Financial Services Law

NY Regulator To Conduct Cyber Security Audits And Federal Regulators Require Cyber Security Risk Assessments

New York’s Department of Financial Services (DFS) announced plans to conduct targeted cyber security audits of financial institutions regulated by the state agency following the release of a report documenting an increase in the number and intensity of cyber intrusions.

Days later, federal regulators unveiled plans for a new cyber security vulnerability and risk-mitigation assessment as well as a regulatory self-assessment of supervisory policies and processes. Highlighting key focus areas for senior management and boards of directors in community banks, the regulators indicated that they would start reviewing community banks’ ability to identify and mitigate cyber security risks as early as this summer in the information technology portion of safety and soundness examinations.

The DFS report on bank cyber security preparedness follows a survey of 154 state-regulated banks that found “most institutions experienced intrusions or attempted intrusions into their IT systems over the past three years.”

Not surprisingly, the report stated “[c]yber attacks against financial services institutions are becoming more frequent, more sophisticated, and more widespread.” It noted, however, that “[a]lthough large-scale denial-of-services attacks against major financial institutions generate the most headlines, community and regional banks, credit unions, money transmitters, and third-party service providers (such as credit card and payment processors) have experienced attempted breaches in recent years.”

Third-party processor breaches were reported by 18 percent of small institutions and 15 percent of large institutions, according to the report, with big banks also experiencing cyber threats to ATMs and mobile banking.

In addition to a rise in frequency, the “Report on Cyber Security in the Banking Sector” found an increase in the sophistication of attacks, from malware to phishing and pharming to botnets or zombies, resulting in account takeovers, identity theft, and network disruptions.

The report attributed the increases to “unfriendly nation-states” hacking U.S. systems for intelligence or intellectual property and “hacktivists” trying to make political statements, as well as those just trying to make some money, like organized crime groups or other criminals.

“As the cost of technology decreases, the barriers to entry for cybercrime drop, making it easier and cheaper for criminals of all types to seek out new ways to perpetrate cyberfraud,” the agency wrote in the report. “A growing black market for breached data serves to encourage wrongdoers further.”

To help banks better protect themselves, DFS said it will update its bank examination procedures to conduct the cyber security reviews using additional lines of queries about IT management and governance, vendor management, access controls, network security, disaster recovery, and incident response and event management.

The revised examinations “are intended to take a holistic view of an institution’s cyber readiness and will be tailored to reflect each institution’s unique risk profile,” the report concluded. “The Department believes this approach will foster smarter, stronger cyber security programs that reflect the diversity of New York’s financial services industry.”

Additional details about timing and content regarding the reviews will be released soon, DFS promised. In the meantime, it offered a tip to all state-chartered depository institutions, suggesting that they join the Financial Services Information Sharing and Analysis Center to receive notification about cyber security and physical threats and anonymously share threats with other institutions.

“The fact that so much of our financial lives are spent online makes banks increasingly tempting targets for cyber attacks,” noted DFS Superintendent Benjamin M. Lawsky. “Hackers spend day and night trying to think up new ways to steal consumers’ personal information and disrupt our nation’s financial markets, and it’s more important than ever that we rise to meet that challenge.”

To read the report, click here. To read the FFIEC release, click here.

Why it matters: Cybersecurity clearly has become a high priority supervisory issue for financial institution regulators. The FFIEC suggested a number of areas banks should focus on to prepare for upcoming reviews of their ability to identify and mitigate cybersecurity risks. These should be reviewed carefully and the necessary steps taken to create or enhance and implement appropriate policies and procedures before the next regular or special examination.

back to top

Comptroller Curry: Check The Shadows For Banking Threats

Where are the seeds of the next financial crisis?

Speaking at the Conference of State Bank Supervisors, Comptroller of the Currency Thomas Curry discussed threats to the national banking system and warned listeners about the dangers of the “shadow banking system.”

As regulatory scrutiny on banks intensifies, assets are shifting from regulated depository institutions to lesser-regulated institutions, Curry explained, resulting in an unbalanced system – and the potential for serious problems.

“In the wake of the financial crisis, the regulation of insured depository institutions has become much more rigorous, as it should,” Curry told attendees. “But as we add safeguards, beef up capital requirements, and raise standards, some activities are almost certain to migrate out of insured financial institutions into what is often called the shadow banking system. We are seeing that clearly in the area of mortgage servicing rights, which is shifting from bank servicers to nonbank companies as a result of the new capital rules.”

The Consumer Financial Protection Bureau will fill certain gaps, the Comptroller said, by writing new rules and supervising some nonbank entities. But state regulators need to step up and do their part.

“The shift of financial assets into the shadow banking system could carry with it the seeds for the next financial crisis if we do not act quickly and effectively,” Curry cautioned. “We can’t tolerate a situation where banking activities migrate to nonbank financial institutions in order to escape prudential supervision.”

State regulators should conduct balanced supervision of both bank and nonbank institutions, Curry advised. “Much of the burden for regulating the shadow system will fall upon the states, and I would encourage you to make this a high priority.”

