
InfoBytes Blog

Financial Services Law Insights and Observations


  • Third Circuit Affirms District Court's Decision Asserting FTC's Authority over Companies' Data Security Practices

    Privacy, Cyber Risk & Data Security

    On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015). The unanimous ruling found that deficient cybersecurity practices that fail to protect consumer data against hackers may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers. Wyndham argued that it lacked fair notice that the FTC had the authority to police data security practices under Section 5, but the Third Circuit disagreed, pointing out that the FTC has offered specific public guidance on data security over the years, and has filed multiple complaints and consent decrees raising unfairness claims based on inadequate cybersecurity that put companies on notice of its enforcement authority in this space.

     

    FTC Privacy/Cyber Risk & Data Security

  • OCC Comptroller Talks Future of Financial Services, Eyes FinTech Industry

    Privacy, Cyber Risk & Data Security

    On August 7, OCC Comptroller Thomas Curry delivered remarks at the Federal Home Loan Bank of Chicago, which was hosting a conference highlighting the future of financial services. Specifically, Curry discussed innovation in the emerging financial technology industry, or “fintech,” noting the risks and benefits associated with mobile payments, virtual currency, and peer-to-peer lending products within the U.S. banking system. With respect to virtual currency, Curry stressed how important it is for financial institutions to implement adequate procedures to deter money laundering and terrorist financing. Curry also recognized that the OCC is “still early in the process” of evaluating a regulatory framework to examine some new and innovative products and services. Rounding out his remarks, Curry expressed his growing concerns with so-called “neobanks,” which operate primarily online but provide similar services to brick-and-mortar retail branch banks, including the heightened privacy risks that neobanks present in light of recent cybersecurity attacks.

    Nonbank Supervision OCC Mobile Payment Systems Consumer Lending Virtual Currency Fintech Privacy/Cyber Risk & Data Security

  • Comptroller Talks Interest Rate, Compliance, and Cybersecurity Risks Facing Financial Institutions

    Privacy, Cyber Risk & Data Security

    On July 24, OCC Comptroller Curry delivered remarks before the New England Council in Boston, MA regarding the risks that financial institutions face today. Rising interest rates and regulatory compliance were two of the three risks discussed. Curry emphasized that the inevitable rise in interest rates could greatly affect loan quality, particularly loans that were not carefully underwritten to begin with, and that “[l]oans that are typically refinanced, such as leveraged loans,” would be particularly severely affected. Recognizing the impact that Dodd-Frank continues to have on banks, Curry said that financial institutions face two categories of risk from new regulations: (i) “banks run afoul of the new regulations, possibly damaging their reputations and subjecting themselves to regulatory penalties”; and (ii) banks devote their time and money to regulatory compliance, rather than putting those resources toward serving their customers and communities. The final and “perhaps the foremost risk facing banks today,” according to Curry, is cyber threats. Curry outlined the agency’s efforts to curtail cyber intrusion in the banking industry, highlighting the June 30 release of its Semiannual Risk Assessment and the creation of a Cybersecurity and Critical Infrastructure Working Group, which was designed to (i) increase cybersecurity awareness; (ii) promote best practices; and (iii) strengthen regulatory oversight of cybersecurity readiness.

    Curry noted, however, that information-sharing is just as important as self-assessment and supervisory oversight: “We strongly recommend … that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center, a non-profit information-sharing forum established by financial services industry participants to facilitate the sharing of physical and cyber threat and vulnerability information.” Collaboration among banks of all sizes and non-bank providers, Curry stated, can be a “game-changer” in more ways than one: “By promoting the discovery of common interests and common responses to the risks that you face in your businesses and we all face together, you provide an invaluable service to New England and to the United States.”

    Dodd-Frank OCC Bank Compliance Privacy/Cyber Risk & Data Security

  • U.S. Senators Introduce Automobile-Focused Cybersecurity Legislation

    Privacy, Cyber Risk & Data Security

    On July 21, Senators Blumenthal (D-CT) and Markey (D-MA) introduced legislation, the Security and Privacy in Your Car Act (“SPY Car” Act), that would protect drivers’ privacy while allowing them to remain connected to the growing technological advances in the automobile industry. In addition to directing the National Highway Traffic Safety Administration (NHTSA) and the FTC to develop federal cybersecurity and privacy standards that would secure motor vehicles manufactured for sale in the United States and protect drivers, the SPY Car Act seeks to establish a rating system, or “cyber dashboard,” that “informs consumers about how well the vehicle protects drivers’ security and privacy” beyond the minimum standards potentially set by the NHTSA and the FTC. Among the cybersecurity standards outlined in the SPY Car Act are requirements that motor vehicles: (i) be equipped with reasonable measures to protect against hacking attacks; (ii) maintain the ability to reasonably secure data collected within electronic systems; and (iii) be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle. With regard to privacy standards, the legislation proposes the following: (i) transparency, such that owners or lessees are explicitly aware of the collection, transmission, retention, and use of driving data; (ii) consumer choice, allowing owners or lessees to opt out of data collection and retention without losing access to other features, such as key navigation; and (iii) marketing prohibition, which would ban companies from using personal driving information for advertising purposes without obtaining the affirmative express consent of the owner or lessee.

    The introduction of the SPY Car Act follows Senator Markey’s 2015 Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk report, which showed gaps in the auto industry’s ability to prevent hackers from accessing internet-connected features in vehicles.

