
InfoBytes Blog

Financial Services Law Insights and Observations

  • Ransomware Attack Has Global Impact, Bipartisan Legislation Introduced to Counter Hacking

    Privacy, Cyber Risk & Data Security

    On May 12, a cyberattack spread around the world, affecting more than 230,000 computers in roughly 150 countries, according to a statement issued by the American Bankers Association. The ransomware, known as “WannaCry,” was used to exploit a vulnerability that affects computers running Microsoft Windows (see Department of Homeland Security Alert). Users of infected computers received a message that their files had been encrypted and that they must pay a ransom in bitcoin in order to decrypt their files. However, as conveyed in a press release issued by the Financial Services - Information Sharing and Analysis Center (FS-ISAC), the majority of the attacks appear to be targeting and impacting non-financial sector entities globally. FS-ISAC “believes the current attacks utilize known vulnerabilities for which there are available software patches,” but notes that firms and service providers need to implement the patches. Agencies continue to monitor what may be the first in a series of attacks.

    SEC Office of Compliance and Examinations (OCIE) and FBI Issue Responses. The OCIE released a statement cautioning registrants to be vigilant in mitigating risk, and noted a recent OCIE study that determined a substantial number of registrants did not conduct periodic risk assessments, penetration tests, or vulnerability scans, while a smaller number had not updated critical security patches. The OCIE also provided links to guidance on cybersecurity risk management. Likewise, the FBI issued a bulletin providing guidance on additional protection measures following the attack.

    Bipartisan Legislation Introduced. On May 17, bipartisan legislation was introduced in the House and Senate to add transparency and accountability to the federal government process for retaining or disclosing vulnerabilities in technology products, services, applications, and systems. The bill, Protecting our Ability To Counter Hacking (PATCH) Act, follows the apparently leaked NSA hacking tool which opened the door to the global “WannaCry” ransomware attack. It is sponsored by Senators Brian Schatz (D-Haw.), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.), and Representatives Ted Lieu (D-Cal.) and Blake Farenthold (R-Tex.). As described in a release issued by Sen. Schatz’s office, the proposed legislation would make the Vulnerabilities Equities Process (VEP) more permanent, while altering its structure. It would also make the Department of Homeland Security the chair of the interagency board overseeing the VEP. Under the bill, the NSA and other security agencies would still be a permanent part of the board, while other agencies and the White House's National Security Council could attend meetings if the board deems it necessary. The established board would also produce a report for Congress on the policies it establishes regarding the disclosure of vulnerabilities no later than 180 days after the enactment of the Act. An unclassified version of the report will be publicly available as well. “Striking the balance between U.S. national security and general cybersecurity is critical, but it's not easy,” Sen. Schatz noted. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

    Coalition for Cybersecurity Policy and Law. The legislation has already received support. The Coalition issued the following statement in support of the proposed bill: “We support the goals of the PATCH Act and we look forward to working with Chairman Johnson, Senators Schatz and Gardner, and Reps. Lieu and Farenthold as it moves forward in both chambers. The events of the past week clearly demonstrate the real-world consequences of exploited vulnerabilities. Governments have a critical role in getting vulnerability information to organizations capable of acting to protect security in a timely manner upon discovery.”

    Privacy/Cyber Risk & Data Security ABA SEC Congress

  • CFPB Issues Request for Information on Small Business Lending; Prepares to Implement Section 1071 of Dodd Frank Act

    Agency Rule-Making & Guidance

    On May 10, the CFPB announced the issuance of a Request for Information on various aspects of the market for small business loans as the Bureau prepares to implement Section 1071 of the Dodd-Frank Act, which amends the Equal Credit Opportunity Act (ECOA) to require financial institutions to compile, maintain, and report information concerning credit applications made by women-owned, minority-owned, and small businesses. The Request includes questions grouped in five categories: (i) defining what constitutes a small business; (ii) data points the Bureau will require to be submitted and collected; (iii) types of lenders involved in small business lending and the appropriate institutional coverage for the data collection requirements; (iv) types of financial products offered to small businesses generally, and those owned by women and minorities in particular; and (v) privacy concerns related to the data collection.

