On November 14, NYDFS announced a proposed regulation, which would allow regulated entities to share confidential supervisory information with legal counsel or with independent auditors without obtaining prior written approval from the agency. Currently, entities are required to receive prior written approval for each instance in which they want to share confidential supervisory information with hired legal counsel or independent auditors. The proposal would allow a regulated entity to share this information without prior written approval from NYDFS as long as there is a written agreement between the parties, in which the hired legal counsel or independent auditor agrees to, among other things, (i) use the information only for the purposes of legal representation or auditing services; (ii) not disclose the information to its employees except on a “need to know” basis; (iii) promptly notify NYDFS of any requests for the information; and (iv) maintain records of all information disclosed pursuant to the regulation. Comments on the proposal will be accepted for 60 days following publication in the state register on November 27.
On November 15, the U.S. Court of Appeals for the Eleventh Circuit vacated the district court’s certification order of a class action alleging a national satellite TV company violated the TCPA by contacting individuals who had previously asked to not be contacted. According to the opinion, a consumer filed a class action against the company alleging that the company failed to maintain an “internal do-not-call list,” which allowed the company and its telemarketing service provider to contact him eighteen times after he repeatedly asked to not be contacted. The consumer sought certification “of all persons who received more than one telemarketing call from [the telemarketing service provider] on behalf of [the company] while it failed to maintain an internal do-not-call list.” The district court certified the class and the company appealed.
On appeal, the 11th Circuit disagreed with the district court, concluding the court incorrectly determined that issues common to the class predominated over issues individual to each member. Specifically, the appellate court noted that the class consisted of unnamed class members who may not have asked the company to stop calling and therefore, would never have been on an internal do-not-call list, had one been properly maintained. Thus, these members were not injured by the company’s failure to comply and their injuries are then “not fairly traceable to [the company’s] alleged wrongful conduct,” resulting in a lack of Article III standing to sue. The appellate court emphasized that recertification is still possible, but the district court would need to determine which of the class members made the request to not be contacted. However, if “few made [the] request, or if it will be extraordinarily difficult to identify those who did, then the class would be overbroad” and individualized issues may “overwhelm issues common to the class.”
On November 15, the U.S. District Court for the Northern District of Georgia entered a stipulated final judgment and order to resolve allegations concerning one of the defendants cited in a 2015 action taken against an allegedly illegal debt collection operation. As previously covered by InfoBytes, the CFPB claimed that several individuals and the companies they formed attempted to collect debt that consumers did not owe or that the collectors were not authorized to collect. The complaint further alleged uses of harassing and deceptive techniques in violation of the CFPA and FDCPA, and named certain payment processors used by the collectors to process payments from consumers. While the claims against the payment processors were dismissed in 2017 (covered by InfoBytes here), the allegations against the outstanding defendants remained open. The November 15 stipulated final judgment and order is issued against one of the defendants who—as an officer and sole owner of the debt collection company that allegedly engaged in the prohibited conduct—was found liable in March for violations of the FDCPA, as well as deceptive and unfair practices and substantial assistance under CFPA.
Among other things, the defendant, who neither admitted nor denied the allegations except as stated in the order, is (i) banned from engaging in debt collection activities; (ii) permanently restrained and enjoined from making misrepresentations or engaging in unfair practices concerning consumer financial products or services; and (iii) prohibited from engaging in business ventures with the other defendants; using, disclosing or benefitting from certain consumer information; or allowing third parties to use merchant processing accounts owned or controlled by the defendant to collect consumer payments. The stipulated order requires the defendant to pay a $1 civil money penalty and more than $5.2 million in redress, although full payment of the judgment is suspended upon satisfaction of specified obligations and the defendant’s limited ability to pay.
On November 14, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Business Continuity Management booklet, one of a series of booklets that make up the FFIEC Information Technology Examination Handbook. The revised booklet replaces the 2015 version, and provides enterprise-wide guidance for examiners on the principles of business continuity management and approaches toward business continuity planning and resilience, including those designed to “achieve safety and soundness, consumer financial protection, and compliance with applicable laws, regulations, and rules.” It also provides examination procedures intended to help examiners assess the effectiveness of business continuity and resilience frameworks for entities including depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.
The same day, the OCC also issued Bulletin 2019-57 to note that the revised booklet rescinds Bulletin 2015-9, “FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet.”
CFPB says some organizations won’t need to comply with screening and training requirements for temporary MLOs
On November 15, the CFPB issued an interpretive rule, which clarifies the screening and training requirements for mortgage loan originators (MLOs) with temporary authority under Regulation Z. As previously covered by InfoBytes, Section 106 of the Economic Growth, Regulatory Relief, and Consumer Protection Act amends the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (SAFE Act) to establish temporary authority, providing a way for eligible MLOs who have applied for a new state loan originator license to act as a loan originator in the application state while the state considers the application. Regulation Z currently requires organizations to perform criminal screenings (including determining whether the applicant has been convicted of enumerated felonies within specified timeframes) and to satisfy training requirements before permitting the individual to originate loans. According to the Bureau, Regulation Z is “ambiguous” as to whether these requirements would apply to MLOs with temporary authority; therefore, the interpretive rule clarifies that an organization is not required to conduct the criminal screening or ensure the training of any MLOs with temporary authority under the SAFE Act.
The interpretive rule is effective November 24, the same day the SAFE Act amendments take effect.
On November 14, the FDIC released its latest issue of the FDIC Quarterly, which analyzes the U.S. banking system and focuses on changes occurring since the 2008 financial crisis, particularly within nonbank lending growth. The three reports—published by the FDIC’s Division of Insurance and Research—“address the shift in some lending from banks to nonbanks; how corporate borrowing has moved between banks and capital markets; and the migration of some home mortgage origination and servicing from banks to nonbanks.”
- Bank and Nonbank Lending Over the Past 70 Years notes that total lending in the U.S. has grown dramatically since the 1950s, with a shift in bank lending that reflects the growth of nonbank loan holders as nonbanks have gained market share in residential mortgage and corporate lending. The report states that in 2017, nonbanks represented 53 percent of mortgages originated by HMDA filers, and originated a significant volume of loans for sale to the GSEs. Mortgage servicing also saw a shift from banks to nonbanks, with nonbanks holding “42 percent of mortgage servicing rights held by the top 25 servicers in 2018.” The report also discusses shifts in lending for commercial real estate, agricultural loans, consumer credit, and auto loans, and notes that bank lending to nondepository financial institutions has grown from roughly $50 billion in 2010 to $442 billion in the second quarter of 2019.
- Leveraged Lending and Corporate Borrowing: Increased Reliance on Capital Markets, With Important Bank Links examines the shift in corporate borrowing from banks to nonbanks, with nonfinancial corporations “relying more on capital markets and less on bank loans as a funding source.” The report also, among other things, discusses resulting risks and notes that “[d]espite the concentration of corporate debt in nonbank credit markets, banks still face both direct and indirect exposure to corporate debt risks.”
- Trends in Mortgage Origination and Servicing: Nonbanks in the Post-Crisis Period examines changes to the mortgage market post-2007, including the migration outside of the banking system of a substantial share of mortgage origination and servicing. The report also discusses trends within the mortgage industry, key characteristics of nonbank originators and servicers, potential risks posed by nonbanks, as well as potential implications the migration to nonbanks may pose for banks and the financial system. Specifically, the report lists several factors contributing to the resurgence of nonbanks in mortgage origination and servicing, including (i) crisis-era legacy portfolio litigation at bank originators; (ii) more aggressive nonbank expansion; (iii) nonbanks’ technological innovations and mortgage-focused business models; (iv) large banks’ sales of crisis-era legacy servicing portfolios due to servicing deficiencies and other difficulties; and (v) capital treatment changes to mortgage servicing assets applicable to banks. The report emphasizes, however, that “[c]hanging mortgage market dynamics and new risks and uncertainties warrant investigation of potential implications for systemic risk.”
The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CTI) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. Indeed, to successfully implement a risk-based information security program, an organization must be aware of general cybersecurity risks across all industries, as well as both business-sector risks and organizational risks unique to the organization. Furthermore, proposed revisions to the FTC Safeguards Rule (previously covered by InfoBytes here) emphasize the need for a “thorough and complete risk assessment” that is informed by “possible vectors through which the security, confidentiality, and integrity of that information could be threatened.”
Threat modeling is generally understood as a formal process by which an organization identifies specific cyber threats to its information systems and sensitive information. The process gives management insight into the defenses needed; the critical risk areas within and across an information system, network, or business process; and the best allocation of scarce resources to address the critical risks. Even today, a generally accepted threat modeling process involves comprehensive system, application, and network mapping and data flow diagrams. Many threat modeling tools are available free to the public, such as Microsoft’s Threat Modeling Tool, which provides diagramming and analytical resources for network and data flow diagrams, using the STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, and escalation of privilege) to inform the user of general cyber-attack vectors that each organization should consider. Generally, by combining a cybersecurity framework such as the NIST Cybersecurity Framework (for risk-based analytical approaches) with threat modeling tools that identify generic cyber threats such as STRIDE (for general or sector-specific cyber risks), an organization can achieve a risk-informed information security program.
However, with the increasing number of large-scale data breaches and the evolving complexity of cybersecurity threats, many regulatory agencies and other industry-based standards institutions have called for a need to go one step further and understand the tactics, techniques, and procedures (TTPs) utilized by hackers, using CTI. By using CTI and other threat-based models, organizations can gain insight into potential attack vectors through red-teaming and penetration testing, simulating each phase of a hypothetical attack against the organization’s information system and determining potential countermeasures that can be employed at each step of the kill chain. For instance, Lockheed Martin’s formal kill chain model involves seven steps (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective) and proposes six potential defensive measures at each step (detect, deny, disrupt, degrade, deceive, and contain). Consequently, an organization can layer its defenses along each step in the kill chain to increase the probability of detecting or preventing the attack. The kill chain model was used as part of a U.S. Senate investigation into the data breach of a major corporation in 2013, identifying several stages along the chain where the attack could have been prevented or detected.
This threat identification process requires greater detail on adversarial TTPs. Fortunately, MITRE has provided for public consumption its ATT&CK (adversarial tactics, techniques, and common knowledge) platform. ATT&CK collects and streamlines adversarial TTPs in specific detail and provides information on each technique and potential mitigating procedures, including commonly used attack patterns for each. For instance, one tactic identified by ATT&CK is to encrypt data being exfiltrated to avoid detection by data loss prevention (DLP) tools or other network anomaly detection tools; ATT&CK identifies more than forty known techniques and tools that have been used to achieve encrypted transmission. ATT&CK also identifies potential detection and mitigation options, such as scanning unencrypted channels for encrypted files using DLP or intrusion detection software. Thus, instead of performing a generic data breach risk analysis, organizations can understand the specific TTPs that may make data breach detection and analysis more difficult, and possibly take measures to prevent them.
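The DLP-style check mentioned above (scanning an unencrypted channel for encrypted-looking payloads), as an added example that is not part of the original post and not MITRE's code: it scores each payload by byte entropy and printable ratio and flags opaque data seen on cleartext ports. The thresholds, the port list, the flow record layout and the sample payloads are assumptions constructed for the example.

```python
import base64
import math
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

class Verdict(NamedTuple):
    entropy: float          # Shannon entropy in bits per byte (0.0 .. 8.0)
    printable_ratio: float  # share of bytes that are printable ASCII/whitespace
    label: str              # "clear", "armored-opaque" or "encrypted-or-compressed"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline/CR."""
    if not data:
        return 1.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def classify_payload(data: bytes, binary_threshold: float = 7.2,
                     text_threshold: float = 5.6) -> Verdict:
    """Triage one payload. Both thresholds are assumptions to tune per site:
    compressed data (zip, images) is also near 8 bits/byte, so a hit means
    'inspect', not 'proven exfiltration'. The text threshold targets base64
    armoring (at most 6 bits/char); hex armoring (at most 4) needs its own rule."""
    ent, pr = shannon_entropy(data), printable_ratio(data)
    if pr < 0.9 and ent >= binary_threshold:
        return Verdict(ent, pr, "encrypted-or-compressed")
    if pr >= 0.9 and ent >= text_threshold:
        return Verdict(ent, pr, "armored-opaque")
    return Verdict(ent, pr, "clear")

CLEARTEXT_PORTS = {21, 25, 80, 110, 143}  # assumption: ports carrying no TLS

def scan_flows(flows: List[Dict]) -> List[Tuple[str, str]]:
    """Return (flow_id, label) for cleartext-port flows that deserve a closer look."""
    hits = []
    for flow in flows:
        if flow["dst_port"] not in CLEARTEXT_PORTS:
            continue  # TLS channels need a different control (e.g. proxy inspection)
        verdict = classify_payload(flow["body"])
        if verdict.label != "clear":
            hits.append((flow["id"], verdict.label))
    return hits

# Constructed sample payloads (not real captures).
CSV_BODY = b"account_id,name,balance\n" + b"".join(
    b"%d,customer-%d,%d.%02d\n" % (1000 + i, i, 250 * i, i % 100) for i in range(40))
RANDOM_LIKE = bytes(range(256)) * 4             # flat byte histogram: exactly 8.0 bits
ARMORED = base64.b64encode(bytes(range(256)))   # base64-armored version of opaque bytes
SAMPLE_FLOWS = [
    {"id": "f1", "dst_port": 80, "body": CSV_BODY},      # ordinary form post
    {"id": "f2", "dst_port": 80, "body": RANDOM_LIKE},   # opaque blob over HTTP
    {"id": "f3", "dst_port": 25, "body": ARMORED},       # armored blob over SMTP
    {"id": "f4", "dst_port": 443, "body": RANDOM_LIKE},  # TLS port: out of scope
]

if __name__ == "__main__":
    for flow_id, label in scan_flows(SAMPLE_FLOWS):
        print(flow_id, label)  # f2 encrypted-or-compressed / f3 armored-opaque
```

A real deployment would feed reassembled payloads from a network sensor or proxy into scan_flows and treat a hit as a trigger for analyst review, since legitimate compressed uploads produce the same entropy signature.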
By leveraging open-source CTI from tools such as ATT&CK and other reports from third-party sources such as government and industry alerts, organizations can begin the process of designing proactive defenses against cyber threats. It is important to note, however, that ATT&CK can only inform an organization’s threat modeling, and is not a threat model itself; additionally, ATT&CK focuses on penetration and hacking TTPs and, therefore, does not examine other threats that organizations may face, including distributed denial of service (DDoS) attacks that threaten the availability of their systems. Such threats will still need to be accounted for in any financial organization’s risk assessment, particularly if such DDoS attacks prevent its clients from accessing their financial accounts and ultimately, their money.
AG coalition calls on Department of Education to discharge loans for students who attended closed for-profit school
On November 13, a coalition of 22 state attorneys general led by the Massachusetts attorney general sent a letter to the Department of Education’s Federal Student Aid Chief Operating Officer to determine whether the Department has complied with federal regulations that allow student borrowers to qualify for automatic discharge relief if they attended a school within 120 days of its closure date and have not continued their education elsewhere. The letter referred to an estimate provided by the Department in May, which stated that approximately 52,000 former students of a now-closed for-profit college qualified for automatic closed-school discharge relief. The letter notes, however, that recent information obtained from Congress indicates that only 7,000 student borrowers have been granted automatic discharges. Among other things, the AGs ask the Department to clarify whether all eligible students are now receiving automatic discharges, and request that the 120-day window be expanded “due to the deeply compromised nature of the school and its offerings in the months before its national collapse.” In addition, the letter requests details about the number of students with discharged loans and the methodology the Department is using to implement the automatic closed-school discharge.
On November 13, the Washington attorney general announced an office supply company has agreed to pay $900,000 to resolve an investigation into deceptive computer repair services. According to the AG’s office, the company allegedly used a software program, called “PC Health Check” or similar names, to facilitate the sale of diagnostic and repair services to retail customers that cost up to $200, regardless of whether their computer was actually infected with viruses or malware. The program, which the company claimed detected malware symptoms on consumers’ computers, allegedly based its results on answers to four questions consumers were asked by a company employee at the beginning of the service, including whether the computer had slowed down, had issues with frequent pop-up ads, received virus warnings, or crashed often. After the questions were asked, the responses were entered into the program and a simple scan of the computer was run. The AG’s office claims that the scan had no connection to the malware symptoms results because an affirmative answer by the consumer to any of the four questions always led to the report of actual or potential malware symptoms. The release also states that in 2012, a company employee informed management that “the software reported malware symptoms on a computer that ‘didn’t have anything wrong with it,’” but that the company continued to sell the repair services until 2016 to an estimated 14,000 Washington consumers. According to the AG’s release, Washington is the only state to reach an agreement with the company over the alleged practices in addition to the $35 million national settlement the company and its software vendor reached with the FTC in March for similar conduct. (Previous InfoBytes coverage here.)
On November 12, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on the Financial Action Task Force (FATF)-identified jurisdictions with “strategic deficiencies” in their anti-money laundering and combating the financing of terrorism (AML/CFT) regimes. As previously covered by InfoBytes, in October, FATF updated the list of jurisdictions to include the Bahamas, Botswana, Cambodia, Ghana, Iceland, Mongolia, Pakistan, Panama, Syria, Trinidad and Tobago, Yemen, and Zimbabwe. At the time, FATF noted that several jurisdictions had not yet been reviewed, and that it “continues to identify additional jurisdictions, on an ongoing basis, that pose a risk to the international financial system.”
The FinCEN advisory reminds financial institutions of the FATF October updates and emphasizes that financial institutions should consider both the FATF Public Statement and the Improving Global AML/CFT Compliance: On-going Process documents when reviewing due diligence obligations and risk-based policies, procedures, and practices. Moreover, the advisory includes public statements on the status of, and obligations involving, the Democratic People’s Republic of Korea (DPRK) and Iran, in particular. The advisory reminds jurisdictions of the actions the United Nations and the U.S. have taken with respect to sanctioning the DPRK and Iran and emphasizes that financial institutions must comply “with the extensive U.S. restrictions and prohibitions against opening or maintaining any correspondent accounts, directly or indirectly, with foreign banks licensed by the DPRK or Iran.”
- Daniel P. Stipano to discuss “Connecting the dots on your CDD program” at the ABA/ABA Financial Crimes Enforcement Conference
- Daniel P. Stipano to discuss “Beneficial Ownership: You have questions – We have quick answers” at the ABA/ABA Financial Crimes Enforcement Conference
- Moorari K. Shah to discuss "Legal & regulatory issues – Next wave of regulatory policy" at the Marketplace Lending & Alternative Financing Summit
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at an American Bar Association webinar
- Kari K. Hall and Christopher M. Walczyszyn to speak on the "Understanding updates to Regulation CC to ensure effective check processing" at a National Association of Federal Credit Unions webinar
- APPROVED Webcast: Periodic reporting made easier
- Daniel P. Stipano to discuss "A 20/20 view on 2020’s legislative and regulatory outlook" at the ACAMS Anti-Financial Crime and Public Policy Conference