Following the recent streak of high-profile cyberattacks on U.S. companies, the Obama administration last week unveiled a program that would impose sanctions on individuals or groups overseas that are potential sources of cyberthreats. Also in the news: Facebook’s privacy practices face growing scrutiny in Europe; banks shed high-risk customers to avoid penalties; and more.
U.S. sanctions program aims at foreign cyberattackers
President Barack Obama last week issued an executive order that deems destructive cyberattacks a “national emergency” and allows the U.S. Treasury Department to freeze the assets and bar the financial transactions of individuals and groups that engage in such activities. The sanctions target entities outside the United States who threaten its national security, foreign policy and economy through malicious cyberactivities, according to the executive order.
The program grants the administration use of the same penalties it applies to other threats, such as the crises in the Middle East and Ukraine, Reuters reported. According to the report, security and legal experts consider the move a promising step in light of the persistent string of attacks on U.S. computer networks. However, expert Mark Rasch, former Justice Department trial attorney, said that the breadth of power the program gives the executive branch could result in a “compliance nightmare for companies.” Additionally, security experts cited the difficulty of identifying hackers responsible for these attacks.
Facebook faces mounting heat from the EU over privacy
Facebook is facing mounting probes into its privacy practices from various European authorities, reported The Wall Street Journal. In recent weeks, data privacy regulators from France, Italy and Spain have joined a group of regulators from Belgium, Germany and the Netherlands that is investigating the social networking giant’s data handling practices. The group is looking into how Facebook is integrating data from its various services, including Instagram and WhatsApp, to target advertising, as well as how the company is tracking users’ browsing habits through its “like” button.
Typically, Facebook’s privacy compliance in Europe falls under the purview of the data protection authority in Ireland, where the company’s European headquarters is located. However, in advance of impending changes to the EU’s data protection regulations, European regulators from other countries have increasingly been taking on big U.S. technology companies in addition to Facebook, including Amazon, Apple and Google, according to WSJ.
Some of the regulators launching the probes say that the “right to be forgotten” ruling, made by the European Court of Justice (the top court in the EU) last year, is a precedent that justifies their right to investigate Facebook. Others, such as the Information Commissioner’s Office in the U.K., which hasn’t joined the effort, say they recognize the role of the Irish data protection regulator over Facebook’s privacy compliance in Europe.
Regulators tell banks to rein in widespread closures of risky accounts
Banks are closing down the accounts of high-risk customers in response to a record number of penalties imposed by U.S. regulators in recent years regarding inadequate risk controls, according to The Wall Street Journal’s Risk & Compliance blog. Moreover, some U.S. authorities have previously urged banks to stop transacting with certain customers. Now, regulators are growing concerned that the entire lines of business these banks are cutting off are turning to less regulated or underground institutions, particularly in the areas of money-transfer services and foreign-correspondent banking.
Officials ranging from Comptroller of the Currency Tom Curry to Adam Szubin, the U.S. Treasury Department’s acting undersecretary for terrorism and financial intelligence, are now advising banks to be more discerning in their decisions to leave or not take on a customer relationship because it is considered at high risk for money laundering.
It’s doubtful that regulators’ shift in tone will prompt these banks to immediately reverse their decision regarding whole categories of high-risk customers, some experts told WSJ. One reason is the vagueness of recent guidelines around risk controls; another reason, according to Rich Riese, senior vice president of the American Bankers Association’s Center for Regulatory Compliance, is that banks are unlikely to take back the high-risk customers they’ve recently shed.
U.S. Justice Department deems HSBC slow on compliance changes
British multinational bank HSBC, which in 2012 was charged with laundering money on behalf of Mexican cartels and transferring money for nations blacklisted by the U.S., such as Iran and Sudan, has been slow in meeting the requirements of its $1.9 billion deferred-prosecution agreement (DPA), according to a court filing made by federal prosecutors as part of a quarterly update on the bank’s progress.
In the filing, which summarizes the findings of Michael Cherkasky, the independent monitor who has been following HSBC’s progress for over a year, the U.S. Justice Department commends HSBC’s progress in areas such as risk assessment and compliance monitoring and testing; however, it also highlights two areas in which the bank has been “too slow” with its progress and must do more: its corporate culture and its compliance technology.
The filing says the bank’s overhaul was initially met with resistance, pointing to pushback from the managers at HSBC’s U.S. unit for global banking and markets, which resulted in an internal audit report that the filing said was “more favorable to the business than it would otherwise have been,” The New York Times reported.
The filing also docks the bank’s technology systems as needing further improvement, saying they continue to “suffer from fragmentation and lack of connectivity.” These weaknesses, the filing said, could sacrifice the quality of customer data collected and analyzed by the bank. They also inhibit auditors’ view into customers’ banking history to look into potentially suspicious activity, the filing said.