On April 4, the Colorado Court of Appeals reversed the trial court’s ruling assessing civil penalties against a foreclosure law firm for allegedly failing to disclose that its principals had an ownership interest in one of its vendors. The appeals court found that the civil penalty was not warranted because the failure to disclose “did not significantly impact members of the public as actual or potential consumers.” According to the opinion, the State of Colorado brought an enforcement action against a foreclosure law firm and its affiliated vendors, alleging, among other things, that the law firm and its vendors violated the Colorado Consumer Protection Act (the Consumer Act) by making “false or misleading statements of fact concerning the price” of their foreclosure services. The State argued that the relationship between the law firm and its vendors allowed the vendors to charge for services in excess of the market rate, pass on those costs to the law firm’s customers, and share a portion of the inflated costs with the law firm. While the trial court rejected two of the State’s claims against the defendants, it concluded that the law firm committed a deceptive practice under the Consumer Act that, “significantly impact[ed] the public as actual or potential consumers,” by failing to disclose its affiliated relationship with one of the vendors.
On appeal, the appellate court rejected the trial court’s conclusion that the alleged deception significantly impacted the public, noting that the deception was confined to two clients, Fannie Mae and Freddie Mac, in the context of their private agreements with the firm. Because the misrepresentation was in the context of a private relationship, and the tax-paying public were not “consumers of the law firm’s services for purposes of the Consumer Act,” the appellate court found the trial court erred when awarding the civil penalties under the Act. Moreover, the appellate court affirmed the trial court’s rejection of the State’s other claims against the law firm.
On April 2, the FDIC issued Financial Institution Letter FIL-19-2019 (Technology Service Provider Contracts), which describes examiner observations about gaps in financial institutions’ contracts with technology service providers (TSPs) that may require financial institutions to take additional steps to manage business continuity and incident response. Although not specifically referenced in FIL-19-2019, this latest FDIC guidance echoes themes set forth in the FDIC’s Office of Inspector General (OIG) Audit Report released in 2017 (covered in InfoBytes here). Specifically, examiners noted contractual deficiencies in recent reports of examination, including failing to: (i) adequately define rights and responsibilities regarding business continuity and incident response, or provide sufficient detail to allow financial institutions to manage those processes and risks; (ii) consistently require TSPs to maintain a business continuity plan, establish data recovery standards, and commit to contractual remedies if the TSP missed a data recovery standard; (iii) sufficiently detail the TSP’s security incident responsibilities, such as notifying the financial institution, regulators, or law enforcement; and (iv) clearly define key terms used in contractual provisions relating to business continuity and incident response.
FIL-19-2019 further stresses that supervised institutions are required to comply with the Interagency Guidelines Establishing Information Security Standards promulgated pursuant to the GLBA, which, among other things, set forth expectations for managing TSP relationships through contractual terms and ongoing monitoring. The FDIC references prior guidance establishing regulatory expectations, including: (i) Guidance for Managing Third-Party Risk (FIL-44-2008, issued June 6, 2008); and (ii) the Business Continuity Booklet set forth in the FFIEC IT Examination Handbook, which was updated in February 2015 to include a new appendix specific to managing service provider risks (Appendix J: Strengthening the Resilience of Outsourced Technology Services). FIL-19-2019 also contains a reminder to depository institutions that the Bank Service Company Act requires them to provide written notice to their respective federal banking agency of contracts or relationships with TSPs that provide certain services, including check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services.
On May 24, the OCC released its Semiannual Risk Perspective for Spring 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. Priorities focus on credit, operational, compliance, and interest risk, and while the OCC commented on the improved financial performance of banks from 2016 to early 2018, in addition to the “incremental improvement in banks’ overall risk management practices,” the agency also noted that risks previously highlighted in its Fall 2017 report have “changed only modestly.” (See previous InfoBytes coverage here.)
