Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On February 6, the CFPB announced a settlement with an Indiana-based payday retail lender and affiliates (companies) in seven states to resolve alleged violations of the Consumer Financial Protection Act (CFPA), Truth in Lending Act (TILA), and Gramm-Leach-Bliley Act (GLBA) privacy protections. The CFPB alleges that the companies engaged in unfair acts or practices, failed to properly disclose annual percentage rates, and failed to provide consumers with required initial privacy notices.
Specifically, the Bureau alleges that the companies violated CFPA’s UDAAP provisions by, among other things, (i) failing to implement processes to prevent unauthorized charges, including those resulting from unauthorized draws on borrowers’ bank accounts; (ii) requiring loan applicants to provide contact information for their employers, supervisors, and four personal references, and then repeatedly calling employers to seek payments when borrowers became delinquent; (iii) disclosing the borrower’s financial information during those calls and, in certain instances, asking the third party to make payments on the loan; (iv) misusing personal references for marketing purposes; and (v) advertising check-cashing and telephone reconnection services they were no longer providing.
While the companies have not admitted to the allegations, they have agreed to pay a $100,000 civil money penalty and are prohibited from continuing the illegal behavior.
On October 17, as part of its fall 2018 rulemaking agenda, the FTC announced that it plans to review potential updates to federal privacy rules on how banks protect consumer data. The planned recommendation—scheduled to be presented to FTC commissioners at the end of November—will incorporate recommendations by staff and the public on changing the Gramm-Leach-Bliley Act Safeguard Rules (the Rule) given the potential conflict between the Rule and state, local, or other federal laws or regulations. As previously covered by InfoBytes, the FTC requested comments on the Rule in 2016, seeking feedback on several specific questions relating to the Rule’s economic impact and benefits, potential conflicts, and how technological, economic, or other industry changes will affect the Rule.
Among other things, the FTC’s regulatory agenda will also address (i) 2016 amendments to the Telemarking Sales Rule; (ii) the periodic review of identity theft rules; (iii) issues related to the privacy of consumer financial information concerning vehicle disclosures; and (iv) credit monitoring for active duty military as required by the Economic Growth, Regulatory Relief, and Consumer Protection Act.
On August 10, the CFPB issued final amendments to Regulation P, which implements the Gramm-Leach-Bliley Act and provides, among other things, exemptions for financial institutions from sending annual privacy notices to consumers provided they meet certain conditions. The final rule—originally proposed in July 2016 (as previously covered in InfoBytes here)—implements a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act,” which permits certain exemptions provided a qualifying financial institution (i) has not changed its privacy notice from the one previously delivered to its customer, and (ii) limits its sharing of a customer’s nonpublic personal information with nonaffiliated third parties so that a customer does not have the right to opt out, as otherwise afforded under the statute and Regulation P. The final rule will not affect the collection or use of a customer’s nonpublic personal information, and all financial institutions are still required to deliver initial privacy notices to customers. Moreover, the final rule establishes requirements for alternative delivery methods and provides deadlines for financial institutions that lose the exception and are required to resume delivery of annual privacy notices.
The amendments to Regulation P will take effect 30 days after publication in the Federal Register.
On February 23, the FTC announced a proposed settlement with a global online payments system company (company) to resolve a complaint filed in 2016 concerning allegations that its payment and social networking service (service) violated the FTC Act when it, among other things, failed to adequately disclose to consumers that transfers to external bank accounts were subject to review and that funds could be frozen or removed based on a review of the underlying transaction. According to FTC allegations, many consumers who relied on notifications from the service that funds were available for transfer found themselves unable to pay rent or other bills. In some instances, the service reversed transactions after initially notifying consumers the funds were available. Additionally, the service allegedly violated the Gramm-Leach-Bliley Act’s Privacy and Safeguard Rules (GLBA Rules) by misleading consumers about protections for their accounts when it claimed to use “bank-grade security systems” and failed to have a written security program or implement basic security safeguards. As a result, the FTC claims unauthorized users were able to, in certain cases, withdraw funds from consumer accounts or change passwords and/or associated email addresses without consumers being notified.
Under the proposed settlement, the company—which did not admit or deny liability and is not required to pay a fine—has agreed that it will not misrepresent any material restrictions on the use of its service, the extent of control provided by any privacy settings, and the extent to which it “implements or adheres to a particular level of security.” The company will also, among other things, make certain disclosures to consumers about its transaction and privacy practices, obtain biennial third-party assessments of its compliance with these rules for 10 years, and refrain from violating any provisions of the GLBA Rules.
FTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations
On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and security rules, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act’s Privacy Rule (Regulation P) and Safeguards Rule. In its complaint, the FTC alleged that the company violated the Safeguards Rule, which requires financial institutions under FTC jurisdiction toprotect customer information by developing, implementing, and maintaining a comprehensive information security program that satisfies certain requirements. The complaint alleged that, because the company failed to implement these requirements and did not have in place adequate risk-based authentication measures, hackers were able to conduct a “list validation attack” between October 2015 and December 2015, which gave them full access to nearly 9,000 customer accounts. Hackers then used the acquired information to engage in tax identity theft. In addition, the FTC alleges that the company failed to notify customers of the list validation attack or alterations until a user called in January 2016 to report suspicious activity, and failed to delivery privacy notices to customers as required by the Privacy Rule.
Under the terms of the decision and order, the company, among other things, is required for 10 years to obtain biennial independent third-party assessments to address the effectiveness of the company’s security programs and safeguard measures to “certify that [the company’s] security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 29, at which point the FTC will decide whether to make the proposed consent order final.
On August 29, the FTC announced that it is requesting public comment on its Standards for Safeguarding Customer Information Rule (the Safeguards Rule). As required by the Gramm-Leach-Bliley Act, the Commission promulgated the Safeguards Rule to require all “financial institutions” over which the FTC maintains authority to “develop, implement and maintain a comprehensive information security program for handling customer information” (emphasis added). The FTC seeks comments on several specific questions relating to (i) the Safeguards Rule’s economic impact and benefits; (ii) potential conflict between the Safeguards Rule and state, local, or other federal laws or regulations; and (iii) how technological, economic, or other industry changes will affect the Safeguards Rule. Comments are due by November 7, 2016.
On July 1, the CFPB issued a proposed rule to amend Regulation P, which implements the Gramm-Leach-Bliley Act (GLBA) and requires, among other things, financial institutions to provide their customers with an annual notice that describes their privacy policies and procedures. The proposed amendment would implement a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act” (FAST Act). Pursuant to the FAST Act, the GLBA was amended so that financial institutions meeting certain criteria no longer need to send annual privacy notices. The CFPB’s recently issued proposed rule would amend Regulation P to implement the GLBA amendment. The CFPB’s proposed rule would further amend Regulation P to (i) provide timing requirements for the delivery of annual privacy notices for a financial institution that may originally qualify for the annual notice exception but then later changes its policies or practices so that it no longer meets the exception criteria; (ii) remove the Regulation P provision that allows financial institutions to post privacy notices online because the CFPB “believes the alternative delivery method will no longer be used in light of the annual notice exception”; and (iii) make a technical correction to one of its definitions.
On December 4, President Obama signed into law H.R. 22, the “Fixing America’s Surface Transportation Act” (FAST Act). Although a transportation bill on its surface, the bill also contains various provisions that are intended to provide regulatory relief to community banks and improve the efficiency of state financial regulation. Significant provisions in the bill include: (i) establishing a process that allows parties, including banks and other stakeholders, to petition the CFPB for “rural” or “underserved” designations in certain areas for the purposes of the CFPB’s ability-to-repay rule; (ii) expanding the CFPB’s ability to exempt creditors serving rural or underserved areas from escrow requirements; (iii) granting greater flexibility to the CFPB in regards to treating a balloon loan as a qualified mortgage, if a community bank or creditor operating in a rural or underserved area extended the loan; (iv) increasing the threshold for 18-month exam cycles for well-capitalized banks from $500 million to $1 billion; and (v) authorizing the Nationwide Mortgage Licensing System – which state regulators use to license various nonbank financial services industries, such as money transmitters, payday lenders, and debt collectors – to process background checks for non-mortgage license applicants.
In addition, the act provides relief to all financial institutions meeting certain criteria from annual Gramm-Leach-Bliley privacy notice requirements. Pursuant the Gramm-Leach-Bliley Act (GLBA) and Regulation P, financial institutions were required to submit privacy notices, physically, or with consent electronically, to customers; in 2014, the CFPB amended Regulation P permitting institutions to post privacy notices online without customer consent, so long as certain criteria were met. The FAST Act’s statutory change in Section 75001 removes some of the criteria so that financial institutions do not have to send annual privacy notices so long as (i) their information sharing practices have not changed since its last notice; and (ii) they do not engage in information sharing that requires providing customers with an opt-out under the GLBA.
