The Top 10 Regulatory Issues of '09
Experts Say These Are the Banking/Security Topics to Watch in the New YearThe state of the economy, failure of high-profile financial institutions and the dawn of a new Presidential administration all are signs that new regulations are coming. The only questions are "what?" and "when?"
"We're in a strange place right now, based on what just happened with the economy and the financial services industry," says George Tubin, analyst at TowerGroup, the Boston-based financial services research firm. "Something is going to happen. But the big question mark here is what will happen and how far will regulators go to change things?"
Data breach notification legislation, increased scrutiny of identity theft prevention measures and the possible overhaul of the federal banking regulatory structure are just a few of the items up for discussion on the short list as President-elect Barack Obama is sworn in on January 20, 2009. Obama has made fixing our economy his highest priority as he enters office.
"Beyond propping up the economy his administration will also be aggressively looking for ways to develop safeguards to make sure that what's happening now can't easily happen again," says David Schneier, director of professional services at Icons Inc, an information security services firm in Princeton, NJ. "That will translate into new laws, new controls, additional testing and related reporting."
Based on expert insight, the following 10 regulatory issues are among the top concerns for financial institutions as 2009 approaches.
1. Future of Regulatory Agencies
The primary regulatory issue is: What becomes of the regulatory agencies themselves?
Anytime a new executive enters the White House, one expects change. But this is no ordinary year. We are officially in a world-wide recession. Banks have failed, been acquired, and brokerage houses have become reborn as depository institutions. According to the industry experts, the change that may be coming could be drastic, if not swift, when it comes to the regulations and structure of the federal agencies that oversee financial institutions.
This topic first arose last spring, with the announcement by Treasury of its blueprint for a restructuring of the federal banking agencies. Further, there has been recent discussion of perhaps merging regulatory agencies, or even creating one uber agency to oversee banking institutions.
"The regulators realize there is a lot of overlap and some revamping is needed. Internally, there will be change there, and regulators know it," says TowerGroup's Tubin. "Right now, everybody is trying to figure out what's going to happen. Regulators and banks alike don't want to do anything right now, in case it is not needed or becomes redundant."
2. ID Red Flags Rule
Next up is the continuing focus on the Identity Theft Red Flags Rule. Even though state-chartered credit unions and other businesses overseen by the Federal Trade Commission got an extension on enforcement until May 1, all other banks and credit unions overseen by federal banking regulators are now open to be examined for compliance with the new rule.
"Depending upon the surveys or research you look at, the cases of identity theft and identity fraud continue to increase," says Rebecca Herold, a privacy and information security expert. With the recent compliance date now past, regulators will look to ensure banks and other financials have implemented proper controls. "Training and ongoing awareness communications will be especially scrutinized, but a significant portion of organizations are weak in this area and will likely feel the impact from noncompliance sanctions," says Herold.
While the ID Theft Red Flags Rule may be the "new kid on the block" when compared to other older regulations, Schneier says not to discount its weight. "My very educated guess is that this is likely to become a growing issue as the year unfolds for many institutions who just haven't quite managed to wrap themselves around what they're supposed to be doing."
3. GLBA Requirements
With online transactions in the US nearing $130 billion for 2007, the need to properly implement the top security regulations continues to be a challenge for the banking community in 2009. "With the downturn in the economy, it has become even more attractive for cybercriminals to steal data for financial gain," says Yuval Ben-Itzhak, CTO of Finjan.
The opening up of competition among US banks, securities companies and insurance companies created the need to protect customers' data. The Gramm-Leach-Bliley Act (GLBA) allowed commercial and investment banks to consolidate. It also requires financial institutions to take steps to ensure the privacy and confidentiality of their customers' non-public information, including social security numbers, passwords, access codes, credit cards, ATM cards, individual assets, credit reports, and account numbers or other similar financial information.
Matt Davis, Practice Lead for Audit & Compliance at Secure State, a risk assessment firm in Cleveland, OH agrees with Ben-Itzhak's analysis and adds, "The Gramm-Leach-Bliley Act (GLBA) still continues to be the number one regulation that we as security professionals deal with. Not only does it hit our bank clients, but it affects many of our other clients via third-party due diligence."
