Top Story Technology Related

The Federal Reserve has announced that 57 early adopter organizations, including financial institutions and service providers, have completed formal testing and certification in advance of the FedNow Service's launch planned for late July. Many of these organizations will be live when the FedNow Service launches in late July or shortly after, with financial institutions ready to send and receive transactions and service providers ready to support transaction activity.

This group of early adopters is now performing final trial runs on the service to confirm their readiness to support live transactions over the new instant payments infrastructure. The early adopters include 41 financial institutions participating as senders, receivers and/or correspondents supporting settlement, 15 service providers processing on behalf of participants, and the U.S. Department of the Treasury.

"We are on track for the FedNow Service launch, with a strong cohort of financial institutions and service providers of all sizes in the process of completing the final round of readiness testing," said Ken Montgomery, first vice president of the Federal Reserve Bank of Boston and FedNow program executive. "With go-live nearing, financial institutions and their industry partners should be confident in moving forward with plans to join the network of organizations participating in the FedNow Service."

Over time, financial institutions are expected to adopt and build on the FedNow Service with the goal of offering new instant payments services to their customers. Montgomery noted that as a platform for innovation, the FedNow Service is intended to support multiple use cases, such as account to account transfer, request for payment, bill pay, and many others.

In addition to working with early adopters, the Federal Reserve continues to work with and onboard financial institutions planning to join later in 2023 and beyond, as the initial step to growing a robust network aiming to reach all 10,000 U.S. financial institutions.

The National Credit Union Administration has released a report on Cybersecurity and Credit Union System Resilience to the Committee on Financial Services of the House of Representatives and to the Committee on Banking, Housing, and Urban Affairs of the Senate. The report provides an explanation of the measures taken to strengthen cybersecurity within the federally insured credit union system and the NCUA.

This morning, the CFPB announced it has issued an order against ACI Worldwide and one of its subsidiaries, ACI Payments, for improperly initiating approximately $2.3 billion in unlawful mortgage payment transactions. ACI’s data handling practices negatively impacted nearly 500,000 homeowners with mortgages serviced by Mr. Cooper (formerly known as Nationstar). By unlawfully processing erroneous and unauthorized transactions, ACI opened homeowners to overdraft and insufficient funds fees from their financial institutions. Today’s CFPB order requires ACI, among other things, to pay a $25 million civil money penalty.

“The CFPB’s investigation found that ACI perpetrated the 2021 Mr. Cooper mortgage fiasco that impacted homeowners across the country,” said CFPB Director Rohit Chopra. “While borrower accounts have now been fixed, we are penalizing ACI for its unlawful actions that created headaches for hundreds of thousands of borrowers.”

Mr. Cooper was one of ACI’s largest mortgage servicing customers until at least 2021. Mr. Cooper services the mortgages of more than four million borrowers and collects their monthly mortgage payments. Many homeowners with mortgages serviced through Mr. Cooper chose to schedule their monthly mortgage payments using ACI’s Speedpay product, which allowed the company to automatically transfer homeowners’ authorized mortgage payments from their personal bank accounts to Mr. Cooper.

On Friday, April 23, 2021, ACI conducted tests of its electronic payments platform. But instead of using deidentified or dummy data in its tests, ACI used actual consumer data it had received from Mr. Cooper, which included names, bank account numbers, bank routing numbers, and amounts to be debited or credited. During its performance testing, ACI improperly sent several large files filled with Mr. Cooper’s customer data into the ACH network, unlawfully initiating approximately $2.3 billion in electronic mortgage payment transactions from homeowners’ accounts. None of the nearly 500,000 impacted borrowers anticipated, authorized, or were aware of these transactions until after they had been processed by their respective banks.

At one bank, for example, more than 60,000 accounts experienced more than $330 million in combined unlawful debits by that morning. Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000—overnight.

This is the CFPB’s first action addressing unlawful information handling practices in processing mortgage payments. Last year, the CFPB issued an enforcement circular describing how shoddy data handling practices can constitute violations of the Consumer Financial Protection Act.

• See our April 28, 2021, story on the Mr. Cooper payments problem

OCC Bulletin 2023-22, issued yesterday, introduces the OCC's Cybersecurity Supervision Work Program, recently developed fur use by examiners. The OCC has recognized the need to update its approach to cybersecurity assessment as part of the agency’s bank supervision. The Cybersecurity Supervision Work Program (CSW) provides high-level examination objectives and procedures that are aligned with existing supervisory guidance and the National Institute of Standards and Technology Cybersecurity Framework. The CSW Overview page on www.occ.gov links to the CSW References page, which provides cross-references that map the CSW procedures to existing supervisory guidance and industry cybersecurity frameworks. For example, cross-references include the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, the Center for Internet Security’s Critical Security Controls, and the Cyber Risk Institute’s Profile.

The CSW does not establish new regulatory expectations, and banks are not required to use this work program to assess cybersecurity preparedness. The OCC continues to encourage but does not require use of standardized approaches to assess and improve cybersecurity preparedness, and banks may choose from a variety of tools and frameworks available. The CSW does not change the availability of banks’ optional use of the FFIEC Cybersecurity Assessment Tool or other cybersecurity frameworks.

The Financial Stability Board has published for public comment a toolkit for financial authorities and financial institutions as well as service providers for their third-party risk management and oversight.

