FFIEC: Financial Institutions Need to Share Cyberthreat Information
Why it matters
Financial institutions of all sizes need to share cyberthreat information with each other, the Federal Financial Institutions Examination Council (FFIEC) urged, based upon an assessment of the cybersecurity preparedness of various community institutions. “Recent cyber attacks and widely reported pervasive vulnerabilities highlight the rapidly changing cyber risk landscape,” the FFIEC stated. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyber attacks on their systems.” The call to action included a statement from the FFIEC members (the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the State Liaison Committee) encouraging information sharing, as well as a report on general observations gleaned from the nationwide assessment.
The FFIEC’s latest statement reflects regulators’ continued and increasing focus on the importance of cybersecurity to risk mitigation, including communication and information sharing both within and among institutions.
Detailed discussion
Recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), the FFIEC released a statement on information sharing emphasizing that such forums are “an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents.”
Recent attacks have highlighted the “rapidly changing” cyberrisk landscape, the FFIEC said, and those institutions that participate in information sharing “have improved their ability to identify attack tactics and successfully mitigate cyber attacks on their systems” and have gained “deeper insight” into their specific vulnerabilities and how to enhance their controls.
To mitigate risk, the FFIEC said financial institutions are expected to “monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so that they may evaluate risk and respond accordingly.” Policies and procedures should be in place to evaluate risk specific to the institution, and the use of the FS-ISAC and other resources can enhance risk management.
In a separate document, the FFIEC released general observations based on cybersecurity assessments conducted during the summer of 2014 at more than 500 community institutions.
Risk varies significantly across financial institutions, the report noted, depending on the type, volume, and complexity of operational considerations, including connection types, products and services offered, and technologies used. For example, access points and connection types like wireless networks or BYOD (bring your own device) raise questions for banks – Do we need all these connections? How are we managing these connections in light of constantly changing cyberthreats? And how do all of the connections and technologies collectively affect the institution’s risk?
Each product and service introduces separate risks, as do different technologies like ATMs (presenting concerns about cash-out scams) and Internet services (which may be vulnerable to distributed denial-of-service (DDoS) attacks).
Cybersecurity preparedness is essential for financial institutions, the FFIEC said, including consideration of issues like the process for ensuring ongoing and routine discussions at the senior management and board level about cyberthreats and determining accountability for managing cyberrisk. In addition, “the outcome and benefits improve when training and awareness programs are kept current and are provided on a routine basis” for all employees, the report noted.
Again referencing collaboration, the report stressed that “[p]articipating in information sharing forums (e.g. FS-ISAC) is an important element of a financial institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents.” Keeping on top of media reports about potential cyber events and maintaining event logs also provide valuable threat intelligence.
Financial institutions can establish a range of cybersecurity controls from preventative to detective to corrective, the FFIEC said, and should include external dependency management considerations like third-party service providers or business partners. “Before executing a contract, it is important for management to consider the risks of each connection and evaluate the third party’s cybersecurity controls,” the report stated.
If a cyberattack occurs, financial institutions should have in place notification procedures (for customers, regulators, and law enforcement) and processes to provide documentation. Testing the plans “across business functions and with third parties will help financial institutions identify and manage gaps before cyber attacks occur,” the FFIEC wrote.
Digital Currency Corner
What FinCEN’s Denial of Payment Processing Exemption for Virtual Currency-Related Businesses Means for Traditional Payment Processors
Why it matters
The rapid evolution of virtual and digital currencies has spawned significant activity in several federal agencies, with potential implications for traditional entities in certain cases. In addition to reported actions by the Securities and Exchange Commission and a proposed regulation by The Bureau of Consumer Financial Protection (CFPB), two rulings issued by the Financial Crimes Enforcement Network (FinCEN) as part of its effort to provide greater clarity to digital and virtual currency-related companies may also portend a tightening of a money services business (MSB) exemption frequently relied on by traditional payment processors.
In the two most recent rulings by FinCEN, agency staff refused to provide relief to two companies that had argued they were not money transmitters and thus did not fall under the Bank Secrecy Act’s (BSA) definition of a “money service business.” FinCEN staff noted that, as a result, both will be subject to the full range of reporting, recordkeeping and other obligations imposed by the BSA on MSBs.
