April Vendor Management News

Stay on top of the third party risk management industry. To help you out, we've listed some articles below from this past week that we recommend checking out. 

Recently Added Articles as of April 25

Lots in the news this week. Perhaps none bigger than the changes at the CFPB to provide more information on the context of investigations. They’ve also announced a symposia series to provide additional education and garner feedback. The FDIC and Duke University team up for a conference to discuss fintech and the future of banking. Wells Fargo shareholders get angry in the annual meeting. There was a banks vs credit unions round. The FTC action to bar a payment processor that didn’t heed its enforcement directive. What a week!

FTC permanently bans a payment processor: After violating a 2009 federal district court order, a payment processor can no longer engage in or assist with payment processing and is fined an additional $1.8 million. The 2009 judgement and order required the processor to review their merchant clients to verify they weren’t involved in unfair or deceptive practices. Looks like the FTC found that the payment processor didn’t follow through with the request. They can’t say they weren’t warned.

FinCEN holds a stark reminder of the importance of registering: Major penalties are in store for those who ignore anti-money laundering (AML) laws. Take Eric Powers case in consideration. Powers will receive a $35,000 fine and is prohibited from engaging in money transmission services or any type of activity that makes him a money services business (MSB) due to failure to follow laws. He didn’t register as a MSB, file a CTR nor did he have any policies and procedures developed around BSA. His negligence has caused him to be the first peer-to-peer virtual currency exchanger to be penalized for failure to file a CTR.

New Symposia Series from the CFPB: And without further ado…dun dun dun! Director Kathy Kraninger announces the bureau will publish proposed rules regarding the Fair Debt Collection Practices Act (FDCPA) and a symposium series to discuss and clarify the meaning of the “abusive acts or practices” term in UDAAP among other things to increase transparency in the bureau’s rulemaking. This will be the first topic of the series. This is what we’ve been waiting for!

Banks vs Credit Unions – the struggle continues: They’re staking out their grounds on membership for credit unions, in particular. Federal judges express concerns regarding the National Credit Union Administration’s (NCUA) field-of-membership rule and that it may need redlining as it may allow credit unions stretch the meaning of local community too far. It’s in question if credit unions should be permitted to exclude urban cores from their membership areas or not. A decision has not been made.

HIPAA priorities for 2019 and beyond: There has been far less activity from the Office of Civil Rights (OCR) and the U.S. Department of Health and Human Services as compared to years past. However, it looks like enforcement activity may resume for reasons such as the need for settlement payments to provide the government with revenue in a time of budgetary restrictions or the potential incentive that if a breach occurs and is reported, then the individuals impacted could receive a portion of the fine received. Clearly, data breaches continue to be a front burner issue. Enjoy the quiet while you have it, because something tells us it’s not going to stay like this forever!

FDIC and Duke University collaborate to discuss the future of fintech: A conference called “Fintech and the Future of Banking” was announced. Programming includes discussions around the innovation regulatory approach, how data and technology impacts lending, the industry’s competition, venture capital roles and pros and potential cons of utilizing data and tech to inform financial consumer decision making. Sounds like a jam-packed agenda with a plethora of great information.

Shareholders interrupt the annual Wells Fargo meeting: Things got heated during the Wells Fargo annual meeting as shareholder abruptly disrupted the opening remarks demanding answers to their questions around the prior scandals. One shareholder was even escorted out. One shareholder said, “Your reputation is worse than the tobacco companies.” It hasn’t been determined when Wells Fargo will find a new CEO, but this will certainly make it more challenging. Continuing frustration, yes, but this outburst will not help Wells Fargo’s reputation.

CFPB to give more information to companies under investigation: The CFPB announced that they will give more insight to organizations under enforcement investigation for violating consumer protection laws, also known as Civil Investigative Demands (CIDs), by sharing what was violated such as the wrongful conduct and/or legal provision violations under investigation. These changes come from NAFCU suggestions. This will help prohibit vague requests for information from the CFPB. It looks like the CFPB really is trying to keep their promise to be more transparent.

Recently Added Articles as of April 18

This week there are some concerns raised over the recent Wells Fargo CEO departure, some talks about agencies similar to the CFPB being developed at the state-level, a discussion around deregulation, a focus on consumer complaints, reputation risk, company culture and more.  

Continuing concerns over Wells Fargo. CEO’s departure heightens concerns; this is not the reaction they were hoping for: Regulators have expressed that they’re unsatisfied with Wells Fargo right now. Guess why. Their progress has been slower than it should be to improve their risk management and corporate governance.

