
InfoBytes Blog

Financial Services Law Insights and Observations


  • Crypto platform reaches $1.2 million settlement on alleged compliance failures

    State Issues

    On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged deficiencies in the respondent’s cybersecurity program, which is required by both the cybersecurity regulation and the state’s virtual currency regulation (23 NYCRR Part 200). Following the examinations, NYDFS initiated an investigation into the respondent’s cybersecurity program. The Department concluded that the respondent failed to conduct periodic cybersecurity risk assessments “sufficient to inform the design of the cybersecurity program,” and failed to establish and maintain an effective cybersecurity program and implement a reviewed and board-approved written cybersecurity policy. Moreover, NYDFS claimed the respondent’s policies and procedures were not customized to meet the company’s needs and risks. Under the terms of the consent order, the respondent must pay a $1.2 million civil monetary penalty and submit quarterly progress reports to NYDFS detailing its remediation efforts.

    State Issues Digital Assets Privacy, Cyber Risk & Data Security State Regulators NYDFS New York Enforcement Cryptocurrency 23 NYCRR Part 200 23 NYCRR Part 500 Virtual Currency

  • Kansas enacts financial institutions information security act

    Privacy, Cyber Risk & Data Security

    On April 20, the Kansas governor signed SB 44 to enact the Kansas financial institutions information security act. The Act establishes information security standards for covered entities, and applies to credit service organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions. A covered entity will be required to develop, implement, and maintain a cybersecurity system to protect consumer information, and must ensure its information security program is maintained as part of its books and records in compliance with established record retention requirements. Additionally, the state bank commissioner is granted the authority to adopt “all rules and regulations necessary to govern and administer the [Act’s] provisions.” The commissioner is also given an assortment of enforcement tools to administer the Act, including: conducting routine examinations; investigating a covered entity’s operations; issuing subpoenas; assessing fines and civil penalties not to exceed $5,000 per violation, as well as investigation and enforcement costs; censuring registered or licensed covered entities; entering into memorandums of understanding or consent orders; revoking, suspending, or refusing to renew the registration or license of covered entities; issuing cease-and-desist orders; filing for injunctions; or issuing emergency orders to prevent harm to consumers. The Act takes effect July 1.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Kansas Consumer Protection

  • FSOC seeks feedback on risk framework, nonbank determinations

    Agency Rule-Making & Guidance

    On April 21, the Financial Stability Oversight Council (FSOC) released a proposed analytic framework for financial stability risks, “intended to provide greater transparency to the public about how [FSOC] identifies, assesses, and addresses potential risks to financial stability, regardless of whether the risk stems from activities or firms.” FSOC explained in a fact sheet that the proposed framework would not impose any obligations on any entity, but is instead designed to provide guidance on how FSOC expects to perform certain duties. This includes: (i) identifying potential risks covering a broad range of asset classes, institutions, and activities, including new and evolving financial products and practices as well as developments affecting financial resiliency such as cybersecurity and climate-related financial risks; (ii) assessing certain vulnerabilities that most commonly contribute to financial stability risk and considering how adverse effects stemming from these risks could be transmitted to financial markets/market participants, including what impact this can have on the financial system; and (iii) responding to potential risks to U.S. financial stability, which may involve interagency coordination and information sharing, recommendations to financial regulators or Congress, nonbank financial company determinations, and designations relating to financial market utility/payment, clearing, and settlement activities that are, or are likely to become, systemically important.

    The same day, FSOC also released for public comment proposed interpretive guidance relating to procedures for designating systemically important nonbank financial companies for Federal Reserve supervision and enhanced prudential standards. (See also FSOC fact sheet here.) The guidance would revise and update previous guidance from 2019, and “is intended to enhance [FSOC’s] ability to address risks to financial stability, provide transparency to the public, and ensure a rigorous and clear designation process.” FSOC explained that the proposed guidance would include a two-stage evaluation and analysis process for making a designation, during which time companies under review would engage in significant communication with FSOC and be provided an opportunity to request a hearing, among other things. Designated companies will be subject to annual reevaluations and may have their designations rescinded should FSOC determine that the company no longer meets the statutory standards for designation.

    Comments on both proposals are due 60 days after publication in the Federal Register.

    Both CFPB Director Rohit Chopra and OCC acting Comptroller Michael J. Hsu issued statements supporting the issuance of the proposed interpretive guidance. Chopra commented that, if finalized, the proposed guidance “will create a clear path for the FSOC to identify and designate systemically important nonbank financial institutions” and “will accelerate efforts to identify potential shadow banks to be candidates for designation.” Hsu also noted that sharing additional details to improve the balance and transparency of FSOC’s work “would both make it easier for [FSOC] to explain its analysis of potential risks and create an opportunity for richer public input on the analysis.”

