SEC Issues Interpretive Guidance on Cybersecurity Disclosures

By Mary Crotty, freelance writer for banks and third-party service providers

Despite our best efforts, cyber attacks continue to plague U.S. businesses, including those in the financial services industry. Even large and globally sophisticated entities fall prey, as witnessed by the Equifax breach last summer. Just as advances in science often call for new ethical standards, new developments in cybercrime, and high-profile incidents, often prompt new or updated regulatory guidance.

Although the Interpretive Guidance on cybersecurity posted in the Federal Register yesterday by the Securities and Exchange Commission (SEC) does not mention the Equifax breach, its focus on disclosure requirements and director/officer/insider ethics suggests that last summer’s extensive and embarrassing incident at one of the three major credit reporting agencies may have influenced the content and timing of this guidance.

Setting the Stage

In explaining its reason for issuing the February 26, 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC notes that, “In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission.”

It goes on to note that, “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” While this reliance on data and technology spurs growth and opportunity, it also exposes organizations to the risk that either will be damaged or stolen. The preventive and mitigation efforts used to fight cybercrime exact a heavy cost.

Therefore, “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber attack.”

Expansion of 2011 Guidance

This latest guidance expands upon the SEC’s original guidance on cybersecurity disclosures, issued in October 2011. The new guidance, published and effective as of February 26, 2018, discusses two topics not specifically covered in 2011:

  1. Disclosure Policies and Procedures: “This release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities law.”
  2. Director/Officer/Insider Ethics: “We also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”

More from the SEC Cybersecurity Disclosure Guidance

In addition, the guidance indicates the following:

  • The SEC acknowledges that not all information may be available initially and that an investigation may still be in progress. “However, an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
  • Companies bound by this guidance are required to correct previous disclosures as needed when additional or different information comes to light.
  • There is a list of factors that can help a company evaluate its cybersecurity risk for disclosure purposes, including, but not limited to, the severity and frequency of past cyber incidents, the probability and potential magnitude of future occurrences, and the adequacy of preventative measures.
  • The financial impact of cybersecurity incidents and defense measures must be “incorporated into financial statements on a timely basis.”

Cybersecurity Should Be a Priority for All Businesses

Public companies regulated by the SEC are not the only ones at material risk from cybercrime. In today’s world, all companies are at risk, including community banks, credit unions, regional banks, and national and multi-national financial institutions. The cost of defending against cybercrime may be high, but the cost of not doing so is potentially much higher.


2018 BSA/AML Fines Already Equal $1.246 Billion

By Mary Crotty, freelance writer for banks and third-party service providers

It has been a busy year so far for federal regulators scrutinizing compliance with the Bank Secrecy Act (BSA) and other anti-money laundering (AML) regulations. They have already meted out a combined $1.246 billion in both civil money penalties (CMPs) and criminal fines related to BSA/AML deficiencies at various financial institutions.

BSA/AML Civil Money Penalties So Far in 2018

From the Office of the Comptroller of the Currency (OCC)

The OCC has levied a total of $195 million in CMPs since the start of the year, including $125 million in fines just in the last week. All three of these enforcement actions relate to prior Cease and Desist or Consent Orders regarding the offending institutions’ BSA/AML compliance programs.

  • $75 Million CMP Against U.S. Bank N.A.: On February 15, the OCC issued an enforcement action, which noted that the bank “failed to adopt and implement a compliance program that adequately covered the required BSA/AML program elements due to an inadequate system of internal controls, ineffective independent testing, and inadequate training, and the Bank failed to file all necessary Suspicious Activity Reports (SARs) related to suspicious customer activity.”
  • $50 Million CMP Against Rabobank, N.A.: On February 7, the OCC issued an enforcement action for deficiencies in this institution’s BSA/AML program.
  • $70 Million CMP Against Citibank: On January 4, the OCC issued an enforcement action for Citibank’s failure to comply with a 2012 Consent Order related to BSA/AML deficiencies.

From the Financial Crimes Enforcement Network (FinCEN)

While FinCEN has only issued one BSA/AML-related fine so far this year, at $185 million it almost equaled the total amount of the OCC’s three such fines.

  • $185 Million CMP Against U.S. Bank N.A.: On the same day that the OCC fined this bank, FinCEN did too, noting that it “willfully violated the BSA’s program and reporting requirements from 2011 to 2015.”

From the Federal Reserve (Fed)

The Fed has issued two enforcement actions since the start of the year for a total of $44 million in CMPs.

