January 2020 Vendor Management News

It's the first month of the year! Kick 2020 off right by making sure you stay updated on key third-party risk news and resources.

Recently Added Articles as of January 30

To wrap up the first month of the year, this week’s news articles are mainly all about the regulators and what they’re focusing on. There’s a little dose of CCPA in here, too.

Why establishing who owns a business is so important: Need a break from reading the news? Check out this recent podcast featuring Ellen Lafferty who shares why organizations must have policies and procedures in place to determine business ownership and control, when verification should be done and an overview of a risk-based approach. OFAC checks are so important! (1/29)

Fintech risk management guidance is released: Are you looking for more guidance around risk management and fintechs? You’re in luck. The Federal Reserve published new guidance in the December issue of the Consumer Compliance Supervision Bulletin that they recommend for organizations considering innovation. There’s particular focus on risk management during the vendor selection process when planning to engage with fintech vendors. It’s worth the read.

A company settles OFAC violations: Eagle Shipping International paid over $1 million to settle OFAC violations. A reminder to be diligent and run your OFAC checks.

OCC to host credit and operational risk workshops: Mark your calendars! The OCC will host workshops March 3-4 in New Orleans. The first day is the credit risk workshop and the second day focuses on operational risk. If you’re interested, now is the time to secure your spot as workshops are limited to 35 registrants.

NAFCU asks the CFPB and FFIEC to provide data privacy guidance: NAFCU’s president and CEO is seeking interagency guidance around the Gramm-Leach-Bliley Act (GLBA) as he feels this will assist credit unions and other financial institutions as they work to comply with data privacy laws. The association feels state standards are difficult to comply to and is pushing for California to exempt credit unions from the CCPA. They’re hopeful a national data privacy standard will be enforced at some point. So, the question becomes, who should take the lead on privacy?

The CFPB clarifies the abusive standard: Well, not really. However, a framework outlining how the agency plans to supervise and enforce to defend against abusive acts or practices was released. It’s a start.

Bankers rank their strengths and challenges in a recent survey: 227 financial institutions recently responded to a survey in which they identified their strengths and challenges. Curious how they ranked themselves? Customer retention and compliance are above average but in-branch and digital experience could use some improvement. Check out the results for more insight.

It's Some organizations seem to misunderstand CCPA: It’s been a few weeks since CCPA became effective and it appears some organizations are slightly confused. Inaccurate information is being published on many  websites around how the law impacts the organization and their customers. And, of course, managing the requests that are coming from customers now that CCPA is in effect is certainly a challenge for many. There are a lot of unanswered questions looming.

NYDFS develops a new Consumer Protection Task Force: The goal of the New York Department of Financial Services newly created task force is to protect consumers as the federal government rolls back important consumer protections. They’ll provide their advice on consumer engagement, policy development and research. Members of the task force are appointed and will serve three-year terms with no compensation.

Recently Added Articles as of January 23

This week’s news is lighter as far as the number of articles to focus on; however, they’re nonetheless important as there is heightened cybersecurity risk to the financial services industry and critical business sectors resulting in the FDIC and OCC issuing a joint statement, updates on OCC enforcement actions and a CFPB investigation.

FDIC and OCC focus on cybersecurity: Due to increased cybersecurity risk, the FDIC and OCC issue a joint statement on heightened cybersecurity risk. In the statement there is emphasis on risk management procedures that can help reduce risk. These include response and resiliency capabilities, authentication and system configuration.

OCC announces enforcement actions: The OCC announces five enforcement action updates. These include actions against national banks, federal savings associations and some individuals affiliated with similar organizations. Check it out.

Inspector General of the Federal Reserve investigates the CFPB: Due to collecting a smaller amount of restitution, some senators are calling for a CFPB investigation. There are concerns regarding Kathy Kraninger’s first year as director since the agency didn’t call for defendants to pay as much consumer redress.

Recently Added Articles as of January 16

There are all sorts of news articles this week. And, lots of them! New priorities, more wrangling over the fintech charter, enforcement actions and more.

Visa acquires Plaid: Visa will purchase Plaid for $5.3 billion. Plaid is a company that focuses on the development of APIs. Visa says that this purchase will expand their network capabilities and open up new market opportunities.

Wells Fargo will pay $102.8 million to settle the USAA mobile deposit patent case: Once again, Wells Fargo loses a case against USAA. Last year, Wells Fargo paid $200 million for infringing two USAA patents. This year, Wells Fargo has been ordered to pay $102.8 million for infringement. Wells Fargo disagrees and plans to appeal.

Former FinCEN employee pleads guilty: In today’s unusual news… A former FinCEN employee pleads guilty to conspiracy to unlawfully disclose Suspicious Activity Reports (SARs). On more than one occasion, the former senior adviser agreed to disclose sensitive information in SARs. As a reminder, the confidentiality of SARs is critical and extremely important. A violation like this is not taken lightly.

