Our Take: financial services regulatory update – November 3, 2023

Change remains a constant in financial services regulation. Read "our take" on the latest developments and what they mean.

Current topics – November 3, 2023

1. Biden Administration issues Executive Order on Artificial Intelligence

On October 30th, the Biden administration issued its long-awaited executive order (EO) on artificial intelligence (AI). The EO calls for new standards, funding, training and enforcement to mitigate AI risks, while also paving the way for the technology's widespread adoption. It directs various federal agencies to take action, including the following with respect to financial services (FS):

  • The Treasury Department is directed to issue a report within 150 days on best practices for financial institutions to manage cybersecurity risks posed by AI.
  • The CFPB and Federal Housing Finance Agency (FHFA) are encouraged to develop requirements for supervised institutions to evaluate AI-based models for underwriting, automated collateral valuation and appraisal for bias.
  • The CFPB and Department of Housing and Urban Development (HUD) are encouraged to issue guidance within 180 days “to combat unlawful discrimination” resulting from AI used in decisions about housing access and other real estate-related transactions.
  • In general, all independent regulatory agencies are encouraged to develop or clarify existing rulemaking to address risks stemming from AI, such as fraud, discrimination, privacy and financial stability. The EO also requests clarification of supervised entities’ responsibility to conduct due diligence on and monitor any third-party AI services they use as well as expectations related to the transparency and explainability of AI models.

The EO follows several actions that financial services agencies have already taken on AI, including:

  • On September 19th, the CFPB issued guidance on credit denials when financial institutions use AI in their decisioning, calling on lenders to adhere to certain legal requirements including providing accurate and specific reasons for denial when using AI and other complex models.
  • On June 1st, the Fed, OCC, FDIC, CFPB, NCUA and FHFA released a joint proposal that would require that mortgage originators and secondary market issuers adopt quality control standards for the use of automated valuation models (AVMs).
  • On April 25th, the CFPB, Department of Justice, Federal Trade Commission and Equal Employment Opportunity Commission issued a statement on Enforcement Efforts Against Discrimination and Bias In Automated Systems.

Our Take

The EO is the government’s most significant step yet toward regulating AI in all of its manifestations. Although it does not itself create any new restrictions or requirements, it amplifies the pressure on the regulatory agencies to ramp up requirements regarding bias, fraud, data security, fair lending and housing, and cybersecurity risks. As demonstrated by previous actions, the FS regulators have already affirmed their authority to enforce existing laws against violations that stem from the use of AI. In both the EO and past actions, the CFPB is taking charge when it comes to AI-driven consumer harm, with the unambiguous position that discrimination and other abusive practices do not need to be intentional to violate existing laws. While they await further regulations and guidance, all financial institutions using AI or other automated systems should prioritize efforts to analyze the outcomes of those technologies for potential bias across consumer demographics and classes. As the directive to all independent regulatory agencies indicates, this should include review of AI provided or used by third parties in accordance with the interagency third-party risk management guidance. Another clear theme of the EO concerns the transparency, explainability and security of AI-driven decisions. Financial institutions should prepare for future scrutiny by ensuring that they have detailed explanations of the data and logic underlying AI systems, as well as controls in place to prevent consumer harm and unauthorized use of or access to data. To start organizing a broader risk management strategy around the use of AI technologies, firms should create an AI risk taxonomy that enables risks to be measured, managed and, if necessary, transparently reported over time.

With the EO acknowledging the numerous benefits of innovation and automation, the message is not for regulators to clamp down on the use of AI but to ensure that it is being used in a fair, transparent, explainable and secure manner.

For more, see our Next Move Special Edition: White House mobilizes bold push for responsible adoption of AI.

