Financial Institutions and Third-Party Service Providers: Data Security and Vendor Management

Part I: The Current Process is Broken and the Regulators Are Preparing to Strike

For service providers that collect, process, maintain or store a financial institution’s (“FI”) consumer data (“Vendors”), becoming and remaining an approved third-party service provider to such a heavily regulated entity has become more challenging as cybersecurity, privacy and infrastructure resilience requirements evolve.  Most FIs require, to some degree, that such Vendors go through some form of vetting, approval process, or program to verify the Vendor’s ability to adequately secure its infrastructure and protect consumers’ non-public personal information.  That said, not all Vendor vetting, approval processes, or programs are equal.  They vary widely in depth and breadth, including how they review the Vendor’s knowledge, infrastructure, and controls. 

In addition, active enforcement to date by one prudential regulator (the OCC, discussed below) has motivated some FIs (not all) to put comprehensive data governance and control mechanisms in place, which includes ensuring that their Vendors can meet the same data governance, control, and privacy requirements that apply to the FI.  Beyond differences in vetting, not all FIs onboard and oversee their Vendors with the same rigor.  

As a result, not surprisingly, not all Vendors are equally knowledgeable about their cybersecurity and data protection obligations as Vendors to FIs.  Some very unsophisticated Vendors are still able to access, process and control consumer data on behalf of their FI clients because, as described above, not all FIs enforce data security controls equally.  This creates significant risk for the consumer, the FI and, last but not least, the Vendor.  But that may change very soon.

I. Current State of Vendor Approval Processes and Programs

The depth and breadth of the vendor approval process or program varies drastically by FI, ranging from comprehensive to weak.

A comprehensive program may include, for example: 1) a deep and probing review of the Vendor’s information security program, requiring specific artifacts for each infrastructure control element, mapped to the actual control and the actual technology in place, for each requirement of a representative framework (e.g., NIST SP 800-53 or ISO/IEC 27001) or benchmark (e.g., CIS), with the Vendor demonstrating the control at the command line of its own infrastructure rather than merely describing it.

A weak program, by way of example, may have the following characteristics: 1) a technologically unsophisticated Vendor merely attests to a self-completed SIG Lite questionnaire that contains material misrepresentations (made in good faith or not); 2) the FI requests only an AICPA SOC 2 Type II report, which may be that of the Vendor’s IaaS provider alone, and which therefore covers the provider’s side of the shared responsibility model but says nothing about the Vendor’s own configuration, identity, application and data-handling controls, along with a few contractual representations and warranties; 3) liability limitations narrowed through negotiated exceptions; and 4) an attestation by the Vendor as to the sufficiency of its insurance coverage.

II. The OCC Has Been Leading the Way, but the CFPB, FTC, and States are Circling their Prey

From my direct experience as a Vendor, the most comprehensive FI vendor management and approval processes are found at FIs regulated by the Office of the Comptroller of the Currency (OCC).  The OCC has lately been the most active in examining infrastructure controls, risk and data governance.  For years it has made examples of OCC-regulated institutions that lacked appropriate risk controls through very public enforcement efforts, with consent orders imposing civil money penalties that in the aggregate exceed $1 billion.  Yes, billion. 

Not to be outdone, the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) have recently set the stage for enforcing, potentially jointly, the data security standards and obligations under their purview against companies within their broad jurisdiction (and we know the CFPB pushes the envelope when it comes to its jurisdiction).  Unlike the OCC, these agencies do not supervise institutions for safety and soundness.  These agencies, as well as state regulators, may begin to enforce such obligations even more aggressively than they have to date. 

A.     FTC and GLBA:  Consumer-facing FIs are subject to the requirements of the Gramm-Leach-Bliley Act (GLBA).  The FTC implements the GLBA’s information security obligations for the financial institutions within its jurisdiction under its Safeguards Rule, which requires a covered institution to maintain a written information security program with specific elements, such as access controls that limit who can access customer information, encryption of customer information both in transit over external networks and at rest, and the designation of a single qualified individual to oversee the program.  The Rule also requires covered institutions to oversee their service providers: to select Vendors capable of maintaining appropriate safeguards, to require those safeguards by contract, and to periodically assess the Vendors against them.  A Vendor therefore inherits these obligations through its FI clients’ contracts even where the Rule does not reach the Vendor directly.

