Latest Compliance News

In March 2024, Mozilla said it was winding down its collaboration with Onerep — an identity protection service offered with the Firefox web browser that promises to remove users from hundreds of people-search sites — after KrebsOnSecurity revealed Onerep’s founder had created dozens of people-search services and was continuing to operate at least one of them. Sixteen months later, however, Mozilla is still promoting Onerep. This week, Mozilla announced its partnership with Onerep will officially end next month. Mozilla Monitor. Image Mozilla Monitor Plus video on Youtube. In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus , which offered data broker site scans and automated personal data removal from Onerep. “We will continue to offer our free Monitor data breach service, which is integrated into Firefox’s credential manager, and we are focused on integrating more of our privacy and security experiences in Firefox, including our VPN, for free,” the advisory reads. Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025. After that, those subscribers will automatically receive a prorated refund for the unused portion of their subscription. “We explored several options to keep Monitor Plus going, but our high standards for vendors, and the realities of the data broker ecosystem made it challenging to consistently deliver the level of value and reliability we expect for our users,” Mozilla statement reads. On March 14, 2024, KrebsOnSecurity published an investigation showing that Onerep’s Belarusian CEO and founder Dimitiri Shelest launched dozens of people-search services since 2010 , including a still-active data broker called Nuwber that sells background reports on people. Shelest released a lengthy statement wherein he acknowledged maintaining an ownership stake in Nuwber , a data broker he founded in 2015 — around the same time he launched Onerep.

SUNSHINE ACT MEETING NOTICE The FDIC Board of Directors will meet in an open session: Date and Time: Tuesday, November 25, 2025, at 10:00 a.m. ET Place:  The Board meeting will be open to public observation by webcast . Members of the media should contact the Office of Communications by Monday, November 24, at [email protected] to attend in person from FDIC Headquarters, 550 17th Street, NW, Washington, DC. Read Notice & Agenda The FDIC does not send unsolicited email. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . CONNECT WITH US

An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline. Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites. But security experts say doing so may have also triggered an impromptu network penetration test for organizations that have come to rely on Cloudflare to block many types of abusive and malicious traffic. At around 6:30 EST/11:30 UTC on Nov. 18, Cloudflare’s status page acknowledged the company was experiencing “an internal service degradation.” After several hours of Cloudflare services coming back up and failing again, many websites behind Cloudflare found they could not migrate away from using the company’s services because the Cloudflare portal was unreachable and/or because they also were getting their domain name system (DNS) services from Cloudflare. However, some customers did manage to pivot their domains away from Cloudflare during the outage. And many of those organizations probably need to take a closer look at their web application firewall (WAF) logs during that time, said Aaron Turner , a faculty member at IANS Research . Turner said Cloudflare’s WAF does a good job filtering out malicious traffic that matches any one of the top ten types of application-layer attacks , including credential stuffing, cross-site scripting, SQL injection, bot attacks and API abuse. But he said this outage might be a good opportunity for Cloudflare customers to better understand how their own app and website defenses may be failing without Cloudflare’s help. “Your developers could have been lazy in the past for SQL injection because Cloudflare stopped that stuff at the edge,” Turner said. “Maybe you didn’t have the best security QA [quality assurance] for certain things because Cloudflare was the control layer to compensate for that.” Turner said one company he’s working with saw a huge increase in log volume and they are still trying to figure out what was “legit malicious” versus just noise. “It looks like there was about an eight hour window when several high-profile sites decided to bypass Cloudflare for the sake of availability,” Turner said. “Many companies have essentially relied on Cloudflare for the OWASP Top Ten [web application vulnerabilities] and a whole range of bot blocking. How much badness could have happened in that window? Any organization that made that decision needs to look closely at any exposed infrastructure to see if they have someone persisting after they’ve switched back to Cloudflare protections.” Turner said some cybercrime groups likely noticed when an online merchant they normally stalk stopped using Cloudflare’s services during the outage. “Let’s say you were an attacker, trying to grind your way into a target, but you felt that Cloudflare was in the way in the past,” he said. “Then you see through DNS changes that the target has eliminated Cloudflare from their web stack due to the outage. You’re now going to launch a whole bunch of new attacks because the protective layer is no longer in place.” Nicole Scott , senior product marketing manager at the McLean, Va. based Replica Cyber , called yesterday’s outage “a free tabletop exercise, whether you meant to run one or not.” “That few-hour window was a live stress test of how your organization routes around its own control plane and shadow IT blossoms under the sunlamp of time pressure,” Scott said in a post on LinkedIn. “Yes, look at the traffic that hit you while protections were weakened. But also look hard at the behavior inside your org.” Scott said organizations seeking security insights from the Cloudflare outage should ask themselves: 1. What was turned off or bypassed (WAF, bot protections, geo blocks), and for how long? 2. What emergency DNS or routing changes were made, and who approved them? 3. Did people shift work to personal devices, home Wi-Fi, or unsanctioned Software-as-a-Service providers to get around the outage? 4. Did anyone stand up new services, tunnels, or vendor accounts “just for now”? 5. Is there a plan to unwind those changes, or are they now permanent workarounds? 6. For the next incident, what’s the intentional fallback plan, instead of decentralized improvisation? In a postmortem published Tuesday evening, Cloudflare said the disruption was not caused, directly or indirectly, by a cyberattack or malicious activity of any kind. “Instead, it was triggered by a change to one of our database systems’ permissions which caused the database to output multiple entries into a ‘feature file’ used by our Bot Management system,” Cloudflare CEO Matthew Prince wrote. “That feature file, in turn, doubled in size. The larger-than-expected feature file was then propagated to all the machines that make up our network.” Cloudflare estimates that roughly 20 percent of websites use its services, and with much of the modern web relying heavily on a handful of other cloud providers including AWS and Azure , even a brief outage at one of these platforms can create a single point of failure for many organizations. Martin Greenfield , CEO at the IT consultancy Quod Orbis , said Tuesday’s outage was another reminder that many organizations may be putting too many of their eggs in one basket. “There are several practical and overdue fixes,” Greenfield advised. “Split your estate. Spread WAF and DDoS protection across multiple zones. Use multi-vendor DNS. Segment applications so a single provider outage doesn’t cascade. And continuously monitor controls to detect single-vendor dependency.”

