Weekly Fintech Focus

  • The FFIEC issued new guidance to financial institutions with recommendations for effective risk management strategies when using cloud computing services.
  • The GAO is encouraging bank regulators to continue focusing on addressing important fintech issues, including issuing guidance about data aggregation, alternative data use, and de-risking.
  • CFPB announces new interactive database for consumer complaints.
  • Treasury partners with payments companies to deliver COVID-19 relief funds on prepaid debit cards.
  • Galileo pairs up with Klar and becomes first API software integrator to achieve Mastercard certification.

FFIEC Issues Cloud Computing Security Risk Management Guidance

On April 30, 2020, the Federal Financial Institutions Examination Council issued a statement addressing security risk management in the cloud computing space for the financial services sector. The statement directs financial institution (FI) management to engage in effective risk management for the safe and sound use of cloud computing services. The statement highlights the importance of sound security management and addresses the need for FI management to understand the shared responsibilities between FIs and cloud service providers (CSPs). The statement does not create any new regulatory requirements or expectations, but does provide examples of risk management practices for the safe and sound use of cloud computing services, and for safeguarding customer information.

In summary, the statement reminds management that cloud computing environments, while generally operated in a secure fashion, do not alleviate the FIs independent obligations to understand and address their own security obligations when using CSPs. Properly utilizing cloud computing environments requires the FI and CSP to understand their shared responsibilities for implementing and managing security controls. The responsibilities for each party shift depending on the cloud model that is being used (either a SaaS, PaaS, or IaaS model). FIs may outsource management of some controls to the CSP, but this must be done only after a careful review of the contract between the parties, the cloud model used, the criticality of the service on the cloud, and other risk factors unique to each FI.

The statement outlines several examples of risk management practices for assessing risks and implementing controls for FIs using cloud services. First, the FI should ensure that the use of cloud computing services fits with the FI’s IT strategic plan and architecture, including an understanding of how the FI will integrate with the cloud computing environment, and how the FI will monitor the CSP. The FI should approach working with a CSP in a similar way to how it would conduct due diligence and management of other third-party relationships, with an understanding of the unique risks and benefits of cloud technology.

For managing security risks, the FI should understand the security functions of the CSP and also understand what gaps could exist for the FI. For example, the FI will need to ensure that it properly configures its integration with the cloud and that it is utilizing its own security resources while leveraging those of the CSP to monitor the use of the cloud computing environment. In addition, the FI will need to ensure that it engages best practices to identify and access management for resources that use the cloud. Sensitive data should be encrypted to better protect this data, even if there is a breach of either the FI or the CSP.

As time goes on, more FIs are utilizing cloud computing environments for more critical activities. FIs need to ensure that they are considering the resiliency and recovery capabilities of the FI and the CSP in the event of a breach or failure of the cloud computing environment. The cloud integration must be considered in both the FI’s incident response testing and business continuity planning. Regular testing is imperative to understand and mitigate problems with the security controls and configurations relative to the cloud computing environment.

One section of the FFIEC’s statement is dedicated to controls that are unique to the cloud computing environment. These controls include management of a secure virtual infrastructure, the use of containers in the cloud computing environment, use of managed security services, interoperability and portability of data and services, and data destruction or sanitization. This section acknowledges the benefits for security of using a CSP’s services, but also cautions that traditional security controls may be insufficient for FIs using cloud technology.

GAO Encourages Bank Regulators to Redouble Efforts About Important Fintech Issues

The U.S. Government Accountability Office (GAO) recently sent letters to the Federal Deposit Insurance Corporation (FDIC) and the Board of Governors of the Federal Reserve (Federal Reserve), providing updates on the status of the bank regulators’ implementation of certain GAO recommendations issued last year in the GAO’s Performance and Accountability Report for Fiscal Year 2019.  The GAO also issued a full report to the Treasury Department covering all of the open recommendations under the department’s purview, including recommendations for the Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC). Some recommendations from the last few years are still not fully implemented, and the GAO is pushing the bank regulators to fully implement all open recommendations to improve the safety and soundness of the U.S. banking system. Many of the important open issues directly affect fintech firms, including issues related to data aggregators and alternative data, as well as modernization of the BSA/AML regulations with a focus on de-risking issues.

Data Aggregators and Alternative Data. In the area of fintech and consumer protection issues, the GAO encourages bank regulators to continue working to provide direct guidance on the use of non-traditional or alternative data for making credit decisions or detecting fraud. The GAO recommends that the bank regulators continue to engage with other regulators, such as the Consumer Financial Protection Bureau (CFPB) to determine the most effective means of issuing such guidance so banks have a better understanding of how to work with fintech data aggregators and lenders.

BSA/AML Modernization and De-Risking. The letters and reports also recommend that the bank regulators continue to conduct a retrospective review of the Bank Secrecy Act/anti-money laundering (BSA/AML) regulations and their implementation by banks. In particular, the GAO recommends that the bank regulators review how the BSA/AML regulations and banks’ implementations affect bank’s willingness to provide services to certain types of companies or industries.

CFPB Announces New Interactive Database for Consumer Complaints

The Consumer Financial Protection Bureau (CFPB) announced the launch of its new interactive database for consumer complaints. Consumers are now able to view complaints by state using an interactive map and can otherwise sort the complaints by date, company name, key words, and other filters. Consumers are also able to view certain statistical data (e.g. complaints per 1,000 population) and aggregate information about products and issues.

The CFPB believes that this provides the public with additional information and context regarding the more than 2.2 million consumer complaints that it has received since 2011. Notably, the CFPB has implemented a posting control whereby complaints are not published until the earlier of the company responds and confirms the commercial relationship with the consumer or after 15 days.

Treasury Using New Payments and Fintech Partners to Make Relief Payments

Earlier this month we discussed guidance from the CFPB that emphasized flexibility and waived certain requirements under Regulation E for distributions of relief funds through prepaid cards. Reports state that recently the Treasury Department reached a deal with Visa, Metabank, and Fiserv to send prepaid cards with COVID-19 relief payments to un-banked or underbanked individuals. Under the contracts, Metabank and Fiserv will issue Visa prepaid debit cards. These new partnerships are aimed at speeding up the process of distributing funds through the U.S. Debit Card to these individuals who do not have a bank account on file or to whom delivering a paper check would be inefficient or insecure.

Galileo Pairs Up with Klar and Becomes First API Software Integrator to Receive Mastercard Certification

Galileo Financial Technologies has partnered with Mexican challenger bank Klar and became the first API software integrator to secure Mastercard certification. The partnership and Mastercard certification allow Galileo to launch in Mexico as part of Mastercard’s Fintech Accelerate program. The certification itself is for Mastercard’s Mexico Domestic Switch and covers signature, PIN, ATM transactions, as well as settlement and chargeback processing.