Credit Unions are well advised to pay attention to members’ concerns: Two NAFCU representatives delve into the CFPB’s recent consumer complaint report and the NCUA’s vendor management expectations. They provide a good overview as well as discuss emerging trends. It looks like some of the top complaints include issues with credit cards, debt collection and credit or consumer reporting to just name a few. The NCUA examiners also share their top vendor management expectations. So, we’re wondering. What are your customers complaining about?

Will California create a state-level CFPB?: That is the question. California has mentioned creating a state-level version of the CFPB; however, they’ve also said that they may just increase the supervisory and enforcement activities by implementing a larger budget and staff. Which do you think would be more beneficial?

Reputation risk and company culture focus: As companies become more technology focused, reputation risk and company culture expectations heighten. It seems like this is largely due to the unique challenges that technology presents, such as ease of access to complain on social media. Due to this, focusing on reputation risk, and how it’s intertwined with other business risks, as well as overall company culture and leadership, is a must. Check this article out for some tips. You never know, you may learn some new ways to become an even better leader yourself.

“Deregulation” may be a term that frightens policymakers: This week, there was a proposal issued to ease up on foreign bank regulatory supervisory standards. Yet still, federal leaders and policymakers are sure to not use the word “deregulation”. Interesting since that is exactly what seems to be happening in some areas and many working in compliance have seemed very hopeful for deregulation.  

Fintech is here and ready to help organizations transform: Large banks, like Key Bank, are utilizing fintech solutions to help streamline payments processing. With the help of fintech solutions, organizations have expressed that they’re able to develop a more efficient strategy and address many of the manual pain points that have previously existed. It looks like the bank has a very well-developed process in place to vet and on board the right fintech partner. Does your organization’s process meet or exceed theirs?

NYDFS rejects granting BitLicense to Seattle-based cryptocurrency exchange: The NY Department of Financial Services rejects Bittrex Inc.’s application for BitLicense but accepts a competitor’s application. Bittrex didn’t meet all of the agency's requirements which include specific anti-money laundering, cybersecurity and consumer protection standards. New York is the only state to require digital asset firms to obtain a license to operate, making it one of the strictest. Bittrex has decided to dispute the findings. Our spidey-senses tell us this may not turn out well - challenging them before receiving approval as well as knowing they are one of the most aggressive regulators...?

FTC fines an online lending company for engaging in deceptive and unfair consumer practices: Avant, LLC has agreed to settle deceptive and unfair loan servicing allegations by paying $3.85 million. The lender wrongfully added unauthorized charges to thousands of customer accounts as well as unlawfully made them consent to automatic payments from their bank accounts in addition to many other law violations found. You know how we’re always reiterating that you need to look at similar organizations' recent enforcement actions? This is why. Learn from this and don’t let it happen to you.  

Recently Added Articles as of April 11

This week’s news features a crisis of confidence for the credit reporting agencies, a planned transition of leadership at the FFIEC, a ranking of the largest cybersecurity firms, a focus on third party service provider contracts and new student lending regulations by the NYDFS.

Rankings of the largest cybersecurity firms: The world’s 5 largest cybersecurity firms were ranked by market share. However, here is something we found even more interesting. Although cybersecurity is a regulatory hot button and priority at many organizations, cybersecurity firms only represent two percent of total IT expenditure. That’ll probably change sooner rather than later. Check it out and learn why we’re not the only ones to think so.

Crisis of confidence for the credit reporting agencies - Renewed concerns after the Equifax breach: “Why can’t I just delete my credit file and stop doing business with you if I so choose?” and “Why not wipe child identity theft off the map by creating and immediately freezing a credit file for every newborn baby?”. These are the kinds of questions that Mark Begor, CEO at Equifax, was recently asked in an interview. Many have wondered if he really understood the impact of the 2017 data breach and what the credit agency is doing to protect consumer data moving forward. Begor speaks up.

GDPR remains an elusive challenge, even a year later: Lawmakers thought they were giving organizations enough time to get GDPR compliant; however, it appears many still aren’t. Is your organization prepared? Don’t be scrambling at the last minute to be data security compliant.

DNS attacks on the rise: Domain Name System (DNS) attacks recently hit websites like Gmail, Netflix and PayPal. Beginning last December, it’s been found that over the last four months attackers have been using Google cloud to look for routers that they can exploit due to existing vulnerabilities. There have been three waves of attacks. It’s been shared that if you want to protect yourself then make sure your routers have the latest firmware, and that means installing manual patches, as needed. Attacks like this can cause a huge impact on an organization’s reputation, so... are your networks secure?

