
InfoBytes Blog

Financial Services Law Insights and Observations


  • FDIC highlights operational risks in 2022 Risk Review

    On May 20, the FDIC released its 2022 Risk Review, summarizing emerging risks in the U.S. banking system observed during 2021 in four broad categories: credit risk, market risk, operational risk, and climate-related financial risk. According to the FDIC, the current risk review expands upon coverage in prior reports by examining operational risks to banks resulting from cyber threats, illicit finance, and climate-related financial risks. Monitoring these risks is among the agency’s top priorities, the FDIC said, explaining that the number of ransomware attacks in the banking industry increased in 2021, and that the “number and sophistication of cyber attacks also increased with remote work and greater use of digital banking tools.” Additionally, “threats from illicit activities continue to pose risk management challenges to banks.” The FDIC noted that the banking environment improved in 2021 as the economy recovered but stated that recovery was uneven across industries and regions. While “[f]inancial market conditions were generally supportive of the economy and banking industry in 2021,” they began to deteriorate in early 2022 with the onset of the Russian invasion of Ukraine, the FDIC said.

    Bank Regulatory Federal Issues FDIC Risk Management Illicit Finance Financial Crimes Privacy/Cyber Risk & Data Security Climate-Related Financial Risks

  • DOJ will not charge researchers who report cybersecurity flaws in “good faith”

    Agency Rule-Making & Guidance

    On May 19, the DOJ revised its policy for charging cases under the Computer Fraud and Abuse Act (CFAA), directing prosecutors not to charge researchers who report cybersecurity flaws in “good faith.” The policy directive informs prosecutors that the DOJ will not prosecute security researchers who access computers “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public.” Instead, the policy directive focuses the DOJ’s resources “on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer—such as one email account—and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.” The new policy directive explains, however, that “claiming to be conducting security research is not a free pass for those acting in bad faith,” and provides that “discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith.”

    Agency Rule-Making & Guidance DOJ Computer Fraud and Abuse Act Privacy/Cyber Risk & Data Security

  • FTC cracks down on ed tech providers’ COPPA compliance

    Federal Issues

    On May 19, the FTC warned providers of education technology (ed tech) tools for children that they must fully comply with all provisions of the Children’s Online Privacy Protection Act (COPPA). The Commission voted unanimously to approve a policy statement clarifying how COPPA applies to ed tech tools that gather data about children, while underscoring prohibitions on harvesting and monetizing children’s data. The policy statement explained that ed tech providers cannot force children to disclose more information than is reasonably necessary for participating in their educational services and are prohibited from using collected data for marketing or advertising purposes. Additionally, providers are prohibited from retaining children’s data for longer than necessary to fulfill the purpose for which it was collected, and must have procedures in place to keep the data secure. The FTC noted that “even absent a breach, COPPA-covered ed tech providers violate COPPA if they lack reasonable security.” Providers that fail to comply with COPPA may face civil penalties as well as new requirements and limitations on their business practices to stop the unlawful conduct. The policy statement comes as the FTC reexamines COPPA. As previously covered by InfoBytes, the Commission launched a rule review in 2019.

    Federal Issues FTC COPPA Privacy/Cyber Risk & Data Security Ed Tech

  • Illinois amendments address confidentiality of customer financial records

    State Issues

    On May 13, the Illinois governor signed SB 3971, which makes various amendments to Illinois Banking Act and Savings Bank Act provisions concerning the confidentiality of customer financial records. Among other things, the Act provides that a bank must disclose financial records “only after the bank sends a copy of the subpoena, summons, warrant, citation to discover assets, or court order,” to the person establishing the relationship with the bank if living (or the person’s representative otherwise), at the person’s last known address. Further, such requests must be sent through a third-party commercial carrier or courier, with delivery charge fully prepaid, by hand or by electronic delivery at an email address on file with the bank (provided the person has consented to electronic delivery).

