
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC Approves Modifications to COPPA Safe Harbor Program

    Privacy, Cyber Risk & Data Security

    On July 31, the FTC announced it has approved TRUSTe’s proposed modifications to its Children’s Online Privacy Protection Rule (COPPA) safe harbor program. As previously covered in InfoBytes, COPPA regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. The safe harbor program allows the FTC to review and approve “self-regulatory guidelines” submitted by industry groups that implement “the same or greater protections for children” as those contained in the COPPA Rule, and subjects approved groups to safe harbor review and disciplinary procedures instead of formal enforcement action. Among the approved modifications is a change that requires all participants to conduct a comprehensive annual internal assessment of any third party or service provider that collects personal information from children on their websites or through online services.

    Privacy/Cyber Risk & Data Security Agency Rule-Making & Guidance FTC Compliance Vendor Management

  • FDIC Updates Supervisory Guidance on Risk Management Examination Policies

    Agency Rule-Making & Guidance

    On July 26, the FDIC issued Financial Institution Letter FIL-31-2017 to announce updates to its Risk Management Manual of Examination Policies. The revisions, which incorporated guidance from the FDIC’s Board of Directors, updated the Report of Examination Instructions regarding matters requiring board attention and “deviations from the safety and soundness principles underlying statements of policy.” The revision also included updated instructions for examiners to use when complying with examination schedules. The letter applies to all FDIC-supervised financial institutions.

    Agency Rule-Making & Guidance FDIC Risk Management Bank Supervision Vendor Management

  • OCC Releases Spring 2017 Semiannual Risk Report

    Agency Rule-Making & Guidance

    On July 7, the Office of the Comptroller of the Currency (OCC) announced the release of its Semiannual Risk Perspective for Spring 2017 indicating key risk areas for national banks and federal savings associations. Acting Comptroller of the Currency Keith Noreika pointed out in his remarks that, “[w]hile these are risks that the system faces as a whole, we note that the risks differ from bank to bank based on size, region, and business model. Compliance, governance, and operational risk issues remain leading risk issues for large banks while strategic, credit, and compliance risks remain the leading issues for midsize and community banks.”

    The report details the four top risk areas:

    • Elevated strategic risk—banks are expanding into new products and services as a result of fintech competition. According to the report, this competition is increasing potential risks. The OCC hopes to finish developing a special purpose banking charter for fintech companies soon.
    • Increased compliance risk—banks must comply with anti-money laundering rules and the Bank Secrecy Act in addition to addressing increased cybersecurity challenges and new consumer protection laws.
    • Upswing in credit risk—underwriting standards for commercial and retail loans have been relaxed as banks exhibit greater enthusiasm for risk and attempt to maintain loan market share as competition increases.
    • Rise in operational risk—banks face increasingly complex cyber threats while relying on third-party service providers, which may be targets for hackers.

    The report used data for the 12 months ending December 31, 2016.

    Agency Rule-Making & Guidance OCC Risk Management Consumer Finance Payments Consumer Lending Privacy/Cyber Risk & Data Security Anti-Money Laundering Military Lending Act Compliance Bank Regulatory Vendor Management

  • OCC to Host Operational Risk Workshop, Will Hold Innovation "Office Hours"

    Agency Rule-Making & Guidance

    On July 25, the OCC will host an operational risk workshop in Charleston, WV for directors of national community banks and federal savings associations supervised by the OCC. The workshop will focus on the key components of operational risk, governance, third-party risk, vendor management, and cybersecurity.

    Additionally, from July 24 through 26, the OCC’s Office of Innovation will hold “Office Hours” in New York City for national banks, federal savings associations, and fintech companies to provide an opportunity for attendees to discuss matters related to financial technology, new products and services, bank or fintech partnerships, and other items related to financial innovation. Meeting requests are due by July 5.

