Thursday, September 29, 2022

Higher Risk Areas of UDAAP

QUESTION

I am our company’s Compliance Manager and General Counsel. I am working with my team to identify high risk areas of numerous regulations. 

In reviewing the high risks associated with UDAAP, there were many. So, we had to find even higher risks. 

I would like to work with a small set of “higher risk” categories in our UDAAP analysis. We will use your higher risk areas to train all affected personnel. 

What are higher risk areas of UDAAP? 

ANSWER

The legal and regulatory requirements of Unfair, Deceptive, or Abusive Acts and Practices (“UDAAP”) are vast. Indeed, several regulatory frameworks interlock in an overall matrix of UDAAP mandates. 

However, providing a small set of higher risk categories is possible. I do not claim that my suggestions are comprehensive. That said, you should be able to pivot from them in the context of UDAAP training. 

There are at least three higher risk categories associated with UDAAP. I believe these would be the challenges posed by advertising, products, and third party relationships. 

Consider the following suggestions for higher risk areas of UDAAP.

Advertising, Disclosures, and Contract Terms 

Representations in advertising and terms of contracts and disclosures should be accurate, clear, and sufficiently informative. This also means that representations that go to the heart of a consumer’s decision to purchase a product or service, such as statements about costs, benefits, restrictions on use or availability, or qualification for a product, are especially material. Omitting important information or failing to properly qualify representations in advertising may represent UDAAP risk. 

Higher Risk Products 

Some products are generally identified as potentially having higher UDAAP risk, such as subprime loan and credit card products, overdraft protection services, rewards checking, and products marketed to the elderly or to financially vulnerable or unsophisticated consumers. 

Third Party Relationships 

Use of affiliated or nonaffiliated third parties to provide products or services such as advertising or marketing, issuing credit cards, or offering products such as insurance or mortgage loans, and collection activity may raise potential UDAAP risk. Due diligence by a financial institution in selecting the third party provider and the extent of its monitoring and oversight of the activities of the third party, including disclosures and solicitations produced by the third party, are important factors. 

I suggest you discuss specific examples of FTC responses to UDAAP violations in your UDAAP training. Advertisements, particularly for mortgage loans, have attracted a great deal of regulatory scrutiny. The Federal Trade Commission has warned banks, mortgage brokers, lenders, mortgage servicers, and the media outlets that carry their advertisements for home mortgages that some advertising claims currently appearing on websites, in newspapers and magazines, in direct mail, and in unsolicited email and faxes may violate federal law. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, September 22, 2022

Cybersecurity Rule – Proposed Updates

QUESTION

Our Cybersecurity Policy is a good one. I know this because we have had an examination, and the regulator approved it. 

Although we are a mid-west company, I notice that New York requires an update to its cybersecurity rule. That makes me nervous since New York’s cybersecurity requirements influence many states. 

I want to update our Cybersecurity Policy to reflect New York’s requirements. Sooner or later (probably sooner), our state is going to adopt the same requirements. 

What are the new Cybersecurity Policy requirements in New York? 

ANSWER

New York’s Department of Financial Services (DFS) has been quite active in requiring its licensees to comply with its Cybersecurity Rule (“Rule”). Effective March 1, 2017, the DFS promulgated a regulation[i] implementing the Rule. 

I published a White Paper about the Rule in advance of its effective compliance date, entitled Cybersecurity Guidelines – "First-in-the-Nation" Regulation. 

You’re welcome to download it HERE. 

From its inception, the DFS has required individuals and entities to comply with the Rule. These are called “Covered Entities.” Covered Entities include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the banking law, the insurance law, or the financial services law. 

I agree that the DFS influences other state banking departments vis-à-vis cybersecurity regulations. Now, the DFS is proposing to update the Rule.[ii] So, it’s a good time to anticipate policy and procedure revisions. Even if the proposed Amendments (“Amendments”) are not adopted in full or at all, given the rapidly evolving cyber threat landscape and, in particular, the growing prevalence of ransomware incidents, many aspects of the Amendments reflect Best Practices. 

Some of the proposed changes are rather significant. For instance, the updated Rule will have such requirements as a mandatory 24-hour notification for cyber ransom payments, heightened cyber expertise requirements for board members, and new access restrictions to privileged accounts. 

