Financial Services Law

Comptroller: Retailers Must Be Held Accountable for Data Breaches

Why it matters

Reflecting continued regulatory focus on the issue of cybersecurity, Comptroller of the Currency Thomas Curry said in recent remarks that retailers must be held accountable for data breaches, urging federal lawmakers to adopt legislation that would alleviate the burden currently shouldered by banks. “The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions,” he said at the Tenth Annual Community Bankers Symposium in Chicago. “And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.” Multiple bills addressing cybersecurity that would shift some level of responsibility to retailers are currently pending in Congress, leaving Curry “hopeful” for a change, he added. While he advocated for a more reasonable burden for financial institutions, Curry also reminded banks to remain vigilant with regard to data security. “Clearly, our expectations as supervisors are high in the area of cybersecurity. But the stakes are high as well,” he said.

Detailed discussion

Cybersecurity is a topic much in the headlines recently, Curry acknowledged to an audience of community bankers. He added that even if community banks themselves have not been named in a high-profile breach, they still suffer from data thefts.

“Financial institutions are often on the hook to compensate customers for fraudulent charges, and replace credit and debit cards and monitor account activity for fraud at significant cost,” he said. “That’s not easy for any bank, but it’s a burden that falls especially heavy upon community institutions. At a cost of $5 or more per card and covering the related fraud charges, the costs can run up very quickly.”

The spate of recent data breaches highlights two pressing points, Curry explained. First, all entities can improve their cybersecurity.

Secondly, the incidents “also demonstrate why we need to level the playing field between financial institutions and merchants,” he told attendees. “The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”

Having called for a more equal playing field, Curry reiterated the importance of cybersecurity for community institutions. Recognizing that smaller institutions have limited resources, he encouraged attendees to take advantage of other options, including the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Curry also voiced support for the Federal Financial Institutions Examination Council’s (FFIEC) efforts to provide guidance on the issue of cybersecurity, citing alerts issued by the group on technological vulnerabilities like the “Heartbleed” bug as well as an “instructive” report with observations on a Cybersecurity Assessment of community institutions.

The report “will help member agencies make informed decisions about ways to enhance the effectiveness of cybersecurity-related supervisory programs, guidance and examiner training,” Curry explained. Among its suggestions are incorporating cyber-incident scenarios into business continuity and disaster recovery planning and attending to “external dependency management,” that is, keeping a close eye on third-party connections.

“[W]e expect management at every institution we supervise to monitor and maintain sufficient awareness of cybersecurity threats and vulnerabilities,” Curry counseled his audience. “For an industry in which reputation means everything, a single data breach involving confidential customer information can be extremely costly.”

Banks should expect heightened regulatory concern about their cybersecurity planning to be expressed as part of the regular bank examination process.

In addition, on December 10, New York’s Department of Financial Services (DFS) Superintendent Benjamin Lawsky issued new cybersecurity guidance for New York banks. 

Lawmakers Query Banks About Data Security

Why it matters

Suffered a cyber attack over the last year? Members of Congress want to hear about it, and all financial institutions should be prepared to respond competently to government inquiries if they are the victim of a data breach.

In letters to 16 financial institutions, federal legislators requested information about data security and whether the bank had been subjected to any cyber attacks over the previous year. Sen. Elizabeth Warren (D-Mass.) and Rep. Elijah Cummings (D-Md.) asked the entities detailed questions about the protections in place for sensitive data and the scope and impact of any attacks they may have suffered. In addition to answers, the lawmakers instructed the recipients to provide a briefing from their chief IT security professional. “Your company’s knowledge, information and experience will be helpful as Congress examines federal cybersecurity laws, and any necessary improvements to protect sensitive consumer and government information,” the lawmakers wrote, noting that law enforcement officials have identified the U.S. financial sector as “one of the most targeted in the world” for cyber crime.

