InfoBytes Blog

Financial Services Law Insights and Observations

  • FDIC OIG releases Special Inquiry Report to address breach response plan

    Privacy, Cyber Risk & Data Security

    On April 16, the FDIC’s Office of Inspector General (OIG) released its Special Inquiry Report—“The FDIC’s Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches”—which contains findings from an examination of the FDIC’s practices and policies related to data security, incident response and reporting, and Congressional interactions. The Special Inquiry Report is the culmination of a request made by the former Chairman of the Senate Committee on Banking, Housing, and Urban Affairs in 2016, and focuses on the circumstances surrounding eight information security incidents that occurred in 2015 and 2016—seven of which involved personally identifiable information and constituted data breaches. An eighth incident involved the removal of “highly sensitive components of resolution plans submitted by certain large systemically important financial institutions without authorization” by a departing FDIC employee.

    According to the report, the OIG asserts that, among other things, the FDIC failed to (i) put in place a “comprehensive incident response program and plan” to handle security incidents and breaches; (ii) clearly document risk assessments and decisions associated with data incidents; (iii) fully consider the range of impacts on bank customers whose information was compromised; (iv) promptly notify consumers when an incident occurred, and did not adequately consider notification as a decision separate from whether it would provide credit monitoring services; (v) for at least one incident, convey the seriousness of the breach; and (vi) provide timely, accurate, and complete responses to Congressional requests to gather information about how the agency was handling the incidents.

    As a result of these findings, the OIG presented recommendations and timeframes for the FDIC to “address the systemic issues.” Recommendations include: (i) clearly defining roles and responsibilities within the FDIC Breach Response Plan, and establishing procedures “consistent with legal, regulatory, and/or operational requirements for records management”; (ii) establishing a separation between consumer breach notifications and the offer of credit monitoring services; (iii) adhering to established timeframes for reporting incidents to FinCEN when suspicious activity report information has been compromised; (iv) conducting an annual review of the Breach Response Plan to confirm that the guidance has been consistently followed during the preceding year; (v) developing guidance and training to ensure that employees and contractors are fully aware of the legal consequences of removing any sensitive information from FDIC premises before they depart; (vi) ensuring that FDIC policies, procedures, and practices result in complete, accurate statements and representations to Congress, and updating and correcting prior statements and representations as necessary; (vii) clarifying “legal hold policies and processes”; and (viii) specifying that the Office of Legislative Affairs is responsible for “providing timely responses to Congressional requests and communicating with Congressional staff regarding those requests.”

    The FDIC concurred with the recommendations and has completed corrective actions for two, with plans to address the remaining recommendations between June and December of this year. The FDIC has also agreed to keep the OIG informed of the progress made to address the identified performance issues.

    Privacy/Cyber Risk & Data Security FDIC OIG Data Breach Congress Senate Banking Committee
  • Student loan servicer must comply with CFPB CID pending appeal

    Courts

    On April 17, the U.S. District Court for the Western District of Pennsylvania ordered a student loan servicer to comply with a CFPB Civil Investigative Demand (CID) while the servicer awaits appeal. As previously covered by InfoBytes, in February the court enforced a CFPB CID issued against the student loan servicer in June 2017. In granting the Bureau’s petition to enforce the CID, the court found that the CID’s Notification of Purpose met the statutory notice requirements because nothing in the law bars the CFPB “from investigating the totality of a company’s business operations.” The court also found that the investigation was for a “legitimate purpose,” the information requested is relevant and not already known by the Bureau, and the request is not unreasonably broad or burdensome. On March 26, the servicer filed a motion to stay the court’s order pending appeal to the U.S. Court of Appeals for the 3rd Circuit. In denying the servicer’s motion, the court held that the servicer would not be irreparably harmed if it responded to the CID and the 3rd Circuit later reversed the court’s decision, because the Appeals Court could order all documents to be returned and prevent the CFPB from acting upon information learned through the CID. Additionally, the servicer argued that the CFPB would not be injured if the court granted the stay because the agency has not yet brought an enforcement action. The court disagreed with this argument, holding that the CFPB cannot bring an enforcement action without reviewing the relevant documents and that granting the stay would only “further stall the CFPB’s efforts to obtain documents and information that it requested nine months ago.”

