On April 16, the SEC’s Office of Compliance Inspections and Examinations issued a Risk Alert to discuss compliance issues related to Regulation S-P—the SEC’s primary rule regarding privacy notices and safeguard policies—and to provide assistance to registered investment advisers and broker-dealers (registrants) when issuing compliant privacy and opt-out notices. Regulation S-P requires registrants to provide customers with a clear and conspicuous notice accurately reflecting their privacy policies and practices, plus any options to opt out of sharing certain non-public personal information with nonaffiliated third parties. The notice must be sent annually throughout the duration of the customer relationship. Regulation S-P also requires registrants to implement written policies and practices reasonably designed to ensure that customer records and information are secure and protected against unauthorized access. The Risk Alert provides examples of common Regulation S-P compliance deficiencies and weaknesses, and advises registrants to “review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are compliant with Regulation S-P.”
On April 4, the Arkansas governor signed SB 514, which establishes a process for state regulation of telecommunications service providers and third-party spoofing providers, and stiffens criminal penalties for persons who engage in illegal robocalling and spoofing practices. The act reclassifies “spoofing”—defined in the act as “displaying fictitious or misleading names or telephone numbers”—and illegal robocalls as Class D felonies. Arkansas law previously classified these actions as misdemeanors. The act requires telecommunications providers to report annually to the Arkansas Public Service Commission the measures they have implemented for identifying and combating the illegal calls.
The Arkansas Attorney General issued a press release in which she noted that the legislation “reinforces how determined Arkansans are to stop these illegal calls and creates a path for enforcement to hold the bad actors accountable.” The act takes effect 90 days after adjournment of the legislature.
On April 2, the FDIC issued Financial Institution Letter FIL-19-2019 (Technology Service Provider Contracts), which describes examiner observations about gaps in financial institutions’ contracts with technology service providers (TSPs) that may require financial institutions to take additional steps to manage business continuity and incident response. Although not specifically referenced in FIL-19-2019, this latest FDIC guidance echoes themes set forth in the FDIC’s Office of Inspector General (OIG) Audit Report released in 2017 (covered in InfoBytes here). Specifically, examiners noted contractual deficiencies in recent reports of examination, including failing to: (i) adequately define rights and responsibilities regarding business continuity and incident response, or provide sufficient detail to allow financial institutions to manage those processes and risks; (ii) consistently require TSPs to maintain a business continuity plan, establish data recovery standards, and commit to contractual remedies if the TSP missed a data recovery standard; (iii) sufficiently detail the TSP’s security incident responsibilities, such as notifying the financial institution, regulators, or law enforcement; and (iv) clearly define key terms used in contractual provisions relating to business continuity and incident response.
FIL-19-2019 further stresses that supervised institutions are required to comply with the Interagency Guidelines Establishing Information Security Standards promulgated pursuant to the GLBA, which among other things set forth expectations for managing TSP relationships through contractual terms and ongoing monitoring. The FDIC references prior guidance establishing regulatory expectations, including: (i) Guidance for Managing Third-Party Risk (FIL-44-2008, issued June 6, 2008); and (ii) the Business Continuity Booklet set forth in the FFIEC IT Examination Handbook, which was updated in February 2015 to include a new appendix specific to managing service provider risks (Appendix J: Strengthening the Resilience of Outsourced Technology Services). FIL-19-2019 also contains a reminder to depository institutions that the Bank Service Company Act requires depository institutions to provide written notice to their respective federal banking agency of contracts or relationships with TSPs that provide certain services, including check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services.
On March 20, the North Dakota governor signed SB 2262, which, among other things, amends the state’s law covering the unauthorized use of personal identifying information (PII). Specifically, the bill expands the definition of PII to include (i) an individual’s payment card information; (ii) an individual’s biometric data; and (iii) any other information that can be used to access a person’s financial records. Under the bill, an individual is guilty of an offense if the individual “obtains or attempts to obtain, transfers, records, or uses or attempts to use” any PII of another individual, living or deceased, to obtain anything of value without the consent of the other individual. The bill is effective August 1.
