
InfoBytes Blog

Financial Services Law Insights and Observations


  • FFIEC Issues Cybersecurity Statement, Comments on Recent Attacks on Interbank Messaging and Payment Networks

    Privacy, Cyber Risk & Data Security

    On June 7, the FFIEC issued a statement on behalf of its members (the OCC, Federal Reserve, FDIC, NCUA, CFPB, and State Liaison Committee) advising financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks.” According to the statement, recent cyber attacks against interbank networks and wholesale payment systems have demonstrated the ability to: (i) bypass information security controls and compromise a financial institution’s wholesale payment origination environment; (ii) “obtain and use valid operator credentials with the authority to create, approve, and submit messages”; (iii) make use of sophisticated understanding of funds transfer operations and operational controls; (iv) disable security logging and reporting by using highly customized malware, as well as conceal and delay detection of fraudulent transactions with the use of other operational controls; and (v) quickly transfer stolen funds across multiple jurisdictions. 

    Due to the potential financial loss and compliance risk associated with the unauthorized transactions, the statement reminds financial institutions to consider the following steps to ensure compliance with regulatory requirements and FFIEC guidance: (i) establish and maintain an information security risk assessment program that “considers new and evolving threat intelligence related to online accounts and adjust customer authentication, layered security, and other controls in response to identified risks”; (ii) implement and maintain protection and detection systems, including antivirus protection and intrusion detection systems, and properly monitor system alerts; (iii) protect against unauthorized access to critical systems by, among other things, “limiting the number of credentials with elevated privileges across institutions” and establishing authentication rules; (iv) implement and regularly test controls around critical systems, and report test results to senior management, as well as the board of directors, if appropriate; (v) validate business continuity planning and ensure that the institution is able to “quickly recover and maintain payment processing operations”; (vi) strengthen information security awareness by conducting regular and mandatory training; and (vii) participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.

    In light of the FFIEC’s statement, the OCC simultaneously released Bulletin 2016-08, cautioning financial institutions that use interbank messaging and wholesale payment networks to take the aforementioned risk mitigation steps.

    FDIC CFPB Federal Reserve OCC NCUA FFIEC Privacy/Cyber Risk & Data Security

  • CFPB, Federal Banking Agencies, and NCUA Issue Interagency Guidance Regarding Deposit Reconciliation Practices

    Consumer Finance

    On May 18, the CFPB, the Federal Reserve, the OCC, the FDIC, and the NCUA issued interagency guidance on supervisory expectations regarding customer account deposit reconciliation practices. According to the guidance, banks create a “credit discrepancy” if they credit a customer a different amount than the total of the items the customer tried to deposit into an account. In further explaining what constitutes a credit discrepancy, the guidance states, “the customer may deposit $110 to an account, but may indicate on the deposit slip that only $100 has been tendered. In this case, the financial institution may credit $100 to the customer’s account as indicated on the deposit slip without reconciling the $10 discrepancy.” According to the guidance, some financial institutions fail to correct the inconsistencies between the dollar value of items deposited to the customer’s account and the amount actually credited to that same account. This is a potential violation of (i) the requirement under the Expedited Funds Availability Act, as implemented by Regulation CC, to make deposited funds available for withdrawal within prescribed time limits; (ii) the FTC Act’s ban of unfair or deceptive acts or practices; and (iii) the Dodd-Frank Act’s prohibition of unfair, deceptive, or abusive acts or practices. In addition to reminding financial institutions of their obligations to comply with the aforementioned applicable laws, the guidance stresses that financial institutions are expected to “adopt deposit reconciliation policies and practices that are designed to avoid or reconcile discrepancies, or designed to resolve discrepancies such that customers are not disadvantaged.”

