InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Attorney General Sessions announces plans to create Cyber-Digital Task Force
On February 20, U.S. Attorney General Jeff Session announced plans to create a Cyber-Digital Task Force (Task Force) designed to combat global cyber threats. According to the DOJ’s press release, Attorney General Sessions stated that the Task Force will “advise me on the most effective ways that this Department can confront these threats and keep the American people safe.” His February 16 memorandum identified certain cyber-related issues as particularly “pressing,” including: (i) the use of the internet to spread violent ideologies; (ii) the theft of corporate, governmental, and private information on a large scale; (iii) the use of technology to evade or frustrate law enforcement; and (iv) the weaponization of consumer devices, including computers and other consumer devices, to attack U.S. citizens and businesses. The Task Force will issue a report by June 30, 2018 outlining the DOJ’s current cyber-related activities and offering recommendations.
Supreme Court denies writ challenging data breach standing
On February 20, the U.S. Supreme Court denied without comment a medical insurance company’s petition for writ of certiorari to challenge an August 2017 D.C. Circuit Court of Appeals decision, which reversed the dismissal of a data breach suit filed by the company’s policyholders in 2015. According to the D.C. Circuit opinion, the policyholders sued the medical insurance company after the company announced that an unauthorized party had accessed personal information for 1.1 million members. The lower court dismissed the policyholder’s case, holding that they did not have standing because they could not show an actual injury based on the data breach. In reversing the lower court’s decision, the D.C. Circuit, citing the Supreme Court ruling in Spokeo, Inc. v. Robins, held that it was plausible that the unauthorized party “has both the intent and the ability to use [the] data for ill.” This was sufficient to show that the policyholders had standing to bring the claims because they alleged a plausible risk of future injury.
FDIC releases 2017 annual report, among key issues are living wills, cybersecurity, and simplifying regulations
On February 15, the FDIC released its 2017 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives, performance results, and other aspects of FDIC operations, supervision developments, and regulatory enforcement, including the following:
- Living Wills. The report discusses the FDIC’s continued evaluation of resolution plans for Systemically Important Financial Institutions (SIFIs) and notes there remain “inherent challenges and uncertainties” associated with the plans, specifically within four areas: “intra-group liquidity; internal loss-absorbing capacity; derivatives; and payment, clearing, and settlement activities.” Further, the FDIC and Federal Reserve (who share joint responsibility for reviewing and assessing resolution plans) reviewed plans submitted by the eight largest U.S. SIFIs and noted that four of the firms’ plans had shortcomings—although no deficiencies were identified—and stipulated that the plans must be resubmitted by July 1, 2019. (See previous InfoBytes coverage here on recent comments by FDIC Chairman Martin concerning living will challenges.)
- Cybersecurity. Among other initiatives, the report discusses a collaboration between the FDIC, the Federal Reserve, and the OCC to update the interagency Cybersecurity Assessment Tool, which “helps financial institutions determine their cyber risk profile, inherent risks, and level of cybersecurity preparedness.” The report provides feedback from institutions currently using the tool.
- Simplifying Regulation. In accordance with the requirements of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA), the report discusses the FDIC’s, Federal Reserve Board’s, and OCC’s regulatory review process done in conjunction with the National Credit Union Administration and the members of the Federal Financial Institutions Examination Council (FFIEC). As previously covered in InfoBytes here and here, a report was issued in March outlining initiatives designed to reduce regulatory burdens, particularly on community banks and savings associations, and last September a proposed rule to simplify capital rule compliance requirements and reduce the regulatory burden was issued.
House Financial Services Committee holds hearing on current data security regulatory regime
On February 14, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Examining the Current Data Security and Breach Notification Regulatory Regime” to discuss opportunities to reform data security regulations at the federal and state level in order to close gaps in the regulations and reduce vulnerabilities in the system. Subcommittee Chairman Blaine Luetkemeyer (R-Mo.) opened the hearing by stating that (1) technological advancements are paired with increasingly sophisticated threats to data security; and (2) data breaches seem to be increasing in number and severity. Luetkemeyer emphasized that the time has come to consider regulatory reform to address these complex issues.