Specific areas of concern noted by the OCC include: (i) easing of commercial credit underwriting practices; (ii) increasing complexity and severity of cybersecurity threats; (iii) use of third-party service providers for critical operations; (iv) compliance challenges under the Bank Secrecy Act; (v) challenges in risk management involving consumer compliance regulations; and (vi) rising market interest rates, including certain risks associated with the “potential effects of rising interest rates, increasing competition for retail and commercial deposits, and post-crisis liquidity regulations for banks with total assets of $250 billion or more, on the mix and cost of deposits.” Additionally, concerns related to integrated mortgage disclosure requirements under TILA and RESPA, previously considered a key risk, have been downgraded to an issue to be monitored.
On January 18, the OCC announced the release of its Semiannual Risk Perspective for Fall 2017, identifying key risk areas for national banks and federal savings associations. Top supervisory priorities will focus on credit, operational, and compliance risk. As previously discussed in the spring 2017 semiannual report, compliance risk continues to be an ongoing concern, particularly as banks continue to adopt new technologies to help them comply with anti-money laundering rules and the Bank Secrecy Act (BSA), in addition to addressing increased cybersecurity challenges and new consumer protection laws. (See previous InfoBytes coverage here.) The OCC commented that these types of risks can be mitigated by banks with “appropriate due diligence and ongoing oversight.”
Specific areas of particular concern include the following:
- easing of commercial credit underwriting practices;
- increasing complexity and severity of cybersecurity threats, including phishing scams that are the primary method of breaching bank data systems;
- using limited third-party service providers for critical operations, which can create “concentrated points of failure resulting in systemic risk to the financial services sector”;
- compliance challenges under the BSA; and
- challenges in risk management involving consumer compliance regulations.
The report also raises concerns about new requirements under the Military Lending Act along with pending changes to data collection under the Home Mortgage Disclosure Act, which could pose compliance challenges. It further discusses a new standard taking effect in 2020 for measuring expected credit losses, which “may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.”
The data relied on in the report was effective as of June 30, 2017.
CFPB Issues Principles Concerning Security and Transparency for Financial Data Sharing and Third-Party Aggregation
On October 18, the CFPB published guidelines entitled “Consumer Protection Principles” (Principles), which are “intended to reiterate the importance of protecting consumers” when companies, including “fintech” firms, banks, and other financial institutions, get authorization from consumers to access their account data that reside in separate organizations to provide products and services. Earlier this year, industry groups responded to a CFPB request for information and weighed in on the benefits and risks associated with consumers authorizing third parties to access their financial and account information held by financial service providers. (See previous InfoBytes summary here.) Along with the Principles, the CFPB published a summary of stakeholder insights, which highlights the feedback received by the Bureau. Separately, on October 16, Senator Edward J. Markey (D-Mass.) sent a letter to Director Richard Cordray raising concerns about data security during the transfer of consumer data to third-party aggregators and highlighting the need for transparency concerning the use of the data.
The Principles address the following areas: (i) data access; (ii) data scope and usability; (iii) control of data and informed consent; (iv) payment authorizations; (v) data security; (vi) transparency on data access rights; (vii) data inaccuracies; (viii) dispute rights and unauthorized access resolution; and (ix) mechanisms for efficient and effective accountability.
Notably, the Bureau recognized that there already exist statutes and regulations that apply to consumer protections in this market. As such, the Principles “are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—the scope of those existing protections,” and therefore do not establish “binding requirements.”
On September 18, the Community Home Lenders Association and the Community Mortgage Lenders of America sent a joint letter to Treasury Secretary Mnuchin urging relief for smaller independent mortgage bankers from CFPB supervision, enforcement, and vendor management audits. Specifically, the trade groups requested support for legislation that would help eliminate the risk of enforcement actions from the CFPB for smaller nonbanks. The letter cites the conclusions drawn in the Treasury Report on financial regulations, released in June (this report was a product of the February Executive Order, covered by a Buckley Sandler Special Alert). Of particular interest to the trade groups was the report’s conclusion that Congress should repeal the CFPB’s supervisory authority and return the supervision of nonbanks to state regulators.
