Regulatory Change Management – iGRC Digest – Q2 2017


This document provides a summary of GRC-related source changes and updates. It is not a
comprehensive list of applicable changes or regulations.

Please consult with your legal / compliance team for applicability to your organization or other
relevant changes and updates.


President signs bill overturning FCC internet privacy rules:


Basel Committee releases guidance on: Prudential treatment of problem assets – definitions of non-
performing exposures and forbearance

CFPB – Proposed Rule – Amendments to Equal Credit Opportunity Act (Regulation B) Ethnicity and Race
Information Collection


HHS – CMS – Correcting Amendment – Medicare Program: Hospital Outpatient Prospective Payment
and Ambulatory Surgical Center Payment Systems and Quality Reporting Programs; Organ
Procurement Organization Reporting and Communication; Transplant Outcome Measures and
Documentation Requirements; Electronic Health Record (EHR) Incentive Programs; Payment to
Nonexcepted Off-Campus Provider-Based Department of a Hospital; Hospital Value-Based Purchasing
(VBP) Program; Establishment of Payment Rates Under the Medicare Physician Fee Schedule for
Nonexcepted Items and Services Furnished by an Off-Campus Provider-Based Department of a Hospital;
Correcting Amendment


OCC issues “National Bank Director Waivers” booklet of the Comptroller’s Licensing Manual.


FTC Halts Imposter Scheme that Falsely Claimed Connection to the Agency


SEC – Final Rule – Inflation Adjustments and Other Technical Amendments Under Titles I and III of the
Jobs Act

NIST publishes Draft SP 800-190 “Application Container Security Guide”

SWIFT launches new anti-fraud payment control service


NRC – Proposed Rule – Emergency Preparedness for Small Modular Reactors and Other New

NIST – Recent Cryptanalysis of FF3

OCC issues the “Retail Lending” booklet of the Comptroller’s Handbook:

FDA issues warning letter to Abbott over medical device safety and security issues:


FRB – Final Rule – Regulation A: Extensions of Credit by Federal Reserve Banks

FRB – Final Rule – Regulation D: Reserve Requirements of Depository Institutions


DOE – Liberty Eclipse Energy Cyber Incident Exercise – Exercise Summary Report


Beijing cyber regulators to summon Apple over live streaming: Xinhua


CFPB – Policy Guidance and Procedural Rule – Policy on Ex Parte Presentations in Rulemaking

FRB-OIG – Evaluation Report 2017-IT-B-009: The Board Can Enhance Its Cybersecurity Supervision
Approach in the Areas of Third-Party Service Provider Oversight, Resource Management, and
Information Sharing

FTC Approves Final Consent Order with Online Company Charged with Deceptively Tracking Consumers
Online and Through Mobile Devices:


SEC – Request for Comment on Possible Changes to Industry Guide 3 (Statistical Disclosure by Bank
Holding Companies); Extension of Comment Period


FTC – Children’s Online Privacy Protection Rule Safe Harbor Proposed Self-Regulatory Guidelines; TRUSTe
COPPA Safe Harbor Program Application to Modify Program Requirements

CFPB – Proposed Rule – Technical Corrections and Clarifying Amendments to the Home Mortgage
Disclosure (Regulation C) October 2015 Final Rule

CFPB – Final Rule – Prepaid Accounts Under the Electronic Fund Transfer Act (Regulation E) and the Truth
in Lending Act (Regulation Z); Delay of Effective Date

Basel Committee releases twelfth progress report on adoption of the Basel regulatory framework:


HHS-CMS – Proposed Rule – Medicare and Medicaid Electronic Health Record (EHR) Incentive Program
Requirements for Eligible Hospitals, Critical Access Hospitals, and Eligible Professionals …

AICPA issues cybersecurity risk management reporting framework:

CFTC’s Division of Market Oversight Issues Guidance on the Calculation of Projected Operating Costs by
Designated Contract Markets and Swap Execution Facilities:

FCC adopts a new regulatory framework for business data services:

PCI Security Standards Council has published “Information Supplement: Best Practices for
Securing E-commerce”


FDIC Releases Final Handbook for De Novo Organizers Applying for Deposit Insurance:


FS-ISAC announces creation of the Global Resilience Federation (GRF):


Office of the President – Executive Order 13794 of April 28, 2017
Establishment of the American Technology Council


DHS – Proposed Rule – Privacy Act of 1974: Implementation of Exemptions; Department of Homeland
Security/U.S. Immigration and Customs Enforcement–016 FALCON Search and Analysis System of

U.S. & Japan reach cyber information sharing agreement:


CFTC – Proposed Rule – Chief Compliance Officer Duties and Annual Report Requirements for Futures
Commission Merchants, Swap Dealers, and Major Swap Participants; Amendments

NIST / NCCoE releases draft of the NIST Cybersecurity Practice Guide, “Securing Wireless Infusion Pumps
in Healthcare Delivery Organizations”

OCC issues “Fiduciary Powers” booklet of the Comptroller’s Licensing Manual:

OCC issues “Public Notice and Comments” booklet of the Comptroller’s Licensing Manual:

DHS submits “Study on Mobile Device Security”

Hong Kong Securities and Futures Commission (SFC) publishes new proposed cybersecurity rules:


NRC – Preliminary draft regulatory analysis; request for comment – Regulatory Improvements for Power
Reactors Transitioning to Decommissioning

SEC – Proposed Rule – Amendments to Investment Advisers Act Rules To Reflect Changes Made by the

CFTC – Request for information – Project KISS

SEC – Final Rule – Technical Amendments to Form ADV and Form ADV–W

FTC launches website to assist small businesses with cybersecurity and other issues:


CFPB – Request for Information Regarding 2013 Real Estate Settlement Procedures Act Servicing Rule

