Consent Order Watch: Key IT Findings from 2025 Consent Orders
In early 2025, several high-profile consent orders underscored systemic IT control weaknesses within banking and fintech firms. Notable orders include NYDFS actions against PayPal and Block (Cash App) and a California DFPI order against Hatch Bank. Summarized below are key deficiencies identified and the primary remediation expectations.
Key Deficiencies Identified
Governance and Board Oversight Gaps
Institutions often lacked formal processes for timely board or senior management review and approval of cybersecurity and IT policies. In one case, the Information Security Policy did not undergo annual board review until late 2023, leaving leadership insufficiently informed about evolving risks. In another, engineering teams sometimes bypassed required risk processes because policies were not consistently enforced across all units.
Inadequate Change Management and Secure Development Practices
Major platform changes sometimes proceeded without required risk assessments, vulnerability scans, or penetration tests. One example involved exposure of sensitive data stemming from misclassifying a significant platform change as routine, thus bypassing formal risk and control identification.
Weak Access Controls and Identity Management
Optional or inconsistent multi-factor authentication (MFA) and weak identity-management frameworks left systems vulnerable. In one order, MFA was not mandatory for all customer access, exposing Nonpublic Information to unauthorized access.
Insufficient Third-Party and Fintech Partner Oversight
Rapid onboarding of fintech partners often outpaced oversight capabilities. A consent order emphasized that fintech relationships proceeded without thorough due diligence on partners’ IT and information security practices, leading to AML and compliance gaps.
Transaction-Monitoring and AML System Shortcomings
Scaling issues in transaction-monitoring platforms created backlogs and delayed suspicious activity reporting. Regulators noted that inadequate IT system capacity and ineffective monitoring workflows hindered timely alert processing and SAR filings.
Business Continuity and Disaster Recovery Weaknesses
BC and DR plans often lacked comprehensive scope or independent testing. In one case, the BCDR program did not cover all critical functions and was not tested by qualified personnel or third parties, risking extended outages during incidents.
Staffing, Expertise, and Training Deficiencies
Firms sometimes did not employ enough qualified cybersecurity personnel or provide sufficient training on secure development lifecycles and risk processes. In one consent order, the institution was cited for failing to maintain adequate cybersecurity staffing and training programs.
Primary Remediation Expectations
Enhance Cybersecurity Governance
• Institute formal annual board review and approval of cybersecurity and IT policies and programs.
• Document leadership oversight of major technology initiatives and compliance programs.
Strengthen Change Management and Secure Development Lifecycle
• Mandate risk assessments, vulnerability scans, and penetration tests for all significant system changes.
• Enforce automated checks so that code deployments require documented security checks and sign-offs before production release.
Improve Access Control and Identity Management
• Require mandatory MFA for all user and administrative access.
• Implement role-based access controls with continuous monitoring of privileged activities.
Formalize Third-Party and Fintech Partner Oversight
• Conduct thorough due diligence on partners’ IT security and compliance practices before onboarding.
• Require periodic security attestations, penetration testing reports, and remediation plans from partners.
• Integrate third-party risks into enterprise risk assessments and secure board approval for new or materially changed partnerships.
Scale Transaction-Monitoring and AML Systems
• Regularly evaluate system capacity and upgrade infrastructure to handle peak transaction volumes.
• Leverage automation and analytics for efficient alert prioritization and timely SAR filings.
Develop and Test Robust BC and DR Plans
• Cover all critical business functions, data flows, infrastructure components, and third-party dependencies.
• Conduct annual independent testing by qualified internal teams and external parties; promptly remediate any gaps.
Ensure Qualified Staffing and Continuous Training
• Hire or contract sufficient cybersecurity experts aligned with the institution’s risk profile.
• Provide ongoing training on policies, secure coding, incident response, and emerging threats to relevant teams.
Ongoing Reporting and Independent Validation
• Submit periodic remediation status updates to regulators, boards, and senior management.
• Engage independent auditors or external consultants to validate that controls are effective and sustainable.
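The change-management findings and remediation expectations above (a significant change misclassified as routine, and automated deployment checks that require documented risk assessments, scans, penetration tests and sign-offs) describe a control that can be expressed as a release gate. The following is an added example, not code from the page or from any of the institutions named in it: it derives a change's significance from its declared attributes instead of trusting the submitter's own label, then checks that every evidence artifact a significant change needs is present and not stale. The attribute names, evidence types, age limits and the three sample change records are all constructed for illustration.

```python
"""Pre-production release gate for change records (illustrative example).

A change is treated as significant if the submitter says so OR if any of its
attributes is on the significant list, so a change cannot be downgraded to
"routine" simply by labelling it that way. Significant changes must then carry
fresh risk-assessment, vulnerability-scan, penetration-test and sign-off
evidence before the gate allows deployment.
"""
from dataclasses import dataclass, field
from datetime import date

# Attributes that make a change significant regardless of its declared class.
# Hypothetical rule set; a real gate would source these from the change policy.
SIGNIFICANT_IF_ANY = {
    "touches_customer_data",        # new or changed access to customer NPI/PII
    "changes_authn_authz",          # login, MFA, session or permission logic
    "new_external_exposure",        # new endpoint, port or partner integration
    "changes_data_classification",  # reclassifies where sensitive data lives
}

# Evidence each class must carry before production release (assumed policy).
REQUIRED_EVIDENCE = {
    "routine": {"peer_review"},
    "significant": {"peer_review", "risk_assessment", "vuln_scan",
                    "pentest", "security_signoff"},
}

# Maximum age in days for time-sensitive evidence (assumed thresholds).
MAX_AGE_DAYS = {"vuln_scan": 30, "pentest": 365}


@dataclass
class ChangeRecord:
    change_id: str
    declared_class: str                      # what the submitter claimed
    attributes: set = field(default_factory=set)
    # evidence type -> (artifact id, ISO date the artifact was produced)
    evidence: dict = field(default_factory=dict)


def effective_class(change: ChangeRecord) -> str:
    """Significance computed from attributes; the declared label can only raise it."""
    if change.declared_class == "significant":
        return "significant"
    return "significant" if change.attributes & SIGNIFICANT_IF_ANY else "routine"


def evaluate(change: ChangeRecord, deploy_date: date) -> dict:
    """Return the gate decision plus every reason the change cannot deploy."""
    cls = effective_class(change)
    problems = []
    for kind in sorted(REQUIRED_EVIDENCE[cls]):
        item = change.evidence.get(kind)
        if not item:
            problems.append(f"missing {kind}")
            continue
        artifact_id, produced = item
        age = (deploy_date - date.fromisoformat(produced)).days
        limit = MAX_AGE_DAYS.get(kind)
        if age < 0:
            problems.append(f"{kind} {artifact_id} dated in the future")
        elif limit is not None and age > limit:
            problems.append(f"{kind} {artifact_id} is {age} days old (limit {limit})")
    return {
        "change_id": change.change_id,
        "declared": change.declared_class,
        "effective": cls,
        "reclassified": cls != change.declared_class,
        "problems": problems,
        "allow_deploy": not problems,
    }


# Constructed sample records: a genuinely routine change, a change declared
# routine that actually touches customer data, and a significant change whose
# vulnerability scan is older than the allowed window.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "routine", {"ui_copy_change"},
                 {"peer_review": ("PR-881", "2025-03-02")}),
    ChangeRecord("CHG-1002", "routine", {"touches_customer_data"},
                 {"peer_review": ("PR-882", "2025-03-02")}),
    ChangeRecord("CHG-1003", "significant", {"new_external_exposure"},
                 {"peer_review": ("PR-883", "2025-03-01"),
                  "risk_assessment": ("RA-17", "2025-02-20"),
                  "vuln_scan": ("SCAN-4401", "2025-01-05"),
                  "pentest": ("PT-2024-09", "2024-09-15"),
                  "security_signoff": ("SEC-77", "2025-03-02")}),
]
DEPLOY_DATE = date(2025, 3, 3)


def run_gate(changes=SAMPLE_CHANGES, deploy_date=DEPLOY_DATE):
    """Evaluate every change record against the gate for the given deploy date."""
    return [evaluate(c, deploy_date) for c in changes]


if __name__ == "__main__":
    for result in run_gate():
        print(result)
```

The point of computing `effective_class` from attributes is that the misclassification failure mode in the findings above (a significant platform change labelled routine) is caught by the gate itself rather than relying on the submitter. Wiring a gate like this into the deployment pipeline, with the evidence identifiers pulled from the ticketing and scanning systems, is what turns the "automated checks and documented sign-offs" expectation into an enforced control rather than a policy statement.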
How Our Consultancy Can Help
Our consultancy specializes in IT audit value-add services tailored to banks and fintechs. We offer:
Governance Reviews and Board Reporting Frameworks
We assess existing cybersecurity and IT policy governance, including committee and board reporting processes, to provide assurance that leadership is informed well enough to act on key risks.
Change Management and Secure Development Assessments
We evaluate secure development lifecycle processes, perform gap analyses on risk assessment practices, and help drive implementation of automated checks and documentation workflows to ensure all releases undergo proper security and control reviews.
Access Control and Identity Management Audits
We conduct in-depth reviews of access control frameworks for internal and third-party-hosted applications and systems.
Third-Party and Fintech Partner Oversight Programs
We review due diligence checklists, the design of third-party risk management frameworks, and ongoing monitoring and reporting processes. Our approach includes alignment with enterprise risk appetites and regulatory requirements.
Transaction-Monitoring and AML System Evaluations
We review system capacity and performance, assess alert triage workflows, and recommend automation enhancements. We align AML technology controls with regulatory expectations to ensure timely SAR filings and reduce backlog risks.
Business Continuity and Disaster Recovery Planning and Testing
We review comprehensive BC and DR plans covering critical functions and dependencies, including testing strategies and execution.
Staffing and Training Strategies
We review cybersecurity staffing models to ensure they are commensurate with risk, including review of training curricula on secure development, engineering, and incident response.
Regulatory Issue Management
We provide external audit services, prepare evidence packages for regulators, and implement continuous monitoring dashboards to track remediation progress and control effectiveness over time.
Our consultancy can help your institution address the most critical IT control areas highlighted by recent consent orders, driving change to embed sustainable practices that demonstrate to regulators that remediation is effective and enduring.
References
New York Department of Financial Services. Consent Order to PayPal, Inc., January 23, 2025. https://www.dfs.ny.gov/industry-guidance/enforcement-discipline/ea20250123-paypal-inc
Reuters. “PayPal fined by New York for cybersecurity failures.” January 23, 2025. https://www.reuters.com/technology/paypal-fined-by-new-york-cybersecurity-failures-2025-01-23/
New York Department of Financial Services. Consent Order to Block, Inc., April 10, 2025. https://www.dfs.ny.gov/industry-guidance/enforcement-discipline/ea20250410-block
Banking Dive. “Block agrees to pay $40M New York penalty.” April 16, 2025. https://www.bankingdive.com/news/block-cash-app-compliance-deficiency-new-york-penalty-fine-dfs/745554/
California Department of Financial Protection and Innovation. Consent Order Against Hatch Bank, April 3, 2025. https://dfpi.ca.gov/wp-content/uploads/2025/04/HATCH-BANK-4-3-25-Order.pdf
PYMNTS. “California’s Hatch Consent Order Suggests States May Be Eyeing BaaS Risks.” May 5, 2025. https://www.pymnts.com/news/banking/2025/california-hatch-bank-consent-order-suggests-states-may-be-eyeing-baas-risks/