(Nov. 5, 2021) Addressing and mitigating actively exploited vulnerabilities on all federal agency computer networks is the aim of a directive issued this week by the federal agency that oversees cybersecurity, which the agency said is a first-ever federal government-wide requirement.

In issuing the order, the Cybersecurity and Infrastructure Security Agency (CISA) said it also encourages state and local governments, as well as the private sector, to take action.

The “Binding Operational Directive” (BOD 22-01), CISA said, is sending a “clear message to all organizations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritization of vulnerabilities based on our understanding of adversary activity.”

The order, the agency said, applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. According to agency Director Jen Easterly, the order lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks.

“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities,” she said. “It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

The agency noted that the order prioritizes resources for patching vulnerabilities that are most likely to result in a damaging intrusion into federal agencies and American businesses, “building upon existing methods widely used to prioritize vulnerabilities by many organizations today.”

LINK:

CISA Releases Directive on Reducing The Significant Risk Of Known Exploited Vulnerabilities

(Clockwise from top left) Moderator George Hofheimer (Hofheimer Strategy Advisors), left, NASCUS President and CEO Lucy Ito and NASCUS EVP and General Counsel Brian Knight take in the Exchange discussion; Mike Williams, CEO of Colorado CU and chairman of the NASCUS Credit Union Advisory Council, enjoys the discourse; Participants are both face-to-face in Phoenix, and by virtual means.

(Nov. 5, 2021) Payment preferences, “buy-now-pay-later,” field of membership (FOM) barriers and more were all on the table at the meeting of CEOs of very large credit unions with state regulators held this week in Phoenix, sponsored by NASCUS.

The discussion was held at the two-day 2021 Exchange, an invitation-only event for regulators and leaders from credit unions with more than $10 billion in assets. The event is sponsored by NASCUS through the Dual Charter Resource Initiative (DCRI). The DCRI is a partnership, fostered by NASCUS, between the state system and key organizations within the credit union system at large. The program is committed to strengthening the state credit union charter by pursuing progressive legislation and regulation, building relationships to foster charter innovation, guarding against unnecessary federal pre-emption and expanding awareness of options available to state-chartered credit unions.

Among the topics discussed by the participants were:

  • Consumer behaviors with payment alternatives Venmo and PayPal and the growing tendency for Millennials and Gen Z to use their primary financial institutions as “paycheck motels” before transferring funds to a third-party payment app.
  • Exploring alternative short-term loan options through “buy-now-pay-later” arrangements through payment alternatives that break payments into small installments to thwart high-interest short-term lending.
  • Growing social acceptability of crypto currency as a primary payment method (particularly in Miami, Fla.) and associated risks.
  • FOM barriers with digital banking and disruptions to traditional banking models.

Credit union CEOs participating included: Benson Porter, Boeing Employees’ Credit Union (BECU); Mike Ryan, Boeing Employees’ Credit Union (BECU); Mike Williams, Colorado Credit Union (and NASCUS Credit Union Advisory Council chairman); Mary McDuffie, Navy Federal Credit Union; Emily Troncoso, Navy Federal Credit Union; Bill Cheney, SchoolsFirst FCU; Gary Rodrigues, Star One Credit Union; and Brian Wolfburg, Vystar Credit Union.

State regulators participating were: Joni Kimbrell, California Department of Business Oversight; Ben Brinkley, Florida Office of Financial Regulation; Steve Pleger, Georgia Department of Banking & Finance (and NASCUS Regulator board member); Francisco Menchaca, Illinois Department of Financial & Professional Regulation; Charles Vice, Kentucky Department of Financial Institutions (and NASCUS Regulator board member); Melanie Hall, Montana Department of Administration; and Rose Conner, North Carolina Credit Union Division (and NASCUS Regulator Board Chairman).

Participants in a first day’s panel at the NCUA DEI Summit this week were (from left) NASCUS’ Lucy Ito, CUNA’s Jim Nussle, and NAFCU’s B. Dan Berger.

