
InfoBytes Blog

Financial Services Law Insights and Observations


  • Treasury reports on risks to financial firms adopting cloud services

    Federal Issues

    On February 8, the U.S. Treasury Department launched the interagency Cloud Services Steering Committee in an effort to improve regulatory and private sector cooperation and develop best practices for cloud-adoption frameworks and contracts. As part of the announcement, Treasury released a first-of-its-kind report discussing potential benefits and challenges associated with the adoption of cloud services technology by financial services firms. While recognizing that cloud-based technologies can improve access and reliability for local communities and help community banks compete with financial technology firms, Treasury found that financial services firms that rely on these technologies need more visibility, staff support, and cybersecurity incident response engagement from cloud service providers (CSPs).

    The report identified several significant challenges resulting from the use of cloud-based technologies in the financial sector. These include: (i) insufficient transparency to support due diligence and monitoring by financial institutions (financial institutions must fully understand the risks associated with cloud services in order to implement appropriate protections for consumers); (ii) gaps in human capital and tools to securely deploy cloud services (CSPs should engage experts and improve tools and frameworks to ensure financial institutions are able to implement resilient, secure platforms for customers); (iii) exposure to potential operational incidents (financial institutions have expressed concerns that cyber vulnerabilities originating at a CSP could have a cascading impact); (iv) potential impact of market concentration in cloud service offerings on the financial sector’s resilience (the current market relies on a small number of CSPs, a concentration that likely exists across the banking, securities, and insurance markets); (v) dynamics in contract negotiations given market concentration (the small number of CSPs could affect financial institutions’ bargaining power); and (vi) international landscape and regulatory fragmentation (regulatory conflicts could result from the patchwork of global regulatory and supervisory approaches to cloud technology).

    The report, which received extensive input from U.S. regulators, private sector stakeholders, trade associations, and think tanks, does not impose any requirements, nor does it endorse or discourage firms from using a specific provider or cloud service. It does, however, recommend that Treasury and the broader financial regulatory community further evaluate the financial risks associated with having a limited number of CSPs offer cloud services.


  • Biden administration presents roadmap for mitigating crypto risks

    Federal Issues

    On January 27, the Biden administration presented a roadmap for mitigating cryptocurrency risks to ensure that cryptocurrencies do not undermine financial stability, investors are protected, and bad actors are held accountable. At President Biden’s direction, the administration previously laid out a comprehensive framework for developing digital assets in a safe, responsible way that also identifies clear risks. (Covered by InfoBytes here.) The administration identified clear risks taken by some crypto entities, such as ignoring applicable financial regulations and basic risk controls, misleading consumers, having conflicts of interest, failing to provide adequate disclosures, or committing fraud. The roadmap also outlined actions taken by the federal banking agencies, including a recently issued joint interagency statement that highlighted key risks banks should consider when choosing to engage in crypto-related services and a notice of proposed rulemaking issued by the FDIC warning companies against making false or misleading claims about digital assets being insured by the agency (covered by InfoBytes here and here). The administration also noted that agencies across the government are developing public-awareness programs to help consumers understand the risks associated with digital assets.

    The administration stressed, however, that further action is needed. Priorities for digital asset research and development will be unveiled in the coming months, the administration said, adding that Congress should also step up efforts in this space. This includes expanding regulators’ powers to prevent misuses of customers’ assets, “strengthen[ing] transparency and disclosure requirements for cryptocurrency companies so that investors can make more informed decisions about financial and environmental risks,” “strengthen[ing] penalties for violating illicit-finance rules and subject cryptocurrency intermediaries to bans against tipping off criminals,” and limiting crypto risks to the financial system by following steps outlined in a recent Financial Stability Oversight Council report (covered by InfoBytes here), the administration said.


