Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 14, the Massachusetts attorney general announced the launch of an investigation to determine if an international wireless carrier had proper safeguards in place to protect consumer and mobile device information after a major data breach that allegedly compromised personally-identifying information of more than 50 million people. According to the carrier’s announcement, in July, the carrier experienced a breach where personally-identifying information, such as names, drivers’ license information, Social Security numbers, and addresses, among other things, of approximately 13.1 million current customers and 40 million former and prospective customers were compromised. According to the AG, the office is also investigating the circumstances of the breach and the steps the company is taking to address it and notify consumers. The AG urged affected consumers to take precautions “to ensure their information is safe, and to prevent identity theft and fraud” as the carrier continues to contact individuals. She also encouraged customers to utilize the free theft protection services being offered by the carrier, such as scam and account take-over protection for their cell phones, and to take precautionary steps, such as placing a credit freeze on credit reports.
On September 15, acting Comptroller of the Currency Michael J. Hsu spoke before the Exchequer Club to discuss several agency priorities relating to reducing inequality, adapting to digitization, acting on climate change, and guarding against complacency. In prepared remarks, Hsu stressed the importance of safeguarding trust in banking. While he acknowledged the value of strong rules and regulations, Hsu cautioned that rules “are not adaptive to emerging risks” and “cannot perceive and respond to trends and developments that may erode or threaten trust.” He further emphasized that regulators must coordinate efforts to ensure stability and fairness, and pointed to the growth of cryptocurrency and decentralized finance as areas where it is imperative that regulators work together to ensure activities taking place within the banking system or those that are facilitated by banks are trustworthy. “Innovation is important, but safeguarding trust is paramount,” Hsu stressed. Additionally, Hsu noted that “coordination among all financial regulators will also be needed in the future to ensure a level playing field and limit regulatory arbitrage and to keep shadow banking at a safe distance from the regulated financial system. These goals cannot be achieved if the financial regulatory agencies, including state banking supervisors, do not work together. Public trust in bank regulators will rise or fall depending on our ability to do so.”
On September 16, the FDIC announced the launch of a new capital investment vehicle to support insured Minority Depository Institutions (MDIs) and Community Development Financial Institutions (CDFIs) that provide capital and financial services to low- and moderate-income, minority, and rural communities. The Mission-Driven Bank Fund supports the FDIC’s commitment to preserving and promoting mission-driven institutions, and provides investors with an opportunity to support these institutions, enabling MDIs and CDFIs to provide affordable financial products and services, stimulate economic and community development, and build opportunity and prosperity. Among other things, the fund’s collaborative investment framework will channel private capital and other resources to allow institutions to (i) raise the necessary capital to better serve their communities; (ii) weather economic downturns and recover faster; (iii) attract technical expertise to grow operations and expand services; (iv) “acquire, deploy, and maintain technology solutions”; and (v) “build capacity and scale.” The FDIC notes that it “will retain an advisory role to support the fund’s mission, but will not contribute capital to, manage, or be involved in investment decisions of, the fund.”
On September 15, FHFA issued a notice requesting public comment on a proposed rule that would amend the regulatory capital framework for Fannie Mae and Freddie Mac (collectively, “GSEs”). The proposed rule would amend the prescribed leverage buffer amount (PLBA) and the capital treatment of credit risk transfers (CRT) to encourage more distribution of credit risk between the GSEs and private investors. Specifically, FHFA is proposing to: (i) change the fixed PLBA equal to 1.5 percent of a GSE’s adjusted total assets to a dynamic PLBA of 50 percent of the GSE’s stability capital buffer; (ii) “replace the prudential floor of 10 percent on the risk weight assigned to any retained CRT exposure with a prudential floor of 5 percent on the risk weight assigned to any retained CRT exposure”; and (iii) eliminate the requirement that a GSE is required to apply an overall effectiveness adjustment to its retained CRT exposures in line with the framework’s securitization framework. Comments on the proposal must be submitted within 60 days of publication in the Federal Register.
On September 15, the FTC announced significant changes in the agency’s rulemaking process that represent “a significant step to increase public participation and accountability around the work of the FTC.” According to the announcement, the Commission approved changes to the FTC’s “Rules of Practice,” which are “designed to make it easier for members of the public to petition the agency for new rules or changes to existing rules that are administered by the FTC.” The changes, which are a key part in the opening of the FTC’s regulatory processes to public input and scrutiny, is a departure from the previous practice where the Commission did not have an obligation to address petitions for agency action. The updates clarify the information that is required for petition submissions and notes the data that the Commission finds helpful in its review. In addition, the changes require that the Commission publish petitions for rulemaking in the Federal Register and solicit public comment for the same. Finally, under the new rules, the Commission must provide petitioners with a specific point of contact in the agency and must respond to petitioners to communicate its decision regarding the petition. The new changes will also apply to requests by certain parties for special exemption from FTC rules, as well as petitions related to industry guidance issued by the Commission.
