InfoBytes Blog

Financial Services Law Insights and Observations

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • South Dakota regulator encourages pandemic planning

    State Issues

    On March 12, the South Dakota Division of Banking issued a memorandum encouraging state-chartered banks to review recent pandemic planning guidance issued by the Federal Financial Institutions Examination Council and then revise or establish appropriate pandemic plans. The Division advised that the plans should be integrated into business continuity plans and consider ways to maintain essential financial services for customers while limiting impact to employees. Finally, the Division indicated that it will monitor the impact of Covid-19 and alter onsite examination activities as needed.

    State Issues South Dakota State Regulators FFIEC Business Continuity Consumer Finance Covid-19

  • FFIEC releases 2020 HMDA reporting guide

    Agency Rule-Making & Guidance

    On February 13, the FDIC issued FIL-9-2020 announcing the Federal Financial Institutions Examination Council’s issuance of the 2020 edition of the “Guide to HMDA Reporting: Getting It Right!” The guide applies to HMDA data collected in 2020 that will be reported to supervisory agencies by March 1, 2021, and includes (i) a summary of responsibilities and requirements; (ii) directions for assembling the necessary tools; and (iii) instructions for reporting HMDA data. According to the announcement, the 2020 edition provides information to assist HMDA compliance in the event of a merger or acquisition, as well as updates to the appendices to reflect amendments to Regulation C made by the CFPB that took effect January 1. As previously covered by InfoBytes, the amendments extend the current temporary threshold of 500 open-end lines of credit under HMDA rules for reporting data to January 1, 2022.

    Agency Rule-Making & Guidance FDIC FFIEC CFPB HMDA

  • CFPB releases TILA, EFTA, and CARD Act annual report

    Federal Issues

    On December 18, the CFPB issued its mandated annual report to Congress covering activity in 2016 and 2017 pertaining to the Truth in Lending Act (TILA), the Electronic Fund Transfer Act (EFTA), and the Credit Card Accountability Responsibility and Disclosure Act (CARD Act). The report describes enforcement actions brought by the Bureau and federal agencies related to TILA, EFTA, the CARD Act (and respective implementing Regulations Z and E), as well as data on required reimbursements to consumers. The report also includes a compliance assessment of TILA and EFTA violations. Federal Financial Institutions Examination Council (FFIEC) member agencies report that more institutions were cited for violations of Regulation Z than Regulation E during the 2016 and 2017 reporting periods, and that the most frequently reported Regulation Z violations include (i) failing to disclose, or to accurately disclose, the finance charge on closed-end credit; (ii) failing to disclose good faith estimates on disclosures for closed-end credit; and (iii) failing to provide consumers with specific loan cost information on closing disclosures. The most commonly cited Regulation E violations include (i) failing to comply with investigation and timeframe requirements when resolving errors in electronic fund transfers; and (ii) failing to provide applicable disclosures. In addition, the report recaps FFIEC outreach activities related to TILA and EFTA, such as workshops, blogs, and other outreach events.

    Federal Issues CFPB TILA EFTA CARD Act FFIEC Regulation Z Regulation E Disclosures

  • Agencies release 2018 CRA data

    Federal Issues

    On December 16, the three federal banking agency members of the Federal Financial Institutions Examination Council (FFIEC) with Community Reinvestment Act (CRA) responsibility—the Federal Reserve Board, the FDIC, and the OCC—announced the release of the 2018 small business, small farm, and community development CRA data. The analysis contains information from 700 lenders about originations and purchases of small loans (loans with original amounts of $1 million or less) in 2018, a 2.2 percent decrease from the 718 lenders that reported data in 2017. According to the analysis, the total number of originated loans increased by approximately 8 percent from 2017, with the dollar amount of originations increasing by roughly 5 percent; however, the analysis notes that the majority of this growth is attributable to one bank’s increase in originations. The analysis further notes that 615 banks reported community development lending activity totaling nearly $103 billion in 2018, an increase from $96 billion in 2017.

    Federal Issues CRA FFIEC OCC FDIC Federal Reserve Small Business Consumer Lending | Consumer Finance

  • FFIEC issues revised Business Continuity Management booklet

    Agency Rule-Making & Guidance

    On November 14, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Business Continuity Management booklet, one of a series of booklets that make up the FFIEC Information Technology Examination Handbook. The revised booklet replaces the 2015 version and provides enterprise-wide guidance for examiners on the principles of business continuity management and approaches toward business continuity planning and resilience, including those designed to “achieve safety and soundness, consumer financial protection, and compliance with applicable laws, regulations, and rules.” It also provides examination procedures intended to help examiners assess the effectiveness of business continuity and resilience frameworks for entities including depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.

    The same day, the OCC also issued Bulletin 2019-57 to note that the revised booklet rescinds Bulletin 2015-9, “FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet.”

    Agency Rule-Making & Guidance FFIEC Examination OCC

  • Buckley Insights: Leveraging open source intelligence for cyber threat modeling

    Privacy, Cyber Risk & Data Security

    The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CTI) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. Indeed, to successfully implement a risk-based information security program, an organization must be aware of general cybersecurity risks across all industries, as well as business-sector risks and organizational risks unique to the organization. Furthermore, proposed revisions to the FTC Safeguards Rule (previously covered by InfoBytes here) emphasize the need for a “thorough and complete risk assessment” that is informed by “possible vectors through which the security, confidentiality, and integrity of that information could be threatened.”

    Threat modeling is generally understood as a formal process by which an organization identifies specific cyber threats to its information systems and sensitive information. The process gives management insight into the defenses needed; the critical risk areas within and across an information system, network, or business process; and the best allocation of scarce resources to address the critical risks. Even today, a generally accepted threat modeling process involves comprehensive system, application, and network mapping and data flow diagrams. Many threat modeling tools are available free to the public, such as Microsoft’s Threat Modeling Tool, which provides diagramming and analytical resources for network and data flow diagrams and uses the STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) to inform the user of general cyber-attack vectors that each organization should consider. Generally, by combining a cybersecurity framework, such as the NIST Cybersecurity Framework (for risk-based analytical approaches), with threat modeling tools that identify generic cyber threats such as STRIDE (for general or sector-specific cyber risks), an organization can achieve a risk-informed information security program.

    However, with the increasing number of large-scale data breaches and the evolving complexity of cybersecurity threats, many regulatory agencies and other industry standards bodies have called for going one step further and understanding the tactics, techniques, and procedures (TTPs) used by attackers, drawing on CTI. By using CTI and other threat-based models, organizations can gain insight into potential attack vectors through red-teaming and penetration testing, simulating each phase of a hypothetical attack on the organization’s information system and determining the countermeasures that can be employed at each step of the kill chain. For instance, Lockheed Martin’s formal kill chain model involves seven steps (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective) and proposes six potential defensive measures at each step (detect, deny, disrupt, degrade, deceive, and contain). Consequently, an organization can layer its defenses along each step in the kill chain to increase the probability of detecting or preventing the attack. The kill chain model was used as part of a U.S. Senate investigation into the 2013 data breach of a major corporation, which identified several stages along the chain where the attack could have been prevented or detected.

    This threat identification process requires greater detail on adversarial TTPs. Fortunately, MITRE has made its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) knowledge base publicly available. ATT&CK collects and organizes adversarial TTPs in specific detail and provides information on each technique and potential mitigating procedures, including commonly used attack patterns for each. For instance, one tactic identified by ATT&CK is to encrypt data being exfiltrated to avoid detection by data loss prevention (DLP) tools or other network anomaly detection tools; ATT&CK identifies more than forty known techniques and tools that have been used to achieve encrypted transmission. ATT&CK also identifies potential detection and mitigation options, such as scanning unencrypted channels for encrypted files using DLP or intrusion detection software. Thus, instead of a generic data breach risk analysis, organizations can understand the specific TTPs that may make data breach detection and analysis more difficult, and take measures to prevent them.
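    The detection option described above, scanning channels that should carry plaintext for content that looks encrypted, is usually implemented as a byte-entropy check. The following Python is an added example written for this page; it is not code from the post, from MITRE, or from any DLP or intrusion detection product. The entropy threshold, the list of plaintext ports, the allow-listed file headers, and the sample flows are all assumptions constructed here for illustration.

```python
import gzip
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Tuning values are assumptions for this example, not defaults of any product.
ENTROPY_THRESHOLD = 7.2        # bits per byte; ciphertext approaches 8.0
MIN_PAYLOAD_SIZE = 256         # entropy estimates on tiny payloads are unreliable
PLAINTEXT_PORTS = {21, 25, 80}  # channels that should not be carrying ciphertext

# Leading bytes of formats that are legitimately high-entropy (compressed or
# already-encoded media). Matching one of these suppresses the alert.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


@dataclass
class Finding:
    stream_id: str
    entropy: float
    size: int
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes) -> Optional[str]:
    """Name of an allow-listed high-entropy format, or None."""
    for magic, name in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def inspect_payload(stream_id: str, dst_port: int, payload: bytes) -> Optional[Finding]:
    """Return a Finding when a plaintext channel carries apparently encrypted data."""
    if dst_port not in PLAINTEXT_PORTS:
        return None  # channel is expected to be encrypted; entropy tells us nothing
    if len(payload) < MIN_PAYLOAD_SIZE:
        return None
    if known_format(payload):
        return None  # compressed and media formats are high-entropy by design
    h = shannon_entropy(payload)
    if h < ENTROPY_THRESHOLD:
        return None
    return Finding(stream_id, round(h, 3), len(payload),
                   f"entropy {h:.2f} bits/byte on port {dst_port} "
                   "with no known compressed-format header")


def scan_flows(flows):
    """Apply inspect_payload to (stream_id, dst_port, payload) tuples."""
    return [f for f in (inspect_payload(*flow) for flow in flows) if f is not None]


def build_sample_flows():
    """Constructed sample traffic: one text upload, one gzip file, and a
    random blob standing in for ciphertext, sent over port 80 and port 443."""
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    text = (b"POST /upload HTTP/1.1\r\nHost: files.example.internal\r\n\r\n"
            + b"Quarterly report draft, section 3. " * 150)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return [
        ("flow-1", 80, text),                 # ordinary plaintext: no alert
        ("flow-2", 80, gzip.compress(blob)),  # high entropy but gzip header: no alert
        ("flow-3", 80, blob),                 # ciphertext-like on port 80: alert
        ("flow-4", 443, blob),                # TLS port, not inspected
    ]


if __name__ == "__main__":
    for finding in scan_flows(build_sample_flows()):
        print(f"{finding.stream_id}: {finding.reason}")
```

    Two caveats for anyone adapting this: a magic-byte allow-list is only a heuristic (an adversary can prepend a gzip header to ciphertext), so production tooling should validate the claimed format by actually decoding it, and the threshold needs tuning against the organization's own baseline traffic to keep false positives from compressed web content manageable.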

    By leveraging open-source CTI from tools such as ATT&CK and from third-party reports such as government and industry alerts, organizations can begin designing proactive defenses against cyber threats. It is important to note, however, that ATT&CK can only inform an organization’s threat modeling and is not a threat model itself; additionally, ATT&CK focuses on intrusion and hacking TTPs and therefore does not examine other threats that organizations may face, including distributed denial of service (DDoS) attacks that threaten the availability of their systems. Such threats will still need to be accounted for in any financial organization’s risk assessment, particularly if such attacks prevent its clients from accessing their financial accounts and, ultimately, their money.

    Privacy/Cyber Risk & Data Security Data Breach FTC OCC FFIEC

  • CFPB issues filing guides for 2020 HMDA data

    Agency Rule-Making & Guidance

    On September 25, the CFPB released the Filing Instructions Guide for HMDA data collected in 2020 that must be reported in 2021. The guide references changes to the submission process, and includes a reminder that, starting in 2020, “covered institutions that reported a combined total of at least 60,000 applications and covered loans in the preceding calendar year are required to report HMDA data quarterly.” Instructions for quarterly reporting can be found in the Supplemental Quarterly Reporting Guide, which was issued the same day. The file format for submitting the HMDA data, along with the required data fields to be collected and reported, have not changed.

    Agency Rule-Making & Guidance CFPB HMDA FFIEC Mortgages

  • FFIEC releases 2018 HMDA data; CFPB issues mortgage activity reports

    Federal Issues

    On August 30, the Federal Financial Institutions Examination Council released the 2018 Home Mortgage Disclosure Act (HMDA) data on mortgage lending transactions, covering information submitted by financial institutions on or before August 7. The data will not remain static, but will be updated on an ongoing basis to reflect late submissions and resubmissions. The data currently includes information on 12.9 million home loan applications, 7.7 million of which resulted in loan originations, and 2 million purchased loans. Observations on the data include: (i) the total number of originated loans decreased by roughly 12.6 percent; (ii) refinance originations decreased by 23.1 percent; (iii) the share of refinance loans to low- and moderate-income borrowers increased from 22.9 percent to 30 percent; and (iv) nondepository, independent mortgage companies accounted for 57.2 percent of first-lien owner-occupied home purchase loans (up from 56.1 percent in 2017).

    On the same day, the CFPB also released two data point articles describing mortgage market activity based on data reported under HMDA. The first article presents a report providing a “first look” at mortgage application and origination trends within the 2018 HMDA data. The second article introduces a report describing the “new and revised data points in the 2018 HMDA data” and discussing the Bureau’s initial observations on the mortgage market based upon those new or revised data points.

    Federal Issues HMDA FFIEC CFPB Mortgages

  • FFIEC urges standardized cybersecurity approach

    Agency Rule-Making & Guidance

    On August 28, the FFIEC issued a press release emphasizing the benefits of implementing a standardized cybersecurity preparedness approach. The FFIEC noted that firms who adopt a standardized approach are “better able to track their progress over time, and share information and best practices with other financial institutions and with regulators.” Highlighted are several standardized tools for financial institutions to use when assessing and improving their level of cybersecurity preparedness, including the FFIEC Cybersecurity Assessment Tool, the Financial Services Sector Coordinating Council Cybersecurity Profile, the National Institute of Standards and Technology Cybersecurity Framework, and the Center for Internet Security Critical Security Controls.

    Agency Rule-Making & Guidance FFIEC Privacy/Cyber Risk & Data Security

  • Democratic Representatives demand rescission of CFPB’s permanent HMDA threshold proposal

    Federal Issues

    On June 11, House Financial Services Committee Chairwoman Maxine Waters and 64 other Democratic House members sent a letter to the CFPB urging rescission of its May proposal to permanently raise the coverage thresholds for collecting and reporting HMDA data and to retire its HMDA Explorer tool. (Covered by InfoBytes here.) In the letter, members argue that recent data “showed widespread discrimination in bank lending” and that redlining continues to be a pervasive problem. They note that HMDA data is an important tool for public officials to understand access to credit in their communities, and that the Bureau’s proposal would exempt “about half of lending institutions from reporting data about closed-end mortgages … [and] sacrifice information that can make a difference in the lives of creditworthy, lower-income consumers.” The members also ask for information regarding the new Federal Financial Institutions Examination Council (FFIEC) query tool that is to be used as a replacement for the HMDA Explorer tool and Public Data Platform API that the Bureau plans to retire, as previously covered by InfoBytes here.

    Federal Issues Agency Rule-Making & Guidance CFPB HMDA FFIEC U.S. House House Financial Services Committee Mortgages
