The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement warning financial institutions of the increasing frequency and severity of cyber attacks involving extortion, including ransomware, denial of service, and theft of sensitive customer information that is used to extort victims. In turn, financial institutions are advised to develop and implement effective programs to identify, protect, detect, respond to, and recover from these types of cyber attacks. Actions to be taken include conducting ongoing risk assessments, assuring the security of systems and services, protecting against unauthorized access, and a number of other specific measures. In addition, financial institutions that are victims of cyber extortion are advised to notify law enforcement agencies and their primary regulatory agencies, especially if sensitive customer information is accessed, and consider filing Suspicious Activity Reports.

While the joint statement specifically states that it does not purport to create any new regulatory expectations, in fact it recommends a series of specific measures that should be taken in cyber-extortion situations, and reminds financial institutions of their prudential and compliance obligations under current regulatory guidance. More generally, the joint statement underscores the financial agencies’ continuing – and perhaps increasing – concerns over cybersecurity and data breaches.

Financial institutions therefore should treat the joint statement as a regulatory directive on appropriate preventative and response strategies for cyber breaches involving extortion, as well as a reminder to make cybersecurity and data protection a top governance and operational priority that their regulators will regularly test during the examination and supervision process. The FFIEC statement contains links and references to existing guidance and resources from the FFIEC, FBI, and other agencies that, as a threshold matter, financial institutions should review and ensure have been incorporated into their compliance and risk management processes, as appropriate.

In a recent letter to the 18 members of the Financial and Banking Information Infrastructure Committee (FBIIC), Acting Superintendent of the New York Department of Financial Services (NYDFS) Anthony Albanese requested collaboration and regulatory convergence among the members on cybersecurity standards for financial institutions. FBIIC member organizations include the eight federal financial institution regulatory agencies, the US Department of the Treasury, two Federal Reserve Banks, the National Association of Insurance Commissioners, the Conference of State Bank Supervisors, and the Securities Investor Protection Corporation.

Acting Superintendent Albanese stressed the need for coordinated efforts with relevant state and federal agencies to develop a comprehensive cybersecurity framework, addressing the most critical issues while preserving flexibility to address NYDFS-specific concerns. In NYDFS’s view, potential regulations would require a financial institution to maintain a cybersecurity program covering 12 key areas:

  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and application development and quality assurance
  9. Physical security and environmental controls
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Incident response, including by setting clearly defined roles and decision-making authority

Anthony Albanese, the Acting Superintendent of the New York State Department of Financial Services (NYDFS), recently announced his resignation after slightly more than four months in the position. Albanese was appointed as Acting Superintendent in June after Superintendent Benjamin Lawsky’s resignation. Albanese is expected to remain in his current position until the end of the year.

Albanese’s resignation comes amid rumors of ongoing tension between Albanese and New York Governor Andrew Cuomo. Sources have reported that Governor Cuomo, in response to requests from the financial services industry, has asked that his office be allowed to review and comment on requests that NYDFS has sent to supervised institutions. Albanese has publicly denied that his resignation was prompted by any conflict, instead stating that his appointment was always intended to be temporary and that he was offered a new opportunity in the private sector.

In the last few years, the NYDFS has been an aggressive supervisory agency, initiating and participating in a number of high-profile enforcement actions, establishing the United States’ first “BitLicense” for virtual currency businesses, and pursuing enforcement actions and consent agreements with various third-party consultants to financial institutions. Both consumer groups (with the support of Senator Elizabeth Warren) and the financial services industry groups have reportedly weighed in with Governor Cuomo’s office over the last several months with indications of their preferred replacements. With less than two months until Albanese leaves office, these lobbying efforts are certain to increase.

The replacement for Albanese, yet to be announced, will signal the future direction of the NYDFS and whether it will continue its aggressive approach to financial services regulation and enforcement or choose to take a more moderate approach.

On October 15, 2015, the Consumer Financial Protection Bureau (CFPB) released the anticipated final rule amending Regulation C, 12 C.F.R. part 1003, which implements the Home Mortgage Disclosure Act (HMDA).

