August 2020 Vendor Management News

Don't be the last one to know the latest vendor risk resources and articles our experts recommend during the month of August to make sure you're staying on top of the latest third-party management industry news. 

Recently Added Articles as of August 27

The pandemic continues to keep everyone on its toes as cybersecurity issues has organizations of all stripes reaching for the panic button. Banks are taking a good hard look at the books for next year, while companies rethink remote work as more security issues arise from employees at home. Oh... and the FBI teamed up with CISA to warn against a brand new cyber threat — oh goody. Read on to find out more!

Pandemic calls for cybersecurity management: While everyone knew that cybersecurity was pretty important pre-pandemic, it seems its top-of-mind for businesses both large and small as the globe continues to work through the challenges COVID-19 has presented. Remote workforces alone have underscored its importance, and with big names like Twitter and Oracle, to name a few, experiencing huge breakdowns, cyber security is the hot topic for organizations everywhere. “Without concerted management, small businesses are at a disadvantage when it comes to deciding how to go about investing in IT,” says Douw Gerber, Business Development Manager at leading South Africa-based managed IT security services company, Securicom. “What tools they need and how they should be provisioned, managed and governed. The result is bad IT spend, tools that don’t get used to their max, poor security and more risks." Gerber stresses: Cyber risk management should form part of the overall risk management strategies of every business.

Identifying common gaps in third-party risk management: In an expert interview series, Paul DeGraaff (who has over thirty years of identity and security experience with companies which include AIG, DTT and Weight Watchers) addresses the most common gaps companies experience with their third-party risk, as well as why those gaps exist, including issues around onboarding, process ownership, communication breakdown with IT departments and even discusses the role HR plays. Read on for more details with this industry renowned IAM expert.

Digital strategy clears the path for credit union innovation: While credit unions have played an important role in our communities for years, serving both businesses and individuals in need of capital, the pandemic has caused strife for credit unions as well. Many have done their best to continue serving members, but increased regulatory obligations have caused increased pressures and slowdowns. As a result, credit unions across the country are busy assessing if their digital strategy is adequately positioned for a longer-term shift to remote operations, which comes with its own challenges. Are fully remote banks our future?

NCUA asks for feedback on proposed FCU fee rules: Just last month, the NCUA proposed to exclude from total assets any loan a federal credit union (FCU) reports under the PPP or similar loan programs in the future. NAFCU also sent a Regulatory Alert to member credit unions with an overview of the proposal details to seek feedback on the approach to operating fees. Some of the feedback requested included whether credit unions agree with the proposed calculation of total assets based on the four most recently reported quarters; the approach is beneficial to the credit union, such as accounting for seasonal fluctuations; if the NCUA should adopt a different approach to mergers and conversions than what is proposed; and if the NCUA should make any other amendments regarding operating fees. Comments are expected within the next two months, so it should be interesting to see what the credit unions have to say… stay tuned!

Employees are the biggest concern for cyber risk: If the recent cyberattack on Twitter that came as a result of an employee accidentally sending login data to a hacker isn’t a parable of the time, we’re not really sure what is. Big or small, all organizations are at risk for attack, especially during times of global strife (cue: the pandemic). In some instances, it really doesn’t take all that much. In Twitter's case, 17-year-old Graham Ivan Clark gained access to the company's customer service systems after convincing a Twitter IT employee that he was a co-worker in the same department who needed the employee's login credentials, according to Florida state prosecutors. Yiiiikes. So, in order to make sure the big bad wolves don’t blow your house down, make sure to strengthen your security systems and shore up those vulnerabilities.

Facebook pushes for data portability: This past Friday, Facebook pushed for legislation which will make it easier for users to transfer photos and videos to a rival tech platform (aka data portability). This is considered a potential band aid for large companies, like Facebook, whose control of social media makes it much, much harder for smaller rivals to get started. In light of recent conversations, it seems Facebook is playing nice, also pressing for more clarity on what kinds of data should be portable and who is responsible for protecting such information as it moves to different services. Data portability is a requirement under Europe’s privacy law called the General Data Protection Regulation (GDPR) and California’s privacy law called the California Consumer Protection Act (CCPA).

