InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NIST group releases drafts on TLS 1.3 best practices aimed at the financial industry
On January 30, the NIST National Cybersecurity Center of Excellence (NCCoE) released a draft practice guide, titled “Addressing Visibility Challenges with TLS 1.3 within the Enterprise.” The protocol in question, Transport Layer Security (TLS) 1.3, is the most recent iteration of the security protocol most widely used to protect communications over the Internet, but its implementation over TLS 1.2 (the prior version) remains challenging for major industries, including finance, that need to inspect incoming network traffic data for evidence of malware or other malicious activity. A full description of the project can be found here.
Compared to TLS 1.2, TLS 1.3 is faster and more secure, but the implementation of forward secrecy, i.e., protecting past sessions against compromises of keys or passwords used in future sessions, creates challenges related to data audit and legitimate inspection of network traffic. As a result, NIST released the practice guide to offer guidance on how to implement TLS 1.3 and meet required audit requirements without compromising the TLS 1.3 protocol itself. The practice guide suggests how businesses improve their technical methods, such as implementing passive inspection architecture either using “rotated bounded-lifetime [Diffie Helman] keys on the destination TLS server” or exported session keys, to support ongoing compliance with financial industry and other regulations––for continuous monitoring for malware and cyberattacks. The draft practice guide is currently under public review with Volumes A and B of the guide open until April 1, 2024. Volume A is a second preliminary draft of an Executive Summary and Volume B is a preliminary draft on the Approach, Architecture, and Security Characteristics.
Securities regulators issue guidance and an RFC on AI trading scams
On January 25, FINRA and the CFTC released advisory guidance on artificial intelligence (AI) fraud, with the latter putting out a formal request for comment. FINRA released an advisory titled “Artificial Intelligence (AI) and Investment Fraud” to make investors aware of the growing popularity of scammers committing investment fraud using AI and other emerging technologies, posting the popular scam tactics, and then offering protective steps. The CFTC released a customer advisory called “AI Won’t Turn Trading Bots into Money Machines,” which focused on trading platforms that claim AI-created algorithms can guarantee huge returns.
Specifically in FINRA’s notice, the regulator stated that registration is a good indicator of sound investment advice, and offers the Investor.gov tool as a means to check; however, even registered firms and professionals can offer claims that sound too good to be true, so “be wary.” FINRA also warned about investing in companies involved in AI, often using catchy buzzwords or making claims to “guarantee huge gains.” Some companies may engage in pump-and-dump schemes where promoters “pump” up a stock price by spreading false information, then “dump” their own shares before the stock’s value drops. FINRA’s guidance additionally discussed the use of celebrity endorsements to promote an investment using social media; FINRA states that social media has become “more saturated with financial content than ever before” leading to the rise of “finfluencers.” Finally, FINRA mentioned how AI-enabled technology allows scammers to create “deepfake” videos and audio recordings to spread false information. Scammers have been using AI to impersonate a victim’s family members, a CEO announcing false news to manipulate a stock’s price, or how it can create realistic marketing materials.
The CFTC’s advisory highlighted how scammers use AI to create algorithmic trading platforms using “bots” that automatically buy and sell. In one case cited by the CFTC, a scammer defrauded customers into selling him nearly 30,000 bitcoins, worth over $1.7 billion at the time. The CFTC posted a Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. The Request listed eight questions addressing current and potential uses of AI by regulated entities, and several more addressing concerns regarding the use of AI in regulated markets and entities for the public to respond to.
SEC rejects petition to amend the “no admit/no deny policy”
On January 30, the SEC rejected a nonprofit’s 2018 rulemaking petition that requested an amendment to Rule 202.5(e) under Commission Rule of Procedure 192(a), which outlines the terms for the Commission's acceptance of settlements in enforcement actions. Specifically, the rule prohibits settlements imposing sanctions if a defendant can publicly deny the Commission's allegations.