On May 7, the CFPB issued a proposed rule that would provide financial institutions an alternative method for delivering annual privacy notices. The Gramm-Leach-Bliley Act (GLBA) and Regulation P require financial institutions to, among other things, provide annual privacy notices to customers—either in writing or electronically with consumer consent. Industry generally has criticized the current annual notice requirement as ineffective and burdensome, with most financial institutions providing the notices by U.S. postal mail. The proposed rule would allow financial institutions, under certain circumstances, to comply with the GLBA annual privacy notice delivery requirements by (i) continuously posting the notice in a clear and conspicuous manner on a page of their websites, without requiring a login or similar steps to access the notice; and (ii) mailing the notices promptly to customers who request them by phone.
Specifically, under the CFPB’s proposal, a financial institution subject to the GLBA privacy notice requirements would be permitted to post annual notices online, provided the institution:
- Does not share the customer’s nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights;
- Does not include on its annual privacy notice a Fair Credit Reporting Act (FCRA) § 603(d)(2)(A)(iii) notice regarding the ability to opt out of information sharing with the institution’s affiliates;
- Does not use its annual privacy notice as the only notice provided to satisfy affiliate marketing opt-out notice requirements under section 624 of FCRA;
- Has not changed the information included in the privacy notice since the customer received the previous notice;
- Uses the model form provided in Regulation P; and
- Inserts a clear and conspicuous statement, at least once per year on a notice or disclosure the institution issues under any other provision of law, announcing that the annual privacy notice is available on the institution’s website, such notice has not changed since the previous notice, and a copy of such notice will be mailed to customers who request it by calling a toll-free telephone number.
The CFPB cites the following benefits of the proposed rule:
- Provides consumers with constant access to privacy policies;
- Incentivizes financial institutions to limit their data sharing with unaffiliated third parties;
- Allows consumers who are concerned about their personal information to comparison shop before deciding which financial institution to use; and
- Reduces the cost for companies to provide annual privacy notices.
The proposed rule would provide some relief to industry, particularly where broader bipartisan legislative solutions have failed to gain substantial traction. Last year, the House passed legislation that would fully exempt a financial institution from the annual notice requirement if it (i) provides nonpublic personal information only in accordance with specified requirements, and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information from its most recent disclosure. A similar Senate bill introduced early last year has not moved forward, though its sponsor, Senator Sherrod Brown (D-OH), pressed the CFPB director about the issue during a hearing last fall.
The CFPB’s proposal will remain open for comment for 30 days following its publication in the Federal Register.
- Daniel P. Stipano to discuss "Dynamic customer due diligence and beneficial ownership from KYC to ongoing CDD and the new rule implementation" at the Puerto Rican Symposium of Anti-Money Laundering
- Michelle L. Rogers to discuss "Preparing for servicing exams in the current regulatory environment" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Jon David D. Langlois to discuss "Regulatory risks of convenience fees" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- APPROVED Webcast: NMLS Annual Conference & Ombudsman Meeting: Review and recap
- Brandy A. Hood to discuss "Keeping your head above water in flood insurance compliance" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Melissa Klimkiewicz to discuss "Servicing super session" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Jessica L. Pollet to discuss "Law & compliance speedsmarts" at the American Financial Services Association Law & Compliance Symposium
- Daniel P. Stipano to discuss "Lessons learned from recent high profile enforcement actions" at the Florida International Bankers Association AML Compliance Conference
- Moorari K. Shah to provide "Regulatory update – California and beyond" at the National Equipment Finance Association Summit
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Spring Regulatory Compliance School
- Aaron C. Mahler to discuss "Regulation B/fair lending" at the National Association of Federally-Insured Credit Unions Spring Regulatory Compliance School
- Heidi M. Bauer to discuss "'So you want to form a joint venture' — Licensing strategies for successful JVs" at RESPRO26
- Jonice Gray Tucker to to discuss "DC policy: Everything but the kitchen sink" at CBA Live
- Jonice Gray Tucker to discuss "Small business & regulation: How fair lending has evolved & where are we heading?" at CBA Live
- Daniel P. Stipano to discuss "Lessons learned from ABLV and other major cases involving inadequate compliance oversight" at the ACAMS International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "A year in the life of the CDD final rule: A first anniversary assessment" at the ACAMS International AML & Financial Crime Conference
- Moorari K. Shah to discuss "State regulatory and disclosures" at the Equipment Leasing and Finance Association Legal Forum
- Hank Asbill to discuss "Creative character evidence in criminal and civil trials" at the Litigation Counsel of America Spring Conference & Celebration of Fellows
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program