CFPB Director Kraninger to serve as FFIEC Chairman: Kathleen Kraninger will serve as Chairman of the Federal Financial Institutions Examination Council (FFIEC) until March 31, 2021. She succeeds former chairman Jelena McWilliams.

NYDFS passes student loan servicing regulations: The legislation, expected for some time, requires significant oversight of practices, including registering with New York Department of Financial Services. Article 14-A now requires student loan servicers who provide both federal and non-federal student loans to obtain licensure from the NYDFS if they plan to provide loans to New York residents. If you are a servicer who doesn’t comply, you could be subjected to penalties and litigation. There are some additional prohibited practices under the law that you should be aware of such as not misrepresenting or omitting material information or misleading a borrower. Looks like consumer protection laws and best practices are coming into play here.

Third party service provider contracts are under increasing scrutiny and that’s here to stay: Contract scrutiny is evolving – both through indirect and direct regulations. It really all started with the financial crisis in 2008. Technology systems can provide may operational efficiencies, of course, however there are risks involved in outsourcing to a third party service provider and that should always be kept in the back of your mind as you review the agreement. Do you really know your service provider? If you can’t answer yes to that then you may have cause for concern.

Recently Added Articles as of April 4

A lighter news week, but nonetheless, an impactful one. A vendor most of us likely use agrees to pay a large fee to settle deceptive consumer practices allegations. Consumers were surveyed and it’s been found that the majority think privacy in the digital world is impossible. Additionally, there is some clarification needed on who is responsible – the organization or the software provider – for a vulnerability exposure. And the FDIC may have just added some more clarification around that. Finally, Wells Fargo CEO steps down.

Office Depot and tech support firm settle with FTC: Office Depot has agreed to pay $25 million, and their software provider Support.com has agreed to pay $10 million, to the FTC to settle deceptive practices allegations. The firms provided a deceptive malware software as part of their tech repair services. It was found that consumers would answer 4 questions regarding their PC as part of a “Health Check” and if they answered “yes” to any of the questions then the software would claim to have identified malware infections or symptoms through a scan. However, the claim regarding an infected PC was directly related to the 4 questions, and not the scan. From there, consumers were directed to a screen where they were encouraged to purchase additional services to address and fix the issues. Do you understand what regulators will consider to be an unfair, deceptive, or abusive act or practice (UDAAP)? Be sure to lookout for enforcement actions like these and up your game if needed!

Survey finds privacy in the digital world is not possible: Kaspersky Lab released a survey that found 56% of industry consumers still think full privacy in the modern world, despite regulations like General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), is impossible. Data scandals at companies such as Experian and Facebook may largely be the culprits to blame for the lack of trust still present. We want to know. Do you think your consumer data is completely secure?

Banks and software companies should share responsibility for flaws: A vulnerability exposed in Heimdal Security, a cybersecurity software provider to UK bank RBS, has caused much controversy regarding if the software company or the bank is responsible for verifying the overall security of the product. EMEA CEO of Veracode, Paul Farrington, feels the bank is just as responsible for the vulnerability as the software provider is. Interestingly, he shares that even if Heimdal Security is legally responsible, RBS is morally responsible as they should be performing proper due diligence on their vendors. Want our two cents? Ultimately, the regulated institution is the bank or credit union so the buck stops there.

Sloan out as Wells Fargo CEO: It’s been announced that Tim Sloan has stepped down from his role as Wells Fargo CEO and from his position on the board. Sloan did not represent the institution quietly during his short tenure. During his time, he has been involved in and tried to resolve numerous scandals that have occurred such as sham account openings, mortgage and auto lending controversies and deceptive consumer practices. Since the announcement, stock have increased. Was Sloan forced to step down?

FDIC reminder on tech service provider contracts: FIL-19-2019 has been issued by the FDIC to share and address examiner observations regarding missing items in contracts between financial institutions and technology service providers. This was a reminder that most of the contracts are lacking detail regarding each parties’ responsibilities, the financial institution is ultimately responsible for managing risk, effective contracts greatly assist with overseeing technology service provider risk and more. Quick tip…it may be time to take another look at your contracts. Make sure that they’re meeting regulatory expectations!

Are you monitoring your vendor's complaints? See why you need to. Download the infographic.