InfoBytes Blog

Financial Services Law Insights and Observations

  • Republican senators oppose FTC’s ANPR on data privacy and security

    Federal Issues

    On November 3, three Republican Senators sent a letter to FTC Chair Lina Khan expressing their opposition to the FTC’s Advance Notice of Proposed Rulemaking (ANPR) for the Trade Regulation Rule on Commercial Surveillance and Data Security. As previously covered by InfoBytes, in August the FTC announced the ANPR covering a wide range of concerns about commercial surveillance practices, specifically related to the business of collecting, analyzing, and profiting from information about individuals. In the letter, the Senators argued that both consumers and businesses would benefit if Congress enacted comprehensive federal legislation addressing data privacy. According to the Senators, the FTC “lacks the authority to create preemptive standards” and the proposed rulemaking “would only add uncertainty and confusion to an already complicated regulatory landscape, increasing compliance costs, reducing competition, and ultimately harming consumers.” The Senators requested that the FTC withdraw its rulemaking proposal, explaining that “[c]onsumer data privacy and security are complex issues which will require standards that are robust, adaptive, and can balance the interests of consumers with the needs of businesses.” The Senators noted that they believe “that this balance can only be struck within federal legislation that is comprehensive and preemptive, such that the law creates a single national standard.”

    Federal Issues Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance FTC U.S. Senate Consumer Protection

  • FTC takes action against ed tech provider for lax data security

    Federal Issues

    On October 31, the FTC announced an administrative action against an education technology (ed tech) provider claiming that the company’s allegedly poor data security practices exposed the sensitive information of millions of users and employees, including Social Security numbers, email addresses, and passwords. According to the FTC’s complaint, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Less than a year later, another data breach involved a former employee using login information the company shared with employees and outside contractors to gain access to a third-party cloud database containing personal data for roughly 40 million users. In the following two years, the company experienced two more data breaches through phishing attacks that exposed sensitive employee data, including medical and financial information. Claiming violations of Section 5(a) of the FTC Act, the Commission alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.

    Under the terms of the proposed decision and order, the company would be required to take several measures to address the alleged conduct, including (i) documenting and limiting data collection; (ii) providing users access to collected data and allowing them to submit requests for deletion; (iii) implementing multifactor authentication or another authentication method to protect user and employee accounts; and (iv) implementing a comprehensive information security program that would encrypt consumer data and provide security training to employees, among other things.

    This action is part of the FTC’s ongoing efforts to make sure ed tech providers protect and secure personal data they collect and do not collect more information than necessary. As previously covered by InfoBytes, the FTC issued a policy statement in May warning ed tech providers that they must fully comply with all provisions of the Children’s Online Privacy Protection Act when gathering data about children. The FTC emphasized that ed tech providers may not harvest or monetize children’s data, cannot force children to disclose more information than is reasonably necessary for participating in their educational services, and must have procedures in place to keep the data secure, among other things.

    Federal Issues Privacy, Cyber Risk & Data Security FTC Enforcement FTC Act UDAP COPPA Data Breach Consumer Protection

  • VA proposes amendments to IRRRL requirements

    Agency Rule-Making & Guidance

    On November 1, the Department of Veterans Affairs (VA) published a proposed rule in the Federal Register, which would amend the agency’s rules on VA-backed interest rate reduction refinancing loans (IRRRLs). Specifically, the proposed amendments would update existing VA IRRRL regulations to meet current statutory requirements for determining whether the agency can guarantee or insure a refinance loan. The amendments would modify current regulations to reflect requirements related to, among other things, net tangible benefit, recoupment, and seasoning standards. Additionally, due to confusion among program participants, VA is proposing clarifications to minimize the risk of lender noncompliance, thereby safeguarding veterans, easing lender concerns, reducing potential instability in the secondary loan market, and insulating taxpayers from unnecessary financial risk. Comments on the proposed rule are due January 3, 2023.

    Agency Rule-Making & Guidance Federal Issues Department of Veterans Affairs IRRRL Compliance

  • 4th Circuit vacates $10.6 million judgment, orders district court to reevaluate class standing

    Courts

    On October 28, the U.S. Court of Appeals for the Fourth Circuit remanded a $10.6 million damages award it had previously approved in light of the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez. As previously covered by InfoBytes, in January, the Supreme Court vacated the judgment against the defendants and ordered the 4th Circuit to reexamine its decision in light of TransUnion (which clarified the type of concrete injury necessary to establish Article III standing, and was covered by InfoBytes here). Previously, a divided 4th Circuit affirmed a district court’s award of $10.6 million in penalties and damages based on a summary judgment that an appraisal practice common before 2009 was unconscionable under the West Virginia Consumer Credit and Protection Act (covered by InfoBytes here). During the appeal, the defendants argued that summary judgment was wrongfully granted and that the class should not have been certified since individual issues predominated over common ones, but the appellate court majority determined, among other things, that there was not a large number of uninjured members within the plaintiffs’ class because plaintiffs paid for independent appraisals and “received appraisals that were tainted.” At the time, the 4th Circuit “concluded that the ‘financial harm’ involved in paying for a product that was ‘never received’ was ‘a classic and paradigmatic form of injury in fact.’” On remand, the 4th Circuit considered questions of standing and ultimately determined that TransUnion requires the district court to reevaluate the standing of class members.

