InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC probes cryptocurrency exchange operators
On August 9, the FTC issued an order denying a petition to quash a civil investigative demand (CID) against the operators of a cryptocurrency exchange regarding allegations of a December 2021 data breach. According to the order, the FTC “is investigating potential law violations arising out of [the company’s] operation and marketing of [the company], and whether Commission action to obtain monetary relief would be in the public interest.” The agency issued a virtually identical CID to the company on May 11 seeking details on what the company disclosed to consumers regarding the security of their crypto assets and how they have handled customer complaints. The FTC noted that investigation includes inquiries regarding the company’s “representations concerning its advertised exchange services; allegations that consumers have been denied access to their accounts; and concerns about the security of customer accounts especially in light of a publicly reported 2021 security breach that resulted in consumer loss of more than $200 million in cryptocurrency.” Among other things, the FTC is seeking to determine if the business practices of the operation in marketing and operating the company “constituted ‘unfair [or] deceptive . . . acts or practices . . . relating to the marketing of goods and services,’ or ‘[m]anipulative [c]onduct,’ ‘on the Internet’ (Resolution No. 2123125); constituted “deceptive or unfair acts or practices related to consumer privacy and/or data security’ in violation of Section 5 of the FTC Act (Resolution No. 1823036); or violated the GLB Act, its implementing rules, or Section 5 regarding ‘the privacy or security of consumer [financial] information.”
CSBS releases nonbank cybersecurity examination tools
On August 9, the Conference of State Bank Supervisors (CSBS) released two new tools used by state examiners to assess nonbank financial services companies’ cyber preparedness. Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program provide nonbanks the opportunity to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners. The “Baseline” program is geared toward exams of “smaller, noncomplex, low-risk institutions,” and “is targeted for use by examiners with or without specialized IT and cybersecurity knowledge.” The “Enhanced” program includes all of the Baseline procedures as well as additional procedures to provide a “more in-depth review for larger, more complex institutions or for those where concerns are raised during exams.” The program is intended for use by examiners with specialized IT and cybersecurity knowledge.
“Supervisory clarity is essential to increasing industry awareness and making our financial system more resilient to cyber-attacks,” CSBS Senior Vice President of Nonbank Supervision Chuck Cross said in the announcement. “The Nonbank Cybersecurity Exam Procedures released today provide nonbank institutions additional optional tools to guard against cyber-attacks, data breaches or lapses in management oversight in this crucial area.”
CSBS announced that it intends to provide additional tools tailored to the needs of smaller nonbank financial institutions in the coming months.
Agencies seek comment on renewing FFIEC’s cybersecurity assessment tool
On August 8, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, “Agencies”) issued a notice in the Federal Register soliciting comments on the renewal of the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. According to the notice, the Agencies are seeking comment on, among other things: (i) “[w]hether the collection of information is necessary for the proper performance of the functions of the agencies, including whether the information has practical utility”; (ii) “[t]he accuracy of the Agencies’ estimates of the burden of the collection of information; (iii) how to “enhance the quality, utility, and clarity of the information to be collected”; and (vi) “minimize[ing] the burden of the collection on respondents.” Comments are due 30 days after publication in the Federal Register.
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and crypto currency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.
Trade groups petition CFPB to supervise data aggregators
On August 2, several bank and credit union trade groups petitioned the CFPB asking the Bureau to create regulations that would allow the agency to conduct routine exams and supervise data aggregators and their customers. While the Bureau is currently considering rulemaking under Section 1033 of the Dodd-Frank Act with respect to consumer access to financial records and has “affirmed its commitment to ‘monitoring the aggregation services market and ensuring consumer protection and safety,’” the petition argued that there is a “supervisory imbalance” between banks and nonbanks in terms of data oversight. “[A]mong the participants in the market for aggregation services, typically, data holders, such as banks and credit unions, are regularly supervised and examined by the CFPB, whereas nondepository institutions such as data aggregators and data users are not examined by the CFPB,” the petition stated, adding that this “creates both an unsustainable model as the aggregation services market grows and the risk that the laws applicable to the activities of those larger participants in this market will be enforced inconsistently.” As a result, the petition warned that potential consumer harm attributed to data aggregator and data user activity may not be identified and remedied in a timely manner. The trade groups called for the Bureau to create a rule that would add a definition for “larger participants of a market” for aggregation services, as well as define the term “aggregation services” to mean a “financial product or service” under Title X of Dodd-Frank. Doing so would ensure that “all providers of comparable financial products and services” are subject to similar levels of accountability, the petition said.