The hearing’s five witnesses offered numerous insights related to the current issues with data security. Among the issues discussed included highlighting the significance of the global data threats the U.S. faces today and the cost they have on the public’s trust in technology. Several witnesses commented on the inconsistencies in state data breach laws and offered suggestions for future regulatory reform, such as federal legislation that (i) requires companies to maintain reasonable data security policies; (ii) implements prompt consumer notification requirements of suspected breaches; and (iii) contains a safe harbor for compliance with federal data security standards. The hearing also had significant discussion regarding whether a new federal law should preempt current state laws in their entirety. The discussion recognized the challenges of pursuing a preemption approach. On one hand, partial preemption would not solve the inconsistencies that exist today, but total preemption may override state laws that currently provide strong protections with a weaker national standard.
District Court dismisses First Amendment challenge to Montana’s statute banning robocalls
On February 9, a federal judge for the U.S. District Court for the District of Montana denied a plaintiff’s motion for summary judgment, which sought to overturn the State of Montana’s statutory restrictions on robocalls. Among other things, the plaintiff—a Michigan-based political consulting firm that relies on automated calls to gather data—claimed the 1991 Montana statute violated its right to free speech under the First and Fourteenth Amendments of the United States Constitution by prohibiting automated sales and political campaign calls. However, the court ruled that the Montana statute is sufficiently narrowly tailored and is intended to preserve and protect residents’ “control over [their] property and personal choices regarding receipt of communications.” Exemptions to the ban, the court explained, can occur “if the permission of the called party is obtained by a live operator before the recorded message is delivered.” The narrow tailoring leaves “ample alternative (including all of the more traditional) channels of communication for the protected political speech.”
Alabama attorney general establishes cybercrime lab
On February 14, the Alabama Attorney General’s Office announced the establishment of the Cybercrime Lab, which was created in partnership with the U.S. Secret Service, the Federal Bureau of Investigation, U.S. Department of Homeland Security Investigations, the Alabama Fusion Center, the Alabama Office of Prosecution Services, and U.S. Attorney Louis Franklin. In addition to supporting cyber-related investigations in areas such as network intrusions and data breaches conducted by law enforcement in Alabama at the federal, state, and local levels, the Cybercrime Lab will provide assistance to agencies seeking access to digital evidence. Alabama Attorney General Steve Marshall commented that his office also has new resources for reporting suspected debit/credit card skimming devices.
President Trump releases 2019 budget proposal; key areas of reform include appropriation shifts, cybersecurity, and financial crimes
On February 12, the White House released its fiscal 2019 budget request, Efficient, Effective, Accountable, an American Budget (2019 budget proposal), along with Major Savings and Reforms (MSR) and an Appendix. The mission of the President’s budget sets forth priorities, including imposing fiscal responsibility, reducing wasteful spending, and prioritizing effective programs. However, the 2019 budget proposal has little chance of being enacted as written and does not take into account a two-year budget agreement Congress passed that the President signed into law on February 9. Notable takeaways of the 2019 budget are as follows:
CFPB. Under the MSR’s “Restructure the Consumer Financial Protection Bureau” section, Congress and the current administration would implement a broad restructuring of the Bureau to “prevent actions that unduly burden the financial industry” by restricting its enforcement authority over federal consumer law. Among other things, the proposed budget would cap the Federal Reserve’s (Fed) transfers this year at $485 million (an amount equivalent to its 2015 budget) and eliminate all transfers by 2020, at which point the Bureau’s appropriations process would shift to Congress.
Commodity Futures Trading Commission (CFTC). As stipulated in the Appendix, the budget proposes legislation, which would authorize the CFTC to collect $31.5 million in user fees to fund certain activities and would bring the Commission’s budget to $281.5 million for 2019. According to the administration, if the authorizing legislation is enacted, it would be “in line with nearly all other Federal financial and banking regulators.”
Cybersecurity. The 2019 budget proposal requests funding for the Department of Homeland Security (DHS) and the Department of Defense (DOD) to execute efforts to counter cybercrime. The DOD funds would go towards efforts to sustain the Cyber Command’s 133 Cyber Mission Force Teams, which “are on track to be fully operational by the end of 2018.” Furthermore, the administration states it “will improve its ability to identify and combat cybersecurity risks to agencies’ data, systems, and networks.”