    Courts State Issues Settlement Appellate Fourth Circuit U.S. Supreme Court Class Action West Virginia

  • Treasury official discusses cyber threats to financial sector

    Privacy, Cyber Risk & Data Security

    On November 1, Deputy Secretary of the Treasury Wally Adeyemo provided an update during the semi-annual joint session of the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC) on Treasury’s efforts to protect the agency and the financial sector from cyber threats. Adeyemo noted that actions taken to safeguard national security include “modernizing Treasury’s IT systems with an elevated cybersecurity threat focus, as well as ramping up partnerships with the financial and regulatory sectors far ahead of Russia’s unprovoked invasion of Ukraine to ensure swift, coordinated responses to thwart cyber attacks.” He further stressed the importance of fortifying these partnerships and remaining vigilant to heightened threats. Adeyemo also discussed how Russia’s invasion of Ukraine demonstrated the interconnectedness of the global financial sector and why enhancing operational resilience in major global banking hubs and vulnerable regions is a top priority for the Department. He called on FBIIC senior leaders to continue to drive Treasury’s “successful cloud and data protection workstreams forward,” while also building new initiatives focusing on other urgent, systemic risk issues that include the participation of FSSCC partners. “Reporting cybersecurity issues and vulnerabilities early and often enables us to better protect the broader financial sector,” Adeyemo said.

    Privacy, Cyber Risk & Data Security Department of Treasury Russia Ukraine Ukraine Invasion

  • FHFA to host “tech sprints” on housing finance fintech solutions

    Fintech

    On November 2, FHFA published a notice in the Federal Register announcing plans to hold a series of competitions called “Tech Sprints” to solicit innovative solutions on ways to advance housing finance fintech in a safe, sound, responsible, and equitable manner. Recognizing the significant effects that regulated entities’ potential use of fintech products and innovations could have on the mortgage market and market participants, FHFA said it wants to gather information about new and emerging technologies that may have applications in the mortgage space. Two tech sprints are planned each year over the next three years, with participation expected from housing finance industry members as well as other industries, such as tech companies, mortgage companies, academia, industry groups, and other members of the public. FHFA is accepting comments through January 3, 2023, on the necessity of the information collection, the burden of such collection, and ways to minimize the burden on members and project sponsors when providing information on ways to enhance the quality, utility, and clarity of the information collected from the Tech Sprints.

    Fintech Federal Issues FHFA Federal Register

  • FinCEN reports significant increase in ransomware-related BSA filings in 2021

    Financial Crimes

    On November 1, FinCEN reported that ransomware continues to pose a significant threat to U.S. infrastructure, businesses, and the public, with ransomware-related Bank Secrecy Act (BSA) filings in 2021 accounting for nearly $1.2 billion. Issued pursuant to the Anti-Money Laundering Act of 2020, FinCEN’s Financial Trend Analysis examines ransomware activities for calendar year 2021, with a particular focus on ransomware trends in BSA data from July-December 2021. According to FinCEN, reported ransomware-related incidents have substantially increased from 2020, with roughly 75 percent of these incidents reported during the second half of 2021 emanating from or connected to actors in Russia. Highlights from the report include: (i) the number and total U.S. dollar value for ransomware-related incidents during 2021 far exceeds data for any previous year, with FinCEN reporting a 188 percent increase from 2020 to 2021 (possibly reflecting either an increase of ransomware-related incidents or improved reporting and detection); (ii) an average of 132 and a median of 136 ransomware-related incidents per month were reported during the review period (Treasury’s October 2021 measures to combat ransomware — covered by InfoBytes here — and potentially associated reporting obligations may have contributed to the overall rise in 2021 filings, FinCEN noted); and (iii) of the 793 ransomware-related incidents reported during the second half of 2021, 594 (roughly 75 percent) pertained to Russia-related variants.

    The same day, Deputy Secretary of the Treasury Wally Adeyemo hosted participants from 36 countries during the second International Counter Ransomware Initiative Summit where attendees examined the challenges presented by ransomware and discussed the U.S.’s whole-of-government approach for responding to serious threats posed by bad actors.