The rejection letter emphasizes the SEC’s authority to investigate securities law violations and initiate enforcement actions, saying that considering the request “could undermine confidence in the Commission’s enforcement program.” The SEC highlights its reliance on consent judgments and the contractual nature of settlements, as well as the potential implications of the proposed amendment on the SEC’s settlement process, adding that “it could undermine confidence in the Commission’s enforcement program.” SEC Chair Gary Gensler said in a statement supporting the decision that “a settlement that allows the denial of wrongdoing undermines the value provided by the recitation of the facts, and it muddies the message to the public.”
The Commission has decided not to amend Rule 202.5(e), affirming that the rule is a valid exercise of its authority in pursuing enforcement actions and settling cases. The policy allows the SEC to retain the option of seeking legal remedies if a defendant publicly denies allegations after settling. The letter also emphasizes that the constitutional and statutory arguments presented in the petition lack merit and conflict with established legal precedent regarding the waiver of rights in civil settlements. The Commission underscores the importance of the “no-deny” provision in preserving its ability to challenge public denials in court and rejects the notion that settling defendants can later deny allegations without consequence.
District Court grants MSJ for defendant for not acting as a debt collector
On January 22, the U.S. District Court for the Northern District of Illinois granted a defendant’s motion for summary judgment in an FDCPA case. According to the order, a hospital that treated plaintiff referred his medical bills to defendant, who services hospitals throughout revenue cycles and acts as an extension of the hospital to service patient accounts. In a letter sent by defendant to plaintiff, defendant stated that the amount was not currently in default but emphasized the importance of hearing from plaintiff. After receiving this first statement from defendant, plaintiff’s attorney contacted defendant explaining plaintiff’s situation, and advised defendant to cease communications. Despite the request, defendant sent a follow-up statement, similar to the first, which plaintiff assumed meant that the debt was in default and required urgent attention. Subsequently, plaintiff paid the outstanding medical debt.
Plaintiff then filed a lawsuit against defendant, alleging that the statements sent by defendant did not comply with disclosures mandated by the FDCPA. Defendant filed a motion for summary judgment, contending that it is not a debt collector covered by the Act. The defendant further argued that since the FDCPA’s definition of “debt collector” expressly excludes “any person collecting or attempting to collect any debt owed… which was not in default at the time that it was obtained by such person,” defendant was not a debt collector because they never treated the medical debt as in default. Although the FDCPA does not define when a debt is “in default,” the court found that the hospital and defendant never treated the debt as defaulted at the time of assignment, and since it did not acquire a defaulted debt to collect, defendant is therefore not considered a covered debt collector under the FDCPA. The court also found issues with plaintiff’s assertations, concluding that they were not applicable to defendant, as it is not a “debt collector” nor a “collection agency,” and that there was no genuine issue of material fact on the question of whether plaintiff’s debt was “in default” at the time it was assigned. As such, the court granted defendant’s motion for summary judgment as a matter of law, indicating that, based on the reasons provided, defendant is not considered a debt collector under the FDCPA.
District Court: Plaintiff has standing but still dismisses FCRA case
On January 19, the U.S. District Court for the District of New Jersey granted a bank’s motion to dismiss an FCRA case. According to the opinion, after plaintiff’s credit report revealed monthly payments towards previously closed accounts with defendant, plaintiff alleged that because the accounts were closed, the entire balance was due and that she had neither the right nor the obligation to pay defendant in monthly installments. Plaintiff then disputed the debt with a credit reporting agency, which forwarded the dispute to defendant, but ultimately plaintiff’s credit report was never updated to $0 monthly payments as she requested. Three days later, plaintiff filed suit alleging defendant violated the FCRA by failing to investigate the dispute and failing to direct the credit reporting agency to report the tradelines with $0 monthly payments. Although plaintiff does not assert in her complaint that her credit reports have been distributed to any potential lender, plaintiff alleged that the tradelines listed in her credit report are inaccurate and “create a misleading impression of her consumer credit file.”
