
InfoBytes Blog

Financial Services Law Insights and Observations


  • MA Division of Banks Releases 2015 Annual Report

    Lending

    Recently, the Massachusetts Division of Banks released its annual report for year-end 2015. The report provides a broad overview of the Division’s 2015 efforts related to, among other things, foreclosure relief, cybersecurity protection, mortgage and depository supervision, and corporate transactions. Notable 2015 updates outlined in the report include the Division (i) approving 24 new mortgage companies in 2015, which resulted in 497 mortgage brokers and lenders being licensed to do business in Massachusetts; (ii) expanding its coordination, cooperation, and participation with the CFPB, Multi-state Mortgage Committee, and the New England Regional Mortgage Committee through sharing information in concurrent examinations of non-depository mortgage entities; and (iii) increasing oversight of the financial industry’s information technology environment, including collaborating with the Conference of State Bank Supervisors to host an event for Massachusetts bankers about common cybersecurity situations. The report also sets out objectives for 2016, such as implementing and enforcing “consumer protection laws and regulations while providing consumers the information they need to know their rights and make informed financial decisions.”

    CFPB Foreclosure Mortgage Licensing CSBS Privacy/Cyber Risk & Data Security

  • OCC Releases Semiannual Risk Perspective Report

    Privacy, Cyber Risk & Data Security

    On July 11, the OCC released its Semiannual Risk Perspective for Spring 2016, which generally provides an overview of supervisory concerns for the federal banking system and specifically presents data as of December 31, 2015 in the following areas: (i) operating environment; (ii) bank performance; (iii) key risk issues; and (iv) regulatory actions. Similar to the fall 2015 report, the current report identifies cybersecurity, third-party vendor management, business continuity planning, TRID, and BSA/AML compliance, among other things, as key areas of potential operational and compliance risk. Further, the report highlights the new Military Lending Act rule, effective October 3, 2016, as a new key potential risk. According to the report, the OCC’s supervisory priorities for the next twelve months will generally remain the same; moreover, the outlook for the OCC’s Large Bank Supervision and Midsize and Community Bank Supervision operating units will remain broadly similar.

    OCC Anti-Money Laundering Bank Secrecy Act Bank Supervision Military Lending Act Risk Management TRID Vendor Management Privacy/Cyber Risk & Data Security

  • European Union Approves EU-U.S. Privacy Shield

    Privacy, Cyber Risk & Data Security

    On July 12, the European Union (EU) finalized and adopted the EU-U.S. Privacy Shield for transatlantic data flows. As previously covered in InfoBytes, on October 6, 2015, the Court of Justice of the European Union declared in Schrems v. Data Protection Commissioner “invalid” a decision of the European Commission that the EU-U.S. Safe Harbor Framework provided adequate protection for personal data transferred from the EU to the U.S., thus requiring the EU and the U.S. to develop a new framework for transatlantic data transfers. The recently finalized EU-U.S. Privacy Shield is based on the following principles: (i) strong obligations on companies handling data, including requiring the Department of Commerce to regularly conduct updates and reviews of participating companies and tightening conditions for the onward transfers of data; (ii) clear safeguards and transparency obligations on the U.S. government, assuring that “the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms”; (iii) effective protection of individual rights, including complaint-handling mechanisms and the designation of an Ombudsperson independent from U.S. intelligence services to handle redress possibilities in the area of national security for EU citizens; and (iv) an annual joint review mechanism to monitor the functioning of the Privacy Shield. On July 12, the Commission simultaneously released a Q&A, a Fact Sheet, the “Adequacy Decision,” which will enter into force immediately after Member States are notified, and Annexes.

    Privacy/Cyber Risk & Data Security

  • European Union Approves Cybersecurity Rules

    Privacy, Cyber Risk & Data Security

    On July 6, the European Union (EU) approved cybersecurity rules that will require certain businesses, including financial services firms and digital service providers, to maintain security measures and report cybersecurity incidents. The new laws, referred to as the Network and Information Security (NIS) Directive, are intended to establish “harmonized” security and reporting requirements for “operators of essential services,” which EU member states will identify based on certain criteria, such as whether the service is “critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service.” Certain digital service providers, such as online marketplaces, search engines, and cloud services, will also have to maintain security measures and report major incidents. The requirements are “lighter for these providers.” The NIS Directive will become effective on the twentieth day after publication in the EU Official Journal; member states “will have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services.”

    Privacy/Cyber Risk & Data Security European Union

  • FSOC Publishes 2016 Annual Report, Highlights Marketplace Lending as Emerging Risk

    Privacy, Cyber Risk & Data Security

    On June 21, the Financial Stability Oversight Council (FSOC) released its 2016 annual report. The report reviews financial market and regulatory developments, identifies emerging risks, and offers recommendations to enhance the U.S. financial markets, promote market discipline, and maintain investor confidence. Among other things, the report focuses on threats and vulnerabilities related to cybersecurity, marketplace lending, and distributed ledger systems/blockchain technology. Addressing the need for heightened cybersecurity, the report advises financial institutions to work together with government agencies to better understand risks associated with destructive malware attacks and to “improve cybersecurity, engage in information sharing efforts, and prepare to respond to, and recover from, a major incident.” Regarding marketplace lending, the report stresses that, as the industry continues to grow, “financial regulators will need to be attentive to signs of erosion in lending standards.” Finally, according to the report, distributed ledger systems pose operational vulnerabilities that “may not become apparent until they are deployed at scale,” and it cautions that a “considerable degree of coordination among regulators may be required to effectively identify and address risks associated with distributed ledger systems.”

