On December 18, the CFPB issued its mandated annual report to Congress covering activity in 2016 and 2017 pertaining to the Truth in Lending Act (TILA), the Electronic Fund Transfer Act (EFTA), and the Credit Card Accountability Responsibility and Disclosure Act (CARD Act). The report describes enforcement actions brought by the Bureau and federal agencies related to TILA, EFTA, the CARD Act (and respective implementing Regulations Z and E), as well as data on required reimbursements to consumers. The report also includes a compliance assessment of TILA and EFTA violations. Federal Financial Institutions Examination Council (FFIEC) member agencies report that more institutions were cited for violations of Regulation Z than Regulation E during the 2016 and 2017 reporting periods, and that the most frequently reported Regulation Z violations include (i) failing to disclose, or to accurately disclose, the finance charge on closed-end credit; (ii) failing to disclose good faith estimates on disclosures for closed-end credit; and (iii) failing to provide consumers with specific loan cost information on closing disclosures. The most commonly cited Regulation E violations include (i) failing to comply with investigation and timeframe requirements when resolving errors in electronic fund transfers; and (ii) failing to provide applicable disclosures. In addition, the report recaps FFIEC outreach activities related to TILA and EFTA, such as workshops, blogs, and other outreach events.
On December 16, the three federal banking agency members of the Federal Financial Institutions Examination Council (FFIEC) with Community Reinvestment Act (CRA) responsibility—the Federal Reserve Board, the FDIC, and the OCC—announced the release of the 2018 small business, small farm, and community development CRA data. The analysis contains information from 700 lenders about originations and purchases of small loans (loans with original amounts of $1 million or less) in 2018, a 2.2 percent decrease from the 718 lenders that reported data in 2017. According to the analysis, the total number of originated loans increased by approximately 8 percent from 2017, with the dollar amount of originations increasing by roughly 5 percent; however, the analysis notes that the majority of this growth is attributable to one bank’s increase in originations. The analysis further notes that 615 banks reported community development lending activity totaling nearly $103 billion in 2018, an increase from $96 billion in 2017.
On November 14, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Business Continuity Management booklet, one of a series of booklets that make up the FFIEC Information Technology Examination Handbook. The revised booklet replaces the 2015 version and provides enterprise-wide guidance for examiners on the principles of business continuity management and approaches toward business continuity planning and resilience, including those designed to “achieve safety and soundness, consumer financial protection, and compliance with applicable laws, regulations, and rules.” It also provides examination procedures intended to help examiners assess the effectiveness of business continuity and resilience frameworks for entities including depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.
The same day, the OCC also issued Bulletin 2019-57 to note that the revised booklet rescinds Bulletin 2015-9, “FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet.”
The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CTI) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. To implement a risk-based information security program successfully, an organization must be aware of general cybersecurity risks that cut across all industries, risks specific to its business sector, and risks unique to the organization itself. Furthermore, proposed revisions to the FTC Safeguards Rule (previously covered by InfoBytes here) emphasize the need for a “thorough and complete risk assessment” that is informed by “possible vectors through which the security, confidentiality, and integrity of that information could be threatened.”
Threat modeling is generally understood as a formal process by which an organization identifies specific cyber threats to its information systems and sensitive information. The result gives management insight into the defenses needed, the critical risk areas within and across an information system, network, or business process, and the best allocation of scarce resources to address the critical risks. A generally accepted threat modeling process starts with comprehensive system, application, and network mapping and data flow diagrams. Many threat modeling tools are available free to the public, such as Microsoft’s Threat Modeling Tool, which provides diagramming and analytical resources for network and data flow diagrams and applies the STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) to inform the user of the general classes of attack that each organization should consider. Generally, by combining a cybersecurity framework such as the NIST Cybersecurity Framework (for a risk-based analytical approach) with a threat modeling method that enumerates generic threat classes such as STRIDE (for general or sector-specific cyber risks), an organization can achieve a risk-informed information security program.
However, with the increasing number of large-scale data breaches and the evolving complexity of cybersecurity threats, many regulatory agencies and industry standards bodies have called for organizations to go one step further and use CTI to understand the tactics, techniques, and procedures (TTPs) used by attackers. By using CTI and other threat-based models, organizations can gain insight into potential attack vectors through red teaming and penetration testing, simulating each phase of a hypothetical attack on the organization’s information system and determining the countermeasures that can be employed at each step of the kill chain. For instance, Lockheed Martin’s Cyber Kill Chain model describes seven steps (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives) and proposes six classes of defensive action that can be applied at each step (detect, deny, disrupt, degrade, deceive, and destroy). An organization can therefore layer its defenses along each step in the kill chain to increase the probability of detecting or preventing the attack: the attacker must succeed at every step, while the defender needs to break the chain at only one. The kill chain model was used as part of a U.S. Senate investigation into the 2013 data breach of a major corporation, identifying several stages along the chain where the attack could have been prevented or detected.
This threat identification process requires greater detail on adversary TTPs. Fortunately, MITRE has made its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) knowledge base publicly available. ATT&CK catalogs adversary TTPs in specific detail and, for each technique, provides a description, documented examples of its use, and potential detection and mitigation measures. For instance, one technique catalogued by ATT&CK is encrypting data before exfiltration to avoid detection by data loss prevention (DLP) tools or other network anomaly detection tools; ATT&CK lists more than forty documented examples of tools that have been used to achieve encrypted transmission. For the same technique, ATT&CK identifies detection and mitigation options such as scanning unencrypted channels for encrypted files using DLP or intrusion detection software. Thus, instead of a generic data breach risk analysis, organizations can understand the specific TTPs that make a data breach harder to detect and analyze, and take measures to counter them.
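As an added illustration (not code from the original post, from MITRE, or from any DLP vendor), the following Python sketches the detection ATT&CK suggests for this technique: scanning payloads seen on an unencrypted channel for content that looks encrypted. Ciphertext has no byte-frequency structure, so its Shannon entropy sits close to the 8 bits-per-byte maximum, while a CSV export sits far lower. The caveat a practitioner needs is that compressed files are also near-random, so the check allowlists known compressed containers by their magic bytes before raising an alert. The threshold, minimum size, and sample payloads are assumptions constructed for the demo; the "encrypted" sample is a deterministic SHA-256 keystream standing in for real cipher output.

```python
import gzip
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Magic bytes of common compressed containers. Compressed data is nearly as
# random as ciphertext, so without this allowlist every zip attachment on a
# plaintext channel would be reported as "encrypted exfiltration".
KNOWN_COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x28\xb5\x2f\xfd": "zstd",
    b"BZh": "bzip2",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed value, tune per environment
MIN_SIZE = 256           # entropy estimates on tiny payloads are too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_compressed_format(data: bytes):
    """Return the container name if the payload starts with a known magic prefix."""
    for magic, name in KNOWN_COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


@dataclass
class Verdict:
    flagged: bool
    entropy: float
    reason: str


def inspect_payload(data: bytes) -> Verdict:
    """Decide whether a payload observed on an unencrypted channel looks encrypted."""
    h = shannon_entropy(data)
    if len(data) < MIN_SIZE:
        return Verdict(False, h, "too small to judge")
    fmt = known_compressed_format(data)
    if fmt is not None:
        return Verdict(False, h, f"high entropy explained by {fmt} container")
    if h >= ENTROPY_THRESHOLD:
        return Verdict(True, h, "high-entropy payload with no recognizable container")
    return Verdict(False, h, "looks like plaintext or structured data")


# --- Constructed sample traffic (not real captures) ---

def sample_plaintext() -> bytes:
    """A constructed customer export, the kind of content DLP looks for in the clear."""
    rows = [f"{i:06d},Jane Doe {i},123 Main St,ACCT{i:08d}\n" for i in range(1000)]
    return ("id,name,address,account\n" + "".join(rows)).encode()


def sample_compressed() -> bytes:
    """gzip of the same export: near-random bytes, but a recognizable container."""
    return gzip.compress(sample_plaintext())


def sample_encrypted(length: int = 4096) -> bytes:
    """Stand-in for ciphertext: SHA-256 in counter mode over a fixed demo key.
    Real AES-CTR/GCM output is statistically indistinguishable from this stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(b"demo-key" + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def run_demo() -> dict:
    """Inspect the three constructed payloads and return the verdicts by name."""
    results = {}
    for name, payload in [("plaintext", sample_plaintext()),
                          ("gzip", sample_compressed()),
                          ("encrypted", sample_encrypted())]:
        v = inspect_payload(payload)
        results[name] = v
        print(f"{name:10s} entropy={v.entropy:.2f} flagged={v.flagged} ({v.reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

The check only applies where the channel itself is unencrypted, which is why ATT&CK pairs it with the exfiltration technique rather than offering it as a general control; once the same payload rides inside TLS, the sensor sees uniformly random bytes regardless of content and must fall back on volume, destination, and timing anomalies.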
By leveraging open-source CTI from knowledge bases such as ATT&CK and from third-party sources such as government and industry alerts, organizations can begin designing proactive defenses against cyber threats. It is important to note, however, that ATT&CK can only inform an organization’s threat modeling and is not a threat model itself. Additionally, ATT&CK focuses on intrusion TTPs and therefore does not cover other threats organizations may face, including distributed denial of service (DDoS) attacks that threaten the availability of their systems. Such threats still need to be accounted for in any financial organization’s risk assessment, particularly where a DDoS attack would prevent clients from accessing their financial accounts and, ultimately, their money.
On September 25, the CFPB released the Filing Instructions Guide for HMDA data collected in 2020 that must be reported in 2021. The guide references changes to the submission process and includes a reminder that, starting in 2020, “covered institutions that reported a combined total of at least 60,000 applications and covered loans in the preceding calendar year are required to report HMDA data quarterly.” Instructions for quarterly reporting can be found in the Supplemental Quarterly Reporting Guide, which was issued the same day. The file format for submitting the HMDA data, along with the required data fields to be collected and reported, has not changed.
On August 30, the Federal Financial Institutions Examination Council released the 2018 Home Mortgage Disclosure Act (HMDA) data on mortgage lending transactions, covering information submitted by financial institutions on or before August 7. The data will not remain static, but instead will be updated on an ongoing basis to reflect late submissions and resubmissions. The data currently includes information on 12.9 million home loan applications, 7.7 million of which resulted in loan originations, and 2 million purchased loans. Observations on the data include: (i) the total number of originated loans decreased by roughly 12.6 percent; (ii) refinance originations decreased by 23.1 percent; (iii) the share of refinance loans to low- and moderate-income borrowers increased from 22.9 percent to 30 percent; and (iv) nondepository, independent mortgage companies accounted for 57.2 percent of first-lien owner-occupied home purchase loans (up from 56.1 percent in 2017).
On the same day, the CFPB also released two data point articles describing mortgage market activity based on data reported under HMDA. The first article presents a report providing a “first look” at mortgage application and origination trends within the 2018 HMDA data. The second article presents a report on the “new and revised data points in the 2018 HMDA data” and discusses the Bureau’s initial observations on the mortgage market based upon those new or revised data points.
On August 28, the FFIEC issued a press release emphasizing the benefits of implementing a standardized cybersecurity preparedness approach. The FFIEC noted that firms that adopt a standardized approach are “better able to track their progress over time, and share information and best practices with other financial institutions and with regulators.” Highlighted are several standardized tools for financial institutions to use when assessing and improving their level of cybersecurity preparedness, including the FFIEC Cybersecurity Assessment Tool, the Financial Services Sector Coordinating Council Cybersecurity Profile, the National Institute of Standards and Technology Cybersecurity Framework, and the Center for Internet Security Critical Security Controls.
On June 11, House Financial Services Committee Chairwoman Maxine Waters and 64 other Democratic House members sent a letter to the CFPB urging rescission of its May proposal to permanently raise the coverage thresholds for collecting and reporting HMDA data and to retire its HMDA Explorer tool. (Covered by InfoBytes here.) In the letter, members argue that recent data “showed widespread discrimination in bank lending” and that redlining continues to be a pervasive problem. They note that HMDA data is an important tool for public officials to understand access to credit in their communities, and that the Bureau’s proposal would exempt “about half of lending institutions from reporting data about closed-end mortgages … [and] sacrifice information that can make a difference in the lives of creditworthy, lower-income consumers.” The members also ask for information regarding the new Federal Financial Institutions Examination Council (FFIEC) query tool that is to be used as a replacement for the HMDA Explorer tool and Public Data Platform API that the Bureau plans to retire, as previously covered by InfoBytes here.
On April 29, nine Democratic Senators, led by Sherrod Brown (D-Ohio), wrote to the CFPB expressing “deep concern” regarding the Bureau’s plan to retire its tools for public exploration of HMDA data, the HMDA Explorer Tool and the Public Data Platform API. In the letter, the Senators argue that retiring the tools with no plan for adequate replacements “threatens to undermine the statutory purposes of HMDA and does not live up to the commitments to transparency and accountability” that Director Kraninger promised to uphold during her nomination hearing. The Senators cite the Bureau’s decision to move the Office of Fair Lending and Equal Opportunity from the Supervision and Enforcement section to the Office of the Director and argue that “[r]eductions in available data and its accessibility, combined with weakened [fair lending] enforcement, is a disservice to the consumers the CFPB was created to protect.” The letter urges the CFPB to reverse course and requests that the Bureau provide a “detailed briefing” on the decision by May 10.
In the notice regarding the tools’ retirement, the Bureau states that the FFIEC “will publish a query tool for the 2018 data in the coming months.”
CFPB and Federal Reserve update HMDA examination procedures; CFPB updates ECOA baseline review procedures
On April 1, the CFPB and the Federal Reserve Board (Federal Reserve) issued revisions to the HMDA examination procedures covering data collected since January 1, 2018, under the HMDA amendments issued by the Bureau in October 2015 and August 2017, as well as section 104(a) of the Economic Growth, Regulatory Relief, and Consumer Protection Act (implemented and clarified by the 2018 HMDA Rule, which was covered by InfoBytes in August 2018 here). According to the Federal Reserve’s CA 19-5, the HMDA examination updates include (i) Narrative, Examination Objectives, and Examination Procedure sections that were developed by the Task Force on Consumer Compliance of the FFIEC; (ii) Review of Compliance Management System, Examination Conclusions and Wrap-Up, and Examination Checklist sections that were developed in consultation with the FDIC and the OCC; and (iii) sampling, verification, and resubmission procedures. With regard to HMDA data collected prior to January 1, 2018, institutions will continue to be examined according to the interagency HMDA examination procedures “transmitted with CA 09-10 and the HMDA sampling and resubmission procedures transmitted with CA 04-4.”
In April, the CFPB also released updated ECOA baseline review procedures. The procedures consist of five modules: (i) Fair Lending Supervisory History; (ii) Fair Lending Compliance Management System (CMS); (iii) Fair Lending Risks Related to Origination; (iv) Fair Lending Risks Related to Servicing; and (v) Fair Lending Risks Related to Models. According to the Bureau, all exams will cover the Fair Lending CMS module, and additional modules will be assigned depending on the scope of the examination.