2. NYDFS adopts Part 500 amendments

On November 1st, the New York Department of Financial Services (NYDFS) adopted amendments to its Part 500 cybersecurity requirements, marking the first changes to the requirements since 2017. The final amendments follow revisions in June 2023 and November 2022 after the initial proposal in July 2022. They are largely consistent with the revised June proposal, retaining focus on governance and compliance in addition to core cyber defense capabilities:

  • Strict requirements for larger companies, including affiliates. The final amendments cement stricter requirements for a new category of “Class A companies,” defined as firms with 2,000 employees or an average of $1b in gross annual revenues over the past three years. Both definitions include “affiliates,” or firms with common ownership that share information systems, cyber resources or any part of a cybersecurity program with the NYDFS-supervised institutions. Class A companies will be required to (1) undergo an independent audit based on risk assessments of their cybersecurity programs; (2) implement an access management password solution and controls to prevent the usage of common passwords for privileged accounts; and (3) implement an endpoint detection and response system to monitor for anomalous activity and generate alerts.
  • Executive certification and reporting effective for 2023. The final amendments retain the requirement for the CISO and highest-ranking executive (usually the CEO) to certify “material compliance.” According to the final implementation timeline, certification will be due by April 15, 2024 for calendar year 2023. CISOs will also need to start reporting to the Board at least annually on material cybersecurity issues and plans for remediating inadequacies in the cyber program. However, there is still no definition of “material,” and therefore firms must establish their own criteria for materiality. If firms cannot comply, they must file a written statement of explanation with supporting documentation.
  • Audits linked to risk assessments starting April 2024. The final rule requires Class A companies to execute independent audits based on the risk assessment, rather than on an annual basis. These can be conducted by internal or external parties, as long as they are conducted by “auditors free to make decisions not influenced by the covered entity being audited or by its owners, managers or employees.” The independent audit requirement becomes effective April 29, 2024.
  • New notification requirements starting in 30 days. Under the original draft, firms would have been required to notify NYDFS within 72 hours of any cybersecurity event in which an unauthorized user gained access to a privileged account or in which ransomware was deployed within a material part of the firm’s systems. The final amendments only require reporting of cyber incidents that have a material likelihood of harming the firm’s normal operations, or where the deployment of ransomware is involved. Firms must notify even if the incident occurs at an affiliate or third party, provided the firm itself is impacted. In addition, the final amendments require notification of any ransomware payment within 24 hours and create a continuing obligation to provide updates to the regulator as they become available.
  • Net new technology and resiliency requirements. The original amendments would expand current expectations around incident response plans to require that they incorporate the possibility of ransomware incidents. Firms would also be required to implement business continuity and disaster recovery (BCDR) plans that are reasonably designed to ensure the availability and functionality of the covered entity’s services. The final amendments specify that NYDFS would expect firms to test plans at least annually with all applicable staff, including senior management, and conduct routine training of key stakeholders.
  • Final transition periods between six months and two years. The most challenging technical requirements take effect after the following transition periods: 180 days for most policy-level changes, with (1) one year for data encryption and incident response plan requirements, as well as CISO and senior governing body requirements, (2) 18 months for access management and malicious code requirements; and (3) two years for multi-factor authentication and asset inventory requirements.

Our Take

After a long period of consideration and revision, the countdown is on for concrete requirements such as CEO and CISO certification of material compliance by April 15th, 2024. Firms may have already been preparing for compliance based on the proposed amendments but should now ramp up their efforts, including budgeting for the changes that will have a heavier operational and technological lift. For example, meeting the asset inventory requirement will be a significant undertaking for many firms even though they have until late 2025 to complete it. In addition, the requirement to include end-of-life management and service support expiration in policy will force conversations around technology upgrades, which will require budget. Enhancing and testing incident response and BCDR plans with all applicable staff will also take careful thought, time and training. Although NYDFS is now forcing the hand of its supervised institutions, many of the final requirements represent industry-leading practices, such as the thorough maintenance of asset inventories, MFA, encryption and BCDR testing including backups, which help to protect both financial institutions and their customers.

While the independent audit requirement has seen significant revision, it remains a powerful check on the cybersecurity program as a whole. NYDFS explained the revision to a more flexible, risk-based approach in light of its understanding that Class A companies typically conduct multiple cybersecurity audits each year. Accordingly, even though it is not stated as an annual requirement, it will effectively remain one because the risk assessment is itself annual. And because the independent audit is a regulatory requirement, it will be a necessary artifact to demonstrate compliance. With certification now including domains outside the typical CISO responsibility, such as asset inventories and continuity testing, an independent audit that includes them will be important in supporting both CISO and CEO certification. It will be necessary to align the CISO, technology and resiliency organizations with independent audit around capability requirements, control design and execution expectations, and what constitutes evidence sufficient to support certification.

