
InfoBytes Blog

Financial Services Law Insights and Observations


  • California enacts new data broker regulations

    State Issues

    The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.

    Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information in their yearly registration, including: (i) whether they collect the personal information of minors; (ii) whether they collect consumers’ precise geolocation; (iii) whether they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on their website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to honor a deletion request face a penalty of $200 per deletion request for each day the information is not deleted.

    The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.


    State Issues Privacy, Cyber Risk & Data Security State Legislation California CPPA Data Brokers Consumer Protection

  • California enacts two privacy bills AB 1194 and AB 947

    State Issues

    On October 8, the California governor signed two bills, AB 947, amending the California Consumer Privacy Act (CCPA) of 2018, and AB 1194, amending the California Privacy Rights Act (CPRA) of 2020. AB 947 amends the definition of “sensitive personal information” to include any personal information that reveals a consumer’s citizenship or immigration status. AB 1194 will ensure that when a consumer’s personal information relates to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services,” businesses are obligated to comply with the CPRA, except in cases where the information is in an aggregated, deidentified form and is not sold or shared. The CPRA already empowers consumers to request the deletion of their personal information, with some exceptions to accommodate a business's obligations to adhere to federal, state, or local laws, fulfill court orders, respond to subpoenas for information, or cooperate with government agencies in emergency situations involving potential risks to a person's life or physical well-being.

    AB 947 is effective January 1, 2024 and AB 1194 is effective July 1, 2024.

    State Issues Privacy, Cyber Risk & Data Security State Legislation CPRA CCPA Consumer Protection

  • FDIC seeks comments on proposed, stricter governance guidelines for regional banks

    On October 11, the FDIC published a request for comment on proposed corporate governance and risk management guidelines that would apply to all insured state nonmember banks, state-licensed insured branches of foreign banks, and insured state savings associations that are subject to Section 39 of the Federal Deposit Insurance Act (FDI Act), with total consolidated assets of $10 billion or more on or after the effective date of the final guidelines.

    The proposed guidelines cover the board of directors’ obligations, composition, duties, and committee structure that must be satisfied to meet the standard of good corporate governance. The proposed guidelines state that the board will ultimately be responsible for the affairs of the covered institution and that each individual member must abide by certain legal duties. Under the proposed guidelines, the board of directors must, among other things: (i) evaluate and approve a strategic plan covering at least a three-year period; (ii) establish policies and procedures by which the covered institution operates; (iii) establish a code of ethics covering legal requirements, such as insider information, disclosure, and self-dealing; (iv) provide active oversight of management; (v) exercise independent judgment; and (vi) select and appoint qualified executive officers. Additionally, the board would be required to maintain a majority of independent directors and should consider diversity of demographic representation, opinion, experience, and ownership level when choosing its members. The proposed guidelines would also require that the board have an audit committee, a compensation committee, a trust committee (if the covered institution has trust powers), and a risk committee.

    Comments must be received by the FDIC by December 11, 2023.


    Bank Regulatory Federal Issues FDIC FDI Act

  • Chopra foreshadows expanding oversight over digital payments

    Fintech

    On October 6, CFPB Director Rohit Chopra spoke at a digital payments event where he described the risks posed by private digital currencies and digital payment systems and outlined steps that would increase the CFPB’s oversight so as to help protect consumers from these risks.

    Chopra stated that from a consumer regulator’s perspective, it is important to safeguard against the risks of private currencies issued by nonbanks, which include the potential for sudden devaluation of the digital currency, intrusive data surveillance, censorship, private regulations that favor the issuer’s commercial interests, challenges with error resolution, and consumer fraud.

    Further, Chopra shared what he believes are warranted steps to ensure that private digital dollars and payments systems do not harm consumers:

    • The CFPB will issue supplemental orders to certain large technology platforms to acquire more data and information to better ascertain their business practices, especially with respect to the use of sensitive personal data and any issuance of private currencies.
    • To reduce the harms of errors, hacks, and unauthorized transfers, the Bureau will explore providing additional guidance on the applicability of the Electronic Fund Transfer Act with respect to private digital dollars and other virtual currencies for consumer and retail use.
    • The CFPB will use appropriate authorities to conduct supervisory examinations of nonbanks operating consumer payment platforms, including the authority over service providers to large depository institutions and the authority over large participants, which would subject nonbanks meeting a particular size threshold to CFPB supervision.
    • The Bureau will publish a proposed rule regarding personal financial data rights pursuant to Section 1033 of the Consumer Financial Protection Act, which will seek to accelerate America’s shift to open, competitive, and decentralized banking, while also seeking to safeguard against misuse of personal financial data.