FBI and CISA warn against new cyberthreats: Advances in technology never cease, and unfortunately the same is true for advances in cyberthreats. So, what's the new hot scam now you ask? “Vishing” — that is voice phising. It’s so convincing and so insidious in fact that the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert to warn against it. The vishing gang targets new employees, especially by compiling dossiers on employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services and open-source research.

Former Uber Security Chief concealed hack: This week, one of Uber’s former security chiefs was charged with attempting to conceal a hack from federal investigators. The criminal charges were filed against Joe Sullivan in the San Francisco U.S. District Court in response to shady handling of a hack that exposed the email addressed and phone numbers of 57 million drivers and passengers. What’s novel about this scenario is the charges draw a distinction between failing to protect Uber’s computer network and also failing to report it to authorities. If convicted on both charges, Sullivan could face up to eight years in prison and will be the second Uber employee to face federal charges. Sounds like Uber needs to get its ducks in a row.

Pandemic wreaks havoc on bank budgeting: Budgeting can be quite the task even in the best of times. Add a dash of global pandemic, a pinch of economic strife and maybe one or two natural disasters, just for some spice, and you have a whole other beast to tackle. As a result, banks are scratching their heads and wondering how exactly to budget in times of such uncertainty. It certainly seems to be the topic of conversation for the foreseeable future. Revenue is expected to decline, interest rates are under pressure and credit quality is deteriorating, but how bad will it really be? It seems most banks are bracing for the worst come 2021 and are already getting ahead of strategy. Will 2021 be a time of recovery, or just more of the same? Time will tell.

FinCEN issues a statement on the Bank Secrecy Act: In a statement issued by the Financial Crimes Enforcement Network, FinCEN covered its approach to enforcing the Bank Secrecy Act. FinCEN emphasized that it will bring an enforcement action only where there has been a violation of statutes or regulations, and that it will not bring an enforcement action based on non-compliance with standards of conduct that are set out only in regulatory guidance. In all matters, FinCEN will consider enforcing the appropriate compliance measures to ensure that financial institutions are fully complying with their BSA obligations. Banks beware, FinCEN is watching.

DOJ green-lights foreign bank payment: This week, the Department of Justice (DOJ) broke a 6-year stretch of not issuing a Foreign Corrupt Practices Act (FCPA) Opinion Procedure Release by handing one out to a US-based investment adviser. In the FCPA, the DOJ told the adviser it would not move forward with an enforcement action if the firm pays an advisory fee. Why? The FCPA doesn't prohibit payments to foreign governments or foreign government instrumentalities and DOJ found no corrupt intent to influence a foreign official. The issue revolves around anti-bribery provisions and ensuring payments are recorded properly. Payments directed to foreign government entities rather than individual foreign officials may still generate liability under the FCPA’s accounting provisions if they aren’t noted appropriately. Moral of the story: keep a paper trail.

FDIC releases quarterly banking profile: Want to stay up to date on the financial results for all FDIC-insured institutions? You’re in luck. The FDIC just released its report card on industry status and performance, including written analyses, graphs and stats. Read on for more!

Recently Added Articles as of August 20

Lots happening this week in the world of security and COVID-19. Cybersecurity and data protection are a big theme, with Wells Fargo appointing a new chief compliance officer and another couple of corporate giants landing in a $10 billion GDPR hot seat for wrongful use of personal data. Oh, not to mention the House moved to lift an antiquated ban on a national patient identifier system. There's plenty more where that came from... read on!

Information security in a COVID-19 world: To survive in this strange new world, many organizations are faced with the reality that they need to change the way they do business… including their methodologies. Many organizations have already faced challenges in responding to the increasing use of emerging technologies confronting traditional business models and services. These developments have dramatically impacted the expectations of employees, customers and suppliers. Unfortunately, they will need to adopt emerging technologies and change their service models more rapidly.

