
InfoBytes Blog

Financial Services Law Insights and Observations


  • Biden issues executive order on EU-U.S. privacy shield replacement

    Privacy, Cyber Risk & Data Security

    On October 7, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to address the facilitation of transatlantic data flows between the EU and the U.S. The E.O. outlines commitments the U.S. will take under the EU-U.S. Data Privacy Framework, which was announced in March as a replacement for the invalidated EU-U.S. Privacy Shield. As previously covered by InfoBytes, the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR.

    Among other things, the E.O. bolsters privacy and civil liberty safeguards for U.S. signals intelligence-gathering activities, and establishes an “independent and binding mechanism” to enable “qualifying states and regional economic integration organizations, as designated under the E.O., to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law.” Specifically, the E.O. (i) creates further safeguards for how the U.S. signals intelligence community conducts data transfers; (ii) establishes requirements for handling personal information collected through signals intelligence activities and “extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance”; (iii) requires the U.S. signals intelligence community to make sure policies and procedures reflect the E.O.’s new privacy and civil liberty safeguards; (iv) establishes a multi-layer review and redress mechanism, under which the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) is granted the authority to investigate complaints of improper collection and handling of personal data and may issue binding decisions on whether improper conduct occurred and what the appropriate remediation should be; (v) directs the U.S. attorney general to establish a Data Protection Review Court (DPRC) to independently review CLPO decisions, thereby serving as the second level of the E.O.’s redress mechanism (see DOJ announcement here); and (vi) calls on the Privacy and Civil Liberties Oversight Board to review U.S. signals intelligence community policies and procedures to ensure they are consistent with the E.O.

    Privacy, Cyber Risk & Data Security Federal Issues Biden EU Consumer Protection EU-US Privacy Shield Of Interest to Non-US Persons GDPR EU-US Data Privacy Framework

  • Hsu says regulators should coordinate efforts to mitigate crypto risks

    On October 11, acting Comptroller of the Currency Michael J. Hsu delivered remarks before DC Fintech Week 2022, discussing the importance of identifying and monitoring cryptocurrency risks to protect consumers and the financial system. Among other things, Hsu noted that crypto “is an immature industry based on an immature technology.” He added that the industry still needs to deal with “the unabating volume of scams, hacks, and fraud.” Hsu voiced his concerns about integrating crypto into the traditional financial system without a more “accurate and complete” view of the risks. He noted that “[t]he largest crypto players today want to provide an increasingly broad range of services seamlessly under one roof for their customers.” Hsu pointed out that even though commingling crypto activities could “offer convenience for consumers and cost savings for crypto firms, conflicts abound and the riskiest activity threatens the whole bundle.” He warned that banks looking “to engage in crypto activities may want to carefully consider the scope of what they want to do, start with what can be most readily risk managed, and impose gates, through limits and other controls, to prevent uncontrolled expansion and growth into higher-risk activities.”

    Hsu also delivered remarks before the Harvard Law School and Program on International Financial Systems Roundtable on Institutional Investors and Crypto Asset, discussing the need for clarifying supervisory expectations related to crypto activities and the role of regulators to ensure safety and soundness while promoting responsible innovation. Hsu said that regulators should coordinate efforts to write rules that help mitigate risks associated with digital assets. He emphasized that the term “don’t chase” for financial regulators means “not lowering our standards when dealing with crypto.” He further pointed out that “[s]haring information with peer agencies and seeking a common understanding of the risks and opportunities in the space can help ensure that regulatory standards remain high and the playing field stays level.” Hsu concluded by reiterating that he is a “crypto skeptic,” stating that his “skepticism of crypto stems from a frustration that the most promising innovations have been crowded out by hype and a fixation on trading,” and said that “[p]rogrammability, composability, and tokenization hold promise.”

    Bank Regulatory Federal Issues Digital Assets Cryptocurrency OCC Fintech

  • Fed to roll out new bank application filing system at the end of October

    On October 6, the Federal Reserve Board announced that the current bank application filing system will be replaced with a new, upgraded cloud-based system known as FedEZFile later this month. The Fed stated that while the substantive requirements of the applications will remain the same, the new system will make the filing process more intuitive. Paper applications and communications will also be minimized. Under the system, applicants will be provided real-time status tracking, two-way messaging, and the ability to digitally sign documents. A webinar on the new system is forthcoming.

