Federal Regulatory Agencies
News releases, reports, statements and associated documents from federal regulatory agencies ranging from the Securities and Exchange Commission to the Commodity Futures Trading Commission
Featured Stories
Litigation: SEC Settles Action Against Beverly Hills Resident For Involvement in Scheme to Defraud Readers of Citron Research Tweets
WASHINGTON, Oct. 23 -- The Securities and Exchange Commission issued the following litigation release (No. 2:24-cv-09082; C.D. Cal. filed Oct. 22, 2024) involving Ryan Choi:
* * *
The Securities and Exchange Commission today announced that Ryan Choi agreed to pay more than $1.8 million to settle charges that he negligently engaged in a scheme to defraud readers of Citron Research in connection with two tweets issued by the platform. In July 2024, the SEC charged Andrew Left, who operates the Citron Research website and related social media platforms, for engaging in a scheme to defraud Citron Research followers by publishing false and misleading statements regarding his supposed stock trading recommendations.
The SEC's complaint against Choi alleges that in December 2020, Choi worked with Left on the research and content for two buy recommendations that Left issued through Citron Research. According to the complaint, Choi failed to act reasonably by not conducting adequate research or due diligence, which he provided to Left to support the recommendations that Left included in the Citron Research tweets. The complaint further alleges that Choi quickly traded on price increases that came after the two Citron Research tweets, and negligently failed to ensure that this trading activity was adequately disclosed in the tweets. According to the complaint, Choi made a total of $1,647,217 in profits in connection with his trading around these two tweets.
The SEC's complaint charges Choi with violating Section 17(a)(3) of the Securities Act of 1933. Without admitting or denying the allegations of the complaint, Choi agreed to the entry of a final judgment permanently enjoining him from violating Section 17(a)(3) of the Securities Act and requiring him to pay a civil penalty of $115,231, disgorgement of $1,647,217, and prejudgment interest of $64,818.
The SEC's investigation was conducted by Wendy E. Pearson and Sarah S. Nilson and supervised by Finola H. Manvelian. Trial attorney Stephen Kam, Carina Chambarry and Michael Barnes in the SEC's Division of Economic and Risk Analysis, and Darren Boerner in the Division of Enforcement's Market Abuse Unit provided assistance. The SEC appreciates the assistance of the Financial Industry Regulatory Authority.
* * *
Resources
* SEC Complaint (https://www.sec.gov/files/litigation/complaints/2024/comp26164.pdf)
* * *
Original text here: https://www.sec.gov/enforcement-litigation/litigation-releases/lr-26164
FEC Record: AO 2024-09 - Use of Campaign Funds for Eldercare Expenses
WASHINGTON, Oct. 23 -- The Federal Election Commission issued the following record on Oct. 22, 2024:
* * *
Congresswoman Nanette Barragan may use campaign funds to pay for certain eldercare expenses to the extent they are incurred as a direct result of her own campaign activity or certain official officeholder duties.
Background
Congresswoman Barragan currently represents California's 44th Congressional District and is a candidate in the 2024 election. Barragan for Congress (the committee) is her principal campaign committee. Congresswoman Barragan's mother suffers from several severe health conditions and requires 24-hour care. The Congresswoman resides in her mother's home, holds power of attorney, and manages her care.
Since January 2023, Congresswoman Barragan has secured the services of several caregivers but has experienced gaps in coverage, which she expects will continue.
Congresswoman Barragan asked whether she could use campaign funds to pay for caregiving to cover gaps when she is not able to provide the care herself for campaign or officeholder-related reasons.
Analysis
Under the Federal Election Campaign Act (the Act) and Commission regulations, campaign funds may not be converted to personal use. The Act and Commission regulations define "personal use" as the use of campaign funds "to fulfill any commitment, obligation, or expense of a person that would exist irrespective of the candidate's election campaign" or duties as a federal officeholder. The regulations provide a non-exhaustive list of expenses that, when paid using campaign funds, constitute per se personal use. For expenses not included on this list, the Commission determines, on a case-by-case basis, whether the use is a prohibited "personal use"--that is, whether the expense would exist irrespective of the candidate's campaign or federal officeholder duties.