On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and ensures that entities not covered by HIPPA are held accountable in the event of a security breach. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day. The FTC’s policy statement (approved by a 3-2 vote) clarifies the Rule’s scope and puts companies on notice of their reporting obligations. According to the FTC, health apps that are increasingly collecting sensitive and personal data from consumers have a responsibility to ensure the collected data is secured from unauthorized access. However, the FTC expressed concern that there are still few applicable privacy protections. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
On September 16, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to the Foreign Narcotics Kingpin Designation Act against a leader of a Columbia-based international drug trafficking organization. OFAC noted that the designated individual “strategically located maritime corridors in northern Colombia and collects a per kilogram tax from narcotics traffickers for protection and safe passage of multi-ton shipments of narcotics through the [organization’s] area of control.” OFAC also designated three individuals and two entities closely related to the organization’s leader for providing material support to the narcotics trafficking activities. As a result of the sanctions, all property and interests in property belonging to the sanctioned individual subject to U.S. jurisdiction are blocked and must be reported to OFAC. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons.
On September 15, the SEC announced whistleblower awards totaling nearly $114 million to two whistleblowers who provided information and assistance leading to successful SEC and related actions. According to the redacted order, the first whistleblower was awarded $110 million for providing “significant independent information that bridged the gap between certain publicly available information and the possible securities violations.” The SEC noted that the “$110 million award consists of an approximately $40 million award in connection with an SEC case and an approximately $70 million award arising out of related actions by another agency.” The $110 million award is the second-highest award in the program's history, following an approximately $114 million whistleblower award the SEC issued in October 2020 (covered by InfoBytes here). After the SEC staff opened an investigation and undertook significant investigative steps, a second whistleblower voluntarily provided original information and received an approximately $4 million award.
The SEC has awarded approximately $1 billion in whistleblower awards to 207 individuals since issuing its first award in 2012, which includes over $500 million in fiscal year 2021 alone.
On September 13, the California Department of Financial Protection and Innovation (DFPI) issued a notice detailing a new requirement that mortgage servicers provide information to DFPI describing the actions servicers are taking to help homeowners avoid foreclosure. According to the announcement, DFPI intends to “ensure that licensees tell consumers about assistance that is or will soon be available to delinquent mortgage borrowers and document their good faith efforts toward screening borrowers for applicable loan modifications, mortgage relief funds and other protections, including the upcoming federal Homeowner Assistance Fund,” which licensees are strongly encouraged to participate in. To protect vulnerable homeowners, DFPI will require licensees handling residential mortgages, either directly or through sub-servicers, to provide information describing the servicer’s: (i) screening process for determining borrower eligibility for foreclosure aid; (ii) compliance policies and procedures regarding loss mitigation; and (iii) assessment of the “magnitude of foreclosure risk among the loans they service.”
The same day, DFPI released a social media campaign designed to educate consumers about the California Homeowner Bill of Rights, the availability of HUD-certified housing counselors, and foreclosure options, among other things. The announcement also notes that DFPI recently launched a multi-pronged communications campaign to educate consumers and protect homeowners from foreclosure.
On September 14, the SEC announced a settlement with an alternative data provider and one of the company’s co-founders (collectively, "respondents") resolving allegations that the company violated antifraud provisions by engaging in deceptive practices and making material misrepresentations regarding alternative data. According to the order, the respondents understood that companies would share their confidential app performance data if they promised not to disclose it to third parties. As a result, the respondents assured companies that their data would be aggregated and anonymized before being used by a statistical model to generate estimates of app performance. However, the respondents, between 2014 and mid-2018, utilized non-aggregated and non-anonymized data to alter its model-generated estimates to make them more valuable to sell to trading firms. The SEC alleged that the respondents violated provisions of the Exchange Act, such as Section 10(b) and Rule 10b-5 thereunder, because their misrepresentations and other deceptive practices misled subscribers regarding how the company’s intelligence estimates were calculated. The order, to which the respondents consented, imposes civil money penalties of $300,000 and $10 million. The order also provides that the company must cease and desist from committing or causing any future violations of the Exchange Act, and prohibits the co-founder from serving as an officer or director of a public company for three years.
- Buckley Webcast: Best practices for incident-response planning in a dangerous and regulated world
- Jonice Gray Tucker to discuss “Government investigations, and compliance 2021 trends” at the Corporate Counsel Women of Color Career Strategies Conference
- APPROVED Webcast: California debt collection license requirement: Overview and analysis
- Max Bonici to discuss “BSA/AML trends: What to expect with the implementation of the AML Act of 2020” at the American Bar Association Banking Law Fall Meeting
- Jeffrey P. Naimon to discuss “Regulators are gearing up: Are you ready?” at HousingWire Annual
- Amanda R. Lawrence and Elizabeth E. McGinn discuss “U.S. state privacy legislation – Are you compliant?” at the Privacy+Security Forum
- H Joshua Kotin to discuss “Modifications and exiting forbearance” at the National Association of Federal Credit Unions Regulatory Compliance Seminar
- Jonice Gray Tucker to discuss “Fintech trends” at the BIHC Network Elevating Black Excellence Regional Summit
- Jeffrey P. Naimon to discuss "Truth in lending” at the American Bar Association National Institute on Consumer Financial Services Basics
- John R. Coleman and Amanda R. Lawrence to discuss “Consumer financial services government enforcement actions – The CFPB and beyond” at the Government Investigations & Civil Litigation Institute Annual Meeting
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Jonice Gray Tucker to discuss “Regulators always ring twice: Responding to a government request” at ALM Legalweek