Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On February 6, the CFPB announced a settlement with an Indiana-based payday retail lender and affiliates (companies) in seven states to resolve alleged violations of the Consumer Financial Protection Act (CFPA), Truth in Lending Act (TILA), and Gramm-Leach-Bliley Act (GLBA) privacy protections. The CFPB alleges that the companies engaged in unfair acts or practices, failed to properly disclose annual percentage rates, and failed to provide consumers with required initial privacy notices.
Specifically, the Bureau alleges that the companies violated CFPA’s UDAAP provisions by, among other things, (i) failing to implement processes to prevent unauthorized charges, including those resulting from unauthorized draws on borrowers’ bank accounts; (ii) requiring loan applicants to provide contact information for their employers, supervisors, and four personal references, and then repeatedly calling employers to seek payments when borrowers became delinquent; (iii) disclosing the borrower’s financial information during those calls and, in certain instances, asking the third party to make payments on the loan; (iv) misusing personal references for marketing purposes; and (v) advertising check-cashing and telephone reconnection services they were no longer providing.
While the companies have not admitted to the allegations, they have agreed to pay a $100,000 civil money penalty and are prohibited from continuing the illegal behavior.
On August 10, the CFPB issued final amendments to Regulation P, which implements the Gramm-Leach-Bliley Act and provides, among other things, exemptions for financial institutions from sending annual privacy notices to consumers provided they meet certain conditions. The final rule—originally proposed in July 2016 (as previously covered in InfoBytes here)—implements a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act,” which permits certain exemptions provided a qualifying financial institution (i) has not changed its privacy notice from the one previously delivered to its customer, and (ii) limits its sharing of a customer’s nonpublic personal information with nonaffiliated third parties so that a customer does not have the right to opt out, as otherwise afforded under the statute and Regulation P. The final rule will not affect the collection or use of a customer’s nonpublic personal information, and all financial institutions are still required to deliver initial privacy notices to customers. Moreover, the final rule establishes requirements for alternative delivery methods and provides deadlines for financial institutions that lose the exception and are required to resume delivery of annual privacy notices.
The amendments to Regulation P will take effect 30 days after publication in the Federal Register.
FTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations
On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and security rules, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act’s Privacy Rule (Regulation P) and Safeguards Rule. In its complaint, the FTC alleged that the company violated the Safeguards Rule, which requires financial institutions under FTC jurisdiction toprotect customer information by developing, implementing, and maintaining a comprehensive information security program that satisfies certain requirements. The complaint alleged that, because the company failed to implement these requirements and did not have in place adequate risk-based authentication measures, hackers were able to conduct a “list validation attack” between October 2015 and December 2015, which gave them full access to nearly 9,000 customer accounts. Hackers then used the acquired information to engage in tax identity theft. In addition, the FTC alleges that the company failed to notify customers of the list validation attack or alterations until a user called in January 2016 to report suspicious activity, and failed to delivery privacy notices to customers as required by the Privacy Rule.
Under the terms of the decision and order, the company, among other things, is required for 10 years to obtain biennial independent third-party assessments to address the effectiveness of the company’s security programs and safeguard measures to “certify that [the company’s] security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 29, at which point the FTC will decide whether to make the proposed consent order final.
- Buckley Webcast: Maintaining privilege in cross-border internal investigations
- Moorari K. Shah to discuss "State regulatory and disclosures" at the Equipment Leasing and Finance Association Legal Forum
- Daniel P. Stipano to discuss "The state of the BSA 2019: What’s working, what’s not, and how to improve it" at the West Coast Anti Money-Laundering Forum
- Buckley Webcast: The future of the Community Reinvestment Act
- Hank Asbill to discuss "Creative character evidence in criminal and civil trials" at the Litigation Counsel of America Spring Conference & Celebration of Fellows
- Buckley Webcast: Amendments to the CFPB's proposed debt collection
- Brandy A. Hood to discuss "Flood NFIP in the age of extreme weather events" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "UDAAP compliance" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Major state law developments" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Leveraging big data responsibly" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "State examination/enforcement trends" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Benjamin K. Olson to discuss "LO compensation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- APPROVED Webcast: State and SAFE Act licensing requirements for banks
- John C. Redding to discuss "TCPA compliance in the era of mobile" at the Auto Finance Risk Summit
- Buckley Webcast: The next consumer litigation frontier? Assessing the consumer privacy litigation and enforcement landscape in 2019 and beyond
- Buckley Webcast: Data breach litigation and biometric legislation
- Buckley Webcast: Trends in e-discovery technology and case law
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program