I will provide a brief summary of the proposed updates. Covered entities should monitor whether the DFS formally proposes amendments to ensure they are equipped technically, organizationally, and financially to meet the heightened governance, technical, and notification obligations. 

Notification Obligations 

The Amendments will create new requirements to notify the DFS of certain incidents. Specifically, there will be a requirement to notify the DFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a material part of the covered entity’s information systems. 

Furthermore, covered entities will be required to notify the DFS within 24 hours of a covered financial institution making a ransomware payment connected to a cybersecurity event; additionally, there will be a requirement to provide the DFS within 30 days with an explanation of (a) why the payment was necessary, (b) whether alternatives were considered, and (c) what sanctions diligence was conducted. 

Risk Assessments 

There are risk assessment requirements under the current Cybersecurity Rule. Under the Rule, a covered entity must conduct a periodic risk assessment of its information systems “sufficient to inform the design of” its cybersecurity program required by the Rule and must update the risk assessment to address various changes, developments, and threats. The Amendments will expand upon the Rule’s definition of a “Risk Assessment” and more clearly articulate that an assessment must “take into account the specific circumstances of the covered entity.” And the Amendments also would clarify that a covered entity’s risk assessment must be updated at least annually or whenever a change in business or technology “causes a material change to the covered entity’s cyber risk.” 

Heightened Monitoring 

The Amendments will add several new monitoring requirements to the Rule, including:

·     Completion of an asset inventory that tracks information (e.g., owner, location, classification or sensitivity, support expiration date, and recovery time requirements) for each technology asset (e.g., hardware, operating systems, applications, infrastructure devices, APIs, and cloud services), and requirements for updating and validating the asset inventory;

·     Heightened access controls for privileged accounts, such as limiting access to a need-to-know basis, implementing multifactor authentication, and securely configuring or disabling protocols that permit remote control of devices;

·     Regular phishing training and exercises for all personnel; and

·     Monitoring and filtering of emails to block malicious content.

Governance 

Governance will be updated in the Amendments to include new obligations, including:

·     CISO independence and authority to ensure that cyber risks are appropriately managed;

·     Additional CISO reporting obligations to the board of directors, to include plans for remediating inadequacies and timely reporting on material cybersecurity issues or major cybersecurity events (which are not defined);

·     Expertise and knowledge thresholds for board members (or requirements that persons with such expertise and knowledge advise them) such that they can exercise effective oversight of cyber risk;

·     Cybersecurity policy approval by the board (i.e., not senior management);

·     Annual certification of compliance with the Cybersecurity Rule by the CEO and CISO, as differentiated from a senior officer;

·     Required business continuity and disaster recovery (“BCDR”) plans, which would need to include certain prescribed content, such as identification of essential data, personnel, and infrastructure, a communications plan in the event of a disruption, and procedures for the maintenance of backup infrastructure;

·     Periodic testing of incident response and BCDR plans, including the ability to restore systems from backups, with specific attention to ransomware incidents; and

·     Annual review by the CISO of the feasibility of encryption and the effectiveness of compensating controls, as well as a requirement to implement a written policy requiring industry-standard encryption to protect nonpublic information held at rest or transmitted over external networks by the covered entity. 

Larger (Class A) Companies 

The Amendments will impose additional cybersecurity obligations on a new category of covered entities, so-called “Class A Companies.” Under the Amendments, a “Class A Company” would be a covered entity with: (1) over 2,000 employees; or (2) over $1 billion in gross annual revenues averaged over the last three years from all of its business operations and those of its affiliates.  

These Class A Companies would be subject to additional cybersecurity obligations, including: 

·     Annual independent audits of the company’s cybersecurity program; 

·     Weekly vulnerability assessments, including systematic vulnerability scans and reviews of information systems, and documentation and reporting to the board and senior management of material gaps identified by these assessments; 

·     Password controls, including a “vaulting solution” for privileged accounts and an automated method for blocking commonly used passwords; 

·     Monitoring of anomalous activity by way of an endpoint detection and response solution, with a centralized solution for logging and security event alerting; and 

·     Risk assessments by external experts at least once every three years. 

