
InfoBytes Blog

Financial Services Law Insights and Observations


  • House committees move forward on data privacy

    Privacy, Cyber Risk & Data Security

    On March 1, the House Subcommittee on Innovation, Data, and Commerce, a subcommittee of the House Energy and Commerce Committee, held a hearing entitled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy” to continue discussions on the need for comprehensive federal privacy legislation. House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) delivered opening remarks, commenting that discussions during the hearing will build upon the bipartisan American Data Privacy and Protection Act (ADPPA), which advanced through the committee last July by a vote of 53-2. As previously covered by InfoBytes, the ADPPA (see H.R. 8152) was sent to the House floor during the last Congressional session, but never came up for a full chamber vote. The bill has not been reintroduced yet.

    A subcommittee memo highlighted that absent a comprehensive federal standard, “there are insufficient limits to what types of data companies may collect, process, and transfer.” The subcommittee flagged the data broker industry as an example of where there are limited restrictions or oversight to prevent the creation of consumer profiles that link sensitive data to individuals. Other areas of importance noted by the subcommittee relate to data security protections, data minimization requirements, digital advertising, and privacy enhancing technologies. The subcommittee heard from witnesses who agreed that a comprehensive privacy framework would benefit consumers.

    One of the witnesses commented in prepared remarks that preemption is key, calling the current patchwork of state laws confusing and costly to businesses and consumers. “Consumers need a strong and consistent law to protect them across jurisdictions and market sectors, and to clarify what privacy rights they should expect and demand as they navigate the marketplace,” the witness said. The witness also stated that the FTC is currently relying on outdated law, noting that while Section 5 of the FTC Act is frequently used, “virtually all of the FTC’s privacy and data security cases are settlements. That means that many of the legal theories advanced, as well as the remedies obtained, have never been tested in court.”

    In advance of the hearing, the California governor, the California attorney general, and the California Privacy Protection Agency sent a joint letter opposing preemption language contained in H.R. 8152. “[B]y prohibiting states from adopting, maintaining, enforcing, or continuing in effect any law covered by the legislation, [the ADPPA] would eliminate existing protections for residents in California and sister states,” the letter warned. The letter asked Congress “to set the floor and not the ceiling in any federal privacy law” and “allow states to provide additional protections in response to changing technology and data privacy protection practices.”

    Separately, at the end of February, Chairman of the House Financial Services Committee, Patrick McHenry (R-NC), introduced the Data Privacy Act of 2023 (see H.R. 1165). The bill moved out of committee by a 26-21 vote, and now goes to the full House for consideration. Among other things, the bill would modernize the Gramm-Leach-Bliley Act to better align the statute with the evolving technological landscape. The bill would also ensure consumers understand how their data is being collected and used and grant consumers power to opt out of the collection of their data and request that their data be deleted at any time. Additional provisions are intended to protect against the misuse or overuse of consumers’ personal data and impose disclosure requirements relating to data collection methods, how data is used and who it is shared with, data retention policies, and informed choice. The bill is designed to provide consistency across the country to reduce compliance burdens, McHenry said.

    Privacy, Cyber Risk & Data Security Federal Issues Federal Legislation House Energy and Commerce Committee House Financial Services Committee Gramm-Leach-Bliley State Issues CPPA Consumer Protection

  • 4th Circuit remands privacy suit to state court

    Privacy, Cyber Risk & Data Security

    On February 21, the U.S. Court of Appeals for the Fourth Circuit held that a proposed class action over website login procedures belongs in state court. Plaintiff alleged that after a nonparty credit reporting agency experienced a data breach, it used the defendant subsidiary’s website to inform customers whether their personal data had been compromised. Because the defendant’s website required the plaintiff to enter six digits of his Social Security number to access the information, the plaintiff alleged violations of South Carolina’s Financial Identity Fraud and Identity Theft Protection Act and the state’s common-law right to privacy. Under the state statute, companies are prohibited from requiring consumers to use six digits or more of their Social Security number to access a website unless a password, a unique personal identification number, or another form of authentication is also required. According to the plaintiff, the defendant’s website did not include this requirement.

