InfoBytes Blog

Financial Services Law Insights and Observations

  • NYDFS amends cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”

    Some changes within the proposed amended regulation include:

    • New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements on top of the general requirements that apply to all covered entities. This includes, among other things, a requirement that a Class A company’s cybersecurity program be audited annually by an external auditor. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of the covered entity and its affiliates in New York) that also have either (i) more than 2,000 employees averaged over the last two fiscal years (counting both the covered entity and all of its affiliates, regardless of location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of the covered entity and all of its affiliates).
    • Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
      • The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
      • The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
      • The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
      • If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
    • Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. Alternatively, the proposed amended regulation would allow a covered entity to provide a written acknowledgement that it did not fully comply with the regulation, describing the areas of noncompliance (including the areas, systems, and processes that require material improvement, updating, or redesign) together with a remedial plan and a timeline for its implementation.
    • Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
    • Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
    • Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
      • Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory.  At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
      • Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
      • Multi-Factor Authentication: The proposed amendment expands the types of accounts and access that require multi-factor authentication, to include all privileged accounts.
      • Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
    • Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures that would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or of the “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent, within 90 days of the notice of the cybersecurity event, “any information requested regarding the investigation of the cybersecurity event.” In addition, entities would be required to alert the Department within 24 hours of making a ransom payment and, within 30 days, to explain the reasons that necessitated the payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
    • Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.

    The proposed amended regulation is subject to a 60-day comment period beginning on November 8th upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. After the comment period ends, NYDFS will review the comments received and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply, except as otherwise specified.

    See continuing InfoBytes coverage on 23 NYCRR Part 500 here.

    Privacy, Cyber Risk & Data Security Bank Regulatory Agency Rule-Making & Guidance State Issues New York NYDFS 23 NYCRR Part 500

  • Fed asks for comments on publicizing FRB master accountholders

    On November 4, the Federal Reserve Board issued a notice and request for comment seeking feedback on proposed amendments to its Guidelines for Evaluating Account and Services Requests. Specifically, the proposed amendments would require the Federal Reserve Banks to publish a periodic list of depository institutions that have access to Reserve Bank accounts (often known as “master accounts”) and payment services. In August, the Fed adopted final guidance establishing “a transparent, risk-based, and consistent set of factors for Reserve Banks to use in reviewing requests to access these accounts and payment services.” Recognizing that the longstanding practice of both the Fed and the Reserve Banks “has been to not disclose account-related information to the general public on the basis that such information is considered confidential business information,” the Fed said it is considering “the potential benefits of expanding the disclosure of the names of institutions that have access to accounts and services” following comments received from stakeholders that called for greater public disclosure of account-related information. Comments are due 60 days after publication in the Federal Register.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance Federal Reserve Banks

  • FDIC’s Gruenberg discusses CRA rulemaking

    On November 2, FDIC acting Chairman Martin J. Gruenberg delivered remarks before the National Association of Affordable Housing Lenders to address ongoing Community Reinvestment Act (CRA) rulemaking, the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households, and challenges from nonbank payment services. In his remarks, Gruenberg referenced the pending notice of proposed rulemaking (NPR) on the CRA issued in May by the FDIC, OCC, and the Federal Reserve Board (collectively, “agencies”). As previously covered by InfoBytes, the NPR would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. Gruenberg stated that the agencies are committed to strengthening the law’s impact and “increasing transparency and predictability in its application,” and said the FDIC is currently reviewing approximately 1,000 unique comments received in response to the NPR. Gruenberg also discussed the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households. According to the biennial survey, an estimated 4.5 percent of U.S. households (representing 5.9 million households) lack a bank or credit union account, the lowest national unbanked rate since the FDIC survey began in 2009 (covered by InfoBytes here). Gruenberg noted that the survey found that the rate of unbanked households decreased consistently over the past decade, from 8.2 percent in 2011 to 4.5 percent in 2021. He also said that the survey indicated that 14.1 percent of households were underbanked, although demand for several nonbank products and services decreased. Gruenberg further commented that the survey revealed regulatory challenges in light of the array of options available to consumers, specifically nonbank online payment services.

    He explained that though “banked households were significantly more likely to use nonbank online payments services than unbanked households, the most common use cases were quite different between the two groups. Banked households most commonly reported that they used these services primarily to send or receive money from family or friends and to make online purchases, as a complement to a bank account. In contrast, the most common use cases among unbanked households revealed that they were using these services as they might otherwise have used bank accounts: paying bills, receiving income and as a vehicle to save or keep money safe.”