HMDA and Regulation C have long required covered lenders to collect and report certain data about mortgage applications, which the federal government uses to assess a covered institution’s fair lending risk. The new rule, which is intended to implement amendments made to HMDA by the Dodd-Frank Act, makes several important changes to Regulation C. These changes include:

  • dramatically broadening the data that covered institutions must collect (around 25 new data points are added and around a dozen existing data points are modified);
  • effectively expanding the scope of covered non-depository institutions and slightly narrowing the scope of covered depository institutions through implementation of loan-volume thresholds for triggering application of Regulation C; and
  • modifying the scope of covered products.

The long-awaited and somewhat delayed TILA-RESPA Integrated Disclosure Rule took effect on October 3. The new rule requires mortgage lenders to use a new, integrated disclosure form and comply with new rules regarding disclosures and timing of the same.

Because of industry pressures, the Integrated Disclosure Rule’s implementation was delayed by two months (the original effective date was August 1). Despite industry concerns regarding the ability to comply with the new rule and possible delays that the new rule would cause for mortgage closings after October 1, the Consumer Financial Protection Bureau (CFPB) declined requests to further delay the rule. In a letter to the industry, CFPB Director Richard Cordray stated that the CFPB recognizes the “substantial resources” that the mortgage industry has had to dedicate to the conversion to the new disclosures, and in initial examinations, CFPB examiners will look for “good-faith efforts” to comply with the rule. According to Director Cordray, examiners will consider a mortgage lender’s

  • implementation plan, including actions to update policies and procedures;
  • training of appropriate staff; and
  • handling of early technical problems and other implementation challenges.

On September 29, four senators and 39 representatives sent a letter to Consumer Financial Protection Bureau (CFPB) Director Richard Cordray expressing concern about the CFPB’s proposed rulemaking for prepaid accounts. (Read our LawFlash discussing the proposed rule.)

The letter specifically identifies four areas of concern:

  • The broad coverage of the proposed rule, which encompasses person-to-person transfers and other transactions where consumers might not necessarily expect protections similar to credit cards and other traditional financial products.
  • The requirement of multiple disclosures, and the lack of usefulness of the long-form disclosure.
  • The implementation deadline—requesting 24 months from the final rule’s publication date instead of the proposed nine-month implementation period.
  • The effect of the overdraft provisions and whether consumers would be better served by overdrafts that allow for “micro-credit” but are exempt from the requirements of Regulation Z.

The Board of Governors of the Federal Reserve System and the other federal agencies tasked with implementing the Volcker Rule recently released two additional frequently asked questions (FAQs). Both FAQs address compliance obligations with respect to particular exceptions to the Volcker Rule’s proprietary trading prohibition—market-making activity and prime brokerage transactions.

FAQ 17 addresses an aspect of the required compliance program for a trading desk that is engaged in market making–related activity. The FAQ states that a banking entity’s trading desk may rely on objective factors, a shared utility, or a third-party service provider to determine whether an issuer of a security is a covered fund, but such reliance must be incorporated into the banking entity’s written compliance program and be subject to independent testing and audit to ensure efficacy.

FAQ 18 addresses the timing of the annual CEO certification required in connection with permissible prime brokerage transactions. Generally, the first CEO certification (if applicable) should be submitted by March 31, 2016. For covered funds that were sponsored or owned by a banking entity prior to December 31, 2013 (“legacy covered funds”), the first CEO certification (if applicable) should be submitted by March 31 following the end of the relevant conformance period.

Read the new FAQs.

The Office of the Comptroller of the Currency’s (OCC’s) Committee on Bank Supervision has released its Fiscal Year 2016 priorities. Not surprisingly, the top supervision and examination priorities are

  • governance and oversight,
  • credit underwriting and risk, and
  • cybersecurity.

Other priorities include the Bank Secrecy Act/money laundering, operational risk, compliance, interest rate risk, and fair access. The OCC’s expectations under each of the priorities differ for large banks and midsize and community banks. The OCC continues to emphasize compliance with its guidance on third-party relationships. OCC examiners will also begin to use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool released in June 2015 to supplement their exam work. The Cybersecurity Assessment Tool has caused some concerns among smaller banks for potentially being too rigid.

These supervisory priorities are consistent with the top risks identified in the OCC’s Spring 2015 Semiannual Risk Perspective. All OCC-supervised institutions should be mindful of the 2016 priorities and be prepared for examiners to emphasize each of the categories during the next exam.

Read the OCC Fiscal Year 2016 Operating Plan.