Detailed discussion

Focusing on cybersecurity, two lawmakers called on financial institutions to provide perspective on their experience over the past 12 months. Sen. Warren and Rep. Cummings cited statistics that 500 million records have been stolen from various financial institutions as a result of cyber attacks over the last year, with 80 percent of the hacking victims unaware of the breach until informed by federal investigators. Press reports about a recent bank victim, JPMorgan Chase, indicated that the hackers may have tried to breach the security protections at other institutions, the lawmakers said.

“The increasing number of cyber attacks and data breaches is unprecedented and poses a clear and present danger to our nation’s economic security,” Sen. Warren and Rep. Cummings wrote. “Each successive cyber attack and data breach not only results in hefty costs and liabilities for businesses, but exposes consumers to identity theft and other fraud, as well as a host of other cyber crimes. Your ability to protect consumers and safeguard their personal information is central to earning and maintaining consumer confidence in our economic system.”

To aid in federal oversight, the lawmakers requested that the recipients – Automatic Data Processing, Inc., Bank of America, Bank of New York Mellon, Bank of the West, Citigroup, Deutsche Bank, E-Trade, Fidelity, GE, Goldman Sachs, HSBC, Morgan Stanley, PNC, Regions, U.S. Bank, and Wells Fargo – provide certain information.

If the company suffered any breaches or attempted hacks over the last year, the letter sought information about the date, manner, and method of intrusion used, when the institution first discovered the breach, and what types of data were accessed, as well as the number of customers affected and how they were notified of the breach.

The legislators also sought findings from investigative analyses and reports that may have identified vulnerabilities to malware or other causes of the breach, along with information about the individuals or entities thought responsible.

The letter further asked what data protection improvements the institution undertook in the wake of the breach, and for an estimate of the number and value of fraudulent transactions connected to the data breach, including a breakdown of government customers.

For those institutions that have not suffered a breach, the lawmakers made inquiries about third-party relationships, asking for “a description of the data security policies and procedures that govern your relationships with vendors, third-party service providers, and subcontractors, including the manner by which your company ensures that entities performing work on your behalf have reasonable data security controls in place to thwart cyber attacks.”

Finally, the letter requested any recommendations that letter recipients might have “for improvements in cybersecurity laws or the coordination of efforts to identify and respond to emerging trends in cybersecurity risks to help prevent future data breaches.”

In addition to providing responses to the questions by December 19, the legislators requested a briefing from the financial institution’s chief IT security professional.

CFPB Releases Proposed Prepaid Product Rule

Why it matters

The Consumer Financial Protection Bureau (CFPB) released a proposed rule that Director Richard Cordray said would “fill key gaps” for consumers regarding prepaid products. The 870-page proposal would add protections such as a requirement that financial institutions work with consumers to investigate any errors on covered products, protect consumers against fraud and theft, provide consumers with free and easy access to product information, and add “Know Before You Owe” prepaid disclosures that would highlight the key costs associated with the product prior to use. Certain protections provided to credit cards would be adopted for prepaid cards as well, including monthly account statements and limits on late fees and first-year fees. The scope of covered products is broad and may reach emerging technologies such as value stored on mobile devices, not just traditional prepaid cards. As a result, the proposal could have a significant impact on the evolution of new payment systems. The proposal is currently open for public comment.

Detailed discussion

Seeking to increase the protections available for consumers with regard to prepaid products, the CFPB proposed a new rule.

“Consumers are increasingly relying on prepaid products to make purchases and access funds, but they are not guaranteed the same protections or disclosures as traditional bank accounts,” Cordray said in a press release. “Our proposal would close the loopholes in this market and ensure prepaid consumers are protected whether they are swiping a card, scanning their smartphone, or sending a payment.”

Prepaid products are among the fastest growing types of consumer financial products in the United States; the total dollar value loaded onto general purpose reloadable cards is expected to reach almost $100 billion through 2014, the agency said, adding that unbanked and underbanked consumers are “disproportionately” likely to rely on prepaid cards.

The proposal – which would cover traditional plastic prepaid cards as well as mobile and other electronic prepaid accounts like payroll cards, tax refund cards, peer-to-peer payment products, and certain federal, state and local government benefit cards – would apply existing federal protections in place for other products to covered prepaid products.

