InfoBytes Blog

Financial Services Law Insights and Observations

  • Federal Banking Agencies Seek Comment on Call Report Proposal for Small Financial Institutions

    Consumer Finance

    On August 5, the FFIEC announced that the OCC, the FDIC, and the Federal Reserve are seeking public comment on a proposal for a new Consolidated Reports of Condition and Income for Eligible Small Institutions (FFIEC 051/Call Report). The proposed Call Report is a streamlined version of the Consolidated Reports of Condition and Income for a Bank with Domestic Offices Only (FFIEC 041), and would be applicable to financial institutions with domestic offices only and total assets of less than $1 billion. Intended to ease the reporting requirements for smaller institutions, the proposed Call Report would remove approximately 40% of about 2,400 data items in FFIEC 041. FFIEC 041 would remain applicable to institutions with domestic offices only that do not file the proposed Call Report. The banking agencies are also seeking public comment on proposed revisions to the FFIEC 041 and the Consolidated Reports of Condition and Income for a Bank with Domestic and Foreign Offices (FFIEC 031). Comments are due 60 days after Federal Register publication, which has not yet occurred.

    FDIC Federal Reserve OCC FFIEC

  • FFIEC and HUD Release HMDA Filing Guides; CFPB Updates Resources for HMDA Filers Page

    Lending

    On July 13, the CFPB announced that the FFIEC and HUD had published new resources for financial institutions required to file data pursuant to the Home Mortgage Disclosure Act (HMDA) and Regulation C, as amended by the CFPB’s October 2015 final rule, which revised and expanded the scope of HMDA reporting requirements. Accordingly, the CFPB updated its “Resources for HMDA filers” page to include the following new FFIEC and HUD resources: (i) a Technology Preview, which provides an initial summary for how HMDA filers will interact with the HMDA Platform, a web-based data submission and edit-check system that filers will use to submit HMDA data collected in or after 2017; (ii) Filing Instructions Guide (FIG) for HMDA data collected in 2017, which outlines changes to the submission process for data collected in 2017, 2017 file specifications, and 2017 edit specifications; and (iii) FIG for HMDA data collected in 2018. The 2018 FIG includes field definitions for the many additional or modified data points required for data collected in 2018 and 2018 file format and edit specifications. The technical specifications in the FIG will allow lenders and vendors of HMDA data-preparation software to begin making the systems changes needed to collect data in 2018 for submission in 2019. The CFPB’s HMDA resource page also includes FFIEC HMDA FAQs and reminds financial institutions to visit the FFIEC website for resources to submit data collected in or before 2016.

    CFPB HUD FFIEC HMDA

  • FFIEC Issues Cybersecurity Statement, Comments on Recent Attacks on Interbank Messaging and Payment Networks

    Privacy, Cyber Risk & Data Security

    On June 7, the FFIEC issued a statement on behalf of its members (the OCC, Federal Reserve, FDIC, NCUA, CFPB, and State Liaison Committee) advising financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks.” According to the statement, recent cyber attacks against interbank networks and wholesale payment systems have demonstrated the ability to: (i) bypass information security controls and compromise a financial institution’s wholesale payment origination environment; (ii) “obtain and use valid operator credentials with the authority to create, approve, and submit messages”; (iii) make use of sophisticated understanding of funds transfer operations and operational controls; (iv) disable security logging and reporting by using highly customized malware, as well as conceal and delay detection of fraudulent transactions with the use of other operational controls; and (v) quickly transfer stolen funds across multiple jurisdictions.

    Due to the potential financial loss and compliance risk associated with the unauthorized transactions, the statement reminds financial institutions to consider the following steps to ensure compliance with regulatory requirements and FFIEC guidance: (i) establish and maintain an information security risk assessment program that “considers new and evolving threat intelligence related to online accounts and adjust customer authentication, layered security, and other controls in response to identified risks”; (ii) implement and maintain protection and detection systems, including antivirus protection and intrusion detection systems, and properly monitor system alerts; (iii) protect against unauthorized access to critical systems by, among other things, “limiting the number or credentials with elevated privileges across institutions” and establishing authentication rules; (iv) implement and regularly test controls around critical systems, and report test results to senior management, as well as the board of directors, if appropriate; (v) validate business continuity planning and ensure that the institution is able to “quickly recover and maintain payment processing operations”; (vi) strengthen information security awareness by conducting regular and mandatory training; and (vii) participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.

    In light of the FFIEC’s statement, the OCC simultaneously released Bulletin 2016-08, cautioning financial institutions that use interbank messaging and wholesale payment networks to take the aforementioned risk mitigation steps.

    FDIC CFPB Federal Reserve OCC NCUA FFIEC Privacy/Cyber Risk & Data Security

  • FFIEC Updates IT Examination Handbook

    Fintech

    On April 29, the FFIEC updated its IT Examination Handbook, revising its Retail Payment Systems booklet to include an Appendix E, Mobile Financial Services. The Retail Payment Systems booklet consists of guidance intended to help examiners evaluate financial institutions’ and third-party providers’ management of risks associated with retail payment systems. Appendix E is designed to address risk management associated with mobile financial services (MFS): “Appendix E contains guidance pertaining to [MFS] risks that supplements existing booklet guidance on other retail payment topics, such as electronic payments related to credit cards and debit cards, remote deposit capture and changes in technology or retail payment systems.” Appendix E outlines risk management practices for the following MFS technologies: (i) short message service/text messaging; (ii) mobile-enabled web sites and browsers; (iii) mobile applications; and (iv) wireless payment technologies. In addition to MFS technologies, Appendix E also addresses management strategies related to (i) risk identification; (ii) risk measurement; (iii) risk mitigation; and (iv) monitoring and reporting.

