Top Story Technology Related

The FDIC has issued a notice of proposed rulemaking that would modernize its brokered deposit regulations. The proposal would, among other things, modernize the regulatory framework to remove regulatory disincentives to offering deposit accounts to customers through different channels.

The proposal would—

• establish a new framework for analyzing whether deposits placed through deposit placement arrangements qualify as brokered deposits. These include arrangements between insured depository institutions (IDIs) and third parties, such as financial technology companies, for a variety of business purposes, including access to deposits, as well as IDIs' increasing reliance on new technologies to engage and interact with their customers.
• revise the "facilitation" prong of the deposit broker definition so that it applies to any person that engages in specified activities, and provide that a wholly owned operating subsidiary be eligible for the "IDI exception" to the "deposit broker" definition under certain circumstances.
• amend the "primary purpose" exception to apply when the primary purpose of an agent's or nominee's business relationship with its customers in the placement of funds with IDIs. The availability of the primary purpose exception would be clarified for third parties that place deposits through brokerage sweep accounts, under certain conditions, and to third parties whose primary purpose is enabling customers to make payments, under certain conditions.
• establish an application process for any third party that wishes to use the primary purpose exception, and would require ongoing reporting.
• continue to consider an agent's placement of brokered CDs as deposit brokering, and such deposits would continue to be reported as brokered

Comments on the proposal will be accepted for 60 days following publication in the Federal Register.
UPDATE: Published at 85 FR 7453 on 2/10/2020, with 60-day comment period ending 4/10/2020.

The OCC's National Risk Committee has issued its Semiannual Risk Perspective for Fall 2019, which indicates operational, credit, and interest rate risks are among the key themes for the federal banking system. Report highlights include:

• Operational risk is elevated as banks adapt to a changing and increasingly complex operating environment. Key drivers elevating operational risk include the need to adapt and evolve current technology systems for ongoing cybersecurity threats.
• Credit risk has accumulated in many portfolios. Banks should prepare for a cyclical change while credit performance remains strong. Preparation includes maintaining robust credit control functions, particularly credit review, problem loan identification and workout, collections, and collateral management.
• Recent volatility in market rates has led to increasing levels of interest rate risk. The complexity of asset/liability management is exacerbated by the recent yield curve inversions.
• The London InterBank Offered Rate (Libor) will likely cease to be an active index by the end of 2021. Accordingly, the OCC is increasing regulatory oversight of this area to evaluate bank awareness and preparedness.
• Banks face strategic risks from non-depository financial institutions, use of innovative and evolving technology, and progressive data analysis capabilities.

• OCC press release

Russian nationals charged with banking cybercrimes

The U.S. Department of Justice has joined with the U.S. Department of State and the United Kingdom’s National Crime Agency in charging two Russian nationals, Maksim Y. Yakubets and Igor Turashev, with a vast and long-running cybercrime spree that stole from thousands of individuals and organizations in the United States and abroad. They are charged with an effort that infected tens of thousands of computers with a malicious code called Bugat. Once installed, the computer code, also known as Dridex or Cridex, allowed the criminals to steal banking credentials and funnel money directly out of victims’ bank accounts. Their names and those of their associates have been added to the SDN List.

• FBI press release
• Justice Department press release

Evil Corp sanctioned for infecting bank computers

OFAC has announced action taken against Evil Corp, the Russia-based cybercriminal organization responsible for the development and distribution of the Dridex malware. The Dridex malware is a multifunctional malware package that is designed to automate the theft of confidential information, to include online banking credentials from infected computers.

Evil Corp has used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft. OFAC's action targets 17 individuals and seven entities to include Evil Corp, its core cyber operators, multiple businesses associated with a group member, and financial facilitators utilized by the group. Identification information on the designated individuals and entities can be found in BankersOnline's OFAC Update.

FinCEN and the CISA (U.S. Cybersecurity and Infrastructure Security Agency) issued a Report on Dridex Malware that provides an overview of the malware, related activity, and a list of previously unreported indicators of compromise derived from information reported to FinCEN by private sector financial institutions. Because actors using Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the techniques, tactics, and procedures contained in this report warrant renewed attention. Treasury and CISA encourage network security specialists to incorporate these indicators into existing Dridex-related network defense capabilities and planning.

The SEC has announced Kristina Littman has been named Chief of the Division of Enforcement’s Cyber Unit, a national, specialized unit that focuses on protecting investors and markets from cyber-related misconduct.

The FATF has announced that FATF President Xiangmin Liu hosted one of the first regional meetings on tackling the illegal wildlife trade as a financial crime, in Beijing, China. FATF report this is the first time that public and private sector representatives, including anti-money laundering experts and wildlife experts, have come together to share experiences about detecting and combating the financial flows linked to the illegal wildlife trade.

During the next year, the FATF will work with the public and private sector, including the People’s Bank of China, the United for Wildlife Financial Taskforce and The Royal Foundation, to develop a report on good practices that will assist in financial investigations of the illegal wildlife trade. The report will highlight how public-private partnerships and international cooperation can help to identify and disrupt the illicit proceeds of this devastating criminal activity.

The Federal Financial Institutions Examination Council (FFIEC) has revised the "Business Continuity Management" booklet, one of a series of booklets that make up the FFIEC Information Technology Examination Handbook (IT Handbook). The revised "Business Continuity Management" booklet provides information for examiners to assess the adequacy of a bank’s risk management related to the availability of critical financial products and services. The revised booklet replaces the "Business Continuity Planning" booklet issued in February 2015 and rescinds OCC Bulletin 2015-9, "FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet."

• OCC press release
• FDIC FIL-71-2019
• FRB SR 19-13

InfoTrax Xystems, L.C., a Utah-based technology company, has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards. A complaint filed by the FTC alleged that the failure to put in place reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients allowed a hacker to access the personal information of a million consumers.

The Federal Trade Commission has sued a Nevada data storage services company over allegations that it misled consumers about its participation in the EU-U.S. Privacy Shield framework and failed to adhere to the program’s requirements before allowing its certification to lapse. The Complaint filed by the FTC alleges that, between January 2017 and October 2018, RagingWire Data Centers, Inc. claimed in its online privacy policy that the company participated in the Privacy Shield framework and complied with the program’s requirements, even though it had allowed its certification to lapse in January 2018. The Department of Commerce warned Raging Wire twice to either remove the claims or take steps to recertify its participation in the Privacy Shield program. The company, however, failed to recertify until it was contacted by the FTC in October 2018.

The OCC has announced Kevin Greenfield will become the agency’s Deputy Comptroller for Operational Risk. He will oversee development of policy and examination procedures addressing operational risk, bank information technology, cybersecurity, critical infrastructure resilience, payments systems, and corporate and risk governance. Greenfield previously served as the OCC’s Director for Bank Information Technology for the Operational Risk Division.

The FDIC, OCC, SEC, and Community Futures Trading Commission (CFTC) have announced they are joining the Global Financial Innovation Network (GFIN). The agencies join 46 other financial authorities, central banks, and international organizations from around the globe that are members of the GFIN to foster greater cooperation among financial authorities on a variety of innovation topics, regulatory approaches, and lessons learned.