    FDIC CFPB Federal Reserve OCC NCUA Agency Rule-Making & Guidance

  • ABA Seeks Interagency Guidance Related to Force-Place Flood Insurance Premiums

    Consumer Finance

    On April 22, the American Bankers Association (ABA) sent a letter to the OCC, the Federal Reserve, and the FDIC regarding force-place flood insurance (also known as lender-placed insurance). The ABA probed the question of whether or not the advancement of a lender-placed flood insurance premium constitutes an “increase” to the designated loan – a statutory “tripwire” under the Flood Disaster Protection Act (FDPA). According to the letter, “increasing reports” from ABA members suggest that examiners are taking the position that “advancing a flood insurance premium in order to force-place flood insurance increases a loan balance and therefore constitutes a MIRE event [(making, increasing, renewing, or extending a designated loan)].” The letter summarizes FDPA requirements, noting that, if examiners are in fact considering the advancement of a premium to force-place flood insurance as an increase to a designated loan, such an “interpretation is new to the industry and is inconsistent with industry practice and contractual obligations under standard mortgage loan agreements.” According to the ABA, this new approach would result in increased borrower confusion and expense: “[i]ndeed, if adding the flood insurance premium to the loan is considered to increase the loan amount, following that logic through, the payment of a force-placed hazard insurance premium, taxes, or even a late fee would also ‘increase’ the loan—and result in a MIRE event as it is wholly inconsistent to treat these protective advances differently. Accordingly, a delinquent borrower could experience a ‘MIRE event’ as frequently as monthly with each late payment. Clearly, this was not Congress’s intent.” The ABA urged the banking agencies to release interagency guidance to address concerns related to the advancement of flood insurance premiums as a potential MIRE event.

    FDIC Federal Reserve OCC Flood Insurance Force-placed Insurance

  • Federal Reserve Announces Off-Site Electronic Loan File Review Process

    Consumer Finance

    On April 19, the Federal Reserve issued a letter announcing a new off-site loan file review program available to banking institutions with less than $50 billion in total assets. According to the letter, recent technological advancements, i.e., secure data transmission and electronic file imaging, allow the Federal Reserve to collect and review loan file information off-site “without compromising the effectiveness of the examination process.” To determine if the off-site loan review program is appropriate for an institution, the Federal Reserve will consider the following: (i) if the institution uses a secure transmission method to submit the loan file data; (ii) if the institution can provide loan data and imaged documents that are legible, easily viewable, and properly organized; and (iii) if the loan files are sufficiently comprehensive, allowing examiners to reach a conclusion regarding the appropriate rating of a credit without requesting additional information. Regarding adjustments to the examination process of an off-site loan review, the letter cautions that examiners will need to allocate sufficient time before an examination begins to ensure loan file data was successfully transmitted to the Reserve Bank, and communicate with institutional management throughout the examination process. Finally, the letter discusses the scope of the off-site examination process versus that of an on-site examination process, noting that (i) certain portions of examination work will remain off-site regardless of whether the institution is participating in the new off-site program; and (ii) at examiners’ discretion, Reserve Banks “may hold either off-site or on-site discussions with the institution’s management regarding preliminary loan review findings such as the appropriateness of individual credit ratings assigned by [a state member bank or foreign banking organization] and the completeness of credit file documentation.”

    Examination Federal Reserve Electronic Records

  • Pakistani Bank Reaches Agreement with NYDFS to Enhance AML Compliance Controls

    State Issues

    Recently, the Federal Reserve and NYDFS announced that a New York branch of a Pakistani bank agreed to strengthen its compliance with BSA/AML requirements and OFAC regulations. The NYDFS’s and the NY Federal Reserve Bank’s recent examination into the bank’s branch found deficiencies related to its risk management and compliance with BSA/AML and OFAC regulations. Pursuant to the agreement, the bank must submit written plans to the NYDFS and the NY Federal Reserve Bank on its strategy to improve its BSA/AML/OFAC compliance and its suspicious activity reporting. In addition, the bank must submit quarterly progress reports to the aforementioned regulators.

    The recently issued agreement comes after a similar agreement earlier this month in which a New York branch of a Korean bank agreed to enhance its BSA/AML/OFAC compliance.

    Federal Reserve Anti-Money Laundering FinCEN Bank Secrecy Act OFAC NYDFS

  • Boston Fed President Comments on the Ever-Changing Nature of Cyber Risk

    Privacy, Cyber Risk & Data Security

    On April 4, the Federal Reserve Bank of Boston’s President Eric S. Rosengren delivered remarks at the 2016 Cybersecurity Conference. Rosengren commented on the status of the U.S. economy and the “ever-changing” nature of cyber risk. According to Rosengren, risks in the cyber realm, unlike those related to the economy, are not waning. Significant cyber risk points outlined in Rosengren’s remarks include: (i) banks are increasingly having to compete with “fintech” entities providing similar financial services without the regulatory burden of being a bank; (ii) rapid growth in new applications and devices may provide consumer convenience, but do not always focus on security issues at large; and (iii) implementation of a communication plan addressing customer, vendor, and regulator concern in light of a breach is critical to mitigating problems. Finally, Rosengren cautioned that, “[b]anking organizations need to continue to evolve as [cyber risks] morph, and as new innovations and expectations of convenience introduce new challenges to security.”