Proposed principles of operational resilience and operational risk:  The Basel Committee on Banking Supervision (or BCBS) has has issued two consultative documents to work in tandem. In it they have proposed seven principles to strengthen banks’ ability to withstand significant operational failures or wide-scale disruptions by tackling the following areas: governance, operational risk management, business continuity planning and testing, mapping interconnections and inter dependencies, third-party dependency management, incident management and resilient information and communication technology.

COVID-19 and third-party risk management survey results: The results are in! The survey, conducted by The Risk Management Association between May and June 2020, asked questions to better gain information, insight, and impact seen during the recent COVID-19 event in relation to third parties. Some of the topics in the survey include impact to the organization, COVID-related documentation, third-party performance during COVID-19, issues related to working from home and risk assessment. Members can download the executive summary and learn more.

Cloud computing calls for better cybersecurity oversight: Just earlier this month Capital One was the latest in big banks to get heat from the OCC for its “failure to establish effective risk assessment and management processes before migrating its information technology operations to a cloud operating environment.” This has caused many to look at cybersecurity oversight and cloud storage as a whole and ask some tough questions. Unfortunately, numbers reveal that bank executives’ concerns regarding cybersecurity are declining, yet over-reliance on providers, reporting issues, tech limitations and security incidents are causing more problems than ever.

Privacy and the “big picture:” Many organizations are struggling to put holistic programs in place that comprehensively address privacy concerns across all the key functions of the business. Along with the business lines, teams such as data governance, information security, cyber risk management and third-party risk management need to coordinate their actions and responses with privacy. Overlooking these issues isn’t just bad business practice…it’s a regulatory risk and can lead to some serious reputational issues (read on below and see how Oracle and Salesforce made themselves examples).

Voice phishers targeting VPNS: The pandemic has opened a can of worms when it comes to cybersecurity. Waves of every kind of phishing and fraud scheme imaginable are inundating systems across the globe… and now there’s a new shark in the waters: voice phishing. Yep, you heard it right. These next-level crooks marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees. These tricksters typically target new hires and disappear into the ether before you know it. When the attack or call is complete, they disable the website tied to the domain… and poof! Just like that, they’re gone.

CFPB updates its FAQs: Have questions? The Consumer Financial Protection Bureau has some answers. Their compliance section has been freshened up with some new additions, including some bright and shiny FAQs around its Payday Lending Rule. These frequently asked questions are broken into three categories: Covered loans, payment transfers and payment notices, and covers pertinent information such as “what really qualifies as a ‘business day,’ when it comes to pay day rules?”

Ground-breaking bank partnership model in Colorado: After years of wrangling, it seems authorities in Colorado have finally reached a settlement with two online lenders. The settlement resolved the issue of what defines a “true lender,” and could be used in regulatory framework across the country. Under the agreement, which was announced Tuesday, the companies can qualify for a legal safe harbor in Colorado if they comply with a detailed new regime that includes a ban on loans with annual percentage rates in excess of 36%. The settlement will also offer a way forward for fintechs, which have been hesitant to do business within the state.

ISO certs in danger of lapsing due to COVID-19: It seems hundreds of thousands of ISO certifications are in danger of lapsing due to interruptions of auditor services because of the pandemic. The ones with the highest risk of suspension include ISO 27001, which covers rigorous best practices for information security management systems, as well as ISO 27017 and ISO 27018 (enhanced security control sets for cloud services), ISO 9001 (quality management) and ISO 45001 (health and safety risks). This is particularly troublesome as security has become an increasing concern due to vulnerabilities exposed by the pandemic in the first place. InfoSass claims if no special dispensation is granted, ISO-holders may find themselves being forced to pay as much as three-times their anticipated outlay this year on restoring certifications, as well as devoting extra time and resources to the project.

