Federal Financial Institutions Examination Council (FFIEC) Issues Guidance on Authentication and Access to Financial Institution Services and Systems
The FFIEC, on behalf of its members, on August 11, 2021, issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems.
- Highlights the current cybersecurity threat environment, including increased remote access by customers and users, and attacks that leverage compromised credentials; and mentions the risks arising from push payment capabilities.
- Recognizes the importance of the financial institution’s risk assessment to determine appropriate access and authentication practices to determine the wide range of users accessing financial institution systems and services.
- Supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication.
- Discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
- Includes examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management.
The new guidance replaces previous documents issued in 2005 and 2011.
Consumer Financial Protection Bureau (CFPB) Confirms Effective Date for Debt Collection Final Rules
On July 30, 2021, the CFPB announced that two final rules issued under the Fair Debt Collection Practices Act (FDCPA) will take effect as planned, on November 30, 2021. The CFPB issued a proposal in April 2021 that, if finalized, would have extended the effective dates to January 29, 2022. The CFPB has now determined that such an extension is unnecessary. Following this announcement, the CFPB will publish a formal notice in the Federal Register withdrawing the April 2021 proposal.
The CFPB proposed extending the final rules’ effective date by 60 days to allow stakeholders affected by the COVID-19 pandemic additional time to review and implement the rules. The public comments generally did not support an extension. Most industry commenters stated that they would be prepared to comply with the final rules by November 30, 2021. Although consumer advocate commenters generally supported extending the effective date, they did not focus on whether additional time is needed to implement the rules. The alternative basis for an extension that many commenters urged, a reconsideration of the rules, was beyond the scope of the notice of proposed rulemaking and could raise concerns under the Administrative Procedure Act. Nothing in this decision precludes the CFPB from reconsidering the debt collection rules at a later date.
Two final rules under the FDCPA will take effect in November. The first rule, issued in October 2020, focuses on debt collection communications and clarifies the FDCPA’s prohibitions on harassment and abuse, false or misleading representations, and unfair practices by debt collectors when collecting consumer debt. The second rule, issued in December 2020, clarifies disclosures debt collectors must provide to consumers at the beginning of collection communications. The second rule also prohibits debt collectors from suing or threatening to sue consumers on time-barred debt. Additionally, the second rule requires debt collectors to take specific steps to disclose the existence of a debt to consumers before reporting information about the debt to a consumer reporting agency.
Interagency Statement on Community Reinvestment Act (CRA) Joint Agency Action
The Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) are committed to working together to jointly strengthen and modernize regulations implementing the CRA.
The agencies have broad authority and responsibility for implementing the CRA. Joint agency action will best achieve a consistent, modernized framework across all banks to help meet the credit needs of the communities in which they do business, including low- and moderate-income neighborhoods.
The statement was released on July 20, 2021.
Mortgage Servicing COVID-19 Rule
On June 28, 2021, the CFPB issued a final rule (2021 Mortgage Servicing COVID-19 Rule or 2021 Rule) amending certain provisions in Regulation X regarding additional assistance for borrowers experiencing a COVID-19-related hardship. This compliance guide provides an overview of the 2021 Rule.
The final rule establishes temporary procedural safeguards to help ensure that borrowers have a meaningful opportunity to be reviewed for loss mitigation before the servicer can make the first notice or filing required for foreclosure on certain mortgages. In addition, the final rule would temporarily permit mortgage servicers to offer certain loan modifications made available to borrowers experiencing a COVID-19-related hardship based on the evaluation of an incomplete application. The CFPB is also finalizing certain temporary amendments to the early intervention and reasonable diligence obligations that Regulation X imposes on mortgage servicers.
The final rule is effective as of August 31, 2021.
Federal and State Regulators Release Updates to the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual
On June 21, 2021, the FFIEC released updates to four sections of the BSA/AML Examination Manual (Manual). The updates affect the following Manual sections:
- International Transportation of Currency or Monetary Instruments Reporting
- Purchase and Sale of Monetary Instruments Recordkeeping
- Reports of Foreign Financial
- Special Measures
The updates should not be interpreted as new instructions or increased focus on certain areas; instead, they offer further transparency into the examination process and support risk-focused examination work.
The Manual provides instructions to examiners for assessing the adequacy of a bank’s or credit union’s BSA/AML compliance program and its compliance with BSA regulatory requirements. The Manual itself does not establish requirements for banks; such requirements are found in statutes and regulations.
The FRB, FDIC, the National Credit Union Administration, the OCC, and the State Liaison Committee worked closely with the Department of the Treasury’s Financial Crimes Enforcement Network on the updates. These updates are identified by a 2021 date label on the FFIEC BSA/AML InfoBase. Updates to other sections of the Manual will be announced as they are completed.
If you have questions about this update, please contact Frank Antiga at firstname.lastname@example.org, Michael Caparoula at email@example.com, Shawn Kaciubij at firstname.lastname@example.org, or Tim Schofer at email@example.com or 724-934-0344.