March Vendor Management News

In efforts of staying on top of the third party risk management industry, we've listed some articles below from this past month that we recommend checking out. 

Recently Added Articles as of March 28

Lots of news to be aware of this week. Third party risk and customer data protection make the top of the Fed’s risk concerns. Additionally, more regulations are likely in the works for big technology companies while, at the same time, a tech company is on the rise and growing again. Oh, and it’s been found that state-sponsored attacks are sweeping across organizations. Let’s not forget to mention articles shared this past week with helpful reminders regarding cyber insurance and board involvement that you should keep in the back of your mind. 

• Chase CEO with stern advice for big technology companies – prepare for big regs too: More stringent regulations likely in the works for big tech giants. Jamie Dimon, CEO of JPMorgan Chase, shares that big technology companies should get prepared. Will this be like the same regulations imposed on banks during the financial crisis? Are you ready?
• Four questions about cyber insurance: Here’s a scary, but not surprising, statistic – 73% of companies aren’t ready to face a cyberattack. With that being said, do you have cyber insurance? And, if so, does it cover you third parties? Not all do. Learn the 4 questions you should be asking yourself regarding cyber insurance.
• Marqeta continues expansion: Marqeta, a modern card issuing and payment processing platform, is looking to expand even more. Previously, companies like Visa, Goldman Sachs and more have funded the organization. Marqeta plans to focus on services that coincide with digital payment ventures in order to increase their growth internationally and in the U.S. The question remains, who are their investors this round? Waiting to see…  
• Statement by FDIC chair at symposium - Few insights into further regulations, but much discussion of the role of supervision: Transparency is equivalent to certainty. That’s one of the big takeaways from FDIC chairman, Jelena McWilliams. Check out this insightful speech to learn more about how the FDIC works to supervise with clear rules and expectations, transparency, consistency and more. I think we can all get on board with that concept.
• Board’s responsibilities in oversight, along with tone from the top: Check out the topics your CCO should be sharing with the board on a regular basis to keep them informed. Additionally, learn more about what the board should be asking your CCO. We’re always saying set the “tone-at-the-top”. Regulations require it, but does it actually happen at your organization? Be honest.
• Insurers creating a rating system for cybersecurity: Some of the biggest insurers are going to collaborate and assess cybersecurity products and services on the market. Interesting initiative to make a more comprehensive and consistent rating. 
• Reuters on cyberattacks in the banking sector:  Reuters report finds state-sponsored attacks on banks on the rise. Cyberattacks on institutions are often linked to nation-states which results in disruption and destructive damages. According to Reuters, “Out of 94 cases of cyberattacks reported as financial crimes since 2007, the attackers behind 23 of them were believed to be state-sponsored, the majority coming from countries like Iran, Russia, China and North Korea.” Now institutions must be prepared to combat not only cyber-attacks, but also wide-reaching theft.
• Federal Reserve on current market conditions and risks: Look at page 7. Customer data protection and third party risk as one of the top four risks in the industry. Others include risk caused by negative economic cycles and fintech/charter risk.
• CAMELS ratings remain confidential: OCC provides stern reminder that criminal action will be taken, in the form of fines and jail time, if organizations violate guidelines and reveal CAMELS ratings that should remain undisclosed. A CAMELS rating classifies a bank’s overall condition and should remain private. Know what can be and can’t be shared before it’s too late.
• Insight from the former Comptroller of the Currency: Hear from experts on their opinions and insights regarding regulating the fintech industry in today’s ever-changing regulatory environment. 
  
  

Recently Added Articles as of March 21

The news meter hit "full" on articles found recently – there’s been enough news to stop Godzilla in his tracks and make Clint Eastwood cry. Let’s take it from the top – FIS acquisition of Worldpay is very big in the payments industry, lots of news on the looming implications of the California privacy act, more troubles for Wells, Mastercard expanding card capabilities, the CFPB starting to ramp up investigations – FTC must have been getting a little antsy as they jumped in with their own “show your work” reminder – and, of course, we have some fintech charter wrangling.  