    The Act also stipulates that a bank retain customer financial records “in a manner consistent with prudent business practices and in accordance with this Act and applicable State or Federal laws, rules, and regulations.” A bank may also destroy records (with reasonable precautions taken to ensure the confidentiality of the information contained in the records) except where a retention period is required by law. The Act is effective immediately.

    State Issues State Legislation Illinois Illinois Banking Act Illinois Savings Bank Act Privacy/Cyber Risk & Data Security Consumer Protection

  • U.S. signs protocol to strengthen international efforts to combat cybercrime

    Privacy, Cyber Risk & Data Security

    On May 12, the U.S. signaled its commitment to fight cybercrime by signing the Second Additional Protocol to the Convention on Cybercrime to obtain access to needed electronic evidence. Deputy Assistant Attorney General Richard Downing of the DOJ’s Criminal Division signed the new protocol to strengthen and expand international law enforcement cooperation to combat cybercrime. Currently, 66 countries are party to the multilateral treaty (commonly known as the Budapest Convention), which presents a “technology-neutral approach to cybercrime” and “has created an enduring framework for cooperation that ensures law enforcement has the tools they need to respond to new criminal methods.”

    According to the DOJ’s announcement, the new “Protocol to the Budapest Convention will accelerate cooperation among parties to protect [] citizens from cybercrime and hold criminals accountable. As cybercrime proliferates, electronic evidence is increasingly stored in different jurisdictions. The Second Additional Protocol is specifically designed to help law enforcement authorities obtain access to such electronic evidence, with new tools including direct cooperation with service providers and registrars, expedited means to obtain subscriber information and traffic data associated with criminal activity, and expedited cooperation in obtaining stored computer data in emergencies. All these tools are subject to a system of human rights and rule of law safeguards.”

    Privacy/Cyber Risk & Data Security DOJ Of Interest to Non-US Persons

  • OCC discusses use of AI

    On May 13, OCC Deputy Comptroller for Operational Risk Policy Kevin Greenfield testified before the House Financial Services Committee Task Force on Artificial Intelligence (AI) discussing banks’ use of AI and innovation in technology services. Among other things, Greenfield addressed the OCC’s approach to innovation and supervisory expectations, as well as the agency’s ongoing efforts to update its technological framework to support its bank supervision mandate. According to Greenfield’s written testimony, the OCC “recognizes the paramount importance of protecting sensitive data and consumer privacy, particularly given the use of consumer data and expanded data sets in some AI applications.” He noted that many banks use AI technologies and are investing in AI research and applications to automate, augment, or replicate human analysis and decision-making tasks. Therefore, the agency “is continuing to update supervisory guidance, examination programs and examiner skills to respond to AI’s growing use.” Greenfield also pointed out that the agency follows a risk-based supervision model focused on safe, sound, and fair banking practices, as well as compliance with laws and regulations, including fair lending and other consumer protection requirements. This risk-based approach includes developing supervisory strategies based upon an individual bank’s risk profile and examiners’ review of new, modified, or expanded products and services. Greenfield further noted that “the OCC is focused on educating examiners on a wide range of AI uses and risks including risks associated with third parties, information security and resilience, compliance, BSA, credit underwriting, and fair lending and data governance, as part of training courses and other educational resources.” According to Greenfield’s oral statement, “banks need effective risk management and controls for model validation and explainability, data management, privacy, and security regardless of whether a bank develops AI tools internally or purchases through a third party.”

