On June 29, the GAO published a report titled “Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed.” According to the report, notwithstanding recent efforts to implement effective information security controls to protect sensitive information and systems, the FDIC “continues to have unremediated weaknesses.” After examining the FDIC’s security systems, the GAO found that the FDIC’s user-authorization controls, although improved, remain vulnerable because the corporation failed to (i) implement an effective process for performing periodic reviews of user access rights; (ii) consistently disable inactive accounts; (iii) regularly document authorized modifications to user access; and (iv) identify authorization and recertification deficiencies. The report emphasizes that weaknesses in the user authorization controls “increase the risk that individuals may have greater access to financial data” than necessary. The report further notes that the corporation failed to fully implement, among other things, (i) encryption for all mainframe connections compliant with Federal Information Processing Standards Publications; (ii) effective audit and monitoring controls; (iii) procedures for controlling physical access to facilities; and (iv) management controls of security features for all hardware and software components to control for changes during a system’s life cycle. The GAO recommends that the FDIC improve its information security program by updating and implementing “access control procedures” and implementing additional monitoring of its “critical files.”
On July 15, the OCC, the FDIC, and the Federal Reserve released final revisions to the Interagency Questions and Answers Regarding Community Reinvestment document. The revised Questions and Answers document is based on a September 10, 2014 proposal and addresses questions from bankers, community organizations, and others pertaining to: (i) innovative or flexible lending practices; (ii) responsiveness and innovativeness of an institution’s loans, qualified investments, and community development services; (iii) availability and effectiveness of retail banking services; and (iv) community development-related issues, such as economic development, community development loans and activities, and community development services. According to the Questions and Answers document, the agencies did not adopt one of the revisions in the September 2014 proposal that had addressed “the availability and effectiveness of retail banking services.”
On June 28, the FDIC announced that it is conducting a survey to collect information on banks’ small business lending practices. Selected at random, approximately 2,000 FDIC-insured banks will participate in the web-based small dollar lending survey. Intended to provide insight into various aspects of small business lending, the survey will collect data related to: (i) the general characteristics of banks’ small business borrowers; (ii) the types of credit offered to small businesses; (iii) commercial lending and its relative importance for different-sized banks and business models; (iv) geographical location, collecting data for banks in urban and rural communities; and (v) market areas for small business lending and perceived competition. In addition, the survey contains questions related to consumer transaction accounts, responding to a Congressional mandate to “learn more about bank efforts to bring unbanked individuals into the conventional finance system.” Institutions selected to participate in the survey received a letter from the FDIC in late June with directions on how to proceed. The U.S. Census Bureau is administering the survey on behalf of the FDIC. It is unclear how this survey relates to the CFPB’s forthcoming rulemaking on small business lending.
FFIEC Issues Cybersecurity Statement, Comments on Recent Attacks on Interbank Messaging and Payment Networks
On June 7, the FFIEC issued a statement on behalf of its members (the OCC, Federal Reserve, FDIC, NCUA, CFPB, and State Liaison Committee) advising financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks.” According to the statement, recent cyber attacks against interbank networks and wholesale payment systems have demonstrated the ability to: (i) bypass information security controls and compromise a financial institution’s wholesale payment origination environment; (ii) “obtain and use valid operator credentials with the authority to create, approve, and submit messages”; (iii) make use of sophisticated understanding of funds transfer operations and operational controls; (iv) disable security logging and reporting by using highly customized malware, as well as conceal and delay detection of fraudulent transactions with the use of other operational controls; and (v) quickly transfer stolen funds across multiple jurisdictions.
On June 2, the FDIC announced a settlement with eight financial institutions to resolve federal and state securities law claims based on the institutions’ residential mortgage-backed securities (RMBS) practices. As the receiver for five failed banks from November 2011 through August 2012, the FDIC filed six lawsuits for alleged violations of federal and state securities laws. Specifically, according to the FDIC, the eight financial institutions made misrepresentations in offering documents in connection with the sale of 21 RMBS to the five failed banks. The $190 million in settlement funds will be distributed among the receiverships for the five failed banks.