<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">
Article

Regulatory Brief for August 2022: Data security, UDAAP & the Future of the FFIEC’s CAT tool

Risk & Compliance

Regulatory Brief for August 2022: Data security, UDAAP & the Future of the FFIEC’s CAT tool

Posted by Stephanie Lyon on Sep 8, 2022 6:00:00 AM
Stephanie Lyon
Find me on:

Ready for another month of regulatory changes, guidance, and news? This month’s Ncast Regulatory Brief podcast has got you covered.

Join Ncontracts pro team of regulatory compliance attorneys as they chat about the latest regulatory compliance news at the federal and state level.  

Want to dig in even deeper? Log onto Ncomply, Ncontracts’ secure, centralized compliance management system (CMS), for all the details, including action plans for responding to regulatory change.

Here are a few podcast highlights: 

CFPB: Data security is a UDAAP issue 

The CFPB released a consumer financial protection circular August 15 warning institutions that the CFPB and other federal regulators can go after institutions for both UDAAP and UDAP violations of the Consumer Financial Protection Act (CFPA) for insufficiently safeguarding sensitive consumer information they have collected, processed, maintained, or stored. 

The CFPB said that data breaches and exposure of sensitive information harm consumers. That harm can occur even if an event doesn’t happen, meaning lax security controls that could expose your customer data counts as a violation.  

Listen to the Ncast to learn about the precedents CFPB based this opinion on and the areas your IT department should be focusing on.  

Struggling to keep up with regulatory change?

Register for our webinar:
Are You Ready for It? How to Manage Regulatory Change

FHFA to require servicers to maintain fair lending data

The Federal Housing Finance Agency (FHFA) announced that Fannie Mae and Freddie Mac will start requiring servicers to collect borrower data including age, race, ethnicity, gender, and preferred language beginning March 1, 2023. FHFA lenders, mortgagees and applicants will also be required to have a Unique Entity Identifier (UEI) by December 31, 2022. 

Agencies address CRE loan accommodations

The OCC, FDIC and NCUA are seeking input on an updated policy statement on accommodations and workouts for commercial real estate (CRE) loans. It would align with existing guidance on working with stressed but creditworthy borrowers, including short-term loan accommodations.  

Agencies consider future of FFIEC’s CAT 

The federal banking agencies are looking at the future of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT), asking for comments to weigh in on the voluntary framework developed to help financial institutions assess their inherent risk profile and level of cybersecurity preparedness.  

There is also talk that the OCC might be considering other options, but there haven’t been any formal announcements so national banks should focus on the CAT tool.

Cybersecurity assessments for nonbanks 

The Conference of State Bank Supervisors (CSBS) released two cybersecurity examination tools used by state examiners for nonbank financial services companies to improve their cybersecurity posture:

  1. The Baseline Nonbank Cybersecurity Exam Program (for less complex nonbanks) and
  2. The Enhanced Nonbank Cybersecurity Exam Program (for larger and more complex nonbanks)

This is in addition to the CSBS’s Ransomware Self-Assessment Tool and a Cybersecurity 101 Guide.

For more inside scoop on regulatory issues, including details of enforcement actions and settlements and the first-ever EA under the California Consumer Privacy Act, the latest on access to Fed accounts and payment services, FDIC guidance on representment of NSF (Non Sufficient Funds) fees, the NCUA’s corporate system resolution program, and what the Federal Reserve has to say about cryptocurrency, listen to the podcast.

HEAR MORE

Topics: Risk & Compliance

Share This Page
Search Blog
    subscribe to nsight blog