The Commission has not previously addressed in advisory opinions the use of campaign funds to pay eldercare expenses but has approved their use for childcare expenses that would not have existed absent campaign activity.
Payment of eldercare expenses
As primary caregiver with power of attorney over her mother, Congresswoman Barragan has a legal responsibility to ensure that her mother receives necessary care. When she is away from home and cannot care for her mother herself, Congresswoman Barragan incurs costs for her mother's care.
The Commission concluded that Congresswoman Barragan may use campaign funds to pay to fill gaps in her mother's care that arise when she is in her district or travels to other destinations for official campaign events, such as fundraising events and meetings with campaign supporters, because those expenses directly result from Congresswoman Barragan's participation in such events and therefore would not exist irrespective of her campaign.
Likewise, when Congresswoman Barragan travels as part of an official Congressional Member Delegation (CODEL) or to Washington, DC, to cast votes in Congress, the associated caregiving costs directly result from her duties as a federal officeholder. As such, the use of campaign funds to fill unanticipated gaps in care would not exist irrespective of her duties as a federal officeholder and would not be a prohibited personal use.
The Commission declined to render an opinion with respect to various additional campaign or officeholder activities including Congresswoman Barragan's travel with other candidates, to the national convention, in her official capacity as Chair of the Congressional Hispanic Caucus, or for unspecified official activity.
Date Issued: October 10, 2024; Length: 7 pages
Citations
Regulations
* 11 CFR Sec. 113.1(g) - Definition of personal use
* 11 CFR Sec. 113.2(a),(e) - Permissible non-campaign use of funds
Advisory Opinions
* AO 1995-42 (McCrery)
* AO 2018-06 (Liuba for Congress)
* AO 2019-13 (MJ for Texas)
* AO 2022-07 (Swalwell)
Resources
* Advisory opinion 2024-09 (https://www.fec.gov/data/legal/advisory-opinions/2024-09/)
* Commission consideration of AO 2024-09 (https://www.fec.gov/updates/october-10-2024-open-meeting/)
Author
Mary Ann Baker, Communications Specialist
* * *
Original text here: https://www.fec.gov/updates/ao-2024-09/
SEC Charges Advisory Firm WisdomTree With Failing to Adhere to Its Own Investment Criteria For ESG-Marketed Funds
WASHINGTON, Oct. 22 -- The Securities and Exchange Commission issued the following news release on Oct. 21, 2024:
* * *
Firm misstated that funds did not invest in companies involved in fossil fuels and tobacco
* * *
The Securities and Exchange Commission today charged New York-based investment adviser WisdomTree Asset Management Inc. with making misstatements and for compliance failures relating to the execution of an investment strategy that was marketed as incorporating environmental, social, and governance (ESG) factors.
According to the SEC's order, from March 2020 until November 2022, WisdomTree represented in prospectuses for three ESG-marketed exchange-traded funds, and to the board of trustees overseeing the funds, that the funds would not invest in companies involved in certain products or activities, including fossil fuels and tobacco. However, the SEC's order finds that the ESG-marketed funds invested in companies that were involved in fossil fuels and tobacco, including in coal mining and transportation, natural gas extraction and distribution, and retail sales of tobacco products. According to the SEC's order, WisdomTree used data from third-party vendors that did not screen out all companies involved in fossil fuel and tobacco-related activities. The SEC's order further finds that WisdomTree did not have any policies and procedures over the screening process to exclude such companies.
"At a fundamental level, the federal securities laws enforce a straightforward proposition: investment advisers must do what they say and say what they do," said Sanjay Wadhwa, Acting Director of the SEC's Division of Enforcement. "When investment advisers represent that they will follow particular investment criteria, whether that is investing in, or refraining from investing in, companies involved in certain activities, they have to adhere to that criteria and appropriately disclose any limitations or exceptions to such criteria. By contrast, the funds at issue in today's enforcement action made precisely the types of investments that investors would not have expected them to based on WisdomTree's disclosures."
WisdomTree consented to the entry of the SEC's order finding that it violated the antifraud provisions of the Investment Advisers Act of 1940 and the Investment Company Act of 1940, and the compliance rule in the Investment Advisers Act. Without admitting or denying the SEC's findings, WisdomTree agreed to a cease-and-desist order and censure and to pay a $4 million civil penalty.
