making & Guidance

    Recently, FINRA issued Regulatory Notice 22-18 reminding member firms of their obligation to supervise for digital signature forgery and falsification. FINRA reported it has received a rising number of reports claiming registered representatives and associated persons have been forging or falsifying customer signatures, as well as those of colleagues or supervisors in some instances. Issues have been flagged in “account opening documents and updates, account activity letters, discretionary trading authorizations, wire instructions and internal firm documents related to the review of customer transactions.” FINRA advised member firms to review outlined methods and scenarios for identifying digital signature forgery or falsification in order to mitigate risk and meet regulatory obligations.

    Agency Rule-Making & Guidance Federal Issues FINRA Compliance Risk Management