    Financial Crimes Of Interest to Non-US Persons FinCEN Privacy, Cyber Risk & Data Security Ransomware Department of Treasury Bank Secrecy Act Anti-Money Laundering Act of 2020 Anti-Money Laundering Russia

  • OFAC sanctions terrorist weapons trafficking network tied to ISIS-Somalia

    Financial Crimes

    On November 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against the Islamic State in Somalia (ISIS-Somalia) — marking the first time this affiliate of the Islamic State of Iraq and Syria (ISIS) is being designated. The action follows designations taken by OFAC earlier in the month against a network of financial facilitators who hold leadership roles and are key interlocutors between the group and local companies in Somalia (covered by InfoBytes here). According to OFAC, the designated persons serve as “critical nodes for a weapons trafficking network that is closely integrated with ISIS-Somalia,” and maintain “strong ties to al-Qa’ida in the Arabian Peninsula (AQAP) and al-Shabaab.” Addressing the significance of the sanctions, Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said “[t]oday, we take direct aim at the networks funding and supplying both ISIS-Somalia and al-Shabaab that support their violent acts. The involvement of those designated today in other criminal activity, including piracy and illegal fishing, demonstrates the extent of ISIS-Somalia’s integration with illicit networks and other terrorist organizations operating in the region.” “Treasury is committed to working with partners in the region to disrupt the financing of ISIS and al-Shabaab,” Nelson said.

    As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the individuals or entities designated today may themselves be exposed to designation, OFAC warned, adding that foreign financial institutions that knowingly facilitate significant transactions or provide significant financial services to any of the sanctioned persons could also be subject to U.S. sanctions.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List Somalia ISIS

  • CFPB provides update on student loan borrowers

    Federal Issues

    On November 2, the CFPB’s Office of Research released an update showing that student loan borrowers are increasingly likely to struggle to make monthly payments when federal Covid-19 payment suspensions end in January 2023. The findings follow a report issued in April discussing the credit health of student loan borrowers during the pandemic (covered by InfoBytes here). According to the April report, researchers found that borrowers most at risk when payment suspension ends include those who are 30 to 49 years of age and who live in low-income, high-minority census tracts. However, the Bureau pointed out that since the report was released, inflation has risen and delinquencies and balances have increased for consumers across credit products—both of which may contribute to potential payment challenges for borrowers. The Bureau also noted that during this time, payment suspensions were extended through the end of 2022, and President Biden announced a student debt cancellation plan to reduce payment burdens for many borrowers and completely eliminate loans for others (covered by InfoBytes here).

    The Bureau’s recent findings examined data from its Consumer Credit Panel (a deidentified sample of credit records from one of the nationwide consumer reporting agencies) on consumers who are expected to resume scheduled loan payments at the end of the suspension. Findings show, among other things, that (i) an increasing number of borrowers are 60 days or more past due on a non-student-loan credit account since mid-2021; (ii) monthly payments across credit products aside from student loans have increased; and (iii) since the April report, delinquencies on non-student-loan products have risen further, with an overall increase in the number of borrowers (5.1 million to 5.5 million) who meet two or more potential risk factors that indicate a borrower may struggle when the payment suspensions end. These risk factors are: “pre-pandemic delinquencies on student loans, pre-pandemic payment assistance on student loans, multiple student loan servicers, delinquencies on other credit products since the start of the pandemic, and new non-medical collections during the pandemic.” The Bureau noted, however, that as many as one-third of borrowers with two or more risk factors may have their balances completely canceled under the student debt cancellation plan, so “despite worsening credit outcomes overall, the cancellation of some student loan debt means that fewer student loan borrowers are likely to be at risk of payment difficulties when federal student loan payments resume in January 2023 than they otherwise would be.”

    Federal Issues CFPB Student Lending Consumer Finance Covid-19

  • Chopra says CFPB is examining industry standard settings

    Federal Issues

    On November 2, CFPB Director Rohit Chopra delivered prepared remarks before a public meeting of the Bureau’s Consumer Advisory Board briefly touching on several topics related to the Buy Now Pay Later market, big tech and data collection, peer-to-peer payment platforms, and Section 1033 rulemaking concerning consumers’ rights to their personal financial data. Notably, Chopra raised an area of discussion concerning industry standard-setting organizations and providers of critical infrastructure. Recognizing that private organizations play a major role in setting standards across sectors of the economy, Chopra emphasized that “[d]ecentralized, open banking will likely rely on fair standard-setting, through an amalgam of legally binding rules and industry developed standards.” He warned, though, that it “can be difficult to achieve fair standard-setting, since incumbents will have a strong economic interest when it comes to protecting their turf.” Chopra pointed to the telecommunications and health care industries as areas where private organizations “are not neutral, but are instead owned or governed by certain market participants” and where other players may also integrate a function akin to a lobbying or trade association. Explaining that the Bureau has been devoting a lot of time to this space, Chopra said the agency is gathering insights into other countries’ experiences, such as the UK’s Open Banking Implementation Entity (which was established to provide critical services and infrastructure), as well as domestic developments. He stated the Bureau will develop rulemaking with a practical mindset of how requirements would be operationalized in the market.

    Federal Issues Agency Rule-Making & Guidance CFPB Standard Setting UK Buy Now Pay Later
