
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC reports cybersecurity and resiliency observations

    Agency Rule-Making & Guidance

    On January 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of a report entitled Cybersecurity and Resiliency Observations, compiled from an assessment of prior examinations. The report provides best practices for regulated entities to increase readiness and awareness related to cybersecurity. Echoing themes from the OCIE’s risk-based exam priorities, previously covered by InfoBytes here, the report also emphasizes risk management. Some of the highlights of the report include:

    • Governance and Risk Management. OCIE lists senior-level engagement as an important factor in an effective cybersecurity program. Also important is a thorough program risk assessment, as well as the application of policies and procedures based on that assessment. Additionally, the cybersecurity program should continuously evolve and provide for constant testing and monitoring.
    • Access Rights and Controls. OCIE emphasizes the need for controls that limit access to certain data to authorized users only. Organizations should set out policies and procedures to monitor for unauthorized users, require periodic password changes, and review systems for changes that have not been approved.
    • Data Loss Prevention. Many firms protect sensitive data by using vulnerability scanning as well as perimeter security to monitor network traffic. Firms may utilize technology that can monitor for and detect network threats and insider threats. Also, encrypting data as it moves into and out of the network, and segmenting data for use only by authorized systems are key data loss prevention measures.
    • Mobile Security. Firms that use mobile devices and applications may require enhanced security policies including the use of multi-factor authentication, limiting firm information that can be extracted from devices, and enabling the firm to remotely clear content when devices are lost or stolen. Training is also an important practice.
    • Incident Response and Resiliency. Effective risk-based incident response plans developed by firms focus on detection and corrective actions. The plans include business continuity as well as regular testing and reassessment of the plan.
    • Vendor Management. OCIE promotes proper due diligence of vendors as well as effective management of vendors including monitoring and testing to ensure security requirements are continually met.
    • Training and Awareness. OCIE notes that many firms incorporate effective policies and procedures into training, periodically re-evaluate training programs, and ensure employee participation.

    Agency Rule-Making & Guidance SEC Privacy/Cyber Risk & Data Security Securities Supervision Risk Management

  • FDIC, OCC issue joint notice of heightened cybersecurity risk

    Federal Issues

    On January 16, the FDIC and the OCC announced (FDIC FIL-3-2020, OCC Bulletin 2020-5) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test incident response and business continuity plans. It also sets out best practices in these areas for supervised financial institutions.

    The bulletin lists six “key controls,” including:

    • Response, resilience and recovery capabilities. Maintain system backups and segment data to prevent spread of malicious activity across the network and to increase recovery capabilities. Incident and business resilience plans should set out cyber attack response and business continuity procedures and a data backup program should be set up and regularly tested. Cyber insurance coverage may further mitigate cyber risk exposure.
    • Identity and access management. Implement identity and access management controls to combat phishing attacks and prevent theft of login credentials. Incorporate risk-based authentication, limit user permissions, and continually monitor user accounts.
    • Network configuration and system hardening. Configure networks with appropriate security settings that are regularly updated. Update anti-malware and routinely test network technology for vulnerabilities.
    • Employee training. Provide continuous training to keep cybersecurity program employees abreast of new cyber threats and evolving social engineering tactics.
    • Security tools and monitoring. Maintain competent cybersecurity staff or service providers to monitor for the most current “threat and vulnerability information,” regularly review audit logs, and establish and test the ability to “detect and respond to attacks.”
    • Data protection. Encrypt “sensitive and critical data,” which should also be accurately classified to ensure ease in identification.

    Federal Issues FDIC OCC Bank Supervision Risk Management Privacy/Cyber Risk & Data Security

  • Special Alert: NYDFS accelerates Libor transition planning

    Federal Issues

    On December 23, 2019, the New York Department of Financial Services issued an “Industry Letter” requesting that each NYDFS-regulated institution submit the institution’s plan for addressing the transition away from Libor-based credit, derivative, and securities exposures. The NYDFS letter has spurred additional focus on the issue by financial institutions, and not only by those regulated by NYDFS. This Client Alert summarizes the current state of play in Libor transition and outlines some key considerations for developing a Libor transition plan.

    * * *

    Click here to read the full special alert.

    If you have any Libor-related questions, please contact a Buckley attorney with whom you have worked in the past.

