
InfoBytes Blog

Financial Services Law Insights and Observations


  • Supreme Court “relist” of CFPB petition for certiorari threatens prolonged legal limbo

    Courts

    The Supreme Court recently had the opportunity to grant the CFPB’s pending petition for certiorari seeking review of the U.S. Court of Appeals for the Fifth Circuit’s holding in Community Financial Services Association of America v. Consumer Financial Protection Bureau. The 5th Circuit found that the agency’s funding structure is unconstitutional, potentially voiding everything the CFPB has done or could do. The Justices considered the petition at their conference this past Friday, but the Court neither granted nor denied the petition. Instead, it “relisted” the petition for consideration at its conference this Friday, February 24.

    The Court’s decision functions as a delay and does not necessarily suggest an ultimate denial of the petition. In recent practice, petitions have been relisted before being granted. Practically, this action makes it less likely that the case will be decided this term, leaving the agency, and the rules it issues, in a state of legal limbo for as much as another year or more. The possibility that the case will not be decided during this Supreme Court term may leave the CFPB’s actions subject to successful challenges in federal district courts in states subject to the 5th Circuit decision (Texas, Mississippi and Louisiana).

    The CFPB was no doubt hoping to avoid this possible outcome. It filed the petition less than 30 days after the 5th Circuit’s decision and urged the Court to act quickly to decide the case during the current term, which typically ends in late June. In the petition the CFPB explained that the 5th Circuit’s decision would negatively impact the “CFPB’s critical work administering and enforcing consumer financial protection laws … because the decision below vacates a past agency action based on the purported Appropriations Clause violation, the decision threatens the validity of all past CFPB actions as well.” The CFPB argued that refusal to decide the case this term “threatens the ability of the CFPB to function and risks severe market disruption. Delaying review until next term would likely postpone resolution of the critical issues at stake until sometime in late 2023 and more likely 2024.” 

    The CFPB’s timeline was complicated by the Court’s agreement to extend the briefing schedule on the petition, in part to accommodate briefing on the Community Financial Services Association of America’s conditional cross-petition, which seeks review on other aspects of the 5th Circuit’s decision. The Court’s delay in acting on the CFPB’s petition complicates matters further. It is still possible that the Court could agree to hear the case and set it for expedited briefing so that it can be decided this term, but every indication so far is that the Court is in no hurry to decide this matter, even if it complicates life for the CFPB. Stay tuned. We may get action on the petition by the Court either Friday or next Monday.

    Find continuing InfoBytes coverage here.


  • SEC proposes new protections for crypto assets

    Securities

    On February 15, the SEC proposed new rules to enhance protections for customer assets, including cryptocurrency assets, managed by registered investment advisers. (See also SEC Fact Sheet here.) The proposed rules would implement measures under the Investment Advisers Act of 1940 to address how client assets are safeguarded, and would broaden the definition of “asset class” to ensure investment advisers are protecting not only their clients’ securities and funds but also “other positions held in a client’s account,” including crypto assets.

    Under the proposed rules, investment advisers would be required to, among other things, segregate such crypto assets into separate accounts for safekeeping, prevent commingling of assets with the adviser’s or another related person’s assets, and place crypto assets with a qualified custodian such as a federal or state-chartered bank or savings association, a registered broker-dealer or futures commission merchant, or certain foreign financial institutions. Foreign financial institutions would have to adhere to enhanced requirements to serve as a qualified custodian.

    In a statement accompanying the release of the proposed rules, SEC Chairman Gary Gensler stated that “advisers who trade an investor’s assets cannot circumvent the custody rule and the safeguards it provides.” Gensler added that the proposal would impose several recordkeeping requirements, and require, for the first time, that advisers and qualified custodians enter into written agreements to help guarantee that customer assets are being protected.

    Comments on the proposed rules are due 60 days after publication in the Federal Register.


  • EU says EU-US Data Privacy Framework lacks adequate protections

    Privacy, Cyber Risk & Data Security

    On February 14, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs released a draft motion for a resolution concerning the adequacy of protections afforded under the EU-US Data Privacy Framework. As previously covered by InfoBytes, last October President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to address the facilitation of transatlantic data flows between the EU and the U.S. The E.O. also outlined bolstered commitments that the U.S. will take under the EU-U.S. Data Privacy Framework (a replacement for the EU-U.S. Privacy Shield). In 2020, the Court of Justice of the EU (CJEU) annulled the EU-U.S. Privacy Shield after determining that, because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the EU’s General Data Protection Regulation (GDPR).

