Make sure you don't miss any important vendor management news! To make it easier for you, we've put together this list of key third party risk management articles and news. Read below!
Recently Added Articles as of September 19
This week there’s a lot of NAFCU and NCUA news. There are also new enforcement actions, settlements, CFPB news and even some north of the border news, eh? It’s been a busy week in the industry.
CFPB announces consumer complaints will remain public: In recent years, many organizations have pushed back as they’ve felt the CFPB consumer database is unfair. Why? They feel it can cause reputational harm, as complaints can be published by anyone and may be inaccurate. Former CFPB director Mick Mulvaney talked about taking the complaint database and making it private. However, ending speculation, the CFPB just announced that the database will remain public but with some enhancements, such as specific disclosures. Kathy Kraninger feels the database “empowers consumers and informs the public.” We’re curious to hear others’ reactions to this breaking news.
Bank of America under phony accounts investigation: It’s not just Wells Fargo! The CFPB is investigating Bank of America (BofA). The bank may have opened credit card accounts without consumer acknowledgement. BofA is pushing back; however, many of their arguments have been rejected by the CFPB’s director. The CFPB will continue to evaluate whether BofA opened phony accounts in violation of federal laws and regulations like the Fair Credit Reporting Act and the ban on unfair or abusive practices in the Dodd-Frank Act.
$1.5 million fine for poor cybersecurity measures: Phillip Capital Incorporated failed to meet cybersecurity standards as their employees weren’t monitored and, therefore, there was no assurance the cybersecurity of the business was safe. This was discovered when an employee was affected by a phishing email. Falling victim to the phishing attack resulted in a data breach that impacted 1 million of their customers’ funds and the company was faulted for taking too long to report the issue to their customers. Remember, it’s important to have a plan in place regarding how you’ll notify your customers when a breach occurs. Your reputation is at risk. How quickly and the way you relay the news speaks volumes!
Fintechs often aren’t prepared for hacks: It’s been found fintechs are often a target for hackers. Because most are startups, they seem like easy prey for cybercrime masterminds. Often, fintechs aren’t prepared to deal with fraud as they’re more focused on driving growth. Their venture investors expect rapid growth. However, due to the increase in fintech attacks, it seems they’re getting better at being prepared. Just a reminder that it’s smart to do your due diligence when partnering with any third party provider, but especially a fintech.
NCUA focusing on rulemaking this week: What’s on the agenda for the NCUA this week? Rulemaking! Chairman Rodney Hood feels regulation must be effective but not excessive. Therefore, the NCUA is reviewing regulations and modifying, amending or even eliminating any that aren’t compatible with today’s financial system. Curious? Check out their agenda to stay up to date.
Effective date of the California Consumer Privacy Act (CCPA) may be delayed: Many are requesting the effective date be moved to January 1, 2022. This is two years later than the anticipated effective date. Organizations proposing the date adjustment honed in on two issues. First, there are still proposed CCPA amendments that remain unaddressed. Second, proposed new rules in California aren’t set to conclude until later this year and, if approved, these will add additional compliance obligations. No surprise here as the final details have been so late in being developed.
OCC issues Bulletin 2019-43: Bulletin 2019-43 reminds banks of appraisal management company registration requirements that became effective on August 10, 2019. Remember, if you’re an appraisal management company, you must register with the state(s) in which you’re doing business as well as be aware that you’re subject to state supervision. In addition, the bulletin shares bank considerations to help confirm AMC registration. Overall, this will help with third party risk management.
OSFI cracking down on banks’ behavior: A Canadian regulator, the Office of Superintendent of Financial Institutions, is assessing risk in banks’ behavior. These risk-culture surveys will help OSFI better understand where bank misconduct stems from and how to improve this. These faulty areas can create more risk for institutions, so it’s important to be proactive.
Maxitransfers Corp agrees to settle CFPB lawsuit for $500,000: Maxitransfers violated the CFPB’s money transfer rules. In about a 4-year span, the corporation processed around 14.5 million transfer remittances. However, the corporation went the wrong direction when they indicated in a disclosure that they’re not responsible for errors made by banks or payment agents. According to the Electronic Funds Transfer Act (EFTA) and Remittance Transfer Rule (RTR), remittance transfer providers are in fact responsible for errors, so the statement was misleading. The corporation was penalized for violating a few more expectations as well. A stark reminder for those dealing with money transmitters that it's prudent to oversee their activities and ensure they're licensed and well-managed.
A third party risk lesson for fintechs: Fintechs can just look at enforcement actions against companies in the prepaid industry to learn that they must also comply with financial regulatory guidelines. Take the enforcement action against Achieve as an example. Although Achieve isn’t a bank, financial regulators still had non-bank expectations of them. A few items noted in the consent order against Achieve included the need for a risk-based compliance management system, compliance training, communicating compliance matters to the board and more. It would be wise of fintechs to review these lessons in the prepaid industry and take action before it happens to them. Are you making the same mistakes or are you paying attention to your peers’ mistakes and learning from them?