    Federal Issues Special Alerts LIBOR NYDFS Risk Management SOFR

  • SEC announces 2020 OCIE exam priorities

    Securities

    On January 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of its 2020 Examination Priorities. The annual release of exam priorities provides transparency into the risk-based examination process and lists areas that pose current and potential risks to investors. OCIE’s 2020 examination priorities include:

    • Retail investors, including seniors and those saving for retirement. OCIE places particular emphasis on disclosures and recommendations provided to investors.
    • Information security. In addition to cybersecurity, top areas of focus include: risk management, vendor management, online and mobile account access controls, data loss prevention, appropriate training, and incident response.
    • Fintech and innovation, digital assets and electronic investment advice. OCIE notes that the rapid pace of technology development, as well as new uses of alternative data, presents new risks and will focus attention on the effectiveness of compliance programs.
    • Investment advisers, investment companies, broker-dealers, and municipal advisers. Risk-based exams will continue for each of these types of entities, with an emphasis on new registered investment advisers (RIA) and RIAs that have not been examined. Other themes in exams of these entities include board oversight, trading practices, advice to investors, RIA activities, disclosures of conflicts of interest, and fiduciary obligations.
    • Anti-money laundering. Importance will be placed on beneficial ownership, customer identification and due diligence, and policies and procedures to identify suspicious activity.
    • Market infrastructure. Particular attention will be directed to clearing agencies, national securities exchanges and alternative trading systems, and transfer agents.
    • FINRA and MSRB. OCIE exams will emphasize regulatory programs, exams of broker-dealers and municipal advisers, as well as policies, procedures and controls.

    Securities Federal Issues Agency Rule-Making & Guidance Fintech Anti-Money Laundering Bank Secrecy Act SEC Risk Management Vendor Management Privacy/Cyber Risk & Data Security FINRA Customer Due Diligence

  • NYDFS directs financial institutions to submit LIBOR transition risk management plans

    State Issues

    On December 23, NYDFS issued an Industry Letter (Letter) directing its regulated depository and non-depository institutions, insurers, and pension funds to outline their plans for managing the risks associated with the potential impact of LIBOR’s likely cessation at the end of 2021. NYDFS seeks assurance that regulated institutions’ boards of directors and senior management fully understand the associated risks, have developed appropriate plans, and have initiated actions to facilitate the transition to an alternative reference rate. The Letter does not mandate use of any particular alternative rate, but notes that “the Alternative Reference Rates Committee . . ., convened by the FRB and the [Federal Reserve Bank of New York (FRBNY)], has chosen [the Secured Overnight Financing Rate published by the FRBNY] as its recommended alternative to U.S. dollar LIBOR.” The Letter requires NYDFS-regulated institutions to describe: (i) programs that will assess financial and non-financial transition risks; (ii) “processes for analyzing and assessing alternative rates, and the potential associated benefits and risks of such rates both for the institution and its customers and counterparties”; (iii) processes to communicate with customers and counterparties; (iv) plans and processes for “operational readiness, including related accounting, tax and reporting aspects of [the] transition” from LIBOR; and (v) their governance framework, including oversight by an institution’s board of directors or its equivalent governing authority. Institutions are required to submit their transition-risk management plans to NYDFS by February 7.

    State Issues State Regulators LIBOR SOFR NYDFS Risk Management

  • OCC highlights key risks affecting the federal banking system in semiannual risk report

    Federal Issues

    On December 9, the OCC released its Semiannual Risk Perspective for Fall 2019, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations, including credit, operational, and interest rate risks. While the OCC commented that “bank financial performance is sound,” it also advised that “[b]anks should prepare for a cyclical change while credit performance is strong,” emphasizing that “[c]redit risk has accumulated in many portfolios.” The OCC also highlighted that competition with nonbank mortgage and commercial lending could pose a risk as well.

    Specific areas of concern that the OCC described include: elevation of operational risk as advances in technology and innovation in core banking systems result in a changing and increasingly complex operating environment; increased use of third-party service providers that contribute to continued threats of fraud; need for prudent credit risk management practices that include “identifying borrowers that are most vulnerable to reduced cash flows from slower than anticipated economic growth”; “volatility in market rates [leading] to increasing levels of interest rate risk”; LIBOR’s anticipated cessation and whether banks have started to determine the potential impact of cessation and develop risk management strategies; and strategic risks facing banks as non-depository financial institutions (NDFI) use evolving technology and expand data analysis abilities (the OCC commented that NDFIs “are strong competitors to bank lending models”). The OCC also noted that there is increased interest from banks in sharing utilities with NDFIs to implement Bank Secrecy Act/anti-money laundering compliance programs and sanctions processes and controls.