Federal Reserve Board releases information regarding enhancements to bank supervision

Federal Reserve Board issues enforcement action with former employee of Commerce Bank and announces termination of enforcement actions with Société Générale S.A. and Industrial and Commercial Bank of China Ltd.

CFPB finalizes its June 2025 interim final rule amending Regulation B, extending compliance dates in its 2023 small business lending rule and making other adjustments.

Washington, D.C.—Today, the Consumer Financial Protection Bureau (CFPB) filed a notice informing the court in NTEU v. Vought that the Department of Justice’s Office of Legal Counsel (OLC) has determined that the Bureau may not legally request funds at this time from the Federal Reserve under Dodd-Frank.

Federal Reserve Board issues enforcement actions with Belt Valley Bank and The Halstead Bank

Federal Reserve Board finalizes changes to its supervisory rating framework for large bank holding companies

Federal Reserve Board announces termination of enforcement actions with Riverbend Financial Corporation, Northwest Bancorporation of Illinois, Inc., and First Citizens Bank of Butte

Federal Reserve Board issues enforcement actions with former employee of First Horizon Bank and former employee of NobleBank & Trust

BOARD MEETING | OCTOBER 7, 2025 FDIC Board of Directors Meeting Today, the Federal Deposit Insurance Corporation's Board of Directors met in open and closed sessions. Materials and information relative to the open Board actions are available on the  Board Matters webpage . Items Addressed in Open Session: Notice of Proposed Rulemaking regarding Unsafe or Unsound Practices, Matters Requiring Attention Press Release Statement by Acting Chairman Hill Financial Institution Letter Notice of Proposed Rulemaking regarding Prohibition on Use of Reputation Risk by Regulators Press Release Statement by Acting Chairman Hill A recording of the  full webcast of the open session  is available. Board Materials The FDIC does not send unsolicited email. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . CONNECT WITH US

SUNSHINE ACT MEETING NOTICE The FDIC Board of Directors will meet in an open session: Date and Time: Tuesday, October 7, 2025, at 10:00 a.m. ET Place:  The Board meeting will be open to public observation by webcast . Members of the media should contact the Office of Communications by Monday, October 6, at [email protected] to attend in person from FDIC Headquarters, 550 17th Street, NW, Washington, DC. Read Notice & Agenda The FDIC does not send unsolicited email. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . CONNECT WITH US

Federal Reserve Board issues enforcement action with former employee of Dacotah Bank

Federal Reserve Board issues enforcement actions with former employee of First Horizon Bank and former employee of Manufacturers and Traders Trust Company

BOARD MATTERS | AUGUST 19, 2025 FDIC Board Approves Proposal to Amend Official Signs and Advertising Requirements By notational vote, the Federal Deposit Insurance Corporation's Board of Directors today unanimously approved the following matter. Materials and information related to  this Board action are available on the Board Matters webpage . Notice of Proposed Rulemaking: FDIC Official Signs, Advertisement of Membership, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo Press Release Financial Institution Letter Board Materials The FDIC does not send unsolicited email. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . CONNECT WITH US