Most startling to the Bitcoin community was the conclusion of FinCEN staff that an exchanger was an MSB regardless of whether it acted as a broker (i.e., “attempting to match two (mostly) simultaneous and offsetting transactions involving the acceptance of one type of currency and the transmission of another”) or as a dealer (i.e., “transacting from its own reserve in either convertible virtual currency or real currency”). While FinCEN has not yet determined that crypto-to-crypto currency exchanges are money transmission activities, these orders may be a step in that direction.
One company sought to provide virtual currency payments to merchants in both the United States and Latin America who wish to receive customer payments in Bitcoin; the other proposed to match offers to buy and sell legal or “real” currency for virtual currency. In each case, the company argued that it was a payment processor that was exempt from the definition of money transmitter. FinCEN determined that neither qualified for the exemption because neither processed payments between two regulated financial institutions and that each was required to register as an MSB and comply with the BSA’s recordkeeping, reporting and Anti-Money Laundering (AML) compliance program requirements.
Detailed discussion
The company that planned to set up a platform consisting of a trading system to match offers to buy and sell convertible virtual currency for currency of “legal tender” as well as a set of book accounts where prospective buyers or sellers of one type of currency could deposit funds to cover their exchanges said it would maintain separate accounts in U.S. dollars as well as a virtual wallet from which customers could make either USD or virtual currency deposits to fund their exchanges. In both cases, the accounts and the wallet would be segregated and protected from potential seizure by the company’s creditors.
Analogizing the business to a securities or commodities exchange, the company argued that it should not be considered a money transmitter because no money transmission occurred between the company and any counterparty. Alternatively, it argued that the money transmission would be integral to the company’s business or otherwise eligible for the payment processor exemption. And, finally, it argued that it should be characterized as a “user” rather than “exchanger” or “administrator” of virtual currency pursuant to FinCEN’s 2013 guidance determining the former was not an MSB.
FinCEN staff rejected all three arguments. The business clearly includes money transmission even though transactions occur subject to the condition of finding a match, Jamal El-Hindi, Associate Director of the Policy Division at FinCEN, wrote in FIN-2014-R011. “The regulatory definition of money transmission does not contain any element of conditionality before it applies,” he said. “A person that accepts currency, funds, or any value that substitutes for currency, with the intent and/or effect of transmitting currency, funds, or any value that substitutes for currency to another person or location if a certain predetermined condition established by the transmitter is met, is a money transmitter under FinCEN’s regulations.” According to the letter, two money transmission transactions occur in this model: one between the company and the customer selling the virtual currency, and one between the company and the customer buying the virtual currency.
El-Hindi also rejected the claim that the money transmissions were integral to the transaction and similarly that the transmissions qualified for the payment processor exemption. He concluded that the payment service met the definition of a money transmission because the company “is facilitating the transfer of value, both real and virtual, between third parties. Such money transmission is the sole purpose of the company’s system, and is not a necessary part of another, non-money transmission service being provided by the company.”
As to the payment processor exemption, he said the company failed to meet two of its requirements. First, the company is not receiving payment as a seller or creditor from a buyer or debtor for the provision of a non-money transmission-related good or service; exchanging virtual for real currency, or vice versa, is not a non-money transmission-related service. Second, by making payments of convertible virtual currency directly to and from customers, the company is not operating through a clearing and settlement service that admits only BSA-regulated financial institutions as members.
Further, the letter states the company could not be considered a “user” of virtual currency pursuant to FinCEN’s 2013 guidance because it intended to accept convertible virtual currency from one person and transmit it to another person as part of the acceptance and transfer of currency, funds, or other value that substitutes for currency. It said, “Whether a person is deemed to be an MSB depends on how that person uses the convertible virtual currency, and for whose benefit.”
In the second ruling, FIN-2014-R012, El-Hindi reached a similar conclusion with regard to a business that intended to provide virtual currency-based payments to Latin American hotels. Customers would pay for their purchase using a credit card, which would be transferred to the company. The company would then transfer the equivalent in Bitcoin to the merchant.
Although the company would purchase and store Bitcoin to use for payments to the merchant, the “fact that the company uses its cache of Bitcoin to pay the merchant is not relevant,” according to the ruling. Because the company plans to accept and convert the customer’s real currency into virtual currency for transmission to the merchant, it was an exchanger pursuant to FinCEN’s guidance and therefore a money transmitter.
As with the first company, the payment processor exemption did not apply because the company did not plan to operate through clearing and settlement systems that admit only BSA-regulated financial institutions, El-Hindi wrote.
