This post originally appeared in our sister publication, Subject To Inquiry.

On May 21, the North American Securities Administrators Association (NASAA) announced a massive and coordinated series of enforcement actions by U.S. state and Canadian provincial regulators to combat fraudulent practices involving cryptocurrency-related investment products.

As cryptocurrencies have gained in popularity, companies have increasingly turned to a method known as an initial coin offering (ICO) to raise capital. ICOs, however, are ripe for potential fraud. As the Washington Post has explained, “consumers face higher risks of being misled at a time when the intense demand for bitcoin has prompted many retail investors to take extreme steps to gain exposure to the currency…”

Continue Reading State Regulators Announce Cryptocurrency Crackdown

The 2018 Regular Session of the Virginia General Assembly recently concluded after considering approximately 3700 bills and resolutions during the 60-day session. Several privacy-related bills were on the legislative agenda, but few were enacted into law.

Tax Return Data

As highlighted in January, the General Assembly this year continued its efforts to address the growing problem of criminals filing fraudulent tax returns using stolen identities of unsuspecting taxpayers. Last year, Virginia adopted legislation that requires employers and payroll service providers to provide breach notification to the Attorney General of Virginia when those entities experience an unauthorized access or acquisition of unredacted and unencrypted data containing a taxpayer’s identification number and certain payroll information. Virginia Code Ann. § 18.2-186.6(M).

This year, Virginia enacted legislation aimed at imposing certain obligations on state tax return preparers. Tax return preparers are not required to comply with Virginia’s data breach notification statute. However, effective July 1, 2018, Virginia tax return preparers are required to notify the Virginia Department of Taxation:

“without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted return information that compromises the confidentiality of such information maintained by such signing income tax return preparer and that creates a reasonable belief that an [unprotected] version of such information was accessed and acquired by an unauthorized person and that causes, or such preparer reasonably believes has caused or will cause, identity theft or other fraud.” Acts of Assembly, Chapter 283

Additionally, if a breach occurs, the state tax return preparer is required to provide the Department information concerning the taxpayers whose information was accessed or obtained by unauthorized persons and certain information about the preparer.  It is estimated that the enactment of this legislation will save Virginia approximately $300,000 by avoiding the issuance of unrecoverable fraudulent refunds.

Other Privacy-Related Legislation

Additional bills related to privacy include (partial listing):

  • PASSED: Clarifying that certain student directory information held by institutions of higher education may only be released in limited circumstances in response to Freedom of Information Act requests. HB1
  • PASSED: Reduction in the amount a credit reporting agency may charge a consumer to place a security freeze on his credit report from $10 to $5. HB1027; SB16
  • DEFEATED: Eliminating the ability of a credit reporting agency to charge a consumer a fee to place a security freeze on the consumer’s credit report. HB6; HB86; HB1232; SB18; SB22; (partial listing)
  • DEFEATED: Prohibiting companies providing broadband internet access services in the Commonwealth from blocking, throttling, engaging in paid prioritization, or interfering with or unreasonably disadvantaging a user’s ability to access broadband internet access. The bill also would have limited a broadband service provider’s disclosure of personally identifiable information about consumers to circumstances involving certain court orders or subpoenas, or to authorized law-enforcement activities. SB948
  • DEFEATED: Limiting state contracts for internet access services to those service providers that agree to protect certain personally identifiable information and adhere to certain internet neutrality provisions. The bill proposed to prohibit internet access service providers that provide such service to a public body from blocking, throttling or providing preference to entities that pay for the optimization of data transfer rates. Additionally, the bill proposed to prohibit such service providers from knowingly disclosing personally identifiable information about users unless such disclosure is pursuant to certain court orders or subpoenas, or for authorized law-enforcement activities. SB949
  • DEFEATED: Requiring consumer reporting agencies to disclose within 15 days a breach of the security of a computerized data system, when such disclosure is required by Virginia’s data breach notification statute, § 18.2-186.6. The bill would have made a failure to report a violation of the Virginia Consumer Protection Act. HB1588
  • DEFEATED: Prohibiting state agency employment applications, under certain circumstances, from inquiring whether a prospective employee has been arrested for, charged with, or convicted of any crime (a.k.a. “ban-the-box”). SB252; HB1357
  • DEFEATED: Prohibiting a prospective employer (i) from requiring a prospective employee to disclose his wage or salary history or (ii) attempting to obtain such information from the person’s current or previous employers. HB240
  • DEFEATED: Allowing the use of drones by law-enforcement without obtaining a warrant under certain circumstances. HB1290
  • DEFEATED: Prohibiting a provider of electronic communication or remote computing service from disclosing location data to an investigative or law-enforcement officer except pursuant to a search warrant. HB604
  • DEFEATED: Directing a legislative commission to study how local governments report data breaches, identify ways to promote efficient and timely reporting of such breaches by local governments and to develop best practices to assist localities with cyber security. HJ39

Virginia’s approach on privacy issues this past session reflects its approach on most issues – a measured response to actual problems. This approach is in contrast to some states enacting policies in anticipation of future issues or without a solid indication of potential harm to consumers. In the case of the security freeze legislation, the enacted bill was a response to a significant data breach last year involving one of the big three credit reporting agencies. With regard to protecting certain student directory information, the General Assembly acted in response to the perceived misuse of such information by political campaigns. Finally, the legislature continued its efforts to address the continuing problem of tax fraud by attempting to cut off avenues for would-be identity thieves to file false state income tax returns.

The one-year transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expired on March 1, 2018. Financial services companies that are regulated by NYDFS now face additional requirements for assessing, monitoring, testing and reporting on the integrity and security of their information systems and the overall effectiveness of their cybersecurity programs.

Overview of New York Cybersecurity Regulations

The NYDFS cybersecurity regulations became effective on March 1, 2017, and the initial 180-day transitional period expired on August 28, 2017. The regulations that took effect last year require all covered entities to implement a cybersecurity program that identifies and protects against cybersecurity risks and adopt comprehensive policies and procedures for the protection of the company’s information systems and nonpublic information. The cybersecurity regulations apply to any organization operating under or required to operate under a NYDFS license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law. Click here for more information about the requirements of the regulations that took effect last year.

Additional Actions Required to Achieve Compliance

On March 1, 2018, additional requirements under the cybersecurity regulations took effect. In addition to the requirements that took effect last year, covered entities that are subject to the cybersecurity regulations must implement the following additional cybersecurity measures:

Continue Reading New York Cybersecurity Regulations: Additional Testing and Reporting Requirements Take Effect

The Financial Industry Regulatory Authority (FINRA) is ramping up its commitment to assist the industry in its cybersecurity compliance efforts. Recent guidance to the industry from FINRA includes:

  1. an Examination Findings Report, detailing observations from recent broker-dealer examinations with the goal of assisting broker-dealers in enhancing their compliance programs and better anticipating potential areas of concern (FINRA included compliance areas to highlight based on the frequency of deficiencies and the potential impact on investors and markets); and
  2. the 2018 Regulatory and Examination Priorities, in which, notably, FINRA instructed firms to review the priorities in conjunction with the Examination Findings Report.

FINRA called out cybersecurity, in its Examination Findings Report, as one of the “principal operational risks facing broker-dealers.” While acknowledging the increased threats today, FINRA noted that firms have generally increased their focus on cybersecurity issues and some firms examined are at the forefront of developing “cutting-edge cybersecurity programs.”

FINRA detailed the areas in which its examiners found firms’ cybersecurity programs to be either effective or deficient. Reviewing both the positives and the negatives provides valuable information for firms looking to shore up their cybersecurity programs.

Examples of Effective Practices Include:

  • Escalation Protocols: Have an escalation process that ensures the appropriate level of management at the firm is apprised of issues, so that they receive attention and are resolved.
  • Plans to Resolve Issues: Implement detailed resolution steps and time frames for completion.
  • Routine Risk Assessments: Conduct regular risk assessments, including vulnerability and penetration tests.
  • Routine Training: Conduct training for firm employees, including training tailored to different functions, in addition to generic cross-firm training.
  • Branch Office Reviews: Include cybersecurity focused branch exams to assess risks and identify issues.
  • Additional Practices: Implement security information and event management practices, use system usage analytics, and adopt data loss prevention tools.

Examples of Deficient Practices Include:

  • Failure to Follow Access Management Steps:
    • Not immediately terminating access of departing employees.
    • Failing to have processes to monitor or supervise “privileged users” to identify unusual activity (e.g., assigning extra access rights, unauthorized work outside business hours, or logging in from different geographical locations at or about the same time).
  • Infrequent or No Risk Assessments:
    • No formal risk assessment practices.
    • Unable to identify critical assets or potential risks.
  • Informal Processes for or Lack of Vendor Management:
    • Failed to have formal processes to assess vendors’ cybersecurity preparedness.
    • Failed to include required notification of breaches involving customer information in vendor contracts.
  • Noncompliant Branch Offices:
    • Failed to manage passwords.
    • Failed to implement security patches and software updates.
    • Failed to update anti-virus software.
    • Lacked control of employee use of removable storage devices.
    • Use of unencrypted data and devices.
    • Failed to report incidents.
  • Segregation of Duties:
    • Failed to segregate duties for requesting, implementing, and approving cybersecurity rules and systems changes.
  • Data Loss Prevention:
    • Lack of rules to ensure all customer sensitive information is covered.
    • Permitted or failed to block large file transfers to outside or untrusted recipients.
    • Failed to implement formal change-management processes for data loss prevention systems changes.
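The privileged-user item in the list above (extra access rights being assigned, activity outside business hours, and logins from different geographic locations at about the same time) is effectively a small detection rule set, and the “Additional Practices” FINRA praised (SIEM, usage analytics) are where such rules would normally run. The following is an added example, written for this page and not code from FINRA or from any examined firm, that applies those three rules to a handful of constructed audit-log lines. The log format, the privileged account list, the 08:00–17:59 business-hours window and the one-hour “same person in two countries” window are all assumptions chosen for the illustration; a real deployment would take these from the firm’s identity system and SIEM rather than from constants.

```python
"""Privileged-user activity review over constructed audit-log lines.

Added example for this page (not FINRA's or any firm's code). Flags the three
patterns FINRA's exam findings cite: privilege grants (including self-grants),
activity outside business hours, and logins for one account from two
countries within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data). Assumed format:
# <ISO-8601 timestamp> <user> <event> <country code> [key=value ...]
SAMPLE_LOG = """\
2018-03-05T09:02:11 alice login US
2018-03-05T09:05:40 alice grant_role US target=bob role=admin
2018-03-05T09:10:03 alice login DE
2018-03-05T10:15:00 bob login US
2018-03-05T22:47:19 carol login US
2018-03-06T03:30:00 bob grant_role US target=bob role=dba
"""

PRIVILEGED_USERS = {"alice", "bob"}   # assumed: accounts holding admin rights
BUSINESS_HOURS = range(8, 18)         # assumed: 08:00-17:59 in the log's local time
GEO_WINDOW = timedelta(hours=1)       # assumed: two countries inside 1h is implausible


def parse_log(text):
    """Parse whitespace-delimited audit lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        ts, user, event, country = fields[:4]
        detail = dict(kv.split("=", 1) for kv in fields[4:])
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "country": country, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def _finding(kind, e, note=""):
    """Build one finding record; default note is the event's key=value detail."""
    return {"kind": kind, "user": e["user"], "ts": e["ts"].isoformat(),
            "event": e["event"],
            "note": note or " ".join(f"{k}={v}" for k, v in e["detail"].items())}


def review(events, privileged=PRIVILEGED_USERS):
    """Return findings for privileged-user activity matching any of the three rules."""
    findings = []
    logins_seen = defaultdict(list)   # user -> login events already processed
    for e in events:
        if e["user"] not in privileged:
            continue                  # only privileged accounts are in scope here
        # Rule 1: any privileged activity outside business hours.
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(_finding("off_hours_activity", e))
        # Rule 2: access-right grants, with a self-grant called out separately.
        if e["event"] == "grant_role":
            kind = "self_grant" if e["detail"].get("target") == e["user"] else "privilege_grant"
            findings.append(_finding(kind, e))
        # Rule 3: same account logging in from two countries within GEO_WINDOW.
        elif e["event"] == "login":
            for prior in logins_seen[e["user"]]:
                if prior["country"] != e["country"] and e["ts"] - prior["ts"] <= GEO_WINDOW:
                    findings.append(_finding(
                        "concurrent_geo_login", e,
                        f"prior login from {prior['country']} at {prior['ts'].isoformat()}"))
                    break
            logins_seen[e["user"]].append(e)
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['user']:<6} {f['kind']:<22} {f['event']} {f['note']}")
```

On the sample lines this yields four findings: alice granting admin to bob, alice logging in from DE eight minutes after a US login, bob’s 03:30 activity, and bob granting himself a role; carol’s late-night login is not reported because she is outside the privileged set, which is the scoping choice FINRA’s wording implies and which a firm may well widen. The geographic rule deliberately compares only logins of the same account, so legitimate travel that takes longer than the window is not flagged.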

FINRA’s 2018 Regulatory and Examination Priorities Letter also includes cybersecurity as a priority area. In addition to the areas noted above, which FINRA also calls out in the Priorities Letter, FINRA noted two additional themes. First, it will evaluate the effectiveness of firms’ cybersecurity programs in protecting sensitive information. Second, FINRA reminds firms that they need policies and procedures to determine when a Suspicious Activity Report should be filed regarding a cybersecurity event. (See FinCEN’s Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, Oct. 25, 2016.)

Conclusion

FINRA reminds firms that, while exam deficiencies must be addressed, firms often benefit from “proactively” remediating issues before the exam is completed. Acting proactively strengthens firms’ programs and enhances regulatory protections. Our observation, as outside counsel, is that when firms take proactive steps to get ahead of issues, it demonstrates to the regulators that the firm has a commitment to a strong compliance program and, in the right circumstances, may have a material impact on how FINRA decides to resolve an issue.

The information FINRA provides in the Examination Findings Report and the Priorities Letter provides a roadmap to enhancing overall compliance, supervisory, and risk management programs. With regard to the focus on cybersecurity, by using this resource firms can effectively prepare for examinations, close program gaps before examiners find them, and potentially avoid cybersecurity incidents.

On October 18, 2017, the European Commission issued its report on the first annual review of the EU-U.S. Privacy Shield, aimed at allowing personal data transfer from the EU to the U.S. through the implementation of a data protection framework providing an adequate level of protection in the U.S. Over 2,400 companies have now been certified under the Privacy Shield framework by the U.S. Department of Commerce.

From the European Commission’s perspective, the Privacy Shield continues to ensure an adequate level of protection, including new redress possibilities for individuals, enforcement procedures, and cooperation with the European data protection authorities. However, as “[t]he Privacy Shield is not a document lying in a drawer” but “a living arrangement that both the EU and U.S. must actively monitor”, the Commission made some recommendations to improve the current framework:

“More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce.

More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.

Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.

Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).

To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).”

Is this review a sufficient guarantee for U.S. businesses to continue to rely on their Privacy Shield certification with absolute trust? That remains to be seen. Indeed, the Commission negotiated the Privacy Shield agreement to reconcile the data exchange economy with the standard that must be reached in order to comply with the requirements imposed by the EU Court of Justice (CJEU). The Commission was expected to advocate for the ongoing validity of the compromise. However, a number of authorities and data protection defenders are of the opposite opinion.

The European Data Protection Supervisor, one of the strongest official voices on data protection in the EU, already had some concerns about its validity (Opinion n° 4/2016 of May 30, 2016). So did the Article 29 Working Party, which gathers all the national data protection authorities at the EU level (Opinion n° 1/2016 of April 13, 2016). These two authorities will soon issue their own reports on this first annual review. Furthermore, these reports could have some impact on the outcome of the two actions currently pending before the CJEU, which aim at invalidating the Privacy Shield’s adequacy decision on the following grounds:

  • The possibility for U.S. agencies to legally access, on a generalized basis, the content of electronic communications;
  • The absence of complete transposition of the rights of access, rectification, objection and erasure that the EU regulations grant to data subjects; and
  • The absence of a fully independent U.S. data protection authority, with complete effective and binding redress power.

U.S. entities certified with the Privacy Shield should closely monitor the development of those cases since, in the end, the CJEU will have the final say. It would also be prudent for them to take advantage of the opportunity to implement additional safeguards by using other data transfer mechanisms, such as Binding Corporate Rules, Certification (when available), adherence to approved Codes of Conduct or Standard Contractual Clauses.

For more information on the future of the Privacy Shield, please refer to the following Password Protected blog posts:

The Validity of EU-U.S. Personal Data Export Tools: A Pending Issue

Is the Privacy Shield Viable? Article 29 Working Party Proposes to Wait for Its Final Verdict

Criticisms over the Draft Adequacy Decision by the European Data Protection Supervisor: Final Lap for the Privacy Shield?

WP 29 Expresses Concerns About EU-U.S. Privacy Shield

EU-U.S. Privacy Shield: Better or Worse?


On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) issued a set of Consumer Protection Principles regarding the sharing and aggregation of consumers’ financial data. The timing of the announcement in light of last month’s disclosure of the Equifax breach of approximately 140 million consumers’ financial data seems noteworthy, as all companies whose businesses rely on the consumer-authorized financial data market are scrambling to regain consumer trust.

Noting the “growing market” for consumer-authorized financial data aggregation services, the CFPB has promulgated nine principles which, in the words of CFPB Director Richard Cordray “express [the Bureau’s] vision for realizing an innovative market that gives consumers protection and value.” (See CFPB press release).

Many of the principles themselves will be familiar to anyone who has paid attention to consumer privacy discourse over the last 30+ years. They are in many ways a restatement of the OECD Guidelines, published in 1980 by the Organisation for Economic Co-operation and Development, but with a few useful additions. The “new” CFPB principles include time-tested privacy principles of:

  1. informed consent & control over data sharing;
  2. notice and transparency regarding the third parties’ access to and use of consumer data;
  3. data quality & accuracy and the right of consumers to dispute inaccuracies;
  4. an expectation of security and safeguards to protect consumer data;
  5. a right of access by consumers to their own data; and
  6. accountability to the consumer for complying with the foregoing principles.

In addition, however, the CFPB principles contain some fairly specific guidance that is particularly useful in the context of financial data and may have a significant impact on the way financial data is gathered, marketed and retained. For example, the CFPB Principles contain a specific principle (#4) regarding payment authorization:

  • Authorizing Payments. Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.

The above principle is one of several that illustrate the CFPB’s disapproval of broad, open-ended consents from consumers, favoring instead tailored, purpose-specific access. Principle #2 (Data Scope and Usability) is another example of this theme. It reads in part, “Third parties with authorized access only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.”

It remains to be seen how these principles might be applied to data collectors like credit bureaus, which typically hold consumer data for as long as a consumer’s lifetime in many cases. The CFPB’s press release emphasized that the principles are not intended to supersede or interpret any existing consumer protection statutes or regulations and that they are not binding. Still, they do provide a window into the CFPB’s mindset and the likely trend for future regulation.

The 180-day transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies is set to expire Aug. 28, 2017. Financial services companies must achieve compliance with the cybersecurity regulations prior to this deadline or face substantial monetary penalties and reputational harm.

Cybersecurity Regulation Overview

The cybersecurity regulations became effective March 1, 2017. In its official introduction to the regulations (23 NYCRR 500), NYDFS observed that the financial services industry has become a significant target of cybersecurity threats and that cybercriminals can cause large financial losses for both financial institutions and their customers whose private information may be stolen for illicit purposes. Given the seriousness of this risk, NYDFS determined that certain regulatory minimum standards were warranted but avoided being overly prescriptive, to allow cybersecurity programs to match the relevant risks and keep pace with technological advances.

The cybersecurity regulations require each financial services company regulated by NYDFS to assess its specific risk profile and design a program that addresses its risks in a robust fashion. The required risk assessment, however, is not intended to permit a cost-benefit analysis of acceptable losses where an institution faces cybersecurity risks. Senior management must be responsible for an organization’s cybersecurity program and file an annual certification confirming compliance with the regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

NYDFS has issued a clear warning of its intent to pursue strong enforcement of the Cybersecurity Regulations:  “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.  The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.  Adoption of the program outlined in these regulations is a priority for New York State.”

To learn more about who is affected, required actions to comply, possible penalties and upcoming deadlines, click here.

On October 19, 2016, the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (together, the “Prudential Regulators”) published an advance notice of proposed rulemaking (ANPR) that would require banks with more than $50 billion in assets to take additional steps to protect against cyber-attacks.  Comments to the ANPR are due January 17, 2017.

The ANPR explains that Prudential Regulators have existing programs that contain supervisory expectations for cybersecurity practices at financial institutions and third-party service providers, such as existing FFIEC standards (please see our recent FFIEC alerts available here and here).  The proposed ANPR standards would be integrated into these existing supervisory frameworks.

The ANPR addresses five categories of cyber standards: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Significant proposals within each category include the following:

  1. Cyber risk governance – The board of directors of a covered entity would be required to hold senior management accountable for implementing the entity’s cyber risk management framework. The ANPR proposes requiring the board to have adequate expertise in cybersecurity or to maintain access to resources or staff with such expertise. The ANPR also considers requiring senior leaders with responsibility for cybersecurity to be independent of business line management.
  2. Cyber risk management – The ANPR would require covered entities, to the greatest extent possible, to integrate cyber risk management into the responsibilities of at least three independent functions with appropriate checks and balances.  Units responsible for the day-to-day business functions would need to assess, on an ongoing basis, the cyber risks associated with the activities of the unit, and to ensure that information regarding those risks is shared with senior management, as appropriate, in a timely manner.  The ANPR proposes explicitly requiring the audit function of a covered entity to assess whether the cyber risk management framework complies with applicable regulations and is appropriate for the firm’s size, complexity, interconnectedness, and risk profile.
  3. Internal dependency management – The ANPR would require covered entities to maintain an inventory of all business assets on an enterprise-wide basis, prioritized according to the assets’ criticality to the business functions they support, the firm’s mission and the financial sector.  Covered entities would need to track connections among assets and risk levels throughout the life cycles of the assets.
  4. External dependency management – The ANPR proposes requiring covered entities to have a current, accurate, and complete awareness of, and prioritize, all external dependencies and trusted connections on an enterprise-wide basis, based on their criticality to the business functions they support, the entity’s mission, and the financial sector. Covered entities would be expected to generate and maintain a current, accurate, and complete listing of all external dependencies and business functions, including mappings to supported assets and business functions.
  5. Incident response, cyber resilience, and situational awareness – Covered entities would be required to be capable of operating critical business functions in the face of cyber-attacks and to continuously enhance their cyber resilience. This includes establishing processes designed to maintain effective situational awareness capabilities to reliably predict, analyze, and respond to changes in the operating environment.  In addition, the ANPR proposes that covered entities establish and maintain enterprise-wide cyber resilience and incident response programs, with escalation protocols, based on their enterprise-wide cyber risk management strategies and supported by appropriate policies, procedures, governance, staffing, and independent review. These programs would be required to include processes to incorporate lessons learned into the programs.

The Prudential Regulators are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector (“sector-critical systems”).  Particularly, the ANPR proposes a requirement that covered entities minimize the residual cyber risk of sector-critical systems by implementing the most effective and commercially available controls.  Prudential Regulators are also considering requiring covered entities to establish a recovery time objective (RTO) of two hours for their sector-critical systems.

As the ANPR states, “[a]s technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.” As a result, banks, their boards and third-party vendors should all continue to expect heightened cybersecurity regulations and consider changes to other liability standards that might result from those heightened regulatory expectations.

Last Monday, October 24, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray spoke on the Bureau’s approach to FinTech at Money 20/20, a conference focused on payments and financial service innovation.  In his remarks, Cordray focused on responding to criticism of the CFPB’s enforcement actions against FinTech start-ups and appeared to warn large financial institutions about limiting access to financial data.  The Bureau also released the first report on “Project Catalyst,” the CFPB’s effort to facilitate innovation in consumer financial products and services.

Cordray began by stating that the Bureau’s enforcement actions against FinTech providers “should not be misread or overread.”  Cordray characterized these actions as not aimed at stifling innovation, but rather addressing “basic meat-and-potatoes issues such as companies that promise one thing to their customers and then do something quite different.”  For example, in March 2016, the CFPB imposed a $100,000 penalty on Dwolla, an online payment platform accused of deceiving customers by claiming that its data protection methods “exceeded industry standards.”

Later, Cordray appeared to rather bluntly warn banks against limiting access to customers’ financial data by FinTech providers with whom customers do business.  For example, some banks and FinTech firms have clashed over the practice of “screen scraping”—a technique by which financial advisors and other FinTech companies collect the financial data of willing consumers by logging in to the consumer’s bank website on the consumer’s behalf.  Some large banks have reportedly attempted to limit screen scraping, citing security concerns.  While Cordray recognized that allowing such access can “raise various issues,” he nonetheless expressed that the Bureau is “gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make [sure] such access, once granted, is safe and secure.”

In what could signal potential future regulation or enforcement activity, Cordray made clear that the Bureau “believes consumers should be able to access this information and give their permission for third-party companies to access this information as well” and that the Dodd-Frank Act supports this position.  In Cordray’s view, Congress specified that consumers should be able to access, in a usable electronic form, their financial information maintained by financial institutions.  Further, in its Project Catalyst report, the Bureau noted that it is working to achieve a “level playing field” for all market participants.

The Project Catalyst report also outlines several areas of consumer finance that the Bureau believes hold potential for consumer benefit.  Most revolve around increasing access to “underserved consumers,” like “unbanked” households and individuals with poor or no credit scores.  In addition to increasing consumer-permissioned access to financial data, the report highlighted efforts by FinTech companies such as:

  • Entering the student loan market to offer high-rate borrowers opportunity to refinance at lower rates;
  • Improving mortgage loan servicing such as through the use of machine learning to detect at an earlier stage when borrowers are likely to suffer financial distress;
  • Assisting with “cash flow management” to help consumers smooth uneven or unexpected changes in income, avoid overdrafts, and reduce reliance on short-term credit; and
  • Making peer-to-peer payment systems that bypass existing reliance on bank accounts or other networks more consumer friendly.

As FinTech providers continue to develop innovative financial products and services, we will continue to follow the Bureau’s efforts to navigate and regulate this evolving space.

Businesses and financial entities continue to grapple with the increasing frequency and sophistication of hacking, as shown by the recent botnet attack that affected numerous websites on October 21, 2016, as well as the recent SWIFT hack, which was used to steal $81 million from the Bangladeshi central bank.  On October 11, 2016, G-7 financial leaders attempted to respond to the growth of these attacks by agreeing to a set of guidelines to promote best practices in the financial industry.  The guidelines, entitled Fundamental Elements of Cybersecurity for the Financial Sector, are intended to provide common, non-binding, high-level fundamental elements that both public and private financial sector entities can tailor to their specific cybersecurity programs and incident response plans.  The practices consist of the following elements:

  • Cybersecurity Strategy and Framework – establish and maintain a cybersecurity strategy and framework tailored to specific risks.
  • Governance – define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework to ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors).
  • Risk and Control Assessment – identify functions, activities, products, and services, and prioritize their relative importance, while assessing their respective risks. Identify and implement controls to protect against and manage those risks within the tolerance set by the governing authority.
  • Monitoring – establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls.
  • Response – in a timely manner, (a) assess the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders; and (d) coordinate joint response activities as needed.
  • Recovery – resume operations responsibly, while allowing for continued remediation, including by (a) eliminating harmful remnants of the incident; (b) restoring systems and data to normal and confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited; (d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally.
  • Information Sharing – engage in the timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders on threats, vulnerabilities, incidents, and responses to enhance defenses, limit damage, increase situational awareness, and broaden learning.
  • Continuous Learning – review the cybersecurity strategy and framework regularly and when events warrant to address changes in risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.

These G-7 practices follow the New York Department of Financial Services’ recent proposed rules that would require banks and other financial institutions to adopt minimum cybersecurity standards.  Both public and private financial sector entities remain prime targets for cyberattacks.  Given recent events, anyone operating in the financial sector should consider strengthening cybersecurity programs and incident response plans, both as a matter of prudent operational and business practice and because of the increasing focus regulators place on compliance with existing (or forthcoming) cybersecurity regulations.