    The defendant moved the case to federal court under the Class Action Fairness Act and requested that the case be dismissed. Plaintiff filed an amended complaint in federal court, as well as a motion asking the district court to first determine whether it had subject matter jurisdiction, given the U.S. Supreme Court’s ruling in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here). Although the district court held that the plaintiff had alleged “an intangible concrete harm in the manner of an invasion of privacy,” which it said was enough to give it subject-matter jurisdiction “at this early stage of the case,” it dismissed the case after determining the plaintiff had not plausibly stated a claim. 

    In reversing and remanding the action, the 4th Circuit found that the plaintiff alleged only a bare statutory violation and had not pled a concrete injury sufficient to confer Article III standing in federal court. The appellate court vacated the district court’s decision to dismiss the case and ordered the district court to remand the case to state court. The 4th Circuit took the position that an intangible harm, such as a plaintiff “enduring a statutory violation,” is insufficient to confer standing unless there is a separate harm “or a materially increased risk of another harm” associated with the violation. “[Plaintiff] hasn’t alleged—even in a speculative or conclusory fashion—that entering six digits of his SSN on [defendant’s] website has somehow raised his risk of identity theft,” the 4th Circuit said. In conclusion, the 4th Circuit wrote: “We offer no opinion about whether the alleged facts state a claim under the Act. Absent Article III jurisdiction, that’s a question for [plaintiff] to take up in state court.”

    Privacy, Cyber Risk & Data Security Courts State Issues Class Action Data Breach Credit Reporting Agency Consumer Protection Appellate Fourth Circuit

  • Republican lawmakers ask about risks of customers’ digital assets on balance sheets

    Securities

    On March 2, Senator Cynthia M. Lummis (R-WY) and Representative Patrick McHenry (R-NC) sent a letter to the Federal Reserve Board, FDIC, OCC, and NCUA requesting input on SEC guidance issued last year that directs cryptocurrency firms to account for customers’ digital assets on their balance sheets. Last April, the SEC issued Staff Accounting Bulletin No. 121 (SAB 121), covering obligations for safeguarding crypto-assets held by entities for platform users. Among other things, SAB 121 clarified that entities should track customer assets as a liability on their balance sheets. “[A]s long as Entity A is responsible for safeguarding the crypto-assets held for its platform users, including maintaining the cryptographic key information necessary to access the crypto-assets, the staff believes that Entity A should present a liability on its balance sheet to reflect its obligation to safeguard the crypto-assets held for its platform users,” SAB 121 explained.

    Claiming that SAB 121 “purports to require banks, credit unions and other financial institutions to effectively place digital assets on their balance sheets,” the lawmakers argued that this “would trigger a massive capital charge,” and in turn would likely prevent regulated entities from engaging in digital asset custody. Rather, regulators should encourage regulated financial institutions to offer digital asset services, since they are subject to the highest level of oversight, the letter said. Among other things, the letter asked the regulators whether the SEC contacted them prior to issuing the guidance, and if they have directed regulated financial institutions to comply with SAB 121. The lawmakers also inquired whether the regulators “agree that SAB 121 potentially weakens consumer protection by preventing well-regulated banks, credit unions, and other financial institutions from providing custodial services for digital assets[.]” The letter pointed to the bankruptcy case of a now-defunct crypto lender, which classified all customers as unsecured creditors, as an example of the legal risk of requiring customer custodial assets be placed on an entity’s balance sheet. “SAB 121 places customer assets at greater risk of loss if a custodian becomes insolvent or enters receivership, violating the SEC’s fundamental mission to protect customers,” the lawmakers wrote.

    Securities SEC Digital Assets Cryptocurrency Congress Federal Reserve FDIC OCC NCUA Accounting Fintech

