On March 25, Department of the Treasury’s Deputy Secretary Raskin delivered remarks regarding the agency’s efforts to enhance cybersecurity as the number of cyber-attacks continue to increase. Raskin outlined three specific areas where financial institutions can better prepare for cyber threats and enhance “cyber resilience” in the event of a cyberattack: (i) increase information sharing among financial institutions, thereby making this a priority for the financial sector worldwide; (ii) ensure that safeguards are in place for all third-party vendors with access to the financial institution’s data and systems; and (iii) design a cyber-preparedness “playbook” that has a “detailed, documented plan so that the firm can react quickly to minimize internal and external damage, reduce recovery and time costs, and instill confidence in outside stakeholders and the public.”
In April 2012, the Consumer Protection Financial Bureau issued Bulletin 2012-03, a guidance document setting forth the CFPB’s high-level expectations related to the engagement of third party service providers by supervised financial institutions. Since then, the Bureau has often referenced the Service Provider Bulletin in subsequent guidance and enforcement actions, but has not provided much in the way of detailed requirements for managing service providers. Despite the absence of strong guideposts, the CFPB has nonetheless sent unmistakable signals to highlight conduct which fails to meet the Bureau’s expectations on a variety of vendor relationship issues.
“The CFPB has voiced its dissatisfaction on a number of occasions with supervised entities that fail to perform adequate vendor oversight,” according to Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “In particular, nonbanks and service providers that are still coming up-to-speed on federal agency supervision and enforcement have to be alert and aware of important trends in recent enforcement actions that challenge outdated notions of vendor management.” Read more…
CFPB Announces Enforcement Action Against Telecommunications Company for Alleged Unauthorized Third-Party Charges
On December 17, the CFPB filed a complaint in the Southern District of New York against a telephone company for allegedly charging its customers tens of millions of dollars in unauthorized third-party charges. According to the CFPB’s press release, for roughly a decade the company “crammed” consumers’ wireless bills with illegal charges by outsourcing payment processing for digital purchases – such as apps, games, and movies – to vendors known as “billing aggregators.” The CFPB alleges that the company failed to properly monitor the aggregators’ billing of customers as a payment processor for the third parties, and violated Dodd-Frank and the CFPA by (i) allowing third party vendors to attach illegitimate charges to consumers’ bills; (ii) billing customers for the unauthorized charges without their consent; (iii) failing to heed red flags showing that the system “was a breeding ground for unauthorized charges”; and (iv) failing to respond to consumer complaints. The complaint seeks refunds for consumers and penalties.
On September 24, the CFPB announced a consent order with a large national bank to address alleged unfair practices related to add-on identity theft protection products marketed by the bank and sold and administered by a third-party service provider to the bank’s customers from 2003–2012. Specifically, the CFPB alleged that customers were unfairly billed by the service provider for certain products that offered credit monitoring and credit report retrieval services without receiving the full benefit of the services. Customers who enrolled in these add-on identity theft products were required to provide sufficient written authorization and personal verification before the customers’ credit bureau reports could be accessed. However, according to the Bureau, in many instances time passed before a customer’s authorization was obtained or a customer’s authorization was never obtained. In other instances, the credit bureau could not match the customer’s identification information with its records. Although the bank’s vendor, rather than the bank itself, was directly responsible for selling and administering the products, the CFPB found that the bank’s compliance monitoring, service provider management, and quality assurance functions had failed to prevent, identify, and correct the unfair practices, resulting in substantial injury to more than 420,000 consumers. According to the CFPB’s order, this injury was not reasonably avoidable by consumers, and was not outweighed by any countervailing benefit to consumers or competition, and, therefore, the bank engaged in unfair practices. Read more…
On August 20, the CFPB announced a consent order with a Texas-based auto finance company to address alleged deficiencies in the finance company’s credit reporting practices. The company offers both direct and indirect financing of consumer auto purchases, and, according to the CFPB, specializes in lending to consumers with impaired credit profiles. In general, the CFPB took issue with the finance company’s alleged failure to implement policies and procedures regarding the accuracy and integrity of information furnished to consumer credit reporting agencies (CRAs) and alleged deceptive acts in the finance company’s representations regarding the accuracy of furnished information.