NCUA focuses on stronger consumer compliance: In a speech delivered at the Women in Housing and Finance Policy Lunch, an NCUA board member shared that they want more focus on consumer compliance. The member shared that their efforts to measure and enforce compliance regarding consumer financial protection laws and regulations at credit unions with under $10 billion in assets do not meet standards in the industry. He’s ready to see the approach evolve. Sounds like a good plan. What do you think?
Recently Added Articles as of September 12
This week… wow! NAFCU meetings, states setting their own standards on UDAP/UDAAP (the kind of news that makes you go "yikes" at first!), the morphing of the evil that people perpetrate, a major CFPB enforcement action, a sideswipe of the east coast – and devastation of the Bahamas – as a reminder about disaster preparedness, a large payment provider rebranding itself to advance in the fintech space and so much more.
The bad guys are getting more creative: It’s hard to believe it’s been 18 years since the very tragic 9/11 terrorist attacks against the United States. When that happened, compliance professionals everywhere had to find ways to stop terrorist financing cash flows. Today, we are faced with other forms of terrorism like mass shootings. All of this is proving difficult for financial institutions to track, identify and report; however, it’s important because it often includes money laundering and terrorist financing threats. Check out this article to learn what FinCEN is doing and what credit unions can do as crimes evolve. Evil takes many forms.
SecurityScorecard on what to do when you have a third party data breach: According to an eSentire survey earlier this year, 44% of all firms surveyed had experienced a significant data breach by a third party vendor. It’s not an area to take lightly. Check out this article by SecurityScorecard to learn four next steps you should take when breached.
CFPB announces innovation initiatives: The CFPB announces the No-Action Letter (NAL) Policy, Trial Disclosure Program (TDP) Policy and Compliance Assistance Sandbox (CAS) Policy, all of which encourage innovation and assist compliance. As a very quick overview, NAL means the CFPB will not bring action against a company for providing products/services under certain facts and circumstances. TDP means entities can facilitate in-market testing for a limited time upon permission to improve consumer disclosures. CAS means even if there is regulatory uncertainty, testing a financial product or service is okay. Of course, much of this must come with a stamp of approval.
States setting their own standards on UDAP/UDAAP: States are taking UDAP and UDAAP regulations into their own hands. For example, Maryland and Arkansas are shedding some light on how they approach and regulate UDAP/UDAAP. Could have predicted this. Absent a federal standard, the states will set their own often divergent standards around UDAAP.
Ballard Spahr analysis of the recently issued CFPB report on credit cards: Last week we announced the CFPB released their biennial credit card market report. This week, Ballard Spahr released their analysis of the report to help break it down and call out key takeaways. Some include that credit card availability has remained stable, rewards card use has increased and more.
NAFCU provides suggestions on how to even the credit union and fintech playing field: In a recent NAFCU whitepaper, the organization shares their ideas regarding the relationships between financial institutions and fintechs. They share insight regarding the fintech landscape, an overview of political and regulatory fintech efforts and more.
CFPB files a UDAAP complaint: According to the CFPB, Certified Forensic Loan Auditors, LLC engaged in deceptive and abusive acts and practices. The company, and their owner and sole auditor, charged unlawful advance fees.
Disasters like Hurricane Dorian will happen: Are you prepared? With the recent tropical storm wreaking havoc, NAFCU shares the importance of business continuity and disaster recovery planning. One reminder is that per NCUA section 748.1, if you’re a credit union, within five business days leading up to or immediately following a disaster you must notify the NCUA. A reminder about disaster preparedness is never a waste of time.
NAFCU cries foul over bank abuses: NAFCU is speaking up when it comes to bank abuses. Recently, it was reported that the American Bankers Association (ABA) was the owner of a website that was anti-credit union. With that shocking information brought to light, NAFCU’s president and CEO, Dan Berger, wants the House Financial Services Subcommittee on Oversight and Investigations to dig deeper and ask what other secretive efforts bankers are funding. Berger also shared some differences between credit unions and banks which highlights where he feels credit unions prevail. The two seem to be fighting a never-ending battle.
FTC announces $30 million settlement with an Illinois-based operator: The lead generators of the operator were deceptive in consumer marketing efforts and used unlawful and deceptive tactics. In addition, the company called consumers on the National Do Not Call list which violated the Telemarketing Sales Rule. This is a stark reminder to all organizations that you are who you partner with. However, check out the article for the three biggest takeaways.
Two big names pay a $170 million COPPA penalty: The FTC shares that Google and YouTube, a subsidiary of Google, agreed to a $136 million federal civil money penalty and $34 million New York penalty. This settles allegations that YouTube violated the Children’s Online Privacy Protection Act Rule (COPPA). YouTube obtained information/identifiers about the children without contacting parents for consent. Moral of the story – don’t mess with the kids!