    In the draft resolution, the Committee urged the European Commission not to adopt any new adequacy decisions needed for the EU-U.S. Data Privacy Framework to officially take effect. According to the Committee, the framework “fails to create actual equivalence in the level of protection” provided to EU residents’ transferred data. Among other things, the Committee found that the government surveillance backstops outlined in the E.O. “are not in line” with “long-standing key elements of the EU data protection regime as related to principles of proportionality and necessity.” The Committee also expressed concerns that “these principles will be interpreted solely in light of [U.S.] law and legal traditions” and appear to take a “broad interpretation” to proportionality. The Committee also flagged concerns that the framework does not establish an obligation to notify EU residents that their personal data has been processed, “thereby undermining their right to access or rectify their data.” Additionally, “the proposed redress process does not provide for an avenue for appeal in a federal court,” thereby removing the possibility for EU residents to claim damages. Moreover, “remedies available for commercial matters” are “largely left to the discretion of companies, which can select alternative remedy avenues such as dispute resolution mechanisms or the use of companies’ privacy [programs],” the Committee said.

    The Committee called on the Commission “to continue negotiations with its [U.S.] counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU,” and urged the Commission “not to adopt the adequacy finding.”


  • FDIC orders entities to stop making fraudulent deposit insurance representations

    On February 15, the FDIC sent letters to four entities demanding that they stop making false or misleading representations about FDIC deposit insurance. Letters were sent to a cryptocurrency exchange and to a nonbank financial services provider demanding that the entities cease and desist from making false and misleading statements about FDIC deposit insurance and take immediate corrective action to address these statements. The FDIC also sent letters to two websites ordering them to remove similar false and misleading statements claiming that the crypto exchange and the nonbank financial services provider are FDIC-insured and that FDIC insurance will protect customers’ cryptocurrency or protect customers in the event of the nonbank’s failure. Under the Federal Deposit Insurance Act, persons are prohibited “from representing or implying that an uninsured product is FDIC-insured or from knowingly misrepresenting the extent and manner of deposit insurance.”


  • Bowman discusses bank and third-party cyber risk management expectations

    On February 15, Federal Reserve Board Governor Michelle W. Bowman delivered remarks at the Midwest Cyber Workshop, during which she discussed topics related to third-party service provider reliance and regulatory expectations concerning cyber risk management. “While we expect banks to be in touch with us when an event happens, cyber events should not be the first time a cyber-risk conversation occurs between a bank and its regulator.” Community banks frequently cite cybersecurity as one of the top risks facing the banking industry, Bowman said, adding that bankers have mentioned difficulties in attracting and retaining the staff needed to mitigate cyber risk. She also noted that ransomware disproportionately impacts smaller banks that might not “have sufficient resources to protect against these attacks.”

    Pointing out that banks are becoming increasingly reliant on third-party service providers, Bowman said regulators should “consider the appropriateness of shifting the regulatory burden from community banks to more efficiently focus directly on service providers.” Regulators have authority to do so under the Bank Service Company Act, Bowman said, adding that “[i]n a world where third parties are providing far more of these services, it seems to me that these providers should bear more responsibility to ensure the outsourced activities are performed in a safe and sound manner.” She also referenced a 2021 final rule that requires banks to timely notify their primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place (covered by InfoBytes here). The reporting process, Bowman said, is also intended to streamline small banks’ efforts to monitor service providers (which are required to notify a bank-designated point of contact at each affected customer bank when a computer-security incident has occurred).

    “We look forward to working with you to assist in clarifying expectations, applying regulatory guidance or seeking feedback on cyber-risk management strategies,” Bowman said. “We encourage bank management teams to engage with regulatory points of contact whenever questions arise on cybersecurity matters just as with any other regulatory matter.”


  • Colorado releases privacy act updates

    Privacy, Cyber Risk & Data Security

    Last month, the Colorado attorney general released a third version of draft rules to implement and enforce the Colorado Privacy Act (CPA). A hearing on the proposed draft rules was held February 1. As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. The attorney general also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The attorney general previously released two versions of the draft rules last year (covered by InfoBytes here and here).