The SEC's investigation was conducted by Salvatore Massa and Joshua Tannen, and was supervised by Lee A. Greenwood, Andrew Dean, and Corey Schuster, all from the Enforcement Division's Asset Management Unit. Russell Feldman and Daniel Loss of the Enforcement Division's New York Regional Office provided assistance in the matter. The examination that led to the investigation was conducted by Arjuman Sultana, Majid S. Mahmood, Lev Miller, and Margaret Pottanat of the Division of Examinations.
* * *
Original text here: https://www.sec.gov/newsroom/press-releases/2024-173
Prepared Remarks of CFPB Director Rohit Chopra at the Federal Reserve Bank of Philadelphia on the Personal Financial Data Rights Rule
WASHINGTON, Oct. 22 -- The Consumer Financial Protection Bureau issued the following news release:
Thank you to everyone at the Federal Reserve Bank of Philadelphia for organizing today's event. I especially want to thank President Patrick Harker for his service to this region and our country.
Today, the Consumer Financial Protection Bureau has finalized the Personal Financial Data Rights rule, which implements an authority enacted by Congress in 2010 in the aftermath of the financial crisis. The rule will provide more freedom, promote decentralization, and spur greater competition. It is an important step toward ensuring that these principles, embedded in the fabric of our financial system dating back to the earliest days of the republic, are reflected in this digital era.
I'll start by explaining the problems we are looking to solve with this Personal Financial Data Rights rule required by Congress. Then, I want to describe how the final rule works. I'll conclude with some next steps to continue moving open and decentralized banking and payments in the U.S. forward.
As always, my remarks reflect the views of the Consumer Financial Protection Bureau and do not necessarily represent the views of any other component of the Federal Reserve System.
What We Need to Fix
In today's economy, the problems in banking are similar to problems that we see in other sectors. Rather than innovate on providing the best products at the best prices and with the best service, companies have found new ways to boost their bottom line.
For example, rather than constantly create a better product or service, we see "innovation" on how firms can make it harder to cancel or switch. Rather than advertise the true price up front, we see mysterious junk fees pop up later in the process. Instead of making things simple to work across different brands, we find ourselves buying proprietary plugs, switches, and other accessories that only work with specific products.
These types of issues cost consumers billions. When the Federal Reserve started to raise interest rates in 2022, the nation's largest financial institutions were quick to hike rates on loans, but many barely budged when it came to raising rates on deposits for savers.
Switching a bank account or credit card now involves the risk of screwing up an auto-debit for a bill or incurring an unwanted fee. People are even warned that canceling an account might hurt their credit score or their ability to get another loan.
It's no surprise that for millions of people across the country, they're still using the same credit card that they first got when they became an adult. I know I'm guilty of this.
There are other problems too. Young people start off adulthood with a lousy credit score, if they can even get one at all, since you need a long credit history to get a high score. The same is true for new immigrants and others with little else on their credit report. Since lenders want an automated way to evaluate you, it isn't always easy to prove that you're a good credit risk.
When it comes to making payments online or at a store's checkout counter, the market is rife with monopolistic practices that enrich incumbent networks at the expense of consumers, businesses, and creators.
The results of this are that you pay more for loans and you earn less on your deposits. Fewer people are able to get competitive and affordable credit. Businesses of all sizes pay more to process payments, pushing prices up. All of this hurts the whole economy.
In the U.S., digital technologies are changing this, opening up new opportunities to fix these problems. By allowing consumers to permission their personal financial data, and make it over time more seamless, people can more easily sign up, switch accounts, and take their financial history with them. But, much of the data sharing that does take place today uses unsafe methods like third parties using login credentials to scrape vast amounts of data from online banking interfaces.
But more importantly, incumbents don't want to lose their captive customer base. Just like other sectors of the economy, big companies have little incentive to make it easy for you to port and share your data. We've seen how they can concoct a slew of reasons to block consumers from these benefits.
Open Banking in the U.S.
One of the best ways to support a vibrant market is to eliminate roadblocks to competition. In the early years of the wireless phone market, switching to a new carrier was extremely cumbersome, requiring you to get an entirely new phone number. The Federal Communications Commission later instituted a policy requiring wireless number portability between carriers. This dramatically reshaped the competitive dynamics, creating incentives to compete on service and prices.
