InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS, insurance broker reach $3 million cyber breach settlement
On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A September 2019 examination revealed that the cyber breaches involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also alleged that the broker failed to implement a multi-factor authentication as required by 23 NYCRR Part 500. Under the terms of the consent order, the broker will pay a $3 million civil monetary penalty and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the broker’s “commendable” cooperation throughout the examination and investigation and stated that the broker had demonstrated its commitment to remediation.
Fed’s Small Business Credit Survey shows Covid-19 challenges
Recently, the Federal Reserve Banks released the 2021 Report on Employer Firms covering findings from their small business credit survey (SBCS), which gathered insights from nearly 10,000 small businesses with fewer than 500 employees on challenges resulting from the Covid-19 pandemic, as well as on business performance and credit conditions. SBCS findings showed that few small businesses were able to avoid negative impacts as a result of the pandemic, and notably revealed disparities in experiences and outcomes across business and owner demographics, including race and ethnicity, industry, and firm size. Key findings include:
- Small businesses’ financial conditions sharply declined between 2019 and 2020, with firms owned by people of color reporting greater challenges. Statistics include: (i) 78 percent of firms reported decreases in revenue; (ii) 79 percent, 77 percent, and 66 percent of Asian-owned, Black-owned, and Latinx-owned firms, respectively, “characterized their financial condition as ‘fair’ or ‘poor’” (in contrast to 54 percent of Non-Hispanic White); and (iii) the share of firms carrying more than $100,000 in debt increased from 31 percent in 2019 to 44 percent in 2020.
- 91 percent of small businesses applied for some type of emergency funding. The Paycheck Protection Program (PPP) was the most commonly used program, with 77 percent of PPP applicants receiving all of the funding they requested. Applications were most frequently submitted through large and small banks, with 95 and 83 percent of applicants having an existing relationship with either a large bank or small bank, respectively, prior to applying for a PPP loan.
- 64 percent of small businesses would apply for additional government-provided assistance if it were available, with 39 percent reporting that “they would be unlikely to survive until sales return to ‘normal’ (that is, 2019 levels) without further government assistance.”
- Approval rates on loans, lines of credit, and cash advances decreased. Prior to the start of the pandemic, 81 percent of small businesses were at least partially approved for funding. After March 1, only 70 percent received partial approval.
- Use of online lenders decreased during 2020, with 42 percent of small businesses applying for loans, lines of credit, or cash advances through a large bank (43 percent turned to a small bank). In contrast, the number of small businesses that applied to online lenders fell from 33 percent in 2019 to 20 percent in 2020. Notably, small businesses with lower credit scores applied to online lenders and nonbank finance companies more often than their higher credit score counterparts. Moreover, small businesses that received financing from online lenders reported a decline in net satisfaction.
NYDFS announces Statewide Office of Financial Inclusion and Empowerment
On April 13, NYDFS announced the new Statewide Office of Financial Inclusion and Empowerment, which is intended to meet the financial services needs of low- and middle-income New Yorkers and provide a “single-stop state resource” for consumers to access financial help. Superintended Linda A. Lacewell stated that the intention of the office is to “advance the Department’s strategic financial inclusion initiatives” and “pilot and develop policy initiatives designed to help further financial inclusion and empowerment.” Among other things, the new office will (i) maintain a centralized list of financial services counseling providers from across the state in the areas of housing, student loan, debt, and general financial literacy; (ii) coordinate state and local services intended to expand access to credit and opportunities for wealth building; (iii) “[i]ncubate new programs to expand access to safe and affordable banking services, credit and financial education,” and “coordinate public-private partnerships”; and (iv) foster the provision of high-quality, low-cost financial products across New York. Lacewell also announced that the Honorable Tremaine Wright will serve as the office’s first director. Wright, who will develop and implement the office’s policies and programs, was previously elected to the New York State Assembly where she was chair of New York State Black, Puerto Rican, Hispanic & Asian Legislative Caucus.
Agencies issue MRMG; seek comments on BSA/AML compliance
On April 9, the Federal Reserve Board, FDIC, and OCC, in consultation with FinCEN and the NCUA, issued a joint statement on the use of risk management principles outlined in the agencies’ “Supervisory Guidance on Model Risk Management” (known as the “model risk management guidance” or MRMG) as it relates to financial institutions’ compliance with Bank Secrecy Act/anti-money laundering (BSA/AML) rules. While the joint statement is “intended to clarify how the MRMG may be a useful resource to guide a bank’s [model risk management] framework, whether formal or informal, and assist with BSA/AML compliance,” the agencies emphasized that the MRMG is nonbinding and does not alter existing BSA/AML legal or regulatory requirements or establish new supervisory expectations. In conjunction with the release of the joint statement, the agencies also issued a request for information (RFI) on the extent to which the principles discussed in the MRMG support compliance by financial institutions with BSA/AML and Office of Foreign Assets Control requirements. The agencies seek comments and information to better understand bank practices in these specific areas and to determine whether additional explanation or clarification may be helpful in increasing transparency, effectiveness, or efficiency. Comments on the RFI are due within 60 days of publication in the Federal Register.