Even a covered entity that does not qualify as a Class A Company should consider implementing at least some of the Class A obligations.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 23 NYCRR Part 500

[ii] Announced by the DFS on July 29, 2022

Thursday, September 15, 2022

Investor Owned Residential Loans: Risk Assessment

QUESTION

We are a mid-sized mortgage lender focused on investor-owned 1-4 family residential properties. Our underwriting and procedures are risk-based. In the last few years, we have grown considerably. I came on two years ago as the compliance manager. 

Last year, I retained a law firm to handle an audit to evaluate our procedures and overall risk-based audit program. In the end, I feel they did not consider important areas, such as underwriting standards, portfolio monitoring, capital treatment, and several qualitative factors. The audit objectives were not clearly defined. 

I am looking for some guidelines and remedies. If we have to do another audit, we do not want to spend as much money as we spent previously. Our policies and procedures are good, but I want more depth, especially because we are scaling up quickly. 

What audit objectives and procedures should I consider in a risk assessment? 

ANSWER

There are lenders in the country whose sole or primary loan product involves financing investor-owned, 1-4 family residential properties. Our firm has such clients, and we work closely with them on their specific compliance needs. Most of them have risk-based programs that set up audit objectives and procedures. 

I suggest you contact us to discuss our IORR Tune-up®. The acronym “IORR” stands for “Investor Owned Residential Real Estate.” The intended purpose of the IORR Tune-up® is to promote consistent risk management practices for residential properties where the primary repayment source for the loan is rental income. The fee is probably a fraction of the cost you spent previously. The IORR Tune-up® will likely provide the information you sought, and does so in 60 days. 

For information about the IORR Tune-up®, Contact Us Here.

Lenders are authorized to make loans to investors to purchase or refinance 1-4 family residential real estate (“RRE”) properties for rental to others. Many lenders manage IORR financing like owner-occupied 1-4 family residential loans. However, the credit risk presented by IORR lending is more similar to that associated with loans for income-producing commercial real estate. Because of this similarity, regulators expect lenders to use the same types of credit risk management practices for IORR used for commercial real estate lending. (For banks, this expectation does not change the regulatory capital, regulatory reporting, or HOLA requirements for IORR.[i]) 

Your review should include at least the following audit objectives: 

·    Evaluate whether loan underwriting standards incorporate risks related to IORR loans. 

·    Understand methods for setting loan identification and portfolio monitoring expectations. 

·    Determine whether ALLL[ii] estimation procedures incorporate IORR loan risks and related qualitative factor adjustments, if applicable. 

·    Evaluate the adequacy of internal risk assessment and rating systems to monitor IORR credit risks effectively. 

·    Evaluate continued compliance with regulatory reporting, HOLA[iii], and risk-based capital treatment, if applicable. 

We spend considerable time keeping our clients aware of the federal and state laws and regulations relating to IORR transactions, especially the regulations that implement consumer protection laws, including ECOA, the Fair Housing Act, the Fair Credit Reporting Act, the Home Mortgage Disclosure Act, RESPA, HOEPA, TILA, and the Bank Secrecy Act. Management’s lending processes and origination platforms should ensure compliance with all applicable laws and regulations and provide timely and accurate disclosures to mortgage applicants. Mortgage loan originators and the lender’s staff must be diligent in safeguarding applicants’ and borrowers’ confidential information. 

Lenders and loan officers should provide sufficient information to customers so they fully understand material terms, costs, and risks of the loan products offered. Communication with customers, including advertisements, oral statements, and promotional materials, should provide clear and balanced information about the relative benefits and risks of mortgage loan products. 

Lenders Compliance Group has identified eighteen categories and questions that act as criteria for audit procedures. I will list them, so you can get a sense of how to build a due diligence assessment. The drill-down analysis is extensive. 

1.   Evaluate the institution’s credit risk management expectations for IORR loans. 

Know the risks! IORR has distinct and very different risks involved from traditional 1- to 4-family lending, such as the loans generally being repaid by rent and possibly some of the investor’s personal income, the investor possibly owning multiple properties, vacancies leading to lower revenue, and increased credit risk. 

Thus, it is essential to ensure appropriate policies and procedures suitable for the risks specific to IORR lending. These policies and processes should cover loan underwriting standards; loan identification and portfolio monitoring expectations; allowance for loan and lease losses (“ALLL”) methodologies, if applicable; and internal risk assessment and rating systems. 

