In our latest podcast, Adam Hamm outlines 3 things to pay attention to in getting ready for the New York Department of Financial Services regulation known as Part 500, and Steven Stachowicz explains the reasoning behind some recent actions by the CFPB. Listen at the link below. Download the printable October issue of Compliance Insights here.
In-Depth Interview Compliance Insights [transcript] October 27, 2017
Kevin Donahue: Hello, this is Kevin Donahue, Senior Director with Protiviti, welcoming you to a new installment of Powerful Insights. I’m joined today by Adam Hamm and Steven Stachowicz, and we’re going to be talking a little bit about some of the key issues covered in the October issue of Protiviti’s Compliance Insights. Adam is a Managing Director and a leader with Protiviti’s Financial Services and Cybersecurity practice, focusing on both the financial services and the insurance industry, while Steven is a leader within Protiviti’s Risk and Compliance practice. Adam, thanks for joining me today.
Adam Hamm: Absolutely. Thank you for having me.
Kevin Donahue: Let me toss the first question to you. The New York Department of Financial Services issued its cybersecurity regulation known as Part 500, affecting covered financial services entities, and they issued that in March of this year. We’ve covered the implications of this at some depth both on our website and our blog. There are no new developments for this regulation but just give us an insight about what we covered in this issue of compliance insights and why we did it.
Adam Hamm: Sure. There are a couple of reasons why it’s important at this stage. First, now that the regulations have been in place for a number of months, there are a lot of companies out there that are required to comply with Part 500 that have now gained a full appreciation for all of the different components of the law and what it’s going to take to become compliant. So those companies are out there in full gear, working through the different aspects of Part 500 and frankly they’re struggling with some parts of the regs. So any advice we can give is very helpful for them at this point. Conversely, there are some companies out there that have been slower to realize all that Part 500 requires and they’re going to need assistance catching up.
The second reason is that the first annual certification deadline under Part 500 is fast approaching. That’s in mid-February of every year. So for companies to be able to be in a position to certify compliance and to sign on the dotted line that they are in compliance with all the parts of Part 500 that the transition deadline has passed for, time is really running out to do that necessary prep work internally so that they can be in a position to sign on the dotted line come mid-February of 2018.
Kevin Donahue: Great. Adam, a quick follow-up on that. With regard to the coming deadline and you mentioned there is some confusion among some companies. Some of them have been slow to get going on this. What are a few things that these companies should pay attention to today related to this regulation and the coming deadline?
Adam Hamm: That’s a great question. So I would break that down into three parts in terms of what they should be paying attention to. The first thing would be what our parents used to teach us which is first things first, they should be focusing on those aspects of Part 500 that they’re going to have to be certifying in mid-February next year. So the law broke all the different components of Part 500 into four different transition deadlines. The first transition deadline was in the end of August of 2017 and it’s all those components of the law that companies are going to have to certify come mid-February of 2018. So you’re talking about things like the cybersecurity program and policies, how they’re going to handle access privileges, their incident response plan, how they’re going to handle providing notice to the Superintendent of the New York Department of Financial Services if they have a cybersecurity event. All of those unique and specific components of Part 500 will have to be certified that they’re in compliance by every company subject to Part 500 by mid-February of next year. So that’s the very first thing that companies should be focusing on – to make sure they’re in a position to be compliant and to certify compliance on those things.
The second thing, which is related to the first, is the risk assessment. 500.09 of Part 500 details everything that companies subject to Part 500 have to do for their risk assessment, and as companies are starting to realize, that risk assessment component of Part 500 is not complementary or it’s not just one piece of Part 500. It really is foundational to becoming compliant with all the different aspects and parts of this New York cyber regulation. So even though the deadline for the risk assessment isn’t until March 1st of 2018, because so many other parts of the law depend on doing that risk assessment correctly, holistically, comprehensively cataloguing all the unique risks that the company faces from a cybersecurity perspective, companies really have to be well on the way to getting that done over the course of the next number of months so that they can then adapt their cyber program and policies in how they handle any other number of aspects of Part 500. So that’s the second thing.
Then the third thing, even though some of these transition deadlines are passed, the first certification of compliance is in mid-February, for example there’s a transition deadline that doesn’t take place until September of 2018. Some of the aspects that are included in those second, third, and fourth transition deadlines are going to take an extensive amount of time and preparation to get ready for. I’ll just give you three examples: multifactor authentication, encryption, and third-party service providers. All of those would take substantial work for companies to be able to be in a position to be compliant with the requirements of those sections of Part 500. That would be the third thing that companies should focus on. So, first things first, that first group of Part 500 that’s due within the next couple of months, the first certification deadline. The second thing is the risk assessment. Make sure that you’re doing a good job and have that completed hopefully before the March 1st deadline. And then third, a lot of these other very difficult parts of Part 500, comply with MFA, encryption and third party service providers. Those would be the three things I think companies should be focusing on.
Kevin Donahue: Thanks, Adam. Steven, let me ask the next question of you. The Consumer Financial Protection Bureau issued its first No Action Letter. Why is that news exactly and what does it concern?