Fed formalizes stance on supervisory guidance
On March 31, the Federal Reserve Board issued a final rule codifying the Interagency Statement Clarifying the Role of Supervisory Guidance issued by the CFPB, FDIC, NCUA, and OCC on September 11, 2018 (2018 Statement). As previously covered by InfoBytes, an October 2018 joint proposal amended the 2018 Statement by (i) clarifying that references in the 2018 Statement limiting agency “criticisms” includes criticizing institutions “through the issuance of [matters requiring attention] and other supervisory criticisms, including those communicated through matters requiring board attention, documents of resolution, and supervisory recommendations”; and (ii) adding that supervisory criticisms should be “specific as to practices, operations, financial conditions, or other matters that could have a negative effect on the safety and soundness of the financial institution, could cause consumer harm, or could cause violations of laws, regulations, final agency orders, or other legally enforceable conditions.” The final rule is effective 30 days after publication in the Federal Register, and mirrors final rules issued by the CFPB, OCC, FDIC, and NCUA.
U.S.-EU release statement on Joint Financial Regulatory Forum
On March 24 and 25, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S.-EU Joint Financial Regulatory Forum to discuss topics of mutual interest, including those related to (i) “next steps” for Covid-19 recovery and for mitigating financial stability risks; (ii) “sustainable finance”; (iii) banking and insurance multilateral and bilateral engagement; (iv) capital market regulatory and supervisory cooperation; (v) regulatory and supervisory developments pertaining to financial innovation, including the importance of promoting ongoing “responsible innovation and international supervisory cooperation”; and (vi) anti-money laundering and countering the financing of terrorism (AML/CFT) issues, including “the potential for enhanced cooperation to combat money laundering and terrorist financing bilaterally and in the framework of [the Financial Action Task Force].” Participants also discussed possible responses to climate-related financial risks, as well as “the progress in their respective legislative and supervisory efforts to ensure a smooth transition away from LIBOR.”
FDIC issues 2021 Consumer Compliance Supervisory Highlights
On March 31, the FDIC released the spring 2021 edition of the Consumer Compliance Supervisory Highlights, intended to provide information and observations related to the FDIC’s consumer compliance supervision of state non-member banks and thrifts in 2020. Topics include:
- A summary of the FDIC’s supervisory approach in response to the Covid-19 pandemic, including efforts made by banks to meet the needs of consumers and communities;
- An overview of the most frequently cited violations (approximately 74 percent of total violations involved TILA, Truth in Savings Act, Flood Disaster Protection Act, EFTA, and RESPA), as well as other consumer compliance examination observations related to RESPA, TRID, and fair lending;
- Information on regulatory developments, such as Community Reinvestment Act and flood insurance rulemaking and small-dollar loan programs;
- A summary of consumer compliance resources available to financial institutions; and
- Examples of practices that may be useful to institutions in mitigating risks.
FFIEC releases 2021 HMDA reporting guide
On March 30, the FDIC issued FIL-21-2021 announcing the Federal Financial Institutions Examinations Council’s issuance of the 2021 edition of the “Guide to HMDA Reporting: Getting It Right!” The guide applies to HMDA data collected in 2021 that will be reported to supervisory agencies by March 1, 2022, and includes (i) a summary of responsibilities and requirements; (ii) directions for assembling the necessary tools; and (iii) instructions for reporting HMDA data. According to the announcement, the 2021 edition provides information to assist with HMDA compliance in the event of a merger or acquisition, as well as updates to the appendices that reflect amendments to Regulation C made by a CFPB final rule published last year (covered by InfoBytes here). The final rule increased the permanent threshold from 25 to 100 loans starting July 1, 2020, for both depository and nondepository institutions, and also increased the permanent threshold for collecting and reporting data about open-end lines of credit from 100 to 200. The latter change, however, will not take effect until January 1, 2022, when the current temporary threshold of 500 open-end lines of credit expires.
Prudential regulators exploring how institutions use AI
On March 29, the FDIC, Fed, OCC, CFPB, and NCUA issued a request for information (RFI) seeking input on financial institutions’ use of artificial intelligence (AI), which may include AI-based tools and models used for (i) fraud prevention to identify unusual transactions for Bank Secrecy Act/anti-money laundering investigations; (ii) personalization of customer services; (iii) credit underwriting; (iv) risk management; (v) textual analysis; and (vi) cybersecurity. The RFI also solicits information on challenges financial institutions face in developing, adopting, and managing AI, as well as on appropriate governance, risk management, and controls over AI when providing services to customers. Additionally, the agencies seek input on whether it would be helpful to provide additional clarification on using AI in a safe and sound manner and in compliance with applicable laws and regulations. According to FDIC FIL-20-2021, while the agencies support responsible innovation by financial institutions and believe that new technologies, including AI, have “the potential to augment decision-making and enhance services available to consumers and businesses, . . . identifying and managing risks are key.” Comments on the RFI are due 60 days after publication in the Federal Register.
NYDFS updates cybersecurity fraud alert
On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of other techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes, the update stems from NYDFS’ February 16 cybersecurity fraud alert sent to regulated entities, which described a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. In addition to the techniques previously identified, NYDFS alerts regulated entities of the following additional hacking methods: (i) using web-debugging tools to steal unredacted, plaintext NPI while in transit from the data vendor to the company; and (ii) credential stuffing to gain access to insurance agent accounts and using those agent accounts to steal consumer NPI. To prevent sensitive data from being stolen from public-facing websites, NYDFS advises financial organizations to circumvent displaying prefilled NPI, even in redacted form, and to guarantee that all portals are being guarded by the “robust access controls required by [NYDFS]’s cybersecurity regulation.” The alert also outlines remediation steps that financial institutions should execute to guarantee basic security.