Rippleshot Blog

It’s been a busy week in the world of financial institution regulation as headlines about Dodd-Frank, the Equifax breach, credit freezes and data security stole the spotlight. While these four topics have been at the forefront of the news cycle for many months, each of them found their way into the top news items.

Here’s a breakdown of what’s been happening in Washington, and how it may impact the world of financial services.

The future of the Consumer Financial Protection Bureau (CFPB) has been under the spotlight lately as Congress and lawmakers put plans in place to potentially close the consumer watchdog agency.

Let’s back up... while we're sure most banks and credit unions are familiar with the Consumer Financial Protection Bureau (CFPB), many others aren't - and they're not alone. In a survey by CreditCards.com, 81% of consumers polled did not know what it is,  which is a problem considering that the CFPB’s sole purpose is to protect consumers.

A hidden gem, the Monthly Complaint Report by the Consumer Financial Protection Bureau (CFPB) helps uncover problem areas impacting the financial products and services industry in the eyes of the consumer. Whether it be consumer loans, bank accounts/ services, payment cards, debt collection, payday loans, or fraud, the CFPB has handled over 930,700 consumer complaints as of July 2016, including 24,500 in June itself. Through a careful compilation and analysis of such consumer complaints, the CFPB has been able to discern a “high-level snapshot of trends in consumer complaints”. Follow the Rippleshot Team as we review highlights from the report and discuss customer sentiments surrounding financial products and services.

We knew this was coming when the Federal Reserve issued guidance applying the Customer Identification Program (CIP) to prepaid cards in March of this year. Customers are able to reload prepaid cards, use direct deposit and in some cases, receive overdraft protection, which the federal agency determined enough for it to be considered an account relationship. And now that reloadable prepaid cards are considered an account relationship, it’s not surprising that the Consumer Financial Protection Bureau recently issued new rules requiring fraud protection support for those using them.

In early September, New York Governor Andrew Cuomo introduced new regulation that would make the state the first in the nation to enforce a cybersecurity program for financial institutions. While some have compared the regulation to the FFIEC (Federal Financial Institutions Examination Council)’s Cybersecurity Assessment Tool and guidelines, the proposed regulation would actually go much farther in its quest to ensure all financial institutions in NY are prepared for and are doing their best to prevent cyber attacks.

Bad news. Ransomware is back with a newfound vengeance. Many of us know ransomware to be a notorious form of malware that prevents users from accessing their own systems, either by locking a user from a system entirely (locker ransomware), or encrypting user files on an affected system (crypto-ransomware). In either case, users are forced to pay a ransom in order to restore functionality and access, many times to the tune of thousands of dollars. Although ransomware dates back to 1989, its practice has ebbed and flowed in its prevalence over the years. However, it is clear that 2016 has seen a marked increase in the frequency, cost, and effectiveness of ransomware incidents. Follow the Rippleshot Team as we document the return of ransomware and its impact on the cybersecurity landscape of 2016.

The CFPB’s wide-ranging jurisdiction over the consumer financial industry has had banks and credit unions worried about potential punishment and fines for years. Up until this point, the vast majority of their enforcements have focused around credit card policies, lending and debt collection. But this summer’s enforcement against payment processor Intercept Corp. is the agency’s second big lawsuit against an entity for ignoring “clear signs of brazen fraud,” sending a clear signal that turning a blind eye to these practices is unacceptable.

The landscape of fraud between 2015 to 2016 is best characterized as uncertain and dynamic. As government institutions such as the CFPB and FFIEC begin to play a bigger role in cybersecurity regulation, it has yet to be seen what data security protocols will be required of financial institutions. Also, pending legislation in Congress surrounding data security has the potential to determine federal standards of information security for merchants. Finally, with back-and-forth lawsuits between retailers, payment card networks, and issuers over disputes regarding EMV compliance and liability shift, nobody is exactly sure who will come out on top.

At Rippleshot, we understand how difficult it can be to juggle so many moving parts and develop actionable insights from them. That’s why we created a timeline for you to get up to speed on recent developments in card fraud and payments security.

Last Thursday, the Consumer Financial Protection Bureau issued a set of proposed rules that would put an end to the mandatory arbitration clauses that you see in many bank and credit card contracts today. This announcement has already seen a wealth of commentary from industry associations to legal experts and consumer advocates, but how did we get to this point? What data on arbitrations was used to make this decision? And how will this inevitable regulation affect banks moving forward? We’ll cover it all below.

It’s been nearly a year since the Federal Financial Institutions Examinations Council (FFIEC) debuted the Cybersecurity Assessment Tool, commonly known in the industry as the CAT. At last week’s ABA Risk Management Conference, we learned a ton about the tool’s voluntary nature, how it compares to existing cybersecurity assessments, and how banks are passing the regulatory scrutiny onto their own vendors and third-party providers.

It’s been a hot couple of months for regulators and cybersecurity. Back in June, the FFIEC (Federal Financial Institutions Examination Council) introduced a new cybersecurity assessment and recommended guidelines for banks and credit unions. In August, a U.S. appeals court ruled that the FTC (Federal Trade Commission) has the authority to regulate corporate cybersecurity. And just a few weeks ago, Dwolla, a payment platform company, found itself the first ever data security target of the CFPB (Consumer Financial Protection Bureau), and was hit with $100,000 in fines. We review the details of each, and what this means for the future.

As we’ve noted in previous posts, the heat is on in figuring out how to best stem fraud from gift and prepaid cards. Prepaid cards have long been a favorite of fraudsters looking for ways to move money anonymously, and the increased prevalence of reloadable prepaid cards (like those issued by Green Dot or Vanilla), where balances can be re-upped, are particularly susceptible to money laundering practices. The problem has been well-documented, with The Boston Globe reporting that in 2013, $30 million of the $20 billion loaded on Green Dot’s cards involved fraud. This week, The Federal Reserve, along with the FDIC, OCC, NCUA and the FCEN issued interagency guidance in an attempt to put an end to the problem.