To make our banking and payments market more competitive, it needs to be open and decentralized using a common set of data standards, free of powerful gatekeepers and middlemen that can impose private regulations and extract fees.
Over the last few years, we have been working with players across the ecosystem to sketch out what open banking in the U.S. could look like. By connecting consumer transaction data, payroll data, credit reporting data, retirement and investment balances, payments information, and more, we can accelerate the progress that the U.S. is already making. We also closely studied the experiences with data sharing in other sectors (like in health care) and in open banking frameworks in other jurisdictions.
One foundational aspect is to ensure that incumbents can't block consumers from controlling and porting their personal financial data. In 2010, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act. Section 1033 gives consumers new rights to access their personal financial data in a standardized format, subject to the rules of the CFPB. Since the CFPB never finalized any rules, it was essentially a dead letter. Our final rule today is our first significant rule using this dormant authority.
How the Rule Works
Here's how the new rule works. If you are a consumer who uses a checking account, credit card, or mobile wallet, your provider holds a lot of your personal information. For example, they may have records of your recent transactions, account balances, upcoming bill payments, and information needed to initiate payments. If you want to use that information to make a payment, apply for credit, or switch banks, your provider might throw up roadblocks to keep you from leaving for a competitor offering you a better deal.
Our rule prevents companies from doing that. That means you can more easily walk away from mediocre products or services and choose financial institutions that offer higher rates for your savings, lower rates on loans, free access to your paycheck before payday, or ways to more effectively manage your finances.
Under the Personal Financial Data Rights Rule, if a consumer chooses, they could allow mortgage lenders to use data from their checking account on their income and expenses in the underwriting process. This data could help supplement and improve the accuracy of traditional credit histories and help more people obtain credit on better terms. Over the long run, this could reduce the system's dependence on credit scores.
To take another example, the payments infrastructure in the U.S. is lagging behind many other developed countries. By giving consumers the ability to more easily use secure payments information, we can create more options to make payments and facilitate what is often referred to as "pay-by-bank." This has the potential to make payment options like ACH and FedNow more mainstream. This could also benefit merchants, who face high fees to accept payments through Visa, Mastercard, and other incumbent payment networks. Some merchants have plans to incentivize payments through these alternatives through cashback, discounts, and rewards.
Cash flow underwriting and more intense payments competition are just two possible use cases for consumer-driven data access, but there are countless others. At the CFPB, we believe that products and services powered by consumer-driven data access should continue to improve consumer finance for all.
But what if companies are just pretending to offer you a competing product? What if they really just want to exploit your data for other purposes? We learned a great deal from the experiences in other jurisdictions, and we knew that putting in some meaningful limitations on how permissioned data could be used was critical.
The rule institutes strong privacy protections. It's pretty simple. A company that ingests consumer's data can use the data to provide the product or service the consumer asked for, but not for unrelated purposes the consumer doesn't want.
The Personal Financial Data Rights rule says that consumers can authorize companies to access their data, but those companies then need to act on behalf of the consumer when they access that data. That means companies can't offer you a payment product that uses your data, but then use your data against you by feeding it to a personalized model that ends up charging you more for an airline ticket or other service. That's not what you were in the market to get.
Similarly, if you authorize sharing your data with a company so that you can get a cheaper loan, the data needs to be used to provide you that loan, not for other purposes. And it doesn't matter that the company has included those purposes in legal fine print that you don't have any practical ability to reject. Our rule also means companies can't offer something as a pretext to collect data to sell it or use it to target advertisements at them.
The final rule allows companies to use consumer data to improve the product or service the consumer requested, consistent with the goals of jumpstarting competition. But the rule is designed to ensure that open banking does not become a new data pipeline that fuels surveillance pricing or other manipulative mischief.
Our rule also recognizes that personal financial data is sensitive, and there are basic protections and rights that should go along with accessing this kind of information. Specifically, the rule ensures that personal financial data is collected and used minimally, stored securely, transferred accurately, and deleted when it's no longer needed or when the consumer revokes access.
Critically, the rule also strengthens protections by accelerating the shift away from the industry practice known as "screen scraping." Screen scraping is a still common but risky practice that typically involves consumers providing their account usernames and passwords to third parties who use them to access data indiscriminately through consumer online banking portals. With screen scraping, there are risks of overcollection of data, inaccurate data sharing, and the spread of login credentials.