On March 18, the Virginia governor signed HB 2396, which amends the Code of Virginia and requires an individual or entity owning or licensing computerized data that includes personal information to disclose all data breaches without “unreasonable delay” to the Virginia Attorney General and any affected Commonwealth residents. Under HB 2396, “personal information” is defined as “the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted.” The list of data elements was amended to add passport numbers and military identification numbers to the previous list, which included social security numbers, driver’s license numbers, and financial account numbers or credit/debit card numbers combined with codes or passwords that would grant access to a consumer’s financial account. The amendment is effective July 1.
On March 15, the FTC released its annual report highlighting the agency’s privacy and data security work in 2018. Among other items, the report highlights consumer-related enforcement activities in 2018, including:
- an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices (covered by InfoBytes here).
- a settlement with a global online payments system company to resolve allegations that its payment and social networking service failed to adequately disclose to consumers that transfers to external bank accounts were subject to review and that funds could be frozen or removed based on a review of the underlying transaction (covered by InfoBytes here).
- a settlement with a Texas-based company over allegations that it violated the FCRA by failing to take reasonable steps to ensure the accuracy of tenant-screening information furnished to landlords and property managers (covered by InfoBytes here).
The report also highlighted the FTC’s hearings on big data, privacy, and competition conducted through its Hearings on Competition and Consumer Protection in the 21st Century initiative. (Covered by InfoBytes here and here.)
On March 12, CFPB Director Kathy Kraninger testified at a hearing held by the Senate Banking, Housing, and Urban Affairs Committee on the CFPB’s Semi-Annual Report to Congress. While Kraninger’s opening statement and question responses were similar to her comments made last week during a House Financial Services Committee hearing (detailed coverage here), notable highlights include:
- Fair Lending. Kraninger did not provide a status update on the Bureau’s pre-rulemaking activities as they relate to whether disparate impact is cognizable under ECOA, but emphasized that the Bureau is committed to the fair lending mission.
- Data Collection. In response to concerns over the Bureau’s history of expansive data collection, Kraninger noted that data collection is an especially important tool for rulemaking, but stated that going forward she would ensure the Bureau only collects the information needed to carry out the Bureau’s mission, noting that the less personally identifiable information that is collected, the less that requires protection. She acknowledged the Bureau is reviewing the comments submitted in response to its fall 2018 data governance program report (covered by InfoBytes here) and stated the Bureau remains committed to reviewing the internal processes it has for collecting and using data.
- Military Lending Act (MLA). Kraninger stated that she disagrees with the Democratic Senator’s broad interpretation of Section 1024(b)(1)(C) of the Dodd-Frank Act allowing for the Bureau to examine for compliance with the MLA because that interpretation would permit the Bureau to examine for anything that is a “risk to consumers,” including things like safety and soundness, which is not currently under the Bureau’s purview. While she acknowledged that the Bureau has the direct authority to enforce the MLA, she repeatedly rejected the notion that this would also give the Bureau the authority to supervise for the MLA, as Dodd-Frank separates the Bureau’s enforcement and supervision powers.
- Payday Rule. Kraninger repeatedly emphasized that the reconsideration of the underwriting standards in the Payday Rule was to determine if the legal and factual basis used to justify certain practices as unfair and abusive was “robust” enough. She acknowledged that the Bureau will be reviewing all the comments to the proposal and that the evidence used for the original Rule will be part of the record for the reconsideration.
- GSE Patch. In response to questions regarding the 2021 expiration of the Qualified Mortgage (QM) Rule’s 43 percent debt-to-income ratio exception for mortgages backed by Fannie Mae and Freddie Mac (GSEs), Kraninger acknowledged the “non-QM” market hasn’t materialized over the last few years, as was originally anticipated. However, Kraninger was reluctant to provide any further details, noting that she would not be making any “dramatic changes” to the mortgage market. Additionally, she acknowledged that the GSE patch has the potential to expire at the end of the conservatorship as well.
- CFPB Structure. Kraninger did not specify whether she believes the Bureau should be led by a board, rather than a single director, or whether the Bureau should be under appropriations. Specifically Kraninger stated that she would “welcome any changes Congress made that would increase the accountability and transparency of the Bureau,” and would “dutifully carry out” legislation that would place the Bureau under appropriations if the President signed it.
- Student Lending. Kraninger stated that the Bureau intends to re-engage with the Department of Education on a Memorandum of Understanding (MOU) to assist with complaint and information sharing once a new Student Loan Ombudsman has been hired. The MOUs were previously terminated by the Department in August 2018 (covered by InfoBytes here).
