On August 10, four U.S. Democratic Senators sent a letter to acting Comptroller of the Currency Michael Hsu urging the OCC to rescind November 2021 guidance permitting national banks to engage in certain cryptocurrency activities. According to the letter, the Senators “are concerned that the OCC’s actions on crypto may have exposed the banking system to unnecessary risk, and ask that [Hsu] withdraw existing interpretive letters that have permitted banks to engage in certain crypto-related activities.” The letter noted that the OCC unilaterally released interpretive letters related to cryptocurrencies in July 2020 (Interpretive Letter 1170), October 2020 (Interpretive Letter 1172), and January 2021 (Interpretive Letter 1174). In the letters, the Senators noted, the OCC determined that banks were permitted to engage in certain crypto-related activities, which include, among other things: (i) “providing cryptocurrency custody service for customers”; (ii) “holding deposits that serve as reserves for certain stablecoins”; and (iii) “operating independent node verification networks and stablecoins for payment activities.” The Senators argued that the letters “granted banks unfettered opportunity to engage in certain crypto activities and remain problematic” after the OCC issued another interpretive letter (Interpretive Letter 1179) under Hsu attempting to limit the risks posed by the policies set forth in the earlier letters. The Senators asked Hsu to provide information so that they can “better understand banks’ exposure to the crypto market” by August 24. The Senators also urged Hsu to work with the Fed and FDIC on replacing his agency’s existing crypto guidance with a more “comprehensive approach.”
On August 10, CFPB Director Rohit Chopra discussed the digital market before the 2022 National Association of Attorneys General Presidential Summit. In his remarks, Chopra first discussed the evolution of advertising models over time, describing how the persuasive power of advertising is now used to target individuals based on “voluminous amounts of personal data.” Chopra also discussed HUD’s 2019 complaint against a social media platform, stating that it “illustrates the stark differences between traditional advertising and today’s digital marketing.” According to Chopra, the social media platform “helped advertisers limit the audience for ads and enabled advertisers to target specific groups of people to the exclusion of protected classes.” Chopra further noted that “state attorneys general have already begun to recognize that these platforms are not passive advertisers.” Chopra also noted that the CFPB recently issued an interpretive rule explaining that the service provider exemption for “time or space” will typically not apply to the digital marketing services offered by major platforms (covered by InfoBytes here). Chopra said that although “they may be providing space for ads, these firms are commingling many other features that go well beyond the exemption.” To conclude, Chopra stated that “banking is under threat.” He said that “sensitive data is viewed as more valuable to firms than our actual selves,” and that “advances in technology should help our economy and society advance, rather than incentivizing a rush to seize our sensitive financial data and to allow tech giants to evade existing laws that other firms must comply with.”
On August 11, the FTC announced that it issued an advance notice of proposed rulemaking (ANPR) on a wide range of concerns about commercial surveillance practices. According to the FTC, it is exploring “rules to crack down on harmful commercial surveillance and lax data security.” The FTC described commercial surveillance as the business of collecting, analyzing, and profiting from information about individuals. The FTC also noted that “[m]ass surveillance has increased the risks and stakes of data breaches, deception, manipulation, and other abuses.” The ANPR solicits public comment regarding “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR also noted that there is increasing evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms. The FTC also released a Fact Sheet on the FTC’s Commercial Surveillance and Data Security Rulemaking and a Fact Sheet on Public Participation in the Section 18 Rulemaking Process. Comments are due 60 days after publication in the Federal Register.
On August 10, the CFPB issued an interpretive rule addressing when the CFPA’s UDAAP provisions cover digital marketing providers that commingle the targeting and delivery of advertisements to consumers with the provision of advertising “time or space.” Currently, traditional marketing firms are exempt from the CFPA provided they allow banks and other financial institutions “time and space” in traditional media outlets such as television and newspapers to advertise products. The Bureau stated, however, that digital marketers go beyond this approach when they harvest large amounts of information about consumers and use this data to shape their marketing content strategy.
Under the interpretive rule, this exception does not apply to firms that are materially involved in the development of content strategy. Due to the different nature of the services provided, behavioral marketing and advertising for financial institutions could subject marketers to legal liability depending on how those practices are designed and implemented, the Bureau said. Because “[d]igital marketing providers are typically materially involved in the development of content strategy when they identify or select prospective customers or select or place content in order to encourage consumer engagement with advertising,” the Bureau explained that digital marketers “engaged in this type of ad targeting and delivery are not merely providing ad space and time,” and therefore do not qualify under the “time or space” exception. The interpretive rule noted, among other things, that while a covered person may specify certain parameters of the intended audience for a financial product, the digital marketers’ ads and delivery algorithms “identify the audience with the desired characteristics and determine whether and/or when specific consumers see an advertisement.”