    Auto Finance U.S. Senate Privacy/Cyber Risk & Data Security

  • Treasury Deputy Secretary Raskin Delivers Remarks on Cybersecurity in the Financial Sector

    Privacy, Cyber Risk & Data Security

    On July 14, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the American Bankers Association Summer Leadership meeting in Baltimore. Speaking on cybersecurity and cyber-resiliency in banking and the financial sector generally, Raskin’s remarks continued her December 2014 remarks in Austin at the Executive Leadership Cybersecurity Conference regarding three main areas, including (i) baseline protections, (ii) information sharing, and (iii) response recovery. According to Raskin, since December the growing number of cyberattacks – including against health insurers and the federal government’s Office of Personnel Management – has made the government and public more mindful of the serious threat posed by cyberattacks. Accordingly, cybersecurity has seen a “profoundly positive cultural change,” moving beyond just the purview of IT specialists. Deputy Secretary Raskin’s most recent remarks added 10 follow-up questions for banks and financial entities to consider, including whether cybersecurity is incorporated into the bank’s governance systems, security controls are tailored to specific cyber risks presented (as opposed to a “one-size fits all” approach), enhanced controls are implemented and adequate training provided, and basic “cyber hygiene” practices (including multi-factor authentication) are followed.  Raskin also emphasized the need to appropriately tailor cyber risk insurance.

    Privacy/Cyber Risk & Data Security Department of Treasury Cyber Insurance

  • White House Provides Update on 2015 Cybersecurity Initiatives

    Privacy, Cyber Risk & Data Security

    On July 9, the White House released a fact sheet regarding the Administration’s 2015 cybersecurity efforts “both domestic and international, to improve our cyber defenses, enhance our response capabilities, and upgrade our incident management tools.” More specifically, these include (i) supporting the private sector; (ii) enhancing federal cybersecurity; (iii) developing new policies and capabilities to identify, defend against, and counter malicious cyber actors; and (iv) engaging internationally. Among the private sector achievements are new legislative proposals; the Department of Defense and Department of Homeland Security (DHS) opening offices in Silicon Valley; and the increase in information sharing between the private sector and government, including DHS’s initiative to develop an automated system for sharing cyber threat indicators. The federal achievements include continual cross-agency efforts to improve how the government conducts background investigations. The new policy achievements include imposing financial sanctions on those participating in malicious cyber-enabled activities threatening national security, strengthening national defense, and creating new cybersecurity laws. Finally, the international accomplishments include the President’s efforts to bolster international commitments and law enforcement, and to strengthen the country’s global leadership role in cybersecurity.

    Privacy/Cyber Risk & Data Security Obama

  • FFIEC Releases Cybersecurity Assessment Tool

    Privacy, Cyber Risk & Data Security

    As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.

    Privacy/Cyber Risk & Data Security FFIEC Bank Supervision Risk Management

  • OCC Releases Semiannual Report Highlighting Key Risks Facing National Banks and Federal Savings Associations

    Privacy, Cyber Risk & Data Security

    Today, the OCC announced the release of its semiannual report, Semiannual Risk Perspective for Spring 2015, highlighting key risk areas affecting national banks and federal savings associations. Based on 2014 year-end data, the report identifies issues that pose a potential threat to the safety and soundness of banks and thrifts.  It also sets forth the OCC’s supervisory priorities for the next 12 months, including, among others, (i) cybersecurity awareness and preventative controls, (ii) Bank Secrecy Act/Anti-Money Laundering compliance, (iii) fair access to credit, and (iv) underwriting practices, particularly with respect to leveraged loans, indirect auto lending, HELOCs, and credit related to the oil and gas sector.  The report also notes declining revenues and profitability overall in OCC-supervised institutions.

    OCC Anti-Money Laundering Bank Secrecy Act Semiannual Risk Report Bank Supervision Risk Management Privacy/Cyber Risk & Data Security

  • August 10 Deadline Set for New York Virtual Currency Firms to Apply for BitLicense

    Fintech

    On June 24, the New York State Register published the Department of Financial Services’ BitLicense framework, requiring companies and individuals who provide virtual currency services involving New York or a New York Resident to apply for a BitLicense by August 10, 2015. Virtual currency firms must submit the 31-page application providing information including, among other things, (i) written policies and procedures including, but not limited to, BSA/AML, cybersecurity, privacy and information security, (ii) company information, (iii) biographical information on company directors and stockholders, and (iv) an explanation of the methodology used to calculate the value of virtual currency in fiat currency. In addition, the NYDFS released a set of FAQs to help clarify the BitLicense requirements.

    Virtual Currency Digital Commerce NYDFS

  • OCC Comptroller Discusses Emerging Payment Systems Technology and Cybersecurity, FFIEC Set to Release Cybersecurity Assessment Tool

    Privacy, Cyber Risk & Data Security

    On June 3, in prepared remarks delivered at the BITS Emerging Payments Forum, OCC Comptroller Thomas Curry advised that as financial institutions continue to develop payment systems, banks need better preparation for potential cyber-risks. Curry warned that “[c]yber criminals will also probe emerging payment systems for vulnerabilities that they can exploit to engage in money laundering[.]” In addition, Curry advocated for more regulatory oversight of digital currencies and non-bank mobile payment providers, such as Apple Pay and Google Wallet. Addressing cybersecurity concerns, Curry called for increased information-sharing to promote best practices and strengthen cybersecurity readiness among the banking industry. In particular, he urged financial institutions – of all sizes – to participate in the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a non-profit founded by the banking industry to facilitate the sharing and dissemination of cybersecurity threat information. Moreover, Curry confirmed that the FFIEC will soon be releasing a Cybersecurity Assessment Tool for financial institutions to use when evaluating their cybersecurity risks and risk management capabilities, observing that the tool will be particularly helpful to community banks as cybersecurity threats continue to increase.

    Payment Systems Nonbank Supervision OCC FFIEC Mobile Payment Systems Privacy/Cyber Risk & Data Security