• Department of Defense to start enforcing third party risk management standards as well as part of a broader cybersecurity effort: The Department of Defense (DoD) is cracking down. It was announced in March that if you’re a contractor not up to date on cybersecurity standards you soon won’t get much leeway from the DoD. Within the next 18 months, the DoD will begin auditing companies’ cybersecurity efforts if they want to work with the military. Cybersecurity is important so we’re on board.
• Wells Fargo CEO Tim Sloan got grilled at a congressional hearing: Lawmakers wanted proof that Wells Fargo won’t experience any more consumer abuse scandals. Sloan was asked if the bank is “simply too big to manage”, of which Sloan said it wasn’t. He also mentioned he can’t promise perfection but believes the changes he’s implemented since becoming CEO will prevent future harm the best the bank can. Next month, the CEOs of Morgan Stanley, Goldman Sachs, Citigroup, JPMorgan and Bank of America are expected to make an appearance before the panel. Pressure is on.
• Mastercard buys Ethoca to improve fraud detection capabilities: Mastercard announced a deal, expected to close in the second quarter, to buy Ethoca – a technology company that helps merchants and card issuers identify and resolve fraud in digital transactions. The plan is to combine Ethoca’s platform with Mastercard’s fraud management and security products. This will allow clients to identify and stop fraud and false declines. It’s a good area of focus.
• FTC top complaints in 2018 were imposter scandals: FTC released its 2018 Consumer Sentinel Network Data Book. The imposter scandals made up 18% of the reports summarized, debt collection is second with 16% (in 2017 it was number one) and identity theft is third with 15%. There were more than 535,000 imposter scans reported and 167,000 people reported their information was misused in some way. Not surprising. 
• FTC gave record-setting $5.7 million fine to TikTok, a popular short-form video sharing platform: A little off the usual topics, but COPPA is a regulator we should all be familiar with and its privacy implications for kids and social media. This changes the risk landscape for online service providers – so it’s time for companies to re-evaluate themselves to ensure compliance with COPPA.
• CFPB is focusing on bill-pay: The CFPB released its 18^th edition of Supervisory Highlights. It covers supervision activities from June 2018 through November 2018. An area of focus was on issues with disclosure, timing, deceptive practices and third party implications related to bill-pay.
• NAFCU presses Congress for more control over fintechs: NAFCU President and CEO Dan Berger wants to ensure fintech firms are required to the same data security and consumer protection standards as credit unions. With the addition of innovation, it’s still important to make sure to protect consumers properly. Ahhhh, the battle rages on… 
• FTC issued its 2018 Privacy and Data Security Update: It has summaries of hundreds of cases, warning letters and other actions related to the seven areas that were key to the FTC’s 360-degree approach in 2018. The seven are: general privacy, data security & identity theft, credit reporting & financial privacy, international enforcement, children’s privacy and do not call. Curious?
• FIS acquires Worldpay, creating global behemoth: Major acquisition. FIS wanted to expand its reach in digital payments and Worldpay makes technology that supports transactions for e-commerce merchants, so the $43 billion deal made sense to them. Worldpay’s benefit is the deal will help them expand into new markets and compete with global payment competitors.   
• Analysis of the evolution of payments and where we’re heading: The timeline includes the prepaid card rule, the five-year look-back report on the remittance rule, funds availability and remote capture, examinations and regulation Z and more. Note in particular the concerns over privacy and the CCPA.
• Key things to know from the FIS Worldpay acquisition: Be nimble, be responsive. Five key takeaways from the deal are: a company’s relevance in the fintech industry is tied to its ability to share its data; the market is moving fast and so are the deals – this isn’t the only recent acquisition; the two companies plan to tap $500 million in new revenue while shaving about $400 million in expense; because FIS will now be offering a wide range of security and cross-selling, it can compete with fintechs like Stripe, Square and PayPal; and this duo promotes a cashless world.
• 8 things to know about CCPA: The California Consumer Privacy Act (CCPA) can affect organizations not even physically in California. It may even push other states to follow suit or Congress to pass a national privacy law. So, CCPA is coming – are you ready?
• FTC says basically “show your work” when it comes to complying with consent orders: The FTC thinks some respondents aren’t taking their responsibility seriously when it comes to providing detailed and timely compliance reports. So, they’re introducing new language in their future orders. Are you living up to their expectations?

Recently Added Articles as of March 14

Latest news includes a Green Dot innovation, new FFIEC resource materials and Wells Fargo in more trouble.