Increasing importance of DPIA: It seems in the scramble to implement alternative data transfer mechanisms and shore up compliance gaps post-Schrem II, something else has been overlooked: the data protection impact assessment. Typically, smaller companies don’t typically conduct formal DPIAs because they don’t fall within the EU General Data Protection Regulation and European Data Protection Board guidance. However, going forward, it’s important to consider DPIAs essential for both controllers and processors alike.

Unpacking the housing market: Despite the ravages of the pandemic, it seems there’s a bit of good news when it comes certain aspects of the economy. An index measuring homebuilder sentiment matched its highest level ever this week. But why? Interestingly, it seems there’s been a healthy amount of demand from buyers and not enough homes to meet it. Additionally, the 30-year fixed mortgage rate bottomed out at 2.88% in August, the lowest point on record. So, it seems those low borrowing rates are giving homebuying appetites a bit of a boost…which is great news for builders. Homeowners, however, are a bit less pumped. Unemployment rates have made it more difficult to meet mortgage payments, yet the home improvement industry is also getting a bit of a boost: daily foot traffic at Home Depot since April is up at least 35% over last year, while Lowe’s reported 11.2% comparable sales growth in the spring quarter.

California to create financial protection watchdog: By the end of August, California is slated to create a new department of state government. The reason? The federal Consumer Financial Protection Bureau (CFPB) has been considered relatively useless under the Trump administration. Created in response to the financial crisis in 2007, the CFPB has been the primary consumer sentinel for quite some time; however, under the Trump administration NPR reports enforcement has been down almost 80% since 2015, with recovery to consumer down 96%. Move over CFPB, it seems there’s a bigger, badder dog protecting the block.

OCC responds to NYDFS fintech lawsuit: The OCC responded to the district court’s final judgement in a lawsuit which was filed by the New York Department of Financial Services (NYDFS) which challenged the OCC’s issue of a special purpose national bank charter for fintech companies. Ultimately, the whole shebang came down to a war of words — a quibbling of semantics, so to speak. In May of 2019, the district court denied the OCC’s motion to dismiss, citing that “the term ‘business of banking’ as used in the National Bank Act (NBA) unambiguously requires receiving deposits as an aspect of the business.” The OCC fired back and said, more or less, “No way Jose.” The OCC argued that the NYDFS claims aren't justiciable, lack standing and that its interpretation was just plain wrong. Unless reversed, the district court’s decision will continue to be a cloud that deters the filing of SPNB charter applications.

Linux malware signals warning: If we’ve said it once, we’ve said it a thousand times… as soon as technology gets more advanced, so do hackers. In this latest installment, two agencies have revealed that Russian hackers have been using the previously undisclosed malware for Linux systems, called Drovorub, as part of their cyber-espionage operations, which allows hackers to steal files and take over devices. These latest revelations show that there’s really no platform, no company or internet user that is truly beyond the scope of what hackers can do these days. We are all vulnerable to attack, and now, more than ever, we must be on our guard.

OFAC sanctions enforcement and screening errors: In this podcast episode, Michael Volkov explores some of the more recent Office of Foreign Assets Control enforcement actions which have been brought as a result of screening errors. There are some big names involved, including Apple, Amazon, American Express and Cobham Metelics. Take a listen to learn more.

CCPA approved final regulations: It seems things are moving and shaking when it comes to the California Consumer Privacy Act (CCPA). This week, Attorney General Becerra announced that the California Office of Administrative Law (OAL) approved the final regulations related to the CCPA and filed them with the Secretary of State. These regulations go into effect immediately and General Becerra requested an expedited review of 30 business days and that the regulations become effective upon filing with the Secretary of State. As of August 14, the Attorney General is now authorized to enforce these final regulations in addition to the CCPA’s statutory requirements.

Oracle and Salesforce hit with $10 billion GDPR lawsuit: It seems Oracle and Salesforce are just the next two big names to face heat for the way they process personal information for advertising purposes. Class action lawsuits filed in the UK and the Netherlands are being brought by The Privacy Collective, a European non-profit foundation that is dedicated to claiming compensation for the wrongful use of personal data. The giants are accused of breaching GDPR rules, facilitating sales via harmful ads, and holding onto personal information without consumer consent… not a good look.

