
InfoBytes Blog

Financial Services Law Insights and Observations


  • Biden administration releases National Cybersecurity Strategy

    Privacy, Cyber Risk & Data Security

    On March 2, the Biden administration announced the release of its National Cybersecurity Strategy (Strategy) in a continued effort to provide a safe and secure digital ecosystem for Americans. The Strategy, which expands on other steps taken by the administration in this space (covered by InfoBytes here), focuses on several key pillars for building and enhancing collaboration, including:

    • Defending critical infrastructure. The Strategy will expand the use of minimum cybersecurity requirements in critical sectors, harmonize regulations to reduce compliance burdens, ensure public-private collaboration is able to defend critical infrastructure and essential services, and defend and modernize federal networks and incident response policies.
    • Disrupting and dismantling threat actors. Under the Strategy, tools will be strategically employed to disrupt adversaries, and the private sector will be used to disrupt activities. Ransomware threats will also be addressed through a comprehensive federal approach “in lockstep” with international partners.
    • Shaping market forces to drive security and resilience. In an effort “to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable,” the Strategy proposes to (i) promote privacy and security of personal data; (ii) “[shift] liability for software products and services to promote secure development practices”; and (iii) ensure investments in new infrastructure are supported by federal grant programs.
    • Investing in a resilient future. The Strategy promotes coordinated, collaborative actions for reducing systemic technical vulnerabilities across the digital ecosystem and improving resiliency against transnational digital repression. The Strategy also prioritizes cybersecurity research and development for emerging technologies, including postquantum encryption, digital identity solutions, and clean energy infrastructure, and stresses the importance of developing a diverse, robust national cyber workforce.
    • Forging international partnerships to pursue shared goals. The Strategy intends to leverage international coalitions and partnerships to counter threats to the digital ecosystem through the use of joint preparedness, response, and cost imposition, which will enable partners to better defend themselves against cyber threats. The U.S. will also work with international partners to create secure, reliable global information and communications technology supply chains and operational technology products and services.

    While “next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies,” the announcement warned that state and non-state actors are developing and executing campaigns that threaten the digital ecosystem. The Biden administration’s Strategy aims to address those threats.

    Privacy, Cyber Risk & Data Security Federal Issues Biden Of Interest to Non-US Persons Fintech

  • Illinois announces new consumer protections for digital assets, proposes new money transmitter licensing provisions

    State Issues

    On February 21, the Illinois Department of Financial and Professional Regulation (IDFPR) announced several legislative initiatives to establish consumer protections for cryptocurrencies and other digital assets and provide regulatory oversight of the broader digital asset marketplace. The Fintech-Digital Asset Bill (see HB 3479) would create the Uniform Money Transmission Modernization Act and provide for the regulation of digital asset businesses and modernize regulations for money transmission in the state. Among other things, the Fintech-Digital Asset Bill would require digital asset exchanges and other digital asset businesses to obtain a license from IDFPR to operate in the state. The bill also establishes various requirements for businesses, including investment disclosures, customer asset safeguards, and customer service standards. Companies would also be required to implement cybersecurity measures, as well as procedures for addressing business continuity, fraud, and money laundering. Notably, the Fintech-Digital Asset Bill replaces and supersedes the Transmitters of Money Act (see 205 ILCS 657) with the Money Transmission Modernization Act, in order to harmonize the licensing, regulation, and supervision of money transmitters operating across state lines. Provisions also amend the Corporate Fiduciary Act to allow for the creation of trust companies for the special purpose of acting as a fiduciary to safeguard customers’ digital assets, the announcement noted.

    The Consumer Financial Protection Bill (see HB 3483) would grant the IDFPR authority to enforce the Fintech-Digital Asset Bill and strengthen the department’s authority and resources for enforcing existing consumer financial protections. Modeled after the Dodd-Frank Act, the Consumer Financial Protection Bill empowers the IDFPR with the ability to target unfair, deceptive, and abusive acts and practices by unlicensed financial services providers. The bill creates the Consumer Financial Protection Law and the Financial Protection Fund, and establishes provisions related to supervision, registration requirements, consumer protection, cybersecurity, anti-fraud and anti-money laundering, enforcement, procedures, and rulemaking. The Consumer Financial Protection Bill also includes provisions concerning court orders, penalty of perjury, character and fitness of licensees, and consent orders and settlement agreements, and makes amendments to various application, license, and examination fees. The bill does so by amending the Collection Agency Act, Currency Exchange Act, Sales Finance Agency Act, Debt Management Service Act, Consumer Installment Loan Act, and Debt Settlement Consumer Protection Act.

