On November 21, six Democratic Senators wrote to OCC Comptroller Joseph Otting and FDIC Chairman Jelena McWilliams to strongly oppose recent proposed rules by the agencies (see OCC notice here and FDIC notice here). As previously covered by a Buckley Special Alert, the OCC and FDIC proposed rules reassert the “valid-when-made doctrine,” which states that loan interest that is permissible when the loan is made by a bank remains permissible after the loan is transferred to a nonbank. In the letter, the Senators suggest that the proposed rules enable non-bank lenders to avoid state interest rate limits. According to the letter, the proposed rules would encourage “payday and other non-bank lenders to launder their loans through banks so that they can charge whatever interest rate federally-regulated banks may charge.” Additionally, the letter urges both agencies to consider their past declarations against “rent-a-bank” schemes, and contends that the agencies should not attempt to address Madden v. Midland Funding, LLC, which rejected the valid-when-made doctrine, through rulemaking, but should instead leave such lawmaking to Congress.
On December 3, the Federal Reserve, the CFPB, the FDIC, the NCUA, and the OCC (agencies) issued an Interagency Statement on alternative data use in credit underwriting, highlighting applicable consumer protection laws and noting risks and benefits. (See press release here). According to the statement, alternative data use in underwriting may “lower the cost of credit” and expand credit access, a point previously raised by the CFPB and covered in InfoBytes. Specifically, the potential benefits include: (i) increased “speed and accuracy of credit decisions”; (ii) lender ability to “evaluate the creditworthiness of consumers who currently may not obtain credit in the mainstream credit system”; and (iii) consumer ability “to obtain additional products and/or more favorable pricing/terms based on enhanced assessments of repayment capacity.” “Alternative data” refers to information not usually found in traditional credit reports or typically provided by customers, including, for example, automated “cash flow evaluation,” which evaluates a borrower’s capacity to meet payment obligations and is derived from a consumer’s bank account records. The statement indicates that this approach can improve the “measurement of income and expenses” of consumers with steady income over time from multiple sources, rather than a single job. The statement also recognizes that the way in which entities use alternative data, for example by implementing a “Second Look” program, where alternative data is only used for applicants that would otherwise be denied credit, can increase credit access.
The statement points out that use of alternative data may increase potential risks, and that those practices must comply with applicable consumer protection laws, including “fair lending laws, prohibitions against unfair, deceptive, or abusive acts or practices, and the Fair Credit Reporting Act.” Therefore, the agencies encourage entities to incorporate appropriate “robust compliance management” when using alternative data in order to protect consumer information.
Federal and state banking regulators confirmed in a December 3 joint statement that banks are no longer required to file a suspicious activity report on customers solely because they are “engaged in the growth or cultivation of hemp in accordance with applicable laws and regulations.”
* * *
Click here to read the full special alert.
For questions about the alert and related issues, please visit our Bank Secrecy Act/Anti-Money Laundering practice page, or contact a Buckley attorney with whom you have worked in the past.
On November 18, 2019 the Office of the Comptroller of the Currency (“OCC”) issued a proposed rule to clarify that when a national bank or savings association sells, assigns, or otherwise transfers a loan, the interest permissible prior to the transfer continues to be permissible following the transfer. The very next day, the Federal Deposit Insurance Corporation (“FDIC”) followed suit with respect to state chartered banks. The proposals are intended to address problems created by the U.S. Court of Appeals for the Second Circuit in Madden v. Midland Funding, LLC, a decision that cast doubt, at least in the Second Circuit states, about the effect of a transfer or assignment on a bank loan’s stated interest rate that was nonusurious when made. Comments on these proposals are due 60 days following publication in the Federal Register, and as noted below, the case for robust banking industry comment is more compelling than is typically the case.
* * *
Click here to read the full special alert.
If you have any questions about the alert or other related issues, please visit our Fintech practice page or contact a Buckley attorney with whom you have worked in the past.
On November 14, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Business Continuity Management booklet, one of a series of booklets that make up the FFIEC Information Technology Examination Handbook. The revised booklet replaces the 2015 version, and provides enterprise-wide guidance for examiners on the principles of business continuity management and approaches toward business continuity planning and resilience, including those designed to “achieve safety and soundness, consumer financial protection, and compliance with applicable laws, regulations, and rules.” It also provides examination procedures intended to help examiners assess the effectiveness of business continuity and resilience frameworks for entities including depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.
The same day, the OCC also issued Bulletin 2019-57 to note that the revised booklet rescinds Bulletin 2015-9, “FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet.”
The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CTI) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. Indeed, to successfully implement a risk-based information security program, an organization must be aware of general cybersecurity risks across all industries, as well as the business-sector risks and organizational risks unique to the organization. Furthermore, proposed revisions to the FTC Safeguards Rule (previously covered by InfoBytes here) emphasize the need for a “thorough and complete risk assessment” that is informed by “possible vectors through which the security, confidentiality, and integrity of that information could be threatened.”
Threat modeling is generally understood as a formal process by which an organization identifies specific cyber threats to its information systems and sensitive information. It gives management insight into the defenses needed; the critical risk areas within and across an information system, network, or business process; and the best allocation of scarce resources to address the critical risks. Even today, a generally accepted threat modeling process involves comprehensive system, application, and network mapping and data flow diagrams. Many threat modeling tools are available free to the public, such as Microsoft’s Threat Modeling Tool, which provides diagramming and analytical resources for network and data flow diagrams, utilizing the STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) to inform the user of general cyber-attack vectors that each organization should consider. Generally, between cybersecurity frameworks such as the NIST Cybersecurity Framework (for risk-based analytical approaches) and threat modeling tools that identify generic cyber threats such as STRIDE (for general or sector-specific cyber risks), an organization can achieve a risk-informed information security program.
However, with the increasing number of large-scale data breaches and the evolving complexity of cybersecurity threats, many regulatory agencies and other industry-based standards institutions have called for organizations to go one step further and use CTI to understand the tactics, techniques, and procedures (TTPs) utilized by hackers. By using CTI and other threat-based models, organizations can gain insight into potential attack vectors through red-teaming and penetration testing, simulating each phase of a hypothetical attack on the organization’s information system and determining the countermeasures that can be employed at each step of the kill chain. For instance, Lockheed Martin’s formal kill chain model involves seven steps (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives) and proposes six potential defensive measures at each step (detect, deny, disrupt, degrade, deceive, and contain). Consequently, an organization can layer its defenses along each step in the kill chain to increase the probability of detecting or preventing the attack. The kill chain model was used as part of a U.S. Senate investigation into the data breach of a major corporation in 2013, identifying several stages along the chain where the attack could have been prevented or detected.
This threat identification process requires greater detail on adversarial TTPs. Fortunately, MITRE has provided for public consumption its ATT&CK (adversarial tactics, techniques, and common knowledge) platform. ATT&CK collects and organizes adversarial TTPs in specific detail and provides information on each technique and potential mitigating procedures, including commonly used attack patterns for each. For instance, one technique identified by ATT&CK is to encrypt data being exfiltrated to avoid detection by data loss prevention (DLP) tools or other network anomaly detection tools; ATT&CK identifies more than forty known techniques and tools that have been used to achieve encrypted transmission. ATT&CK also identifies potential detection and mitigation options, such as scanning unencrypted channels for encrypted files using DLP or intrusion detection software. Thus, instead of a generic data breach risk analysis, organizations can understand the specific TTPs that may make data breach detection and analysis more difficult, and possibly take measures to prevent them.
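As an added illustration of the ATT&CK detection option just mentioned (scanning unencrypted channels for files that look encrypted), the following Python, which is not from the original post or from MITRE, scores outbound payloads by byte entropy and flags high-entropy bodies only on channels that should be readable. The flow records, the cleartext port list, and the entropy and size thresholds are constructed assumptions for the example.

```python
import hashlib
import math
from collections import Counter

# Assumption: ports where the payload itself should be readable (the page's "unencrypted channels").
CLEARTEXT_PORTS = {21, 25, 80}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_flow(flow: dict, threshold: float = 7.0, min_bytes: int = 512) -> str:
    """Return 'ignore' (encrypted channel or too small to judge), 'clear', or 'suspect'."""
    if flow["dst_port"] not in CLEARTEXT_PORTS:
        return "ignore"  # TLS and similar are expected to look random; inspect elsewhere
    body = flow["body"]
    if len(body) < min_bytes:
        return "ignore"  # entropy estimates on short payloads are too noisy to act on
    return "suspect" if shannon_entropy(body) >= threshold else "clear"


def deterministic_noise(n: int) -> bytes:
    """Constructed stand-in for an encrypted file: a SHA-256 chain, so results are repeatable."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed flows, not real captures: id, destination port, outbound body.
SAMPLE_FLOWS = [
    {"id": 1, "dst_port": 80, "body": b"account_id,balance\n" * 60},  # CSV in the clear
    {"id": 2, "dst_port": 80, "body": deterministic_noise(4096)},  # encrypted-looking upload over HTTP
    {"id": 3, "dst_port": 443, "body": deterministic_noise(4096)},  # TLS: random bytes are normal here
    {"id": 4, "dst_port": 80, "body": deterministic_noise(64)},  # too small to judge
]


def find_suspect_flows(flows) -> list:
    """IDs of flows that carry high-entropy data over a channel that should be cleartext."""
    return [f["id"] for f in flows if classify_flow(f) == "suspect"]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["id"], f["dst_port"], round(shannon_entropy(f["body"]), 2), classify_flow(f))
```

Only flow 2 is reported: it is the one case where data that looks encrypted leaves over a channel where the DLP or IDS sensor expected to be able to read it.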
By leveraging open-source CTI from tools such as ATT&CK and other reports from third-party sources such as government and industry alerts, organizations can begin the process of designing proactive defenses against cyber threats. It is important to note, however, that ATT&CK can only inform an organization’s threat modeling, and is not a threat model itself; additionally, ATT&CK focuses on penetration and hacking TTPs and, therefore, does not examine other threats that organizations may face, including distributed denial of service (DDoS) attacks that threaten the availability of their systems. Such threats will still need to be accounted for in any financial organization’s risk assessment, particularly if such DDoS attacks prevent its clients from accessing their financial accounts and, ultimately, their money.
On October 30, the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices affected by the California wildfires “for as long as deemed necessary for bank operation or public safety.” The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.
Find continuing InfoBytes coverage on disaster relief here.
On October 30, the CFPB, OCC, and the Federal Reserve Board published a final rule in the Federal Register, which increases the smaller loan exemption threshold for the special appraisal requirements for higher-priced mortgage loans (HPMLs) under TILA. TILA requires creditors to obtain a written appraisal before making an HPML unless the loan amount is at or below the exemption threshold. Each year the threshold must be readjusted based on the annual percentage increase in the Consumer Price Index for Urban Wage Earners and Clerical Workers. The exemption threshold for 2020 is $27,200, up from $26,700 in 2019. The final rule will take effect January 1, 2020.
On October 29, the Federal Reserve Board, the FDIC, and the OCC (agencies) issued a final rule to simplify capital rule compliance requirements and reduce the regulatory burden for community banks in accordance with the Economic Growth, Regulatory Relief, and Consumer Protection Act. Among other things, the final rule allows qualifying community banks to adopt a simple community bank leverage ratio to measure capital adequacy, removing requirements for calculating and reporting risk-based capital ratios. Qualifying community banks must have less than $10 billion in total consolidated assets and meet additional criteria such as a leverage ratio greater than 9 percent. The agencies estimate that approximately 85 percent of community banks will qualify. The final rule also grants a community bank that temporarily fails to comply with the framework a two-quarter grace period to come back into full compliance, as long as its leverage ratio remains above 8 percent. According to the agencies, banking organizations will be permitted to use the community bank leverage ratio framework in their March 31, 2020 Call Report or Form FR Y-9C, as applicable. The final rule will take effect January 1, 2020.
On October 24, the CFTC, FDIC, OCC, and SEC announced that they joined the Global Financial Innovation Network (GFIN). GFIN was created by the United Kingdom’s Financial Conduct Authority in 2018 and is an international network of 50 organizations, including the CFPB and other financial regulators. As previously covered by InfoBytes, GFIN members are committed to supporting financial innovation by (i) collaborating on innovation and providing accessible regulatory contact information for firms; (ii) providing a forum for joint regulation technology work; and (iii) providing firms with an environment in which to trial cross-border solutions. According to the FDIC’s announcement, “[p]articipation in the GFIN furthers these objectives and enhances the agencies’ abilities to encourage responsible innovation in the financial services industry in the United States and abroad.”