November Vendor Management News


Catch the latest headlines for the month of November related to third party risk management. It's important to stay up-to-date. 

Recently Added Articles as of November 28

To wrap November up, it’s been a very interesting week for third party news buffs. This week, we see actions from most major regulators and discussion of what remains to be done in the rest of 2019. These articles include the CFPB’s rulemaking agenda, an interesting settlement by the CFPB, a reflective statement by the head of the OCC, the OCC lowering costs, the CFPB proving the C for “consumer” in its name is a priority and a whole bunch of other news that only risk and compliance wonks could love.

Article by the Comptroller of the Currency on the US banking system and its resiliency: According to Joseph Otting, 31st U.S. Comptroller of the Currency, today, U.S. banks are strong and their strength is a direct result of more than a decade of great work by banks’ boards, senior management and regulators. How exactly did this happen? He feels the Troubled Asset Relief Program (TARP) and Capital Purchase Program (CPP) helped greatly in promoting large-scale economic recovery. But, there’s much more to it than just that, such as central banks globally stepping in to assist, stress testing, policy changes and more. Today, he feels banks are the healthiest he has seen in his 35-year career. This insightful article gives a lot of background on how this happened and how prepared we’ll be for the next crisis because of the lessons learned over the last decade.

Three ad providers are the cause of about 60% of malicious ads: With cybersecurity and data breaches being one of the hottest topics in third party risk, it’s interesting to learn that three ad providers are the source of about 60% of malicious ads. Confiant released their “Demand Quality Report for Q3 2019” which found SSP-H, SSP-I and SSP-D are the cause of 60%. A single SSP is responsible for 30%. ’Tis the season for an increase in malicious ads, too. Be careful out there!

2019 NAFCU Report on Credit Unions is available to the public: In the report, you can expect to see the trends and challenges impacting credit unions. There’s a focus on 5 key areas: credit union financial conditions and role in the economy, their service to members, trends in membership, NAFCU policy priorities and financial technology. And, no surprise here. The NAFCU report recommends relief for credit unions.

OCC Bulletin announces fees and assessments structure for 2020: Effective January 1, 2020, the OCC will reduce rates in all fee schedules by 10%. Yes, you read that right. The OCC lowers fees on national banks and associations. As far as assessments go, there won’t be an inflation adjustment to the rates.

Regulators still have much to do before closing out 2019: What’s next on the list for regulators in 2019? The fall 2019 unified agenda of regulatory actions shares that one big thing is a possible reform to the Community Reinvestment Act (CRA). The agenda provides a nice visual of what’s to come in the next few months – even into 2020. A few other possibilities include enhanced cyber risk management standards, implementing a stress capital buffer, completion of the FDIC brokered deposits proposal and more.

President of the Federal Reserve Bank of Cleveland provides an update on the Fed’s creation of real-time payments network: Community bankers have many questions about the Federal Reserve’s creation of their own real-time payments network and how it’ll interact with the industry’s Real Time Payments network. Loretta Mester, president of the Federal Reserve Bank of Cleveland, shared that she feels two competing networks won’t create an issue, stating, “What you’ll end up seeing is… some banks will be on both, and others will stick with one. But if we make sure that the message sending is standardized, they’ll be able to switch if they want to switch, so there’s going to be room for both systems to be very robust systems.” Read more for more clarity on the Federal Reserve’s role in rapid and digital transactions.

CFPB’s debt collection proposal benefits consumers: Contrary to expectations, the CFPB’s debt collection proposal focuses on giving borrowers more control of how their personal debt is collected. New consumer protections were announced. Some of the protections include mandated disclosures, the use of electronic messaging, ramping up opt-out mechanisms and more limitations around phone conversations. According to the CFPB, the way in which we communicate has changed over the years; therefore, it’s best for both collectors and borrowers if debt collection rules reflect the changes. So, true to its name, it makes sense that the CFPB (“Consumer” Financial Protection Bureau) proposes debt collection rules that favor consumers.

Investigations have gone through the roof: According to the Committee on Foreign Investment in the United States (CFIUS) annual report, investigations are skyrocketing. From 2014 through 2017, they rose by 237%. We feel a big jump in investigations will eventually lead to a big jump in fines, orders, enforcements and more. Do you agree?

CFPB settles with employment background screening company for violating the Fair Credit Reporting Act: The CFPB announced a proposed stipulated judgment with an employment background screening company that violated the Fair Credit Reporting Act. If approved by the court, Sterling Infosystems, Inc. must pay $6 million in monetary relief to consumers as well as a $2.5 million civil money penalty.