    Agency Rule-Making & Guidance Federal Issues Fintech FSOC Nonbank Federal Reserve Supervision

  • FSB: Greater convergence needed in cyber-incident reporting

    Privacy, Cyber Risk & Data Security

    On April 13, the Financial Stability Board (FSB) released a series of recommendations for achieving “greater convergence” in cyber-incident reporting (CIR). Issued at the request of the G-20, the final report draws from FSB’s body of work on cybersecurity, as well as its engagement with external stakeholders. In order to promote greater convergence in CIR, the report focuses on three components: (i) recommendations for addressing the issues identified as impediments to achieving greater harmonization in cyber incident reporting; (ii) an updated and enhanced cyber lexicon to include new CIR terms and encourage the use of “common language”; and (iii) a common, flexible format for incident reporting exchange (FIRE) that would allow a range of adoption choices and include the most relevant data elements for financial authorities.

    The report presents 16 recommendations for addressing issues associated with the collection of cyber incident information from financial institutions, including the importance of establishing clearly defined objectives for incident reporting (and practical measures for sharing such information), aligning CIR regimes on a cross-border/cross-sectoral basis to reduce fragmentation and improve interoperability, and adopting common data requirements and standardized reporting formats. The report observes that financial institutions operating across multiple jurisdictions and sectors often face operational challenges due to the current process of having to report cyber incidents to multiple authorities. FSB states it will continue to work on a concept for a common format for FIRE to enable authorities to collect information from financial institutions in a more consistent manner. “Financial authorities and institutions can choose to adopt these recommendations as appropriate and relevant, consistent with their legal and regulatory framework,” FSB states in the report.

    Privacy, Cyber Risk & Data Security Financial Stability Board Of Interest to Non-US Persons

  • Treasury recommends stronger DeFi supervision

    Financial Crimes

    On April 6, the U.S. Treasury Department published a report on illicit finance risks in the decentralized finance (DeFi) sector, building upon Treasury’s other risk assessments, and continuing the work outlined in Executive Order 14067, Ensuring Responsible Development of Digital Assets (covered by InfoBytes here).

    Written by Treasury’s Office of Terrorist Financing and Financial Crimes, in consultation with numerous federal agencies, the Illicit Finance Risk Assessment of Decentralized Finance is the first report of its kind in the world. The report explained that, while there is no generally accepted definition of DeFi, the term has broadly referred to virtual asset protocols and services that allow for automated peer-to-peer transactions through the use of blockchain technology. Used by a host of illicit actors to transfer and launder funds, the report found that “the most significant current illicit finance risk in this domain is from DeFi services that are not compliant with existing AML/CFT [anti-money laundering and countering the financing of terrorism] obligations.” These obligations include establishing effective AML programs, assessing illicit finance risks, and reporting suspicious activity, the report said.

    The report made several recommendations for strengthening AML/CFT supervision and regulation of DeFi services, such as “closing any identified gaps in the [Bank Secrecy Act (BSA)] to the extent that they allow certain DeFi services to fall outside the scope of the BSA’s definition of financial institutions.” The report also recommended, “when relevant,” the “enforcement of virtual asset activities, including DeFi services, to increase compliance by virtual asset firms with BSA obligations,” and suggested continued research and engagement with the private sector on this subject.

    In addition, the report pointed to a lack of implementation of international AML/CFT standards by foreign countries, “which enables illicit actors to use DeFi services with impunity in jurisdictions that lack AML/CFT requirements,” and commented that “poor cybersecurity practices by DeFi services, which enable theft and fraud of consumer assets, also present risks for national security, consumers, and the virtual asset industry.” To address these concerns, the report recommended “stepping up engagements with foreign partners to push for stronger implementation of international AML/CFT standards and advocating for improved cybersecurity practices by virtual asset firms to mitigate these vulnerabilities.” The report seeks input from the public sector to inform next steps.

    Financial Crimes Agency Rule-Making & Guidance Of Interest to Non-US Persons Department of Treasury Anti-Money Laundering Combating the Financing of Terrorism Illicit Finance Decentralized Finance Supervision Bank Secrecy Act Digital Assets Fintech

  • NYDFS, crypto payment company reach AML/cybersecurity settlement

    State Issues

    On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.

    State Issues Digital Assets Privacy, Cyber Risk & Data Security State Regulators NYDFS Anti-Money Laundering Cryptocurrency Virtual Currency Payments Fintech Settlement 23 NYCRR Part 200 23 NYCRR Part 500 OFAC Risk Management

  • California OAL approves CCPA regulations

    Privacy, Cyber Risk & Data Security

    On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.

