CUBE RegNews:
October 20^th

Metropolitan Commercial Bank fined $14.5 million for customer identification breach

Metropolitan Commercial Bank has been fined approximately $14.5 million for violations of customer identification rules and deficient third-party risk management practices, which were related to the issuance of prepaid card accounts. 

The violations stem from actions taken in 2020, when Metropolitan Commercial Bank opened prepaid card accounts that were later found to be used by illicit actors to collect illegally-obtained state unemployment insurance benefits. The critical issue heer was the lack of adequate procedures to verify the true identity of applicants when opening prepaid card accounts through a third-party program manager, thereby contravening the customer identification rules set forth in the Bank Secrecy Act. 

Because of this enforcement action, Metropolitan Commercial Bank is now mandated by the Federal Reserve Board to enhance its customer identification, customer due diligence, and third-party risk management programs. These measures are essential to prevent similar violations in the future and to strengthen the bank’s overall compliance with regulatory requirements. 

The enforcement action is not an isolated event. It is being conducted in coordination with an action by the New York Department of Financial Services, which serves as the state regulator overseeing Metropolitan Commercial Bank. Collectively, the penalties imposed by the Federal Reserve Board and the Department of Financial Services amount to approximately $30 million. 

This action reiterates the importance of rigorous customer identification and third-party risk management practices. Ensuring compliance with these regulations is not only a legal obligation but also a critical step in safeguarding the integrity of financial systems and preventing illicit activities. 

FinCEN proposes new rule to increase CVC transparency

The Financial Crimes Enforcement Network (FinCEN) has proposed a new rule which would require financial institutions to implement new recordkeeping and reporting requirements regarding convertible virtual currency (CVC) mixing. The proposed rule recognizes the risks posed by the extensive and increasing use of CVC mixing services by a variety of illicit actors throughout the world and by malicious actors. The proposal introduces additional reporting requirements including the following.

Reportable information regarding the covered transaction 

• Amount of CVC Transferred. 
• CVC Type.
• CVC Mixer Used (if known).
• CVC Wallet Address (Mixer). 
• CVC Wallet Address (Customer).
• Transaction Hash. 
• Date of Transaction.
• IP Addresses and Time Stamps.
• Narrative.

 Reportable information regarding the customer associated with covered transactions: 

• Customer’s Full Name, date of birth and address. 
• Customer’s Date of Birth. 
• Email Address.
• Unique Identifying Number.

 Filing procedures: 

• Financial institutions must report this information to FinCEN within 30 days of detecting a covered transaction. 
• The reportable data should be submitted in a format specified by FinCEN.
• The information required aligns with existing AML/CFT obligations, with the focus on CVC mixing transactions. 
• The financial institution is only required to report information within its possession, not requiring outreach to transaction counterparts. 

Recordkeeping requirements: 

• Financial institutions must maintain records documenting their compliance with the regulation. This includes records of reported information and the associated transactions. 

The rule will be available to comment on shortly. 

Payment Systems Regulator speech on Open Banking

Kate Fitzgerald, the Head of Policy at the Payment Systems Regulator (PSR), delivered a speech at the Open Banking Expo in which she provided a comprehensive regulatory overview of the challenges and opportunities for Open Banking.  

The PSR, as the UK’s independent economic regulator of payment systems, is committed to promoting competition and innovation in the payment industry. Fitzgerald emphasized the potential of Open Banking to enhance competition and improve the user experience. 

The PSR is the independent regulator of payment systems in the UK, overseeing various payment networks, including LINK, Faster Payments, Visa, Mastercard, Bacs, and the upcoming Sterling Fnality system. The PSR’s role is to promote competition and innovation in payments, with a focus on improving outcomes for users in terms of pricing, innovation, and service quality. 

Fitzgerald highlighted the competitive nature of payments and the potential for Open Banking to further enhance competition among payment systems. The PSR’s strategy places a strong emphasis on unlocking greater competition through Open Banking, recognizing it as a key means to achieve this goal. 

The speech emphasized the growth of Open Banking in the UK and its impact on consumers and businesses. It has resulted in innovative solutions and products, such as personal finance apps and the opening up of current account data for income verification and affordability checks, leading to faster processes and improved financial support. 

Fitzgerald stressed the importance of robust security measures and data collection to mitigate financial crime risks in Open Banking, such as fraud and money laundering. The speech highlighted ongoing efforts to develop enhanced fraud data systems. 

The speech touched on the need for sustainable commercial models in Open Banking, including charging models, contractual structures, and sufficient coverage to drive network effects. Regulatory intervention may be required to ensure alignment with industry objectives. 

Looking to the future, explained that the PSR is working to unlock the full potential of Open Banking by further developing variable recurring payments (VRPs) and developing a framework for wider retail, e-commerce, B2B, and B2C payments. 

As with so many of her peers speaking on behalf of regulatory bodies, Fitzgerald stressed the importance of industry collaboration and ongoing engagement to address challenges and foster innovation in Open Banking. 

Fitzgerald concluded with an acknowledgment that Open Banking has the potential to significantly impact the way people make payments.  

Bank of England speech on cyber risk and operational resilience

In a speech at the London School of Economics, Bank of England Financial Policy Committee (FPC) member Elisabeth Stheeman spoke about cyber risks and operational resilience.

Stheeman emphasized the FPC’s primary role in identifying and mitigating systemic risks to safeguard the resilience of the UK’s financial system. She highlighted several instances where financial resilience was tested, such as the challenges posed by the COVID-19 pandemic, liquidity shocks, and overseas banking sector issues. These “tests” were essential in ensuring that the financial system remained stable and capable of providing services to households and businesses. 

The speech then delved into operational risk, encompassing both natural and man-made hazards that affect the systems and processes within financial institutions. These risks are divided into non-malicious (eg, natural disasters) and malicious (eg, cyber-attacks and IT system outages) categories. Notably, cyber risks, due to the increasing digitization and interconnectedness of financial systems, have become a significant concern. 

Stheeman stressed the prominence of cyber risks on the FPC’s radar. The National Cyber Security Center (NCSC) has highlighted the evolving cyber threats from countries like Russia and China. Ransomware attacks and cybercrime continue to be major challenges in this domain. Stheeman explained how a cyber-attack could have both direct and indirect impacts on financial stability. Directly, it might disrupt essential financial services, while indirectly, it could lead to liquidity stress, financial losses, or a loss of confidence in financial institutions. 

To mitigate these risks, the Bank of England, alongside HM Treasury and the Financial Conduct Authority (FCA), is actively working on improving and testing the operational resilience of the financial system against cyber-attacks. Various tools, including cyber stress tests and collective efforts, are being utilized to assess and enhance cyber resilience. The FPC has set baseline expectations for resilience and a tolerance for firms’ capabilities to restore services after a cyber incident. 

The speech then discussed the 2022 cyber stress test, which focused on retail payment disruption. The test aimed to evaluate firms’ abilities to identify and mitigate the consequences of a hypothetical cyber incident, using an “impact tolerance” as a measure of when UK financial stability is affected. 

Key lessons from the stress test were outlined, including the need for firms to prepare for contingencies, automate data reconciliation, and communicate effectively. The importance of mitigating actions, such as making emergency cash available, was stressed. Furthermore, coordinated decision-making and communication across the industry were deemed essential to limit the impact of incidents. 

Stheeman also highlighted that operational resilience extends beyond cyber risks. Firms are increasingly relying on third-party services like cloud providers, which can enhance operational resilience but also pose risks. Direct regulatory oversight of these critical third parties is being considered. 

Concluding, Stheeman note operational resilience, especially in the context of growing cyber risks, is a medium-term priority for the FPC. The lessons learned from cyber stress tests are continuously incorporated into future testing, as the interconnected and digitized nature of businesses demands a comprehensive understanding of how operational risks can threaten financial stability and how resilience can be strengthened at a systemic level. 

EBA sets EU-wide examination program priorities

The European Banking Authority (EBA) has published the European Supervisory Examination Program (ESEP) for 2024, which identifies key topics for heightened supervisory attention across the European Union.   

Three topics have been for supervisory attention for 2024 as follows: 

• liquidity and funding risk;
• interest rate risk and hedging; and
• recovery operationalization. 

 The topics reflect current challenges and provides clear priorities for supervisors on topics that require EU traction, based on the request of the Board of Supervisors.