On March 30, the FFIEC announced two separate statements regarding cyber attacks at financial institutions: Statement on Destructive Malware and Statement on Compromising Credentials. The statements come in light of the growing number of attacks within the past two years and outline how financial institutions can ensure that the risk management processes and business continuity planning in place are sufficient for mitigating attacks and recovering from attacks that do occur. Noting the FFIEC’s existing guidelines for financial institutions, the report includes, but is not limited to, reminders to do the following: (i) securely configure systems and services; (ii) improve information security awareness and training programs; (iii) protect against unauthorized access to systems; (iv) participate in information-sharing forums; and (v) continually conduct information security risk assessments.
On April 6, the Federal Reserve, OCC, and FDIC (Agencies) revealed that their ongoing regulatory review under the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA) will now be expanded to include recently issued regulations. The EGRPRA requires the Agencies and the FFIEC to review and identify outdated, burdensome, or unnecessary regulations at least every 10 years. The regulators have held two public outreach meetings with additional outreach sessions currently scheduled for May 4 in Boston, August 4 in Kansas City, October 19 in Chicago, and concluding on December 2 in Washington, D.C.
On March 17, the FFIEC released a summary of its cybersecurity priorities for the remainder of 2015. The FFIEC intends to enhance its cybersecurity preparedness in seven main ways: (i) issuing a cybersecurity self-assessment tool that will help institutions to evaluate cybersecurity risk and risk management capabilities; (ii) improving council members’ process for “gathering, analyzing, and sharing information with each other during cyber incidents;” (iii) ensuring that test emergency protocols are set to respond to all cyber incidents in coordination with public-private partnerships; (iv) establishing training programs on developing cyber threats and vulnerabilities; (v) updating the Information Technology Examination Handbook; (vi) increasing focus on technology service providers’ ability to respond to cyber threats; and (vii) collaborating and sharing information with law enforcement and intelligence agencies. The seven action items derive from the FFIEC’s 2014 pilot assessment of cybersecurity readiness at over 500 financial institutions.
On December 2, the FFIEC announced the release of its revised BSA/AML examination manual. The updated revisions address supervisory expectations and include regulatory changes since the manual’s last publication in 2010. Significantly modified sections of the examination include (i) Suspicious Activity Reporting, (ii) Currency Transaction Reporting, (iii) Foreign Bank and Financial Accounts Reporting, and (iv) Third-Party Payment Processors. The manual is available on the FFIEC BSA/AML InfoBase.
On November 3, the FFIEC released its observations from a cybersecurity assessment of more than 500 institutions, and recommended that all regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a medium to “identify, respond to, and mitigate cybersecurity threats and vulnerabilities.” The FS-ISAC is a non-profit information sharing forum created by industry participants to share physical and cybersecurity threat information within the public and private sector. The assessment supplemented regularly scheduled bank examinations and built upon supervisory expectations contained within existing FFIEC information technology guidance.
The Federal Financial Institutions Examination Council (FFIEC) recently announced a series of initiatives aimed at promoting cybersecurity preparedness for community financial institutions throughout the country. One such initiative is the creation of the Cybersecurity and Critical Infrastructure Working Group, which was launched in June 2013 in order to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. This announcement follows the FFIEC’s May 2013 press release that highlighted an emphasis on cybersecurity awareness. The FFIEC press release described a webinar that the FFIEC provided to 5,000 chief executive officers and senior managers from community financial institutions to raise awareness about the pervasiveness of cyber threats, and introduce new vulnerability and risk-mitigation assessments and regulatory self-assessments of supervisory policies and processes.
On June 24, the FFIEC unveiled a new web page that will serve as a central repository for current and future FFIEC-related materials on cybersecurity. Although the FFIEC did not release any new resources, the launch shows the continuing focus of banking regulators on emerging cybersecurity risks. The FFIEC noted that the launch coincided with a pilot program through which state and federal regulators will assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience.
On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in the widely used OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally, the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
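The FFIEC’s third action item above, identifying vulnerable internal systems, is the step institutions most often had to script. The following is an added illustration, not code from the FFIEC alert or from the OpenSSL project: it parses the banner that `openssl version` prints on each host and classifies it against the release ranges the upstream OpenSSL advisory listed as affected (1.0.1 through 1.0.1f, and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code). The host names and banners in `SAMPLE_INVENTORY` are constructed for the example, and the assumption is that an inventory tool has already collected one banner per host.

```python
import re

# Matches the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013",
# "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) for an OpenSSL banner, or None
    if the banner does not come from OpenSSL at all (e.g. LibreSSL)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)


def is_heartbleed_affected(banner):
    """True if the banner falls in an affected upstream release, False if it does
    not, None if the banner is not an OpenSSL banner and needs a manual look."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter suffix) through 1.0.1f are affected; 1.0.1g fixed it.
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the defect; beta2 and later are fixed.
        return beta == 1
    # 0.9.8, 1.0.0 and everything newer than 1.0.2-beta1 are not affected.
    return False


def assess_inventory(inventory):
    """Map each host to an action. A hit means more than patching: per the FFIEC
    alert, keys on that host are presumed exposed, so certificates must be
    re-issued and users and administrators must change passwords."""
    actions = {}
    for host, banner in inventory.items():
        verdict = is_heartbleed_affected(banner)
        if verdict is None:
            actions[host] = "unknown: not an OpenSSL banner, review manually"
        elif verdict:
            actions[host] = "affected: upgrade, re-key certificates, reset credentials"
        else:
            actions[host] = "not affected by upstream version"
    return actions


# Constructed sample inventory (host -> banner), not real systems.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "mail01": "OpenSSL 0.9.8y 5 Feb 2013",
    "bsd01": "LibreSSL 2.8.3",
}

if __name__ == "__main__":
    for host, action in sorted(assess_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {action}")
```

One caveat a practitioner needs: several distributions backported the fix without changing the reported version (a patched Debian or Red Hat build can still print `1.0.1e`), so a hit from this check means "verify the package changelog or test the service", not "confirmed vulnerable"; a miss on an unrecognised banner is listed as unknown rather than silently passed for the same reason.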
On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.
On December 11, the FFIEC, on behalf of the CFPB, the FDIC, the OCC, the Federal Reserve Board, the NCUA, and the State Liaison Committee, released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions and nonbanks supervised by the CFPB. The guidance was finalized largely as proposed. However, in response to stakeholder comments, the regulators clarified certain provisions. For example, the final guidance clarifies that traditional emails and text messages, on their own, are not social media. The final guidance also explains that to the extent consistent with other applicable legal requirements, a financial institution may establish one or more specified channels that customers must use for submitting communications directly to the institution, and that a financial institution is not expected to monitor all Internet communications for complaints and inquiries, but should take into account the results of its own risk assessment in determining the appropriate approach regarding monitoring and responding to communications. The regulators also clarified that the guidance is not intended to provide a “one-size-fits-all” approach; rather financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the institution’s size, complexity, activities, and third party relationships. The final guidance also contains further discussion regarding the application of certain laws and regulations to social media activities, such as the Community Reinvestment Act. Finally, consistent with other recent regulatory initiatives, the final guidance clarifies that prior to engaging with a prospective third party an institution should evaluate and perform due diligence appropriate to the risks posed.
Comptroller Highlights Emerging Cybersecurity Risks, Discusses OCC and Financial Institution Responses
On September 18, in remarks before the Exchequer Club, Comptroller of the Currency Thomas Curry highlighted the emerging operational risks for financial institutions posed by cyberattacks, one of several risk areas identified by the OCC in its recent semiannual report. Comptroller Curry said bank cyberattacks have led to only minor disruptions so far, but are evolving and growing with the development and implementation of new technologies. The Comptroller identified the OCC’s and other federal banking agencies’ attempts to address these risks, including through an FFIEC working group created earlier this year. The Comptroller hopes the working group will address cyber issues through changes to examination policy and by supporting increased information sharing and communication between regulated institutions and their regulators, as well as among regulators and other government entities. According to the Comptroller, the OCC currently is engaged in outreach on this issue to all of its regulated institutions, but is especially focused on assisting community banks and thrifts. The Comptroller urged financial institutions, their boards, and senior-level management to be aware of and engaged on the risks posed by cyber threats, including, for example, by considering the potential for new products or strategic business decisions to create new vulnerabilities. He also implored institutions and their leaders to share information effectively, such as through industry cyber threat sharing organizations.
On September 18, the CFPB launched a new web-based tool for use in analyzing HMDA data. The CFPB explains that its new HMDA tool focuses on the number of mortgage applications and originations, in addition to loan purposes and loan types for 2010 through 2012, and allows the public to see nationwide summaries or employ interactive features to isolate the information for metropolitan areas. The CFPB is planning additional features for the site, including (i) “easy-to-use tools” that allow users to filter HMDA records and create summary tables and (ii) an application programming interface that will allow researchers and software developers to incorporate the CFPB-provided HMDA data into other applications and visualizations. During a CFPB Consumer Advisory Board meeting at which the new tool was demonstrated, Director Cordray explained that the CFPB’s HMDA tool is designed to enhance the value of the HMDA data to help identify potentially discriminatory lending patterns and determine whether lenders are serving the housing needs of their communities.
The launch corresponded with the FFIEC’s annual HMDA data release. The release provides data on mortgage lending transactions—including applications, originations, purchases and sales of loans, denials, and other actions related to applications—provided by 7,400 U.S. financial institutions covered by HMDA for the 2012 calendar year. The FFIEC release notes that 2012 HMDA data are the first to use the census tract delineations and population and housing characteristic data from the 2010 Census and from the American Community Survey and that the boundaries of many census tracts have been revised in the process of transitioning to the 2010 Census, and cautions users that boundary changes and updates to the population and housing characteristics of census tracts complicate intertemporal analysis of the annual HMDA data. The release further advises users that while the HMDA data can inform analysis of fair lending compliance, the HMDA data alone cannot be used to determine whether a lender is complying with fair lending laws because they do not include many potential determinants of creditworthiness and loan pricing, such as the borrower’s credit history, debt-to-income ratio, and the loan-to-value ratio.
As technology continues to grow and become a part of day-to-day life, smartphones and tablets are reshaping the delivery of financial services to consumers. The mobile device is quickly becoming a full-fledged platform for electronic financial services, especially for mobile payments.
The variety and number of mobile devices and of the service providers that support them have introduced new and different stakeholders – all of whom are competing with traditional financial institutions for dominance in the mobile commerce/mobile payment space. This new and rapidly evolving environment presents new operational risks for consumers, payment providers, and the recipients of the payments. It will be vital to identify who has legal responsibility and liability for the various risks associated with payment platforms and payment transactions.
To learn more about the mobile technology issues impacting the financial services industry, please review some of our recent articles on the issue. In their article “Is Regulatory Uncertainty an Impediment to Mobile Payments?”, published earlier this year, BuckleySandler attorneys Margo Tank and David Whitaker raise legal considerations surrounding the regulatory uncertainty in mobile payments. In “Federal Regulators Issue Guidance on Social Media and Mobile Privacy”, Margo, David, and Ian Spear discuss the recent guidance and flexible guidelines issued by the FFIEC and FTC. Another recent article by Margo and David provides a list of the accessibility items financial services companies should consider when developing their websites and mobile apps.
On June 6, the Federal Financial Institutions Examination Council (FFIEC) announced the formation of a working group to further promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues.
On April 18, the Federal Financial Institutions Examination Council published the 2013 Guide to HMDA Reporting. The updated edition reflects the transfer of HMDA and Regulation C authority to the CFPB, updates previously announced asset-size threshold exemption adjustments, and includes minor technical changes.