States Champion Regulatory Streamlining; CFPB Remains Focused on Consumer Loan Servicing and Fair Lending

By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice

 

 

 

While regulatory relief remains a topic within the Beltway, the Conference of State Bank Supervisors (CSBS), the nationwide organization of financial regulators from all 50 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, has already taken action to streamline the multistate regulatory oversight framework for one group of its regulated entities – money services businesses (MSB). In April, the CSBS launched the Money Services Business Call Report (MSB Call Report) which will allow MSBs to submit a single periodic financial form and other activity reports rather than deal with state-specific reporting requirements in varying formats. The MSB Call Report includes a Financial Condition Report, Transaction Activity Report, Permissible Investment Report and (to be added in the fourth quarter 2017) a Transaction Destination Country Report. The initial report was due by May 15, 2017. While individual states need to opt into this reporting, this move is nonetheless a step in the right direction for the MSB community.

Among the topics on the agenda of the Consumer Financial Protection Bureau (CFPB) are mortgage servicing rights for consumers and fair lending. The CFPB’s 2016 final rule amending certain provisions of Regulation X (Real Estate Settlement Procedures Act) and Regulation Z (Truth in Lending) will be effective in October 2017. The rule requires a series of modifications to the procedures and technology platforms used by mortgage services. These modifications affect, among other things, key definitions (successors in interest, delinquency), lender-placed insurance, loss mitigation, communications with borrowers in bankruptcy, and periodic statements and coupon books. With the effective date less than six months away, mortgage services need to understand and be prepared to implement all of the required changes.

The 2016 CFPB Fair Lending Report, published in April, signals the agency’s fair lending priorities for 2017. These include identification of redlining activities; mortgage and student loan servicing issues based on race, ethnicity, sex or age; and fair lending challenges faced by women-owned and minority-owned businesses. Lenders engaged in mortgage and student loan servicing and small business lending activities should consider stepping up their monitoring and testing of these areas in preparation for upcoming CFPB examinations.

Learn more about these developments in our May issue of Compliance Insightsavailable here, and review our monthly recap of compliance developments on the same site.

In the UK, 2017-2018 Priorities for Financial Services Firms Published

By Bernadine Reese, Managing Director
Risk and Compliance, UK

 

 

 

The UK Financial Conduct Authority (FCA) has issued its annual business plan for fiscal year 2017-2018. The FCA is the conduct regulator for 56,000 financial services firms and financial markets in the UK and the prudential regulator for over 18,000 of those firms. Its annual business plan and mission statement gives firms and consumers greater clarity about how the regulator intends to prioritize its interventions in financial markets over the next 12 months.

The plan sets outs FCA’s cross-sector and individual sector priorities for the next 12 months. It identifies the following cross-sector priorities: culture and governance, financial crime and anti-money laundering (AML), promoting competition and innovation, technological change and resilience, treatment of existing customers, and consumer vulnerability and access.

The main individual sector priorities focus on the need to continue with the implementation of the Markets in Financial Instruments Directive (MiFID II); improving competition in all areas of financial services; supporting the implementation of ring-fencing in retail banking; and assessing the developing market for automated advice models (robo-advice) in the retail investment market.

A fundamental part of the plan is the risk outlook, which identifies key trends and emerging risks that help form the regulators’ priorities for the coming year. Technological change, cybercrime and resilience are noted as major risks. However, many of the largest risks detailed in the FCA’s risk outlook are external: international events, demographic changes, the course of the UK economy, and the impact of the UK’s decision to leave the European Union (EU), commonly known as Brexit.

We published a recent Flash Report, which lays out specifics and reasoning around each of this priorities. Financial firms in the UK are advised to familiarize themselves with the report so they can determine where to focus their compliance efforts and to better understand the regulator’s expectations.

What’s the Latest on Fintech Charters and What About That Russian Laundry?

In the April edition of Compliance Insights, we discuss the Office of the Comptroller of the Currency’s draft supplement, released in March, which further outlines the application guidelines for fintech bank charters (covered previously in our January issue). We also lay out previously unknown details of the “Russian Laundromat” money laundering scheme, as reported by the Organized Crime and Corruption Reporting Project, and we touch on the CFPB’s latest, $1.75 million enforcement action. Listen to our interview with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, at the audio link below. Full transcript of the conversation follows.

 

In-Depth Interview, Compliance Insights [transcript]

April 24, 2017

 Kevin Donahue: Hello. This is Kevin Donahue, Senior Director with Protiviti, welcoming you to a new installment of Powerful Insights. I’m talking today with Steven Stachowicz, a Managing Director and leader with Protiviti’s Risk and Compliance practice, and we’re going to be covering just some of the highlights from the April edition of Protiviti’s Compliance Insights newsletter. Steven, as always, thanks for joining me.

Steven Stachowicz: Hi, Kevin. Thanks for having me today.

Kevin Donahue: Steve, to start off, in the lead article of this month’s newsletter, we summarize a new licensing manual supplement from the OCC that applies to fintechs seeking a special-purpose national bank charter. Steven, what are some of the notable points in the OCC’s draft supplement?

Continue reading

2017 Technologies Driving GRC Change

By Scott Wisniewski, Managing Director
GRC Tech Advisory Solutions

 

 

 

Digital transformation was probably one of 2016’s top buzzwords, meaning many different things to different analysts, journalists and vendors. For me, it represents real and significant investments in modernizing IT infrastructures, including those that support GRC activities and processes.