    Agency Rule-Making & Guidance OCC Risk Management Vendor Management Privacy/Cyber Risk & Data Security

  • OCC Supplement Answers Frequently Asked Questions Covering Third-Party Relationships: Risk Management Guidance

    Agency Rule-Making & Guidance

    On June 7, the OCC released Bulletin 2017-21, which provides answers to frequently asked questions from national banks and federal saving associations concerning third-party procedure guidance. The Bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” released October 30, 2013, highlights the OCC’s responses to the following topics:

    • defines third-party relationships and provides guidance on conducting due diligence and ongoing monitoring of service providers;
    • provides insight on how to adjust risk management practices specific to each relationship;
    • discusses ways to structure third-party risk management processes;
    • discusses advantages and disadvantages to collaboration between multiple banks when managing third-party relationships;
    • outlines bank-specific requirements when using collaborative arrangements;
    • provides information-sharing forums that offer resources to help banks monitor cyber threats;
    • discusses how to determine whether a fintech relationship is a “critical activity” and covers risks associated with engaging a start-up fintech company;
    • addresses ways in which banks and fintech companies can partner together to serve underbanked populations;
    • covers criteria to consider when entering into a marketplace lending arrangement with a nonbank entity;
    • clarifies whether OCC Bulletin 2013-29 applies when a bank engages a third-party to provide mobile payments options to consumers;
    • outlines the OCC’s compliance management requirements;
    • discusses banks’ rights to access interagency technology service provider reports; and
    • answers whether a bank can rely on the accuracy of a third-party’s risk management report.

    As previously covered in InfoBytes, the OCC released a supplement (Bulletin 2017-7) to Bulletin 2013-29 in January of this year identifying steps prudential bank examiners should take when assessing banks’ third-party relationship risks.

    Agency Rule-Making & Guidance OCC Vendor Management Risk Management Marketplace Lending Fintech Prudential Regulators

  • FFIEC Releases Update to Cybersecurity Assessment Tool to Aid Institution Preparedness

    Privacy, Cyber Risk & Data Security

    On May 31, the Federal Financial Institutions Examination Council (FFIEC) announced the release of an update to the Cybersecurity Assessment Tool (CAT) developed to aid institutions in determining their risk profiles, identifying risks, and determining cybersecurity preparedness. The update details changes made to the FFIEC IT Examination Handbook and provides a revised mapping in Appendix A to the updated Information Security and Management booklets. The press release notes that “[m]anagement of financial institutions and management of third-party service providers are primarily responsible for assessing and mitigating their entities’ cybersecurity risk.” Outlined in Appendix A, the CAT is a framework designed to provide a “repeatable and measurable process” to measure cybersecurity in areas such as cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. The CAT also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.” Financial institutions can access additional cybersecurity risk management information here.

    Privacy/Cyber Risk & Data Security FFIEC Vendor Management

  • CFPB Announces Plans to Directly Supervise Service Providers

    Agency Rule-Making & Guidance

    As previously discussed in InfoBytes, the CFPB released its Spring 2017 Supervisory Highlights, which outlined its supervisory and oversight actions in areas such as mortgage servicing and student loan servicing. The Supervisory Highlights also announced the CFPB’s plans to develop and implement a program to directly monitor key service providers to institutions it supervises to “potentially reduce risks to consumers at their source.” Section 1002(26)(A) of Dodd-Frank defines a “service provider” as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that: (i) participates in designing, operating, or maintaining the consumer financial product or service; or (ii) processes transactions relating to the consumer financial product or service….” Sections 1024(e) and 1025(d) of Dodd-Frank authorize the CFPB to supervise service providers to banks or non-banks that are already supervised by the CFPB such as depository institutions having more than $10 billion in assets as well as the following: mortgage originators, brokers or servicers; payday lenders; private student lenders; and other providers of consumer financial products or services in areas such as auto finance, debt collection, student loan servicing, consumer reporting, and international money transfers.

    The Bureau stated that its initial work involves conducting baseline reviews of some service providers to learn about their structure, operations, compliance systems, and compliance management systems. “In more targeted work, the CFPB is focusing on service providers that directly affect the mortgage origination and servicing markets,” the Bureau noted. The CFPB plans to shape future service provider supervisory activities based on what it learns through its findings.

    Agency Rule-Making & Guidance CFPB Mortgage Servicing Vendor Management Mortgage Origination

  • OCC to Host Workshops for Community Bank Directors in June

    Agency Rule-Making & Guidance

    On June 20 and 21, the OCC will be hosting two workshops in Nashville for directors of national community banks and federal savings associations supervised by the OCC. The June 20 “Credit Risk” workshop will focus on ways to identify trends and recognize problems within a loan portfolio. In addition, the workshop will discuss board and management roles, how to stay informed of changes in credit risk, and how to effect change. The June 21 “Operational Risk” workshop will focus on the key components of operational risk, and also cover governance, third-party risk, vendor management, and cybersecurity.