    Courts CFPB Student Lending CIDs Appellate Third Circuit
  • House passes measures to address identity theft

    Federal Issues

    On April 18, the House passed H.R. 2905 by a vote of 403-3. The “Justice for Victims of IRS Scams and Identity Theft Act of 2017” would direct the DOJ and the Treasury Department to submit reports to Congress detailing identity theft prosecutions. The DOJ’s report must contain the number of identity theft cases referred to the agency during the previous five years, along with recommendations for improving fraud deterrence, prevention, and interagency collaboration. The bill would also require Treasury to report on efforts to assist in the prosecution of individuals who fraudulently posed as IRS agents, in addition to trends and resources needed to improve the prosecution of IRS impostors. All reports would be due 120 days after the bill’s enactment.

    On April 17, the House voted 420-1 to pass H.R. 5192, which would, among other things, require the Social Security Administration to provide a database for financial institutions to validate fraud protection data (an individual’s name, social security number, and date of birth) when attempting to “reduce the prevalence of synthetic identity fraud.” In particular, H.R. 5192 is designed to protect the needs of vulnerable consumers, including minors and recent immigrants, and limits inquiries to those with a permissible purpose in accordance with section 604 of the Fair Credit Reporting Act. Further, prior to submitting a verification request, a financial institution must receive electronic consumer consent.

    Federal Issues Federal Legislation Privacy/Cyber Risk & Data Security U.S. House Identity Theft
  • CFPB and OCC fine national bank $1 billion for mortgage and auto lending practices

    Federal Issues

    On April 20, the CFPB, in coordination with the OCC, announced a $1 billion settlement with a national bank for certain auto and mortgage lending practices the bank had previously discontinued and for which the bank had initiated voluntary consumer remediation. According to the CFPB consent order, the Bureau alleged the bank inappropriately (i) charged fees for mortgage rate-lock extensions, and (ii) operated a force-placed insurance program in connection with auto loans. Specifically, the CFPB alleged that the bank sometimes charged rate-lock extension fees to consumers when it should have absorbed the fees. With respect to auto loans, the Bureau alleged that, due to issues with the vendor employed to monitor for insurance and issue insurance if not maintained by the consumer, certain consumers paid force-placed insurance premiums and interest that may not have been required, resulting in potential consumer harm. The CFPB consent order acknowledges that the bank voluntarily discontinued the above practices and has voluntarily begun consumer remediation. Under the terms of both consent orders, the bank will remediate affected consumers and will implement necessary changes to its compliance risk-management program.

    Federal Issues CFPB OCC Settlement Auto Finance Mortgages Rate Lock Force-placed Insurance
  • Aruban telecom official pleads guilty to money laundering conspiracy involving FCPA violations

    Financial Crimes

    An Aruban telecom official pleaded guilty to money laundering charges in connection with a scheme to arrange and receive corrupt payments to influence the awarding of contracts in Aruba. The DOJ’s press release describes the company as an Aruban state-owned company. According to his plea agreement, the official, a Dutch citizen living in Florida, operated a money laundering conspiracy between 2005 and 2016 in his position as the company’s product manager. An individual who owned several Florida-based telecommunications companies previously pleaded guilty to paying bribes to the official and his wife.

    The official admitted that he conspired with the individual and others to transmit funds from Florida and elsewhere in the United States to Aruba and Panama with the intent to promote a wire fraud scheme and a corrupt scheme that violated the FCPA. The official was promised and received bribes from individuals and companies located in the United States and abroad in exchange for using his position at the company to award lucrative mobile phone and accessory contracts. The official also admitted to providing favored vendors with confidential company information in exchange for the more than $1.3 million in corrupt payments.

    The company filed a civil complaint against the official and other parties on March 3 in U.S. District Court for the Southern District of Florida, which contains a few points of note. First, the company describes itself in the complaint as a privatized company, whereas the DOJ’s press release called it an instrumentality of the Aruban government. Second, the complaint states that the company became aware of some of the official's alleged activities via the Panama Papers, the 2016 leak of over 11 million documents from Panamanian law firm and financial services provider Mossack Fonseca.

    Financial Crimes DOJ FCPA Anti-Money Laundering
  • U.S. imposes denial of export privileges on Chinese telecom giant for violating prior settlement agreement

    Financial Crimes

    On April 16, the U.S. Department of Commerce imposed a denial of export privileges on a Chinese telecommunications equipment corporation for violating a previous settlement relating to illegally shipping telecommunications equipment to Iran and North Korea. As previously covered in InfoBytes, in March 2017 the company agreed to a combined civil and criminal penalty and to forfeiture of over $1.1 billion for shipping the equipment, making false statements, and obstructing justice. As part of the settlement, the company agreed to a seven-year suspended denial of export privileges, which would be triggered if the agreement was not met or if the company committed further violations.

