Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On February 6, the CFPB announced a settlement with an Indiana-based payday retail lender and affiliates (companies) in seven states to resolve alleged violations of the Consumer Financial Protection Act (CFPA), Truth in Lending Act (TILA), and Gramm-Leach-Bliley Act (GLBA) privacy protections. The CFPB alleges that the companies engaged in unfair acts or practices, failed to properly disclose annual percentage rates, and failed to provide consumers with required initial privacy notices.
Specifically, the Bureau alleges that the companies violated CFPA’s UDAAP provisions by, among other things, (i) failing to implement processes to prevent unauthorized charges, including those resulting from unauthorized draws on borrowers’ bank accounts; (ii) requiring loan applicants to provide contact information for their employers, supervisors, and four personal references, and then repeatedly calling employers to seek payments when borrowers became delinquent; (iii) disclosing the borrower’s financial information during those calls and, in certain instances, asking the third party to make payments on the loan; (iv) misusing personal references for marketing purposes; and (v) advertising check-cashing and telephone reconnection services they were no longer providing.
While the companies have not admitted to the allegations, they have agreed to pay a $100,000 civil money penalty and are prohibited from continuing the illegal behavior.
On August 10, the CFPB issued final amendments to Regulation P, which implements the Gramm-Leach-Bliley Act and provides, among other things, exemptions for financial institutions from sending annual privacy notices to consumers provided they meet certain conditions. The final rule—originally proposed in July 2016 (as previously covered in InfoBytes here)—implements a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act,” which permits certain exemptions provided a qualifying financial institution (i) has not changed its privacy notice from the one previously delivered to its customer, and (ii) limits its sharing of a customer’s nonpublic personal information with nonaffiliated third parties so that a customer does not have the right to opt out, as otherwise afforded under the statute and Regulation P. The final rule will not affect the collection or use of a customer’s nonpublic personal information, and all financial institutions are still required to deliver initial privacy notices to customers. Moreover, the final rule establishes requirements for alternative delivery methods and provides deadlines for financial institutions that lose the exception and are required to resume delivery of annual privacy notices.
The amendments to Regulation P will take effect 30 days after publication in the Federal Register.
FTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations
On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and security rules, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act’s Privacy Rule (Regulation P) and Safeguards Rule. In its complaint, the FTC alleged that the company violated the Safeguards Rule, which requires financial institutions under FTC jurisdiction toprotect customer information by developing, implementing, and maintaining a comprehensive information security program that satisfies certain requirements. The complaint alleged that, because the company failed to implement these requirements and did not have in place adequate risk-based authentication measures, hackers were able to conduct a “list validation attack” between October 2015 and December 2015, which gave them full access to nearly 9,000 customer accounts. Hackers then used the acquired information to engage in tax identity theft. In addition, the FTC alleges that the company failed to notify customers of the list validation attack or alterations until a user called in January 2016 to report suspicious activity, and failed to delivery privacy notices to customers as required by the Privacy Rule.
Under the terms of the decision and order, the company, among other things, is required for 10 years to obtain biennial independent third-party assessments to address the effectiveness of the company’s security programs and safeguard measures to “certify that [the company’s] security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 29, at which point the FTC will decide whether to make the proposed consent order final.
- Daniel P. Stipano to discuss "Dynamic customer due diligence and beneficial ownership from KYC to ongoing CDD and the new rule implementation" at the Puerto Rican Symposium of Anti-Money Laundering
- Michelle L. Rogers to discuss "Preparing for servicing exams in the current regulatory environment" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Jon David D. Langlois to discuss "Regulatory risks of convenience fees" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- APPROVED Webcast: NMLS Annual Conference & Ombudsman Meeting: Review and recap
- Brandy A. Hood to discuss "Keeping your head above water in flood insurance compliance" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Melissa Klimkiewicz to discuss "Servicing super session" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Jessica L. Pollet to discuss "Law & compliance speedsmarts" at the American Financial Services Association Law & Compliance Symposium
- Daniel P. Stipano to discuss "Lessons learned from recent high profile enforcement actions" at the Florida International Bankers Association AML Compliance Conference
- Moorari K. Shah to provide "Regulatory update – California and beyond" at the National Equipment Finance Association Summit
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Spring Regulatory Compliance School
- Aaron C. Mahler to discuss "Regulation B/fair lending" at the National Association of Federally-Insured Credit Unions Spring Regulatory Compliance School
- Heidi M. Bauer to discuss "'So you want to form a joint venture' — Licensing strategies for successful JVs" at RESPRO26
- Jonice Gray Tucker to to discuss "DC policy: Everything but the kitchen sink" at CBA Live
- Jonice Gray Tucker to discuss "Small business & regulation: How fair lending has evolved & where are we heading?" at CBA Live
- Daniel P. Stipano to discuss "Lessons learned from ABLV and other major cases involving inadequate compliance oversight" at the ACAMS International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "A year in the life of the CDD final rule: A first anniversary assessment" at the ACAMS International AML & Financial Crime Conference
- Moorari K. Shah to discuss "State regulatory and disclosures" at the Equipment Leasing and Finance Association Legal Forum
- Hank Asbill to discuss "Creative character evidence in criminal and civil trials" at the Litigation Counsel of America Spring Conference & Celebration of Fellows
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program