On June 24, the FFIEC unveiled a new web page that will serve as a central repository for current and future FFIEC-related materials on cybersecurity. Although the FFIEC did not release any new resources, the launch shows the continuing focus of banking regulators on emerging cybersecurity risks. The FFIEC noted that the launch coincided with a pilot program through which state and federal regulators will assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience.
The Federal Financial Institutions Examination Council (FFIEC) recently announced a series of initiatives aimed at promoting cybersecurity preparedness for community financial institutions throughout the country. One such initiative is the creation of the Cybersecurity and Critical Infrastructure Working Group, which was launched in June 2013 in order to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. This announcement follows the FFIEC’s May 2013 press release that highlighted an emphasis on cybersecurity awareness. The FFIEC press release described a webinar that the FFIEC provided to 5,000 chief executive officers and senior managers from community financial institutions to raise awareness about the pervasiveness of cyber threats, and introduce new vulnerability and risk-mitigation assessments and regulatory self-assessments of supervisory policies and processes.
On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed,” a recently discovered material security vulnerability in the widely used OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPNs), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally, the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
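Steps (i) through (iii) of the advisory amount to an inventory exercise: every internal system and vendor-operated service that reports an OpenSSL build has to be sorted into affected, not affected, or unknown, and the affected and unknown ones routed to whoever owns them. The script below is an added illustration of that triage, not FFIEC material and not part of the alert. It assumes the affected range published for CVE-2014-0160 (OpenSSL 1.0.1 up to and including 1.0.1f, fixed in 1.0.1g, with the 1.0.0 and 0.9.8 branches unaffected), and the inventory rows, host names and owner names are constructed for the example. One caveat a practitioner should keep in mind: some operating-system distributions backported the fix while keeping the old version banner, so a banner-based flag is a worklist to confirm against the vendor’s or distribution’s advisory, not proof that a system is vulnerable.

```python
"""Triage an OpenSSL inventory against the Heartbleed-affected version range.

Added example (not FFIEC material). Assumptions: CVE-2014-0160 affects OpenSSL
1.0.1 through 1.0.1f; 1.0.1g and later, and the 1.0.0 / 0.9.8 branches, are
unaffected. The inventory below is constructed sample data.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Affected branch and the first fixed patch letter for CVE-2014-0160 (assumed, see docstring).
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches the version portion of a banner such as "OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed inventory: host, owning team (internal or third-party), reported banner.
INVENTORY = """\
host,owner,openssl_banner
web01.example.internal,Online Banking,OpenSSL 1.0.1e 11 Feb 2013
vpn01.example.internal,Network,OpenSSL 1.0.1g 7 Apr 2014
mail01.example.internal,Messaging,OpenSSL 1.0.0k 5 Feb 2013
vendor-core-api,Core Processor (third party),OpenSSL 1.0.1f 6 Jan 2014
legacy-ivr,Call Center,unknown
"""


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, fix, letter) from a banner, or None if it cannot be read.

    Pre-release builds (e.g. "1.0.2-beta1") are deliberately returned as None so a
    human reviews them instead of the script guessing.
    """
    match = BANNER_RE.search(banner)
    if match is None or "beta" in banner.lower():
        return None
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_affected(banner: str) -> Optional[bool]:
    """True if the banner is in 1.0.1..1.0.1f, False if outside, None if unreadable."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    if (major, minor, fix) != AFFECTED_BRANCH:
        return False
    # Plain "1.0.1" has an empty letter; '' and 'a'..'f' all sort below 'g'.
    return letter < FIRST_FIXED_LETTER


def triage_inventory(csv_text: str) -> Dict[str, str]:
    """Map each inventoried host to 'affected', 'not affected' or 'unknown'."""
    verdicts: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result = is_heartbleed_affected(row["openssl_banner"])
        if result is None:
            verdicts[row["host"]] = "unknown"
        else:
            verdicts[row["host"]] = "affected" if result else "not affected"
    return verdicts


def remediation_worklist(csv_text: str) -> Dict[str, List[str]]:
    """Group hosts needing action (affected or unknown) by the owner who must act.

    Third-party owners correspond to the advisory's vendor follow-up; internal
    owners to the upgrade-and-patch steps. Unknown banners stay on the list until
    the owner confirms the build, since silence is not evidence of safety.
    """
    verdicts = triage_inventory(csv_text)
    worklist: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if verdicts[row["host"]] in ("affected", "unknown"):
            worklist.setdefault(row["owner"], []).append(row["host"])
    for hosts in worklist.values():
        hosts.sort()
    return worklist


if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host:28s} {verdict}")
    for owner, hosts in remediation_worklist(INVENTORY).items():
        print(f"ACTION {owner}: {', '.join(hosts)}")
```

The worklist is keyed by owner rather than by host on purpose: the advisory separates what the institution must do itself (upgrade and patch internal systems, then rotate keys and passwords) from what it must track at vendors, and a list per owner is what the follow-up monitoring in step (ii) actually consumes.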
On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
In a second statement, the FFIEC advised financial institutions of a type of large-dollar-value ATM cash-out fraud in which cyber attackers gain access to, and alter the settings on, the web-based ATM control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card-issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.
On December 11, the FFIEC, on behalf of the CFPB, the FDIC, the OCC, the Federal Reserve Board, the NCUA, and the State Liaison Committee, released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions and nonbanks supervised by the CFPB. The guidance was finalized largely as proposed. However, in response to stakeholder comments, the regulators clarified certain provisions. For example, the final guidance clarifies that traditional emails and text messages, on their own, are not social media. The final guidance also explains that, to the extent consistent with other applicable legal requirements, a financial institution may establish one or more specified channels that customers must use for submitting communications directly to the institution, and that a financial institution is not expected to monitor all Internet communications for complaints and inquiries, but should take into account the results of its own risk assessment in determining the appropriate approach to monitoring and responding to communications. The regulators also clarified that the guidance is not intended to provide a “one-size-fits-all” approach; rather, financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the institution’s size, complexity, activities, and third-party relationships. The final guidance also contains further discussion regarding the application of certain laws and regulations to social media activities, such as the Community Reinvestment Act. Finally, consistent with other recent regulatory initiatives, the final guidance clarifies that, prior to engaging with a prospective third party, an institution should evaluate and perform due diligence appropriate to the risks posed.
Comptroller Highlights Emerging Cybersecurity Risks, Discusses OCC and Financial Institution Responses
On September 18, in remarks before the Exchequer Club, Comptroller of the Currency Thomas Curry highlighted the emerging operational risks for financial institutions posed by cyberattacks, one of several risk areas identified by the OCC in its recent semiannual report. Comptroller Curry said that bank cyberattacks have led to only minor disruptions so far, but are evolving and growing with the development and implementation of new technologies. The Comptroller identified the OCC’s and other federal banking agencies’ efforts to address these risks, including through an FFIEC working group created earlier this year. The Comptroller hopes the working group will address cyber issues through changes to examination policy and by supporting increased information sharing and communication between regulated institutions and their regulators, as well as among regulators and other government entities. According to the Comptroller, the OCC currently is engaged in outreach on this issue to all of its regulated institutions, but is especially focused on assisting community banks and thrifts. The Comptroller urged financial institutions, their boards, and senior-level management to be aware of, and engaged with, the risks posed by cyber threats, including, for example, by considering the potential for new products or strategic business decisions to create new vulnerabilities. He also implored institutions and their leaders to share information effectively, such as through industry cyber threat sharing organizations.
On September 18, the CFPB launched a new web-based tool for use in analyzing HMDA data. The CFPB explains that its new HMDA tool focuses on the number of mortgage applications and originations, in addition to loan purposes and loan types for 2010 through 2012, and allows the public to see nationwide summaries or employ interactive features to isolate the information for metropolitan areas. The CFPB is planning additional features for the site, including (i) “easy-to-use tools” that allow users to filter HMDA records and create summary tables and (ii) an application programming interface that will allow researchers and software developers to incorporate the CFPB-provided HMDA data into other applications and visualizations. During a CFPB Consumer Advisory Board meeting at which the new tool was demonstrated, Director Cordray explained that the CFPB’s HMDA tool is designed to enhance the value of the HMDA data to help identify potentially discriminatory lending patterns and determine whether lenders are serving the housing needs of their communities.
The launch corresponded with the FFIEC’s annual HMDA data release. The release provides data on mortgage lending transactions—including applications, originations, purchases and sales of loans, denials, and other actions related to applications—provided by 7,400 U.S. financial institutions covered by HMDA for the 2012 calendar year. The FFIEC release notes that 2012 HMDA data are the first to use the census tract delineations and population and housing characteristic data from the 2010 Census and from the American Community Survey and that the boundaries of many census tracts have been revised in the process of transitioning to the 2010 Census, and cautions users that boundary changes and updates to the population and housing characteristics of census tracts complicate intertemporal analysis of the annual HMDA data. The release further advises users that while the HMDA data can inform analysis of fair lending compliance, the HMDA data alone cannot be used to determine whether a lender is complying with fair lending laws because they do not include many potential determinants of creditworthiness and loan pricing, such as the borrower’s credit history, debt-to-income ratio, and the loan-to-value ratio.
As technology continues to grow and become part of day-to-day life, smartphones and tablets are reshaping the delivery of financial services to consumers. The mobile device is quickly becoming a full-fledged platform for electronic financial services, especially mobile payments.
The variety and number of mobile devices, and of the service providers that support them, have introduced new and different stakeholders, all of whom are competing with traditional financial institutions for dominance in the mobile commerce and mobile payment space. This new and rapidly evolving environment presents new operational risks for consumers, payment providers, and payment recipients. It will be vital to identify who bears legal responsibility and liability for the various risks associated with payment platforms and payment transactions.
To learn more about the mobile technology issues affecting the financial services industry, please review some of our recent articles on the subject. In their article from earlier this year, “Is Regulatory Uncertainty an Impediment to Mobile Payments?”, BuckleySandler attorneys Margo Tank and David Whitaker raise legal considerations surrounding the regulatory uncertainty in mobile payments. In “Federal Regulators Issue Guidance on Social Media and Mobile Privacy,” Margo, David, and Ian Spear discuss the recent guidance and flexible guidelines issued by the FFIEC and FTC. Another recent article by Margo and David provides a list of the accessibility items financial services companies should consider when developing their websites and mobile apps.
On June 6, the Federal Financial Institutions Examination Council (FFIEC) announced the formation of a working group to further promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues.
On April 18, the Federal Financial Institutions Examination Council published the 2013 Guide to HMDA Reporting. The updated edition reflects the transfer of HMDA and Regulation C authority to the CFPB, updates previously announced asset-size threshold exemption adjustments, and includes minor technical changes.
On April 1, the Federal Financial Institutions Examination Council (FFIEC) announced that Comptroller of the Currency Thomas Curry will serve a two-year term as FFIEC Chairman. The FFIEC also selected Federal Reserve Board Member Daniel Tarullo as Vice Chairman, and announced three new State Liaison Committee members: Michael Mach, Division of Banking Administrator for the Wisconsin Department of Financial Institutions; Lauren Kingry, Superintendent of the Arizona Department of Financial Institutions; and Thomas Candon, Deputy Commissioner of Banking and Securities of the Vermont Department of Financial Regulation. The FFIEC is responsible for prescribing uniform principles, standards, and report forms for the federal examination of financial institutions, and for recommending changes to promote uniformity in the supervision of financial institutions. The FFIEC also conducts schools for federal examiners.
On February 13, the CFPB announced a plan to implement its recently adopted mortgage rules, which go into effect in January 2014. To assist financial institutions with implementing the rules, the CFPB will (i) coordinate with other agencies that conduct examinations of mortgage companies to ensure all regulators have a shared understanding of the CFPB’s new rules, (ii) publish plain-language guides in the spring, (iii) publish updates to the official interpretations, with priority given to issues that are important to a large number of providers or consumers, and that critically affect mortgage companies’ implementation decisions, (iv) publish readiness guides, available this summer, and (v) work with the FFIEC to develop more in-depth examination procedures.
On January 22, the FFIEC proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions, as well as nonbanks supervised by the CFPB. With regard to compliance and legal risks, the guidance addresses (i) the applicability of existing federal laws and regulations to the use of social media for marketing and originating new deposit and lending products and the use of social media to facilitate consumer use of payment systems; (ii) the need to apply BSA/AML internal controls to customers engaging in electronic banking through the use of social media, and e-banking products and services offered in the context of social media, as well as BSA/AML risks emerging through the growing use of social media; (iii) CRA monitoring of social media sites run by an institution; and (iv) customer privacy issues associated with social media. The guidance also reviews reputational risks related to social media, including risks related to (i) fraud and brand identity; (ii) social media vendor monitoring; (iii) privacy; (iv) consumer complaints; and (v) employee use of social media. Finally, the guidance addresses the vulnerability of social media to malware and the resulting operational risk. The FFIEC is accepting comments for 60 days after publication in the Federal Register. After the comment period, the agencies will issue supervisory guidance and will urge state regulators to follow.
In an annual rite of autumn, on September 18 the Federal Financial Institutions Examination Council released 2011 Home Mortgage Disclosure Act (HMDA) data for U.S. mortgage lenders. The public data contains information regarding nearly all home mortgage applications acted on in the prior calendar year, designated by loan purpose (i.e., home purchase, home refinance and home improvement). The HMDA data covers home loan applications made to over 7,600 U.S. financial institutions, including banks, savings associations, credit unions and mortgage companies, and contains information on approximately 11.7 million applications, 7.1 million originations and 2.9 million purchases.
HMDA data provides a wealth of mortgage industry-related information, including data on application and loan volume, the proportion of loans backed by the Fair Housing Administration and Veterans Administration, and lender concentration in the mortgage market. However, its most important function and the reason HMDA was enacted is the role the data plays in fair lending enforcement. Toward this end, the outcome of each home mortgage loan application is classified according to the applicant’s race, ethnicity and gender. HMDA data further allows analyses based on the site of the subject property, as well as the location of the lender.
On October 31, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Supervision of Technology Service Providers Booklet (TSP Booklet). The revised TSP Booklet, which is part of the FFIEC Information Technology Examination Handbook, provides guidance for examiners and financial institutions on the supervision of technology service providers by describing the federal banking regulators’ statutory authority to supervise third-party service providers, outlining the regulators’ risk-based supervision program, and providing the Uniform Rating System for examinations. The TSP Booklet clarifies that outsourced activities should be subject to the same risk management, security, privacy, and other internal controls and compliance policies as if such functions were performed internally, and that a financial institution’s board of directors and management have the responsibility for ensuring that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.
Concurrent with the release of the updated TSP Booklet, the Federal Reserve Board, the FDIC, and the OCC issued new Administrative Guidelines for the Implementation of Interagency Programs for the Supervision of Technology Service Providers. The Guidelines are separate from the FFIEC IT Examination Handbook and describe how the agencies implement their interagency supervisory programs. The Guidelines are primarily a resource for examiners and include the reporting templates used by examiners.