On October 19, the FDIC, the OCC, and the Federal Reserve issued an Advance Notice of Proposed Rulemaking (ANPR) to further the “development of enhanced cyber risk management standards for the largest and most interconnected entities under their respective supervisory jurisdictions, and those entities’ service providers.” These standards, according to the ANPR, are intended to “increase the operational resilience” of supervised entities and their service providers and, based on the interconnectedness of these entities, “reduce the impact on the financial system in case of a cyber event experienced by one of these entities.” The ANPR proposes organizing enhanced cyber standards into the following categories: (i) cyber risk governance; (ii) cyber risk management; (iii) internal dependency management; (iv) external dependency management; and (v) incident response. The ANPR further explains that the banking agencies “are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.” Comments on the ANPR, which would not apply to community banks, are due January 17, 2017.
On October 20, the FDIC, OCC, Federal Reserve, Farm Credit Administration, and National Credit Union Administration issued a proposed rule intended to develop further the private flood insurance marketplace by implementing certain provisions of the 2012 Biggert-Waters Flood Insurance Reform Act (Biggert-Waters Act). Notably, the proposed rule would “require regulated lending institutions to accept policies that meet the statutory definition of private flood insurance in the Biggert-Waters Act and permit regulated lending institutions to accept flood insurance provided by private insurers that does not meet the statutory definition of ‘private flood insurance’ on a discretionary basis, subject to certain restrictions.” Comments on the proposal are due 60 days after it is published in the Federal Register.
Federal Reserve Board Member Recognizes Blockchain Technology’s Potential; Warns of Associated Risks
On October 7, at the Institute of International Finance Annual Meeting Panel on Blockchain, Federal Reserve Board member Lael Brainard delivered a speech titled “Distributed Ledger Technology: Implications for Payments, Clearing, and Settlement.” Brainard acknowledged blockchain technology as possibly the “most significant development in many years in payments, clearing, and settlement” and outlined its potential “to transform the way financial market participants transfer, store, and maintain ownership records of digitized assets.” Brainard highlighted payment technology changes as a particular regulatory focus and emphasized the Federal Reserve’s “responsibilities for promoting the safety and efficiency of the payments and settlements systems; supervising financial institutions engaged in payments, clearing and settlement; and safeguarding financial stability.”
On October 11, the U.S. Department of the Treasury announced that the Group of Seven (G-7) countries – composed of the United States, Canada, France, Germany, Italy, Japan, and the United Kingdom – issued fundamental elements to “help address cyber risks facing the financial sector from both entity-specific and system-wide perspectives.” In Fundamental Elements of Cybersecurity for the Financial Sector, the G-7 outlines eight elements for private and public entities within the financial sector to use as “building blocks” for confronting cyber-related issues, the first of which is to establish and implement cybersecurity strategies and operational frameworks tailored to an entity’s nature, size, complexity, risk profile, and culture. The G-7’s remaining seven elements are as follows: (i) define and facilitate effective governance structures to ensure accountability; (ii) identify cyber risks and implement control assessments, including systems, policies, procedures, and training; (iii) “establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises”; (iv) ensure that incident response policies are effective and guarantee timeliness; (v) establish and test contingency plans that help to ensure effective recovery of critical functions and operations; (vi) share cybersecurity information with internal and external stakeholders, including threat indicators, vulnerabilities, and incidents; and (vii) develop a review process that addresses, among other things, evolving cyber risks. In support of the G-7 elements, Federal Reserve Vice Chairman Stanley Fischer stated that they are “a crucial step in furthering hardening each link in the chain of our global financial system.”
On October 7, following the Federal Reserve’s and the CFPB’s leads, the OCC released Bulletin 2016-33 advising financial institutions of updated interagency examination procedures for compliance with the Department of Defense’s (DoD) Military Lending Act (MLA) July 2015 final rule. As previously summarized in BuckleySandler’s Special Alert, the DoD issued an interpretive rule regarding the amendments to the regulations implementing the MLA on August 26, 2016. The 2015 final rule went into effect for consumer credit products other than credit cards on October 3, 2016. The requirements will take effect for credit card accounts one year later, on October 3, 2017. The OCC plans to include the updated interagency examination procedures in the Comptroller’s Handbook.