    Additionally, Chopra stated the Financial Stability Oversight Council should consider exercising its authority under Title VIII of the Dodd-Frank Act to designate activity as, or as likely to become, a systemically important payment, clearing, or settlement activity so as to provide other agencies with critical oversight and tools to ensure that a stablecoin is actually stable.

    Fintech Federal Issues CFPB Supervision Consumer Protection Digital Assets

  • Congressional Democrats urge White House to make AI principles mandatory

    Federal Issues

    On October 12, a coalition of more than two dozen Democratic senators and House members urged President Biden to make any anticipated executive order on how the federal government handles artificial intelligence (AI) technology binding on the federal government and those who receive federal funds, rather than a mere statement of principles. “By turning the AI Bill of Rights from a non-binding statement of principles into federal policy, your administration would send a clear message to both private actors and federal regulators: AI systems must be developed with guardrails,” the Democrats’ letter states. Additionally, these legislators asked the president to incorporate the White House Blueprint for an AI Bill of Rights, a voluntary roadmap that identifies five principles intended to guide both the government’s and private companies’ design, use and deployment of automated systems fueled by AI (covered by InfoBytes here).

    Federal Issues Congress White House Artificial Intelligence

  • CFPB reports decline in NSF fees by depository financial institutions, saving consumers billions

    Federal Issues

    On October 11, the CFPB’s Offices of Consumer Populations and Markets announced that, through its analysis of a number of depository financial institutions, it had determined that the imposition of non-sufficient funds (NSF) fees by these entities was on the decline, saving consumers an estimated $2 billion annually going forward. Specifically, the CFPB determined that “[n]early two-thirds of banks with over $10 billion in assets have eliminated NSF fees,” “[n]early three-fourths of the banks that earned the most in overdraft/NSF fee revenue in 2021, including 27 of the top 30 earners, have eliminated NSF fees” and “[a]mong credit unions with over $10 billion in assets, 16 of 20 continue to charge NSF fees, including four of the five largest.” The CFPB concluded that larger banks have been more likely to eliminate NSF fees. Based on the CFPB’s estimates, for banks “with over $10 billion in assets, 97% of NSF fee revenue has been eliminated.”

    Federal Issues CFPB Overdraft NSF Fees Fees

  • Automotive management company settles with DOJ to resolve False Claims Act allegations

    Federal Issues

    On October 11, an automotive management company settled claims by the Department of Justice alleging that the company had violated the False Claims Act by knowingly providing false information in support of its Paycheck Protection Program (PPP) loan forgiveness application.

    According to the DOJ’s allegations, the automotive management company certified it was a small business with fewer than 500 employees when in fact it shared common operational control with dozens of automobile dealerships with more than 3,000 employees in total.

    Federal Issues DOJ False Claims Act / FIRREA Small Business Fees Consumer Finance PPP Settlement

  • CFPB issues guidance on “excessive” account information fees, returns $140 million to consumers

    Agency Rule-Making & Guidance

    On October 11, the CFPB issued an advisory opinion concerning consumers’ requests for information regarding their accounts with large banks and credit unions (financial institutions). According to the Bureau, Section 1034(c) of the Consumer Financial Protection Act (the “law”) requires insured depository institutions that offer consumer financial products or services and that have total assets of more than $10 billion, as well as their affiliates, to “comply in a timely manner with consumer requests for information concerning their accounts for consumer financial products and services, subject to limited exceptions.” The advisory opinion includes the following guidance and interpretations:

    • Requirements of the law apply even if a customer does not expressly invoke the law.
    • Requirements of the law apply to consumer requests for information, including information that appears on periodic statements or in online portals, such as: (i) the amount of the balance in a deposit account; (ii) the interest rate on a loan or credit card; (iii) individual transactions or payments; (iv) bill payments; (v) recurring transactions; (vi) terms and conditions; and (vii) fee schedules.
    • The term “supporting written documentation” in the law requires financial institutions to provide, upon request, “written documents that will substantiate information provided in response to consumer questions, or that will assist consumers with understanding or verifying information regarding their accounts.”
    • Financial institutions must provide account information and documentation that is in their “control” and “possession.” This excludes (i) confidential commercial information; (ii) information collected to prevent fraud or money laundering or detecting or making any report regarding unlawful conduct; (iii) information required by law to be kept as confidential; and (iv) supervisory information and nonpublic information.
    • The law does not expressly state that financial institutions cannot impose unreasonable conditions on consumer requests for information, but there is no reason to think Congress intended the law to allow financial institutions to do so. Generally, the Bureau believes that imposing fees and obstacles that impede a consumer’s ability to exercise the rights granted by the law violates the provision. A financial institution could violate the law by imposing “excessively long wait times to make a request to a customer service representative, requiring consumers to submit the same request multiple times, requiring consumers to interact with a chatbot that does not understand or adequately respond to consumers’ requests, or directing consumers to obtain information that the institution possesses from a third party instead,” among other things.
    • There is no fixed time limit for an institution to respond to a consumer’s request, but the CFPB does not view the timing requirements of this law to differ from the timing requirements of other applicable federal laws or regulations.
    • Responses must provide all information requested accurately to be considered compliant.