On March 5, Attorneys General from all 50 states, as well as from the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, sent a letter to the Senate Committee on Commerce, Science, and Transportation supporting a recently introduced bipartisan bill to combat illegal robocalls. Among other things, S. 151, the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), would: (i) grant the FCC three years to take action against robocall violations, instead of the current one-year window; (ii) authorize the agency to issue penalties of up to $10,000 per robocall; and (iii) require service providers to implement the FCC’s new call authentication framework. The AGs state that they “are encouraged that the TRACED Act prioritizes timely, industrywide implementation of call authentication protocols,” and note their support for an interagency working group that the bill would establish consisting of members from the DOJ, FCC, FTC, CFPB, other relevant federal agencies, state AGs, and non-federal stakeholders.
On March 5, the FTC released proposed amendments to two rules that protect the privacy and security of customer data held by financial institutions. The agency seeks comments on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires financial institutions to develop, implement, and maintain comprehensive information security programs, whereas the Privacy Rule requires financial institutions to notify customers about information-sharing practices, as well as enable customers to opt out of sharing their information with certain third parties. The FTC’s proposed amendments to the Safeguards Rule would, among other things, add more detailed requirements for financial institutions, including mandatory encryption of customer data and the use of multi-factor authentication to prevent unauthorized access to customer information. The proposed amendments to the Privacy Rule would change the rule to account for statutory changes in the Dodd-Frank Act, which gave the majority of the FTC’s rulemaking authority for the Privacy Rule to the CFPB with the exception of certain motor vehicle dealers. The agency plans to remove examples of financial institutions that do not apply to motor vehicle dealers, as well as clarify when annual customer privacy notices must be provided. In addition, the FTC proposes to expand the definition of “financial institution” in both rules to include “finders,” which include persons or entities that charge a fee to introduce consumers to a lender.
On February 26, the U.S. District Court for the Middle District of Florida granted final approval and class certification, following a final approval hearing, to a settlement resolving class action allegations concerning a data breach involving an international fast-food chain. According to the amended motion for final approval, the data breach occurred in 2016 and involved third-party malware installation on certain franchises’ point-of-sale systems, which targeted and compromised customer payment card-related data. The class ultimately asserted the following claims—breach of implied contract, negligence, and violations of several state consumer laws—and requested reimbursement for (i) costs associated with time spent addressing identity theft or fraud; (ii) losses caused by restricted access to funds; (iii) costs associated with credit reports and credit monitoring; (iv) bank and payment card fees; (v) unauthorized charges; and (vi) documented time spent dealing with the repercussions of the data breach. Under the terms of the settlement, the fast-food chain will pay up to $5,000 per eligible class member as reimbursement for documented out-of-pocket expenses, and up to $15 an hour for up to two hours of undocumented time spent dealing with the repercussions of the data breach. The court also approved $1.02 million in attorneys’ fees and approximately $139,000 in costs to class counsel.
- Moorari K. Shah to discuss "State regulatory and disclosures" at the Equipment Leasing and Finance Association Legal Forum
- Daniel P. Stipano to discuss "The state of the BSA 2019: What’s working, what’s not, and how to improve it" at the West Coast Anti Money-Laundering Forum
- Buckley Webcast: The future of the Community Reinvestment Act
- Hank Asbill to discuss "Creative character evidence in criminal and civil trials" at the Litigation Counsel of America Spring Conference & Celebration of Fellows
- Buckley Webcast: Amendments to the CFPB's proposed debt collection
- Brandy A. Hood to discuss "Flood NFIP in the age of extreme weather events" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "UDAAP compliance" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Major state law developments" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Leveraging big data responsibly" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "State examination/enforcement trends" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Benjamin K. Olson to discuss "LO compensation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- APPROVED Webcast: State and SAFE Act licensing requirements for banks
- John C. Redding to discuss "TCPA compliance in the era of mobile" at the Auto Finance Risk Summit
- Buckley Webcast: The next consumer litigation frontier? Assessing the consumer privacy litigation and enforcement landscape in 2019 and beyond
- Buckley Webcast: Data breach litigation and biometric legislation
- Buckley Webcast: Trends in e-discovery technology and case law
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Douglas F. Gansler to discuss "Role of state AGs in consumer protection" at a George Mason University Law & Economics Center symposium