The toolkit has been developed against a backdrop of digitalization of the financial services sector and growing reliance of financial institutions on third-party service providers for a range of services, some of which support their critical operations. These dependencies can bring many benefits to financial institutions including flexibility, innovation and improved operational resilience. However, if not properly managed, disruption to critical services or service providers could pose risks to financial institutions and, in some cases, financial stability.

The toolkit aims to:

• Reduce fragmentation in regulatory and supervisory approaches to financial institutions’ third-party risk management across jurisdictions and different areas of the financial services sector
• Strengthen financial institutions’ ability to manage third-party risks and financial authorities’ ability to monitor and strengthen the resilience of the financial system
• Facilitate coordination among relevant stakeholders (i.e. financial authorities, financial institutions and third-party service providers)

This should help mitigate compliance costs for both financial institutions and third-party service providers.

The toolkit, which looks holistically on third-party risk management, comprises:

• A list of common terms and definitions to improve clarity and consistency across financial institutions and to improve communication among relevant stakeholders
• Tools to help financial institutions identify critical services and manage potential risks throughout the lifecycle of a third-party service relationship
• Tools for supervising how financial institutions manage third-party risks, and for identifying, monitoring and managing systemic third-party dependencies and potential systemic risks

The FSB is inviting comments on this consultative document. Written responses should be sent to fsb@fsb.org by August 22, 2023, with the subject line “Third-Party Risk Management and Oversight.” Responses will be published on the FSB’s website unless respondents expressly request otherwise.

Yesterday, the CFPB released its Office of Servicemember Affairs 2022 Annual Report , which highlights the growth of digital payment app usage in the servicemember community, the unique risks to servicemembers from these services, and the potential abuse from bad actors. Some servicemembers have also indicated in their complaints about incurring serious financial harm from scams and fraud when using these services, and their complaints suggest digital payment app providers often fail to provide timely and substantive resolutions.

In 2022, servicemembers, veterans, and their families submitted nearly 66,400 complaints to the CFPB, a 55% increase from 2021. More than 1,100 complaints were submitted on digital payment apps, one of the fastest-growing complaint types submitted to the Bureau. Many of the reported issues and complaints about digital payment apps relate to frauds and scams, suggesting it is a rapidly growing financial threat to military families.

The report focuses on the growth of digital payment apps in the servicemember community, and identified several risks to military families, including:

• Serious financial harm from fraud and scams when using digital payment apps
• Identity theft and unauthorized account access
• Failure of digital payment app providers to provide timely and substantive resolutions to servicemember complaints

The report recommends that digital payment app providers:

• Improve the safety and security of their networks to prevent fraud
• Improve their responsiveness in the event fraud does occur
• Tailor policies on refunds for fraud losses that recognize the unique experiences of military families

Acting Comptroller of the Currency Michael J. Hsu on Friday discussed the benefits and risks of tokenization and artificial intelligence (AI) in remarks at the American Bankers Association’s Risk and Compliance Conference in San Antonio. In his remarks, the Acting Comptroller discussed how risk and compliance can facilitate responsible innovation in AI and tokenization, and the distinctions between public, trustless blockchains and centralized, trusted blockchains.

The Department of Defense's Military Lending Act website includes a notice added yesterday that MLA's next system release (version 5.16) is scheduled to be installed between 6 p.m. and 9 p.m. Pacific Daylight Time on Thursday, June 29, 2023. The enhancements will include:

• A new user option for masking the user's SSN or ITIN and date of birth (default will be to mask the entries)
• Stronger validation rules will be added to the MLA account creation process

The OCC has announced it will host two workshops July 18–19 in Minneapolis for directors, senior management, and other key executives of national community banks and federal savings associations.

The Credit Risk: Recognizing and Responding to Risk workshop on July 18 covers the roles of the board and management, credit risk within the loan portfolio, and how to stay informed of changes in credit risk.

The Operational Risk: Navigating Rapid Changes workshop on July 19 covers key risk management processes, oversight roles and governance responsibilities, fraud, risk-based audit programs, third-party vendor oversight, establishing a strong ethical culture, and regulatory expectations to address cyber threats.

The fee for each workshop is $99. Participants receive course materials, supervisory materials, and lunch.

To register online and view the schedule and locations of other workshops, visit the OCC's website.

OFAC has announced it intends to retire its FTP server on or about June 10, 2024.

In order to comply with updated Treasury security policies, OFAC will retire this FTP capability associated with the file transfer protocol. OFAC is aware that many users utilize ofacftp.treas.gov to automate their sanctions list data downloads. OFAC will maintain this server for one additional calendar year to allow users sufficient time to develop automation that utilizes the list content hosted on the agency's website at the following URLs:

• Human-readable SDN List Files: Specially Designated Nationals And Blocked Persons List (SDN) Human Readable Lists | Office of Foreign Assets Control (treasury.gov)
• SDN List Data Files: Specially Designated Nationals List - Data Formats & Data Schemas | Office of Foreign Assets Control (treasury.gov)
• All non-SDN List Data Files (Consolidated List): Consolidated Sanctions List (Non-SDN Lists) | Office of Foreign Assets Control (treasury.gov)
• All non-SDN human-readable list files: Other OFAC Sanctions Lists | Office of Foreign Assets Control (treasury.gov)