On February 14, the FCC released a notice of proposed rulemaking intended to strengthen its rules against caller ID spoofing and expand the agency’s enforcement efforts against illegal spoofed text messages and phone calls, including those from overseas. The proposed rules would enact requirements in the recently passed RAY BAUM’S Act of 2018, and expand Truth in Caller ID Act prohibitions against the transmittal of “misleading or inaccurate caller ID information (‘spoofing’) with the intent to defraud, cause harm, or wrongfully obtain anything of value” to text messages and calls to U.S. residents originating from outside the U.S.
The FCC seeks comments on the proposed rules—adopted unanimously at the agency’s February 14 meeting—on, among other things, what changes to the Truth in Caller ID rules can be made “to better prevent inaccurate or misleading caller ID information from harming consumers.” Comments will be due 60 days after publication in the Federal Register.
On February 13, Senate Committee on Banking, Housing, and Urban Affairs Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) invited stakeholder feedback on “the collection, use and protection of sensitive information from financial regulators and private companies” as a means of informing potential future legislation. In a press release issued by the committee, Crapo noted, “Given the exponential growth and use of data, and corresponding data breaches, it is worth examining how the Fair Credit Reporting Act should work in a digital economy, and whether certain data brokers and other firms serve a function similar to the original consumer reporting agencies.” He further stressed the importance of understanding how consumer data is compiled and protected, and how consumers are able to access and correct sensitive information. The release sought answers to five questions designed to help examine ways in which legislation, regulation, or the implementation of best practices can (i) provide consumers better control over their financial data, as well as timely data breach notifications; (ii) ensure consumers receive disclosures concerning both the type of information being collected and its purpose for collection; (iii) provide consumers control over how their data is being used—including the sharing of information by third-parties; (iv) protect consumer data and ensure the accuracy of reported information in a consumer’s credit file; and (v) allow consumers the ability to “easily identify and exercise control of data that is being . . . collected and shared” as a determining factor when establishing whether a consumer is eligible for, among other things, credit or employment.
On February 13, the U.S. District Court for the District of Nevada rejected a cloud communication company’s motion to dismiss a TCPA class action. According to the opinion, the plaintiffs alleged the company “collaborated as to the development, implementation, and maintenance of [a] telemarketing text message program,” which was used by a theater production company to send text messages without prior consent in violation of the TCPA and the Nevada Deceptive Trade Practices Act (NDTPA). The company moved to dismiss the claims, arguing, among other things, that it was not liable under the TCPA because it was a “transmitter” and not an “initiator” of communications. Citing the FCC’s previous determination that, under certain circumstances, transmitters may be held liable under the TCPA, the court rejected this argument, concluding that the company took steps necessary to send the automated messages and that its “alleged involvement was to an extent that [it] could be considered to have initiated the contact.” Moreover, the court determined the plaintiff sufficiently alleged injury under the TCPA, concluding that violations of privacy and injury to the “quiet use and enjoyment of [a] cellular telephone” are consistent with the purpose of the TCPA. The court did dismiss the plaintiff’s NDTPA claims, however, holding that the transaction did not involve the sale or lease of goods or services as the law requires.
On February 14, the FDIC released its 2018 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives, performance results, and other aspects of FDIC operations, supervision developments, and regulatory enforcement. Highlights of the report include: (i) the FDIC’s efforts to adopt and issue proposed rules on key regulations under the Economic Growth, Regulatory Relief and Consumer Protection Act (EGRRCPA); (ii) efforts to strengthen cybersecurity oversight and help financial institutions mitigate cyber risk; (iii) supervision focus on Bank Secrecy Act/Anti-Money Laundering compliance; and (iv) financial institution letters providing regulatory relief to institutions affected by natural disasters. The report also highlights the FDIC’s monitoring of financial technology developments through its various research groups and committees to better understand how technological efforts may affect the financial market. Lastly, the report covers the agency’s efforts to encourage de novo bank applications, including the December 2018 request for information soliciting comments on the deposit insurance applications process (covered by InfoBytes here).
On February 11, a bipartisan group of 29 state Attorneys General, the District of Columbia Attorney General, and an official from the Hawaii Office of Consumer Protection, responded to the FTC’s request for comment on whether the agency should make changes to its identity theft detection rules (the Red Flags Rule and the Card Issuers Rule), which require financial institutions and creditors to take certain actions to detect signs of identity theft affecting their customers. (Covered by InfoBytes here.)
