Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, hackers installed malware into a software platform used by the government and financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs for many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous since “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”
The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.
On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform text recognition scanning on tens of thousands of mortgage documents was adequately securing consumers’ personal data. The FTC’s complaint alleges that the vendor stored the unencrypted contents of these documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. The data contained sensitive personal information, including “names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, or other personal and financial information of borrowers, as well as of family members and others whose information was included in the mortgage application.” According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was accessed approximately 52 times. The FTC claims, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of all of its vendors as required by the Safeguards Rule.
The proposed settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
On July 31, the Maryland’s secretary of state provided updated guidance regarding the waived in-person notarization requirement as part of the state’s Covid-19 response (see here for previous coverage). The guidance provides requirements for performing remote notarizations, lists remote notary vendors, and provides a brief set of FAQ pertaining to remote notary practices in general. The temporary waiver of the in-person notarization requirement was ordered by Governor Hogan on March 30, and is set to expire when the declared state of emergency lifts.
On May 27, the Alternative Reference Rates Committee (ARRC)—a group of private-market participants convened by the Federal Reserve Board and the Federal Reserve Bank of New York—released a set of best practices for market participants to transition from LIBOR to the Secured Overnight Financing Rate (SOFR) before the anticipated cessation of LIBOR at the end of 2021. Key practices recommended include: (i) new USD LIBOR cash products should include ARRC-recommended fallback language as soon as possible; (ii) third-party technology and operations vendors should complete enhancements necessary to support the preferred alternative SOFR by the end of 2020 as outlined in previously issued guidance; (iii) new use of LIBOR should end no later than June 30, 2021, depending on the specific cash product market; and (iv) parties that choose to select a replacement rate at their discretion following a LIBOR transition event should disclose the planned rate selection to relevant parties at least six months prior to the new rate’s effective date.
Find continuing InfoBytes coverage on LIBOR here.
On February 27, Federal Reserve (Fed) Governor Michelle W. Bowman spoke before the Banking Outlook Conference held at the Federal Reserve Bank of Atlanta on ways the Fed can increase transparency and modernize payment services for community banks. Bowman stated that the Fed is “uniquely positioned as a provider of payment services and as a supervisor of banks to ensure that our nation’s evolving financial system works for community banks.” Bowman discussed how the Fed can achieve this objective by, among other things, (i) adopting an additional same-day automated clearinghouse (ACH) window, which “will allow banks and their customers, particularly those located outside the eastern time zone, to use same-day ACH services during a greater portion of the business day”; (ii) implementing FedNow, which would, as previously covered by InfoBytes, “facilitate end-to-end faster payment services, increase competition, and ensure equitable and ubiquitous access to banks of all sizes nationwide”; and (iii) encouraging partnerships between community banks and fintech firms to “leverage the latest technology to provide customer-first, community-focused financial services and provide customers with efficiencies, such as easy-to-use online applications or rapid loan decisionmaking.” Bowman highlighted the Fed’s fintech innovation office hours, as well as the Fed’s recently launched fintech innovation webpage (covered by InfoBytes here), and emphasized the Fed’s desire to hear directly from banks and fintech companies on innovation challenges.
With respect to third-party service providers, Bowman proposed several important initiatives for the Fed to help community banks effectively manage their third-party relationships and access innovative new technology. These include providing clear, consistent due diligence guidance on third-party relationships to provide uniform standards that are aligned with guidance issued by the OCC and other banking agencies. Bowman also suggested increasing the transparency of its third-party supervisory program by releasing information that may be useful about key service providers to community banks, and tailoring regulatory burdens for community banks with assets under $1 billion.
On February 10, Federal Reserve (Fed) Governor Michelle W. Bowman spoke before the Conference for Community Bankers on the interaction between innovation and regulation for community banks. In discussing her “vision for creating pathways to responsible community bank innovation,” Bowman identified particular challenges facing smaller banks when identifying and integrating new technologies and offered suggestions for ways the Fed can assist these banks in managing relationships with third-party service providers. Acknowledging that responsible innovation requires community banks to identify goals and pinpoint products and services to implement their strategies, Bowman recognized that compliance costs can create an outsized and undue burden on smaller banks and stated that federal regulations should be tailored to bank size, risk, and complexity. Among other things, Bowman stated that the Fed could align its third-party service provider guidance with the OCC and other banking agencies to provide uniform standards to banks. “It is incredibly inefficient to have banks and their potential fintech partners and other vendors try to navigate unnecessary differences and inconsistencies in guidance across agencies,” Bowman noted. Regulators and supervisors have a role in easing the burden for community banks, she added, noting that third-party guidance should allow banks to conduct shared due diligence on potential partners and pool resources to avoid duplicating work. In addition, Bowman commented that the Fed could help banks make this choice by publishing a list of service providers subject to regulatory supervision and increasing transparency around “who and what” the Fed evaluates. Bowman further stated that any guidance should also explain what due diligence looks like for potential fintech partners, since standards applied to other third parties may not be universally applicable. Giving community banks a better vision of what success in due diligence looks like, Bowman stated, will require releasing more information on its necessary elements.
Bowman also highlighted the Fed’s upcoming fintech innovation office hours, as well as the Fed’s recently launched fintech website section, (both covered by InfoBytes here), which are designed to help provide access to Fed staff, highlight supervisory observations regarding fintech, provide a hub of information for interested stakeholders on innovation-related matters, and deliver practical tips for banks and other companies interested in engaging in fintech activity.
On January 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of its 2020 Examination Priorities. The annual release of exam priorities provides transparency into the risk-based examination process and lists areas that pose current and potential risks to investors. OCIE’s 2020 examination priorities include:
- Retail investors, including seniors and those saving for retirement. OCIE places particular emphasis on disclosures and recommendations provided to investors.