Wells Fargo appoints new compliance chief: Ongoing scandal has prompted multi-national financial giant Wells Fargo to clean house once again. Their chief compliance officer, Mike Roemer, is leaving just two and half years after he was hired to help mop up their compliance program after the fraud scandal in late 2016. In a statement released on Thursday, Wells Fargo announced Paula Dominick, the chief compliance officer at Credit Suisse USA, has been hired to replace him. She starts her new gig in October and be responsible for oversight of all regulatory compliance risks. Hopefully with Paula in charge, Wells Fargo can finally clean up their act.

The House votes to remove ban on patient identifier system: The House of Representatives has spoken! This month the House cast a vote to lift the ban on the Department of Health and Human Services to develop a national patient identifier system. The Health Insurance Portability and Accountability Act (HIPPA) had long ago called for comprehensive system which would assign all Americans with a unique healthcare number (similar to a social security number) which would allow individuals to be identified across the entire US healthcare system. Why is this important? Say you were a CA resident but needed to see a doctor in New York because of an emergency. The national identifier system would allow medical professions to quickly access medical records and personal history. Currently, the lack of such an identifier makes matching patients with their medical records complicated, which increases the potential for misidentification of a patient. I think we can all agree, now, more than ever, we need medical cohesion. Three cheers for progress.

Recently Added Articles as of August 13

It's a busy week in third-party risk management. Deloitte's 2020 survey has been released and the results are in: risk management is more important than ever. Meanwhile, fraudsters are hard at work and so are the organizations who are trying to keep them at bay. The NCUA sounds the alarm on credit union schemes, while cybersecurity and increased protocols around cryptocurrency are at the forefront. Zoom and Capital One are in the hot seat this week for privacy-related issues, and the Fed made a couple of announcements. Make sure you don't miss out on the details! Read on for more.

Deloitte survey underscores importance risk management: In its fifth annual survey, the 2020 findings from Deloitte seem to suggest that it’s more important than ever to prioritize third-party risk management. The survey polled 1,145 responses across 20 countries and explores key findings which include, cost of failure, balancing responsibility and cost, increasing regulatory activity, vision for transformation and leveraging external assistance.

Is business interruption insurance panacea or placebo?: In the wake of the pandemic, most everyone is taking a good hard look at their organizations and questioning what needs to change should we ever walk through something like this again. Disaster recovery and business continuity spending rarely is an easy sell. No one wants to spend dollars on a plan that you likely will never use. But, even for those that do have insurance, it seems it’s not so simple. “Insurers are denying the vast majority of claims, and many policyholders have already filed lawsuits seeking court rulings that their COVID-19-related losses are covered,” said Tamara Bruno, a partner at the global law firm Pillsbury Winthrop Shaw Pittman. But why? Law firms across the United States say many insurers believe that claims related to COVID-19 are not covered, either because of a lack of physical damage to property or because policy provisions exclude virus coverage.

NIST releases zero trust architecture abstract: Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources. A zero trust architecture uses zero trust principles to plan industrial and enterprise infrastructure and workflows; and ultimately, it’s designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention and simplifying user-access control.

NCUA sounds alarm on fraud: In a public alert to credit unions, the NCUA issued a warning about the continued fraud schemes at work in light of the pandemic…especially those piggybacking off expanded government assistance programs, such as the CARES Act, Coronavirus Aid and others. NCUA warned against financial institution fraud, such as imposter and money mule schemes as well as small business administration loan frauds which manipulate PPP applications or use other sketchy tactics such as fake business accounts. Other trickery the NCUA mentioned included business tax credit fraud, unemployment insurance fraud and reporting fraud. But the most important nugget is that crime doesn’t take breaks, so neither can the credit unions. Fighting financial crime is a full-time gig, so continued education is crucial to consumer protection.