“When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws,” CFPB Director Rohit Chopra said in the announcement. “The CFPB, states, and other consumer protection enforcers can sue digital marketers to stop violations of consumer financial protection law: Service providers are liable for unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. When digital marketers act as service providers, they are liable for consumer protection law violations,” the Bureau added.
On August 10, the FHFA announced that Fannie Mae and Freddie Mac will start requiring servicers to obtain and maintain borrowers’ fair lending data on their loans. Data must transfer with servicing throughout the mortgage term, the announcement states, adding that beginning March 1, 2023, servicers will be required to collect borrower data including age, race, ethnicity, gender, and preferred language. The update follows an announcement issued in May (covered by InfoBytes here), which requires lenders to collect information on the borrower’s language preference, and on any homebuyer education or housing counseling that the borrower received, so that lenders can increase their understanding of borrowers’ needs throughout the home buying process. To facilitate the upcoming changes, Freddie Mac issued servicing Bulletin 2022-17, which outlines servicing requirements and notes that data elements must be stored in a format that can be searched, queried, and transferred. Simultaneously, Fannie Mae issued SVC-2022-06 to incorporate the new fair lending data requirements into its Servicing Guide. “Having fair lending data travel with servicing will help servicers do the important work of providing assistance to borrowers in need, helping to further a sustainable and equitable housing finance system,” FHFA Director Sandra Thompson said, adding that this need arose from the foreclosure crisis and Covid-19 response.
On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”
While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
On August 9, the FTC issued an order denying a petition to quash a civil investigative demand (CID) against the operators of a cryptocurrency exchange regarding allegations of a December 2021 data breach. According to the order, the FTC “is investigating potential law violations arising out of [the company’s] operation and marketing of [the company], and whether Commission action to obtain monetary relief would be in the public interest.” The agency issued a virtually identical CID to the company on May 11 seeking details on what the company disclosed to consumers regarding the security of their crypto assets and how it has handled customer complaints. The FTC noted that the investigation includes inquiries regarding the company’s “representations concerning its advertised exchange services; allegations that consumers have been denied access to their accounts; and concerns about the security of customer accounts especially in light of a publicly reported 2021 security breach that resulted in consumer loss of more than $200 million in cryptocurrency.” Among other things, the FTC is seeking to determine if the business practices of the operation in marketing and operating the company “constituted ‘unfair [or] deceptive . . . acts or practices . . . relating to the marketing of goods and services,’ or ‘[m]anipulative [c]onduct,’ ‘on the Internet’ (Resolution No. 2123125); constituted ‘deceptive or unfair acts or practices related to consumer privacy and/or data security’ in violation of Section 5 of the FTC Act (Resolution No. 1823036); or violated the GLB Act, its implementing rules, or Section 5 regarding ‘the privacy or security of consumer [financial] information.’”
On August 9, the SEC announced whistleblower awards totaling more than $16 million to two whistleblowers for providing information and assistance in a successful SEC enforcement action. According to the redacted order, the SEC awarded approximately $13 million to one of the whistleblowers for prompting the opening of the investigation and providing critical information, including information on “difficult to detect” violations. The whistleblower also identified key witnesses and helped staff “understand complex fact patterns and issues related to the matters under investigation.” The second whistleblower received a more than $3 million award for submitting important new information during the course of the investigation, which provided the staff a more complete picture. The SEC attributed the lower award amount to the fact that the second whistleblower delayed reporting the wrongdoing for several years, whereas the first whistleblower “persistently alerted the Commission to the ongoing abusive practices for a number of years before the investigation was opened.”
The SEC has awarded more than $1.3 billion to 281 individuals since issuing its first whistleblower award in 2012.
On August 9, the Conference of State Bank Supervisors (CSBS) released two new tools used by state examiners to assess nonbank financial services companies’ cyber preparedness. Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program provide nonbanks the opportunity to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners. The “Baseline” program is geared toward exams of “smaller, noncomplex, low-risk institutions,” and “is targeted for use by examiners with or without specialized IT and cybersecurity knowledge.” The “Enhanced” program includes all of the Baseline procedures as well as additional procedures to provide a “more in-depth review for larger, more complex institutions or for those where concerns are raised during exams.” The program is intended for use by examiners with specialized IT and cybersecurity knowledge.
