- FDIC and OCC Issue Risk Management Guidance on Heightened Cybersecurity Risks
- CFPB Announces How It Intends to Apply “Abusiveness” Standard
- Division of Banks Issues Legal Opinion on Card Fees Imposed by Third-Party Processors
- Guidance Issued on New Hampshire Insurance Data Breach Reporting Requirements
- Other Developments: Mutual Conversions and Auditor Independence
1. FDIC and OCC Issue Risk Management Guidance on Heightened Cybersecurity Risks
The FDIC and OCC have issued new guidance for banks on heightened cybersecurity risks facing the financial services industry because of increased geopolitical tensions and threats of aggression. The guidance, published on January 16 and titled Joint Statement on Heightened Cybersecurity Risk, warns that disruptive and destructive attacks against banks’ information systems and networks have increased in frequency and severity in recent years. The guidance recommends that banks reevaluate the adequacy of their information technology safeguards against these threats, especially safeguards against ransomware and other destructive malware. The guidance focuses on risk management principles that can reduce the likelihood of a successful cyber attack and minimize business disruption, and it highlights specific areas of practice: business resilience, authentication, system configuration, security tools, data protection, and employee training. According to the guidance, banks should be aware that attackers often gain access to bank systems and networks by targeting bank employees and contractors with phishing or spear-phishing attacks in order to compromise user credentials and introduce malware. Click here for a copy of the guidance.
Nutter Notes: The new cybersecurity guidance expands on standards articulated in the federal banking agencies’ Interagency Guidelines Establishing Information Security Standards and on other resources provided by the FFIEC, such as the Statement on Destructive Malware. While the guidance encourages banks to apply the principles and risk mitigation techniques described in these resources to reduce the likelihood that a cyber attack succeeds and to minimize its negative impacts, it emphasizes that bank management should be prepared for a worst-case scenario and maintain sufficiently robust business continuity planning processes for the rapid recovery, resumption, and maintenance of bank operations. The guidance suggests that bank management consider maintaining system backups either on segmented portions of the bank’s network or on offline storage media, such as tape. The practical reason for an offline or segmented copy is that a backup reachable from the production network with the same credentials can be encrypted or deleted by the same destructive malware it is meant to recover from, so a bank should also verify that its backups can actually be restored from the segmented or offline copy. The guidance explains that logically segmenting, and establishing physical air gaps around, critical network components and services, such as core processing, transaction data, account data, and backups, as well as other highly sensitive elements of the bank’s network environment, reduces the risk that an attack will spread across the network.
2. CFPB Announces How It Intends to Apply “Abusiveness” Standard
The CFPB has issued a policy statement providing a framework for how it defines “abusive” conduct and how it will enforce the prohibition against abusive acts or practices in consumer financial products and services under Section 1031(a) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”). According to the statement released on January 24, the CFPB intends to apply three principles when citing conduct as abusive in supervisory examinations or challenging conduct as abusive in enforcement actions against financial service providers, including banks and their service providers. First, the CFPB will cite or challenge conduct in which the harms to consumers from the conduct outweigh the benefits to consumers. Second, the CFPB generally will not challenge conduct as abusive on the basis of the same facts that the CFPB has alleged are unfair or deceptive—described by the CFPB as avoiding “dual pleading” of abusiveness and unfairness or deception violations arising from all or nearly all the same facts. Third, the CFPB generally does not intend to seek certain types of monetary relief for abusiveness violations where the financial institution or service provider was making a good faith effort to comply with the abusiveness standard. However, the statement notes that the CFPB will continue to seek restitution for consumers harmed by abusive conduct regardless of whether a financial institution or service provider acted in good faith. The policy statement is effective immediately. Click here for a copy of the policy statement.
Nutter Notes: Section 1031(a) of the Dodd-Frank Act prohibits financial institutions and their service providers from engaging in unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service. The Dodd-Frank Act also empowers the CFPB to use its supervisory and enforcement authority to enforce that prohibition. While Section 1031(d) of the Dodd-Frank Act sets forth general standards for when the CFPB may declare that an act or practice is abusive, there has been uncertainty as to the scope and meaning of abusiveness. The policy statement notes that there is relatively limited legislative history discussing the meaning of the abusiveness standard or distinguishing it from the deception and unfairness standards, which are better defined by past regulatory policy statements, administrative and judicial precedent, and statutory amendments. In applying the new framework for enforcing the abusiveness standard, the policy statement explains that the CFPB will consider the factors outlined in CFPB Bulletin 2013-06 regarding Responsible Business Conduct when determining whether a financial institution or service provider made a good faith effort to comply with the abusiveness standard.
3. Division of Banks Issues Legal Opinion on Card Fees Imposed by Third-Party Processors
The Massachusetts Division of Banks has issued a legal opinion addressing whether a fee for the processing of a consumer credit card payment to a merchant, charged and collected by a third-party payment processor engaged by the merchant, is permissible under a Massachusetts law that prohibits the imposition of a surcharge on a cardholder who elects to use a credit card in lieu of payment by cash, check, or other means. Citing previous opinions by the Division of Banks, the legal opinion issued on January 13 concluded that the processing fee does not violate Massachusetts law, provided that certain criteria are met. Those criteria include that the consumer has the choice as to whether to pay by credit card or by other means, such as cash or check, and that any additional costs associated with processing the credit card payment by the third-party payment processor are paid directly to the third-party processor. In addition, the third-party processor must be completely independent from the merchant, and neither the merchant nor any of its employees may receive any direct or indirect compensation or consideration from the third-party processor or any other party in connection with credit card transactions, according to the legal opinion. Finally, the legal opinion explained that neither the merchant nor its employees may have any of the specified types of relationships with the third-party processor or any of its affiliates, subsidiaries, or related parties. The legal opinion noted that there is an ongoing question as to whether state prohibitions on credit card surcharges such as the one under Massachusetts law are constitutional. Click here to access the legal opinion.