In determining Article III standing, the court held that plaintiff sufficiently alleged injury in fact because defendant’s “false and misleading reporting to a credit bureau about Plaintiff’s obligation on a debt has a close relationship to reputational harms such as defamation and common law fraud.” The court acknowledged, however, that “[l]ower courts have split on the issue of whether dissemination of a defamatory statement to a credit reporting agency, as opposed to the potential creditors at issue.” On one hand, the U.S. Supreme Court found that class members whose misleading credit reports were not disseminated to a third party did not suffer concrete harm. In another case, the Seventh Circuit concluded that plaintiffs adequately proved third-party dissemination by presenting evidence that debt collectors reported false information about them to a credit reporting agency, dismissing any interpretation precedent that would demand the plaintiffs to additionally demonstrate that the third party shared the false information. The court agreed with the latter decision, citing that “dissemination to a credit reporting agency suffices to establish defamatory publication for standing purposes.”
Although plaintiff established Article III standing, the court found that plaintiff failed to state a claim under the FCRA because she failed to allege that the tradelines issued by defendant contain inaccurate information. Furthermore, the court found that a report, as plaintiff requested, showing $0 monthly payments on the account would be more misleading, because it would purport that plaintiff does not owe a balance to defendant.
Fed announces an end date to its Bank Term Funding Program
On January 24, the Federal Reserve announced that its program created to protect liquidity following a period of financial stress last spring, named the Bank Term Funding Program (BTFP), will stop making loans on March 11. The Fed was granted the authority to provide more liquidity to depository institutions under Section 13(3) of the Federal Reserve Act, whereby the Fed can lend to banks and nonbanks in emergencies and for one year at a time. The Spring 2023 banking issues led to liquidity concerns, which the Fed sought to stabilize with the BTFP. According to the term sheet, the rate for term advances will be the “one-year overnight index swap rate plus 10 basis points” as long as the rate is not lower than the IORB rate that same day. In return, the borrower financial institutions pledge their debt and securities as collateral. The Fed notes that advances can still be requested under the BTFP until March 11. However, the interest rate applicable to new BTFP loans between now and March 11 will be no lower than the interest rate on reserve balances (IORB).
Acting Comptroller discusses bank liquidity risk
On January 18, OCC Acting Comptroller of the Currency, Michael J. Hsu, delivered remarks at an event held by Columbia University Law School on bank liquidity risk. Hsu highlighted the evolving nature of bank runs and urged banks and regulators to adapt. While individual bank supervision has seen some adjustments, Hsu stressed the need for targeted regulatory enhancements to ensure the systematic implementation of updated liquidity risk management practices, particularly among midsize and large banks. Hsu’s remarks emphasized three themes:
Recognizing the speed and severity of certain outflows. The liquidity risk for banks with uninsured deposits significantly increased. Hsu said that anticipating potential herding scenarios in liquidity risk management is crucial;
Ensuring the ability to monetize. Hsu said banks and regulators need to adapt to the faster pace of bank runs, where large outflows happen more quickly than in the past. Having enough liquid assets is not sufficient; banks must quickly convert assets into cash, Hsu said. Utilizing the Fed’s discount window is an option, but it faces stigma. Hsu also mentioned that there is a proposal for a targeted regulatory requirement for banks to have enough liquidity to cover short-term outflows, up to five days, using pre-positioned collateral to de-stigmatize discount window usage while preventing over-reliance; and
Limiting guilt by association. To combat the fear that uninsured depositors across banks could be at risk upon bank failures, Hsu said a long-term solution involves distinguishing between operational and non-operational deposits, requiring standardized classification systems and ongoing research efforts to effectively mitigate contagion risks.
FTC hosts tech summit on artificial intelligence; CFPB weighs in
On January 25, the FTC hosted a virtual tech summit focused on artificial intelligence (AI). The summit featured speakers from the FTC––including all three commissioners––software engineers, lawyers, technologists, entrepreneurs, journalists, and researchers, among others. First, Commissioner Slaughter spoke on how there are three main acts that led to where we are today in creating guardrails for AI use: first, the emergence of social media; second, industry groups and whistleblowers rang the alarm on data privacy and forced regulators to play catch-up; third, regulators must now urgently grapple with difficult social externalities such as impacts on society and political elections.