    Bank Regulatory Federal Issues Federal Reserve

  • FINRA alerts firms about rising ACATS fraud

    Federal Issues

    On October 6, FINRA issued Regulatory Notice 22-21, alerting member firms to the rising trend of fraudulent account transfers of customer accounts using the Automated Customer Account Transfer Service (ACATS)—an automated system that facilitates the transfer of customer account assets from one member firm to another. FINRA explained that “ACATS fraud is related to the growing threat of new accounts being opened online or through mobile applications using stolen or synthetic identities,” and may occur when the identity of a legitimate customer of a carrying member is stolen by a bad actor to open a brokerage account online or through a mobile app at a receiving member. Bad actors, FINRA warned, may open a new account using stolen information only or through a combination of stolen and false information, and will try to move the ill-gotten assets to an external account at a different financial institution. FINRA reminded members of regulatory obligations that may apply to ACATS fraud, including know-your-customer rules, Bank Secrecy Act/AML requirements, and the Identity Theft Red Flags Rule.

    Federal Issues Financial Crimes Privacy, Cyber Risk & Data Security Fraud FINRA Identity Theft Bank Secrecy Act Anti-Money Laundering

  • Treasury requests feedback on cyberinsurance

    Federal Issues

    On October 7, the U.S. Treasury Department published its Annual Report on the Insurance Industry, as required by the Dodd-Frank Act. The report discussed the U.S. insurance industry’s financial performance and its financial condition for the year ending December 31, 2021, and provided a domestic outlook for the industry for 2022. The report also summarized the Federal Insurance Office’s (FIO) activities and addressed certain matters affecting the domestic and international insurance industry.

    Earlier, Treasury issued a request for input in the Federal Register on a potential federal insurance response to catastrophic cyber incidents. According to Treasury, “the comments will inform FIO’s work in responding to a recommendation by the U.S. Government Accountability Office that FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly assess the extent to which the risks to U.S. critical infrastructure from catastrophic cyberattacks warrant a federal insurance response.” The request stated that cyber insurance is a significant risk transfer mechanism, and that the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency. Comments are due November 14.

    Federal Issues Privacy, Cyber Risk & Data Security Department of Treasury Insurance Dodd-Frank Federal Insurance Office

  • FSB reports on stablecoins and crypto-asset activities

    Federal Issues

    Recently, Financial Stability Board (FSB) Chair Klaas Knot sent a letter to the G20 Finance Ministers and Central Bank Governors concerning global financial stability, followed by the release of two FSB reports. The letter stated that “turmoil in crypto-asset markets has validated many of the FSB’s concerns about crypto assets,” and noted that the “‘crypto winter’ has reinforced [its] assessment of existing structural vulnerabilities.” The letter expressed concerns that the risks crypto assets pose to financial stability are “likely to come back to the fore sooner rather than later.” Knot stated that the FSB’s report on stablecoins expanded recommendations for the regulation of stablecoins, which are digital tokens that aim to maintain a one-on-one value with less volatile assets such as the euro or dollar. In the stablecoin report, the FSB stated that most existing stablecoins would not meet its recommendations at present, and would require “significant improvements” to their governance, risk management, stabilization mechanisms and disclosures. Knot also discussed the FSB’s report on crypto-asset activities and markets, which focuses on regulatory, supervisory, and oversight issues relating to crypto-assets to help ensure safe innovation. The report noted that “[c]orrelations between crypto-asset prices and mainstream equity indices have been steadily increasing since year-end 2021 and peaked in May 2022, when the market stress began.” The letter further described that in 2020, G20 Leaders endorsed the Roadmap for Enhancing Cross-border Payments to address the frictions that payments currently face, and thereby achieve faster, cheaper, more transparent and more inclusive cross-border payment services. As previously covered by InfoBytes, Knot stated that the recent FSB report on the roadmap presents “priorities for this new phase of the work, and proposes an intensified public-private sector collaboration to take this forward.” In regard to cyber risks, he stated that cyber-risk safeguards are important due to rapidly growing cyber incidents. He further stated that the FSB “is working to promote a resilient global financial system in the near term and over the longer run, supporting policymakers in the G20 to foster stronger, equitable and inclusive growth.”