    The Department imposed the denial after determining that the company made false statements during the 2016 settlement negotiations and again during the probationary period in 2017 related to disciplinary actions against senior employees that the company said it was taking or had already taken. The false statements covered up the fact that the company had actually failed to issue letters of reprimand and paid full bonuses to the employees who had engaged in illegal conduct.

    Financial Crimes Settlement Department of Commerce Iran North Korea China International
  • National Institute of Standards and Technology issues updated cybersecurity framework

    Privacy, Cyber Risk & Data Security

    On April 16, the National Institute of Standards and Technology (NIST) announced the release of enhancements to its cybersecurity framework guidance, which critical infrastructure sectors, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. Updates in Cybersecurity Framework Version 1.1 (Framework) incorporate comments received from public feedback, team members, and workshops held over the past two years, as well as stakeholder input on draft versions. Changes include the addition of (i) explanations clarifying that the Framework can be used to promote compliance with an organization’s own cybersecurity requirements; (ii) a cybersecurity risk self-assessment section; (iii) an expanded section addressing ways in which the Framework can be used to manage cybersecurity within the supply chain; (iv) refinements to authentication and identity processes; (v) new language explaining the “relationship between Implementation Tiers and Profiles” in regard to risk management programs; and (vi) a new subcategory on the lifecycle of vulnerability disclosure. The process by which changes are made to the Framework may be viewed on NIST’s website. NIST further notes that both first-time and current Framework users should experience minimal to no disruption when implementing the updated Framework, and are encouraged to customize the Framework “to maximize individual organizational value.”

    As previously covered in InfoBytes, last year President Trump issued an Executive Order directing federal agencies to follow NIST’s Framework to manage cybersecurity risk.

    Privacy/Cyber Risk & Data Security NIST Risk Management
  • Department of Education, Veterans Affairs team up to simplify student loan discharge process for disabled veterans

    Lending

    On April 16, the U.S. Department of Education announced a partnership with the U.S. Department of Veterans Affairs (VA) to identify disabled student loan borrowers who qualify for debt forgiveness. Eligible veterans with federal student loans or aid through the Teacher Education Assistance for College and Higher Education Grant Program who are identified as a match between the National Student Loan Data System and the VA database will be notified of their potential eligibility by mail and will receive a Total and Permanent Disability Discharge application.

    Lending Student Lending Department of Education Department of Veterans Affairs Debt Cancellation
  • New York Attorney General launches cryptocurrency integrity initiative

    Fintech

    On April 18, the New York Attorney General’s office announced the launch of an initiative designed to protect virtual currency investors and increase transparency and accountability within the cryptocurrency industry. Attorney General Eric T. Schneiderman sent questionnaires to 13 virtual currency trading platforms, requesting information on their operations, policies, and internal controls as part of a “fact-finding inquiry.” “[T]oo often, consumers don't have the basic facts they need to assess the fairness, integrity, and security of these trading platforms,” the Attorney General stated. The Virtual Markets Integrity Initiative asks the trading platforms to disclose several categories of information, including ownership and control information, operation and fees, trading policies and procedures, internal controls, and privacy and money laundering risks and safeguards. Responses will be analyzed, compared across platforms, and presented to the public. Questionnaires are due May 1.

    Fintech State Attorney General Investigations Virtual Currency Cryptocurrency State Issues
  • States pass legislation updating security freeze laws

    Privacy, Cyber Risk & Data Security

    On April 12, the Kansas governor signed HB 2580, which amends existing law to prohibit consumer reporting agencies (CRAs) from charging a fee to a consumer for placing, temporarily lifting, or removing a security freeze on his or her credit report. Moreover, it prevents CRAs from charging fees for replacing a previously requested personal identification number. The law is effective July 1.

    Additionally, on April 10, the Iowa governor signed SF 2177, which updates the state’s security freeze law to prohibit CRAs from charging a fee to a consumer for placing, temporarily lifting, removing, or reinstating a security freeze on his or her credit report. Among other things, the law also (i) expands the methods a consumer may use to submit a request for a security freeze; (ii) reduces the number of days within which CRAs must commence a security freeze after receiving a request from five to three business days; (iii) requires CRAs to send written confirmation to a consumer within three business days after placing a security freeze; and (iv) states that if a consumer requests a security freeze from a CRA that “compiles and maintains files on a nationwide basis,” the CRA must attempt to identify other CRAs that also maintain nationwide files so that the consumer may request additional security freezes. The amendments generally take effect July 1, with the exception of certain provisions that take effect January 1, 2019.

    Visit here for additional InfoBytes coverage on states that have recently enacted similar prohibitions.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Security Freeze