B.     CFPB and CFPA:  On August 11, 2022, the CFPB issued Consumer Financial Protection Circular 2022-04, which asserts that information security programs are also subject to CFPB oversight under a UDAAP theory.  The CFPB’s position is that failing to maintain adequate protections for consumer data can itself violate the Consumer Financial Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices (UDAAP).  The Circular singles out three failures as likely to trigger liability: inadequate multi-factor authentication, poor password management, and failure to apply software updates in a timely manner.

In the Circular, the CFPB stated that, “in addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), ‘covered persons’ and ‘service providers’ must comply with the prohibition on unfair acts or practices….”  The CFPB has already put this interpretation into practice.  In a past enforcement action based on data security, the CFPB found that inadequate data security for the sensitive consumer information the company collected, processed, maintained, or stored constituted an unfair practice, even in the absence of a data breach.  The practical point for a Vendor is that a control failure need not result in a breach to be actionable.

C.     State Requirements:  In addition to federal requirements, state regulatory requirements govern how FIs and their Vendors manage data privacy, specifically how they collect, transmit, secure and transact with consumer data.  States such as California, Colorado, Connecticut, Utah and Virginia have been very active in the area of privacy and consumers’ rights to control their data, with other states starting to catch up.  Beyond the privacy laws, a number of state-specific cybersecurity, data security and breach notification laws must be followed when consumers are located in, or business is being conducted in, New York, New Jersey, Massachusetts, Maryland, Oregon, Texas, and Washington.  Companies need to understand that state enforcement actions are occurring, and that they are not triggered only by a security breach: regulators are examining whether a cybersecurity program actually is what the company represents it to be.  In one New York case, the New York Department of Financial Services (NYDFS) charged a company not only with defects in its cybersecurity program but with failing to timely and adequately remediate known vulnerabilities.  NYDFS has gone so far as to impose a $1.5 million penalty on a licensed mortgage banker for failing to report a cyber breach, and for failing to investigate and identify the consumer data exposed when an attacker exploited an email vulnerability, until NYDFS required the mortgage banker to act.

III. The Current Vendor Management Process is Broken, Regulatory Enforcement Actions are Looming and Vendors Must Get Better at Securing the FI’s Consumer Data

Too many Vendors’ risk management, data governance, cybersecurity and privacy knowledge and infrastructure controls are insufficient to support their own, and their FI clients’, express cybersecurity and data privacy regulatory obligations.  Too many FIs fall short in holding Vendors accountable, both contractually and through weak vendor onboarding, vendor management and vendor oversight programs and processes.  In addition, many new Vendors in the “FinTech” space have not tried to understand, or lack the resources to comply with, the myriad federal and state data security and privacy obligations that FIs will need to impose on them.   

The bottom line is that FIs and Vendors are going to be held accountable for the federal and state requirements discussed here.  We can expect to see more investigations, consent orders, and significant civil penalties.  We could also see a contraction in the number of Vendors serving the financial services industry, because not every company will survive the regulatory onslaught.  That may affect the industry’s ability to deliver consumer financial services and to innovate new financial technologies. 

Please contact John Levonick at jlevonick@garrishorn.com if you would like to discuss.

Up Next… Part II: What FI’s and Vendors Must Do to Fix the Problem

John V. Levonick

John Levonick is a seasoned lawyer who focuses on consumer finance, capital markets, and technology.

With insight gained from years of experience as Chief Executive Officer, General Counsel and Chief Compliance Officer, John understands the dynamic and ever-changing finance and technology markets. He has extensive experience drafting and negotiating commercial agreements and complex financial instruments, launching digital products and services, deploying secure cloud infrastructures, and supporting global technology companies within the heavily regulated U.S. financial markets.