The CFPB is growing: The hiring freeze has been lifted! After nearly two years, the CFPB can begin recruiting new hires again. Know anyone looking for a job with a government agency? Maybe pass along this exciting news to them.
CFPB identifies ombudsman for overseeing private education loans and related complaints: The ombudsman for private education loans will be Robert G. Cameron. He will have many duties such as reviewing complaints regarding private student loans. Reading the tea leaves… expect some investigations and enforcement actions.
A bank pays $16 million to settle FCPA case: Deutsche Bank agrees to settle an FCPA lawsuit for $16 million. The bank hired public official relatives in China and Russia as part of corrupt hiring practices. And this, my friends, is why it’s always good to check to see about ownership and OFAC, etc.
Mobile banking fintech sets its sights on a lucrative new customer base: NorthOne, a Canada-based fintech, is the latest to enter the mobile-first checking account market. The company will bring three subscription tiers to show their flexibility. Who will be next to join the growing market?
A dominant player in the payments industry rebrands: Galileo Processing is now known as Galileo Financial Technologies in an effort to bring awareness that they do more than just payment processing and extend their reach into the fintech space.
Recently Added Articles as of September 5
For a short week, there has certainly been a lot of news. Reminder! Congress is not in session, and many people are on late summer holiday with a shortened week due to Labor Day. Plus, there’s a major hurricane looming… So, it’s quite a surprising amount.
An OCC Fintech Charter suit dismissed: The Conference of State Bank Supervisors’ (CSBS) second lawsuit against the OCC’s bank charter has been dismissed. According to the judge, CSBS lacks standing. Keep in mind, this is CSBS’ second lawsuit and the OCC hasn’t even received its first application. Interesting.
Delta sues third party tech vendor: A security incident exposes 825,000 Delta customers’ personally identifying information and payment card information according to a Delta complaint. The airline company feels their tech vendor committed fraud, negligence and breach of contract by having inadequate authentication measures and security procedures. In addition, the vendor took longer than they should have to notify Delta of the breach. We often say you should write data breach notification clauses into your contracts…and this is a good example of why.
NAFCU on Credit Union and bank mergers: All you have to do is read the opening line in this article! Credit unions are acquiring small banks rapidly in an effort to grow and better serve their communities. Although banks criticize these actions, credit unions continue to push back and set the record straight regarding why they’re purchasing banks quickly.
Plan ahead for compliance: The “Big Four” release excellent whitepapers on what to focus on in 2020 from a regulatory compliance perspective. This includes KPMG, EY, Deloitte and PWC. Given there’s so much to think about, this is a good reminder to review and plan early.
NAFCU president and CEO shares the association's focus is on helping credit unions grow stronger: According to Dan Berger, president and CEO at NAFCU, “credit unions grow to serve the greater good, not the greater greed.” This was in response to him sharing the association’s strong focus on helping credit unions grow. To do this, the association has worked hard to pass legislation that lets credit unions help even more members.
The Comptroller of the Currency talks about fintech, automation and other topics: The comptroller of the currency shares more regarding their considerations when making regulatory decisions around fintech. Check out this week’s episode of FinTech Beat to hear more.
Amazon tests out handprints for checkout at Whole Foods: Say what? In New York, Amazon is testing out the use of handprints as a form of payment instead of an app or card. They plan to roll it out to Whole Foods first. How does this relate to third party risk? Well, this is another example of technology advancing which will ultimately likely lead to more oversight needed. In the meantime, give Amazon a high five for this biometrics attempt at Whole Foods checkout.
Regulators scrutinizing payday advance apps: Regulators are questioning payroll advance apps. Although these apps claim they’re a good option for anyone living paycheck to paycheck, there are regulators and about 10 other states questioning if they’re violating payday-lending laws. What do you think? Are these apps safer or actually scarier?
Digital readiness in the finance industry: In today’s digital society, credit unions must have an online presence that meets customer expectations. To do this, many are migrating banking services online. However, with tech companies moving into the financial services space, the competition is steep, and it may not be enough. They’re going to have to get creative as they develop future digital strategy. The question remains, if we’re moving beyond digital banking then where do we go next?
Asset Recovery Associates settles CFPB lawsuit: Asset Recovery Associates (ARA), a company that violated the Fair Debt Collections Practices Act and Consumer Financial Protection Act, agrees to a settlement with the CFPB. ARA told customers they would sue or arrest them if they didn’t pay. Although they didn’t intend to actually take action, they said that they were attorneys who would place liens on customer homes and/or garnish wages as well as make sure this all impacts the customer’s credit score, while none of it was true. ARA will pay $36,800 in restitution and a $200,000 civil penalty.
CFPB credit card market report is released: The fourth biennial credit card market report was released. It shares insight regarding the state of the market for 2017-2018. To no surprise, credit cards remain an essential form of payment for many. In addition, the bureau shares a little about credit card product innovation. Check it out!