• We try to stay away from the political angles but when the head of the OCC is talking, you gotta listen - there's an OCC video below. Other interesting news this week includes a Green Dot innovation, new FFIEC resource materials and Wells Fargo in more trouble.
• New FFIEC exam guidelines: The Federal Financial Institutions examination Council (FFIEC) is big on effective communication, so one of the methods they keep effective communication is through report of examination (ROE). They’re making updates to that ROE – they want it to address changes to a financial institution’s supervision process, technology advances and changes in the industry. What fun.
• Wells Fargo employees are speaking out: Since the scandal of fake bank accounts, unwarranted fees and unwanted products, Wells Fargo has claimed they no longer have as aggressive sales targets that had caused the employees to break rules. However, employees are now saying that’s pretty much not true as they still have intense expectations that are difficult to meet and some people are still bending the rules to be successful. Well, well Wells (try saying that 5 times fast)…what now?
• Law protects minors against ID theft: On September 21 of last year a new federal law went into effect - section 301 of EGRRCPA. It lets parents/guardians/child welfare representative of people under 16 request a security freeze/credit freeze on the child’s behalf to protect them from identify theft and fraud. And, it’s free. Truly, anyone can be a victim so thumbs up to this.
• Joseph M. Otting talks about OCC priorities: Tired of reading articles? Here’s a video. It’s a Youtube discussion on the OCC of the future.
• Get-rich-quick victims to get $644,000: The Federal Trade Commission (FTC) will be mailing 12,072 refund checks – grand total equaling $644,000 – to people who lost money due to a get-rich-quick scheme that falsely claimed you could earn significant money working online by using products marketed as “secret codes” by the operators of the Mobile Money Code scheme. Very kind FTC.
• Green Dot launches social media push toward banking: It’s developing Bank OS, which would enable partners to develop their own financial products like credit cards, mobile app, etc. So, they’re targeting people involved in apps – social media influencers, app store developers, etc.

Recently Added Articles as of March 7

This week the FTC’s annual complaints report came out, the House Banking panel expressing concern over credit reporting agencies, the SEC’s first chief risk officer, banks vs privacy, re-branding in a merger and a couple of interesting legal analyses on the state of third party risk management and regulatory reform. 

• Housing banking panel concerned over credit reporting agencies’ dominance: Is there enough competition? Representatives worry that may be much of the systemic problem’s cause. They also discussed revamping the credit reporting industry – several ideas proposed.
• FTC released annual top complaints report: You know anyone in it? Imposter issues led the way.
• Wells Fargo investors reach $240M deal over fake accounts scandal: Largest ever insurer-funded cash settlement in a derivative suit to resolve claims over a bank’s fraudulent account scandal you say? Wells Fargo & Co. shareholders are trying to get a $240 million deal with bank executives approved by a California federal judge.
• SEC has its FIRST chief risk officer: That’s a big deal. Gabriel Benincasa has been named as the SEC's first chief risk officer. They needed to strengthen risk management and cybersecurity efforts, so the role was created. For example, in 2016, their public online database of filings was hacked – don’t want a repeat. Benincasa previously worked in risk and compliance positions in the financial sector and will be tasked to help the coordination of work to identify, monitor and mitigate key risks facing the agency, and also be an adviser on enterprise risks and controls issues.
• Banks must be involved in the privacy debate now: We’ve been preaching and predicting this ever since the Equifax breach. Banks should expect to meet more consumer privacy requirements – California led the way. How high are the stakes? How can you prepare? Who’s controlling the debate?
• Rebranding BB&T-Suntrust getting tricky: What’s in a name? Interesting dilemma over the merged entities.
• New FDIC resources just made it easier than ever to file a complaint: How? The FDIC now has an online support center portal with resources for consumers to better understand their rights and make well-informed money decisions, ability to submit and track requests, complaint or inquiry information and ability to submit requests or complaints.
• Social media platforms, online retailers, games, apps and others may have weaknesses in their ability to keep you safe: Uh oh. There are new schemes around money laundering. Former Facebook official gives a stern cautionary statement.
• Rising tide of mobile attacks: As technology gets more convenient, fraudsters grow more interested. A report says the financial industry experienced a 107% spike of attempts to gain controls of user accounts during mobile transactions.
• Are neobanks threats to typical banks?: No, not yet. More mobile-based banking startups are coming into the market. They’re making partnerships with financial institutions for compliance reasons and market themselves as fee-free accounts, personal financial management and debit cards supplying with interchange as a revenue stream. Familiar with any of these? Downside, they’ve got their own set of problems.
• Here’s a legal analysis of the state of regulatory reform based on the report issued by Thomson Reuters: The report covers, you guessed it, regulatory reform as well as what developments could shape financial regulation this year and analyzes how your organization can manage the change. Stock markets and global politics are key.
• Here are legal perspectives on third party risk management: Want an excuse to take a break and listen to a song or two? Third party risk relates to award-winning musician, Andre Pevin – come away from this knowing two keys to vendor risk management are: proper planning and communication.
• Stricter governance flows to fintechs: Fintechs already experience higher expectations from their financial institution clients as part of third party risk management. As governance increases for their clients, they can only expect it will continue to flow to them as well. 

Learn how organizations are handling vendor risk regulations and expectations - download our industry whitepaper.