- Information security. In addition to cybersecurity, top areas of focus include: risk management, vendor management, online and mobile account access controls, data loss prevention, appropriate training, and incident response.
- Fintech and innovation, digital assets and electronic investment advice. OCIE notes that the rapid pace of technology development, as well as new uses of alternative data, presents new risks and will focus attention on the effectiveness of compliance programs.
- Investment advisers, investment companies, broker-dealers, and municipal advisers. Risk-based exams will continue for each of these types of entities, with an emphasis on new registered investment advisers (RIA) and RIAs that have not been examined. Other themes in exams of these entities include board oversight, trading practices, advice to investors, RIA activities, disclosures of conflicts of interest, and fiduciary obligations.
- Anti-money laundering. Importance will be placed on beneficial ownership, customer identification and due diligence, and policies and procedures to identify suspicious activity.
- Market infrastructure. Particular attention will be directed to clearing agencies, national securities exchanges and alternative trading systems, and transfer agents.
- FINRA and MSRB. OCIE exams will emphasize regulatory programs, exams of broker-dealers and municipal advisers, as well as policies, procedures and controls.
On April 4, the Colorado Court of Appeals reversed the trial court’s ruling assessing civil penalties against a foreclosure law firm for allegedly failing to disclose that its principals had an ownership interest in one of its vendors. The appeals court found that the civil penalty was not warranted because the failure to disclose “did not significantly impact members of the public as actual or potential consumers.” According to the opinion, the State of Colorado brought an enforcement action against a foreclosure law firm and its affiliated vendors, alleging, among other things, that the law firm and its vendors violated the Colorado Consumer Protection Act (the Consumer Act) by making “false or misleading statements of fact concerning the price” of their foreclosure services. The State argued that the relationship between the law firm and its vendors allowed the vendors to charge for services in excess of the market rate, pass on those costs to the law firm’s customers, and share a portion of the inflated costs with the law firm. While the trial court rejected two of the State’s claims against the defendants, it concluded that the law firm committed a deceptive practice under the Consumer Act that, “significantly impact[ed] the public as actual or potential consumers,” by failing to disclose its affiliated relationship with one of the vendors.
On appeal, the appellate court rejected the trial court’s conclusion that the alleged deception significantly impacted the public, noting that the deception was confined to two clients, Fannie Mae and Freddie Mac, in the context of their private agreements with the firm. Because the misrepresentation was in the context of a private relationship, and the tax-paying public were not “consumers of the law firm’s services for purposes of the Consumer Act,” the appellate court found the trial court erred when awarding the civil penalties under the Act. Moreover, the appellate court affirmed the trial court’s rejection of the State’s other claims against the law firm.
On April 2, the FDIC issued Financial Institution Letter FIL-19-2019 (Technology Service Provider Contracts), which describes examiner observations about gaps in financial institutions’ contracts with technology service providers (TSPs) that may require financial institutions to take additional steps to manage business continuity and incident response. Although not specifically referenced in FIL-19-2019, this latest FDIC guidance echoes themes set forth in the FDIC’s Office of Inspector General (OIG) Audit Report released in 2017 (covered in Infobytes here). Specifically, examiners noted contractual deficiencies in recent reports of examination, including failing to: (i) adequately define rights and responsibilities regarding business continuity and incident response, or provide sufficient detail to allow financial institutions to manage those processes and risks; (ii) consistently require TSPs to maintain a business continuity plan, establish data recovery standards, and commit to contractual remedies if the TSP missed a data recovery standard; (iii) sufficiently detail the TSP’s security incident responsibilities such as notifying the financial institution, regulators, or law enforcement; and (iv) clearly define key terms used in contractual provisions relating to business continuity and incident response.
FIL-19-2019 further stresses that supervised institutions are required to comply with the Interagency Guidelines Establishing Information Security Standards promulgated pursuant to the GLBA, which among other things sets forth expectations for managing TSP relationships through contractual terms and ongoing monitoring. The FDIC references prior guidance establishing regulatory expectations, including: (i) Guidance for Managing Third-Party Risk (FIL-44-2008, issued June 6, 2008); and (ii) the Business Continuity Booklet set forth in the FFIEC IT Examination Handbook, which was updated in February 2015 to include a new appendix specific to managing service provider risks (Appendix J: Strengthening the Resilience of Outsourced Technology Services). FIL-19-2019 also contains a reminder to depository institutions that the Bank Service Company Act requires depository institutions to provide written notice to their respective federal banking agency of contracts or relationships with TSPs that provide certain services, including check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services.
On May 24, the OCC released its Semiannual Risk Perspective for Spring 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. Priorities focus on credit, operational, compliance, and interest risk, and while the OCC commented on the improved financial performance of banks from 2016 to early 2018, in addition to the “incremental improvement in banks’ overall risk management practices,” the agency also noted that risks previously highlighted in its Fall 2017 report have “changed only modestly.” (See previous InfoBytes coverage here.)
Specific areas of concern noted by the OCC include: (i) easing of commercial credit underwriting practices; (ii) increasing complexity and severity of cybersecurity threats; (iii) use of third-party service providers for critical operations; (iv) compliance challenges under the Bank Secrecy Act; (v) challenges in risk management involving consumer compliance regulations; and (vi) rising market interest rates, including certain risks associated with the “potential effects of rising interest rates, increasing competition for retail and commercial deposits, and post-crisis liquidity regulations for banks with total assets of $250 billion or more, on the mix and cost of deposits.” Additionally, concerns related to integrated mortgage disclosure requirements under TILA and RESPA previously considered a key risk have been downgraded to an issue to be monitored.