Protections under the Electronic Fund Transfer Act (EFTA) would apply once a consumer registers the account, providing benefits analogous to those of checking accounts, the CFPB said. For example, financial institutions would be required either to provide periodic statements to consumers or to make account information easily accessible online at no cost.

The proposed rule would also provide error resolution rights for consumers, requiring financial institutions to investigate and resolve mistakes “in a timely manner.” If the institution cannot resolve the alleged error within the given time frame, the consumer’s account must be credited for the disputed amount until the investigation is complete.

Provisions were included for unauthorized, erroneous, or fraudulent withdrawals or purchases, limiting consumers’ liability for a lost card or unauthorized charges to $50, as long as the consumer provides prompt notice of the transaction.

The CFPB expanded the use of “Know Before You Owe” disclosures to prepaid products in the proposed rule, providing two model disclosure forms. Financial institutions would need to complete a short form that would highlight key information for the prepaid account, including the monthly fee, fee per purchase, ATM withdrawal cost and the fee to reload cash on the account. The long form would include all of the information from the short form as well as any other fees that could possibly be imposed on the account.

Consumers would have to receive or have access to a full set of the fees and account information prior to acquiring the account, the Bureau added. Prepaid account issuers must post account agreements on their websites and provide them to the CFPB for posting on an agency site.

To bring the protections for prepaid products in line with other credit products, provisions from the Truth in Lending Act and the Credit Card Accountability Responsibility and Disclosure Act were incorporated into the proposal. Before offering credit, prepaid companies must ensure that consumers have the ability to repay the debt, provide a monthly credit billing statement, give consumers at least 21 days to repay a debt before charging a late fee (which must be “reasonable and proportional” to the account terms at issue), and restrict the total fees for prepaid credit products to 25 percent of the credit limit during the first year of the account.

To keep prepaid account and credit products distinct, the CFPB added other requirements, such as a 30-day waiting period and a clear separation between prepaid funds and credit repayment, banning the use of funds loaded onto the prepaid account to repay the credit unless the consumer has affirmatively opted in.

New York DFS Targets Third-Party Relationships in Letters to Banks

Why it matters

Continuing the regulatory focus on third-party relationships, New York’s Department of Financial Services (DFS) has sent multiple letters to banks across the country to address the issue of data security. The DFS has been keeping a close eye on cybersecurity in the banking sector, releasing a report in May that noted “the industry’s reliance on third-party service providers for critical bank functions” presents serious concerns for financial institutions. The New York regulator is not alone; the Office of the Comptroller of the Currency (OCC) released a bulletin earlier this year with guidance about managing the risk of third-party relationships, while the OCC and the Federal Deposit Insurance Corporation (FDIC) took action for “unsafe or unsound banking practices” against two financial institution technology service providers.

Detailed discussion

Expressing concern about the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers,” the DFS sent several letters to gather data about current practices.

DFS Superintendent Benjamin Lawsky asked recipients to disclose “any policies and procedures governing relationships with third-party service providers,” as well as “any due diligence processes used to evaluate” all types of providers, including accountants and law firms.

Specifically, the DFS requested the methods used to protect sensitive data being sent to or received from third parties, the data accessible by those outside the institution, and “any and all protections against loss incurred as a result of an information security failure by a third-party service provider, including any relevant insurance coverage.”

“It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky wrote in the letter, a copy of which was obtained by Reuters. “It is important that financial institutions are able to identify, monitor and mitigate any cybersecurity risks posed by their third-party relationships.”

The trigger for the letters and heightened regulatory scrutiny appears to be the number of high-profile data breaches occurring at major companies, such as JPMorgan Chase. That incident involved the personal information – including names, addresses, phone numbers, and e-mail addresses – of an estimated 83 million accountholders when the bank’s computer systems were hacked.

Lawsky’s letter said that, after collecting the requested information from banks, the DFS intends to review how institutions manage cybersecurity risks with regard to third parties, with an eye toward possible regulation. The regulator is reportedly considering a rule that would require financial institutions to obtain representations and warranties from third-party service providers with respect to cybersecurity standards and practices.