With respect to implementation, the law asks that the CFPB prescribe standards through the rules, but it also asks that CFPB make an effort to avoid requiring a particular type of technology. I was particularly fixated on these provisions. We know that technical standards are critical to make sure that the system is open and interoperable. Without these standards, each incumbent would create its own set of complicated hurdles.
Rather than micromanage the specifics of open banking, the rule sets out an architecture for standard setting bodies to align on technical standards. Those organizations can seek accreditation from the CFPB, but only if they have a structure and process to develop standards in a fair, open, and inclusive manner. This approach will allow the standards to evolve over time as technology and market needs change.
However, the process can't be rigged against incumbents or challengers or the public. Standard setting organizations must reflect the full range of relevant interests: consumers and firms, incumbents and challengers, and large and small actors. In June, the CFPB finalized a rule outlining the qualifications for entities to become a recognized industry standard setting body, which can issue standards to help companies comply with the final rule announced today.
What's Next
While we have finalized this Personal Financial Data Rights rule, there is a lot for us to all work on together in advance of the early 2026 deadline for the largest financial institutions to comply. Here's just a few of those near-term items:
First, the CFPB is working to prioritize reviewing applications by standard-setting organizations. Several weeks ago, we posted the first application for recognition for public comment, and we are working rapidly to evaluate the application. We are looking to make sure that applicants meet the standards for recognition in the rule. Those applicants must be ready to show that they can set up the right protocols to develop technical standards in a fair way.
Second, the CFPB is continuing to be in constant communication with other financial regulators to advance open banking. The final rule makes clear that when consumers authorize companies to obtain their personal financial data on their behalf, these companies are not acting as service providers to the financial institutions holding the consumer's data; those companies are acting on behalf of the consumer. We are working together to ensure that incumbent fintechs and banks do not engage in tactics to choke off potential competitors.
Third, the industry must update industry-controlled rules on payment networks. In the last few years, the CFPB has repeatedly expressed an urgent need for payment networks to ensure that their rules make sense for the modern age when it comes to payment fraud and errors.
Many payment network rules help to make recoveries from merchants, financial institutions, and others that erroneously or fraudulently receive funds. The pandemic and the rise of more digital payment apps has added new complexity to this. I appreciate that many in the industry would like the CFPB to solve this for them, but these are private network rules. The governing bodies of those private networks need to address this.
Finally, the CFPB will be developing a roadmap for the next set of rules to advance open banking. This first rule covers a wide range of accounts for payments and transactions. We are considering a number of other use cases, such as how to reduce costs and complexity in the mortgage market. During the rulemaking process, there were a number of important issues raised, such as coverage of accounts used for government benefits, like EBT cards, and the ability for nonprofit researchers to use consumer-permissioned data.
The CFPB will also be working on additional guidance and advisory opinions to advance open banking and payments. We will also look for opportunities for other types of financial data, such as those involving investments and securities in retirement plans, to plug into this ecosystem.
Conclusion
In closing, just steps from where we sit today were the sites of major experiments in our country's history in setting up a financial system. The First and Second Banks of the United States sought to ensure that banking was bolstering the economy of the young republic. Later, a Black servant named Curtis Roberts became the first depositor in the nation's first savings association, the Philadelphia Savings Fund Society, whose offices were around the corner.
Our history reminds us of how important it is that our banking system advance public purposes without entrenching too much power in the hands of a few.
We knew that a banking system structured to solely support commercial enterprise and only the wealthiest families would lack legitimacy and would fail to provide economic opportunity to most of our people. Instead of concentrating economic power with one or just a few giant players, with distant outposts from where decisions were made, we promoted a system that served individuals and communities in ways that gave them control.
For the U.S. to ensure that our financial system is advancing opportunities for households, businesses, and the economy, our policies must create more power for individuals to avoid being captive and instead exercise their liberty to do business with someone new. The CFPB's Personal Financial Data Rights Rule is an important step toward reclaiming this history.