  • CFTC commissioner discusses crypto exchange’s collapse

    Federal Issues

    On January 18, CFTC Commissioner Christy Goldsmith Romero spoke before the Wharton School and the University of Pennsylvania Carey Law School on lessons learned from the recent bankruptcy of a cryptocurrency exchange, calling the collapse a “violation of trust.” Specifically, Goldsmith Romero mentioned that the digitization of financial services and products brought convenience but also a presumed trust in crypto exchanges with name recognition, which was violated by the collapse. She pointed to the collapsed exchange’s reliance on the name recognition it made through marketing campaigns and explained that such advertising “played up the exchange’s safety and convenience for people that may be new to crypto.”

    Goldsmith Romero urged Congress to avoid permitting newly-regulated crypto exchanges to self-certify products for listing under the current process that limits CFTC oversight. She stressed it “is critical to institute guardrails against regulatory arbitrage,” including prohibiting self-certification.

    Goldsmith Romero also called on lawyers, accountants, compliance professionals, and other gatekeepers to “step up and call for compliance, controls, and other governance.” She expressed that these gatekeepers failed their “essential duties” to protect crypto customers and market integrity, and noted that they have allowed “the promise of riches and the company’s marketing pitch to silence their objections to obvious deficiencies.” Ultimately, Goldsmith Romero advised that “[s]ound custody practices and strong cybersecurity are necessary to restore trust and protect customers.”


  • District Court approves $11 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including names, Social Security numbers, driver’s license numbers, dates of birth, and username/password information. According to plaintiffs’ amended complaint, the defendant insurance software providers failed to notify affected individuals about the data breach until on or after May 10, 2021, despite commencing an investigation in March. Plaintiffs maintained that the defendants’ alleged failure to comply with FTC cybersecurity guidelines and industry data protection standards put at risk their financial and personal records, and said they now face years of constant surveillance to prevent potential identity theft and fraud. Under the terms of the settlement (see also plaintiffs’ memorandum of law in support of the motion for final approval), class members will each receive up to $5,000 for out-of-pocket expenses, including up to eight hours of lost time at $25/hour, as well as 12 months of financial fraud protection. Members of a California subclass will receive additional benefits of between $100 and $300 each. The defendants are also responsible for paying each named plaintiff a $2,000 service award and must pay over $3 million in attorney fees, costs, and expenses.


  • Crypto platform reaches $100 million settlement to resolve alleged compliance failures

    State Issues

    On January 4, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of New York virtual currency, anti-money laundering, transaction monitoring, and cybersecurity regulations. According to the consent order, in 2020, NYDFS found significant deficiencies across the respondent’s compliance program, including its Know-Your-Customer/Customer Due Diligence (KYC/CDD) procedures, Transaction Monitoring System (TMS), OFAC screening program, and AML risk assessments. As a result of these findings, the respondent agreed to improve its BSA/AML and OFAC compliance programs, including engaging an independent consultant to develop a remediation plan and improve its compliance program.

    In 2021, NYDFS launched an investigation to determine whether the respondent’s compliance deficiencies had resulted in any legal violations. The investigation found “substantial lapses in [the respondent’s] KYC/CDD program, its TMS, and in its AML and OFAC sanctions controls systems, as well as issues concerning [the respondent’s] retention of books and records, and with respect to meeting certain of its reporting obligations to the Department.” NYDFS noted that in late 2020 and 2021, the respondent took steps to remediate the issues identified by the Department and the independent consultant; however, substantial weaknesses remained, and its compliance system was inadequate to handle the growing volume of the respondent’s business.

    Under the terms of the consent order, the respondent must pay a $50 million civil penalty to NYDFS and invest $50 million in its compliance program. Additionally, an independent third party will continue to work with the respondent for another year, which may be extended at the Department’s sole discretion. NYDFS noted that the respondent has already taken steps to build a more effective and robust compliance program under the supervision of NYDFS and the NYDFS-appointed independent monitor. According to the respondent’s press release, the company “has taken substantial measures to address these historical shortcomings” and “remains committed to being a leader and role model in the crypto space, including partnering with regulators when it comes to compliance and other areas.”