CFPB’s Fall 2019 rulemaking agenda is released: The CFPB released their fall 2019 rulemaking agenda which extends out to September 30, 2020. Some noteworthy mentions on the agenda include a final debt collection rule set to occur in 2020, examining loan originator compensation requirements and E-SIGN and Regulation Z as well as rulemaking to the Payday Rule, discussion around abusive acts and practices and more. It looks like the CFPB has a full schedule next year and there is a lot to look forward to.

FINASTRA to host a webinar on core transformation at banks: Next week, on December 4th at 2:00 pm ET, FINASTRA will host a webinar that delves further into the importance of protecting your future during your core review of your business model. You’ll also hear two banks’ experiences with core transformation. Looks like an interesting webinar for financial institutions.

Recently Added Articles as of November 21

This week, we have a heavy focus on NAFCU and the CFPB, but there’s also some talk of innovation sprinkled in as well.

IPA announces upcoming webinar: On November 26th, IPA Legal will host a webinar to discuss the CFPB’s new innovation policies. The No-Action Letter (NAL) Policy, Trial Disclosure Program (TDP) Policy and Compliance Assistance Sandbox (CAS) Policy were announced in September. Innovation may be the answer.

The Equifax data breach deal doesn’t suffice according to one watchdog: A class action watchdog disapproves of Equifax’s data breach deal. They feel counsel embellished its fee request and suppressed customers’ ability to make monetary claims. It looks like no easy pass for Equifax.  

CFPB pushes back and files opposition to All American Check Cashing’s Writ of Certiorari: The CFPB filed a brief opposing All American Check Cashing’s Petition for Writ of Certiorari Before Judgment. All American Check Cashing feels waiting for the court’s decision determining if the CFPB’s leadership is unconstitutional is unnecessary. The CFPB has pushed back and All American Check Cashing responded. Curious? Read about it to watch the debate unfold.

NAFCU and NCUA collaborate to discuss examinations: NAFCU and NCUA met to discuss modernizing examinations and other exam issues. As a reminder, NAFCU has recommended 18-month exam cycles. NAFCU also requested an update on NCUA’s efforts to modernize examinations. And, NAFCU released a helpful resource, Exam Fairness Guide, which helps with understanding exam basics.

NAFCU and the Treasury Department discuss issues: NAFCU and the Treasury Department met to discuss top of mind issues. The panel went into extensive detail regarding the housing finance reform, faster payments, cybersecurity and NAFCU’s request for national data and cyber security standards, regulatory coordination between financial institutions and fintechs and needed rulemaking around the Americans with Disabilities Act regarding website accessibility requirements.

Violations of Dodd-Frank result in a record-breaking CFPB penalty: A $59 million judgement was delivered as it has been found that two mortgage-relief companies violated the Consumer Financial Protection Act of the Dodd-Frank Act by misrepresenting their services to customers. This settlement breaks down as follows: $21.7 million in restitution to customers and civil penalties of $37.3 million. There’s a lesson here. Promise to tell the truth and only the truth to your customers!

Recently Added Articles as of November 14

After a few weeks of a news slowdown, it’s picked back up and we have a smattering of just about everything.

Violations of BSA get more costly: Details were recently shared regarding the annual inflation adjustment to the Bank Secrecy Act’s (BSA) civil monetary penalty amounts. According to NAFCU Regulatory Paralegal Shari Pogach, “While this is an annual adjustment, it should still be a reminder that the federal regulator examiners are taking now a deeper look at BSA compliance.” As penalties rise, it’s a stark reminder that non-compliance can be costly!

Former Fed Chairman’s thoughts on digital currency in banking: Alan Greenspan, former U.S. Federal Reserve Chairman, shares his thoughts on digital currency in banking. He feels there is no reason for banking institutions to implement digital currency. His reasoning is that national currencies offer the best sovereign credit backing. However, some other Federal Reserve employees feel digital currency must happen. What are your thoughts? Is it inevitable?

NAFCU’s thoughts on the CFPB’s proposed use of tech sprints: NAFCU’s senior counsel for research and policy shared his feedback regarding the CFPB’s proposed use of tech sprints. Tech sprints are supposed to address regulatory compliance obstacles and promote innovation. NAFCU also went ahead and shared a couple of areas where they feel technology could be used to reduce supervisory burdens. These include compliance checks and risk management decisions.

Goldman Sachs and the criteria for credit limits: The new Apple card may need to quickly reassess its algorithm. NYDFS is already asking questions about potential gender discrimination. Goldman Sachs denies the accusations but will revisit their Apple Card credit limit provisions and how they’re determined.

Microsoft is pro CCPA: Microsoft announced they will implement CCPA throughout the United States. According to the blog, Microsoft says, “We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.” Microsoft will continue to practice privacy protection in their daily routine. While some companies are nervous, it looks like Microsoft is happily embracing the change.

