Stay on top of the third party risk management industry. To help you out, we've listed some articles below from this past week that we recommend checking out.
Recently Added Articles as of April 18
This week there are some concerns raised over the recent Wells Fargo CEO departure, some talks about agencies similar to the CFPB being developed at the state-level, a discussion around deregulation, a focus on consumer complaints, reputation risk, company culture and more.
Continuing concerns over Wells Fargo. CEO’s departure heightens concerns; this is not the reaction they were hoping for: Regulators have expressed that they’re unsatisfied with Wells Fargo right now. Guess why. Their progress on improving risk management and corporate governance has been slower than it should be.
Credit Unions are well advised to pay attention to members’ concerns: Two NAFCU representatives delve into the CFPB’s recent consumer complaint report and the NCUA’s vendor management expectations. They provide a good overview as well as discuss emerging trends. It looks like some of the top complaints include issues with credit cards, debt collection and credit or consumer reporting, to name just a few. The NCUA examiners also share their top vendor management expectations. So, we’re wondering. What are your customers complaining about?
Will California create a state-level CFPB?: That is the question. California has mentioned creating a state-level version of the CFPB; however, they’ve also said that they may just increase the supervisory and enforcement activities by implementing a larger budget and staff. Which do you think would be more beneficial?
Reputation risk and company culture focus: As companies become more technology focused, reputation risk and company culture expectations heighten. It seems like this is largely due to the unique challenges that technology presents, such as ease of access to complain on social media. Due to this, focusing on reputation risk, and how it’s intertwined with other business risks, as well as overall company culture and leadership, is a must. Check this article out for some tips. You never know, you may learn some new ways to become an even better leader yourself.
“Deregulation” may be a term that frightens policymakers: This week, there was a proposal issued to ease up on foreign bank regulatory supervisory standards. Yet still, federal leaders and policymakers are sure to not use the word “deregulation”. Interesting since that is exactly what seems to be happening in some areas and many working in compliance have seemed very hopeful for deregulation.
Fintech is here and ready to help organizations transform: Large banks, like Key Bank, are utilizing fintech solutions to help streamline payments processing. With the help of fintech solutions, organizations have expressed that they’re able to develop a more efficient strategy and address many of the manual pain points that have previously existed. It looks like the bank has a very well-developed process in place to vet and onboard the right fintech partner. Does your organization’s process meet or exceed theirs?
NYDFS rejects granting BitLicense to Seattle-based cryptocurrency exchange: The NY Department of Financial Services rejects Bittrex Inc.’s application for BitLicense but accepts a competitor’s application. Bittrex didn’t meet all of the agency's requirements which include specific anti-money laundering, cybersecurity and consumer protection standards. New York is the only state to require digital asset firms to obtain a license to operate, making it one of the strictest. Bittrex has decided to dispute the findings. Our spidey-senses tell us this may not turn out well - challenging them before receiving approval as well as knowing they are one of the most aggressive regulators...?
FTC fines an online lending company for engaging in deceptive and unfair consumer practices: Avant, LLC has agreed to settle deceptive and unfair loan servicing allegations by paying $3.85 million. The lender wrongfully added unauthorized charges to thousands of customer accounts and unlawfully made customers consent to automatic payments from their bank accounts, among many other law violations found. You know how we’re always reiterating that you need to look at similar organizations' recent enforcement actions? This is why. Learn from this and don’t let it happen to you.
Recently Added Articles as of April 11
This week’s news features a crisis of confidence for the credit reporting agencies, a planned transition of leadership at the FFIEC, a ranking of the largest cybersecurity firms, a focus on third party service provider contracts and new student lending regulations by the NYDFS.
Rankings of the largest cybersecurity firms: The world’s 5 largest cybersecurity firms were ranked by market share. However, here is something we found even more interesting. Although cybersecurity is a regulatory hot button and priority at many organizations, cybersecurity firms only represent two percent of total IT expenditure. That’ll probably change sooner rather than later. Check it out and learn why we’re not the only ones to think so.
Crisis of confidence for the credit reporting agencies - Renewed concerns after the Equifax breach: “Why can’t I just delete my credit file and stop doing business with you if I so choose?” and “Why not wipe child identity theft off the map by creating and immediately freezing a credit file for every newborn baby?”. These are the kinds of questions that Mark Begor, CEO at Equifax, was recently asked in an interview. Many have wondered if he really understood the impact of the 2017 data breach and what the credit agency is doing to protect consumer data moving forward. Begor speaks up.
GDPR remains an elusive challenge, even a year later: Lawmakers thought they were giving organizations enough time to get GDPR compliant; however, it appears many still aren’t. Is your organization prepared? Don’t be scrambling at the last minute to be data security compliant.