The CFPB’s action specifically alleged that the finance company violated the Fair Credit Reporting Act (FCRA) by providing inaccurate information to credit reporting agencies regarding how its borrowers were performing on their accounts, including by: (i) reporting inaccurate information about how much consumers were paying toward their debts; (ii) reporting inaccurate “dates of first delinquency,” which is the date on which a consumer first became late in paying back the loan; (iii) substantially inflating the number of delinquencies for some borrowers when it reported borrowers’ last 24 months of consecutive payment activity; (iv) informing CRAs that some of its borrowers had their vehicles repossessed, when in fact those individuals had voluntarily surrendered their vehicles back to the lienholder. The CFPB claims this activity took place over a three-year period, even after the company was made aware of the issue. The CFPB believes the company furnished incorrect information to the CRAs on as many as 118,855 accounts.
The consent order requires the company to pay a $2.75 million penalty to the CFPB. In addition, the finance company must: (i) review all previously reported accounts for inaccuracies and correct those accounts or delete the tradeline; (ii) arrange for consumers to obtain a free credit report; and (iii) inform all affected consumers of the inaccuracies, their right to a free consumer report, and how consumers may dispute inaccuracies. The order also directs the company to sufficiently provide the staffing, facilities, systems, and information necessary to timely and completely respond to consumer disputes in compliance with the FCRA.
On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data, and the second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements related to when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third-parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.
On July 2, the Massachusetts Division of Banks published an industry letter regarding mortgage lenders’ obligation to timely fund and disburse mortgage proceeds and oversee internal and third-party compliance with that requirement. The letter advises lenders that numerous recent examinations have revealed issues with timely funding of loans by lenders and disbursement of funds by settlement agents. The letter reminds lenders that the state’s “Good Funds Law” requires a mortgage lender to disburse—in the form of a certified check, bank treasurer’s check, cashier’s check, or wire transfer—the full amount of the loan proceeds prior to recording the mortgage, and that failure to do so may be considered an unfair and deceptive practice. In addition, the letter advises lenders that (i) they must establish and implement policies and procedures to ensure that vendors distribute loan proceeds in the required timeframe, and (ii) internal compliance audits should include testing of the lender’s and any settlement agents’ settlement processes and procedures.
On July 1, the Federal Reserve Board announced a joint enforcement action with the Illinois Department of Financial and Professional Regulation against a state bank that allegedly failed to properly oversee a nonbank third-party provider of financial aid refund disbursement services. The consent order states that from May 2012 to August 2013, the bank opened over 430,000 deposit accounts in connection with the vendor’s debit card product for disbursement of financial aid to students. The agencies claim that during that time, the vendor misled students about the product, including by (i) omitting material information about how students could get their financial aid refund without having to open an account; (ii) omitting material information about the fees, features, and limitations of the product; (iii) omitting material information about the locations of ATMs where students could access their account without cost and the hours of availability of those ATMs; and (iv) prominently displaying the school logo, which may have erroneously implied that the school endorsed the product. The regulators ordered the bank to pay a total of $4.1 million in civil money penalties. In addition, the Federal Reserve is seeking restitution from the vendor, and, pursuant to the order against the bank, may require the bank to pay any amounts the vendor cannot pay in restitution to eligible students up to the lesser of $30 million or the total amount of restitution based on fees the vendor collected from May 2012 through June 2014. The consent order also requires the bank to submit for Federal Reserve approval a compliance risk management program in advance of entering into an agreement with a third party to solicit, market, or service a consumer deposit product on behalf of the bank.
On June 25, the OCC published its semiannual risk report, which provides an overview of the agency’s supervisory concerns for national banks and federal savings associations, including operational and compliance risks. As in prior reports and as Comptroller Curry has done in speeches over the past year, the report highlights cyber-threats and BSA/AML risks. The OCC believes cyber-threats continue to evolve and require heightened awareness and appropriate resources to identify and mitigate the associated risks. Specifically, the OCC is concerned that cyber-criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption. Extending another recent OCC theme, the report notes that the number, nature, and complexity of both foreign and domestic third-party relationships continue to expand, resulting in increased system and process interconnectedness and additional vulnerability to cyber-threats. The report also states that BSA/AML risks “remain prevalent given changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud.” The OCC adds that “BSA programs at some banks have failed to evolve or incorporate appropriate controls into new products and services,” and again cautions that a lack of resources and expertise devoted to BSA/AML risk management can compound these concerns. Finally, the OCC expressed concern that competitive pressures in the indirect auto market are leading to an erosion of underwriting standards. The OCC’s supervisory staff plans to review retail credit underwriting practices at banks, especially for indirect auto.