Guidance for compliance and the board: Internal controls are crucial when it comes to creating an effective framework. The basic framework many organizations use comes from the COSO Model and has become the standard since its creation in 2012. The internal controls for a board or board compliance committee typically include five important concepts: risk assessments, corporate compliance policy or code of conduct, implementing procedures, training and monitoring. The question is, has your organization implemented COSO? What’s your board involvement look like? What about documentation? If any of these questions have you scratching your head, it might be time to take a harder look.

Comptroller Brooks talks vendor management: The Acting Comptroller of Currency, Brian Brooks, chatted with the American Bankers Association and talked details around regulatory guidance and third-party vendor management standards. Can supervised entities gain relaxed onboarding requirements? These are the kinds of questions Brooks is entertaining as they move forward with this third-party regulatory exploration.

Zoom in hot water over privacy protection: With most everyone working from their home office (aka the kitchen the table), Zoom is now busier than ever. But in the hustle, it seems the leader in modern enterprise video communications may have forgotten to cross a few t’s and a dot a few i’s. Advocacy group Consumer Watchdog slapped Zoom with a lawsuit, claiming the company falsely promised it was using end-to-end encryption to protect users during the pandemic. "As the number of reported data breaches and privacy incidents continues to soar, consumers are making data security a crucial consideration when choosing which companies to do business with and which products to buy," the nonprofit consumer advocacy group said in its complaint. "Unfortunately, Zoom's claims that communications on its platform were end-to-end encrypted were false. Zoom only used the phrase 'end-to-end encryption' as a marketing device to lull consumers and businesses into a false sense of security." Important reminder: Practice what you preach… or at least what you promise.

CFPB issues consent orders for false advertising for VA mortgages: In late July the CFPB announced consent orders against Sovereign Lending Group, Inc. (Sovereign) and Prime Choice Funding, Inc. (Prime Choice). This went down after a number of CFPB-led investigations found that both companies were using deceptive direct mail campaigns to advertise VA-guaranteed mortgages. We all know the only things guaranteed are death and taxes, so it’s a shame for all involved. The CFPB also cited several examples of asserted false, misleading and inaccurate representations of costs and terms.

The Fed announces individual large bank capital requirements: After conducting stress tests earlier this year, effective October 1, the Fed announced that individual large bank capital requirements will be necessary. So, what does that mean exactly? Well, under its framework for large banks - those with more than $100 billion in total assets - minimum capital requirements, which are the same for each firm and should be 4.5 percent and the stress capital buffer, or SCB, which is determined from the stress test results, and is at least 2.5 percent. And, if applicable, a capital surcharge for global systemically important banks, or GSIBs, is at least 1.0 percent. On Monday, the board affirmed the stress test results for five firms that requested reconsideration. Those firms are BMO Financial Corporation, Capital One Financial Corporation, Citizens Financial Group, Inc., The Goldman Sachs Group Inc. and Regions Financial Corporation… whew, as if Mondays weren’t stressful enough.

OCC fines Capital One $80 million: Capital One’s wallet is undoubtedly feeling a bit lighter after the Office of the Comptroller of the Currency hit the bank with an $80 million civil money penalty. The reason? Failing to establish sound risk management processes and internal controls which caused a data breach in 2019. The breach resulted in the exposure of personal information for approximately 100 million Americans and around 6 million Canadians. The OCC’s audit also found cascading failures, including a rash of control weaknesses as well as negligence on the side of the board. Bad news all around. But it’s also a wakeup call around cloud servicing. The hacker obtained access through an insecure web app firewall, which signals a cry for stronger cybersecurity measures.

