On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. Developed to assist financial institutions in identifying risks and assessing cybersecurity preparedness, the Assessment is voluntary to use. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.
On November 7, the Federal Financial Institutions Examination Council (FFIEC) announced the issuance of an updated Uniform Interagency Consumer Compliance Rating System, more commonly known as the “CC Rating System.” In final guidance the FFIEC explains that the new rating system has been re-designed “to better reflect current consumer compliance supervisory approaches and to more fully align the CC Rating System with the Agencies’ current risk-based, tailored examination processes.” The agency also notes that the revisions “were not developed to set new or higher supervisory expectations for financial institutions and their adoption will represent no additional regulatory burden” (emphasis added).
Under the new CC Rating System, institutions will be assessed on a 1-to-5 rating scale in three distinct categories: (i) board and management oversight; (ii) compliance program and violations of law; and (iii) consumer harm. The new rating system will be used by all FFIEC member agencies – including CFPB in its evaluation of non-depository institutions. FFIEC member agencies plan to implement the updated rating system on consumer compliance examinations that begin on or after March 31, 2017.
On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessments “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”
On August 5, the FFIEC announced that the OCC, the FDIC, and the Federal Reserve are seeking public comment on a proposal for a new Consolidated Reports of Condition and Income for Eligible Small Institutions (FFIEC 051/Call Report). The proposed Call Report is a streamlined version of the Consolidated Reports of Condition and Income for a Bank with Domestic Offices Only (FFIEC 041), and would be applicable to financial institutions with domestic offices only and total assets of less than $1 billion. Intended to ease the reporting requirements for smaller institutions, the proposed Call Report would remove approximately 40% of about 2,400 data items in FFIEC 041. FFIEC 041 would remain applicable to institutions with domestic offices only that do not file the proposed Call Report. The banking agencies are also seeking public comment on proposed revisions to the FFIEC 041 and the Consolidated Reports of Condition and Income for a Bank with Domestic and Foreign Offices (FFIEC 031). Comments are due 60 days after Federal Register publication, which has not yet occurred.
On July 13, the CFPB announced that the FFIEC and HUD had published new resources for financial institutions required to file data pursuant to the Home Mortgage Disclosure Act (HMDA) and Regulation C, as amended by the CFPB’s October 2015 final rule, which revised and expanded the scope of HMDA reporting requirements. Accordingly, the CFPB updated its “Resources for HMDA filers” page to include the following new FFIEC and HUD resources: (i) a Technology Preview, which provides an initial summary for how HMDA filers will interact with the HMDA Platform, a web-based data submission and edit-check system that filers will use to submit HMDA data collected in or after 2017; (ii) Filing Instructions Guide (FIG) for HMDA data collected in 2017, which outlines changes to the submission process for data collected in 2017, 2017 file specifications, and 2017 edit specifications; and (iii) FIG for HMDA data collected in 2018. The 2018 FIG includes field definitions for the many additional or modified data points required for data collected in 2018 and 2018 file format and edit specifications. The technical specifications in the FIG will allow lenders and vendors of HMDA data-preparation software to begin making the systems changes needed to collect data in 2018 for submission in 2019. The CFPB’s HMDA resource page also includes FFIEC HMDA FAQs and reminds financial institutions to visit the FFIEC website for resources to submit data collected in or before 2016.