    The CFPB also released Director Cordray’s prepared remarks in advance of a field hearing on small business lending where he introduced the Request for Information and issued a related press release. Comments are due 60 days after the Request for Information is published in the Federal Register. The Bureau also released a report, entitled “Key Dimensions of the Small Business Lending Landscape,” which presents the CFPB's perspective on the market for lending to small, minority-owned and woman-owned firms and gaps in its understanding.

    A couple of industry groups have already weighed in regarding expected difficulties with the application of Section 1071. In a letter sent Tuesday in advance of the field hearing, the National Association of Federally-Insured Credit Unions (NAFCU) urged the CFPB to exempt its members from any rulemaking that compels disclosure of business loan information. NAFCU Regulatory Affairs Counsel Andrew Morris cites the unique characteristics of credit unions, and that such data collection “may yield confusing information about credit unions and further restrict lending activity as a result of increased compliance costs.” The letter notes that “[c]redit unions serve distinct fields of membership, and as a result, institution-level data related to women-owned, minority-owned and small business lending substantially differs in relation to other lenders.”

    And, in a white paper provided to the Treasury Department, the American Bankers Association criticizes what amounts to Section 1071’s conflation of consumer and commercial lending, “recommend[ing] the elimination of any vestige of Bureau regulatory, supervisory, or enforcement authority over commercial credit or other commercial account and financial services.”

    Agency Rulemaking & Guidance CFPB Small Business Lending Dodd-Frank ECOA NAFCU ABA Treasury Department

  • American Bankers Association White Paper Addresses Concerns Over HMDA Expansion

    Agency Rule-Making & Guidance

    On May 2, the American Bankers Association (ABA) issued a white paper to the Treasury Department on the implementation of the 2015 Home Mortgage Disclosure Act (HMDA) rule as part of its continuing response to President Trump’s executive order outlining “core principles” for financial regulation (see previously issued Special Alert here). The white paper, HMDA – More Really is Less: The Data Fog Frustrates HMDA, presents several views held by the ABA including that the CFPB should (i) rescind requirements to collect any data fields not expressly required by HMDA; (ii) suspend the effective date of the 2015 HMDA rule until privacy and security concerns are addressed (see previously issued Special Alert here); (iii) exclude commercial loans from HMDA coverage; and (iv) revoke the new HMDA data elements added by the Dodd-Frank Act. The ABA noted that the Dodd-Frank Act added more than 13 new categories to the statutory HMDA data fields lenders are required to collect, and in the implementing regulation, Regulation C, the CFPB added 25 new data fields to the existing 23 fields. The ABA noted that the CFPB estimates that, in addition to existing costs of HMDA compliance, the additional annual costs of operations will be approximately $120.6 million conservatively (more if reporting quarterly) and lenders will incur a one-time additional cost of between $177 million and $326.6 million. Furthermore, the ABA states there still remains a need to address the “significant” privacy issues presented by the “vast trove of data points added by Dodd-Frank,” and that “the collection and transfer and warehousing of greatly increased and more sensitive data will necessitate even more robust and costlier private sector and government systems.” However, the ABA noted the Bureau has not initiated rulemaking to address the privacy issues presented.

    Notably, last month, the CFPB issued a proposal in the Federal Register to amend the 2015 HMDA rule (see previously issued Special Alert here). The changes are primarily for the purpose of clarifying data collection and reporting requirements, and most of the clarifications and revisions would take effect in January 2018. The deadline to submit comments on the CFPB’s proposal is May 25, 2017.

    Agency Rulemaking & Guidance HMDA CFPB ABA

  • American Bankers Association Argues for “Strong, Consistent” National Data Protection Standard

    Privacy, Cyber Risk & Data Security

    In a May 8 letter to Congress, the American Bankers Association (ABA) called on Congress to pursue national data protection standards for companies that handle consumers’ sensitive financial data. The letter notes that the financial sector has an excellent track record in protecting consumer data, citing data from the Identity Theft Resource Center indicating that only 0.2% of records exposed in data breaches were attributable to the financial sector, as opposed to the 81.3% of records exposed at businesses including retail, adding that the industry is highly motivated and under constant oversight to ensure that Federal privacy and data protection laws such as the Gramm-Leach-Bliley Act are followed. On the other hand, the ABA notes, other industries are not required to protect consumer data under Federal law and have strongly opposed legislation that would add such requirements. The association concludes that a “strong, consistent national standard for fighting data breaches” is necessary to create a “security infrastructure that brings banks, payment networks and retailers together to safeguard sensitive financial data.”