  • $15 Million CMP Against U.S. Bancorp: While the OCC and FinCEN penalized the subsidiary bank, on February 14 the Fed issued this action against the parent corporation and ordered it “to improve risk management and oversight of its banking subsidiaries’ compliance with U.S. economic sanctions, and Bank Secrecy Act and anti-money laundering requirements.”
  • $29 Million CMP against U.S. Operations of Mega International Commercial Bank: On January 17, the Fed issued an enforcement action for anti-money laundering violations and “required the firm to improve its anti-money laundering oversight and controls.”

BSA/AML Criminal Actions So Far in 2018

In conjunction with the above-mentioned civil action by the Fed against U.S. Bancorp, the U.S. Attorney for the Southern District of New York announced criminal charges against the institution for two felony violations of the Bank Secrecy Act by its subsidiary. The criminal resolution imposed a $453 million forfeiture, which, combined with the $75 million CMP from the OCC, brings the total penalty to $528 million.

Rabobank also faced criminal charges from the Department of Justice (DOJ) in addition to the CMP imposed on it by the OCC. The bank “pleaded guilty to a felony conspiracy charge for concealing deficiencies in its AML program and obstructing the OCC’s examination of it.” The DOJ imposed a $368,701,259 forfeiture on the bank.

Expect Intense Regulatory Scrutiny of BSA/AML Compliance Throughout 2018

These civil and criminal actions suggest that federal regulators are increasing their focus on BSA/AML compliance, especially at institutions that have previously been cited for deficiencies in their programs. In addition to preparing for FinCEN’s Customer Due Diligence Rule, which goes into effect on May 11, financial institutions would be wise to review their overall BSA/AML compliance programs to ensure they are effective enough to stand up to such heightened examiner scrutiny.



Final Countdown to FinCEN’s CDD Rule

By Mary Crotty, freelance writer for banks and third-party service providers

Banks have just under 90 days to finalize their plans to comply with the Financial Crimes Enforcement Network’s (FinCEN) Customer Due Diligence Rule (CDD). At this stage of the project plan, communication is critical, because on May 11, 2018, the rule becomes fully applicable to all covered financial institutions.

First, bank employees will need to be trained on the written procedures your institution has developed for complying with the CDD Final Rule. That training must cover the technical details of the rule, but employees will also need guidance on dealing with customers who are not used to providing such information to open an account. That leads to the second piece of communication, the external portion: consider an advance messaging campaign that explains the CDD rule to business customers, to help avoid customer backlash after May 11.

A Brief Tutorial on FinCEN’s CDD Final Rule

Key Dates

Purpose of the CDD Final Rule

According to FinCEN’s FAQ regarding the CDD Final Rule, it is amending “existing BSA regulations in order to clarify and strengthen customer due diligence requirements for certain financial institutions.”

First Major Element of the CDD Final Rule

The rule incorporates a “fifth pillar” into BSA/AML compliance programs by explicitly requiring banks “to implement and maintain appropriate risk-based procedures for conducting ongoing customer due diligence.” This includes three key responsibilities:

  1. Understanding the nature and purpose of the customer relationship
  2. Ongoing monitoring to identify and report suspicious activity
  3. Maintaining up-to-date information on customers

Second Major Element of the CDD Final Rule

In addition, the rule “requires covered financial institutions to establish and maintain written procedures that are reasonably designed to identify and verify the beneficial owners of legal entity customers.” Legal entity customers are corporations, limited liability companies, and other types of business entities created by registering with a Secretary of State or a comparable agency.

The rule defines beneficial ownership through two prongs.

  1. Ownership Prong: As of May 11, 2018, banks must collect and verify the name, date of birth, address, and Social Security number (or, for non-U.S. persons, a comparable government identification number) of each individual who owns 25 percent or more of a legal entity that is opening a new account.
  2. Control Prong: As of May 11, 2018, banks must collect and verify the same information for one individual with significant responsibility to control, manage, or direct the legal entity that is opening a new account.

Warning: Although banks do not have to go back and collect beneficial ownership information on accounts that already exist as of May 11, 2018, the ongoing monitoring described in the first major element above does require banks to maintain and update customer information on a regular basis.

For a Smoother Transition

If you need help crafting the messaging that explains this rule to your employees who will be responsible for complying with it or to your business customers who will be impacted and likely surprised by it, let bank risk and compliance writer Mary Crotty partner with your compliance office for a smoother transition.