2.   Identify if regulatory reporting, HOLA, and risk-based capital treatment are carried out properly.[iv] 

3.   Determine if IORR loans have been classified as residential or commercial. (If they are classified as residential, are they effectively managed as commercial loans?) 

4.   Does the institution exercise prudent underwriting due diligence similar to that required for commercial real estate loans? 

5.   Has an income producing property analysis been conducted? 

6.   Determine if loan structuring documents incorporate commercial-type provisions. 

7.   Are credit and administration issues being handled in a manner consistent with commercial real estate loans? 

8.   Is commercial real estate amortization guidance being followed? What guidelines are used? 

9.   Is guidance on multiple properties being followed? 

10.  Are subordination, non-disturbance, and attornment agreements obtained to cover the following issues? 

11.   Is subrogation considered in the loan agreement? 

12.  Are commercial vs. residential title issues adequately addressed? 

13.  Are loan identification and portfolio monitoring expectations adequately addressed? 

14.  Do internal risk assessment and rating systems include special consideration for IORR loans? 

15.  Does loan monitoring consider critical IORR loan issues, such as higher overall costs, smaller loan size, competition pricing like residential loans, appraisal timing, and environmental testing? 

16.  Have the IORR loans been factored into allowance for loan and lease losses considerations, if applicable? 

17.  Have IORR regulatory exam issues been adequately addressed, such as improper classification, risk rating reviews, LO monitoring, appraisal requirements, and borrower types? 

18.  Have secondary market issues been adequately addressed?

Friday, September 9, 2022

Challenges of Cryptocurrency Compliance

QUESTION

We are writing a policy for cryptocurrency compliance. We are a mid-sized nonbank. I am the Compliance Manager, and I have two support staff. Our Board of Directors thinks cryptocurrency will continue to be a part of bank and nonbank transactions. They retained a research firm that says it is growing quickly.

I recognize that there are benefits to cryptocurrency. However, in writing this policy, we see how it can also impact our Anti-Money Laundering safeguards. So, we need to know the risks of cryptocurrency triggering our AML tripwires. 

What are the safe versus risky features of cryptocurrency? 

ANSWER

Your question comes at a time when cryptocurrency is a hot topic in banking and government circles. Indeed, the Treasury Department views cryptocurrency as potentially leading to economic instability due to increased fraud risk in the absence of sufficient government regulation. The Washington Post reports:

“The Treasury Department will warn the White House that cryptocurrencies could pose significant financial risks that outweigh their benefits unless the government rolls out major new regulations, according to two people familiar with the matter.”[i] 

I speak with DC political types all the time, and I can tell you that a good percentage of them do not know what cryptocurrency is, let alone how to regulate it. Sometimes I wonder if they only just recently figured out how to send an email. Several of them are oblivious to how the Internet works, so I suppose they think it works by magic. 

But, there is no mystery to cryptocurrency. It’s not magic. 

Cryptocurrency is establishing itself as a legitimate alternative to traditional finance. As such, it should be regulated. And, as to linking it to Anti-Money Laundering (AML), you are entirely correct: there is a direct interface with Know Your Customer (KYC) processes and cryptocurrency. 

Understand that cryptocurrencies had a total market capitalization of $900 billion in June, which jumped to $1 trillion in August.[ii] That is astounding growth! 

You’ll need to become familiar with certain new terminology to make sense of cryptocurrency compliance. I will embolden a few words that are particular to cryptocurrency. So, let’s dig in! 

What is Cryptocurrency? 

Some people believe that cryptocurrency is impervious to scrutiny and appropriate regulation. The notion here is that transactions are “transparent” because they are kept in blockchain ledgers. Thus, it is erroneously thought, cryptocurrency can’t be well-regulated. However, these are simply digital ledgers that capture each transaction, which can be traced back to a wallet address. Transactions are time-stamped and immutable because to alter something in a ledger, every single block in the chain, across all its distributed versions, would need to be changed. 

There is also the view that cryptocurrency is where criminals hang out to hide their nefarious purposes. I don’t think that holds up to scrutiny. The fact is that only 0.15% of such transaction volume was related to crime in 2021.[iii] 

Is cryptocurrency vulnerable to cyberattacks? Well, yes and no. Wallets are owned and accessed by persons, which means they will be vulnerable to fraudsters and cybercriminals.[iv] But the blockchain technology that facilitates and records cryptocurrency transactions is nearly impossible to edit and is rooted in cryptography. However, cryptocurrency wallets need to be secured to protect them from attack. 