“Supervisory clarity is essential to increasing industry awareness and making our financial system more resilient to cyber-attacks,” CSBS Senior Vice President of Nonbank Supervision Chuck Cross said in the announcement. “The Nonbank Cybersecurity Exam Procedures released today provide nonbank institutions additional optional tools to guard against cyber-attacks, data breaches or lapses in management oversight in this crucial area.”
CSBS announced that it intends to provide additional tools tailored to the needs of smaller nonbank financial institutions in the coming months.
On August 8, the U.S. Court of Appeals for the Tenth Circuit upheld the dismissal of an FDCPA action, concluding that an alleged false or misleading communication must be material in order to be considered a violation of the statute, and that materiality is determined through the perspective of the “reasonable consumer.” The plaintiff, a student loan debtor, alleged that he received a letter attempting to collect on debt from the defendant. The defaulted debt in question had been sold to a federal student-loan guaranty agency (creditor), which contracted with the defendant to collect the debt. According to the plaintiff, the letter appeared as if it were sent by the creditor, primarily because the letter displayed the guaranty agency’s name and logo instead of the defendant’s own information. According to the plaintiff, the letter violated several sections of the FDCPA, which prohibit the use of false representations or deceptive means to collect a debt or obtain information concerning a consumer and require a debt collector to use their “true name.” The district court dismissed the action for failure to state a claim, ruling that the letter in question was not misleading and that the plaintiff failed to establish that the defendant used materially misleading, unfair, or unconscionable means to collect the debt.
On appeal, the 10th Circuit held that “a reasonable consumer would not be misled,” because the letter (i) identifies the creditor as “the holder of a defaulted federally insured student loan”; (ii) states that the letter “is an attempt, by a debt collector, to collect a debt”; and (iii) clarifies that the defendant “is assisting [the creditor] with administrative activities associated with this administrative wage garnishment.” Moreover, “[e]ven assuming a reasonable consumer would believe [the creditor] and not [the defendant] sent the letter, [the plaintiff] fails to demonstrate how that would frustrate the reasonable consumer’s ability to respond intelligently,” the appellate court wrote.
In its determination, the 10th Circuit also considered differences related to the “least sophisticated consumer” and a “reasonable consumer” in determining how materiality should be measured. According to the appellate court, even the courts that apply the least sophisticated consumer standard tend to agree that the consumer’s interpretation must be reasonable, thereby incorporating aspects of the reasonable consumer standard. The 10th Circuit pointed out that while many courts have referenced the “least sophisticated consumer” in their rulings, few actually use that perspective. “In applying the least sophisticated consumer standard, courts typically begin by noting the least sophisticated consumer is not an expert but then quickly explain he is not actually the least sophisticated consumer,” the 10th Circuit said, adding that “[i]n reality, the nebulous least sophisticated consumer standard is simply a misnomer. A few circuits, recognizing problems with the least sophisticated consumer standard, instead look to the ‘unsophisticated consumer.’” The appellate court concluded that, assuming “the reasonable consumer would read a communication in its entirety and make sense of a communication by assessing it as a whole and in its context,” no reasonable consumer would have been materially misled.
- Kathryn L. Ryan and Jedd R. Bellman to discuss “Risk and compliance management: Are you covered?” at a Mortgage Bankers Association webinar
- Melissa Klimkiewicz and Daniel A. Bellovin to discuss “Things to know about flood insurance” at a NAFCU webinar
- Hank Asbill to discuss “Ethical issues at sentencing” at the 31st Annual National Seminar on Federal Sentencing
- Max Bonici will moderate a panel on “Enforcement risk and other regulatory and compliance issues related to crypto and digital assets” at the American Bar Association’s 2022 Annual Meeting
- John R. Coleman to provide a “CFPB Update” at MBA’s 2022 Regulatory Compliance Conference
- Amanda R. Lawrence to discuss “The shifting data privacy and data protection landscape” at MBA’s 2022 Regulatory Compliance Conference
- Jeffrey P. Naimon to provide “An update on key fair lending cases and the CRA and UDAAP rules” at MBA’s 2022 Regulatory Compliance Conference
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar
- James C. Chou to discuss ransomware at NAFCU’s Regulatory Compliance & BSA seminar