Steven Stachowicz: Sure, thanks Kevin. The letter represents really the first action that the CFPB is taking in relation to its Project Catalyst initiative. So we talked in Compliance Insights over the past couple of years about innovative financial technologies and the compliance-related impacts of those technologies as being developed by both banks and by the non-bank, or so-called fintech-type companies. With respect to the technologies, these innovative consumer financial products and services though, there are elements of those that are perhaps untested. They’re new, so when you look at those products in relation to the existing regulatory framework, there are questions in terms of how the regulatory framework specifically applies to a particular product, and the regulators, the CFPB, the OCC as well on the banking side, said that they don’t want to be impediments to financial innovation.
So the CFPB has, as part of its work, the Project Catalyst initiative, which is really to work with banks and non-bank players on new financial products and services and making sure that not only are they consumer-friendly, but they’re aligned with consumer financial laws and regulations. So the No Action Letter is an opportunity for banks or non-banks to request of the CFPB some degree of assurances, and it’s not a perfect level of assurance, but some degree of assurance that they can move forward with offering a product or a service as described, and that they have at least some comfort that the regulator will not come after themfor non-compliance with a specific law or regulation if in fact they executed in the way that they have outlined.
That’s what we see in this first case, so an organization, a non-bank, a fintech company came to the CFPB with a particular product and a particular problem or concern related to Regulation B or the Equal Credit Opportunity Act and was asking for guidance from the CFPB regarding the application of that law or regulation to its specific underwriting and pricing models to sort of enable them to move forward with offering the product in the market, and the CFPB gave them that sort of “no-action response” in exchange for some promises by the organization to provide information to the CFPB on a regular basis as to the performance of that particular product.
So it’s not something that clearly has been used all that much necessarily because as you can tell, this process is very public. A lot of the information that was requested by that company and that the CFPB then responded with is all available publicly on the CFPB’s website. So that may be a turnoff for some organizations, if you will, that view some of what they’re doing as very proprietary, but at the same time, it also highlights the CFPB’s willingness to work with that organization and understand what the organization is trying to do, give the organization at least some degree of comfort that they can proceed with it and then sort of see where things go from there.
Over time, I think we all know that the regulatory framework may need to evolve the way that consumer financial products and services evolve, and so something like this really enables the CFPB to understand some of the innovative products and services that are coming out of the market and how its regulatory framework does or doesn’t address some of the challenges here. It also allows organizations like the applicant that requested the no-action to partner with the regulator as well and understand their perspective on how to build the appropriate risk management and controls around its products while still offering them in the market to consumers.
Kevin Donahue: Understood. Also regarding the CFPB, you’ve also noted that it’s making certain technical amendments to its Regulation B. What are those changes and why are they significant for lenders?
Steven Stachowicz: So they are pretty technical and they’re definitely worth the read. If you’re a mortgage lender that already reports information for the Home Mortgage Disclosure Act or Regulation C, these amendments are really going to be viewed as almost nothing more than a conforming amendment. So you have these two regulations, Regulation B and Regulation C, both of which address the concept of collecting certain data elements from consumers when they’re applying for real estate-secured loans. The Regulation B generally prohibits the collection of information on certain characteristics like race or ethnicity as part of its overall non-discrimination purpose, but it does permit the collection in certain circumstances where they may be required such as under other laws or regulations.
Regulation C is an example of where that may be required and is required because mortgage lenders are generally required to report that information on an annual basis to their regulators for analysis purposes. So Regulation C is changing in January of 2018, which, if you’re a mortgage lender you know all too well that it’s changing, because there’s a lot that goes into implementing that change in a couple of months. Regulation B though, as written today, doesn’t precisely conform to the Regulation C changes, and so that’s – I warned you this was technical – they’re looking to conform them and conform them in some technical ways so that categories of information being collected are similar, but it also allows lenders a little bit more flexibility, lenders who perhaps don’t report for home mortgage purposes, some of the smaller lenders that are out there, or lenders that may soon be reporting for HMDA or may soon not be reporting for HMDA. It allows them flexibility for those particular lenders to collect information that might otherwise be prohibited, and so that’s generally viewed as a good thing.
One of the other things that’s happening in the amendments is that the CFPB is eliminating from Regulation B a model form that is outdated now, so again it’s just a matter of conforming. That model application form has been in place for a number of years, but it’s going to be phased out for other forms that are more reflective of the changes that are about to occur for Regulation C. So they’re technical changes. If you’re a mortgage lender that’s already going forward with the HMDA implementation in January, these changes may seem like a non-event, but are still important to understand. If you’re a non-HMDA-reporting entity that still makes real-estate secured loans, then these changes are important to understand in terms of what they will or will not allow you to collect in those particular circumstances.
So it’s very technical, probably the most technical thing we’ve talked about here today, but it’s more than just an asterisk, if you will, on the HMDA implementation for January. It’s something that all mortgage lenders and in particular those smaller mortgage lenders that may not be reporting for HMDA should be familiar with.
Kevin Donahue: Thanks, Steven. You’re right, it definitely is technical, but certainly something that should be on the radar for those affected lenders.
Thank you and thank Adam for joining me today to discuss some of the topics covered in the latest issue of Compliance Insights from Protiviti. I want to invite again our audience to visit Protiviti.com/Compliance-Insights where you can download our latest issue.
– End of Recording –