* * *
Original text here: https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-federal-reserve-bank-of-philadelphia-on-the-personal-financial-data-rights-rule/
NRC Chair and Commissioners Host Public Meeting in Atlanta
WASHINGTON, Oct. 22 -- The Nuclear Regulatory Commission issued the following news release:
NRC Chair Christopher Hanson and Commissioners David Wright, Annie Caputo and Bradley Crowell will host a public meeting Oct. 30 at the agency's Region II office in Atlanta. The meeting is one of a series being held at the agency's regional offices. The Commission will hear from NRC staff about regional activities and from external stakeholders on their interactions with the agency.
The Commission has invited representatives from Honeywell Metropolis, Framatome, Southern Company, Tennessee Valley Authority, the Institute of Nuclear Power Operations and the Georgia Environmental Protection Division to share their views and make presentations. Senior NRC managers and staff will brief the Commission on the region's hiring and training efforts, oversight of fuel facilities and new reactors, and coordination with state and tribal governments on nuclear emergency preparedness.
The meeting is scheduled from 1-4 p.m. Oct. 30 at the NRC's Region II office, Marquis One Tower, 245 Peachtree Center Ave. NE, 8th Floor Conference Center, Atlanta. Members of the public can attend in person or watch live via webcast (https://video.nrc.gov/).
The NRC's Region II office is responsible for conducting inspections at operating nuclear power plants in the Southeast and for inspecting and evaluating all NRC-regulated activities associated with the construction of new commercial nuclear facilities. It also performs inspections to ensure the safe and secure operation of the nation's nuclear fuel cycle facilities.
* * *
Original text here: https://www.nrc.gov/cdn/doc-collection-news/2024/24-026-ii.pdf
NCUA IG Audit: Federal Information Security Modernization Act of 2014 - FY 2024
ALEXANDRIA, Virginia, Oct. 22 -- The National Credit Union Administration Inspector General issued the following audit report (No. OIG-24-08) on Sept. 12, 2024, entitled "Federal Information Security Modernization Act of 2014 - Fiscal 2024."
Here are excerpts:
* * *
TO: Chairman Todd M. Harper
Board Vice Chairman Kyle S. Hauptman
Board Member Tanya Otsuka
Executive Director Larry Fazio
General Counsel Frank Kressman
Deputy Executive Director Rendell Jones
Chief of Staff Catherine Galicia
OEAC Deputy Director Samuel Schumach
Acting Chief Information Officer David Tillman
Deputy Chief Information Officer Rob Foster
Chief Financial Officer Eugene Schied
AMAC President Cory Phariss
E&I Director Kelly Lay
CURE Director Martha Ninichuk
OHR Director Towanda Brooks
OCSM Director Kelly Gibbs
OBI Director Amber Gravius
OCFP Director Matthew Biliouris
Cybersecurity Advisor and Coordinator Todd Finkler
Senior Agency Official for Privacy Linda Dent
THROUGH: Inspector General James W. Hagen
FROM: Deputy Inspector General R. William Bruns
SUBJECT: National Credit Union Administration Federal Information Security Modernization Act of 2014 Audit - Fiscal Year 2024
DATE: September 12, 2024
Attached is the Office of Inspector General's FY 2024 independent evaluation of the effectiveness of the National Credit Union Administration's (NCUA) information security program and practices./1
The OIG engaged Sikich CPA LLC (Sikich)/2 to perform this evaluation./3 The contract required that this evaluation be performed in conformance with generally accepted government auditing standards issued by the Comptroller General of the United States. The OIG monitored Sikich's performance under this contract.
This report summarizes the results of Sikich's independent evaluation and contains nine new recommendations that will assist the agency in improving the effectiveness of its information security and its privacy programs and practices. NCUA management concurred with and has identified corrective actions to address the recommendations.
We appreciate the effort, assistance, and cooperation NCUA management and staff provided to us and to Sikich management and staff during this engagement. If you have any questions on the report and its recommendations, or would like a personal briefing, please contact me at 703-518-6350.