    The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues State Regulators California CPRA CPPA CCPA

  • Law firm settles breach claims related to health care data

    Privacy, Cyber Risk & Data Security

    On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and gained access to the sensitive private information, including names, dates of birth, social security numbers, and/or health data, of nearly 115,000 individuals, including more than 60,000 New Yorkers. According to the AG, the law firm’s data security failures not only violated state law, but also violated HIPAA requirements relating to the adherence to certain advance data security practices. The law firm, which represents New York City area hospitals and maintains patients’ sensitive private information, is required to adopt several measures required by HIPAA, including conducting regular system risk assessments, encrypting private information housed on its servers, and adopting appropriate data minimization practices—all of which it failed to do prior to the breach. 

    Under the terms of the assurance of discontinuance, the law firm is required to pay $200,000 in penalties to the state and strengthen its cybersecurity measures. Required actions include encrypting private information, monitoring and logging network activity, establishing a reasonable patch management policy, developing a penetration testing program, updating its data collection and retention practices, and permanently deleting data “when there is no reasonable business or legal purpose to retain it.”

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Data Breach New York

  • Utah amends disclosure requirements for data breaches

    Privacy, Cyber Risk & Data Security

    On March 23, the Utah governor signed SB 127, which, among other things, imposes additional disclosure requirements for system security breaches and creates the Utah Cyber Center. For example, it mandates additional notice requirements to the office of the Utah attorney general (AG) and the Utah Cyber Center where an investigation “reveals that the misuse of personal information relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur.” If the investigation reveals the misuse of personal information relating to 1,000 or more Utah residents, the notification must also be sent “to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.”

    The Utah Cyber Center will be responsible for, among other things, developing a statewide strategic cybersecurity plan for executive branches and other governmental agencies; identifying, analyzing, and mitigating cyber threats and vulnerabilities; coordinating cybersecurity resilience planning; providing cybersecurity incident response capabilities; developing incident response plans to coordinate federal, state, local, and private sector activities; and developing and promoting cybersecurity best practices.

    The amendments are effective 60 days following adjournment of the legislature.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Utah Data Breach Consumer Protection

  • CSBS seeks comments on uniform mortgage licensing standards

    On March 16, the Conference of State Bank Supervisors (CSBS), on behalf of the NMLS Policy Committee, issued a request for public comments on proposed uniform state licensing standards for mortgage companies. The Proposal: Mortgage Business-Specific Requirements would create a national standard for mortgage industry licensing to help improve uniformity within the state system and streamline the licensing process for mortgagees seeking licensure in multiple states.

    The proposal is broken down into eight components:

    • Contacts. All licensees will be required to provide contacts within the company for accounting, legal, licensing, data breach/cybersecurity, exam billing, exam delivery, and mortgage call reports, in addition to a primary company contact and a primary consumer complaint contact. If a licensee chooses to list a third-party contact, “the company will be deemed to have expressly authorized a state agency to contact the third party without further approval from the company” and “the company is ultimately responsible for the area of responsibility.”
    • Periodic reporting. All licensees will be required to complete periodic reports covering mortgage call reports, audited financial statements, and reportable incidents.
    • Data requirements. All licensees will be required to “provide numbers for any approvals or designations the company holds[,]” as well as business bank account information for accounts held in the name of the applicant and used for mortgage activities.
    • Document requirements. Required documentation includes financial statements; policies and certifications; current Bank Secrecy Act/anti-money laundering and Gramm-Leach-Bliley Privacy Act policies; current disaster recovery or business continuity plans; a current consumer grievance/complaint policy (as well as the required certification); and documents used in the regular course of business such as operating agreements, consumer complaint notices, customer agreements, and third-party contracts.
    • Required functionality. All licensees must abide by a three-party electronic surety bond agreement in order to guarantee “the surety’s performance or monetary compensation to the obligee should there be a failure by the principal to perform specified acts within a stated time period.” The surety bond will be electronically managed by NMLS.
    • Location reporting. All licensees will be required to provide locations where licensed activity will be performed, where records will be stored, or where support staff for licensed activities will be located. Licensees must also provide the primary location for accounting services, regardless of whether they are provided in house or by a third-party accounting firm; cloud storage services (including services used to collect data from customers); and the primary location for legal services, regardless of whether they are provided in house or by a third-party law firm.
    • Company operated work locations’ information. The proposal outlines information required for each company operated work location, including business activities, licensing authorities, addresses, books and records information, and “doing business as” names.
    • Key individual requirements. Licensees will be required to identify key individuals in the areas of management, ownership, functional risk areas, and industry specific roles. The proposal explains that the key individual inquiry focuses on key risk and functional areas (operations, finance, compliance, and information security), rather than titles. Key individuals for mortgages must also submit credit reports and complete an FBI criminal background check. Key individuals who have lived outside the United States at any time in the past 10 years must also provide an investigative background report.

    Comments on the proposal are due May 15.

    Licensing State Issues CSBS NMLS Mortgages