(Nov. 5, 2021) NASCUS President and CEO Lucy Ito played a central role in this week’s Diversity, Equity and Inclusion (DEI) Summit presented by NCUA, appearing on two panels at the three-day, virtual conference held Tuesday through Thursday.

The conference focus, according to NCUA, was on advancing DEI in the credit union system by sharing best practices, addressing challenges to advancing DEI and learning about how NCUA can support the industry in its efforts.

Ito shared the first panel with CEOs of other Washington groups representing credit unions, Jim Nussle of the Credit Union Natl. Assn. (CUNA), and B. Dan Berger of the Natl. Assn. of Federally Insured Credit Unions (NAFCU). The group discussed the credit union role in the DEI journey. The second panel featuring Ito discussed “How to Increase Gender Diversity in the C-Suite,” and included CEOs from credit unions: Mary McDuffie (Navy Federal CU president and CEO), Shruti Miyashiro (Orange County’s CU CEO), and Tracey Jackson (ResourceOne CU CFO).

In both sessions, Ito discussed the impact of DEI on herself and on the credit union system, and efforts by NASCUS and the state system at large to advance DEI along the lines of the conference’s goals.

“My thanks to NCUA, particularly Chairman Harper, Vice Chairman Hauptman and Board Member Hood, for inviting me to participate in this event – and for their personal commitments to this vital effort for the credit union industry at large,” Ito said.

(Nov. 5, 2021) Credit unions are encouraged to participate in the free program that helps members address their federal income taxes; credit unions have until Nov. 15 to contact the IRS about their interest in participating, NCUA said this week.

In its letter to credit unions (LTCU) 21-CU-12, the agency said the IRS Volunteer Income Tax Assistance (VITA) program provides education for consumers on refundable credits, including the Earned Income Tax Credit (EITC) and the Child Tax Credit (CTC). The agency noted that the refundable federal tax credits can provide thousands of dollars to working individuals and families with low to moderate incomes.

The letter outlines the benefits of participating in the VITA program (which NCUA described as potential for attracting new members, asset- and wealth-building opportunities for members and greater financial education and financial stability for members, among other things), and lists the ways credit unions may participate, and methods for doing so.

NASCUS has posted a summary of the letter (available to members only).

LINK:

NCUA Letter to CUs 21-CU-12: Internal Revenue Service’s Volunteer Income Tax Assistance Program Collaboration Opportunities

NASCUS Summary, NCUA LTCU 21-CU-12 (members only)

(Nov. 5, 2021) A consumer reporting agency that uses “name-only” matching procedures is not using reasonable procedures mandated under federal consumer protection laws, the CFPB said this week.

In an “advisory opinion,” the bureau said that matching information to a particular consumer who is the subject of a consumer report based solely on whether the consumer’s first and last names are identical or similar to the names associated with the information falls outside of the Fair Credit Reporting Act (FCRA). The agency termed the practice as “inadequate matching procedures to match information to consumers.”

CFPB said it issued the advisory opinion to remind consumer reporting agencies that their matching practices must comply with their FCRA obligation to “follow reasonable procedures to assure maximum possible accuracy.”

The advisory opinion notes that consumer complaints CFPB has received – particularly about “incorrect information on your report” – reflect “significant consumer concern” about inaccuracies in consumer reports. Last year, the bureau said, companies provided responses to more than 191,000 such complaints, which represents approximately 68% of credit or consumer reporting complaints responded to by companies that year.

“Name-only matching,” the bureau asserted, is particularly likely to lead to inaccuracies in consumer reports. “Name-only matching occurs when a consumer reporting agency uses only first and last name to determine whether a particular item of information relates to a particular consumer, without using other personally identifying information such as address, date of birth, or Social Security number,” CFPB said.

The opinion asserts that matching information to a consumer who is the subject of a consumer report by name alone creates “significant accuracy concerns” because most names are shared with other consumers and, in some cases, with thousands of other consumers. “In preparing consumer reports, it is not a reasonable procedure to assure maximum possible accuracy to use insufficient identifiers to match information to the consumer who is the subject of the report,” the agency opined.