* * *
TABLE OF CONTENTS
I. EXECUTIVE SUMMARY ... 1
II. SUMMARY OF RESULTS ... 2
III. AUDIT RESULTS ... 4
SECURITY FUNCTION: IDENTIFY ... 4
Finding 1: The NCUA Did Not Maintain an Up-to-Date IT Asset Inventory ... 5
Finding 2: The NCUA Did Not Consistently Complete Annual Risk Assessment Reviews for All Third-Party NCUA Services ... 6
Finding 3: The NCUA Did Not Consistently Complete SCRM Risk Assessments for All Third-Party Systems and Service Providers and Has Not Fully Completed SCRM Policies and Procedures ... 8
SECURITY FUNCTION: PROTECT ... 10
Finding 4: The NCUA Did Not Consistently Resolve Network Vulnerabilities Within Required Timelines ... 10
Finding 5: The NCUA Did Not Complete Its Backlog of Overdue Background Reinvestigations ... 13
Finding 6: The NCUA Did Not Ensure That All Privileged Users Completed Initial Role-Based Security Training in Accordance With NCUA Policy ... 15
SECURITY FUNCTION: DETECT ... 16
SECURITY FUNCTION: RESPOND ... 16
SECURITY FUNCTION: RECOVER ... 17
Finding 7: The NCUA Has Not Completed the Implementation of an Alternate Processing and Storage Site That Is Geographically Separate From the Primary Site ... 18
APPENDIX A: BACKGROUND ... 19
APPENDIX B: OBJECTIVE, SCOPE, AND METHODOLOGY ... 21
APPENDIX C: STATUS OF PRIOR-YEAR RECOMMENDATIONS ... 24
APPENDIX D: MANAGEMENT COMMENTS ... 28
* * *
EXECUTIVE SUMMARY
The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. FISMA also requires agency Inspectors General (IGs) to assess the effectiveness of their agency's information security program and practices. The Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have issued guidance for federal agencies to follow. In addition, NIST issued the Federal Information Processing Standards (FIPS) to establish agency baseline security requirements.
The National Credit Union Administration (NCUA) Office of the Inspector General (OIG) engaged Sikich CPA LLC (Sikich)/2 to conduct a performance audit in support of the FISMA requirement for an annual independent evaluation of the NCUA's information security program and practices. The objective of this performance audit was to assess the NCUA's compliance with FISMA and agency information security and privacy practices, policies, and procedures and ultimately to assess the effectiveness of NCUA's information security program and practices.
OMB and the Department of Homeland Security (DHS) annually provide federal agencies and IGs with instructions for preparing FISMA reports. On December 4, 2023, OMB issued Memorandum M-24-04, Fiscal Year 2024 Guidance on Federal Information Security and Privacy Management Requirements./3
This memorandum describes the methodology for conducting FISMA audits and the process for federal agencies to report to OMB and, where applicable, DHS. According to that memorandum, each year the IGs are required to complete the IG FISMA Reporting Metrics/4 to independently assess their agency's information security program.
For this year's review, IGs were required to assess 20 core/5 and 17 supplemental/6 IG FISMA Reporting Metrics across five security function areas - Identify, Protect, Detect, Respond, and Recover - to determine the effectiveness of their agency's information security program and the maturity level of each function area. The maturity levels are Level 1: Ad Hoc, Level 2: Defined, Level 3: Consistently Implemented, Level 4: Managed and Measurable, and Level 5: Optimized. To be considered effective, an agency's information security program must be rated Level 4: Managed and Measurable. See Appendix A for additional background information on the FISMA reporting requirements.
For this audit, we reviewed selected controls outlined in NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, supporting the fiscal year (FY) 2024 IG FISMA reporting metrics, for a sample of 4 of the 63 NCUA-managed and third-party information systems/7 in the NCUA's system inventory as of January 19, 2024. The audit covered the period from October 1, 2023, through July 9, 2024. We performed audit fieldwork from March through July 2024.
* * *
View full report here: https://ncua.gov/files/audit-reports/oig-audit-compliance-fisma-2024.pdf
FCC NOW PARTNERING WITH TEN STATE ATTORNEYS GENERAL ON PRIVACY PROTECTION
WASHINGTON, Oct. 22 -- The Federal Communications Commission issued the following news release:
* * *
Privacy & Data Protection Task Force Leading Agency's Coordination Efforts for Consumer Data & Cybersecurity Protections
* * *
The FCC's Privacy and Data Protection Task Force today announced additional partnerships between the agency's Enforcement Bureau and state partners on privacy, data protection, and cybersecurity enforcement matters. These formal relationships allow federal and state enforcement leaders to share expertise and resources, and to coordinate efforts in conducting investigations to protect consumers.