  • California privacy agency holds public meeting on CPRA

    Privacy, Cyber Risk & Data Security

    On December 16, the California Privacy Protection Agency (CPPA) Board held a public meeting to discuss the ongoing status of the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here). The CPPA stated it anticipates conducting additional preliminary rulemaking in early 2023. After public input is received, the CPPA will discuss proposed regulatory frameworks for risk assessments, cybersecurity audits, and automated decisionmaking.

    During the board meeting, the CPPA introduced sample questions and subject areas for preliminary rulemaking that will be provided to the public at some point in 2023, and finalized and approved at a later meeting. The questions and topics relate to, among other things, (i) privacy and security risk assessment requirements, including whether the CPPA should follow the approach outlined in the European Data Protection Board’s Guidelines on Data Protection Impact Assessment, as well as other models or factors the agency should consider; (ii) benefits and drawbacks for businesses should the CPPA accept a business’s risk assessment submission that was completed in compliance with GDPR’s or the Colorado Privacy Act’s requirements for these assessments; (iii) how the CPPA can ensure cybersecurity audits, assessments, and evaluations are thorough and independent; and (iv) how to address profiling and logic in automated decisionmaking, the prevalence of algorithmic discrimination, and whether opt-out rights with respect to a business’s use of automated decisionmaking technology differ across industries and technologies. The CPPA said it is also considering different rules for businesses making under $25 million in annual gross revenues.


  • FSOC annual report highlights digital asset, cybersecurity, and climate risks

    Federal Issues

    On December 16, the Financial Stability Oversight Council (FSOC or the Council) released its 2022 annual report. The report reviewed financial market developments, identified emerging risks, and offered recommendations to mitigate threats and enhance financial stability. The report noted that “amid heightened geopolitical and economic shocks and inflation, risks to the U.S. economy and financial stability have increased even as the financial system has exhibited resilience.” The report also noted that significant unaddressed vulnerabilities could potentially disrupt institutions’ ability to provide critical financial services, including payment clearings, liquidity provisions, and credit availability to support economic activity. FSOC identified 14 specific financial vulnerabilities and described mitigation measures. Highlights include:

    • Nonbank financial intermediation. FSOC expressed support for initiatives taken by the SEC and other agencies to address investment fund risks. The Council encouraged banking agencies to continue monitoring banks’ exposure to nonbank financial institutions, including reviewing how banks manage their exposure to leverage in the nonbank financial sector.
    • Digital assets. FSOC emphasized the importance of enforcing existing rules and regulations applicable to the crypto-asset ecosystem, but commented that there are gaps in the regulation of digital asset activities. The Council recommended that legislation be enacted to grant rulemaking authority to the federal banking agencies over crypto-assets that are not securities. The Council said that regulatory arbitrage needs to be addressed as crypto-asset entities offering services similar to those offered by traditional financial institutions do not have to comply with a consistent or comprehensive regulatory framework. FSOC further recommended that “Council members continue to build capacities related to data and the analysis, monitoring, supervision, and regulation of digital asset activities.”
    • Climate-related financial risks. FSOC recommended that state and federal agencies should continue to work to advance appropriately tailored supervisory expectations for regulated entities’ climate-related financial risk management practices. The Council encouraged federal banking agencies “to continue to promote consistent, comparable, and decision-useful disclosures that allow investors and financial institutions to consider climate-related financial risks in their investment and lending decisions.”
    • Treasury market resilience. FSOC recommended that member agencies review Treasury’s market structure and liquidity challenges, and continue to consider policies “for improving data quality and availability, bolstering the resilience of market intermediation, evaluating expanded central clearing, and enhancing trading venue transparency and oversight.”
    • Cybersecurity. FSOC stated it supports partnerships between state and federal agencies and private firms to assess cyber vulnerabilities and improve cyber resilience. Acknowledging the significant strides made by member agencies this year to improve data collection for managing cyber risk, the Council encouraged agencies to continue gathering any additional information needed to monitor and assess cyber-related financial stability risks.
    • LIBOR transition. FSOC recommended that firms should “take advantage of any existing contractual terms or opportunities for renegotiation to transition their remaining legacy LIBOR contracts before the publication of USD LIBOR ends.” The Council emphasized that derivatives and capital markets should continue transitioning to the Secured Overnight Financing Rate.