LINK:

Fair Credit Reporting; Name-Only Matching Procedures

(Nov. 5, 2021) Payment stablecoins and their arrangements should be subject to a federal regulatory framework on a consistent and comprehensive basis through an act of Congress – including by requiring that stablecoins may only be issued by federally insured credit unions and banks, according to a report issued this week by a presidential working group focusing on the digital currencies.

Issued by the Treasury Department’s “President’s Working Group on Financial Markets,” along with the FDIC and the OCC, the report also said that such federal legislation would complement existing authorities held by federal regulators meant to ensure market integrity, investor protection and prevention of illicit finance.

“Stablecoins that are well-designed and subject to appropriate oversight have the potential to support beneficial payments options,” said Treasury Secretary Janet L. Yellen in a statement. “But the absence of appropriate oversight presents risks to users and the broader system.”

The report’s conclusions are being interpreted by some to mean that stablecoin issuers would have to secure either a bank or credit union charter before participating with the payment method. In any event, a key recommendation is that legislation be enacted that only allows stablecoins to be issued by federally insured financial institutions.

Key concerns that should be addressed in legislation, according to the report, include:

  • Risks to stablecoin users and protection against stablecoin runs, which legislation should address by requiring stablecoin issuers to be insured depository institutions, “which are subject to appropriate supervision and regulation, at the depository institution and the holding company level.”
  • Payment system risk, which legislation should address by requiring custodial wallet providers to be subject to appropriate federal oversight. “Congress should also provide the federal supervisor of a stablecoin issuer with the authority to require any entity that performs activities that are critical to the functioning of the stablecoin arrangement to meet appropriate risk-management standards,” the report stated.
  • Systemic risk and concentration of economic power, which should be addressed by legislation that requires stablecoin issuers to comply with activities restrictions that limit affiliation with commercial entities. “Supervisors should have authority to implement standards to promote interoperability among stablecoins,” the report asserts. “In addition, Congress may wish to consider other standards for custodial wallet providers, such as limits on affiliation with commercial entities or on use of users’ transaction data.”

In the meantime, the report states, the FDIC and OCC are committed to taking action to address risks falling within their jurisdictions, “including efforts to ensure that stablecoins and related activities comply with existing legal obligations, as well as to continued coordination and collaboration on issues of common interest.”

The report states that while Congressional action is “urgently needed” to address the risks inherent in payment stablecoins, “in the absence of such action, the agencies recommend that the Financial Stability Oversight Council (FSOC) consider steps available to it to address the risks outlined in this report.”

The report also notes that work on digital assets and other payment innovations related to cryptographic and distributed ledger technology is ongoing throughout the Biden Administration. “The administration and the financial regulatory agencies will continue to collaborate closely on ways to foster responsible financial innovation, promote consistent regulatory approaches, and identify and address potential risks that arise from such innovation,” the report stated.

LINK:

President’s Working Group on Financial Markets Releases Report and Recommendations on Stablecoins

(Nov. 5, 2021) Climate change poses “significant challenges” to the safety and soundness of financial institutions and the stability of the financial sector more broadly, the Federal Reserve said in a statement this week. The assertion was issued in the wake of a declaration issued earlier in the week by the Network of Central Banks and Supervisors for Greening the Financial System (NGFS), as part of the international conference (the “Conference of Parties 26” or COP26) held in Glasgow, Scotland, about climate change. “A sustained global response by national authorities, the international community, and the private sector can address the financial and economic implications of climate change,” the Fed statement said … A new Office of Minority and Community Development Banking to support the FDIC’s work with minority depository institutions (MDIs), community development financial institutions (CDFIs), and other “mission-driven” banks was announced this week by the agency. The FDIC said the new office “will further promote private sector investments in low- and moderate-income (LMI) communities.”

LINKS:

Federal Reserve Board issues statement in support of the Glasgow Declaration by the Network of Central Banks and Supervisors for Greening the Financial System (NGFS)

FDIC Creates New Office of Minority and Community Development Banking to Support Mission-Driven Banks