    State Issues Digital Assets Privacy, Cyber Risk & Data Security Licensing Illinois State Regulators State Legislation Money Service / Money Transmitters Enforcement Fintech Consumer Finance

  • Bowman discusses bank and third-party cyber risk management expectations

    On February 15, Federal Reserve Board Governor Michelle W. Bowman delivered remarks at the Midwest Cyber Workshop, during which she discussed topics related to third-party service provider reliance and regulatory expectations concerning cyber risk management. “While we expect banks to be in touch with us when an event happens, cyber events should not be the first time a cyber-risk conversation occurs between a bank and its regulator.” Community banks frequently cite cybersecurity as one of the top risks facing the banking industry, Bowman said, adding that bankers have mentioned difficulties in attracting and retaining the staff needed to mitigate cyber risk. She also noted that ransomware disproportionately impacts smaller banks that might not “have sufficient resources to protect against these attacks.”

    Pointing out that banks are becoming increasingly reliant on third-party service providers, Bowman said regulators should “consider the appropriateness of shifting the regulatory burden from community banks to more efficiently focus directly on service providers.” Regulators have authority to do so under the Bank Service Company Act, Bowman said, adding that “[i]n a world where third parties are providing far more of these services, it seems to me that these providers should bear more responsibility to ensure the outsourced activities are performed in a safe and sound manner.” She also referenced a 2021 final rule that requires banks to notify their primary federal regulator of a significant computer-security incident no later than 36 hours after the banking organization determines that such an incident has occurred (covered by InfoBytes here). The reporting process, Bowman said, is also intended to streamline small banks’ efforts to monitor service providers, which are required under the same rule to notify a bank-designated point of contact at each affected customer bank when a computer-security incident has occurred.

    “We look forward to working with you to assist in clarifying expectations, applying regulatory guidance or seeking feedback on cyber-risk management strategies,” Bowman said. “We encourage bank management teams to engage with regulatory points of contact whenever questions arise on cybersecurity matters just as with any other regulatory matter.”

    Bank Regulatory Federal Issues Privacy, Cyber Risk & Data Security Third-Party Federal Reserve

  • California’s privacy agency finalizes CPRA regulations

    Privacy, Cyber Risk & Data Security

    On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, who will have 30 working days to review and approve or disapprove the regulations. As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July 2022, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here).

    According to the CPPA’s final statement of reasons, the proposed final regulations (which are substantially similar to the version of the proposed regulations circulated in November) address comments received by stakeholders, and include the following modifications from the initial proposed text:

    • Amending certain definitions. The proposed changes would, among other things, modify the definition of “disproportionate effort” to apply to service providers, contractors, and third parties in addition to businesses, as such term is used throughout the regulations, to limit the obligation of businesses (and other entities) with respect to certain consumer requests. The term is further defined as “when the time and/or resources expended to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding to the request,” and has been modified “to operationalize the exception to complying with certain CCPA requests when it requires ‘disproportionate effort.’” The proposed changes also introduce the definition of “unstructured” personal information, which describes personal information that could not be retrieved or organized in a predefined manner without disproportionate effort on behalf of the business, service provider, contractor, or third party as it relates to the retrieval of text, video, and audio files.
    • Outlining restrictions on how a consumer’s personal information is collected or used. The proposed changes outline factors for determining whether the collection or processing of personal information is consistent with a consumer’s “reasonable expectations.” The modifications also add language explaining how a business should “determine whether another disclosed purpose is compatible with the context in which the personal information was collected,” and present factors such as the reasonable expectation of the consumer at the time of collection, the nature of the other disclosed purpose, and the strength of the link between such expectation and the nature of the other disclosed purpose, for assessing compatibility. Additionally, a section has been added to reiterate requirements “that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be ‘reasonably necessary and proportionate’ for each identified purpose.” The CPPA explained that this guidance is necessary for ensuring that businesses do not create unnecessary and disproportionate negative impacts on consumers.
    • Providing disclosure and communications requirements. The proposed changes also introduce formatting and presentation requirements, clarifying that disclosures must be easy to read and understandable and conform to applicable industry standards for persons with disabilities, and that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and, for mobile applications, that conspicuous links should be accessible in the business’ privacy policy.
    • Clarifying requirements for consumer requests and obtaining consumer consent. Among other things, the proposed changes introduce technical requirements for the design and implementation of processes for obtaining consumer consent and fulfilling consumer requests, including but not limited to “symmetry-in-choice,” which prohibits businesses from creating more difficult or time-consuming paths for more privacy-protective options than for less privacy-protective options. The modifications also provide that businesses should avoid choice architecture that impairs or interferes with a consumer’s ability to make a choice, as “consent” under the CCPA requires that it be freely given, specific, informed, and unambiguous. Moreover, the statutory definition of a “dark pattern” does not require that a business “intend to design a user interface to have the substantial effect of subverting or impairing consumer choice.” Additionally, businesses that are aware of, but do not correct, broken links and nonfunctional email addresses may be in violation of the regulation.
    • Amending business practices for handling consumer requests. The revisions clarify that a service provider and contractor may use self-service methods that enable the business to delete personal information that the service provider or contractor has collected pursuant to a written contract with the business (additional clarification is also provided on how a service provider or contractor’s obligations apply to the personal information collected pursuant to its written contract with the business). Businesses can also provide a link to resources that explain how specific pieces of personal information can be deleted.
    • Amending requests to correct/know. Among other things, the revisions add language to allow “businesses, service providers, and contractors to delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” Consumers will also be required to make a good-faith effort to provide businesses with all necessary information available at the time of a request. A section has also been added, which clarifies “that implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.” Modifications have also been made to specify that a consumer can request that a business disclose their personal information for a specific time period, and changes have been made to provide further clarity on how a service provider or contractor’s obligations apply to personal information collected pursuant to a written contract with a business.
    • Amending opt-out preference signals. The proposed changes clarify that the requirement to process opt-out preference signals applies only to businesses that sell or share personal information. Language has also been added to explain that “the opt-out preference signal shall be treated as a valid request to opt-out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.” When consumers do not respond to a business’s request for more information, a “business must still process the request to opt-out of sale/sharing” to ensure that “a business’s request for more information is not a dark pattern that subverts consumer’s choice.” Additionally, business should not interpret the absence of an opt-out preference signal as a consumer’s consent to opt-in to the sale or sharing of personal information.
    • Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods—an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
    • Clarifying requests to limit use and disclosure of sensitive personal information. The regulations require businesses to provide specific disclosures related to the collection, use, and rights of consumers for limiting the use of sensitive personal information in certain cases, including, among other things, requiring the use of a link to “Limit the Use of My Sensitive Personal Information” and honoring any limitations within 15 business days of receipt. The regulations also provide specific enumerated business uses where the right to limit does not apply, including to ensure physical safety and to prevent, detect, and investigate security incidents.

    The proposed final regulations also clarify when businesses must provide a notice of right to limit, modify how the alternative opt-out link should be presented, provide clarity on how businesses should address scenarios in which opt-out preference signals may conflict with financial incentive programs, make changes to service provider, contractor, and third party obligations to the collection of personal information, as well as contract requirements, provide clarity on special rules applicable to consumers under 16-years of age, and modify provisions related to investigations and enforcement.

    Separately, on February 10, the CPPA posted a preliminary request for comments on cybersecurity audits, risk assessments, and automated decisionmaking to inform future rulemaking. Among other things, the CPPA is interested in learning about steps it can take to ensure cybersecurity audits are “thorough and independent,” what content should be included in a risk assessment (including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act), and how “automated decisionmaking technology” is defined in other laws and frameworks. The CPPA noted that this invitation for comments is not a proposed rulemaking action, but rather serves as an opportunity for information gathering. Comments are due March 27.

    Privacy, Cyber Risk & Data Security State Issues California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection

  • Treasury reports on risks to financial firms adopting cloud services

    Federal Issues

    On February 8, the U.S. Treasury Department launched the interagency Cloud Services Steering Committee in an effort to improve regulatory and private sector cooperation and develop best practices for cloud-adoption frameworks and contracts. As part of the announcement, Treasury released a first-of-its-kind report discussing potential benefits and challenges associated with the adoption of cloud services technology by financial services firms. While recognizing that cloud-based technologies can improve access and reliability for local communities and help community banks compete with financial technology firms, Treasury found that financial services firms that rely on these technologies need more visibility, staff support, and cybersecurity incident response engagement from cloud service providers (CSPs).