  • OFAC settles with Indian tobacco company on North Korean transactions

    Financial Crimes

    On March 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $332,500 settlement with an India-registered tobacco company to resolve allegations that it “requested payment in U.S. dollars for its indirect exportation of tobacco to the Democratic People’s Republic of Korea [(DPRK)].” According to OFAC’s web notice, in late 2016, an assistant manager at the company and a representative from a Thai intermediary began communicating about a prospective order of tobacco from a DPRK customer. A decision was eventually made not to include the DPRK customer or to list the DPRK in trade documents for the order. Rather, the order listed the Thai intermediary as the customer and China as the destination. OFAC maintained that the company issued three invoices to the Thai intermediary for its tobacco orders, and asked that payments be sent in USD to either the company’s bank account at a non-U.S. bank in India or to the India-branch of a U.S. bank. Between July and August 2017, four Hong Kong-organized intermediaries remitted funds to the company for these shipments and made five payments totaling approximately $369,228. Four of the five USD payments were sent to the non-U.S. bank, causing three U.S. financial institutions to clear the payments. The fifth payment was sent to the India-branch of a U.S. bank. By directing the Hong Kong intermediaries to remit payments in USD, OFAC claimed the company “caused U.S. correspondent banks that processed the payments, as well as the foreign branch of a U.S. bank, to export financial services to or otherwise facilitate the exportation of tobacco to the DPRK” in violation of the North Korea Sanctions Regulations.

    In arriving at the settlement amount, OFAC determined, among other things, that several managers had actual knowledge of the alleged conduct at issue, and that the company “acted recklessly” by “fail[ing] to exercise a minimal degree of caution or care for U.S. sanctions laws and regulations and caus[ing] U.S. financial institutions to export financial services or otherwise facilitate the exportation of tobacco to the DPRK.”

    OFAC also considered various mitigating factors, including that the company has not received a penalty notice from OFAC in the preceding five years. Additionally, the company undertook remedial measures upon learning of the alleged violations, cooperated with OFAC throughout the investigation, and agreed to toll the statute of limitations, the notice said.

    Providing context for the settlement, OFAC said that this action “highlights the deceptive practices DPRK entities use to evade U.S. and international sanctions and acquire revenue-generating goods, such as by employing intermediaries in various countries to coordinate shipping and make payments.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Settlement North Korea Enforcement

  • OFAC sanctions timeshare fraud network

    Financial Crimes

    On March 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 14059, against eight Mexican companies connected to timeshare fraud on behalf of the Cartel de Jalisco Nueva Generacion (CJNG). The CJNG is also designated under E.O. 14059. OFAC described timeshare fraud typology, explaining that schemes often involve third-party scammers who claim to have ready buyers and make unsolicited purchase offers to timeshare owners. If these offers are accepted, the scammers ask timeshare owners to pay advance fees and taxes to “facilitate or expedite the sale with assurances of reimbursement upon closing.” However, timeshare owners, after making multiple payments, eventually realize that the offers do not exist and lose their money, OFAC said. In conjunction with the sanctions, OFAC issued an alert warning that perpetrators of timeshare fraud may falsely claim to represent OFAC to appear legitimate and further their fraud.

    As a result of the sanctions, all property and interests in property of the designated persons located in the U.S. or held by U.S. persons is blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons unless authorized by an OFAC-issued general or specific license, or exempt. OFAC further warned that “U.S. persons may face civil or criminal penalties for violations of E.O. 14059 and the Kingpin Act.”   

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Mexico SDN List

  • Fannie says appraisals are no longer required to establish market value

    Agency Rule-Making & Guidance

    On March 1, Fannie Mae issued a Selling Guide announcement to introduce a range of options for establishing a property’s market value, noting that it is “moving away from implying that an appraisal is a default requirement.” As part of Fannie’s efforts to improve the efficiency and accuracy of the home valuation process, it is rolling out choices that balance “traditional appraisals with appraisal alternatives.” Options introduce the term “value acceptance,” which will be “used in conjunction with the term ‘appraisal waiver’ to better reflect the actual process of using data and technology to accept the lender-provided value.” A new option, “value acceptance + property data” will use property data collected by vetted third parties that conduct interior and exterior data collection on a property. This data will be used by the lender to confirm property eligibility (an appraisal will not be required). “Hybrid appraisals” will be “based on interior and exterior property data collection by a vetted and trained third-party that is provided to an appraiser to inform the appraisal.” Fannie explained that hybrid appraisals will be “permitted for certain one-unit transactions where value acceptance + property data was initially started, but changes in loan characteristics results in the transaction not being eligible for that option.”

    The updates also allow for alternative methods to the Appraisal Update and/or Completion Report, including a borrower/builder attestation letter verifying completion of construction, and a borrower attestation letter confirming completion of repairs for existing construction. The updates also provide additional guidance on the use of sweat equity and revise timelines and expectations for lenders’ prefunding and post-closing quality control reviews, among other things.