Financial Stability Oversight Council (FSOC). Currently FSOC (which is comprised of the heads of the financial regulatory agencies and monitors risk to the U.S. financial system) and the Office of Financial Research (OFR) (FSOC’s independent research arm) receive funding through fees assessed on certain bank holding companies with assets of at least $50 billion as well as nonbanks supervised by the Fed. However, the 2019 budget proposal would require FSOC and OFR to receive their funding through the normal congressional appropriations process.
Flood Insurance. Outlined in the MSR is a budget request that would reduce appropriations for the National Flood Insurance Program's flood hazard mapping program by $78 million. The funding reduction is designed to “preserve resources for [DHS]’s core missions”; however, the administration plans to work to “improve efficiency in the flood mapping program, including incentivizing increased State and local government investments in updating flood maps to inform land use decisions and reduce risk.” Additionally, contained within the Appendix is a proposal for a “means-tested affordability program” that would determine assistance for flood insurance premium payments based on a policyholder's income or ability to repay, rather than a home's location or date of construction.
Government Sponsored Enterprises. Noted within the MSR, the budget proposes doubling the guarantee fee charged by Fannie Mae and Freddie Mac to loan originators from 0.10 to 0.20 percentage points from 2019 through 2021. The proposal is designed to help “level the playing field for private lenders seeking to compete with the GSEs” and would “generate approximately $26 billion over the 10-year Budget window.”
HUD. The 2019 budget proposal eliminates funding for the following: (i) the CHOICE Neighborhoods program (a savings of $138 million), on the basis that state and local governments should fund strategies for neighborhood revitalization; (ii) the Community Development Block Grant (a savings of $3 billion), over claims that it “has not demonstrated a measurable impact on communities”; (iii) the HOME Investment Partnerships Program (a savings of $950 million); and (iv) the Self-Help and Assisted Homeownership Opportunity Program Account (a savings of $54 million). The budget also proposes reductions to grants provided to the Native American Housing Block Grant and plans to reduce costs across HUD’s rental assistance programs through legislative reforms. Rental assistance programs generally comprise about 80 percent of HUD’s total funding.
SEC. As stipulated in the MSR, the budget proposes eliminating the SEC’s mandatory reserve fund and would require the SEC to request additional funds through the congressional appropriations process starting in 2020. According to the Appendix, the reserve fund is currently funded by collected registration fees and is not subject to appropriation or apportionment. Under the proposed budget, the registration fees would be deposited in the Treasury’s general fund.
SIGTARP. As proposed under MSR, the 2019 budget would reduce funding for the Special Inspector General for the Troubled Asset Relief Program (SIGTARP) “commensurate with the wind-down of TARP programs.” According to the proposal, “Congress aligned the sunset of SIGTARP with the length of time that TARP funds or commitments are outstanding,” which, Treasury estimates, will be in 2023. This will mark the final time payments are expected to be made under the Home Affordable Modification Program (HAMP). As previously covered in InfoBytes, SIGTARP delivered a report to Congress last month, which identified unlawful conduct by certain of the 130 financial institutions in TARP’s Making Home Affordable Program as the top threat to TARP and, thus, the agency’s top investigative priority.
Student Loan Reform. Under the 2019 budget proposal, a single income-driven repayment plan (IDR) would be created that caps monthly payments at 12.5 percent of discretionary income. Furthermore, balances would be forgiven after a specific number of repayment years—15 for undergraduate debt, 30 for graduate. In doing so, the Public Service Loan Forgiveness program and subsidized loans will be eliminated, and reforms will be established to “guarantee that all borrowers in IDR pay an equitable share of their income.” These proposals will only apply to loans originated on or after July 1, 2019, with the exception of loans provided to borrowers in order to finish their “current course of study.”