Nutter Notes: The Massachusetts prohibition on the imposition of a surcharge on a cardholder who elects to use a credit card in lieu of payment by other means is set forth in the Massachusetts Truth in Lending law, Chapter 140D, Section 28A of the General Laws of Massachusetts. The prohibition on credit card surcharges applies to merchants in sales transactions with consumers, but does not address processing fees or other charges that may be imposed by a third-party service provider that is not affiliated with the merchant. The Division of Banks’ legal opinion notes that credit card surcharge prohibitions under the laws of California, Texas, and Florida have recently been invalidated by federal courts for violating the First Amendment to the United States Constitution. The United States Supreme Court considered whether a similar restriction under New York law was invalid on First Amendment grounds. In that case, the Supreme Court held that the state’s restriction on surcharges does regulate speech because it regulates how merchants may communicate their prices to consumers. The Court remanded the case to the United States Court of Appeals for the Second Circuit to determine whether the state’s restriction on surcharges should be struck down. Before the court could make a determination, the parties to the lawsuit settled the matter on terms that permit merchants in New York to impose credit card surcharges where the merchants post total prices for credit card purchases in dollars and cents.
4. Guidance Issued on New Hampshire Insurance Data Breach Reporting Requirements
The New Hampshire Insurance Department has issued new guidance on data security breach reporting requirements for persons licensed to conduct insurance business in New Hampshire, including banks licensed as insurance producers. The guidance issued on January 2 explains that, under a new insurance data security law, New Hampshire licensees must notify the New Hampshire Insurance Commissioner that a cybersecurity event has occurred within three days in certain circumstances, unless an exception to the notice requirement applies. According to the guidance, the notice requirements apply if New Hampshire is the licensee’s home state and the cybersecurity event has a reasonable likelihood of materially harming a New Hampshire resident or there is a reasonable likelihood of materially harming any part of the normal operations of the licensee. The notice requirements also apply to any licensee if the licensee reasonably believes that the cybersecurity event involves nonpublic information of 250 or more New Hampshire residents and the event impacts the licensee, has a reasonable likelihood of materially harming any New Hampshire consumer, or has a reasonable likelihood of materially harming any part of the licensee's normal operations. The reporting requirements became effective under the law on January 1, 2020. Click here for a copy of the guidance.
Nutter Notes: Under the new law, licensees will have until January 1, 2022 to require any third-party service providers to implement appropriate administrative, technical, and physical measures to comply with certain information security standards. According to the guidance, the New Hampshire Insurance Department will require certain licensees domiciled in New Hampshire to submit a written statement certifying that the licensee is in compliance with the requirements of the new law beginning on March 1, 2021. The New Hampshire insurance data security law defines a “cybersecurity event” as “an event resulting in unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on such information system.” An incident involving unauthorized acquisition of encrypted nonpublic information does not qualify as a cybersecurity event under an exception in the definition if the encryption process or encryption key is not also compromised. In practice, a licensee relying on that exception should be able to show that the key was not exposed in the same incident; if the key was stored alongside the encrypted data or was otherwise accessible to the attacker, the incident remains a reportable cybersecurity event. The New Hampshire Insurance Department has made an online form available to report a cybersecurity event.
5. Other Developments: Mutual Conversions and Auditor Independence
- OCC Proposes Amendments to Mutual-to-Stock Conversion Regulations
The OCC issued a proposed rule on January 8 that would amend the regulations for federal savings associations that are converting from mutual to stock form to increase flexibility and reduce regulatory burden. Among other things, the proposed amendments would clarify which forms and accounting standards are to be used in connection with a mutual-to-stock conversion, and encourage electronic filing, electronic meetings, and notice to members by email. Comments on the proposed rule are due by March 9, 2020.
Nutter Notes: The proposed rule would also implement certain recommendations from the FFIEC’s March 2017 report under the Economic Growth and Regulatory Paperwork Reduction Act. Specifically, the proposal would repeal the regulatory requirements for employment contracts of federal savings associations in their entirety. The proposal requests comment on potential amendments to the rules regarding fiduciary record-keeping requirements for national banks and FSAs and acceptable collateral for self-deposited trust funds. Click here for a copy of the proposed rule.
- SEC Proposes Amendments to Auditor Independence Standards
On December 30, 2019, the SEC proposed amendments to update certain auditor independence requirements that apply to public companies, including banks and holding companies. The amendments are meant to focus the independence analysis more effectively on those relationships or services that are likely to pose threats to an auditor’s objectivity and impartiality. According to the SEC, the proposed amendments are also meant to reduce audit committee review of relationships and services that would not pose such threats. Comments on the proposed rule are due by March 16, 2020.
Nutter Notes: Among other things, the proposed rule would amend the definition of “affiliate of the audit client” to include a materiality qualifier in the common control provisions. The proposed rule would also amend the definition of “audit and professional engagement period” to shorten the lookback period for domestic first-time filers to assess compliance with auditor independence requirements. Click here for a copy of the proposed rule.