SEC Strikes Out After Bitcoin Companies
Sending shivers through the Bitcoin community, the Securities and Exchange Commission (SEC) reportedly has sent the first of many letters expected to be sent to crypto currency-related companies asking them informally to submit information to assist the SEC in determining whether violations of federal securities laws have occurred.
Redacted letters available on the Internet do not specify the nature of the violations at issue (widely expected to include the public sale of unregistered securities via crowdfunding and Ponzi schemes). However, they request that the companies produce a significant amount of information. While companies receiving such letters are not required by law to respond, a failure to cooperate may be viewed unfavorably if the SEC determines a violation has occurred. Producing the requested documents may prove costly for those receiving a letter even if it is ultimately determined that no violation occurred.
Plaintiff’s Attorney Attacks Bitcoin-Related Companies
A crypto currency exchange customer has sued a Florida company providing crypto-to-crypto exchange, alleging, among other things, that his crypto currency holdings were stolen as a result of a weakness in the exchange platform’s data security protocol. The company has denied the allegations, asserting instead that the customer failed to take appropriate precautions to protect his crypto currency. This lawsuit appears to signal an increased focus by the plaintiff’s bar on companies in the crypto currency industry, putting pressure on a fledgling industry to address data security, consumer disclosures, and other practices that could expose them to costly allegations of unfair, deceptive, or abusive acts and practices, fraud, and other claims favored in actions brought by the plaintiff’s bar.
CFPB Has Virtual Currencies in Its Sights With Prepaid Access Proposal
The Bureau of Consumer Financial Protection (CFPB) has released its long-awaited proposal to extend Regulation E and Regulation Z protections to prepaid access. In the 870-page release, one paragraph discusses virtual currency. Noting that the CFPB began accepting complaints on virtual currency in August 2014, the proposal says: “The Bureau also recognizes that the proposed rule may have potential application to virtual currency and related products and services. As a general matter, however, the Bureau’s analysis of mobile financial products and services, as well as virtual currencies and related products and services, including the applicability of existing regulations and this proposed regulation to such products and services, is ongoing. The proposed rule does not specifically resolve these issues.”
OCC Updates Process, Policy on “Matters Requiring Attention”
Why it matters
To encourage communication of problems and prompt correction, the Office of the Comptroller of the Currency (OCC) updated its policy on “Matters Requiring Attention,” or MRAs, in a newly released bulletin. The changes are intended to ensure that a uniform standard exists to inform banks when examiners discover problems, and that banks in turn fix the problems more quickly. In addition to establishing standardized language for reporting an issue to bank management and boards, with a clear categorization of the issue (such as new, repeat, or escalated), the OCC set additional expectations for executives. “Successful supervision relies upon clear communication of supervisory expectation,” Comptroller Thomas J. Curry said in a statement about the policy changes. “Clarifying how we use MRAs helps ensure that our concerns are addressed, that deficient practices are corrected early, and that we can track concerns more effectively.”
Detailed discussion
MRAs “communicate specific supervisory concerns identified during examinations in writing to boards and management teams of regulated institutions,” the agency explained in OCC Bulletin 2014-52, and require timely and effective corrective action by bank management, as well as follow-up by OCC examiners.
To improve the process, the bulletin standardized MRA terminology, format, follow-up, analysis, and reporting across the agency. By providing consistent reports from examiners, boards and management can respond to problems in a more efficient manner, the OCC said.
Going forward, examiners will use the Five Cs format (concern, cause, consequence, corrective action, and commitment) in tracking a problem. The concern, or deficient banking practice, will be identified with a description of how it deviates from sound governance or risk management principles, together with a determination of the cause when it is evident.
The consequence – what could happen to the bank if the concern continues, like violations of the law or enforcement actions – is followed by the corrective action, which describes what the board and management must do to address the concern and eliminate the cause. Finally, a commitment will be reached with regard to the bank’s action plan, with specific milestones, a completion date, and staff accountable for the implementation.
Not until the bank implements and the OCC verifies and validates the effectiveness of the corrective action can the concern be “closed.” “Open” concerns may be categorized in one of six ways: new, repeat (from the prior five-year period), self-identified (an “important consideration” when the OCC considers the bank’s risk management system, the agency noted), past due, pending validation, or escalated (with milestones not met or inadequate attention devoted to correcting the deficiency).