    Privacy/Cyber Risk & Data Security Congress ABA

  • State AGs, Industry Groups Submit Comments Addressing CFPB’s Proposed Delay of Prepaid Accounts Rule

    State Issues

    As previously covered in InfoBytes, the Bureau released its final rule (the “Prepaid Accounts Rule”) on prepaid financial products in October of last year in order to provide consumers with additional federal protections under the Electronic Fund Transfer Act and also to offer consumers standard, easy-to-understand information about prepaid accounts. Recently, however, the CFPB announced its intention to delay the effective date of its Prepaid Accounts Rule by six months. If approved, the proposed extension would push back the current October 1, 2017, effective date to April 1, 2018. According to the proposed rule and request for public comment published by the Bureau in the March 15 Federal Register, the extension comes in response to comments received from “some industry participants” who “believe they will have difficulty complying with certain provisions.” The CFPB has taken the position that extending the deadline for compliance “would, among other things, help industry participants address certain packaging-related logistical issues for prepaid accounts that are sold at retail locations.” Comments on the proposal were due April 5.

    State AG’s Letter. On April 5, attorneys general from 17 states and the District of Columbia submitted a letter to congressional leaders presenting various arguments against pending House and Senate resolutions (S.J. Res. 19, H.J. Res. 62, and H.J. Res. 73) providing for congressional disapproval and effectively nullifying the CFPB’s Prepaid Accounts Rule. The state attorneys general—including AGs for the District of Columbia, California, Hawaii, Illinois, Iowa, Maine, Maryland, Massachusetts, Minnesota, Mississippi, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Virginia, and Washington, along with the Executive Director of the Hawaii Office of Consumer Protection—argued, among other things, that consumer protections provided by the Rule are important because, among other things, “consumers frequently report concerns about hidden and abusive fees as well as fraudulent transactions that unfairly deplete the funds loaded onto prepaid cards.” The AGs’ letter notes further that prepaid cards are often used by “vulnerable consumers” who have limited or no access to a traditional bank account. Notably, although they characterize these congressional resolutions as a “misplaced effort,” the state AGs acknowledge that the Congressional Review Act “gives Congress, with the President’s signature, a window to veto a rule from going into effect.”

    American Bankers Association (ABA) Letter. In another comment letter, submitted on April 3, the ABA commended the CFPB for “proposing to extend the deadline” because, among other things, “some industry participants, especially those offering prepaid cards in retail stores, may have difficulty complying with certain provisions.” The ABA also noted that the extension of time presents an opportunity for the Bureau to “consider making adjustments as appropriate to ensure unnecessary disruption to consumers’ access to, and use of, prepaid accounts.” As explained in the letter, the ABA’s primary concern about the Prepaid Accounts Rule “remains the inconsistency and lack of clarity of the regulation’s distinction between checking accounts and prepaid accounts.” To this end, the ABA recommends that the Bureau use the extra time to “remove inconsistencies in the Rule and clarify the distinction between a prepaid account and a checking account to ensure that banks do not inadvertently violate the regulation and risk significant potential liability and supervisory actions.” The ABA’s letter also calls for “similar changes” to the “definition of ‘payroll account’” in order to further distinguish product types.

    Independent Community Bankers of America (ICBA) Letter. Also on April 3, the ICBA submitted a short comment letter stating, among other things, that it “fully supports extending the effective date” as the additional time will “ensure that systems and technology changes could be made to facilitate compliance.”