It seems to me that anyone who thinks cryptocurrency is a fad has not been paying attention. It jumped by 567% in 2021[v] and is forecasted to have a compound annual growth rate of 12.8% between 2021 and 2031.[vi] 

I have read that people in economies battling hyperinflation have avoided devaluation of their hard-currency wages by exchanging them for digital currencies, which are then used to pay for food and other products.[vii] In economies with high remittance-based GDPs, cryptocurrency seems to be a fast and reliable way to transfer funds overseas compared to traditional alternatives, which may offer poor exchange rates. Some large financial institutions also appear to recognize opportunities to mobilize in cryptocurrency investing. Small companies seem to acknowledge that cryptocurrency can fill financial access gaps in regions where the traditional finance market is more limited. 

But money attracts thieves! 

Criminality and Cryptocurrency 

Cash has anonymity, but cryptocurrency does not! Cryptocurrency transactions are traceable through the blockchain, and cryptocurrency wallets are represented by a numbered key rather than held in a natural or legal person’s name. Therefore, KYC is an essential tool in cryptocurrency compliance. 

Blockchain analysis can show the transaction history of a cryptocurrency coin or crypto wallet, but criminals will still find ways to obfuscate their source of funds and identities. The same risk and transaction patterns and factors used in KYC for traditional financial products reveal the same kinds of criminals, such as money launderers, cybercriminals, and traffickers. These crooks tend to adapt to and use the efficiencies of new technology. 

Vendors that provide wallets to businesses and individuals must aim to have an accurate and perpetual KYC record of persons they are onboarding and servicing. If there are signs of criminality, law enforcement can trace the behavior and know who is behind it. 

As cryptocurrency and its accessibility continue to grow, so does the evidence of criminal activity. International financial compliance regulators such as the Financial Action Task Force (FATF), the Financial Crimes Enforcement Network (FinCEN), and the European Union are taking the lead in developing regulatory approaches to virtual currencies. Although these efforts are critical, regulation is still much too tenuous and loose. Regulations certainly do not maintain international continuity. 

Another transaction medium is a “kiosk” that lets users purchase Bitcoins (and other cryptocurrencies) using cash or a debit card. This “kiosk” is called a Bitcoin Automated Teller Machine (BATM). The BATM is a quickly growing medium that requires regulation. To get a sense of how quickly BATMs are being installed, in June 2022 there were 37,786 BATMs available in seventy-eight countries.[viii] As of today, there are nearly 38,723 BATMs. 

Ratifying policies and procedures for cryptocurrency transactions is “mission critical” to a financial institution involved in cryptocurrency transactions. Frankly, given the lack of comprehensive regulation, it is vital that banks and financial institutions develop their own best practices and manage AML strategies that will mitigate the risks bad actors pose, making sure due diligence is as complete as possible. 

Safe and Risky Features 

You asked about distinguishing between safe and risky features of cryptocurrency. I believe that a primary, reliable measure of risk is traceability. The blockchain provides a record of transactions and ownership. But what if that history is hidden, or nobody is reviewing it? 

And, to be sure, traceability in cryptocurrency and digital assets varies. 

There are several known ways that ownership is obscured in cryptocurrency transactions, and you must ensure that your KYC initiatives account for them. I will provide four examples.

1. Mixers

Also called tumblers, mixers aim to hide the origin of their users’ funds by obscuring the transaction history of crypto assets. For instance, Bitcoin Fog[ix] allowed users to transfer funds from their crypto wallets into ‘the fog,’ where the assets would be mixed with other users’ currencies to anonymize the funds. After the currencies were mixed, the original user would receive a random number of payouts, each containing a random amount of cryptocurrency.[x]

Thursday, September 1, 2022

UDAAP Violations caused by Insufficient Data Protection

QUESTION

Last year, we were criticized by our regulator for not “safeguarding consumer data.” We revamped our policies and procedures for several weeks, hired an IT company, did penetration testing, and even hired a law firm to check our system. They brought in a firm such as yours to do an overview of our policies. So, we thought we covered all the bases. 