Hsu discusses cybersecurity risks to financial sector
On August 2, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the Joint Meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council focusing on cybersecurity risks to the financial services sector. Hsu called for collaboration among public and private sector stakeholders to safeguard the financial services sector. Hsu noted that the financial services sector has done “a good job of building cyber defenses and working with law enforcement and the regulatory community to guard against attacks,” but warned that “we cannot be complacent.” He noted that the OCC has recently observed increases in cyberattack frequency and severity against financial institutions and service providers, and that cyberattacks, such as ransomware, have risks beyond financial loss. Hsu added that “disruption to financial services can significantly impact banks’ abilities to deliver critical services to their customers and has the potential to affect the broader economy.” He also stressed that banks “need to assess both the potential impact cyber incidents may have on their own institution and the impact a cyber disruption may have on the broader financial system.” He also stated that cybersecurity breaches have been caused or intensified by the failure to have effective controls in three areas: (i) authentication; (ii) systems configuration and patch management; and (iii) cyber response and resilience capabilities. Hsu concluded by emphasizing the OCC’s commitment “to working with CISA, our financial sector counterparts, and other sectors to ensure that we have strong partnerships across the government.”
NYDFS imposes $30 million fine against trading platform for cybersecurity, BSA/AML violations
On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (3 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.
In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.
A Buckley Special Alert is forthcoming.
State AGs announce settlement to resolve alleged data security breach
On July 26, a coalition of state attorneys general, co-led by the New Jersey AG and Pennsylvania AG, announced a settlement with a Pennsylvania-based convenience store chain related to an alleged data breach that compromised payment cards of consumers. According to the Assurance of Voluntary Compliance, the company experienced a breach of security between April 2019 and December 2019 that exposed consumer payment card data, including customers’ card numbers, expiration dates and cardholder names in New Jersey, Pennsylvania, Florida, Delaware, Maryland, and Virginia, as well as Washington, D.C. The AGs alleged that the company “failed to employ reasonable data security measures,” in violation of the states’ Consumer Protection Acts and Personal Information Protection Acts. Under the terms of the settlement, the company—without admitting to the allegations—has agreed to pay an $8 million fine, of which New Jersey is to receive approximately $2.5 million. The settlement also requires the company to strengthen its network protections and take measures to better protect consumer payment data.
OCC reports on cybersecurity and financial system resilience
Recently, the OCC released its annual report on cybersecurity and financial system resilience, which describes its cybersecurity policies and procedures, including those adopted in accordance with the Federal Information Security Modernization Act. According to the report, cybersecurity and operational resilience are “top issues for the federal banking system.” The OCC also noted that it has implemented regulations and standards requiring banks to implement information security programs and protect confidential information. For example, the Interagency Guidelines Establishing Standards for Safety and Soundness Standards “require insured banks to have internal controls and information systems appropriate for the size of the institution and for the nature, scope, and risk of its activities and that provide for, among other requirements, effective risk assessment and adequate procedures to safeguard and manage assets.” OCC regulations also, among other things, require banks to file Suspicious Activity Reports when a known or suspected violation of federal law or a suspicious transaction related to illegal activity, or a violation of the Bank Secrecy Act is detected. In regard to examination manuals, the OCC also noted that it uses a risk-based supervision process to evaluate banks’ risk management, identify material and emerging concerns, and require banks to take corrective action when warranted. The report also discussed current and emerging cybersecurity and resilience threats to the banking sector, which include ransomware, account takeover, supply chain risks, and geopolitical threats. Additionally, the OCC noted that it “monitor[s] longer-term technology developments, which may affect cybersecurity and resilience in the future.” The use of artificial intelligence, including machine learning, is one such development that may impact cybersecurity, according to the OCC.
Massachusetts AG orders company to pay $230,000 for data breach
On July 21, the Massachusetts AG announced that a Rhode Island-based job placement service company must pay a $230,000 settlement to resolve allegations that it failed to implement the proper security programs, which led to a data breach. According to the assurance of discontinuance (AOD), the company was breached in December 2020 after an employee was a victim to a phishing email, resulting in a compromise of credentials that allowed hackers to access personal data of users. The AG alleged that the company violated Massachusetts data privacy laws by failing to have a written information security program (WISP) in place during or prior to the data breach. Under the terms of the settlement, the company is required to pay $230,000 in penalties, come into compliance with state laws, continue to implement and maintain a WISP, and continue to train its employees on the importance of personal information security.