On August 30, the CFPB posted revisions to its Compliance Management Review Examination Procedures, part of its Supervision and Examination Manual, which are intended to provide guidance for institutions when developing and maintaining compliance management systems (CMS). The Bureau advises that to maintain legal compliance, institutions must integrate and support an effective CMS “into the overall framework for product design, delivery, and administration across their entire product and service lifecycle,” and are required to manage relationships with service providers to ensure compliance with applicable federal consumer financial laws. The CFPB notes that an effective CMS comprises two interdependent control components: (i) “Board and Management Oversight”; and (ii) a “Compliance Program,” including policies and procedures, training, monitoring and/or auditing, and consumer complaint response processes. Updates have been made to the Examination Report Template, which provides the scope of review and the consumer compliance rating based on the findings of the exam, and to the Supervisory Letter Template, which references matters requiring attention or that need to be corrected based on the Bureau’s review.
Basel Committee on Banking Supervision Issues Consultative Document on Implications of Fintech for the Banking Industry
As waves of innovative financial technology (fintech) continue to reshape the financial services landscape, banking institutions and their supervisors have invested significant effort in analyzing its impact and developing an appropriate response. On August 31, the Basel Committee on Banking Supervision (BCBS), the primary global standard setter for the prudential regulation of banks, weighed in. Through the release of a consultative document, Sound Practices: Implications of fintech developments for banks and bank supervisors, the BCBS identified 10 key observations, accompanied by 10 recommendations, for banks and bank supervisors to address the challenges posed by advances in fintech.
The report summarizes the main findings of a BCBS task force established to analyze developments in fintech and their impact on the banking industry. Quantifying the size and growth of fintech is difficult; among other reasons, most jurisdictions have not formally defined “fintech” (notably, the report includes a glossary of terms and acronyms related to the delivery of fintech products and services, and is the first attempt by the BCBS to provide a common definition in this space). Yet the significant number of financial products and services derived from fintech innovations and the trend of rising investment in fintech companies globally warrants attention. As the BCBS acknowledges, while the impact of fintech on banking remains uncertain, “that change could be fast-paced and significant.”
In its report, the BCBS observes that the rise of fintech innovation has resulted in “a battle for the customer relationship and customer data,” the result of which “will be crucial in determining the future role of banks.” To assess the impact of the evolution of fintech products and services, the BCBS identified five stylized scenarios describing the potential impact of fintech on banks. In addition, the BCBS assessed six case studies focused on specific innovations (e.g., big data, cloud computing, innovative payment services, and neo-banks), in order to understand the individual risks and opportunities of a specific fintech development through the different scenarios. The extent to which banks or new fintech entrants will own the customer relationship varies across the scenarios. However, in almost every scenario, the position of the incumbent banks will be challenged. The BCBS finds that “a common theme across the various scenarios is that banks will find it increasingly difficult to maintain their current operating models, given technological change and customer expectations.”
In analyzing fintech’s potential impact, the BCBS examines previous waves of innovation in banking, such as ATMs, electronic payments, and the Internet. While each of these has changed the face of banking, the BCBS highlights two key differences concerning fintech’s potential impact: the current pace of innovation is faster than in previous decades, and the pace of adoption has also increased. As a result, the Committee warns, “the effects of innovation and disruption can happen more quickly than before, implying that incumbents may need to adjust faster.”
The BCBS stated that banking standards and supervisory expectations “should be adaptive to new innovations, while maintaining appropriate prudential standards.” Against this backdrop, the Committee concluded its report with 10 key observations and recommendations for consideration by banks and bank supervisors.
