Financial Services Law

CFPB Flunks For-Profit Education Company, Orders $31M Payment

Continuing its recent focus on student lending, the Consumer Financial Protection Bureau (CFPB) ordered a for-profit college company to provide loan forgiveness and refunds of more than $23 million, adding an $8 million civil money penalty on top.

What happened

Since 2009, California-based Bridgepoint Education Inc. enrolled hundreds of thousands of students in online courses at Ashford University and the University of the Rockies, offering private loans to cover tuition costs. But the company also deceived students into taking out private student loans that cost more than advertised, the Bureau alleged in an administrative complaint. For example, the company told borrowers repayment was as low as $25 each month when this estimate "was not realistic" and monthly payments were much higher, the CFPB said. As a result, students did not know the true cost of their loans and were obliged to pay more than promised, according to the Bureau.

"Bridgepoint deceived its students into taking out loans that cost more than advertised, and so we are ordering full relief of all loans made by the school," CFPB Director Richard Cordray said in a statement about the action. "Together with our state partners, we will continue to be vigilant in rooting out illegal practices facing student borrowers in the for-profit space."

To settle charges that the company's actions violated the Dodd-Frank Wall Street Reform and Consumer Protection Act's prohibition on unfair, deceptive, or abusive acts or practices, Bridgepoint entered into a consent order with the CFPB.

All payments made by students toward private student loans taken out from the two schools will be refunded pursuant to the consent order, including principal and interest. In addition to this estimated $5 million, Bridgepoint must also discharge all outstanding debt for its institutional student loans, another $18.5 million. The CFPB tacked on an $8 million civil money penalty for a total of $31.5 million.

Bridgepoint is also subject to policy changes. Going forward, the company is prohibited from making false, deceptive, or misleading statements about actual or typical monthly payments that students are obligated to make and must remove any negative information about outstanding private student loan debt owed to the school from borrowers' credit reports.

Finally, the Bureau leveraged a newly developed financial aid shopping tool as part of the consent order. Bridgepoint will now require all entering students as well as existing students starting different programs to use the tool when they decide to borrow money to pay for school. The tool provides personalized financial aid offer information along with details about graduation and loan default rates, potential salaries for the program the student is interested in, and post-graduation budgeting.

Students will be required to use the tool prior to enrollment, the CFPB said, and Bridgepoint will be responsible for generating a personalized interactive disclosure for each student.

To read the consent order in In the Matter of Bridgepoint Education, Inc., click here.

Why it matters

The CFPB has made student lending one of its priorities in recent months, from an administrative action against a debt relief company for allegedly deceiving student loan borrowers and misrepresenting an affiliation with the Department of Education to a proposal for grading financial companies for their offerings to students with the "Safe Student Account Scorecard," an attempt to increase transparency on student accounts.


New York's DFS Proposed Cybersecurity Regulations for Financial Institutions

New York's Department of Financial Services (DFS) has proposed a broad-reaching cybersecurity regulation that would impose new corporate governance, risk management and vendor management requirements on banks and other financial services entities.

What happened

With the threat of cybercriminals continuing unabated, the DFS proposed a "first-in-the-nation" regulation for banks, insurance companies and other financial services institutions under its jurisdiction. The "Cybersecurity Requirements for Financial Services Companies" represent minimum standards and were drafted to allow institutions the flexibility to keep pace with technological advances.

"This regulation requires each company to assess its specific risk profile and design a program that addresses its risk in a robust fashion," the DFS wrote. "Senior management must take this issue seriously and be responsible for the organization's cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity's cybersecurity program must ensure the safety and soundness of the institution and protect its customers."

Covered entities include "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law." As a result, nationally chartered institutions, such as national banks, would not be subject to the regulation.

The regulation would require covered entities to establish and maintain a cybersecurity program that is "designed to ensure the confidentiality, integrity and availability" of the entity's information systems and "nonpublic information," including any business-related information, information provided to a covered entity, healthcare information, and personally identifiable information. Certain core cybersecurity functions should be included in the program, according to the regulations, such as identifying internal and external cyber risks, the use of defensive infrastructure, and fulfillment of all regulatory reporting requirements.

Covered entities also need to implement and maintain a cybersecurity policy covering a broad array of topics, from business continuity and disaster recovery planning and resources to incident response to physical security and environmental controls. The policy must be reviewed and approved by the board of directors or an equivalent governing body, DFS said.

If a financial institution has not already done so, the regulations mandate the appointment of a Chief Information Security Officer (CISO) "responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy." The CISO must provide a report to the board (at least biannually) about the state of the program and enforcement of the policies and procedures, made available to the DFS Superintendent upon request.

Third-party access to information systems should receive special attention in a Covered Entity's written policies and procedures, DFS noted. Entities should conduct a risk assessment of all third parties with access to nonpublic information or information systems, establish minimum cybersecurity practices for third parties to do business together, and perform at least annual assessments of the continued adequacy of a third party's cybersecurity practices.

Some of the regulations' requirements are quite granular, such as those mandating limitations on access privileges, the use of multifactor authentication, limits on data retention, and the encryption of nonpublic information (both in transit and at rest).

Covered entities are also required to notify DFS of any cybersecurity event with a "reasonable likelihood of materially affecting the normal operation of the Covered Entity" or "that affects nonpublic information," within 72 hours of becoming aware of the event. The regulations define the term "cybersecurity event" as "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System."

DFS offers limited exemptions from the regulations for covered entities with fewer than 1,000 customers in each of the last three calendar years, less than $5 million in gross revenue over the last three fiscal years, and less than $10 million in year-end total assets.

To read the DFS cybersecurity regulations, click here.

Why it matters

Because of the large number of banks, insurance companies and other financial institutions based in New York, the regulation is likely to have nationwide impact on financial institutions' cybersecurity compliance practices. Set to take effect January 1, 2017, the regulations are based in part on the DFS's recent survey of regulated financial institutions and their cybersecurity practices. "Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with," DFS Superintendent Maria T. Vullo said in a statement. "DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks." Financial institutions should familiarize themselves with the regulations, which could provide the basis for similar standards in other states or from federal regulators.


House to Consider Financial CHOICE Act

The full House of Representatives will now consider Rep. Jeb Hensarling's (R-Texas) legislative proposal to repeal the Dodd-Frank Wall Street Reform and Consumer Protection Act after it passed out of committee.

What happened

The Financial CHOICE (Creating Hope and Opportunity for Investors, Consumers and Entrepreneurs) Act was introduced in July by Rep. Hensarling, the Chair of the House Financial Services Committee.

In addition to replacing Dodd-Frank, the 512-page H.R. 5983 would add a new section to the Bankruptcy Code specific to large financial institutions, offer regulatory relief to banks that elect to maintain a 10 percent leverage ratio, prevent the Financial Stability Oversight Council from designating nonbank firms (such as insurance companies) as systemically important financial institutions subject to heightened supervision, and cap the fraud penalties imposed by the Securities and Exchange Commission.

The bill would "end[] too big to fail once and for all and assure[] that these companies are subject to bankruptcy, not bailout," Rep. Hensarling said in prepared remarks prior to a vote on the measure, calling it "a better way" than Dodd-Frank. "It replaces taxpayer funds with loss-absorbing private capital—far more capital than either Dodd-Frank or Basel requires. And it substitutes market discipline for government control."

If enacted, the bill would effect a full repeal of the Volcker Rule and have a significant impact on the Consumer Financial Protection Bureau (CFPB), changing the structure of the agency to a five-member commission (with an accompanying tweak to its name to the "Consumer Financial Opportunity Commission") funded through the appropriations process. The new Commission would be required to verify consumer complaint information before making it publicly available, use the notice and comment process for any proposed guidance, and establish a procedure for issuing written advisory opinions.

The bill passed the Financial Services Committee along almost uniform party lines, with just one Republican breaking ranks to vote against the measure in a final count of 30 to 26. Democrats elected to take a hands-off approach to the proposal by not proposing any amendments or changes and instead simply voted against it.

To read the Financial CHOICE Act, click here.

Why it matters

With a Democrat in the White House, enactment is obviously unlikely. That said, some expect the bill to provide a model for future legislation in a possible Trump administration. Rep. Hensarling is no stranger to legislative proposals circumscribing the CFPB's authority and reining in Dodd-Frank, having supported bills that would repeal Bureau guidance with regard to both auto lending and mortgage lending.


FFIEC Offers Guidance on Information Security Exams

How will examiners review the information security programs of financial institutions?

Revised guidance from the Federal Financial Institutions Examination Council (FFIEC) provides help to banks by articulating the expectations of federal regulators in an update to the "Information Security" booklet originally released by the interagency body in 2006.

What happened

Information security "is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information," the FFIEC explained, and is "essential" to the overall safety and soundness of an institution.

To help guide banks through the process of examinations focused on information security, the updated guidance begins with some general rules. Information security policies and processes should be "commensurate with [a bank's] operational complexities," with strong board and senior management support, clear accountability for carrying out security responsibilities, and review on an ongoing basis to "assess and refine" program controls.

The guidance set forth four overarching areas of an institution's information security program that examiners will be taking a closer look at, beginning with effective corporate governance. Banks should establish a "culture" of information security, with clearly defined information security responsibilities and adequate resources to support the information security program, the FFIEC said.

"Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program," the guidance stated, independent of the IT operations staff and reporting directly to the board or senior management.

With regard to information security management policies and procedures, banks should identify threats, measure risk, define information security requirements, and implement controls, the booklet advised. Consistent with the FFIEC Cybersecurity Assessment Tool, the guidance reminded financial institutions to address each phase of the information security process, from risk identification to risk measurement to risk mitigation and risk monitoring and reporting.

In addition, the policies should integrate with other parts of the bank like support functions and lines of business, making sure to consider third-party service provider activities. "Although the use of outsourcing may change the location of certain activities from financial institutions to third-party service providers, outsourcing does not change the regulator expectations for an effective information security program," the guidance noted.

Examiners will also review the security operations of a financial institution's information security program. Strong operations should be broad enough to encompass all security-related functions with appropriate staffing levels as well as the technology necessary for continual incident detection and response activities.

Policies should address the "timing and extent" of security operations activities, reporting, escalation triggers, and response actions, the FFIEC said, adding that many institutions use an issue tracking system to record and manage requests and events.

Finally, the guidance discussed the need for testing. Self-assessments, tests, and audits of the overall program are essential, and should have appropriate coverage, depth, and independence, the FFIEC explained. As part of the testing regime, a reporting process—including the creation and distribution of "timely, complete, transparent, and relevant to management decision" reports—should be followed.

To read the FFIEC's booklet, click here.

Why it matters

The FFIEC guidance offers a road map to information security program compliance and is required reading for financial institutions.


FinCEN Warns of E-Mail Compromise Schemes

Financial institutions should be aware of a growing number of e-mail compromise schemes, the Financial Crimes Enforcement Network (FinCEN) warned in a new advisory bulletin.

What happened

Developed in coordination with the Federal Bureau of Investigation (FBI) and the U.S. Secret Service, FIN-2016-A003 puts banks on notice that criminals are misappropriating funds by compromising the e-mail accounts of victims to send fraudulent wire transfer instructions to financial institutions.

A growing trend—there have been approximately 22,000 reported cases involving $3.1 billion since 2013—the scams appear in two forms: business e-mail compromise (BEC) fraud, targeting a financial institution's commercial customers, and e-mail account compromise (EAC), which involves a victim's personal accounts.

The e-mail compromise schemes involve three stages, FinCEN explained. First, criminals unlawfully access a victim's e-mail account through social engineering or computer intrusion, gaining access to information about the victim's financial institutions, account details, and contacts. In the second stage, the criminals use the stolen information to e-mail fraudulent wire transfer instructions to the financial institution in a manner that appears to be from the victim.

Criminals will use either the victim's actual e-mail account or create a fake e-mail account resembling the victim's e-mail, the advisory said. For the final stage, criminals trick the victim's employee or financial institution into conducting wire transfers that appear legitimate but are in fact unauthorized. Banks in Hong Kong and China are common destinations for fraudulent transactions, FinCEN added.

The advisory provided three examples of common BEC and EAC schemes. In the BEC illustrations, a criminal impersonates a financial institution's commercial customer, asking the bank to pay $200,000 for business activity to an account in Hong Kong, or the criminal impersonates a company executive, instructing an employee to effectuate a transfer. Scams have also involved criminals pretending to be a supplier, providing fraudulent payment information to mislead a company employee into unintentionally directing wire transfers to a criminal-controlled account.

As for EAC schemes, "[i]ndividuals who conduct large transactions through financial institutions, lending entities, real estate companies, and law firms are the most likely targets," FinCEN cautioned. Common scenarios include criminals who impersonate lending or brokerage services to transfer money ostensibly on behalf of a client or impersonate attorneys to tap into client funds.

How to combat the scams? "Success in detecting and stopping BEC and EAC schemes requires careful review and verification of customers' transaction instructions and consideration of the circumstances surrounding such instructions," the advisory said.

FinCEN offered red flags for BEC and EAC fraud, emphasizing that no single transactional red flag necessarily indicates suspicious activities and that financial institutions should also perform additional inquiries and investigations where appropriate. Red flags include seemingly legitimate e-mails that "contain different language, timing, and amounts" than previously verified, messages from a familiar source with a slightly altered e-mail address (such as an underscore instead of a dash, or a single letter transposed), and wire transfer instructions to a foreign bank account that has been documented as the destination of fraudulent transactions.

Also problematic: e-mailed transaction instructions that feature markings, assertions, or language designating the transaction request as "Urgent," "Secret," or "Confidential," as well as instructions "that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction," according to the advisory.
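The red flags above are the kind of checks a bank's fraud or security team would automate at the point where e-mailed wire instructions enter the payment queue. What follows is an added illustration for this page, not code from FinCEN or from the advisory: it screens a wire request against a customer's verified sender addresses (catching the underscore-for-dash and transposed-letter lookalikes the advisory describes), the "Urgent"/"Secret"/"Confidential" and no-time-to-confirm wording, an out-of-pattern amount or destination country, and a list of accounts previously documented as fraud destinations. The customer profile, the known-bad account and the three sample messages are constructed for the example; the `.example` domains and account identifiers are placeholders.

```python
"""Screen e-mailed wire instructions against the BEC/EAC red flags in
FIN-2016-A003.  Added example for this page, not FinCEN's code; the
customer profile, known-bad account and sample messages are constructed."""
import re
from dataclasses import dataclass

# Wording the advisory says should prompt a closer look ("Urgent", "Secret",
# "Confidential", or anything that leaves no time to confirm the request).
URGENCY_MARKERS = ("urgent", "secret", "confidential", "today", "cannot take calls")

@dataclass
class WireRequest:
    sender: str               # From: address as it arrived
    subject: str
    body: str
    amount: float
    beneficiary_account: str  # destination account identifier (placeholder format)
    beneficiary_country: str  # country of the receiving bank

@dataclass
class CustomerProfile:
    verified_senders: set     # addresses confirmed with the customer out-of-band
    typical_amount: float     # size of this customer's usual wires
    usual_countries: set      # where this customer usually sends money

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete and substitute cost 1,
    and so does swapping two adjacent letters, so a single transposition
    (one of the advisory's red flags) scores 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(address, verified):
    """Return the verified address that `address` imitates (at most two small
    edits apart after folding '-', '_' and '.' together, the substitution the
    advisory calls out), or None for an exact match or no resemblance."""
    fold = lambda s: re.sub(r"[-_.]", "-", s.lower())
    if address.lower() in {v.lower() for v in verified}:
        return None
    best, best_dist = None, 3
    for v in verified:
        dist = osa_distance(fold(address), fold(v))
        if dist < best_dist:
            best, best_dist = v, dist
    return best

def screen(req, profile, known_bad_accounts):
    """Return the red flags raised by one wire request."""
    flags = []
    if req.sender.lower() not in {v.lower() for v in profile.verified_senders}:
        imitated = lookalike_of(req.sender, profile.verified_senders)
        flags.append(f"sender {req.sender} resembles verified {imitated}" if imitated
                     else f"sender {req.sender} is not a verified address")
    hits = [m for m in URGENCY_MARKERS if m in f"{req.subject} {req.body}".lower()]
    if hits:
        flags.append("pressure or secrecy language: " + ", ".join(hits))
    if req.amount > 2 * profile.typical_amount:
        flags.append(f"amount {req.amount:,.0f} far above typical {profile.typical_amount:,.0f}")
    if req.beneficiary_country not in profile.usual_countries:
        flags.append(f"unusual destination country {req.beneficiary_country}")
    if req.beneficiary_account in known_bad_accounts:
        flags.append("beneficiary account previously documented as a fraud destination")
    return flags

def disposition(flags):
    """One flag alone is not conclusive (the advisory's own caveat): it earns a
    call-back on a known-good number; two or more hold the wire."""
    return "release" if not flags else "verify out-of-band" if len(flags) == 1 else "hold and investigate"

# Constructed sample data for the example.
PROFILE = CustomerProfile({"ap@acme-widgets.example"}, 15_000.0, {"US", "DE"})
KNOWN_BAD = {"HK-CONSTRUCTED-0001"}
ROUTINE = WireRequest("ap@acme-widgets.example", "Invoice 4471",
                      "Please pay the attached invoice per standing instructions.",
                      12_000.0, "DE-CONSTRUCTED-0002", "DE")
SPOOFED = WireRequest("ap@acme_widgets.example", "URGENT and confidential",
                      "Our supplier changed banks. Wire 200,000 today to the account below. "
                      "I am travelling and cannot take calls.",
                      200_000.0, "HK-CONSTRUCTED-0001", "HK")
HURRIED = WireRequest("ap@acme-widgets.example", "Urgent: invoice 4480",
                      "Can this go out today? Same beneficiary as last month.",
                      13_000.0, "DE-CONSTRUCTED-0002", "DE")

if __name__ == "__main__":
    for name, req in (("routine", ROUTINE), ("spoofed", SPOOFED), ("hurried", HURRIED)):
        flags = screen(req, PROFILE, KNOWN_BAD)
        print(f"{name}: {disposition(flags)}", *("\n   - " + f for f in flags))
```

Run as a script, the routine invoice releases, the spoofed request (lookalike sender, pressure wording, ten-times-normal amount, unusual country, documented-fraud destination) is held, and the hurried-but-legitimate request earns only a call-back, matching the advisory's point that a single red flag does not by itself establish suspicious activity. In production the verified-sender list would come from the customer's onboarding record, the known-bad accounts from law-enforcement and FinCEN sharing, and the call-back would be placed to a number on file rather than one in the e-mail.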

FIN-2016-A003 also encouraged financial institutions to report BEC and EAC fraud, even where attempts are unsuccessful. Although transactions are often irrevocable, victims or financial institutions that report unauthorized wire transfers to law enforcement within 24 hours have greater success at recovery, in part due to FinCEN's partnership with the FBI and Secret Service.

In addition, financial institutions may have an obligation to report a scam. "With respect to e-mail-compromise fraud, a financial institution may have a [Suspicious Activity Report] filing obligation regardless of whether the scheme or involved transactions were successful, and regardless of whether the financial institution or its customers incurred an actual loss," FinCEN said.

To read FIN-2016-A003, click here.

Why it matters

Financial institutions would be well served to use extra caution when handling e-mail requests for wire transfers. FinCEN urged banks to consider all the surrounding facts and circumstances in conjunction with the red flags described in the advisory, and to perform additional inquiries and investigations where appropriate. "Financial institutions can play an important role in identifying, preventing, and reporting fraud schemes by promoting greater communication and collaboration among their internal anti-money laundering, business, fraud prevention, and cybersecurity units," the advisory stated. Financial institutions should identify the customers most likely to be targeted by such e-mail scams and consider educational outreach programs to build their working relationships with those customers.