    The third set of draft rules seeks to address additional concerns raised through public comments and makes a number of changes, including:

    • Clarifying definitions. The modifications add, delete, and amend several definitions, including those related to “bona fide loyalty program,” “information that a [c]ontroller has a reasonable basis to believe the [c]onsumer has lawfully made available to the general public,” “publicly available information,” “revealing,” and “sensitive data inference” or “sensitive data inferences.” Among other things, the definition of “publicly available information” has been narrowed by removing the exception to the definition that had excluded publicly available information that has been combined with non-publicly available information. Additionally, sensitive data inferences now refer to inferences which “are used to” indicate certain sensitive characteristics.
    • Right to opt out and right to access. The modifications outline controller requirements for complying with opt-out requests, including when opt-out requests must be completed, as well as provisions for how privacy notice opt-out disclosures must be sent to consumers, and how consumers are to be provided mechanisms for opting-out of the processing of personal data for profiling that results in the provision or denial of financial or lending services or other opportunities. With respect to the right to access, controllers must implement and maintain reasonable data security measures when processing any documentation related to a consumer’s access request.
    • Right to correct and right to delete. Among other changes, the modifications add language providing consumers with the right to correct inaccuracies and clarify that a controller “may decide not to act upon a [c]onsumer’s correction request if the [c]ontroller determines that the contested [p]ersonal [d]ata is more likely than not accurate” and has exhausted certain specific requirements. The modifications add requirements for when a controller determines that certain personal data is exempted from an opt-out request.
    • Notice and choice of universal opt-out mechanisms. The modifications specify that disclosures provided to consumers do not need to be tailored to Colorado or refer to Colorado “or to any other specific provisions of these rules or the Colorado Privacy Act examples.” Additionally, a platform, developer, or provider that provides a universal opt-out mechanism may, but is not required to, authenticate that a user is a resident of the state.
    • Controller obligations. Among other things, a controller may choose to honor an opt-out request received through a universal opt-out mechanism before July 1, 2024, may respond by choosing to opt a consumer out of all relevant opt-out rights should the universal opt-out mechanism be unclear, and may choose to authenticate that a user is a resident of Colorado but is not required to do so.
    • Purpose specification. The modifications state that controllers “should not specify so many purposes for which [p]ersonal [d]ata could potentially be processed to cover potential future processing activities that the purpose becomes unclear or uninformative.” Controllers must modify disclosures and necessary documentation if the processing purpose has “evolved beyond the original express purpose such that it becomes a distinct purpose that is no longer reasonably necessary to or compatible with the original express purpose.”
    • Consent. The modifications clarify that consent is not freely given when it “reflects acceptance of a general or broad terms of use or similar document that contains descriptions of [p]ersonal [d]ata [p]rocessing along with other, unrelated information.” Requirements are also provided for how a controller may proactively request consent to process personal data after a consumer has opted out.
    • User interface design, choice architecture, and dark patterns. The modifications provide that a consumer’s “ability to exercise a more privacy-protective option shall not be unduly longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option.” The modifications also specify principles that should be considered when designing a user interface or a choice architecture used to obtain consent, so that it “does not impose unequal weight or focus on one available choice over another such that a [c]onsumer’s ability to consent is impaired or subverted.”

    Additional modifications have been made to personal data use limitations, technical specifications, public lists of universal opt-out mechanisms, privacy notice content, loyalty programs, duty of care, and data protection assessments. Except for provisions with specific delayed effective dates, the rules take effect July 1 if finalized.

    On February 28, the attorney general announced that the revised rules were adopted on February 23, but are subject to a review by the attorney general and may require additional edits before they can be finalized and published in the Colorado Register. 


  • California Dept. of Real Estate reminds licensees of fiduciary duty requirements

    The California Department of Real Estate (DRE) recently reminded real estate licensees with a mortgage loan origination (MLO) endorsement of their fiduciary duty to borrowers. DRE licensees (including brokers, salespersons, and broker-associates supervised by a broker) who provide mortgage brokerage services to a borrower act as a fiduciary of that borrower, the DRE said, explaining that this “includes placing the economic interest of the borrower ahead of their own.” The Bulletin noted that California courts have held that the fiduciary relationship not only requires the broker to act in the highest good faith toward their client but also prohibits the broker from obtaining any advantage over the client by virtue of the fiduciary relationship. Licensees who violate their fiduciary duties may face DRE-disciplinary action against their real estate license and/or MLO endorsement and may also expose themselves to civil liability.