    Examination FFIEC Mobile Payment Systems Risk Management Vendor Management

  • FFIEC Releases Revised Management Booklet with Emphasis on Sound IT Governance

    Privacy, Cyber Risk & Data Security

    On November 10, the FFIEC issued a revised Management booklet, which outlines the principles of overall sound governance and, more specifically, IT governance. The booklet is one of 11 that make up the FFIEC’s Information Technology Examination Handbook, and explains how risk management, including IT risk management, is a component of governance. The handbook emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include (i) reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity; (ii) overseeing an institution’s process for approving third-party vendors; (iii) approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary; (iv) holding management accountable for identifying, measuring, and mitigating IT risks; and (v) providing independent, comprehensive, and effective audit coverage of IT controls. The revised handbook incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures, noting that, “[a]lthough an institution is not required to have a separate cybersecurity program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity.”

    Vendors FFIEC Risk Management Privacy/Cyber Risk & Data Security

  • FFIEC Issues Joint Statement Regarding Cyber Attacks Involving Extortion

    Privacy, Cyber Risk & Data Security

    On November 3, the FFIEC issued a statement notifying financial institutions of the increasing frequency and severity of cyber attacks involving extortion. The joint statement urges financial institutions to take steps to ensure effective risk management programs, including but not limited to the following: (i) conducting ongoing information security risk assessments; (ii) performing security monitoring, prevention, and risk mitigation; (iii) implementing and regularly testing controls around critical systems; and (iv) participating in industry information-sharing forums. The statement identifies resources financial institutions can refer to for assistance in mitigating cyber attacks involving extortion.

    The OCC also published a bulletin alerting all OCC-supervised institutions of the FFIEC’s joint statement.

    OCC FFIEC Risk Management Privacy/Cyber Risk & Data Security

  • Director Cordray Submits Letter to Trade Associations Regarding TRID Compliance

    Consumer Finance

    On October 1, CFPB Director Richard Cordray, on behalf of the FFIEC, responded to correspondence from the American Bankers Association and other trade associations seeking guidance as to their compliance with the Bureau’s Know Before You Owe TILA-RESPA Integrated Disclosure Rule, which will become effective on October 3, 2015. Per Director Cordray’s letter, the FFIEC’s member agencies’ examiners “will expect supervised entities to make good faith efforts to comply with the Rule’s requirements in a timely manner.” Moreover, examiners will take a number of factors into consideration in determining compliance with the Rule, including (i) an institution’s implementation plan; (ii) an institution’s training of its staff; and (iii) how an institution handles any early technical problems or other implementation challenges.

    CFPB FFIEC TRID

  • FFIEC Releases Cybersecurity Assessment Tool

    Privacy, Cyber Risk & Data Security

    As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.

    Privacy/Cyber Risk & Data Security FFIEC Bank Supervision Risk Management

  • OCC Comptroller Discusses Emerging Payment Systems Technology and Cybersecurity, FFIEC Set to Release Cybersecurity Assessment Tool

    Privacy, Cyber Risk & Data Security

    On June 3, in prepared remarks delivered at the BITS Emerging Payments Forum, OCC Comptroller Thomas Curry advised that as financial institutions continue to develop payment systems, banks need better preparation for potential cyber-risks. Curry warned that “[c]yber criminals will also probe emerging payment systems for vulnerabilities that they can exploit to engage in money laundering[.]” In addition, Curry advocated for more regulatory oversight of digital currencies and non-bank mobile payment providers, such as ApplePay and Google Wallet. Addressing cybersecurity concerns, Curry called for increased information-sharing to promote best practices and strengthen cybersecurity readiness among the banking industry. In particular, he urged financial institutions – of all sizes – to participate in the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a non-profit founded by the banking industry to facilitate the sharing and dissemination of cybersecurity threat information. Moreover, Curry confirmed that the FFIEC will soon be releasing a Cybersecurity Assessment Tool for financial institutions to use when evaluating their cybersecurity risks and risk management capabilities, observing that the tool will be particularly helpful to community banks as cybersecurity threats continue to increase.

    Payment Systems Nonbank Supervision OCC FFIEC Mobile Payment Systems Privacy/Cyber Risk & Data Security

  • Federal Banking Regulators Expand Scope of EGRPRA Review

    Consumer Finance

    On April 6, the Federal Reserve, OCC, and FDIC (Agencies) revealed that their ongoing regulatory review under the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA) will now be expanded to include recently issued regulations. The EGRPRA requires the Agencies and the FFIEC to review and identify outdated, burdensome, or unnecessary regulations at least every 10 years. The regulators have held two public outreach meetings with additional outreach sessions currently scheduled for May 4 in Boston, August 4 in Kansas City, October 19 in Chicago, and concluding on December 2 in Washington, D.C.

    FDIC Federal Reserve OCC FFIEC