We have just received a letter from the regulator. They are requesting an on-site visit soon. This was expected. But as we got ready for the examination, we learned that the CFPB is going after consumer protection violations, such as connecting to UDAAP violations. 

Since we covered everything – or thought we did! – it would be great if you could fill in any possible blanks to prepare for the coming examination. 

What important actions can we take to double-check our consumer data security? 

ANSWER

Safeguarding consumer data requires constant vigilance. Some companies dwell on the digital aspects, but that alone is certainly not enough; the obligation is not that narrow. I think your question is best understood in the context of insufficient data protection because insufficient data protection may indeed lead to UDAAP violations. 

The nexus to UDAAP violations is likely what the CFPB has in mind concerning safeguarding sensitive consumer information.[i] While the prohibitions in UDAAP are fact-specific, failure to implement common data security practices will significantly increase the likelihood that a firm may be violating UDAAP. 

The CFPB issuance you mention is meant to increase the focus on potential misuse and abuse of personal financial data. As part of this effort, the CFPB is explaining how and when firms may be violating the Consumer Financial Protection Act (CFPA) with respect to data security. Specifically, financial companies are at risk of violating the CFPA if they fail to have adequate measures to protect against data security incidents. 

I am going to describe the CFPB’s view of conduct that typically meets the first two elements of a UDAAP claim, that is, (1) the likeliness to cause substantial injury to consumers and (2) that it is not reasonably avoidable by consumers, which then increases the risk that an entity’s conduct triggers liability under the CFPA’s prohibition of unfair practices. 

To put this in stark, declarative terms: 

Inadequate data security can be an unfair practice in the absence of a breach or intrusion.[ii] 

Note that the linkage to UDAAP not only involves inadequate data security but also applies even in the absence of a breach or intrusion. How did we get here? 

Past data security incidents did it! For instance, the 2017 Equifax data breach led to the harvesting of sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the CFPA and other laws. In the case of Equifax, the CFPB alleged that Equifax violated the CFPA’s prohibition on unfair acts or practices.[iii] The Federal Trade Commission (FTC) also alleged that Equifax violated the FTC Act and the FTC’s Safeguards Rule, which implements Section 501 of the Gramm-Leach-Bliley Act (GLBA) and establishes certain requirements that nonbank financial institutions must adhere to for the protection of financial information.[iv] 

Providers of consumer financial services are subject to specific requirements to protect consumer data. 

Safeguards 

In 2021, the FTC updated its Safeguards Rule, implementing section 501(b) of the GLBA to set forth specific criteria relating to the safeguards that certain nonbank financial institutions must implement as a part of their information security programs. 

Among other things, these safeguards include: 

·     Limiting who can access customer information. 

·     Requiring the use of encryption to secure such information. 

·     Requiring the designation of a single qualified individual to oversee an institution’s information security program, who reports at least annually to the institution’s board of directors or equivalent governing body. 

The federal banking agencies also have issued interagency guidelines to implement section 501 of the GLBA. 

Failure to comply with these requirements may violate the CFPA’s prohibition on unfair acts or practices in certain circumstances. 

Here’s a Rule of Thumb for defining an unfair act or practice: it is an act or practice 

·       That causes or is likely to cause substantial injury to consumers, 

·       Which is not reasonably avoidable by consumers, and 

·       Is not outweighed by countervailing benefits to consumers or competition.

Turning to insufficient data protection, there are at least three safeguards you can implement that may serve to overcome allegations of not sufficiently protecting sensitive consumer data. I will discuss them briefly here. However, your policies and procedures must require them, and you must test their implementation regularly. 

Safeguard Number One: Multi-Factor Authentication 

Multi-factor authentication (MFA) is a security enhancement that requires multiple credentials (factors) before an account can be accessed. There are three satisfactory types of MFA factors: 

1.       Something you know, like a password. 

2.       Something you have, like a token. 

3.       Something you are, like your fingerprint. 

Many of our clients use a common MFA setup that supplies both a password and a temporary numeric code to log in. Another MFA factor is the use of hardware identification devices. There are levels of security. MFA greatly increases the level of difficulty for adversaries to compromise enterprise user accounts and thus gain access to sensitive customer data. MFA solutions that protect against credential phishing – like using the web authentication standard supported by web browsers – are especially important.