For publicly listed financial services firms subject to the SEC’s recent cybersecurity disclosure rule, published in July and effective as of September, the NYDFS requirements will pose coordination challenges. Both require incident reporting, but the scope and materiality definitions may differ. For example, the DFS rule applies to the covered entity, which may be one of several subsidiaries of a parent company subject to the SEC rule. However, there are also synergies, such as the mutual emphasis on Board oversight, raising the stakes for Board members to increase their education around the cybersecurity threat environment in order to effectively challenge management.

For more information, see New York pushes stricter cyber requirements: 6 things you need to know now.

3. On our radar

These notable developments hit our radar this week:

  • FSOC adopts stability risk framework and designation guidance. On November 3rd, the Financial Stability Oversight Council (FSOC) approved final versions of a new analytic framework for financial stability risks and updated guidance on the nonbank financial company (NBFI) determinations process. The analytic framework describes the FSOC’s approach for identifying, assessing and addressing potential risks to financial stability. It also describes the range of responses the FSOC may take depending on the nature of the identified risk: coordinating with regulatory agencies, providing recommendations to regulators or Congress, designating payment, clearing and settlement activities that are, or are likely to become, systemically important, and designating NBFIs for Fed supervision and regulation. The NBFI guidance describes a two-stage process for reviewing an NBFI for designation that includes formal notification, requests for information, and the opportunity for the NBFI to request a hearing if designation is proposed. The guidance further describes annual reevaluations of designations and the process for rescinding a designation if the company mitigates the identified risks. Both are effective 60 days after publication in the Federal Register.
  • DOL revives fiduciary rule. On October 31st, the Department of Labor (DOL) proposed a new rule to update the definition of an “investment advice fiduciary” under the Employee Retirement Income Security Act (ERISA). The DOL had previously enacted a fiduciary rule in 2016 that was vacated in 2018. The new proposal seeks to fill gaps in the SEC’s Regulation Best Interest, which sets conduct standards for advice concerning securities and funds, by extending fiduciary requirements to commodities, fixed index annuities and 401(k) rollovers.
  • SEC finalizes new swap execution facility rules. On November 2nd, the SEC finalized new rules which set up a registration and regulation process for trading platforms and provide clarity on how they should execute trades. The rules also address conflicts of interest of security-based swap execution facilities (SBSEFs) and national securities exchanges that trade security-based swaps (SBS). The rules will go into effect 60 days after being published in the Federal Register.
  • GAO makes a decision on SEC crypto guidance. On October 31st, the Government Accountability Office (GAO) determined that guidance the SEC issued in March 2022 on how covered entities should account for and disclose their custodial obligations to safeguard cryptoassets held for their platform users is a “rule” and therefore must be submitted to Congress for review. Under the Congressional Review Act (CRA), before a rule can take effect an agency must submit a report on the rule to both Congress and the Comptroller General for review. The SEC did not do so, as the guidance was released as a “Staff Accounting Bulletin” (SAB), which is interpretive guidance rather than a rule. However, many, including SEC Commissioner Hester Peirce, questioned the manner in which the change was made, which resulted in this GAO investigation.
  • Treasury’s FIO starts data collection to assess climate-related financial risks to consumers. On November 1st, the Treasury’s Federal Insurance Office (FIO) took its first critical step to proceed with data collection from insurers to assess climate-related financial risk to consumers. This data is particularly important given recent insurer pullbacks and significant premium increases in several states. FIO’s data collection will obtain previously unavailable insurance data at a ZIP code level from the largest homeowners insurance providers, which collectively underwrite around 70% of homeowners insurance premiums nationwide.
  • CFPB issues report on state CRA laws. On November 2nd, the CFPB published a new analysis on state Community Reinvestment Act (CRA) laws. The report examined the laws of seven states (Connecticut, Illinois, Massachusetts, New York, Rhode Island, Washington, West Virginia) and the District of Columbia, and found that many of those states adopted laws similar to the federal CRA law. While the federal CRA law applies strictly to banks, state reinvestment laws can apply to a wide range of financial institutions, including nonbank mortgage companies.