The first panel discussed the various business models at play in the AI space. One journalist spoke on the recent Hollywood writers’ strike, opining that copyright law is a poor legal framework by which to regulate AI, and suggested labor and employment law as a better model. An analyst at a venture capital firm discussed how her firm finds investment opportunities by reviewing which companies use a language-learning model, as opposed to the transformer model, which is more attractive to that firm.
Before the second panel, Commissioner Bedoya discussed the need for fair and safe AI, and said that in order for the FTC to be successful, it must execute policy with two topics in mind: first, people need to be in control of technology and decision making, not the other way around; and second, competition must be safeguarded so that the most popular technology is the one that works the best, not just the one created by the largest companies.
During the second panel, a lawyer from the CFPB spoke on how the CFPB is doing “a lot” with regards to AI, and that the CFPB gives AI technology no exceptions in the laws it oversees. The CFPB recently issued releases on how the “black box” model in credit decision making needs to be fair and free from bias. When discussing future AI enforcement actions, the CFPB lawyer said in a “high-level” way that AI enforcement is currently “capacity building”; they are building out their resources to be more intellectually diverse, including having recently created their technologist program.
FinCEN issues FAQs on PPP
On January 12, FinCEN and the SBA issued FAQs on the Paycheck Protection Program (“PPP”), established under the CARES Act, to assist borrowers and lenders in interpreting the CARES act and the PPP Interim Final Rule. Among the issues addressed in the FAQs, FinCEN and the SBA provided guidance regarding whether under the CDD Rule, lenders are required to collect, certify, or verify beneficial ownership information for existing customers, stating that it is not necessary to re-verify “[i]f the PPP loan is being made to an existing customer, and the existing customer and the necessary information was previously verified. Additionally, FinCEN and the SBA addressed the question of whether a lender’s collection of the information required with respect to owners of 20% or greater interest in PPP applicants is sufficient to satisfy a lender’s obligation to collect beneficial ownership information under the Bank Secrecy Act. FinCEN and the SBA stated that for lenders with existing customers the lender does not need to reverify beneficial ownership information for owners that hold ownership interests of at least 20 percent, and with respect to new customers with the same ownership interest, all natural persons will need to provide the same information in order to satisfy BSA requirements. FinCEN also answered more FAQs on its April 2020 FAQs regarding the PPP on Second Draw PPP Loans, on BSA/AML compliances, and on SBA Procedural Notice 5000-835955, the last stating that a “PPP lender may reveal the existence of a SAR to the SBA when requesting a guaranty purchase (without charge-off) from the SBA.”
Fannie, Freddie release an updated Single-Family Social MBS Framework
On January 23, Freddie Mac and Fannie Mae (the “Enterprises”) announced an updated Single-Family Social MBS and Corporate Debt Bonds Framework, and updates to mortgage-backed securities (“MBS”) disclosures. As part of the framework updates, the Enterprises will rename the Social Index to the “Mission Index” in February. Additionally, Fannie Mae will update the formulation of the index in February, and Freddie Mac will update the formulation of the index in May. The Mission Index offers MBS investors insights into the Enterprises’ mission-oriented lending initiatives, enabling investors to allocate capital towards those activities. The revised Mission Index will apply to pools issued by Fannie Mae starting in March and for Freddie Mac starting in June.
The updated frameworks define criteria beginning in June for the Enterprises’ mortgage collateral that may be pooled, issued and labeled “Social MBS.” That label is applied when the Mission Index score of the underlying pool exceeds a specified threshold. The Enterprises also announced they plan to provide impact reporting annually beginning in 2025, “which will help the market understand the associated impact of the loans underlying their investments.”