Key rules under GLBA include The Financial Privacy Rule, which governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, who receive such information. The Safeguards Rule (issued by the Federal Trade Commission) requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions - such as credit reporting agencies - that receive customer information from other financial institutions. It bolsters the security and confidentiality of customer records and information, protects against any anticipated threats or hazards to their security or integrity, and protects against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
To protect these sensitive data, the payment card industry implemented a data security standard to prevent credit card fraud, hacking and various other security vulnerabilities and threats. As a result, any company processing, storing, or transmitting payment card data must be PCI-DSS compliant.
4. Remote Deposit guidance compliance
The industry awaits the FFIEC's final guidance on remote deposit - the ability to deposit checks into a bank account from a remote site (home, office or mobile) without having to physically deliver the paper to a bank or ATM. This is a service many banks want to offer or expand, pending further regulatory guidance. "We are hopeful here that the guidance will be realistic based upon the risk the product presents," says Doug Johnson of the American Bankers Association (ABA). "We do envision, however, more responsibilities on the part of bankers to monitor the info sec practices of RDC customers."
5. Real Estate Settlement Procedures Act
The new RESPA Rule affects over 2 million entities (banks, credit unions, mortgage lenders, brokers, settlement service providers, etc.). Each affected entity must change procedures and implement new GFE (Good Faith Estimate) and HUD-1 forms effective 1/1/2010. The Rule also impacts vendors that provide systems and forms. "This will require significant resources in 2009 to get ready for compliance," says Huda. Some requirements become effective 1/16/09. Banking agencies and the U.S. Department of Housing and Urban Development (HUD) will monitor progress closely.
6. TILA & Regulation Z
The new Truth in Lending Act (TILA) / Regulation Z changes will become effective October 2009. It creates a new category of high-priced loans with new disclosure requirements. It will also significantly impact marketing and advertising of loans and require modifications to current disclosure procedures. Certain practices are now illegal and will require employee training and system modifications to ensure compliance at a significant cost.
7. Fair Lending
With a new Department of Justice (DOJ) administration, coupled with the latest HMDA data statistics and a renewed focus by the banking agencies on fair lending, there will be several fair lending cases and allegations of lending discrimination involving several financial institutions of all sizes and types. Many financial institutions have taken the eye off fair lending risk management. CRA ratings will also be downgraded. Financial institutions will have to enhance their fair lending programs. "Due to the impact of subprime loans on the market, consumer lending will receive heightened scrutiny by regulators," says Eva Weber of the Aite Group. Loan underwriting practices will be impacted, affecting lending operations. Potential product design mandates will also affect strategies for institutions, says Weber.
8. Credit Card Practices
This is yet another area "top of mind" with lawmakers and regulators. Banks will have to modify operations and business strategies to meet greater regulatory scrutiny on issues such as billing practices, payment application and interest rate calculation, says Aite's Weber.
9. BSA/AML
Banking agencies will discover deficient Bank Secrecy Act/ Anti-Money Laundering (BSA/AML) programs and new money laundering schemes at financial institutions predicts Sai Huda, Chairman and CEO of Compliance Coach. "Many financial institutions have taken their eye off the BSA/AML risk as they cut costs and focus on credit. However, there will be several Cease and Desist Orders and Civil Money Penalties assessed and will force financial institutions to re-focus, Huda observes. Many institutions will not be permitted to acquire others or merge because of deficient BSA/AML programs. Regulators will reject applications for acquisitions and mergers and invoke USA PATRIOT Act Section 327 that require approval of applications only after taking into account adequacy of BSA/AML programs, says Huda.
10. Vendor Management
It's a holdover from the top concerns of '08 - ensuring that third-party service providers meet exacting standards of information security and data protection . Each of the major regulatory agencies issued guidance or bulletins on the topic throughout the year, and it's a critical component of the GLBA and ID Theft Red Flags regulations. Agencies have already put banking institutions on notice that vendor management is a key examination issue. Given the state of the economy and the likelihood of increased outsourcing by institutions, vendor management is only going to become more critical when 2009 arrives.
To learn more about regulatory expectations re: vendor management, see this first in a series of three related webinars.