BOARD MEETING | JULY 15, 2025 FDIC Board of Directors Meeting Today, the Federal Deposit Insurance Corporation's Board of Directors met in open and closed sessions. Materials and information relative to the open Board actions are available on the Board Matters webpage . Items addressed in Open Session: Notice regarding Proposed Amendments to FDIC Guidelines for Appeals of Material Supervisory Determinations Press Release Statement by Acting Chairman Hill Financial Institution Letter Notice of Proposed Rulemaking regarding Adjusting and Indexing Part 363 and Certain Other FDIC Regulatory Thresholds Press Release Statement by Acting Chairman Hill Financial Institution Letter Request for Information regarding Industrial Banks and Industrial Loan Companies and Their Parent Companies; and Notice regarding Parent Companies of Industrial Banks and Industrial Loan Companies; Withdrawal of Proposed Rule Press Release Statement by Acting Chairman Hill Financial Institution Letter Notice of Proposed Rulemaking regarding Community Reinvestment Act Regulations Notice of Proposed Rulemaking regarding Establishment and Relocation of Branches and Offices Press Release Statement by Acting Chairman Hill Financial Institution Letter Notice regarding Regulatory Publication and Review Under the Economic Growth and Regulatory Paperwork Reduction Act of 1996 A recording of the  full webcast of the open session  is available. Board Materials The FDIC does not send unsolicited email. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . CONNECT WITH US

Today, in the Consumer Financial Protection Bureau’s (CFPB) November 12, 2021 lawsuit against FirstCash, Inc., and nineteen subsidiaries alleging violations of the Military Lending Act (MLA), the parties reached a settlement and jointly filed a stipulated final judgment and proposed order, which if entered by the court, would resolve the lawsuit.

SUNSHINE ACT NOTICE The FDIC Board of Directors will meet in an open session: Date and Time: Tuesday, July 15, 2025, at 10:00 a.m. ET Place:  The Board meeting will be open to public observation by webcast . Members of the media should contact the Office of Communications by Monday, July 14, at [email protected] to attend in person from FDIC Headquarters, 550 17th Street, NW, Washington, DC. Read Notice & Agenda The FDIC does not send unsolicited email. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . STAY CONNECTED

BOARD MATTERS | JUNE 27, 2025 FDIC Board of Directors Approve New Actions Today, the Federal Deposit Insurance Corporation's Board of Directors unanimously approved the following matters. Materials and information related to these Board actions are available on the Board Matters webpage . Regulatory Capital Rule: Modifications to the Enhanced Supplementary Leverage Ratio Standards Press Release Financial Institutions Letter Statement by Acting Chairman Hill Customer Identification Program Rule Exemption Order Press Release Financial Institutions Letter Board Materials The FDIC does not send unsolicited email. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . STAY CONNECTED

BOARD MEETING | JUNE 26, 2025 FDIC Board of Directors Meeting After consultation among Board members, the Federal Deposit Insurance Corporation decided to handle today's Board matters notationally. Related materials will be available on the Board Matters webpage . The FDIC does not send unsolicited email. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . STAY CONNECTED

SUNSHINE ACT NOTICE The FDIC Board of Directors will meet in open session: Date and Time: Thursday, June 26, 2025, at 10:00 a.m. Place:  The Board meeting will be open to public observation by webcast . Members of the media should contact the Office of Communications by Tuesday, June 24, at [email protected] to attend in person from FDIC Headquarters, 550 17th Street, NW, Washington, DC. Read Notice & Agenda The FDIC does not send unsolicited e-mail. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . STAY CONNECTED

Small business lending rule extension of compliance dates 2025

BOARD MEETING | MAY 20, 2025 FDIC Board of Directors Meeting Today, the Federal Deposit Insurance Corporation's Board of Directors met in open and closed sessions. Materials and information relative to the open Board actions are available on the Board Matters webpage . Items addressed in Open Session: Deposit Insurance Fund Restoration Plan Semiannual Update Press Release Statement by Acting Chairman Hill Recission of the 2024 FDIC Statement of Policy on Bank Merger Transactions and Reinstatement of Prior FDIC Statement of Policy Financial Institutions Letter A recording of the full webcast of the open session is available. Board Materials The FDIC does not send unsolicited e-mail. If this publication has reached you in error, or if you no longer wish to receive this service, please unsubscribe . STAY CONNECTED

The CFPB amended its January 30, 2025 consent order with the international remittance company Wise resolving claims including advertising inaccurate fees and failing to properly disclose exchange rates and other costs.