    The report identified several significant challenges resulting from the use of cloud-based technologies in the financial sector. These include: (i) insufficient transparency to support due diligence and monitoring by financial institutions (financial institutions must fully understand the risks associated with cloud services in order to implement appropriate protections for consumers); (ii) gaps in human capital and tools to securely deploy cloud services (CSPs should engage experts and improve tools and frameworks to ensure financial institutions are able to implement resilient, secure platforms for customers); (iii) exposure to potential operational incidents (financial institutions have expressed concerns that cyber vulnerabilities originating at a CSP could have a cascading impact across the institutions that depend on it); (iv) potential impact of market concentration in cloud service offerings on the financial sector’s resilience (the current market relies on a small number of CSPs, a concentration that likely exists across the banking, securities, and insurance markets); (v) dynamics in contract negotiations given market concentration (the small number of CSPs could affect financial institutions’ bargaining power); and (vi) international landscape and regulatory fragmentation (regulatory conflicts could result from the patchwork of global regulatory and supervisory approaches to cloud technology).

    The report, which received extensive input from U.S. regulators, private sector stakeholders, trade associations, and think tanks, does not impose any requirements, nor does it endorse or discourage firms from using a specific provider or cloud service. It does, however, recommend that Treasury and the broader financial regulatory community further evaluate the financial risks associated with having a limited number of CSPs offer cloud services.

    Federal Issues Department of Treasury Privacy, Cyber Risk & Data Security Cloud Technology Risk Management

  • Biden administration presents roadmap for mitigating crypto risks

    Federal Issues

    On January 27, the Biden administration presented a roadmap for mitigating cryptocurrency risks to ensure that cryptocurrencies do not undermine financial stability, investors are protected, and bad actors are held accountable. At President Biden’s direction, the administration previously laid out a comprehensive framework for developing digital assets in a safe, responsible way that also identifies clear risks. (Covered by InfoBytes here.) The administration identified clear risks taken by some crypto entities, such as ignoring applicable financial regulations and basic risk controls, misleading consumers, having conflicts of interest, failing to provide adequate disclosures, or committing fraud. The roadmap also outlined actions taken by the federal banking agencies, including a recently issued joint interagency statement that highlighted key risks banks should consider when choosing to engage in crypto-related services and a notice of proposed rulemaking issued by the FDIC warning companies against making false or misleading claims about digital assets being insured by the agency (covered by InfoBytes here and here). The administration also noted that agencies across the government are developing public-awareness programs to help consumers understand the risks associated with digital assets.

    The administration stressed, however, that further action is needed. Priorities for digital asset research and development will be unveiled in the coming months, the administration said, adding that Congress should also step up efforts in this space. This includes expanding regulators’ powers to prevent misuses of customers’ assets, “strengthen[ing] transparency and disclosure requirements for cryptocurrency companies so that investors can make more informed decisions about financial and environmental risks,” “strengthen[ing] penalties for violating illicit-finance rules and subject cryptocurrency intermediaries to bans against tipping off criminals,” and limiting crypto risks to the financial system by following steps outlined in a recent Financial Stability Oversight Council report (covered by InfoBytes here), the administration said.

    Federal Issues Digital Assets Biden Cryptocurrency Risk Management

  • CFTC commissioner discusses crypto exchange’s collapse

    Federal Issues

    On January 18, CFTC Commissioner Christy Goldsmith Romero spoke before the Wharton School and the University of Pennsylvania Carey Law School on lessons learned from the recent bankruptcy of a cryptocurrency exchange, calling the collapse a “violation of trust.” Specifically, Goldsmith Romero mentioned that the digitization of financial services and products brought convenience but also a presumed trust in crypto exchanges with name recognition, which was violated by the collapse. She pointed to the collapsed exchange’s reliance on the name recognition it made through marketing campaigns and explained that such advertising “played up the exchange’s safety and convenience for people that may be new to crypto.”

    Goldsmith Romero urged Congress to avoid permitting newly-regulated crypto exchanges to self-certify products for listing under the current process that limits CFTC oversight. She stressed it “is critical to institute guardrails against regulatory arbitrage,” including prohibiting self-certification.

    Goldsmith Romero also called on lawyers, accountants, compliance professionals, and other gatekeepers to “step up and call for compliance, controls, and other governance.” She expressed that these gatekeepers failed their “essential duties” to protect crypto customers and market integrity, and noted that they have allowed “the promise of riches and the company’s marketing pitch to silence their objections to obvious deficiencies.” Ultimately, Goldsmith Romero advised that “[s]ound custody practices and strong cybersecurity are necessary to restore trust and protect customers.”