Treasury Department. Under the 2019 budget proposal, safeguarding markets and protecting financial data are a top priority for the administration, and $159 million has been requested for Treasury’s Office of Terrorism and Financial Intelligence to “continue its critical work safeguarding the financial system from abuse and combatting other national security threats using non-kinetic economic tools. These additional resources would be used to economically isolate North Korea, complete the Terrorist Financing Targeting Center in Saudi Arabia, and increase sanctions pressure on Iran, including through the implementation of the Countering America’s Adversaries Through Sanctions Act.” The budget also requests a $3 million increase from 2017 to be applied to the Financial Crimes Enforcement Network’s authority to administer the Bank Secrecy Act and its work to prevent the financing of terrorism, money laundering, and other financial crimes.
SEC exams to focus on ICOs, cybersecurity, and AML programs
On February 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released its 2018 Examination Priorities, which includes cryptocurrency and Initial Coin Offerings (ICOs) for the first time. According to the document, the OCIE’s 2018 priorities reflect “certain practices, products, and services that OCIE believes may present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.” The document highlights five themes:
- Retail Investors. Among other retail investor priorities, OCIE states it will focus on high-risk products, including cryptocurrency and ICO markets due to their rapid growth. Exams in this area will review whether there are adequate controls and safeguards to protect against theft and whether appropriate disclosures about the risks associated with the investments are given to investors.
- Compliance and Risks in Critical Market Infrastructure. OCIE will look at important participants in the market structure, including clearing agencies, national securities exchanges, transfer agents, and entities under Regulation SCI.
- Review of Other Regulatory Bodies. OCIE intends to review the operations and controls of the Financial Industry Regulatory Authority (FINRA) and the Municipal Securities Rulemaking Board (MSRB).
- Cybersecurity. OCIE notes that the scope and severity of cybersecurity risks have increased dramatically. According to the document, examinations will continue to focus on, among other things, data loss prevention, governance and risk assessment, and vendor management.
- AML Programs. Anti-money laundering (AML) program examinations will focus on whether the regulated entities are “appropriately adapting their AML programs to address their obligations.” More specifically, OCIE will look at whether entities are filing accurate Suspicious Activity Reports (SARs) and performing appropriate customer due diligence reviews.
Massachusetts attorney general launches data breach reporting portal
On February 1, Massachusetts Attorney General Maura Healey launched a Data Breach Reporting Online Portal, which is available through the agency’s Security Breaches site. Organizations can use the online portal to provide notice to the attorney general’s office of a data breach as required by the Massachusetts Data Breach Notification Law (law), M.G.L. c. 93H. According to the announcement, the law requires any entity that “owns or licenses a consumer’s personal information” to notify the attorney general’s office, among others, “any time personal information is accidentally or intentionally compromised.” The announcement notes that organizations are not required to use the online portal and may still send written notice to the attorney general’s office through the mail.
The online portal announcement follows other recent actions by Healey in response to consumer data breaches. In September, Healey filed the first enforcement action in the nation against a major credit reporting agency after its significant data breach announcement (previously covered by InfoBytes here) and introduced proposed legislation, SB 130/HB 134, which, among other things, would eliminate fees for credit freezes and mandate encryption of personal information in credit reports.
FTC issues comments on FCC’s robocall blocking rules
On January 31, the FTC submitted a comment letter in response to the FCC’s request for input on its November adoption of rules allowing phone companies to proactively block illegal robocalls originating from certain types of phone numbers. (See previous InfoBytes coverage here.) Calling the development of a call-blocking, call-filtering solution to protect consumers from illegal and unwanted calls long overdue, the FTC offered support for efforts to encourage providers who block calls to “identify and quickly rectify any erroneous blocking.” However, FTC staff claimed that, based on the current record, it is unclear whether there exists “a need to require a formal challenge mechanism for errors resulting from provider-based call blocking authorized by this Report and Order.” The FTC noted that a formal challenge process is not necessary because, among other things, the FCC already cautions providers about wrongfully blocking unallocated or unassigned numbers and “warns providers that erroneous blocking may lead to liability for violating call completion rules.” Additionally, the FTC agreed with concerns raised by a telecom association that “white lists,” which contain numbers that should not be blocked, pose “substantial security risks” if the lists “fall into the hands of even a single robocaller” because they might serve as the “‘de facto master key’ that would provide robocallers with the ability to override all of the efforts painstakingly developed to thwart them.”