Consumer financial protection may expand in California and New York: California and New York are working to expand upon their consumer financial protection processes. In California, they’d like to enact a new “California Consumer Protection Law”. This would give the now Department of Business Oversight the authority to administer new law and would also change their department name to the Department of Financial Protection and Innovation. In New York, they’d like to enact legislation that would make state law more consistent with federal law, make products and services subject that are subject CFPB enforcement authority also subject to state oversight, increase maximum penalties under the Financial Services Law and provide the Department of Financial Services with the authority to collect restitution and damages.

CFPB files suit against student loan deft relief firms: The CFPB filed a lawsuit against several firms who partook in unlawful behavior by gathering individuals’ data illegally, charging unlawful fees and engaging in deceitful conduct. Monster Loans is one of the firms being sued as they violated the Fair Credit Reporting Act (FCRA) by obtaining information from a credit bureau on customers with student loan debt. Monster Loans acted like they were offering mortgage loans to these customers, but the company was actually using the information to give to debt-relief companies to use in their marketing. Remember, if it sounds too good to be true then it probably is.

Organizations haven’t missed the mark to become CCPA compliant: Yes, CCPA did go into effect on January 1, 2020. However, the CCPA enforcement date is July 1, 2020. Therefore, if you’re not compliant with CCPA, you still have time. According to Ballard Spahr, in the next 6 months it’s recommended that you create a detailed map of data flows, update policies to address CCPA obligations and respond to verifiable customer requests to use their CCPA rights. You still have time, but you better start today!

NAFCU continues to express TCPA concerns: NAFCU met with the FCC and made clear that they still have concerns regarding the Telephone Consumer Protection Act (TCPA) and its lack of clarity. NAFCU is especially concerned about the challenges presented by TCPA to implement procedures that don’t violate TCPA regulations. This has been an ongoing modernization effort between NAFCU and the FCC for 3 years. When will they get to a point where both are in full agreement?

OCC fintech charter appeal is happening: Since the OCC is appealing the Southern District Court of NY’s decision regarding the fintech charter plan, they will be heard in the second circuit where they’ll have an opportunity to validate the plan and their reasoning behind it. It’ll be interesting to see how this plays out this year.

Regulators and the Fed disagree on lending: Regulators are working to amend the rules of the 1977 Community Reinvestment Act (CRA). This update will be the first since 1955. The Fed isn’t fully on board with the proposed changes as they feel the updates don’t take into consideration business cycle changes or the different types of lower-income families within communities. The proposed updates may be too broad.

NCUA announces 2020 supervisory priorities: In the National Credit Union Administration’s 2020 supervisory priorities, you’ll find bank secrecy act and anti-money laundering compliance, consumer financial protection, cybersecurity, liquidity risk and credit risk, continuous monitoring of the new standard for current expected credit losses and the transition from the interest rate benchmark - London Interbank Offered Rate (LIBOR). In addition, the NCUA plans to release a new user portal. This is in an effort to modernize processes. Do any of these priorities come as a surprise to you?

Comerica Bank continues to be the preferred vendor of choice for the unbanked: After a competitive evaluation process, the U.S Department of the Treasury’s Bureau of the Fiscal Service announced that Comerica Bank will be reappointed as the fiscal agent for the Direct Express prepaid debit card program. The agreement will be for 5 years. There are some improvements to the Comerica Bank agreement that currently provides a program to 4.5 million people without a bank account. These improvements include a reduction in cardholder fees for certain transactions, improvements to customer service requirements, more reporting requirements and more.

Recently Added Articles as of January 9

This week, most of the news is regarding California Consumer Privacy Act (CCPA), legal analysis and regulatory speculation for the new year. Fortunately, no one work up to a major enforcement action as a holiday gift. Well, at least not thus far. A lot of agencies are joining in the fintech focus too, likely because the OCC is having to sort of figure out what to do next besides challenge the New York ruling.

SEC announces 2020 examination priorities: The SEC's Office of Compliance Inspections and Examinations released their 2020 examination priorities. Among the focus is a continued prioritization of cyber and information security risks, anti-money laundering and more. Also, the OCIE says they'll continue to focus on third-party risk management. 

Compliance with security standards is important: Recent cyberattacks are a stark reminder why compliance with standards like HIPPA is so important. Per HIPAA, organizations are required to perform risk analyses to assess possible risks and vulnerabilities to the security of electronic protected health information (ePHI) and implement action plans. It’s a critical requirement to protecting an organization and sensitive data. Organizations who have not followed requirements have fallen victim to attacks that could have had a significantly less impact on their organization or avoided completely had they followed recommendations.

Big things happening at the Venture Center in Arkansas with ICBA: Beginning this week and not concluding until March, over 100 banking executives, regulators, industry thought experts and more will join the accelerator program as mentors and coaching participants. The accelerator program brings forth a ton of industry information in 12 short weeks in an intense learning environment. The mentors will provide their expert feedback on products and services that are under development. It’s sure to be a busy and informative time.

A look back at SEC enforcement actions in 2019: Peruse last year’s top 4 SEC enforcement actions. These include enforcement actions on Barclays, Westport Fuel Systems, Quad/Graphics Inc. and Juniper Networks. Do you recall these? If not, now is the time to brush up and learn what not to do.