    Federal Issues Digital Assets CFTC Cryptocurrency

  • District Court approves $11 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including names, Social Security numbers, driver’s license numbers, dates of birth, and username/password information. According to plaintiffs’ amended complaint, the defendant insurance software providers failed to notify affected individuals about the data breach until on or after May 10, 2021, despite commencing an investigation in March. Plaintiffs maintained that the defendants’ alleged failure to comply with FTC cybersecurity guidelines and industry data protection standards put at risk their financial and personal records, and said they now face years of constant surveillance to prevent potential identity theft and fraud. Under the terms of the settlement (see also plaintiffs’ memorandum of law in support of the motion for final approval), class members will each receive up to $5,000 for out-of-pocket expenses, including up to eight hours of lost time at $25/hour, as well as 12 months of financial fraud protection. Members of a California subclass will receive additional benefits of between $100 and $300 each. The defendants are also responsible for paying each named plaintiff a $2,000 service award and must pay over $3 million in attorney fees, costs, and expenses.

    Privacy, Cyber Risk & Data Security Courts Settlement Data Breach State Issues Class Action California FTC

  • Crypto platform reaches $100 million settlement to resolve alleged compliance failures

    State Issues

    On January 4, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of New York virtual currency, anti-money laundering, transaction monitoring, and cybersecurity regulations. According to the consent order, in 2020, NYDFS found significant deficiencies across the respondent’s compliance program, including its Know-Your Customer/Customer Due Diligence (KYC/CDD) procedures, Transaction Monitoring System (TMS), OFAC screening program, and AML risk assessments. As a result of these findings, the respondent agreed to improve its BSA/AML and OFAC compliance programs, including engaging an independent consultant to develop a remediation plan and improve its compliance program.

    In 2021, NYDFS launched an investigation to determine whether the respondent’s compliance deficiencies had resulted in any legal violations. The investigation found “substantial lapses in [the respondent’s] KYC/CDD program, its TMS, and in its AML and OFAC sanctions controls systems, as well as issues concerning [the respondent’s] retention of books and records, and with respect to meeting certain of its reporting obligations to the Department.” NYDFS noted that in late 2020 and 2021, the respondent took steps to remediate the issues identified by the Department and the independent consultant; however, substantial weaknesses remained, and its compliance system was inadequate to handle the growing volume of the respondent’s business.

    Under the terms of the consent order, the respondent must pay a $50 million civil penalty to NYDFS and invest $50 million in its compliance program. Additionally, an independent third party will continue to work with the respondent for another year, which may be extended at the Department’s sole discretion. NYDFS noted that the respondent has already taken steps to build a more effective and robust compliance program under the supervision of NYDFS and the NYDFS-appointed independent monitor. According to the respondent’s press release, the company “has taken substantial measures to address these historical shortcomings” and “remains committed to being a leader and role model in the crypto space, including partnering with regulators when it comes to compliance and other areas.”

    State Issues Digital Assets NYDFS New York Enforcement Bank Secrecy Act Anti-Money Laundering Money Service / Money Transmitters Virtual Currency Cryptocurrency Customer Due Diligence Financial Crimes

  • California privacy agency holds public meeting on CPRA

    Privacy, Cyber Risk & Data Security

    On December 16, the California Privacy Protection Agency (CPPA) Board held a public meeting to discuss the ongoing status of the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here). The CPPA stated it anticipates conducting additional preliminary rulemaking in early 2023. After public input is received, the CPPA will discuss proposed regulatory frameworks for risk assessments, cybersecurity audits, and automated decisionmaking.

    During the board meeting, the CPPA introduced sample questions and subject areas for preliminary rulemaking that will be provided to the public at some point in 2023, and finalized and approved at a later meeting. The questions and topics relate to, among other things, (i) privacy and security risk assessment requirements, including whether the CPPA should follow the approach outlined in the European Data Protection Board’s Guidelines on Data Protection Impact Assessment, as well as other models or factors the agency should consider; (ii) benefits and drawbacks for businesses should the CPPA accept a business’s risk assessment submission that was completed in compliance with GDPR’s or the Colorado Privacy Act’s requirements for these assessments; (iii) how the CPPA can ensure cybersecurity audits, assessments, and evaluations are thorough and independent; and (iv) how to address profiling and logic in automated decisionmaking, the prevalence of algorithmic discrimination, and whether opt-out rights with respect to a business’s use of automated decisionmaking technology differ across industries and technologies. The CPPA said it is also considering different rules for businesses making under $25 million in annual gross revenues.

    Privacy, Cyber Risk & Data Security State Issues California CPPA CPRA CCPA Consumer Protection Agency Rule-Making & Guidance