    CFPB Director Rohit Chopra issued a statement following the report’s release, flagging risks posed by the financial sector’s growing reliance on big tech cloud service providers. “Financial institutions are looking to move more data and core services to the cloud in coming years,” Chopra said. “The operational resilience of these large technology companies could soon have financial stability implications. A material disruption could one day freeze parts of the payments infrastructure or grind other critical services to a halt.” Chopra also commented that FSOC should determine next year whether to grant the agency regulatory authority over stablecoin activities under Dodd-Frank. He noted that “[t]hrough the stablecoin inquiry, it has become clear that nonbank peer-to-peer payments firms serving millions of American consumers could pose similar financial stability risks” as these “funds may not be protected by deposit insurance and the failure of such a firm could lead to millions of American consumers becoming unsecured creditors of the bankruptcy estate, similar to the experience with [a now recently collapsed crypto exchange].”


  • FINRA alerts firms about rising ransomware risks

    Privacy, Cyber Risk & Data Security

    On December 14, FINRA issued Regulatory Notice 22-29, alerting member firms about the increasing number and sophistication of ransomware incidents. FINRA explained that the proliferation in ransomware attacks can be attributed in part to the increased use of technology and continued adoption of cryptocurrencies that bad actors use to conceal their identities when collecting ransom payments. Moreover, bad actors who purchase attack services on the dark web “have helped execute attacks on a much larger scale and make attacks available to less technologically savvy bad actors,” FINRA said. Under Rule 30 of the SEC’s Regulation S-P, firms are required to maintain written policies and procedures designed to reasonably safeguard customer records and information, FINRA stated, adding that FINRA Rule 4370 (related to business continuity plans and emergency contact information) also applies to ransomware attacks that include service denials and other interruptions to firms’ operations. The notice provides questions for firms to consider when evaluating their cybersecurity programs and outlines common attack types and considerations for firms’ ransomware threat defenses, as well as additional ransomware controls and relevant resources.


  • NYDFS's Harris to serve as the state banking representative on the FSOC

    State Issues

    On December 13, the Conference of State Bank Supervisors (CSBS) announced that NYDFS Superintendent Adrienne A. Harris will serve as the state banking representative on the Financial Stability Oversight Council (FSOC). According to the announcement, in 2013, Superintendent Harris joined the Obama Administration as a Senior Advisor in the U.S. Department of Treasury prior to being appointed as the Special Assistant to the President for Economic Policy. In this role, she managed the financial services portfolio, focusing on the implementation of Dodd-Frank, and developed strategies for financial reform, consumer protections, cybersecurity and housing finance reform. According to James M. Cooper, president and CEO of CSBS, Harris’s “background and experience at both the federal and state level will be an asset for the council as it manages emerging risk during a time of economic uncertainty.”


  • G7 Cyber Expert Group releases reports on ransomware and third-party risk

    Privacy, Cyber Risk & Data Security

    On December 8, the G7 Cyber Expert Group (CEG) – co-chaired by the Bank of England and the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure – released two reports addressing ransomware and third-party risk in the financial sector. According to the announcement, the reports “are intended to help financial sector entities better understand cybersecurity topics as agreed upon by a multilateral consensus.”

    The Fundamental Elements of Ransomware Resilience for the Financial Sector provides financial entities with high-level building blocks for addressing ransomware threats. The “non-prescriptive and non-binding” report is meant to guide public and private financial institutions for their own internal ransomware mitigation activities and “provide[s] an overview of the current policy approaches, industry guidance, and best practices in place throughout the G7.”

    The Fundamental Elements of Third-Party Risk Management for the Financial Sector updates a previous version published in 2018. According to the announcement, the updated report was necessary due to the increase in use of service providers by financial institutions in their central operational functions and subsequent vulnerabilities as a result of such reliance. The update includes explicit recommendations for monitoring risks along the supply chain and identifying systemically important third-party providers and concentration risks.