    CFPB Director Rohit Chopra delivered remarks on a press call, in which he emphasized that the Bureau’s investigations have uncovered many examples of junk fee-related misconduct by large financial institutions. He reminded consumers that financial institutions should not charge them excessive fees when they are trying to manage their finances. “Congress passed a law a decade ago requiring heightened customer service standards," said Chopra. "To date, this law has not been enforced. We are changing that.” Chopra also announced that later this month the CFPB will propose rules to create more competition in banking, making it easier for consumers to switch financial institutions for better rates and fewer junk fees.

    The CFPB additionally issued the results of its recent oversight inspections of major financial institutions, which resulted in financial institutions refunding $140 million in junk fees, $120 million of which were for “surprise overdraft fees and double-dipping on non-sufficient funds fees.”

    Agency Rule-Making & Guidance Federal Issues Junk Fees Consumer Protection Fees CFPB

  • FTC announces second request for public comment on rule to ban “junk fees”

    Federal Issues

    On October 11, the FTC released a notice of proposed rulemaking meant to prohibit unfair, deceptive and costly fees, also known as “junk fees.” After announcing its Advance Notice of Proposed Rulemaking last year (covered by InfoBytes here), and after considering more than 12,000 public comments, the FTC determined that some businesses misrepresent overall costs by omitting mandatory fees from advertised prices until consumers are “well into completing the transaction,” and fail to adequately explain the nature and amount of fees. The Commission is seeking another round of comments on its proposed rule, which, for any entity that “offers goods or services” to consumers, would prohibit:

    • Offering, displaying, or advertising an amount a consumer may pay without “clearly and conspicuously” disclosing the “total price,” which must be displayed “more prominently than any other pricing information.”
    • Misrepresenting “the nature and purpose of any amount a consumer may pay.”
    • Disclosing “any other pricing information” besides the total price “more prominently” than disclosures of the total price in an “offer, display, or advertisement.”

    The proposed rule would also grant the FTC more robust enforcement authority to seek refunds for harmed consumers and impose monetary penalties of up to $50,120 per violation. The proposed rule also requires businesses to include any mandatory costs for ancillary goods or services in their price disclosures.

    The FTC is working alongside the CFPB, OCC, FCC, HUD and the Department of Transportation to develop and implement rules banning junk fees. The CFPB has also issued guidance emphasizing that large banks and credit unions are prohibited from imposing unreasonable obstacles on customers, such as charging excessive fees, for basic information about their accounts. Further, the White House has called on federal agencies “to reduce or eliminate hidden fees, charges, and add-ons for everything from banking services to cable and internet bills to airline and concert tickets.” 

    The Commission is seeking public input on 37 questions, with comments due 60 days after publication in the Federal Register.

    Federal Issues Agency Rule-Making & Guidance FTC Junk Fees Consumer Protection Federal Register Fees

  • Software provider settles allegations related to data breach

    Privacy, Cyber Risk & Data Security

    On October 5, a software provider serving nonprofit fundraising entities agreed to pay almost $50 million to settle claims with 49 states and the District of Columbia alleging that the provider maintained insufficient data security measures and inadequately responded to a 2020 data breach. Specifically, the settlement resolved claims that the software provider violated state consumer protection laws, breach-notification laws, and the Health Insurance Portability and Accountability Act (HIPAA).

    According to the allegations, the data breach exposed donor information, including Social Security numbers and financial records, of over 13,000 nonprofit groups and organizations and the provider waited two months before informing these clients of the breach.

    The settlement requires the provider to improve its cybersecurity protections and breach notification procedures.

    Earlier this year, the software provider also settled claims with the SEC for $3 million to address allegations of misleading disclosures relating to the same 2020 data breach.


    Privacy, Cyber Risk & Data Security SEC Data Breach HIPAA Consumer Protection Settlement