DNS attacks on the rise: Domain Name System (DNS) attacks recently hit websites like Gmail, Netflix and PayPal. Over the last four months, beginning last December, attackers have been found using Google cloud to look for routers that they can exploit due to existing vulnerabilities. There have been three waves of attacks. The guidance shared is to make sure your routers have the latest firmware, and that means installing patches manually, as needed. Attacks like this can have a huge impact on an organization’s reputation, so... are your networks secure?
CFPB Director Kraninger to serve as FFIEC Chairman: Kathleen Kraninger will serve as Chairman of the Federal Financial Institutions Examination Council (FFIEC) until March 31, 2021. She succeeds former chairman Jelena McWilliams.
NYDFS passes student loan servicing regulations: The legislation, expected for some time, requires significant oversight of practices, including registering with New York Department of Financial Services. Article 14-A now requires student loan servicers who provide both federal and non-federal student loans to obtain licensure from the NYDFS if they plan to provide loans to New York residents. If you are a servicer who doesn’t comply, you could be subjected to penalties and litigation. There are some additional prohibited practices under the law that you should be aware of such as not misrepresenting or omitting material information or misleading a borrower. Looks like consumer protection laws and best practices are coming into play here.
Third party service provider contracts are under increasing scrutiny and that’s here to stay: Contract scrutiny is evolving – both through indirect and direct regulations. It really all started with the financial crisis in 2008. Technology systems can provide many operational efficiencies, of course; however, there are risks involved in outsourcing to a third party service provider, and that should always be kept in the back of your mind as you review the agreement. Do you really know your service provider? If you can’t answer yes to that then you may have cause for concern.
Recently Added Articles as of April 4
A lighter news week, but nonetheless, an impactful one. A vendor most of us likely use agrees to pay a large fee to settle deceptive consumer practices allegations. Consumers were surveyed and it’s been found that the majority think privacy in the digital world is impossible. Additionally, there is some clarification needed on who is responsible – the organization or the software provider – for a vulnerability exposure. And the FDIC may have just added some more clarification around that. Finally, Wells Fargo CEO steps down.
Office Depot and tech support firm settle with FTC: Office Depot has agreed to pay $25 million, and their software provider Support.com has agreed to pay $10 million, to the FTC to settle deceptive practices allegations. The firms provided a deceptive malware software as part of their tech repair services. It was found that consumers would answer 4 questions regarding their PC as part of a “Health Check” and if they answered “yes” to any of the questions then the software would claim to have identified malware infections or symptoms through a scan. However, the claim regarding an infected PC was directly related to the 4 questions, and not the scan. From there, consumers were directed to a screen where they were encouraged to purchase additional services to address and fix the issues. Do you understand what regulators will consider to be an unfair, deceptive, or abusive act or practice (UDAAP)? Be sure to look out for enforcement actions like these and up your game if needed!
Survey finds privacy in the digital world is not possible: Kaspersky Lab released a survey that found 56% of industry consumers still think full privacy in the modern world, despite regulations like General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), is impossible. Data scandals at companies such as Experian and Facebook may largely be the culprits to blame for the lack of trust still present. We want to know. Do you think your consumer data is completely secure?
Banks and software companies should share responsibility for flaws: A vulnerability exposed in Heimdal Security, a cybersecurity software provider to UK bank RBS, has caused much controversy over whether the software company or the bank is responsible for verifying the overall security of the product. EMEA CEO of Veracode, Paul Farrington, feels the bank is just as responsible for the vulnerability as the software provider is. Interestingly, he shares that even if Heimdal Security is legally responsible, RBS is morally responsible as they should be performing proper due diligence on their vendors. Want our two cents? Ultimately, the regulated institution is the bank or credit union so the buck stops there.
Sloan out as Wells Fargo CEO: It’s been announced that Tim Sloan has stepped down from his role as Wells Fargo CEO and from his position on the board. Sloan did not represent the institution quietly during his short tenure. During his time, he has been involved in and tried to resolve numerous scandals that have occurred such as sham account openings, mortgage and auto lending controversies and deceptive consumer practices. Since the announcement, the stock has increased. Was Sloan forced to step down?
FDIC reminder on tech service provider contracts: FIL-19-2019 has been issued by the FDIC to share and address examiner observations regarding missing items in contracts between financial institutions and technology service providers. This was a reminder that most of the contracts are lacking detail regarding each party’s responsibilities, that the financial institution is ultimately responsible for managing risk, that effective contracts greatly assist with overseeing technology service provider risk and more. Quick tip…it may be time to take another look at your contracts. Make sure that they’re meeting regulatory expectations!