    Federal Issues OCC Agency Rule-Making & Guidance Risk Management Bank Regulatory Third-Party LIBOR Fintech Bank Secrecy Act Bank Compliance

  • CFPB updates auto finance section of the Supervision and Examinations Manual

    Agency Rule-Making & Guidance

    On August 28, the CFPB updated its examination procedures for automobile finance in its Supervision and Examinations Manual. The procedures comprise seven modules, and each examination will cover one or more of them. Before using the procedures, examiners will complete a risk assessment and examination scope memorandum, which will help determine which of the seven modules the exam will cover: (i) company business model; (ii) advertising and marketing; (iii) application and origination; (iv) payment processing and account maintenance; (v) collections, debt restructuring, repossession, and accounts in bankruptcy; (vi) credit reporting, information sharing, and privacy; and (vii) examiner conclusions and wrap-up.

    Agency Rule-Making & Guidance CFPB Supervision Examination Risk Management Auto Finance

  • FDIC adds to risk management exam policies

    Agency Rule-Making & Guidance

    On August 27, the FDIC issued Financial Institution Letter FIL-47-2019 announcing an update to its Risk Management Manual of Examination Policies to incorporate a new section titled “Risk-Focused, Forward-Looking Safety and Soundness Supervision.” According to the letter, the new section covers the FDIC’s “long-standing examination philosophy” that supervision should focus on the areas that present the greatest risk. The letter notes that the risk-focused approach is “forward-looking,” intended to look beyond the condition of an institution at a specific point in time to how well the institution will be able to respond to a changing market, and to assist examiners in identifying and correcting “weaknesses in conditions or practices before they impact an institution’s financial condition.”

    Agency Rule-Making & Guidance FDIC Supervision Examination Risk Management

  • OCC outlines fraud risk management principles

    Agency Rule-Making & Guidance

    On July 24, the OCC issued Bulletin 2019-37 to provide fraud risk management principles for all OCC-supervised institutions. The Bulletin supplements previously issued notices addressing corporate and risk governance, and focuses on fraud risk, operational risk, and the need for strong governance and sound risk management principles. According to the OCC, strong governance is vital to managing an institution’s exposure to fraud and must include a strong corporate culture that discourages imprudent risk-taking. However, the OCC noted that fraud risk management should be commensurate with the bank’s risk profile. The Bulletin highlights several preventative and detective controls, including (i) developing anti-fraud policies and procedures, such as ethics policies, codes of conduct, and identity theft programs; (ii) creating anti-fraud awareness campaigns; (iii) establishing fraud risk management training programs for employees and contractors and educating customers on preventative measures; (iv) implementing a system of controls intended to prevent employees and third parties from conducting fraudulent transactions, such as opening or closing of bank accounts; (v) conducting background investigations for new employees and periodic checks for existing employees and third parties; (vi) providing sound training and information security programs; and (vii) establishing processes for customer identification, customer due diligence, and beneficial ownership identification and verification. Additionally, the OCC stated that senior management should understand the institution’s exposure to fraud risk and associated losses.

    Agency Rule-Making & Guidance OCC Risk Management Fraud

  • Fed tailors state member bank exams to risk

    Agency Rule-Making & Guidance

    On June 3, the Federal Reserve Board issued supervisory letter SR 19-9 to provide guidance on its enhanced process for determining the scope of safety-and-soundness examinations of community and regional state member banks (SMB). Under the “Bank Exams Tailored to Risk” (BETR) process, the Fed intends to “gauge the risk of a bank’s various activities [and] facilitate[] a more data-driven approach to the risk tailoring of supervisory work.” An SMB’s level of risk within individual risk dimensions, such as credit, liquidity, and operational risk, will be derived from a combination of surveillance metrics and examiner judgment.

    Among other things, BETR’s objectives are to (i) apply appropriately streamlined examination work programs to identified low-risk activities, in order to conserve supervisory staff resources and minimize regulatory burden; (ii) direct enhanced supervisory resources and attention to identified high-risk activities; and (iii) apply average-intensity examination work programs to moderate-risk activities. Examiners are to tailor examination procedures to the size, complexity, and risk profile of an SMB, focusing on “developing an appropriate assessment of bank management’s ability to identify, measure, monitor, and control risk.”

    Agency Rule-Making & Guidance Federal Reserve Supervision Examination Risk Management