    Bank Regulatory Federal Issues OCC House Financial Services Committee Privacy/Cyber Risk & Data Security Artificial Intelligence Third-Party Risk Management Fintech

  • Senate confirms Bedoya as FTC commissioner; Powell to serve second term as Fed chair

    Federal Issues

    On May 11, the U.S. Senate voted along party lines to confirm Alvaro Bedoya as an FTC Commissioner. Bedoya, who brings a background in privacy and data security, fills the FTC commissioner seat vacated by current CFPB Director Rohit Chopra. A Georgetown University visiting professor of law, Bedoya also founded the law school’s Center on Privacy & Technology. According to the administration’s announcement, Bedoya previously “co-led a coalition that successfully pressed an Internet giant to drop ads for online payday loans” and served as the first chief counsel to the Senate Judiciary Subcommittee on Privacy, Technology and the Law. (Covered by InfoBytes here.) FTC Chair Lina M. Khan praised Bedoya’s “expertise on surveillance and data security,” and, following his confirmation, stated that his “knowledge, experience, and energy will be a great asset to the FTC.”

    The Senate also confirmed Jerome Powell by a vote of 80-19 to serve a second four-year term as Federal Reserve Chair, and confirmed Lisa Cook and Philip Jefferson to serve as Board Governors (see here and here). Still pending is President Biden’s nomination of Michael Barr to serve as Vice Chair for Supervision of the Federal Reserve.

    Federal Issues FTC Federal Reserve Biden Privacy/Cyber Risk & Data Security

  • Connecticut becomes fifth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (covered by Buckley Special Alerts here and here and InfoBytes here and here). As previously covered by InfoBytes, Connecticut consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. The Act also outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests free of charge within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 60 days to cure the alleged violation before the attorney general can file suit. The Act takes effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection

  • District Court settles data scraping lawsuit

    Privacy, Cyber Risk & Data Security

    On May 9, the U.S. District Court for the Northern District of California issued a final judgment on consent resolving a lawsuit concerning data scraping allegations. A professional networking site (plaintiff) sued a Singapore-based company and three company founders (collectively, “defendants”), claiming the defendants violated the terms of the plaintiff’s user agreement by gaining unauthorized access to areas of the plaintiff’s platform that are only accessible to real logged-in members, scraping millions of member profile pages, and using fake member accounts and prepaid virtual debit card numbers to fraudulently obtain access to a function that provides advanced features. In alleging claims for breach of contract, fraud and deceit, and misappropriation, among others, the plaintiff claimed the defendants’ activities defrauded it out of hundreds of thousands of dollars in revenue. According to the court’s judgment, the defendants have agreed to be permanently restrained and barred from engaging in the aforementioned activities, including using scraping to access the plaintiff’s data, engaging in marketing and advertising about the availability of user data on the defendants’ website, circumventing any technological measures that control access to the plaintiff’s servers, and transferring data to third parties. “Defendants represent that they have destroyed all [plaintiff] member profile data, whether stored in electronic form or otherwise, in their possession, custody, or control and have certified in writing that they have done so,” the judgment stated. While the judgment did not include a monetary penalty, the court noted that violation of the final judgment on consent shall expose the defendants and all other persons bound by it “to all applicable penalties, including contempt of Court.”

    Privacy/Cyber Risk & Data Security Courts Data Scraping Settlement

  • Fed updates synthetic identity fraud mitigation toolkit

    Recently, the Federal Reserve updated a synthetic identity fraud mitigation toolkit offering new information regarding fraud detection technology and data sharing and discussing the value of fraud information sharing within the industry to help fight synthetic identity fraud. As previously covered by InfoBytes, in February, the Fed released the synthetic identity fraud mitigation toolkit intended to help financial institutions, businesses, and consumers improve awareness, detection, measurement, and mitigation of identity fraud. The recent updates in the toolkit provide guidance on enhancing organizations' ability to prevent and mitigate synthetic identity fraud using a variety of detection and prevention technologies and approaches. Topics contained in the toolkit include insights and downloadable resources covering, among other things: (i) the basics of synthetic identity fraud; (ii) how synthetic identities are used; (iii) when synthetics become a reality; (iv) detecting a synthetic identity; (v) validating identities; and (vi) identifying synthetics.

    Bank Regulatory Federal Issues Federal Reserve Privacy/Cyber Risk & Data Security Synthetic Identity Fraud Risk Management