In their response, the Attorneys General urge the FTC not to repeal the Rules, arguing that it “would place consumers at greater risk of identity theft, especially consumers in states that have not enacted” laws that complement the Rules. Instead, the response letter requests the FTC modify the Rules to “ensure their continued relevance” and “keep pace with the ingenuity of identity thieves.” The suggestions include: (i) that notices of changes to email addresses and cell phone numbers be sent to both the prior and updated addresses and phone numbers, an expansion of the current use of mailing addresses; (ii) the encouragement of more current forms of authentication, including multi-factor authentication, to replace examples which imply that knowledge-based authentication by itself is sufficient; and (iii) the addition of new suspicious activity examples related to the use of an account, such as a covered account accessed by unknown devices or IP addresses, an unauthorized user unsuccessfully trying to guess account passwords through multiple attempts, and attempts by foreign IP addresses to access multiple accounts in a close period of time.
District court orders TCPA suit to mediation, states FCC’s interpretation of autodialer may take years
On February 1, the U.S. District Court for the Eastern District of Missouri issued an order referring the parties in a putative TCPA class action to mediation. The plaintiff’s complaint alleges that the defendant’s insurance company sent her text messages without her consent using an automatic telephone dialing system (autodialer). In response, the defendant argued that the software it used to send the text messages does not qualify as an autodialer because it calls numbers from a pre-set list, instead of one that is randomly or sequentially generated. The defendant further argued that the case should be stayed because the FCC is currently considering whether systems such as the one at issue qualify as autodialers under the TCPA following the D.C. Circuit’s March 2018 ruling in ACA International v. FCC, which set aside the FCC’s 2015 interpretation of an autodialer as “unreasonably expansive.” (Covered by a Buckley Special Alert.) The decision to refer the case to mediation comes after the court’s August 2018 order denying the defendant’s motion to stay the proceeding. In that order the court explained that, although the FCC issued a notice in May 2018 (covered by InfoBytes here) seeking comments on the interpretation of the TCPA, the rulemaking process would likely take years and may not even resolve the issue in the case.
NYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions
On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update outlines the procedures covered entities must follow if the entity ceases to qualify for exemptions under Section 500.19. Covered entities who no longer qualify for an exemption will have 180 days from the end of their most recent fiscal year to comply with all applicable requirements of 23 NYCRR Part 500. NYDFS further notes that covered entities may be required to periodically refile their exemptions to ensure qualification.
On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services institutions regulated by NYDFS are required to implement a cybersecurity program to protect consumer data. The last step in the implementation timeline requires covered entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such third parties. NYDFS also reminded regulated entities that the deadline to file their second certification of compliance via NYDFS’ cybersecurity portal is February 15.
Previous InfoBytes coverage on NYDFS’ cybersecurity regulation is available here.
On January 22, the Financial Industry Regulatory Authority (FINRA) issued new guidance on areas member firms should consider when seeking to improve their compliance, supervisory, and risk management programs. The 2019 FINRA Risk Monitoring and Examination Priorities Letter (2019 Priorities Letter) examines both new priorities as well as areas of ongoing concern, including the adequacy of firms’ cybersecurity programs. FINRA notes, however, that the 2019 Priorities Letter does not repeat topics previously addressed in prior letters, and advises member firms that it will continue to review ongoing obligations for compliance. Topics FINRA plans to focus on in the coming year include:
- Firms’ use of regulatory technology to help compliance efforts become “more efficient, effective, and risk-based.” FINRA will work with firms to understand risks and concerns related to supervision and governance systems, third party vendor management, and safeguarding customer data;
- Supervision of digital assets, including coordinating with the SEC to review how firms determine whether a given digital asset is a security and whether firms are implementing adequate controls and supervisions related to digital assets, such as complying with anti-money laundering and Bank Secrecy Act rules and regulations;
- Assessment of firms’ compliance with FinCEN’s Customer Due Diligence rule, which requires firms to identify beneficial owners of legal entity customers (as previously covered by InfoBytes here); and
- Financial risks, including credit risks, funding and liquidity planning.
On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other provisions, the amendments to the current law:
- Prohibit users from requesting or obtaining the consumer credit report of a consumer unless the user obtains the consumer’s prior written, verbal, or electronic consent, and discloses the user's reason for accessing the consumer report to the consumer prior to obtaining consent.
- Require every consumer reporting agency to disclose to consumers, when properly identified, (i) the nature, contents, and substance of all information on file (except medical information) at the time of the request; (ii) the sources of all credit information; and (iii) “the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.”
- State that a consumer reporting agency may not charge a fee to any consumer for placing, lifting, or removing a security freeze from a consumer report.
- Specify that a consumer reporting agency may not “knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit.”
- Require persons who experience a security breach to report specific information to the state Attorney General, as well as certify that their credit monitoring services are in compliance.
- State that consumers shall receive notice provisions in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services.
- Require persons who experience a breach that compromises social security numbers to provide at least 18 months of free credit monitoring for affected individuals.