The fed announces new interbank settlement service: On Thursday, The Federal Reserve Board announced the details around FedNow Service, a new 24x7x365 interbank settlement service with clearing functionality to support instant payments in the United States. This is a milestone and will continue to modernize the American payment system, and will hopefully bring benefits of instant payments more broadly to U.S. communitiies. "The rapid expenditure of COVID emergency relief payments highlighted the critical importance of having a resilient instant payments infrastructure with nationwide reach, especially for households and small businesses with cash flow constraints," said Federal Reserve Board Governor Lael Brainard. "Since we initiated FedNow one year ago, we have been hitting our project milestones, and today I am pleased to announce the Federal Reserve Board has approved the core features and functionality based on extensive input from stakeholders." Perhaps the best is yet to come? 

Recent OCC action calls for cryptocurrency controls: Two recent actions by the Office of the Comptroller of the Currency (OCC), one enforcement action and one interpretive note, highlights the need to focus on the kinds of anti–money laundering (AML) controls needed for banks to handle cryptoassets and well….also make sure it’s kosher. Sure, cryptocurrency does have some unique characteristics — such as lack of personal identifiers, decentralized networks and the enablement of nearly irrevocable real-time settlement — that make it higher risk than traditional financial transaction, BUT there are frameworks which can be used to better mitigate the risk in most circumstances. It’s these frameworks that must be bolstered to prevent fraudsters from wreaking havoc.

CUNA backs bills for $2 billion crisis fund: After Senator Brian Schatz introduced a bill on Tuesday that would create a $2 billion community crisis fund to help with the aftermath of the pandemic, CUNA President and CEO Jim Nussle made his support known. “The pandemic and ensuing economic crisis has had a disproportionate impact on vulnerable communities and the policy response needs to recognize that more needs to be done to help these communities recover,” Nussle said. “Sen. Schatz’s legislation to create a CDFI Crisis Fund will ensure that CDFI credit unions can get much needed resources to our most vulnerable communities, reducing the pain experienced as the result of any number of disasters.” The bill’s $2 billion CDFI Crisis Fund would serve as a complement to the Treasury’s CDFI Fund and would be refilled as funds are dispersed each year. Activation for the funds are dependent on two triggers: economic crisis and/or natural disasters.

Recently Added Articles as of August 6

This week cybersecurity topics are hot, hot, hot, with new security breaches, COVID-19 scams, and bad actors lurking around every corner. Ever heard of "tabnabbing" or "deepfake technology?" It's just the latest in ever-growing sophistication of cybercriminals you'll need to make sure you're aware of. Meanwhile, the OCC gets slapped with a lawsuit and a new bill may have banks and fintech alike reframing their data privacy positions. Check out that and more in the headlines this week!

The undeniable importance of multi-factor authentication: In a climate where bad actors are waiting to take advantage of any opening available, and armed with new tactics which seem to be cooked up daily, now, more than ever, it’s crucial to make absolutely sure your services and devices are secured. Multi-factor, two-factor, 2-step—regardless of what it's called—relies on more than just the username/password combo to verify identity before providing access to a device or service. By relying on multiple factors, such as pairing up something you know (password) with something you have (smart card or smartphone) it minimizes the risk of unauthorized access.

Morgan Stanley accidentally discloses confidential consumer data: Another big company, another big data “whoops.” It seems a leak happened, once again, via a third-party vendor who did not have the proper controls in place. The data was exposed when servers (and other hardware sold to recyclers after a vendor was hired to scrub the devices) still had retained client data…yikes. Now the company is facing two class action lawsuits. “The missing equipment and servers contain everything unauthorized third-parties need to illegally use Morgan Stanley’s current and former customers’ PII to steal their identities and to make fraudulent purchases,” the lawsuits state. Don’t be like Morgan Stanley. Do your due diligence... and for heaven's sake, check your controls! 

FFIEC issues risk management statement: In the hopes of better protecting consumers in the wake of the pandemic, the FFIEC has issued a joint statement to provide risk management and consumer protection principles. This is intended for financial institutions to consider while working with borrowers as loans begin to near their initial accommodation periods. The statement not only includes background information but best practices for risk management such as monitoring the credit risks of loans and fully assessing and understanding the terms of loan agreements.