- The overarching need to ensure safety and soundness and high compliance standards without inhibiting beneficial innovation in the banking sector;
- Key risks for banks related to fintech developments, including strategic/profitability risks, operational, cyber and compliance risks;
- Implications for banks of the use of innovative enabling technologies;
- Implications for banks of the growing use of third parties, via outsourcing and/or partnerships;
- Cross-sectoral cooperation between supervisors and other relevant authorities;
- International cooperation between banking supervisors;
- Adaptation of the supervisory skillset;
- Potential opportunities for supervisors to use innovative technologies ("suptech");
- Relevance of existing regulatory frameworks for new innovative business models; and
- Key features of regulatory initiatives set up to facilitate fintech innovation.
By issuing this guidance, BCBS is prompting global regulators to address technological advancements and novel business models with the same sense of urgency that the banking and fintech industries are employing. It will be incumbent on the financial services industry – traditional and novel business models alike – to work together to inform and shape what those supervisory guidelines will look like.
Comments on BCBS’s consultative document will be accepted through October 31, 2017.
On August 15, the FTC issued a press release announcing a settlement with a ride-sharing company over allegations that it violated the Federal Trade Commission Act by making deceptive claims about its privacy and data practices. According to the complaint, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases was secure, but, according to the FTC, failed to implement reasonable measures to prevent unauthorized access to consumer and driver data maintained by the ride-sharing company’s third-party cloud service provider. Both counts, the FTC alleged, demonstrated false or misleading representations. In the press release, FTC Acting Chairman Maureen K. Ohlhausen said, “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Under the terms of the decision and order, the company has agreed to establish, implement, and maintain a written “comprehensive privacy program,” reasonably designed to: (i) “address privacy risks related to the development and management of new and existing products and services for consumers,” and (ii) “protect the privacy and confidentiality of Personal Information.” The company is also required to obtain biennial independent third-party assessments to address privacy controls requirements and “certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Personal Information and that the controls have operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 15, at which point the FTC will decide whether to make the proposed consent order final.
On August 7, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert entitled “Observations from Cybersecurity Examinations,” which provides findings and observations concerning industry practices and legal and compliance issues related to cybersecurity preparedness. The SEC examined 75 SEC-registered firms as part of its Cybersecurity 2 Initiative and noted an overall improvement in terms of (i) creating and implementing cybersecurity policies and procedures and response plans; (ii) conducting periodic risk assessments to identify threats and vulnerabilities; (iii) implementing measures to ensure regular system maintenance checks; (iv) maintaining processes for identifying cybersecurity roles and responsibilities; (v) obtaining authorization from customers and shareholders for fund transfers; and (vi) conducting vendor risk assessments or requiring risk management from vendors. However, the SEC identified areas in need of improvement, such as failure to tailor or enforce policies and procedures or to conduct adequate system maintenance to safeguard customer information. Also included in the alert are examples of best practices and guidance for firms to follow when implementing cybersecurity-related policies and procedures.
Separately, that same day the International Monetary Fund (IMF) released a working paper discussing cyber risk awareness and the policy measures, regulatory frameworks, and supervisory measures affecting financial institutions’ approaches to systemic cyber risk. The IMF paper, entitled “Cyber Risk, Market Failures, and Financial Stability,” presents an overview of recent cyberattacks on the financial services industry, and stresses that cyber risk management requires that risks identified as part of a threat identification process must be “actively managed” to “ensure that cybersecurity-related measures are appropriate for and commensurate with the underlying risk.” Risk avoidance, risk reduction, and risk transfer are options for effective management. The paper further notes that, as a result of a predominance of cyber risk assessment centering on individual institutions (which constructs a relatively narrow view), insufficient attention has been given to systemic cyber risk that occurs commonly when financial institutions are exposed to “access vulnerabilities, risk concentration, risk correlations, or contagion effects (including through reputational channels).” The paper states that a need exists for regulatory reform and effective policy change “to build resilience through investment in cyber security while giving institutions flexibility to address the risks in the way they see as optimal.” Suggestions for measures—including national and international coordination—to strengthen resilience to cyber risk are also provided.