    Agency Rule-Making & Guidance Federal Issues Fannie Mae Appraisal Mortgages Consumer Finance Selling Guide

  • FHA proposes to ease branch office registration

    Agency Rule-Making & Guidance

    On March 1, FHA published FHA INFO 2023-14 announcing a proposed rule to eliminate a requirement that mortgagees and lenders register all branch offices conducting FHA business with HUD. Currently, all FHA-approved mortgagees and lenders are required to register any branch office where they originate Title I or II loans or submit applications for mortgage insurance. Due to technological advances and remote service delivery, this requirement is inconsistent with current industry practices, FHA said, explaining that the proposed rule will grant mortgagees and lenders the choice as to whether to register and maintain branch offices with HUD. The proposed rule also will make branch registration fees applicable only to those branch offices registered with HUD. Unregistered branch offices will not be subject to unnecessary registration fees and will not be placed on the HUD Lender List Search page. Comments on the proposed rule are due May 1.

    Agency Rule-Making & Guidance Federal Issues FHA Mortgages HUD

  • FTC orders refunds over compromised health data

    Federal Issues

    On March 2, the FTC filed a complaint against an online counseling service alleging the respondent violated the FTC Act by monetizing consumers’ sensitive health data for targeted advertising purposes. As part of the process to sign up for the respondent’s counseling services, consumers are required to provide sensitive mental health information, as well as other personal information. Consumers are promised that their personal health data will not be used or disclosed except for limited purposes, such as for counseling services. However, the FTC claimed the respondent used and revealed consumers’ sensitive health data to third parties for advertising purposes. According to the FTC, the respondent failed to maintain sufficient policies or procedures to protect the sensitive information and did not obtain consumers’ affirmative express consent before disclosing the health data. The respondent also allegedly failed to limit how third parties could use the health data and denied reports that it revealed consumers’ sensitive information.

    Under the terms of the proposed consent order, the respondent will be required to pay $7.8 million in partial refunds to affected users and will be banned from disclosing health information to certain third parties for re-targeting advertising purposes. This will be the first FTC action returning funds to consumers whose health data was compromised. The respondent will also be prohibited from misrepresenting its sharing practices and must also (i) obtain users’ affirmative express consent before disclosing personal information to certain third parties for any purpose; (ii) implement a comprehensive privacy program with strong safeguards to protect users’ data; (iii) instruct third parties to delete shared personal data; and (iv) implement a data retention schedule imposing limits on how long personal data can be retained.

    Federal Issues FTC Enforcement Advertisement Privacy, Cyber Risk & Data Security Consumer Protection UDAP FTC Act Unfair Deceptive

  • 9th Circuit concludes district attorneys can sue national banks in state court

    Courts

    On February 27, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s decision to abstain from enjoining a state action brought by a California county district attorney (DA) against a national bank, concluding that the enforcement action was not an exercise of “visitorial powers.” According to the opinion, the DA launched an investigation into the bank’s vendor and issued the bank an investigative subpoena seeking records of its banking activities. The bank objected, claiming the request “improperly infringes on the exclusive visitorial powers of the [OCC]” because it sought to inspect the bank’s books and records. The bank subsequently filed a complaint in the U.S. District Court for the Central District of California asking the court to enjoin the state action and requesting injunctive relief to prevent the DA from taking any action to enforce federal and state lending, debt collection, and consumer laws against the bank, or from exercising visitorial powers in violation of the National Bank Act (NBA). The DA withdrew his investigative subpoena and moved to dismiss for lack of subject matter jurisdiction on the ground that the case was now moot. The motion to dismiss was denied on the premise that the DA had not demonstrated that a “renewed investigative subpoena against [the bank] ‘could not be reasonably be expected.’”

    The DA then filed a complaint in state court claiming the bank violated California law by hiring a third-party vendor to place “extensive harassing” debt collection phone calls to residents in the state. The complaint alleged violations of California’s Unfair Competition Law, the Rosenthal Fair Debt Collection Practices Act, and the right to privacy under the California Constitution. In federal court, the bank moved for summary judgment, arguing that the state action was an improper exercise of visitorial powers. The district court, however, ruled that the Younger v. Harris abstention (in which a federal court refrains from staying or enjoining pending state criminal prosecutions absent extraordinary circumstances or state civil enforcement actions when certain conditions are met) applied. The bank appealed.