FinCEN warns consumers about COVID scams: The Financial Crimes Enforcement Network sounded the alarm on scammers with a press release that warned financial institutions and consumers alike about pandemic-related trickery. The world is always a stage for bad actors, no matter what state it may be in (including global health crises). The press release urged readers to beware of malware and phishing schemes, extortion, email compromise and cryptocurrency scams.

BNP Fined for Alleged Risk Management Failures: BNP Paribus, the world’s 8^th largest bank by total assets was fined $650,000 for allegedly running a trading desk without the proper risk controls and risk management practices in place. The settlement letter stated: “Due to the ‘unreasonable financial risk management controls and supervisory system,’ the brokerage firm executed erroneous orders on ‘at least two’ trade dates during the period in question, between 2011 and 2018.” A big third-party risk no-no.

Varo Bank honored with full-service national bank charter: Following signoffs from the Federal Deposit Insurance Corp (FDIC) and the Federal Reserve, Varo is the first challenger bank to obtain a national bank charter from the Office of the Comptroller of the Currency (OCC) — a process that cost the fintech nearly $100 million. Quite a sum, but Varo Bank's opening on August 1, 2020, represents some big changes. Namely, the evolution of banking and a new generation of banks that are born from innovation and built on technology intended to empower consumers and businesses.

Lawsuit slapped against a major regulator, OCC, and their fintech charter: State regulators, academics and consumer advocates filed separate briefs in a lawsuit against the Office of the Comptroller of the Currency this week, stating that the national bank regulator lacks the authority to grant a special-purpose fintech charter. In the brief, which was filed Thursday, the Conference of State Bank Supervisors argued that while the OCC has yet to grant any special-purpose fintech charters, the agency has already damaged state regulators by attracting companies towards its federal charter on illegitimate grounds. So far, the OCC has declined to comment.

The constant threat of social engineering: Its one the oldest tricks in the book… and the bad news is that it’s only getting more sophisticated. Social engineering has taken its game to new heights. Now they’re not only “phishing,” but “spear phishing” as well; building even more targeted attackers that are harder to spot. Oh, and let’s not forget “tabnabbing.” No, it’s not the latest, viral dance move sensation, and we wish we could say made it up, but here we are. This is an approach which allows hackers to take control of your web browsers, and if they’re lucky, nab your sensitive information... an important reminder that as hacking becomes more intelligent, so must we.

Banks and fintech to reframe data privacy debate: There’s been a buzz of discussion around a new data privacy bill, which, if passed by Congress, may disrupt access to critical data for financial service innovators. “Privacy advocates are often more concerned about the sheer volume of consumer data being shared between institutions and third parties than what is done with that information,” writes Flocken and Griffin, “But focusing on the amount of data being held leads to a dead end, as most technology needs vast amounts of data to function.” So, are fintechs and new-age banks facing a rock and hard place when it comes to blazing their paths towards the intersection of tech and finance? I suppose we’ll have to see.

Reputation risk management never expires: It’s true, and anyone who’s hung their hat in the third-party risk management industry long enough will tell you: reputation risk management (when done well) is the gift that keeps on giving. Board directors covet their company's reputation because it's their most valuable asset; and a study by Deloitte and Forbes affirmed this conviction, but truly, it shouldn’t surprise anyone. Senior-level executives also agreed that their company's reputation presented the greatest risk to the company's ability to achieve business strategies. What about you? Would you agree?

IT leaders posed with new risk: It seems “deepfake technology” is latest, evil internet spindoctor to watch out for. Aimed at producing audio and video material that is fake, but does not appear to be, the typical context of this is social or political transgression: faking a picture, a film or audio clip of someone saying or doing something they didn’t actually say or do for purposes as benign as amusement and as malignant as embarrassment, social disruption, extortion or concealment of a crime or treaty violation….Sheesh, as if the world wasn’t already scary and confusing enough.

Do you know how to prepare for the aftermath of the pandemic? Download the infographic.