On April 16, Comptroller of the Currency Thomas Curry spoke to attendees of the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks to potential third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on controls and risk management practices employed by vendors that provide services to banks and thrifts, Comptroller Curry advised vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”
On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in a commonly used encryption method known as the OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
On April 7, the FDIC reissued, as attachments to FIL-13-2014, three technology outsourcing resources. The documents, which the FDIC describes as containing “practical ideas for banks to consider when they engage in technology outsourcing” are titled: (i) Effective Practices for Selecting a Service Provider; (ii) Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements; and (iii) Techniques for Managing Multiple Service Providers. The FDIC advises that the resources are informational only and do not substitute for official examination guidance. On April 10, the FDIC urged financial institutions to utilize existing resources to identify and help mitigate potential cyber-related risks. The FDIC advised institutions to ensure that their information security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify emerging cyber risks, including the following governmental resources: (i) the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT); (ii) U.S. Secret Service Electronic Crimes Task Force (ECTF); (iii) FBI InfraGard; (iv) financial services sector regional coalitions; and (v) Information Sharing and Analysis Centers (ISACs).
On March 4, Comptroller of the Currency Thomas Curry addressed the annual meeting of the Independent Community Bankers Association where he stressed the need for banks to effectively manage risk presented by the outsourcing of data security and information technology. The Comptroller explained that “[t]hird parties can be the weak link in [a bank’s] information systems security and resiliency; and especially where that third party is providing security services.” Referencing guidance the OCC issued last year, the Comptroller described the OCC’s due diligence expectations for banks’ third-party relationships as “substantial” and stressed that a bank’s due diligence needs to cover not only the vendor, but the vendor’s own third-party relationships. Mr. Curry also focused on other concerns he has about third-party relationships, including: (i) consolidation of service providers, which can increase the number of banks impacted when deficiencies occur at a single vendor; (ii) increased reliance by banks on foreign-based service providers; and (iii) third parties’ access to “large amounts of sensitive bank or customer data.”
On January 17, the OCC released a cease and desist order entered jointly by the OCC and the FDIC with two affiliated technology service providers that offer payment and other technology solutions for banks. Without describing the specific circumstances leading to the action, the order states that the regulators had reason to believe the service providers were operating without (i) an internal auditor or an integrated risk-focused audit program; (ii) a comprehensive due diligence program or formal policies to evaluate vendor risk; (iii) an enterprise-wide risk assessment; (iv) effective business continuity or disaster recovery planning; (v) procedures to identify software vulnerabilities; and (vi) an effective log review program to identify threats. The regulators did not assess a penalty, but will require the vendors to implement numerous risk management enhancements. Under the order, the technology service providers or their board must, among other things, (i) fill specific management positions; (ii) implement an audit program; (iii) conduct a security risk assessment; (iv) develop a vendor management program; (v) implement business continuity/disaster recovery plans; and (vi) submit quarterly progress reports to regulators and client banks.
Recently, the OCC released a formal agreement it entered with the FDIC, the Federal Reserve Bank of St. Louis, and a banking software company to resolve allegations of unsafe and unsound practices relating to the software company’s disaster recovery and business continuity planning and processes. The action reportedly resulted from the third-party service provider’s (TSP) delay in reestablishing full operations at a processing center in the wake of Hurricane Sandy. The agreement requires the TSP to continue to maintain a compliance committee, which must submit quarterly written reports to the TSP’s board. The agreement also details minimum requirements for (i) an enhanced disaster recovery and business continuity planning (DR/BCP) process; and (ii) a DR/BCP risk management program and audit process. The agreement also reaffirms the TSP board’s responsibility for proper and sound management of the TSP. The action demonstrates the OCC’s and other federal authorities’ continued focus on third-party service providers. While in this instance the regulators employed the Bank Services Company Act to directly address concerns about a TSP, recent Federal Reserve Board and OCC guidance also focuses on financial institutions’ responsibilities with regard to managing risks related to third parties’ disaster recovery and business continuity.