Audit committees and their role: Did you know, according to the SEC, an audit committee should set the tone for an organization’s financial reporting and set expectations for communication with audit and management? However, that’s not their only responsibility. They also play a part in the success of implementing GAAP standards, etc. This joint statement is a good reminder to all on what the role of the audit committee is.

U.S. is preparing for a cyberattack: U.S. officials are concerned and preparing for a potential Iranian cyberattack on government agencies and organizations. During this time, the director of the U.S. Cybersecurity and Infrastructure Security Agency urges people to pay attention to how they work and to be cautious.

Government officials plan to discuss tech policies at the International Consumer Electronics Show (CES): The DOJ and FTC are investigating the big four tech companies over possible antitrust and anti-competition practices. These companies are Apple, Google, Facebook and Amazon. So, during this time, there are plans to discuss tech policies. It seems like several agencies are getting more vocal about their interest in fintech.

CCPA is projected to cost organizations around $55 billion: As a reminder, the passage of CCPA means that organizations will need to inform consumers of the data that they’re collecting on them and also give consumers the option to opt out. Compliance with CCPA is complex for most organizations; therefore, many can anticipate spending a good amount to become fully compliant.

7 compliance issues to be aware of in 2020: Looking to understand the top compliance items to be on watch for in the new year? In this article, you’ll learn 7 to keep on your radar. Some of the issues listed include really understanding how the reviews of technology service providers will play out, climate change disclosures, critical audit matters disclosures in external audit firm reports and more.

OCC 2019 Annual Report: The OCC released their 2019 annual report which shares more insight on last year’s strategic priorities, financial management and regulatory and policy initiatives. Interestingly, the annual report only makes passing mention of the fintech charter initiative.

Next steps for regulators as tech changes happen: Lately, it’s become clear that policymaking has been moving at a much slower pace than the growth of technology which is causing policymaking to fall behind. Regulators must determine their next steps to catch up. Therefore, the future for regulation will likely have an innovation focus, but there’s a lot to do to get there.

Recently Added Articles as of January 2

It may be a short week with the New Year but it’s a busy week for fintechs. And, we see bleak prospects for regulatory reform in 2020.

Fintechs made headway in 2019: Fintechs didn’t secure the OCC bank charter in 2019, but that hasn’t stop them from making some big developments. Several fintechs launched bank products that are impacting deposits and changing up the way things have always been done. With the market seeking innovation, banks and fintechs alike are taking steps to improve their digital initiatives. It’ll be interesting to see the changes that happen in 2020. Is the new motto to stop banking and start finteching?

Federal Reserve announces a fintech innovation program: Announced by the Federal Reserve Board, there’ll now be the opportunity to join a series of fintech innovation office hours. This gives financial institutions and financial technology companies a dedicated time to share their issues involving fintech. And, they also launched a section of the website that is dedicated to fintech innovation. Looks like the Fed followed the lead of the CFPB and OCC. Who is next?

Financial services legislation reform in 2020: Given that next year is an election year, there’s a small chance of passing pending bills. Historically, passing billings during a presidential election year has been quite difficult. According to Raymond James’ policy expert Ed Mills, “the window is probably closed.” What are your thoughts?

The Fed may be changing it up in the New Year: Over the last decade, the federal bank regulators were heavily focused on writing rules. Now, in the next decade, it appears they may be coming to the end of their rulemaking chapter. Is the Fed changing its tune on bank supervision and regulation?

The OCC appeals the New York decision to strike down the fintech charter: It’s the gift that keeps on giving. In October 2019, NY Department of Financial Services filed suit in an effort to block the OCC’s special purpose national bank charters to fintech companies. Now, the OCC has filed an appeal.

The FDIC is weighing the impact of regulatory actions and seeking public input: Recently, the FDIC issued an RFI requesting comment on approaches the agency currently uses or may be considering using to analyze the impact of regulatory actions. This is an effort to improve the quality of their regulations and policies, minimize regulatory burdens and ensure their regulations and policies achieve legislative goals in an efficient and effective manner. The RFI will close on January 28, 2020.

FDIC and Federal Reserve System’s request for comments on CAMELS ratings is extended: In October 2019, the Federal Reserve System and FDIC announced an RFI seeking comments and feedback on the use of CAMELS ratings. The comment period’s end date is extended from December 30, 2019 to February 28, 2020.

Hackers are getting more clever at scamming: According to the FBI, in 2018 they found losses from hacks totaled $12.5 billion to the business community. They’ve warned that it’ll likely only get worse. Hackers and scammers are getting smarter and more creative. Here’s a great example. Recently, KVC Health Systems fell victim to a hacker’s tricks. The hacker was re-routing employee direct deposits to new accounts that belonged to them – the hacker. How’d they get away with this? They sent phony emails to the human resources department that looked like direct deposit change requests. Remember, trust but verify and teach your employees to be extra cautious.

Master vendor management in the new year. Download this eBook to see how.