    State Issues State AG CFPB Prepaid Rule EFTA ABA ICBA

  • President Trump Hosts “National Economic Council” Listening Session with CEOs of Small and Community Banks

    Federal Issues

    On March 9, President Trump met with 11 community bank CEOs at the White House seeking the bankers’ input on which regulations may be crimping their ability to lend to consumers and small businesses. The meeting included representatives from the Independent Community Bankers of America (ICBA), and the American Bankers Association (ABA), as well as nine bank executives from across the country. Treasury Secretary Steven Mnuchin, National Economic Council Chairman Gary Cohn, and White House Chief of Staff Reince Priebus also were present.

    The President started the meeting by noting that “[n]early half of all private-sector workers are employed by small businesses” and that “[c]ommunity banks are the backbone of small business in America” before announcing his commitment to “preserving our community banks.” Following the President’s brief opening remarks, the attendees had the opportunity to introduce themselves and share specific examples of how excessive regulatory burdens affect their ability to serve their customers, make loans and create jobs at the local level. Proposals, such as the ICBA’s Plan for Prosperity, also were discussed.

    Following the meeting, ABA President and CEO Rob Nichols released a statement “commend[ing] President Trump for meeting with community bankers to hear the challenges they face serving their clients.” He described the meeting as “an important step” toward re-examining the “highly prescriptive rules” that have created a “regulatory environment” in which “mortgages don’t get made, small businesses don’t get created and banks find it more difficult to make the loans that drive job creation.” The ICBA also issued a post-meeting Press Release, in which their Chairman, Rebeca Romero Rainey, explained that among the items discussed at the meeting was the ICBA’s “Plan for Prosperity”—a “pro-growth platform to eliminate onerous regulatory burdens on community banks” that “includes provisions to cut regulatory red tape, improve access to capital, strengthen accountability in bank exams, incentivize credit in rural America and more.” The ICBA Chairman also confirmed that the Association “looks forward to continuing to work with President Trump, his administration and Congress to advance common-sense regulatory relief that will support communities nationwide.”

    Also weighing in was House Financial Services Committee Chairman Jeb Hensarling (R-TX), who issued a press release praising the President for “listening to the concerns of community bankers who have been buried under an avalanche of burdensome regulations as a result of Dodd-Frank.” Chairman Hensarling also took the opportunity to tout the Financial CHOICE Act, his bill that would make sweeping amendments to the Dodd-Frank Act. According to Chairman Hensarling, GOP members on the Financial Services Committee are “eager to work with the President and his administration this year to fulfill the pledge to dismantle Dodd-Frank and unclog the arteries of our financial system so the lifeblood of capital can flow more freely and create jobs.”

    Federal Issues Bank Regulatory Lending Congress Insurance House Financial Services Committee Trump ABA Dodd-Frank

  • GOP Lawmakers Reintroduce House Version of the “TAILOR” Act

    Federal Issues

    On February 22, Congressman Scott Tipton (R-CO) and eight GOP cosponsors reintroduced the Taking Account of Institutions with Low Operation Risk (TAILOR) Act (H.R. 1116), a bill intended to “provide smaller community banks and credit unions relief from onerous regulatory compliance burdens” by “requiring federal regulatory agencies to tailor regulations to fit the business model and risk profile of institutions instead of imposing one-size-fits-all mandates across the board.” According to Rep. Tipton, the various provisions contained within the measure are ultimately intended to provide a means of reducing “often unworkable” compliance costs that community and independent banks and credit unions face when forced to adhere to “regulations designed and intended for big banks.”

    In a February 17 press release, the American Bankers Association (ABA) “strongly supported” the bill, which it anticipates would effectively “address the huge flow of new regulations that have made it more difficult for banks to meet the needs of consumers and small businesses as well as local and regional economies.”

    The TAILOR Act received bipartisan support when it was previously introduced before the 114th Congress. The June 2015 version of the bill—which was substantially similar to the current iteration—received bipartisan support and was twice approved by the House Financial Services Committee. And, as previously covered on InfoBytes, a companion Senate-version of the TAILOR Act (S. 366) was introduced earlier this month by Sen. Mike Rounds (R-SD).

    Federal Issues Agency Rulemaking & Guidance ABA Congress House Financial Services Committee TAILOR Act