    The 9th Circuit considered two questions: (i) whether the Younger abstention was correctly applied, and (ii) whether the DA’s state court action “was an impermissible exercise of visitorial powers vested exclusively with the OCC.” The 9th Circuit held that the district court was correct in applying the Younger abstention doctrine because (i) “the state action qualified as an ‘ongoing’ judicial proceeding because no proceedings of substance on the merits had taken place in the federal action”; (ii) the state court action implicated an important state interest in consumer protection and nothing in federal law bars a DA from suing a national bank; (iii) the bank had the option to raise a federal defense under the NBA in the state court action; and (iv) the injunction the bank requested in the federal action would interfere with the state court proceeding.

    The 9th Circuit also rejected the bank’s arguments that the state action constituted an illegal exercise of visitorial powers that only belong to the OCC or state attorneys general. The 9th Circuit cited the U.S. Supreme Court’s decision in Cuomo v. Clearing House Ass’n, L.L.C., in which the high court “held that bringing a civil lawsuit to enforce a non-preempted state law is not an exercise of visitorial powers,” and that “a sovereign’s ‘visitorial powers’ and its power to enforce the law are two different things.” Relying on the Cuomo holding, the 9th Circuit found that accepting the bank’s position “would mean that actions brought against national banks by federal or state agencies or, for that matter, individuals would be forbidden as unlawful exercises of visitorial powers.” “Such a result is wrong. It contradicts established law and is unsupported by any legal authority cited by [the bank]” and would additionally “raise serious anti-commandeering concerns under the Tenth Amendment.”

    Courts Appellate Ninth Circuit Debt Collection State Issues California National Bank Act Rosenthal Fair Debt Collection Practices Act

  • Treasury seeks to advance CBDCs

    Federal Issues

    On March 1, Treasury Undersecretary for Domestic Finance Nellie Liang announced that the Treasury Department will lead a new senior-level working group to advance work on a U.S. central bank digital currency (CBDC). As previously discussed in a Treasury report released last September on the future of money and payments (covered by InfoBytes here), Treasury was called to lead an interagency working group to complement work undertaken by the Federal Reserve Board to consider the implications of a U.S. CBDC. The working group will consist of leaders from Treasury, the Fed, and White House offices, including the Council of Economic Advisors, National Economic Council, National Security Council, and Office of Science and Technology Policy. In the coming months the working group “will begin to meet regularly to discuss a possible CBDC and other payments innovations,” Liang said during a workshop titled “Next Steps to the Future of Money and Payments.” The working group will focus on three main policy objectives: (i) how a U.S. CBDC would affect U.S. global financial leadership; (ii) potential national security risks posed by a CBDC; and (iii) the implications for privacy, illicit finance, and financial inclusion if a CBDC is created.

    To support discussions on a possible CBDC and other payment innovations, Liang said the working group will develop an initial set of findings and recommendations. Those findings and recommendations may relate to whether a U.S. CBDC would help advance certain policy objectives, what features would be required for a U.S. CBDC to advance these objectives, choices for resolving CBDC design trade-offs, and areas where additional technological research and development might be useful.

    Liang commented that the working group will also “engage with allies and partners to promote shared learning and responsible development of CBDCs.” She pointed out that CBDC efforts are already underway in jurisdictions around the world, with 11 countries already having fully launched CBDCs, “while central banks in other major jurisdictions are researching and experimenting with CBDCs, with some at a fairly advanced stage.” Liang stressed that regardless of whether a CBDC is adopted in the U.S., the country “has an interest in ensuring that CBDCs interact safely and efficiently with the existing financial infrastructure; that they support financial stability and the integrity of the international financial system; that global payment systems are efficient, innovative, competitive, secure, and resilient; and that global payments systems continue to reflect broader shared democratic values, like openness, privacy, accessibility, and accountability to the communities that rely upon them.”

    Federal Issues Digital Assets Department of Treasury Of Interest to Non-US Persons CBDC Privacy, Cyber Risk & Data Security Fintech