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical

FCC – Public Notice – Guidance on the FCC’s Sunshine Period in the Restoring Internet Freedom


NIST has released NISTIR 8170, “The Cybersecurity Framework Implementation Guidance for Federal

NIST has released SP 800-121 Revision 2, “Guide to Bluetooth Security”


FCC – Proposed Rule – Advanced Methods To Target and Eliminate Unlawful Robocalls


FCC votes to advance net neutrality repeal

EU Commission fines Facebook 110M euros


NSTAC Report to the President on Emerging Technologies: Strategic Vision Executive Summary


FCC Commissioner opposes states’ efforts to enact broadband privacy laws:


OCC updates policies and procedures regarding violations of laws and regulations:


CFTC – Request for Information; Correction – Project KISS

Internet Association statement on the BROWSER Act:

New York Attorney General Announces Settlement with Tech Company Over Sale Of Insecure Wireless
Door And Padlocks

India makes biometrics mandatory for all e-gov projects:


CFTC – Final Rule – Recordkeeping

CFTC – Final Rule – Whistleblower Awards Process

NIST has released Draft SP 800-193, “Platform Firmware Resiliency Guidelines”


China’s Cybersecurity Law Takes Effect:


FRB – Proposed Rule – Availability of Funds and Collection of Checks (Regulation CC)

FCC – Proposed Rule – Restoring Internet Freedom

FCC – Final Rule – Business Data Services in an Internet Protocol Environment; Technology Transitions;
Special Access for Price Cap Local Exchange Carriers; AT&T Corporation Petition for Rulemaking To
Reform Regulation of Incumbent Local Exchange Carrier Rates for Interstate Special Access Services


Health Care Industry Cybersecurity Task Force – Report on Improving Cybersecurity in the Health Care

European Parliament releases study on proposed ePrivacy Regulation:


OCC issues “Termination of Federal Charter” booklet of the Comptroller’s Licensing Manual.

EU Commission Issues Questionnaire in Preparation for Annual Review of Privacy Shield


NCUA – Proposed Rule – Appeals Procedures

NCUA – Proposed Rule – Supervisory Review Committee; Procedures for Appealing Material Supervisory

Basel Committee publishes revised “Sound management of risks related to money laundering and
financing of terrorism”

OCC has issued frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29, “Third-Party
Relationships: Risk Management Guidance”


NCUA – Proposed Rule – Bylaws; Bank Conversions and Mergers; and Voluntary Mergers of Federally
Insured Credit Unions

Basel Committee issues second set of frequently asked questions (FAQs) and answers on Basel III’s
Liquidity Coverage Ratio (LCR).


Washington State passes biometric data law:


South Korea joins APEC Cross-Border Privacy Rules system:

OCR Issues Guidance on the Correct Response to a Cyberattack:


FRB – Final Rule – Availability of Funds and Collection of Checks

NIST releases NISTIR 8011, “Automation Support for Security Control Assessments” (Volumes 1 & 2)


FTC Offers Comment on Process Aimed at Improving Security of Internet of Things Devices

OCC issues “Articles of Association, Charter, and Bylaw Amendments” booklet of the Comptroller’s
Licensing Manual.


CFTC – Interim Final Rule – Revisions to Freedom of Information Act Regulations


FDA – Proposed Rule – Use of Electronic Records and Electronic Signatures in Clinical Investigations
Under Part 11— Questions and Answers; Draft Guidance for Industry; Availability

NIST publishes June 2017 ITL Bulletin:

HHS-CMS releases Proposed Rule on Medicare Program: CY 2018 Updates to the Quality Payment

U.S. Chamber of Commerce issues “Principles for Fair and Accurate Security Ratings”


DOE – Proposed Rule – Human Reliability Program

Basel Committee releases Implementation: Range of practices in implementing the countercyclical
capital buffer policy

NIST has published:
SP 800-63-3, “Digital Identity Guidelines”
SP 800-63A, “Digital Identity Guidelines – Enrollment and Identity Proofing”
SP 800-63B, “Digital Identity Guidelines – Authentication and Lifecycle Management”
SP 800-63C, “Digital Identity Guidelines – Federation and Assertions”

FTC requests comments on CAN-SPAM Rule:


FRB – Final Rule – Regulation A: Extensions of Credit by Federal Reserve Banks

FRB – Final Rule – Regulation D: Reserve Requirements of Depository Institutions

CFTC – Final Rule – Commission Delegated Authority Provisions and Technical Amendments

NIST publishes SP 800-12 Rev 1, An Introduction to Information Security:


FTC updates COPPA guidance:


FTC – Rule Review – CAN–SPAM Rule


CFPB – Proposed Rule – Amendments to Rules Concerning Prepaid Accounts Under the Electronic Fund
Transfer Act (Regulation E) and the Truth in Lending Act (Regulation Z)

Basel Committee issues “Consultative Document: Simplified alternative to the standardised approach to
market risk capital requirements”

NIST releases SP 800-192, “Verification and Test Methods for Access Control Policies/Models”

OCC issues revised “Branch Closings” booklet of the Comptroller’s Licensing Manual.


CMS-HHS – Proposed Rule – Medicare Program; CY 2018 Updates to the Quality Payment Program

NCUA – Final Rule – Safe Harbor

NCUA – Final Rule – Civil Monetary Penalty Inflation Adjustment

NCUA – Final Rule – Revisions to the Freedom of Information Act Regulation

CFPB – Policy Guidance – Policy Guidance on Supervisory and Enforcement Priorities Regarding Early
Compliance With the 2016 Amendments to the 2013 Mortgage Rules Under the Real Estate
Settlement Procedures Act (Regulation X) and the Truth in Lending Act (Regulation Z)