    FSOC Digital Assets Blockchain Marketplace Lending Privacy/Cyber Risk & Data Security Distributed Ledger

  • Department of Homeland Security and DOJ Issue Operational Rules to Implement Provisions of CISA

    Privacy, Cyber Risk & Data Security

    On June 15, the Department of Homeland Security and the DOJ (collectively, Departments) issued final procedures to implement certain provisions of the Cybersecurity Information Sharing Act (CISA) of 2015. The rules establish operational procedures “relating to the receipt of cyber threat indicators and defensive measures by all federal entities under CISA.” The recently issued procedures finalize interim guidance released by the Departments in February 2016.

    DOJ CISA Privacy/Cyber Risk & Data Security

  • NYDFS Issues Virtual Currency License to XRP II, LLC

    Fintech

    On June 13, the NYDFS announced that it approved XRP II, LLC’s application for a virtual currency license. Before approving the company’s August 2015 application, NYDFS conducted a “rigorous review” of the company’s anti-money laundering, capitalization, consumer protection, and cybersecurity standards. To date, NYDFS has received 26 BitLicense applications; two companies, including this one, have been approved for BitLicenses and two have received state trust charters. NYDFS further noted that it recently denied two applications for a virtual currency license; the companies in receipt of the denial letters were ordered to stop any New York operations.

    Anti-Money Laundering Virtual Currency Licensing NYDFS Privacy/Cyber Risk & Data Security

  • FFIEC Issues Cybersecurity Statement, Comments on Recent Attacks on Interbank Messaging and Payment Networks

    Privacy, Cyber Risk & Data Security

    On June 7, the FFIEC issued a statement on behalf of its members (the OCC, Federal Reserve, FDIC, NCUA, CFPB, and State Liaison Committee) advising financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks.” According to the statement, recent cyber attacks against interbank networks and wholesale payment systems have demonstrated the ability to: (i) bypass information security controls and compromise a financial institution’s wholesale payment origination environment; (ii) “obtain and use valid operator credentials with the authority to create, approve, and submit messages”; (iii) make use of sophisticated understanding of funds transfer operations and operational controls; (iv) disable security logging and reporting by using highly customized malware, as well as conceal and delay detection of fraudulent transactions with the use of other operational controls; and (v) quickly transfer stolen funds across multiple jurisdictions.

    Due to the potential financial loss and compliance risk associated with the unauthorized transactions, the statement reminds financial institutions to consider the following steps to ensure compliance with regulatory requirements and FFIEC guidance: (i) establish and maintain an information security risk assessment program that “considers new and evolving threat intelligence related to online accounts and adjust customer authentication, layered security, and other controls in response to identified risks”; (ii) implement and maintain protection and detection systems, including antivirus protection and intrusion detection systems, and properly monitor system alerts; (iii) protect against unauthorized access to critical systems by, among other things, “limiting the number of credentials with elevated privileges across institutions” and establishing authentication rules; (iv) implement and regularly test controls around critical systems, and report test results to senior management, as well as the board of directors, if appropriate; (v) validate business continuity planning and ensure that the institution is able to “quickly recover and maintain payment processing operations”; (vi) strengthen information security awareness by conducting regular and mandatory training; and (vii) participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.

    In light of the FFIEC’s statement, the OCC simultaneously released Bulletin 2016-08, cautioning financial institutions that use interbank messaging and wholesale payment networks to take the aforementioned risk mitigation steps.

    FDIC CFPB Federal Reserve OCC NCUA FFIEC Privacy/Cyber Risk & Data Security

  • SEC Settles with New York Financial Firm and Employee Over Alleged Failure to Protect Customer Data

    Privacy, Cyber Risk & Data Security

    On June 8, the SEC announced that a New York-based financial services firm agreed to pay a $1 million civil monetary penalty to resolve allegations that it violated the “Safeguards Rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). According to the SEC, the firm “failed to ensure the reasonable design and proper operation of its policies and procedures in safeguarding confidential customer data.” The SEC further contends that the firm failed to audit or test the authorization models that allowed employees to access the portals hosting customer data. The financial services firm settled the charges without admitting or denying the SEC’s findings. As a result of the company’s alleged failures, between 2011 and 2014, a then-current employee of the firm gained access to and copied data regarding approximately 730,000 customer accounts to his personal server. The SEC alleges that the employee’s personal server was hacked, and portions of the misappropriated data were posted to at least three Internet sites, with an offer to sell more of the stolen data in exchange for payment in digital currency. Per the employee’s separate consent order, the employee agreed to an industry and penny stock bar with the right to apply for reentry after five years. He was previously criminally convicted for his actions and received 36 months of probation and $600,000 in restitution.

    SEC Privacy/Cyber Risk & Data Security Virtual Currency

  • FTC to Host Fourth Start with Security Event

    Privacy, Cyber Risk & Data Security

    On June 15, the FTC will host its fourth Start with Security event in Chicago, Illinois. Featuring agency representatives Todd Kossow, Maureen Ohlhausen, Cora Han, Jim Trilling, Steve Wernikoff, and Andrea Arias, as well as security experts from various industries, the Start with Security event is intended to provide companies with tips for implementing effective data security. The event will host the following four panels: (i) Building a Security Culture; (ii) Integrating Security into the Development Pipeline; (iii) Considering Security when Working with Third Parties; and (iv) Recognizing and Addressing Network Security Challenges. A full day event, the panels “will address how companies can create and prioritize a culture of security, how to integrate security into the development pipeline, what security issues to consider when a company works with third parties, and how to recognize and address network security challenges.”

    As recently noted in its 2015 Annual Highlights report, the FTC’s Start with Security efforts, including its June 2015 Guide for Business, are part of the agency’s education outreach programs designed to promote good data security practices within businesses.

    FTC Privacy/Cyber Risk & Data Security Vendor Management
