Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • CFPB orders bank to pay $6.2 million; alleges overdraft fees violate CFPA, EFTA

    Federal Issues

    On December 7, the CFPB announced a consent order against a Virginia-based bank, alleging it engaged in deceptive acts and practices and failed to comply with Regulation E. According to the CFPB, the bank did not comply with Regulation E because it did not provide appropriate written disclosures before enrolling customers in its overdraft service and imposing overdraft fees. The CFPB alleged that under the bank’s procedures, branch employees would provide oral disclosures and obtain oral consent but did not provide customers with the required written consent form under Regulation E until the end of the account-opening process. According to the CFPB, while the bank changed its practices partway through the period covered by the consent order, the disclosures it provided were still inadequate. The bank allegedly “requested that new customers orally specify their enrollment decision before providing them with adequate written notice describing the [opt-in] service,” which thereby allegedly breached the Electronic Fund Transfer Act. 

    The CFPB also alleged the bank committed deceptive actions or practices when marketing opt-in overdraft services to consumers via telephone. Specifically, the CFPB alleged that the bank did not provide its customer service representatives with a script, which resulted in representatives failing to clearly differentiate between transactions covered by the bank’s standard versus its opt-in overdraft protection service. The CFPB asserted that these statements qualified as “representations and omissions of key information were likely to mislead consumers,” and that as a result, the Bank did not comply with the CFPA and Regulation E.  

    The consent order imposes a $1.2 million civil money penalty and requires the bank to refund at least $5 million to affected consumers. The consent order also requires the bank to obtain a new overdraft enrollment decision from affected consumers before charging overdraft fees. Moreover, the bank must also create and implement a comprehensive compliance plan to ensure its overdraft program complies with all applicable laws. Finally, the consent order requires the bank to monitor compliance, maintain records, and inform the CFPB of any changes or developments that could impact its compliance responsibilities in the consent order. 

    Federal Issues CFPB CFPA Regulation E Overdraft Disclosures Opt-In Enforcement

  • Updated Washington State Privacy Act re-introduced

    State Issues

    On January 5, the Washington State Privacy Act, SB 5062, (referred to as “2021 WPA” or “bill”) was re-introduced for the 2021-22 state legislative session with some notable changes from the 2020 version. (InfoBytes coverage of the 2020 Washington Privacy Act, SB 6281, available here.) Highlights of the 2021 WPA include:

    • Applicability. The bill will apply to legal entities that conduct business or produce products or services that are targeted to Washington consumers that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 25 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers (the 2020 version included a 50 percent gross revenue threshold). State and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records continue to be exempt from coverage. Additionally, the bill adds nonprofit corporations, air carriers, and institutions of higher education to the exemption list.
    • Consumer rights. Consumers will be able to exercise the following rights concerning their personal data: access; correction; deletion; access in a portable format; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
    • Controller responsibilities. Controllers required to comply with the bill will be responsible for (i) transparency in a privacy notice; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data. Notably, the 2021 WPA removes the requirement from the 2020 legislation that controllers conduct additional assessments each time a processing change occurs that materially increases the risk to consumers.
    • State attorney general. The bill explicitly precludes a private right of action but permits the state attorney general to bring actions and impose penalties of no more than $7,500 per violation. The bill removes the 2020 requirement that the AG submit a report evaluating the liability and enforcement provisions by 2022, but requires the AG to work in concert with the state’s office of privacy and data protection on a technology review report to be submitted to the governor by December 2022.
    • Right to cure. The bill includes a new 30-day right to cure any alleged violation after a warning letter is sent by the AG identifying the specific provisions believed to have been violated.
    • Preemption. Similar to the 2020 WPA, the bill would preempt local laws, ordinances, and regulations, but includes an exception for any laws, ordinances or regulations “regarding the processing of personal data by controllers or processors” that were adopted prior to July 1, 2020.

