The Rippleshot Data Breach Blog

Financial Institution Regulation: What's Happening in Washington?

Written by Anna Kragie | Mar 16, 2018 7:57:20 PM

It’s been a busy week in the world of financial institution regulation as headlines about Dodd-Frank, the Equifax breach, credit freezes and data security stole the spotlight. While these four topics have been at the forefront of the news cycle for many months, each of them found its way into the top news items.

Here’s a breakdown of what’s been happening in Washington, and how it may impact the world of financial services.

Dodd-Frank: Senate Votes to Scale Regulations Back

The Senate voted on March 14 to move forward on a bill that would loosen many of the financial regulations set following the economic crisis of 2008. This bill received bipartisan support, 67-31, with Republicans leading the support for the bill. Democrats have been split on this issue. This bill needs approval from the House to move forward.

The bill would loosen the regulations that were placed on more than two dozen banks following the global financial crisis, specifically smaller regional and community banks. One core component of the Dodd-Frank requirement rollback pertains to the revenue threshold for being considered a larger bank that needs additional regulatory scrutiny.

The new threshold would lift that requirement from $50 billion to $250 billion, lessening restrictions and compliance costs on smaller institutions. It would nix regulatory requirements such as annual stress testing on the smaller financial institutions. The bill has other restrictions it would loosen for small community banks and credit unions, based on their level of assets, including whom they lend to and how they manage their money.

Under the current requirements, banks with more than $50 billion in assets fall under the “too big to fail” category and are held to the strictest regulations, which include the annual stress test to determine if they are able to survive another economic recession. Raising the threshold would mean many fewer organizations face this additional regulatory scrutiny.

The debate on this particular issue in the Dodd-Frank Act comes down to a number of points, including the reduction of compliance costs this bill would create. Supporters of the bill suggest that smaller financial institutions have been held to unfair standards since they are in the same camp as mega banks like JPMorgan Chase, instead of just regional or mid-sized firms. Critics of the bill warn that loosening the regulations fails to acknowledge the number of mid-sized institutions that would be helped by the Senate’s legislation following the economic crisis, and those that may need the additional oversight.

Free Credit Freezes May be on the Way

The fallout from the Equifax breach has spurred many discussions about how to better protect consumers from the potential impact of the incident. It’s been six months since the breach was discovered and the Senate is one step closer to delivering one possible solution: free credit freezes. The Equifax breach is estimated to impact more than 148 million U.S. consumers.

The option to block access to your credit report was part of the larger bill, including the loosening of Dodd-Frank regulations. For consumers, this bill would be a benefit. Concern over the bill, however, is about state versus federal regulation over consumer protection. Critics of the bill suggest it would override state regulations that are stronger in some cases, and would step on the toes of other states that may want to strengthen their credit protection provisions on their own.

Since this law would only refer to credit checks, there is some concern that in states with stronger regulations (applying the rule to lenders, along with insurers and employers accessing credit files) it could override those regulations and potentially weaken the states' ability to enforce their own rules.

Some consumer advocates have suggested the bill is a good step, but does not go far enough to protect the American public. Proponents of the bill, however, say federal regulation over this key issue is needed to fully protect consumers on a national level.

“Consumers in every state will be protected by a strong federal law under this bill,” Francis Creighton, president and CEO of the association, said in a statement.

Did Equifax Fail To Inform Its Internal Teams of the Breach?

Speaking of Equifax, another negative report showed up in the news this week about the credit reporting agency. The SEC has filed a complaint against a former executive, international chief information officer Jun Ying, who has been accused of insider trading. He sold his stock in the company just before the breach was publicly disclosed.

According to the SEC complaint, Equifax had two approaches to deal with the breach: one that dealt with the response to the breach, and one to determine how to deal with the public following the release of the news about the hack. These operations, Project Sierra and Project Sparta, were conducted independently and were reportedly kept from its own staff, even after the breaches were internally discovered.

Equifax reportedly has a “crisis action team” that was kept secret from the rest of the company, according to the SEC complaint. That group was allegedly involved in changing passwords and taking remediation efforts to recover from the breach. This came at the same time Ying is being accused of offloading his company stock shares that were worth more than $950,000, according to the SEC.

Congress Eyes Standardizing Data Security And Breach Notification Bills

This news hit the wires last week, but is heavily related to the news that broke this week. The House Financial Services Committee (HFSC) is considering two legislative proposals that would streamline the notification process of data breaches. This bill would establish a national security standard and breach notification system overseen by the Federal Trade Commission, and includes a protocol for notifying law enforcement of data breaches.

The HFSC is examining two bills — the Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017 and the Data Acquisition and Technology Accountability and Security Act. The first bill would be an overhaul to an old bill that mandates the oversight of large consumer reporting agencies’ cybersecurity measures and policies. This bill also looks to overhaul the Fair Credit Reporting Act, which allows for provisions to request a security freeze on credit reports (see above).

This bill is similar to another bill being discussed on the Hill, the Data Security and Breach Notification Act, which proposes harsher sentences for company executives who fail to notify consumers of a breach. The initial terms of the bill call for jail time for those who are aware of breaches, yet fail to alert consumers in a timely fashion.

The legislation also cracks down on company employees who attempt to cover up data breaches, and calls on the FTC to create stricter security standards to better protect consumers’ personal and financial data. Beyond implementing regulation and punishments for those who don’t abide, the legislation also introduces incentives for businesses that integrate new technologies to protect consumer data by making it unusable/unreadable if it was ever stolen in a data breach.

Under the proposed legislation, knowingly hiding a data breach could be a crime punishable by up to five years in prison. The bill requires businesses to provide notification to impacted customers or users within 30 days of learning of the breach. There is, however, some leeway in the bill for companies to extend that deadline in order to “accurately identify affected consumers; to prevent further breach or unauthorized disclosures; or to reasonably restore the integrity of the data system,” according to the bill.