The OCC also established additional expectations for boards, including holding management accountable for the deficient practices, directing management to develop and implement corrective actions, approving the necessary changes to the bank’s policies, processes, procedures, and controls, and establishing processes to monitor progress and verify and validate the effectiveness of management’s corrective actions.
“Timely and effective” communication between bank management, boards, and examiners is also encouraged by the bulletin, with a promise from the OCC that examiners will provide draft concerns to help with factual accuracy, conduct quarterly follow-ups on concerns, provide a response to bank communications within 30 days of receipt, and provide information and recommendations to boards and management apart from the MRA process.
The changes grew out of an international peer review of the OCC’s supervisory efforts last year, which recommended that the agency develop controls towards a “consistent resolution of identified deficiencies by the institutions,” as well as “controls to better manage the MRA follow-up process.”
The new policy applies to examination of all national banks, federal savings associations, and federal branches and agencies, regardless of size.
CFPB’s Supervisory Highlights Document Mortgage, Student Loan Violations
Why it matters
In the latest edition of The Bureau of Consumer Financial Protection (CFPB) Supervisory Highlights, the Bureau reported continuing violations in several markets. The Fall 2014 report, which covers supervisory work performed between March and June of this year, focused on two primary areas: student loan servicing and mortgage servicing. While the report doesn’t name names or provide exact numbers of violations, Bureau examiners found at least one instance of a loan modification violation, and one or more mortgage servicers lacked the required policies and procedures for oversight of service providers. Student loan servicers were found to have charged illegal late fees, misrepresented minimum payments, allocated payments in a way that maximized late fees, and made illegal debt collection calls to consumers at inconvenient times. Other areas of examination also raised concerns for the CFPB, including debt collection, electronic fund transfers, and consumer reporting.
Detailed discussion
The sixth edition of the Bureau’s Supervisory Highlights focused primarily on student loan and mortgage servicing, but documented violations in other areas as well.
- Student loan servicing. Examiners found that at least one servicer allocated a borrower’s payments proportionally to each of the multiple loans in a combined account. When the borrower made a payment less than the total amount due, the effect was late fees charged to each of the loans, a practice the CFPB said was unfair under the Dodd-Frank Act. In addition, one or more servicers inflated the minimum payment due to include amounts in deferment and not actually due (a deceptive practice, the Bureau said), charged illegal late fees during the grace period, and failed to provide accurate tax information for borrowers seeking to obtain a student loan interest payment deduction. The CFPB found that some servicers implied to borrowers that student loans are never dischargeable in bankruptcy (a deceptive communication because a borrower may assert undue hardship for a discharge) and one or more servicers “routinely” made debt collection calls to delinquent borrowers early in the morning or late at night.
- Mortgage servicing. Three issues were highlighted by the Bureau in the mortgage servicing ecosystem. Despite new rules that took effect in January 2014 and two subsequent supervisory bulletins, examiners found servicers that failed to have policies and procedures in place to oversee service providers. At least one servicer delayed the conversion from a trial loan modification to a permanent loan modification. And at least one servicer deceived consumers about the status of a permanent loan modification, the Bureau said, by failing to execute an agreement signed by the borrowers and later sending new agreements with materially different terms.
- Debt collectors. Examiners discovered that at least one debt collector imposed convenience fees on consumers in a state where such fees were prohibited by law or the law was silent on the legality of such fees and the agreement did not expressly authorize them. The Bureau also reported that “in at least one examination” a debt collector “routinely” threatened consumers with litigation that it did not intend to pursue and only initiated litigation on a “small fraction” of the accounts it collected.
- Electronic fund transfers. Several Regulation E requirements were cited in the CFPB’s report, from error resolution failures after receiving oral notice of an error from a consumer to a violation of the limit on consumer liability for unauthorized transfers, where a company denied the claim of a consumer who said his PIN was compromised. One or more financial institutions did not include a statement about the consumer’s right to obtain documentation relied on by the institution investigating an error in the standard error resolution notice, the Bureau said.
- Consumer reporting. Failure to comply with the Fair Credit Reporting Act (FCRA) by “one or more” consumer reporting agencies was found by the CFPB, specifically the statute’s mandate that certain information be provided to consumers in the reinvestigation notice. At least one consumer reporting agency did not address complaints received directly from consumers, according to the report, while a specialty consumer reporting agency provided inconsistent information to consumers about making telephone disputes and maintained what the Bureau characterized as a “weak” consumer complaint program.