    Privacy/Cyber Risk & Data Security Federal Reserve Fintech

  • FinCEN, Banking Agencies Release Guidance on Applying Customer Identification Program Requirements to Holders of Prepaid Cards

    Consumer Finance

    On March 21, the Federal Reserve, FDIC, NCUA, OCC, and FinCEN published guidance to issuing banks (i.e., banks that authorize the use of prepaid cards) intended to clarify the application of customer identification program (CIP) requirements to prepaid cards. The guidance clarifies that when the issuance of a prepaid card creates an “account” as defined in CIP regulations, CIP requirements apply. The guidance indicates that a prepaid card should be treated as an account if it has attributes of a typical deposit product, including prepaid cards that provide the ability to reload funds or provide access to credit or overdraft features. Once an account has been opened, CIP regulations require identification of the “customer.” The guidance explains that the cardholder should be treated as the customer, even if the cardholder is not the named accountholder, but has obtained the card from a third party program manager who uses a pooled account with the bank to issue prepaid cards. Finally, the guidance stresses that third party program managers should be treated as agents, not customers, and that “[t]he issuing bank should enter into well-constructed, enforceable contracts with third-party program managers that clearly define the expectations, duties, rights, and obligations of each party in a manner consistent with [the] guidance.”

    FDIC Federal Reserve OCC NCUA Prepaid Cards FinCEN

  • Federal Reserve Releases Progress Report on Efforts to Improve US Payment System

    Fintech

    On February 2, the Federal Reserve published a report titled, “Progress Report: Strategies for Improving the U.S. Payment System.” The report details “progress made and outlin[es] anticipated steps for moving forward with [the Federal Reserve’s] initiative to enhance payment system speed, efficiency, and security.” The report highlights the significance of industry collaboration among stakeholders, commenting on the creation of the Faster Payments and Secure Payments Task Forces, which are comprised of more than 500 industry members. Looking ahead, the Federal Reserve plans to continue enhancing its 2015 initiative by, among other things, (i) providing additional opportunities for stakeholders to engage in strategy efforts; (ii) publishing, in early 2017, an assessment of faster payments solution proposals brought forward by participants of the Faster Payments Task Force; (iii) developing greater end-to-end efficiency for domestic and cross-border payments by creating a “detailed plan and timeline for implementation of the ISO 20022 format for wire transfers”; and (iv) releasing operational details regarding enhancements to its payment, settlement, and risk management services.

    Federal Reserve

  • Agencies Release CRA Asset-Size Threshold Adjustments

    Consumer Finance

    On December 22, the Federal Reserve, the OCC, and the FDIC jointly announced the adjusted thresholds for asset-size used to define small and intermediate small banks and savings associations under the Community Reinvestment Act. Effective January 1, 2016, a small bank or savings association will be defined as an institution that, as of December 31 of either of the past two calendar years, had assets of less than $1.216 billion. An intermediate small bank or intermediate small savings association will be defined as an institution with at least $304 million and less than $1.216 billion in assets as of December 31 of either of the past two calendar years. The agencies published the annual adjustments in the Federal Register on December 29, 2015.

    FDIC Federal Reserve OCC CRA

  • FDIC and Federal Reserve Announce Settlement with Connecticut-Based Financial Aid Company Over Deceptive Practices

    Consumer Finance

    On December 23, the FDIC announced separate settlements with a Connecticut-based financial aid company and an affiliated Utah-based bank for alleged deceptive practices in violation of the FTC Act. Separately, the Federal Reserve announced a settlement solely with the Connecticut-based company for allegedly violating the FTC Act by employing deceptive practices. The company provides financial aid disbursements to higher education institutions for its students. According to the agencies, the company omitted material facts about its financial aid disbursement business, such as: (i) details about alternative disbursement methods available to students; (ii) a full and complete fee schedule; and (iii) information regarding the locations of fee-free ATMs. In addition, the agencies alleged that the company prominently displayed school logos, suggesting to students that schools had endorsed its refund product.

    The FDIC’s orders against the company and the bank require each to pay a civil money penalty of $2.23 million and $1.75 million, respectively. In addition, the company and the bank together will pay approximately $31 million in restitution to roughly 900,000 consumers. Under the terms of the Federal Reserve’s order, the company will: (i) pay approximately $24 million in restitution to an estimated 570,000 consumers; (ii) pay a civil money penalty of more than $2 million; (iii) adopt a consumer compliance risk-management program; and (iv) refrain from future violations of section 5 of the FTC Act.

    FDIC Federal Reserve Student Lending UDAAP Enforcement Settlement