    Bank Regulatory Federal Issues FDIC CRA Unbanked Consumer Finance Nonbank

  • FDIC releases September enforcement actions

    On October 28, the FDIC released a list of administrative enforcement actions taken against banks and individuals in September. During the month, the FDIC made public 12 orders consisting of “two consent orders, five orders of prohibition, two orders to pay a civil money penalty, two orders of termination of insurance, and one section 19 order.” The FDIC also publicly released an order to pay a civil money penalty taken against an Illinois-based bank related to alleged violations of the Flood Disaster Protection Act and the National Flood Insurance Act for failure to follow lender placement flood insurance procedures in 13 instances. The order requires the payment of an $11,625 civil money penalty.

    Bank Regulatory Federal Issues FDIC Enforcement Flood Disaster Protection Act National Flood Insurance Act Mortgages

  • FFIEC updates 2018 Cybersecurity Resource Guide for Financial Institutions

    On October 27, the FDIC issued FIL-50-2022 related to recent updates made to the Federal Financial Institutions Examination Council’s (FFIEC) 2018 Cybersecurity Resource Guide for Financial Institutions. The FFIEC guide is designed to assist financial institutions in meeting their security control objectives and preparing to respond to cyber incidents. The FFIEC guide includes updates to certain references as well as new ransomware-specific resources to address the ongoing threat of ransomware incidents.

    Bank Regulatory Federal Issues Privacy, Cyber Risk & Data Security FDIC FFIEC

  • OCC to establish Office of Financial Technology

    On October 27, the OCC announced it intends to establish an Office of Financial Technology early next year that will build on and incorporate the agency’s Office of Innovation (established in 2016 and covered by InfoBytes here). Intended to strengthen the OCC’s expertise and ability to adapt to a rapidly evolving banking landscape, the Office of Financial Technology will provide strategic leadership, vision, and perspective for the agency’s financial technology activities and related supervision. The new office will be led by a chief financial technology officer who will be a deputy comptroller reporting to the senior deputy comptroller for bank supervision policy. “Financial technology is changing rapidly and bank-fintech partnerships are likely to continue growing in number and complexity. To ensure that the federal banking system is safe, sound, and fair today and well into the future, we need to have a deep understanding of financial technology and the financial technology landscape,” acting Comptroller of the Currency Michael J. Hsu said. “The establishment of this office will enable us to be more agile and to promote responsible innovation, consistent with our mission.”

    Bank Regulatory Federal Issues Fintech OCC Innovation Supervision

  • NYDFS revises state CRA regulations

    State Issues

    On October 26, NYDFS released revisions to its proposed state Community Reinvestment Act regulation, which would allow the Department to obtain the necessary data to evaluate the extent to which New York-regulated banking institutions are serving minority- and women-owned businesses in their communities. The revised proposed regulation addresses comments received during a prior 60-day comment period that began last November (covered by InfoBytes here), and is intended to minimize compliance burdens by making sure the regulation’s proposed language complements requirements in the CFPB’s proposed rulemaking for collecting data on credit access for small and minority- and women-owned businesses. Among other things, the revised proposed regulation would require regulated entities to inquire as to whether a business applying for a loan or credit is minority- or women-owned or both, and to submit a report to the Department providing application details, such as the date, the type of credit applied for and the amount, whether the application was approved or denied, and the size and location of the business. Additionally, the revised proposed regulation (i) establishes processes for regulated entities when soliciting, collecting, storing, and reporting information related to their provision of credit to minority- and women-owned businesses, including when requests for information should be made, and notifications informing applicants of their right to refuse to provide information in response to a request and that the provided information may not be used for any discriminatory purpose; (ii) provides that, to the extent feasible, underwriters should not be able to access information provided by an applicant; (iii) stipulates how long a regulated entity is required to preserve gathered information; and (iv) provides a sample data collection form that regulated entities may choose to use.

    According to NYDFS, the revisions are designed to make sure regulated entities abide by fair lending laws when collecting and submitting the necessary data. Comments will be accepted for 45 days following publication in the State Register.