Consider the trends we’re immersed in. Enterprises are adopting cloud and mobile technologies at an extraordinary rate in the hopes of driving greater productivity and collaboration, and organizations of all sizes are launching data initiatives involving the collecting and analyzing of massive amounts of data in order to drive better business decisions and improve customer experience. At the same time, the rapidly evolving regulatory environment, such as the EU’s impending Global Data Protection Regulation (GDPR), is putting pressure on legal, compliance, security and IT departments to invest in a range of new data initiatives, consulting services and technologies.

In response to the trends, organizations are rethinking their GRC infrastructures, hoping to gain a much broader and deeper understanding of risk drivers and the bigger GRC picture. Further, to make GRC work effectively in increasingly complex and highly distributed organizations, GRC leaders recognize they must embed GRC into the everyday activities of the business.

The combined impact of all these activities will make 2017 the year that GRC practitioners will:

  • Acknowledge that effective GRC cannot be achieved via a single technology or application. Instead it will depend on a new, complete architecture. A single GRC application today may expose operational risk, but it cannot develop and present the type of complete GRC picture that regulators and boards are now demanding. Developing such a picture requires the combination of traditional GRC applications and new tools to:
    • Extract data from internal systems, such as information security and ERP
    • Consume external content, such as regulatory content feeds
    • Incorporate performance metrics, such as sales and financial results
    • Collect and consolidate market and credit risks as well as the risks identified by business intelligence tools and other analytics

With all these new tools in place, organizations will finally be able to build new presentation layers that provide a complete – and far more useful – picture of their GRC profile.

  • Take advantage of increased information sharing and collaboration to improve governance. As part of their digital transformations, many enterprises are focused on developing new and more effective ways to share information and collaborate. The ability to manage and track this activity will enable GRC programs to incorporate affirmative governance components, such as corporate culture and business achievements. It will also enable the embedding of GRC program elements, such as activities assigned to Line 1 business owners, into the enterprise applications they access every day, encouraging them to more consistently follow governance best practices as they engage in their daily activities.
  • Improve risk decision-making by using data analytics. Thanks to an array of new technologies – in-memory computing, visualization tools, mobile reporting services, etc. – organizations can now rapidly aggregate and analyze huge volumes of data from systems across the enterprise. Data scientists are also developing new methodologies and business rules to aggregate and optimize data for analytics more effectively. As a result, organizations will finally be able to automate many GRC tasks, such as risk scoring assessments, thereby automatically exposing potential risk hot spots that previously went undetected until the damage was done.

I have never been more optimistic about the evolution of GRC. As assurance professionals, lines of business and IT work together to implement new strategies and new supporting technologies, we will transform GRC from mere operational risk management to a function that can protect organizations while actually helping them to be more successful.

Compliance News Roundup: The Clearing House AML Recommendations, CFPB on Alternative Data and More

Protiviti published its March issue of Compliance Insights this week. We sat down with Steven Stachowicz, Managing Director with Protiviti’s Risk and Compliance practice, to discuss some of the highlights. Listen to our podcast below, or click on the “Continue Reading” link to read the interview.

 

In-Depth Interview, Compliance Insights [transcript] Continue reading

Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance

 

 

 

Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally-identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.

Continue reading

New York Steps Up With First State-Level Cybersecurity Regulations for Financial Services Companies

By Adam Hamm, Managing Director
Risk & Compliance

 

 

 

With the future of federal regulations uncertain, the New York Department of Financial Services (NYDFS) has taken cybersecurity matters into its own hands. Effective March 1,, 2017, banks, insurers and other financial services regulated by the NYSDFS must maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

New York is the first state to adopt comprehensive cybersecurity regulation. Others are watching closely. The National Association of Insurance Commissioners (NAIC) is still crafting its own highly anticipated cybersecurity model law, and comparisons between the two frameworks will continue. We will be following up on these developments as they happen, as well as monitoring whether other states will follow New York’s lead.

Much more than a ritual box-checking exercise, the New York regulation requires the state’s banks, insurance companies and other financial service providers to each conduct a thorough cybersecurity risk assessment and design a robust cybersecurity program based on the findings.

Risk assessments will vary according to the individual risk profile of each covered entity but, generally, the documented risk assessment needs to do the following:

  • Provide criteria for the evaluation and categorization of identified cybersecurity risks or threats which the entity may face.
  • Design criteria for the assessment of the confidentiality, integrity, security and availability of the entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks.
  • Develop a risk mitigation program that describes how actual risks will be mitigated (or accepted) and how the company will monitor these risks. It is important to document the systems that are in place to detect and defend against cyberattacks, and test employee response to ensure that protocols are both followed and effective.
  • Develop policies and procedures for the implementation and operation of the cybersecurity program, and train employees in these procedures.

In addition, each entity must designate a qualified chief information security officer (CISO) to administer the cybersecurity program. This may not be news to larger financial institutions, but for a smaller entity it may be a brand new requirement that requires some restructuring.

A CISO doesn’t have to come from within the entity’s ranks. Third parties can provide the CISO oversight services in an outsourced capacity. It is important to note, however, that while the responsibility for the oversight can be delegated, liability for the risk as well as for compliance is not transferable and remains with the entity.

There are many more specific details in the NYDFS regulation that covered entities will need to carefully look into as they shape their cybersecurity programs. Among them are specific initiatives that companies will either need to undertake now, or review to make sure they comply with the rule: incident response plan, data encryption, multi-factor authentication, third-party service provider security policies, penetration testing and vulnerability assessments, access privileges, and an audit trail for all these efforts, among others.

Covered entities have until February 15, 2018, to submit their first certification of compliance (annual requirement). This is a very short timeframe. I would urge companies to begin their risk assessments with utmost speed to ensure adequate time to identify and remediate any security gaps before the 2018 compliance deadline.

You can read the full regulation here.