    State Issues Privacy/Cyber Risk & Data Security State Legislation Opt-In State Attorney General Privacy Rule

  • Washington state introduces comprehensive privacy bill

    Privacy, Cyber Risk & Data Security

    On January 13, Washington state lawmakers announced two bills designed to strengthen consumer access and control over personal data and regulate the use of facial recognition technology. Highlights of SB 6281, the Washington Privacy Act, include the following:

    • Applicability. SB 6281 will apply to legal entities that conduct business or produce products or services that are targeted to Washington consumers that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 50 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers. Exempt from SB 6281, among others, are state and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records.
    • Consumer rights. Consumers will be able to exercise the following concerning their personal data: access; correction; deletion; data portability; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
    • Controller responsibilities. Controllers required to comply with SB 6281 will be responsible for (i) transparency; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data, and conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.”
    • State attorney general. SB 6821 does not create a private right of action for individuals to sue if there is an alleged violation. However, the AG will be permitted to bring actions and impose penalties of no more than $7,500 per violation. The AG will also be required to submit a report evaluating the liability and enforcement provisions of SB 6281 by 2022 along with any recommendations for change.
    • Information sharing. SB 6281 will allow the state governor to enter into agreements with British Columbia, California, and Oregon, which will allow personal data to be shared for joint research initiatives.
    • Facial Recognition. SB 6281 will establish limits on the commercial use of facial recognition services. Among other things, the bill will require third-party testing on all services prior to deployment for accuracy and unfair performance, conspicuous notice when a service is deployed in a public space, and will require companies to receive consumer consent prior to enrolling an image in a service used in a public space.

    The second bill, SB 6280, will more specifically govern the use of facial recognition services by state and local government agencies, and, among other things, outlines provisions for the use of facial recognition services when identifying victims of crime, stipulates restrictions concerning ongoing surveillance, and requires agencies to produce an annual report containing a compliance assessment.

    As previously covered by InfoBytes, last year, New York introduced proposed legislation (see S 5642) that seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state. Provisions included in the measures introduced by New York and Washington state differ from those contained in the California Consumer Privacy Act (CCPA), which took effect January 1. (Previous InfoBytes coverage on the CCPA is available here.)

    Privacy/Cyber Risk & Data Security Privacy Rule State Issues State Legislation Consumer Protection State Attorney General Opt-In

  • 11th Circuit reverses dismissal of EFTA action alleging inadequate overdraft notice, denies EFTA safe harbor defense

    Courts

    On August 27, the U.S. Court of Appeals for the 11th Circuit reversed the dismissal of a consumer’s action against her credit union, in which the consumer alleged the credit union used the wrong balance calculation method to impose overdraft fees. According to the opinion, the consumer filed suit against the credit union for using an “available balance” calculation method to impose overdraft fees on her account when the credit union allegedly agreed to use the “ledger balance” method at the time of account opening, in violation of the Electronic Fund Transfer Act (EFTA) and various state law contract claims. The district court dismissed the action, concluding that the agreements “unambiguously permitted [the credit union] to assess overdraft fees using the available balance calculation.”

    On appeal, the 11th Circuit disagreed with the district court’s interpretation of the agreements. The court noted that while the opt-in overdraft agreement used by the credit union is based on Regulation E’s (the EFTA’s implementing regulation) Model Form A-9, the model does not address which account balance calculation method is used to determine whether a transaction results in an overdraft. The language chosen by the credit union, according to the appellate court, is “ambiguous because it could describe either the available or the ledger balance calculation method for unsettled debits” and therefore, does not describe the calculation in a “clear and readily understandable way” as required by Regulation E. Because the language was ambiguous, the consumer did not have the opportunity to affirmatively consent to the overdraft service. Moreover, the appellate court concluded that the credit union was not protected under the EFTA’s safe harbor because it used the Model Form A-9 text. Specifically, the appellate court reasoned that the “safe-harbor provision insulates financial institutions from EFTA claims based on the means by which the institution has communicated its overdraft policy,” but does not provide a shield from allegations of inadequacy. Because the consumer argued that the credit union violated the EFTA due to its failure to prove enough information to allow for affirmative consent, the safe-harbor provision does not preclude liability.

    Courts Appellate Eleventh Circuit Regulation E Overdraft Consumer Finance Opt-In EFTA

Upcoming Events