    State Issues Bank Regulatory Agency Rule-Making & Guidance NYDFS New York New York CRA Fair Lending

  • FDIC finds 96% of U.S. households are banked

    On October 25, the FDIC announced that approximately 96 percent of U.S. households had a depository institution account in 2021, according to the FDIC’s 2021 National Survey of Unbanked and Underbanked Households. According to the biennial survey, an estimated 4.5 percent of U.S. households (representing 5.9 million households) lacked a bank or credit union account, the lowest national unbanked rate since the FDIC survey began in 2009. The survey also found that approximately 1.2 million more households were banked than in 2019. Nearly half of newly banked households that received government payments said these payments contributed to their decision to open an insured bank or credit union account. The survey also found that while unbanked rates were higher among some racial and ethnic minority groups, the gaps had shrunk since 2019, with the unbanked rate falling by 2.5 percentage points for Black households, 2.9 points for Hispanic households and 9.4 points for Native American and Alaska Native households, compared with a 0.4 point decrease for white households. According to the FDIC, other key findings include that: (i) 4.5 percent of U.S. households were “unbanked” in 2021; (ii) 2.1 percent of white households were unbanked, compared with 11.3 percent of Black households and 9.3 percent of Hispanic households; (iii) mobile banking use increased sharply among banked households between 2017 (15.1 percent) and 2021 (43.5 percent); (iv) 21.7 percent of unbanked households cited “don’t have enough money to meet minimum balance” as the main reason for not having an account; and (v) the use of some nonbank financial transaction services, such as check cashing, and nonbank credit products, including payday or pawn shop loans, continues to decrease.

    The FDIC noted that its #GetBanked initiative (covered by InfoBytes here) was a way to inform consumers about how to open a bank account online and to facilitate the safe and timely distribution of Economic Impact Payments through direct deposit. The FDIC requested that community groups and government agencies “join the movement and help bring more people into the banking system.”

    Bank Regulatory Federal Issues FDIC Unbanked Consumer Finance

  • FDIC announces Illinois disaster relief

    On October 25, the FDIC issued FIL-49-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Illinois affected by severe storms and flooding from July 25-28. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.

    Bank Regulatory Federal Issues FDIC Disaster Relief Consumer Finance Illinois CRA Mortgages

  • FDIC’s Gruenberg discusses the prudential regulation of crypto assets

    On October 20, FDIC acting Chairman Martin J. Gruenberg spoke before the Brookings Institution on the prudential regulation of crypto-assets. In his remarks, Gruenberg first discussed banking, innovation, and crypto-assets, which he defined as “private sector digital assets that depend primarily on the use of cryptography and distributed ledger or similar technologies.” He stated that innovation “can be a double-edged sword,” noting that subprime mortgages, subprime mortgage-backed securities, collateralized debt obligations and credit default swaps were considered financial innovations before they were “at the center of the Global Financial Crisis of 2008.” Gruenberg further observed that such innovations resulted in catastrophic failure because, among other things, consumers and industry participants did not fully understand their risks, which were downplayed or intentionally ignored. He then provided an overview of the FDIC’s approach to engaging with banks as they consider crypto-asset related activities, and the potential benefits, risks, and policy questions related to the possibility that a stablecoin could be developed that would allow for reliable, real-time consumer and business payments. He stated that “[f]rom the perspective of a banking regulator, before banks engage in crypto-asset related activities, it is important to ensure that: (a) the specific activity is permissible under applicable law and regulation; (b) the activity can be engaged in a safe and sound manner; (c) the bank has put in place appropriate measures and controls to identify and manage the novel risks associated with those activities; and (d) the bank can ensure compliance with all relevant laws, including those related to anti-money laundering/countering the financing of terrorism, and consumer protection.”

    Gruenberg pointed to an April financial institution letter from the FDIC (covered by InfoBytes here), which requested banks to notify the agency if they engage in crypto asset-related activities. He added that as the FDIC and other federal banking agencies develop a better understanding of the risks associated with crypto-asset activities, “we expect to provide broader industry guidance on an interagency basis.” Regarding crypto-assets and the current role of stablecoins, Gruenberg noted that payment stablecoins could be significantly safer than available stablecoins if they were subject to prudential regulation, including issuing payment stablecoins through a bank subsidiary. He cautioned that disclosure and consumer protection issues should be “carefully” considered, especially if custodial wallets are allowed outside of the banking system as a means for holding and conducting transactions. Specifically, he said that “payment stablecoin and any associated hosted or custodial wallets should be designed in a manner that eliminates—not creates—barriers for low- and moderate-income households to benefit from a real-time payment system.” Gruenberg added that if a payment stablecoin system is developed, it should complement the Federal Reserve's forthcoming FedNow service—a faster payments network that is on track to launch between May and July of next year—and the potential future development of a U.S. central bank digital currency. In conclusion, Gruenberg stated that although federal banking agencies have significant authority to address the safety, soundness and financial stability risks associated with crypto assets, there are “clear limits to our authority, especially in certain areas of consumer protection as well as the provision of wallets and other related services by non-bank entities.”

    Bank Regulatory Federal Issues Fintech Cryptocurrency FDIC Digital Assets Stablecoins Payments CBDC