    Federal Issues Digital Assets FSB Stablecoins Cryptocurrency Of Interest to Non-US Persons Fintech

  • FSB releases G20 roadmap for enhancing cross-border payments

    Federal Issues

    On October 10, the Financial Stability Board (FSB) published its priorities for the next phase of work under the G20 Roadmap for Enhancing Cross-Border Payments. According to the FSB, the plan includes steps to strengthen external engagement during the next phase of the group’s work. The FSB noted three priorities for the payment program’s next phase, which include: (i) payment system interoperability and extension; (ii) legal, regulatory and supervisory frameworks; and (iii) cross-border data exchange and message standards. The FSB further noted that it will coordinate work to develop further details of the actions that will take place to follow through with the plan, including discussions with industry participants. The updated roadmap will be provided during the first G20 Finance Ministers and Central Bank Governors meeting in 2023.

    Federal Issues FSB Payments Of Interest to Non-US Persons

  • OCC releases bank supervision operating plan for FY 2023

    On October 6, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2023. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) operational resiliency; (iii) third-party oversight and risk management; (iv) credit risk management with a focus on new products, areas of highest growth, and portfolios representing concentrations; (v) allowances for credit losses (ACL), including instances where ACL processes use third-party modeling techniques; (vi) interest rate risk; (vii) liquidity risk management; (viii) consumer compliance management systems with a focus on how programs are disclosed in relation to UDAP and UDAAP statutes; (ix) Bank Secrecy Act/AML compliance; (x) fair lending risks; (xi) Community Reinvestment Act strategies and the potential for modernization rulemaking; (xii) new products and services in areas such as payments, fintech, and digital assets; and (xiii) climate-change risk management. The plan will be used by OCC staff to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches and agencies of foreign banking organizations, and certain identified third-party service providers subject to OCC examination.

    The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered here.

    Bank Regulatory Federal Issues OCC Supervision Digital Assets Fintech Privacy, Cyber Risk & Data Security UDAP UDAAP Bank Secrecy Act Anti-Money Laundering Climate-Related Financial Risks Fair Lending Third-Party Risk Management Risk Management

  • OCC announces updated FFIEC cyber resource guide

    On October 6, the OCC announced that the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC Cybersecurity Resource Guide for Financial Institutions. According to the OCC, the 2022 FFIEC Cybersecurity Resource Guide for Financial Institutions provides a list of voluntary programs and actionable initiatives that are intended to help financial institutions meet their security control objectives and respond to cyber incidents. The 2022 guide rescinds and replaces the 2018 guide, and applies to a wide range of financial institutions including community banks. Highlights of the guidance include: (i) updated resource links for the Assessment, Exercise, Information Sharing, and Response and Reporting categories; and (ii) new ransomware specific resources.

    Bank Regulatory Federal Issues OCC FFIEC Privacy, Cyber Risk & Data Security

  • CFPB blogs about challenging inaccurate appraisals

    Federal Issues

    On October 6, the CFPB released a blog post regarding mortgage borrowers’ ability to challenge inaccurate appraisals through the reconsideration of value process (ROV). Among other things, the CFPB explained that “[a] lender’s reconsideration of value process must ensure that all borrowers have an opportunity to explain why they believe that a valuation is inaccurate and the benefit of a reconsideration to determine whether an adjustment is appropriate.” As required under the Equal Credit Opportunity Act Valuations Rule, the Bureau explained that some lenders include information regarding how to request a ROV in appraisals and other home valuations. The Bureau further noted that when lenders provide clear, plain-language notice of ROV opportunities to borrowers, lenders help ensure that their ROV process is nondiscriminatory. Lenders that do not have a clear and consistent method to ensure that borrowers can seek a ROV may risk violating federal law. The Bureau added that it has taken steps to implement legal requirements to limit bias in algorithmic appraisals, and that regulators are also providing more oversight over the activities of the Appraisal Foundation.

    Federal Issues CFPB Consumer Finance Mortgages Appraisal