Just a few days later, Superintendent of New York’s Department of Financial Services (DFS) Benjamin Lawsky echoed Curry’s concerns in remarks to the Mortgage Bankers Association. He also cited nonbank mortgage loan servicers as an example of the potential for a “race to the bottom” where homeowners and investors “are at risk of becoming fee factories.”

As banks offload mortgage servicing rights to lesser-regulated nonbank mortgage servicers, some servicers – being paid a flat fee – try to provide their services as cheaply as possible to maximize profits. “Regulators have a responsibility to ask whether the purported ‘efficiencies’ at nonbank mortgage servicers are too good to be true,” Lawsky said.

Some servicers also offer ancillary services like property inspections or foreclosure sales, he added, deciding how much to charge the borrower or investor with limited oversight. “The potential for conflicts of interest and self-dealing here are perfectly clear,” Lawsky said. “Servicers have every incentive to use these affiliated companies exclusively for their ancillary services, and they often do. The affiliated companies have every incentive to provide low-quality services for high fees, and they appear in some cases to be doing so.”

Answering Curry’s call, Lawsky said the DFS plans to increase its focus on nonbank servicers, particularly in the mortgage industry. “We’ve publicly highlighted our concerns about ancillary services with one particular nonbank servicer, but they are not the only industry player doing this,” he noted.

To read Comptroller Curry’s prepared remarks, click here.

To read excerpts from Superintendent Lawsky’s speech, click here.

Why it matters: The “shadow banking” term is used to address unregulated competitors of banks (mortgage brokers and servicers, non-bank auto and payday lenders, private equity firms, PayPal, Google and Bitcoin) as well as functions in the financial system which are being targeted for more regulation (repurchase agreements, asset securitization, the secondary mortgage market). After the financial crisis, banks have been the focus of state and federal regulators for increased regulation and capital and liquidity requirements, often to the competitive disadvantage and potential demise of the traditional bank business model. However, going forward, potential systemic risk is likely to be regulated wherever regulators identify it – including in the shadows of the financial system.

back to top

CFPB Report Focuses On Nonbank Financial Institutions

A new report from the Consumer Financial Protection Bureau (CFPB) highlighted the agency’s supervisory efforts with regard to nonbank financial institutions like payday lenders, debt collectors, and consumer reporting agencies. The CFPB also announced plans to finalize rules that would extend its supervisory authority to international money remitters with at least one million aggregate international money transfers annually. The report also says the CFPB anticipates expanding its supervisory authority to include the larger indirect nonbank auto lenders.

The Spring 2014 Supervisory Highlights report revealed that nonpublic supervisory actions by the CFPB have yielded more than $70 million in remediation to roughly 775,000 consumers between November 2013 and February 2014 in areas like deposits, consumer reporting, credit cards, mortgage origination, and mortgage servicing.

The report addressed in detail supervisory observations with respect to three nonbank markets: payday lenders, consumer reporting, and debt collectors. All three markets struggle with compliance management systems, the CFPB found, citing “systemic flaws” like consistent failures to establish a consumer complaint system. “The CFPB expects companies to respond to consumer complaints and identify major issues and trends that may pose broader risks to their customers,” according to the report.

Within each market, the agency also identified specific problems.

Payday lenders – offering small-dollar, short-term loans – presented several issues for the CFPB. The report said lenders deceive consumers to collect debts, sometimes by using deceptive practices, such as threatening legal actions they do not intend to pursue or imposing additional fees when the contract does not allow for it. Over-aggressive collection tactics by payday lenders also troubled the agency, with examples of calling borrowers multiple times per day and visiting borrowers’ workplaces. Third-party collectors employed by payday lenders engaged in similar deceptive and harassing behavior, the CFPB said.

Debt collectors generally (not just those seeking repayment of payday loans) are a source of “frustration,” the CFPB said, generating a heavy volume of consumer complaints and possible violations of statutes like the Fair Debt Collection Practices Act (FDCPA) with practices like failing to investigate credit report disputes, intentionally misleading consumers about litigation, and making “excessive, illegal” calls to consumers. One debt collector examined by the agency made approximately 17,000 calls outside of the 8 a.m. to 9 p.m. time period established by the FDCPA, the CFPB said.

Turning to credit reporting agencies, the report found some businesses in the market failed to follow proper procedures when handling credit report disputes. For example, some agencies did not forward relevant dispute documents to data furnishers; others, despite encouraging the filing of disputes online or by telephone, subsequently refused to accept the disputes.

In addition to discussing the CFPB’s expectations and suggestions for improving compliance efforts in each of these markets, the report provides guidance on what it regards as the necessary elements to mitigate fair lending risks. To read the CFPB’s full report, click here.

Why it matters: “For the first time at the federal level, nonbank financial institutions are subject to supervisory oversight that holds them accountable for how they treat consumers,” CFPB Director Richard Cordray said in a statement. The report suggests that the CFPB will intensify its focus in coming months on non-bank financial services providers, which as Director Cordray notes have not been subject to bank-like supervision in the past and as a result likely have less robust compliance functions. In addition, this intensified focus is likely to lead to greater attention being paid to companies that use the services of consumer reporting agencies and debt collectors, triggering more referrals by federal and state regulators overseeing these companies to the FTC and state attorneys general.

back to top



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved