ABA Banking Journal: Federal court blocks enforcement of beneficial ownership reporting rule
December 3, 2024
Less than a month before a Jan. 1 deadline for businesses to report their beneficial owners to the Financial Crimes Enforcement Network, a federal judge in Texas has issued a preliminary injunction blocking enforcement of the requirement. The order states that covered companies nationwide do not need to comply with the Jan. 1 reporting deadline, unless the judge or a higher court reverses the order in the meantime.
The lawsuit, brought by the National Federation of Independent Business and several of its members, challenged the constitutionality of the Corporate Transparency Act, the 2021 bill that established a beneficial ownership information, or BOI, registry and the requirement for businesses to report. The plaintiffs argued that the CTA exceeded Congress’s authority to regulate interstate commerce, that it violates the First Amendment by compelling speech and infringing freedom of association and that it violates the Fourth Amendment by forcing the disclosure of private information.
By mid-November, as the initial Jan. 1 reporting deadline approached, only about a quarter of the estimated 32.5 million covered businesses had registered. According to newly released poll data from Wolters Kluwer, 37% of firms were waiting until closer to the deadline and 12% said they had insufficient resources to do the filing. Meanwhile, 9% of businesses believed they were not covered by the rule, and 32% were unsure whether the rule applied to them.
CISA News: The Insider Threat
83% of organizations reported insider attacks in 2024
November 26, 2024 | Bill Josh Nadeau
According to Cybersecurity Insiders’ recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising is that the share of organizations that experienced 11-20 insider attacks grew to five times its 2023 level, moving from just 4% to 21% in the last 12 months.
With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside their digital ecosystem while putting into practice effective threat management strategies to address them.
The rising concern of insider attacks
As businesses readily adopt hybrid cloud working models and next-generation technologies, the complexity of insider risk management has risen. Cybersecurity Insiders recently reviewed 413 IT and cybersecurity professionals to better understand where and how insider threats impact their organizations.
Surprisingly, the rate of insider threat incidents has grown considerably year-over-year, with 48% of respondents reporting that they’re contending with a much more prevalent problem in just the last 12 months. When reviewing the reasoning behind this escalation, Cybersecurity Insiders was able to narrow down four primary issues that are the culprits:
- Complicated IT environments: The support of remote and hybrid working models, in addition to wide-scale cloud adoption by modern businesses, has created more intricate operational structures that are harder to manage and control.
- Inadequate security measures: Many businesses struggle to stay up-to-date with the latest security best practices and still rely on outdated protocols to protect their digital assets.
- Lack of employee training and awareness: Not all insider threats are malicious. In fact, most employees are simply not trained enough to stay aware of the risks they can introduce into the business while also playing an active role in preventing insider threats from happening.
- Weak enforcement policies: Although 93% of respondents in the report said that strict visibility and control was an important factor for them, only 36% actually had an effective solution in place for unified visibility and access control.
Breaking down the actual costs associated with insider threats
While many security teams understand the security implications of insider threats, the full scope of their financial repercussions isn’t always recognized. Cybersecurity Insiders’ report dug deeper into these factors; the results are quite revealing.
For 32% of the organizations that dealt with insider threats in the last year, the cost to fully recover averaged between $100,000 and $499,000. While this was the most common response received, 21% of respondents reported much steeper costs, ranging between $1 million and $2 million.
These statistics only represent the quantifiable costs associated with insider threat remediation. They don’t consider the additional losses businesses can experience when factoring in the damage these attacks cause to their reputations and the loss in customer trust that comes with it.
Best practices for improving insider threat management
Considering the negative implications that insider threats pose on organizations, it’s important to implement effective best practices to minimize exposure. These include:
- Advanced monitoring solutions: Insider threats are often much more difficult to detect than external attacks. Due to this fact, it’s important to invest in more advanced monitoring solutions such as User and Entity Behavior Analytics (UEBA). These tools use machine-learning algorithms and behavioral analytics to monitor user activity while flagging anomalies to assist security teams with early warnings of potential insider threat activity.
- Non-IT data sources: Incorporating non-IT data sources into your threat management platforms helps broaden the intelligence of enabled security solutions. For example, by adding information such as legal data, HR records and other public data sources, you can get a more complete view of potential insider threats that could emerge. These data sources could comprise employee performance reviews and disciplinary actions or other publicly sourced information on social media. All of this information helps with early detection and can considerably lower risk ratios.
- Automated threat detection and response: With many organizations quickly scaling their digital reach, manual threat detection and response have become highly inefficient. Automated response tools have become an essential asset to help businesses analyze large streams of data, identify potential threats and accelerate response times. In addition to on-premise security solutions, Threat Detection and Response (TDR) services can significantly improve a business’s cybersecurity hygiene. With immediate access to the latest tools and highly trained teams, TDR services can strengthen security defenses.
- Zero trust frameworks: Strict access control is essential to limit the potential for insider threats to persist. Adopting a zero trust security model reduces organization exposure by assuming all users and devices in or outside a company network are potential threats. This ensures that every access attempt is thoroughly vetted and restricts the ability of malicious insiders to maintain unauthorized access to sensitive systems and networks.
- Employee training and awareness: A common area of concern for the companies listed in Cybersecurity Insiders’ recent report is employee training, with 32% of respondents admitting that lack of awareness was a major contributor to an attack. It’s important to continuously educate staff on the dangers of insider threats and teach them how to identify and report suspicious activities.
- Creating a security-conscious culture: It’s important to set the right tone for the entire organization when it comes to cybersecurity planning. To achieve this, company leadership should be actively involved in helping to prioritize threat management across all departments while leading by example. This ensures that everyone has shared accountability when it comes to avoiding internal and external threats.
- Regular security audits and assessments: In order to ensure the solutions and practices you’re putting into place are effective, regular security audits and assessments are critical. These comprehensive evaluations should review everything from security policies and access controls to the effectiveness of any incident response plans actively in place.
- Incident response planning: Organizations should always be prepared for the worst-case scenario and have a well-defined incident response plan in place. Considering that the last report by Cybersecurity Insiders shows most impacted businesses are still unsure about their recovery times, it’s more important than ever to have clearly outlined procedures for remediating attacks.
Stay ahead of the insider threats
As insider threats continue to escalate each year, it’s critical for organizations to take active steps in their prevention. By following the best practices outlined and building more internal awareness regarding these ongoing threats, businesses can ensure they maintain a resilient cybersecurity posture.
December 3, 2024
The Consumer Financial Protection Bureau today proposed a new rule to expand existing federal protections for consumer data to certain activities by data brokers.
The proposed rule would define data brokers as “consumer reporting agencies” under the Fair Credit Reporting Act when they sell certain sensitive information about consumers, such as Social Security numbers and phone numbers, according to the CFPB. As a result, data brokers would be required to comply with FCRA requirements on ensuring the accuracy of the data they sell, providing consumers access to their information and maintaining safeguards against unauthorized access to the data.
Earlier this year, CFPB Director Rohit Chopra announced his intention to draft the proposed rule after President Biden issued an executive order “encouraging” the CFPB “to protect Americans from data brokers that are illegally assembling and selling extremely sensitive data, including that of U.S. military personnel.” The rule will not be finalized before President-elect Trump takes office, and it is unclear whether his administration will prioritize the issue.
In a statement accompanying the proposed rule, the CFPB alleged that countries such as China and Russia currently can purchase detailed information about military service members and government employees “for pennies per person,” and that the data could be used to perpetuate scams or collect detailed information about domestic violence survivors. The proposed rule would ensure that data brokers are treated like credit bureaus and background check companies that already must comply with the FCRA, the agency said.
Comments on the proposed rule must be received by March 3, 2025.
National School for Experienced Ag Bankers
June 23-26, 2025 | Spearfish
The National School for Experienced Ag Bankers is a seminar for experienced ag bankers who want to further develop their ag lending skills, learn new skills, confirm existing methodology and meet fellow bankers who share the same career path. Taught by a nationally-recognized faculty of bankers, academics and other real-world ag banking practitioners, this program is focused on ag lending opportunities and challenges that are relevant to ag bankers from across the United States.
SDBA IRA Basics
January 9, 2025 | Virtual
This course is a “very basic” IRA seminar designed to build a solid IRA foundation. The seminar will start with the differences between a Traditional and a Roth IRA, and then discuss how to set up a new IRA and the eligibility rules to contribute to an IRA. The biggest topic for people new to IRAs to discuss is the moving of money from one financial institution to another. This involves IRA transfers and rollovers, plus the direct rollovers from a qualified plan. Discussion will go through the 13 exceptions to taking money out of an IRA before age 59.5 to avoid the penalty tax, and how RMD is calculated in a traditional IRA. There will be an introduction into death distributions. Finally, we will cover how to take money out of a Roth IRA.
2025 Midwest Economic Forecast Forum
Prepare for 2025 by joining an economic discussion with Federal Reserve Bank President Austan Goolsbee. Time will be allowed for open Q&A during this virtual event. Bankers are encouraged to invite their business clients and local community leaders to tune in to these economic insights together. Individuals or group registration rates are available.
Question of the Week
Q: Does the recently issued Reconsideration of Value (ROV) guidance apply to commercial transactions?
A: Like so many novel compliance-related issues, unfortunately the answer is less than crystal clear. While the scope of the final guidance is intended to be limited to "real estate-related financial transactions that are secured by a single 1-to-4 family residential property," which some may say suggests a consumer-purpose transaction, the guidance and its commentary do reference ECOA, which applies to both consumer-purpose and commercial-purpose transactions; again, this aspect is not exactly clear, and the conservative approach may be to treat it as such considering the lack of clarity at this time:
“24. See 15 U.S.C. 1691 et seq. and 12 CFR part 1002. While this guidance focuses on residential valuations, ECOA covers all lending, including commercial lending. In addition, Regulation B requires creditors to (1) provide an applicant a copy of all appraisals and other written evaluations developed in connection with an application for credit that is to be secured by a first lien on a dwelling; and (2) provide a copy of each such appraisal or other written valuation promptly upon completion, or three business days prior to consummation of the transaction (for closed-end credit) or account opening (for open-end credit), whichever is earlier. See 12 CFR 1002.14(a)(1).” Interagency Guidance on Reconsiderations of Value of Residential Real Estate Valuations
It is worth noting that institutions have flexibility in their approach to their internal ROV processes, however – and as the guidance highlights – “institutions that choose to implement ROV policies described in this guidance would not be precluded or excused from complying with other relevant legal and contractual requirements related to ROVs, as applicable.”
Learn how to put compliance management solutions from Compliance Alliance to work for your bank, by contacting (888) 353-3933 or [email protected] and ask for our Membership Team. For timely compliance updates, subscribe to Bankers Alliance’s email newsletters.