    Licensees are reminded that they are required to be aware of all laws, regulations, and rules governing their activities, including the federal Loan Originator Compensation (LO Comp) Rule, which “prohibits loan originators, including brokers, from receiving compensation based on the terms of consumer mortgage transactions.” Prior to the LO Comp Rule, mortgage brokers often received commissions that varied based on the terms of the mortgage loans they obtained for their clients, and in many cases received larger commissions on loans carrying less advantageous terms (e.g., loans with a higher interest rate would result in a larger commission than the same loan with a lower interest rate). The LO Comp Rule now prohibits this practice.

    The Bulletin also reminded licensees that receiving greater compensation for acting against the economic interests of a consumer would also violate a broker’s fiduciary responsibility to place the economic interest of their client ahead of their own, should the decision be motivated by a financial desire to increase compensation. Further, licensees may not steer or direct a borrower to close a loan with a particular lender in exchange for receiving a higher commission unless the transaction is the best loan for the borrower. Licensees must also disclose to a borrower the costs and expenses associated with the loan, and disclose all compensation received in the transaction. Taking any secret or undisclosed compensation, commission, or profit is also prohibited, the Bulletin said.


  • Treasury roundtable examines effectiveness of Russian sanctions and export controls

    Financial Crimes

    On February 10, Deputy Secretary of the Treasury Wally Adeyemo convened a roundtable to hear from sanctions and U.S. foreign policy experts on the effectiveness of the unprecedented sanctions and export controls imposed on Russia by a coalition of more than 30 countries. Over the past year, the countries have imposed economic restrictions on Russia with the intention of disrupting Russia’s military supply chains and denying the Russian government funding for its war against Ukraine. Adeyemo discussed progress made on these fronts, and said the strain on Russia’s military can be seen through the government’s attempts to backfill equipment and supplies through third parties in permissive jurisdictions or sanctioned countries. Adeyemo said that in the upcoming weeks and months, Treasury intends to increase “its focus on countering sanctions evasion, including by targeting facilitators and third-country providers that may wittingly or unwittingly help Russia replenish the supplies and material it desperately needs to support its military.” 


  • NYC Banking Commission to combat lending and employment discrimination

    State Issues

    On February 10, the New York City Banking Commission, which consists of the city’s mayor, the comptroller, and the Commissioner of the Department of Finance, announced two transparency measures to combat lending and employment discrimination by designated banks. Designated banks are those eligible to hold NYC deposits and are expected to provide approved banking products and services for city entities. The announcement states that beginning with this year’s biennial designation cycle, a public comment process will now be included prior to and during the Banking Commission’s public hearing to designate banks that will be eligible to hold deposits of city funds. Revisions have also been made to the certifications that banks are required to submit ahead of designation in order “to reinforce the obligation for depository banks to provide detailed plans and specific steps to combat different forms of discrimination in their operations.” NYC Mayor Eric Adams added “[t]hese new steps will ensure the Banking Commission is designating only those banks that have shown that they can protect taxpayer money and that are committed to promoting equity in all aspects of their operations.”


  • CSBS says state regulators need access to FinCEN’s beneficial ownership database

    State Issues

    On February 14, the Conference of State Bank Supervisors commented that FinCEN should be more explicit in its inclusion of state regulators as agencies that can request access to FinCEN’s forthcoming secure, non-public beneficial ownership information database. (See comment letter here.) As previously covered by InfoBytes, last December FinCEN issued a notice of proposed rulemaking (NPRM) to implement provisions of the Corporate Transparency Act (CTA) that govern the access to and protection of beneficial ownership information (BOI). The NPRM proposed regulations for establishing who may request beneficial ownership information, how the information must be secured, and non-compliance penalties, and also addressed aspects of the database that are currently in development. Agreeing that the new database would help enhance anti-money laundering and countering the financing of terrorism standards and help prevent the use of privacy to hide illicit activity from law enforcement and government authorities, CSBS asked that the final rule “explicitly define state regulators so that there is no confusion about their ability to access BOI when examining state-chartered banks and non-depository trust companies for compliance with customer due diligence requirements under the Bank Secrecy Act (BSA).” According to CSBS, state regulators conducted over 1,200 BSA exams in 2021. CSBS further pointed out that being able to request BOI on an as-needed basis would aid investigative and enforcement responsibilities for both state-chartered banks and state-licensed nonbank financial services providers.