Many are ready for changes to the CAMELS rating system: Recently, the Federal Reserve and FDIC announced a request for comment which meant input was welcomed regarding the CAMELS rating system and how it’s used to score the overall health of banks. While this was exciting to many, it’s important to remember that submitting feedback does involve some risk. You may share confidential details about the process that aren’t necessarily supposed to be shared. Remember, banks shouldn’t know the CAMELS rating results of other banks. I think we can all agree we want changes to CAMELS ratings but raising your hand could draw scrutiny.

Cordray-era CFPB lawsuit update: Recently, one of three deceptive debt collection practices lawsuits brought against foreclosure relief providers over five years ago received a final judgement.

The California Consumer Privacy Act (CCPA) may mean lawsuits: CCPA is set to become effective on January 1, 2020. With that, it’s predicted that data breach class action suits will follow closely behind. If you’re a company doing business in California, and experience a data breach, you may unfortunately be part of one. However, your best approach to help avoid this is to establish good cybersecurity posture and put arbitration agreements in place. Are you ready for the changes?

UDAAP implications in the emerging payments space: Attorneys general understand there is value in payment apps, but they still have their concerns. This is because some of these apps could fall under “money transmitter” in the anti-money laundering rules of FinCEN. Also, you’re violating Unfair, Deceptive, and Abusive Acts or Practices (UDAAP) if you process transactions without a license. So, basically, when creating the app, keep in mind the regulation and law you must comply with.

The CFPB and small business data collection: It’s been a while since the Consumer Financial Protection Bureau (CFPB) has issued new rulemaking on small business lending requirements. This seems to be making many anxious. Recently, a panel of experts discussed their thoughts on this and predicted the CFPB’s approach. Interested in learning the panelists’ thoughts and the CFPB director’s points in the symposium?

Fallout from Capital One data breach: Michael Johnson was the chief information security officer (CISO) at the time of the huge data breach that happened earlier this year. Capital One has decided to move him to the role of an advisor and hire a replacement CISO. As an advisor, he will continue to assist with the bank’s ongoing response to the breach.

CCPA steps for banks and credit unions: Are you a bank or credit union? If you still don’t feel prepared for CCPA, you’re not alone and this article may help. It highlights 3 steps you should take as CCPA gets closer. What are they? First, fully grasp your data collection activities. Second, review your security and fraud prevention processes. Third, keep in mind that compliance impacts brand trust, so you want to remain compliant.

HomeStreet Bank and FDIC announce $1,350,000 settlement: HomeStreet Bank agreed to pay a $1,350,000 civil money penalty for violating the Real Estate Settlement Procedures Act (RESPA). The FDIC found HomeStreet Bank violated section 8(a).

Fiserv and First Data are fully merged: Now that Fiserv and First Data are fully merged, Fiserv looks to stay competitive while cutting costs. With the acquisition, they anticipate they can reduce costs by $1.1 billion annually. I’d say that’s a pretty good average.

Recently Added Articles as of November 7

We head into the holiday season with news surrounding NAFCU, data security, data breaches and more.

The NAFCU Journal’s November-December edition now available: NAFCU announced the release of the November-December edition of The NAFCU Journal. Interested in learning more about credit card offerings, exam expectations and preparing for disasters? Then this may be a great resource for you.

A national data security standard is requested: NAFCU wants a national data security standard and they made sure to let Congress know. According to NAFCU’s Brad Thaler, without a national data security standard in place it “creates risk, as bad actors often target those companies who do not have high security standards.” With data security standards in progress at the state level, NAFCU feels uniformity at the national level is even more needed. Speaking of the state level, do you know if your state has proposed data security law and regulation circulating?

Three banks are shut down within one week: Is this a sign that stiffer regulations are upon us? Regulators closed 3 banks in one week. Industry experts advise bankers to take caution and pay attention since this could mean a stricter regulatory stance on capital adequacy and risk. Please, no return to Bank Fail Fridays!

AT&T settles FTC allegations: AT&T agreed to pay the FTC $60 million to settle deceptive and misleading conduct allegations. AT&T offered “unlimited data plans” but neglected to tell customers that if they use a certain amount of data within their given billing cycle then their data speeds would be reduced. Remember, disclosure is key.

NCR takes a proactive approach to a recent Mint and QuickBooks Online hack: Mint and QuickBooks were recently hacked, causing bank account passwords to be compromised and funds to be siphoned. To protect their data, NCR blocked the platforms from accessing its online banking platform. Since their online banking platform is used by many financial institutions, they felt this was the best precautionary approach. It looks like NCR is taking the data breach very seriously; but let’s be honest, in today’s tech-friendly world you really must. Sometimes, the best offense is to be on the defense.