    Additionally, from June 26 to 28, the OCC will be hosting a “Building Blocks for Directors” workshop in Atlanta for directors, senior management team members, and other key executives of national community banks and federal savings associations supervised by the OCC. The workshop will: (i) focus on the duties and core responsibilities of directors and management; (ii) discuss major laws and regulations; and (iii) provide insight on the examination process.

    Agency Rule-Making & Guidance OCC Risk Management Vendor Management

  • OCC to Host Credit Risk and Operational Workshops for Directors of National Community Banks and Federal Savings Associations; Banking Agencies to Conduct Webinar to Introduce New FFIEC Call Report

    Agency Rule-Making & Guidance

    On March 2, the Office of the Comptroller of the Currency (OCC) announced that it will host two workshops in Phoenix on April 11-12 for directors of OCC-supervised national community banks and federal savings associations. The Credit Risk workshop (April 11) will cover strategies to recognize trends and problems in credit risk within the loan portfolio, and the Operational Risk workshop (April 12) will discuss key components of operational risk, governance, third-party risk, vendor management, and cybersecurity.

    Also on March 2, four members of the Federal Financial Institutions Examination Council (FFIEC) (Federal Reserve Board, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and the Conference of State Bank Supervisors) announced the implementation of the new streamlined FFIEC 051 Call Report, effective March 31, 2017, that will introduce burden-reducing changes to the existing versions of the Call Report and will be available to eligible small institutions. “’Eligible small institutions’ are [defined as] institutions with domestic offices only and total assets of less than $1 billion, excluding those that are advanced approaches institutions for regulatory capital purposes.” The revisions to the requirements are subject to approval by the OMB. On March 8, the FFIEC will conduct a webinar from 2:00 p.m. to 3:30 p.m. ET to introduce the new Call Report and explain the revisions.

    Agency Rule-Making & Guidance OCC FFIEC Community Banks Federal Reserve FDIC Call Report Vendor Management

  • NYDFS Landmark Cybersecurity Rule Set to Take Effect on March 1

    State Issues

    On February 16, New York Governor Andrew Cuomo announced that with the New York Department of Financial Services’ (NYDFS) publication of a Final Regulation, New York’s “First-in-the-Nation Cybersecurity Regulation” is set to take effect on March 1. As discussed previously in InfoBytes, the regulation—which requires banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data—imposes broad and, in some cases, proscriptive data security and cybersecurity requirements on Covered Entities that venture into new territory for both state and federal financial regulators. Indeed, as described by Governor Cuomo, the regulation reflects New York’s efforts to “lead[] the nation” through “decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”

    Moreover, as detailed in a follow-up InfoBytes Special Alert, NYDFS issued an updated proposed regulation on December 28 in response to over 150 comments and testimony presented at a hearing before New York State lawmakers. Though the updated proposed regulation did not differ drastically from the original, the revised proposed regulation provided for somewhat greater flexibility in how covered entities could go about implementing the requirements. Among other things, the December 28 revisions provided for: (i) longer timeframes for compliance with its requirements; (ii) more flexibility for compliance with certain requirements and acknowledgement that some requirements may not be applicable to all financial institutions; and (iii) clarifications to certain key definitions.

    The newly released Final Regulation retains the revisions incorporated in the December 28 revision, but also contains the following notable revisions:

    • Record retention requirements for audit trail materials relating to Cybersecurity Events were reduced from five years to three years.
    • Clarification that Covered Entities’ policies and procedures for reporting by Third Party Service Providers of Cybersecurity Events only apply to the Covered Entity’s Nonpublic Information.
    • The limited exemption for small businesses to certain requirements of the rule has been narrowed by including a Covered Entity’s New York affiliates when calculating its number of employees and annual revenue.
    • Further clarification on the exemptions for companies regulated under New York’s Insurance Law.

    With the expiration of the 30-day comment period and the publication of the Final Rule, New York’s Cybersecurity regulation is officially cleared to become effective upon publication in the New York State Register on March 1.

    InfoBytes will continue to monitor the rollout of this pioneering regulation as it progresses.

    State Issues Agency Rule-Making & Guidance Bank Regulatory NYDFS Privacy/Cyber Risk & Data Security Vendor Management 23 NYCRR Part 500