What's New?
The Attorneys General of Massachusetts, Maine, Vermont, Delaware, and Indiana have joined a growing list of partners alongside Connecticut, Illinois, New York, Oregon, Pennsylvania and the District of Columbia. These Memoranda of Understanding affirm that the FCC and State Attorneys General "share close and common legal interests in working cooperatively to investigate and, where appropriate, prosecute or otherwise take enforcement action in relation to privacy, data protection, or cybersecurity issues." Coordinated action and information sharing will take place pursuant to applicable federal and state laws and privacy protections.
Federal and State Leaders
FCC Chairwoman Jessica Rosenworcel said: "Consumers expect their data will remain private and that any exposure of their personal information will be addressed with urgency and accountability. Success on this front requires strong partnerships between federal enforcement officials and state leaders. I thank our partners for their dedication to protecting consumers' privacy."
FCC Enforcement Bureau Chief Loyaan A. Egal said: "Our Privacy and Data Protection Task Force continues to investigate data breaches, work with companies to improve their privacy, sensitive data, and cybersecurity protections, and pursue regulatory efforts to further protect consumers who increasingly rely on FCC-regulated services in their everyday lives. Cooperation with state partners is critical to this success, and I welcome our friends in Delaware, Indiana, Maine, Massachusetts, and Vermont to this coalition."
Maine Attorney General Aaron M. Frey said: "Fraud, scams and data breaches steal the hard-earned money of Mainers every day. Our collaboration with the FCC will bring new resources, perspective and expertise to the fight to keep Mainers safe from scams and identity theft."
Massachusetts Attorney General Andrea Joy Campbell said: "In a time when cyber threats are becoming more common, it's critical for federal and state partners to work together to ensure consumers' personal data is protected from exploitation. I am grateful for the opportunity to partner with the FCC's Privacy and Data Task Force and will continue to fight for consumers both in Massachusetts and across the country."
Vermont Attorney General Charity Clark said: "Protecting data privacy has been one of my top priorities as Vermont's Attorney General. I am proud to join this partnership to work together toward a future that prioritizes our privacy over corporate profits and acknowledges the critical role data plays in the modern marketplace."
Delaware Attorney General Kathy Jennings said: "The FCC and the Delaware DOJ have a successful history of working together combating intrusive robocalls. With this new partnership, we will be better equipped to share resources and work with our federal partners to protect Delawareans' data privacy and security."
Power of Partnerships
During investigations, both the FCC's Enforcement Bureau and state investigators seek records, talk to witnesses, interview targets, examine consumer complaints, confer with experts, and take other critical steps to build a record against possible threat actors. These privacy and data protection partnerships provide critical resources for building cases and coordinating efforts to protect consumers and businesses nationwide.
The state agencies and attorney general offices leverage years of expertise, both investigative and technical. The FCC offers partner states not only the expertise of its enforcement staff, but also important resources and remedies to support state investigations. For example, the MOUs facilitate relationships with other authorities in this space including other federal agencies, and support for and expertise with critical investigative tools including subpoenas and confidential response letters from suspected targets. The FCC's unique position and authorities have allowed the Commission to work with state partners to obtain measurable results in the robocalling space to scale efforts to protect consumers.
FCC's Privacy and Data Protection Task Force
To lead and coordinate this important work, Chairwoman Rosenworcel created the Privacy and Data Protection Task Force to work on privacy and data protection issues subject to the Commission's authority under the Communications Act. The Task Force coordinates across the agency on the rulemaking, enforcement, and public awareness needs regarding privacy and data protection activities, including threats like SIM swapping scams and port-out fraud, and data breaches, which increase the risk posed by those scams by exposing consumer information that makes it easier for scammers to take over consumers' cell phone accounts. The FCC also secured "Consumer Privacy Upgrades" covering beneficial data protection, cybersecurity, and consumer privacy terms with all of the largest wireless carriers, including September 2024 settlements with T-Mobile and AT&T, and a July 2024 settlement with Verizon on behalf of TracFone.
* * *
Original text here: https://docs.fcc.gov/public/attachments/DOC-406791A1.pdf