Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC finalizes gaming company order on dark patterns
On March 14, the FTC finalized an administrative order requiring a video game developer to pay $245 million in refunds to consumers allegedly tricked into making unwanted in-game purchases. As previously covered by InfoBytes, the FTC filed an administrative complaint claiming players were able to accumulate unauthorized charges without parental or card holder action or consent. The FTC alleged that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Under the terms of the final decision and order, the company is required to pay $245 million in refunds to affected card holders. The company is also prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the company is barred from blocking players from accessing their accounts should they dispute unauthorized charges.
Separately, last month the U.S. District Court for the Eastern District of North Carolina entered a stipulated order against the company related to alleged violations of the Children’s Online Privacy Protection Act (COPPA). The FTC claimed the company failed to protect underage players’ privacy and collected personal information without first notifying parents or obtaining parents’ verifiable consent. Under the terms of the order, the company is required to ensure parents receive direct notice of its practices with regard to the collection, use or disclosure of players’ personal information, and must delete information previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company is required to implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, obtain regular, independent audits, and pay a $275 million civil penalty (the largest amount ever imposed for a COPPA violation).
FTC examines small business credit reporting
On March 16, the FTC launched an inquiry into the small business credit reporting industry, seeking information from firms on how information is collected and processed for business credit reports, how these reports are marketed, and firms’ approaches for addressing factual errors contained in the reports. Firms are also asked to provide information on the types of services provided to businesses for monitoring or enhancing their own credit reports. The FTC noted that currently there is no federal law that specifically outlines credit reporting processes and protections for small businesses, unlike individual consumer credit reports, which are governed by the FCRA.
FTC asks how cloud computing affects competition and data security
On March 22, the FTC announced it is seeking information on cloud computing providers’ business practices with respect to the potential impact on competition and data security. FTC staff noted that the agency is also interested in how cloud computing is impacting specific industries, including healthcare, finance, transportation, e-commerce, and defense. The request for information (RFI) solicits feedback on a range of issues, including (i) market power and competition (e.g. do particular segments of the economy have to rely on a small handful of cloud service providers); (ii) contract negotiation flexibility; (iii) incentives given to customers to ensure they obtain more of their cloud services from a single provider; (iv) security risks (e.g. what are the data security implications if particular segments of the economy rely on a small number of cloud service providers, and are these providers competing on their ability to provide secure storage for customer data); (v) products or services tied to artificial intelligence; and (vi) how cloud providers identify and notify customers of security risks related to security design, implementation, or configuration. Comments on the RFI are due May 22.
Biden administration questions crypto assets
President Biden recently issued his sweeping economic report, in which the administration’s Council of Economic Advisers addressed numerous economic policy concerns, including the current crypto ecosystem and the perceived appeal of crypto assets. The report discussed claims made about the purported benefits of crypto assets, such as the decentralized custody and control of money, as well as the potential for “improving payment systems, increasing financial inclusion, and creating mechanisms for the distribution of intellectual property and financial value that bypass intermediaries that extract value from both the provider and recipient,” but argued that “[s]o far, crypto assets have brought none of these benefits.” The report countered that, in fact, “crypto assets to date do not appear to offer investments with any fundamental value, nor do they act as an effective alternative to fiat money, improve financial inclusion, or make payments more efficient; instead, their innovation has been mostly about creating artificial scarcity in order to support crypto assets’ prices—and many of them have no fundamental value.”
Arguing that these issues raise questions about the role of regulations in protecting consumers, investors, and the financial system on a whole, the report conceded that some of the potential benefits of crypto assets —including (i) serving as investment vehicles; (ii) offering money-like functions without having to rely on a single authority; (iii) enabling fast digital payments; (iv) improving the underbanked population’s access to financial services; and (v) improving the current financial technology infrastructure through distributed ledger technology—may be realized down the road. However, the report cautioned that “[m]any prominent technologists have noted that distributed ledgers are either not particularly novel or useful or they are being used in applications where existing alternatives are far superior.” Highlighting the risks and costs of crypto assets, the report asserted, among other things, that cryptocurrencies are not as effective as a medium of exchange and do not serve “as an effective alternative to the U.S. dollar” due to their use as both money and an investment vehicle.
FTC proposes changes to Negative Option Rule
On March 23, the FTC announced a notice of proposed rulemaking (NPRM) seeking feedback on proposed amendments to the agency’s Negative Option Rule, which is used to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs. (See also FTC fact sheet here.) Claiming that current laws and regulations do not clearly provide a consistent legal framework for these types of programs, the NPRM, which applies to all subscription features in all media, proposes to add a new “click to cancel” provision that would make it as easy for consumers to cancel their enrollment as it was to sign up. The NPRM would also require sellers to first ask consumers whether they want to hear about new offers or modifications before making a pitch when consumers are trying to cancel their enrollment. If a consumer says “no” a seller must immediately implement the cancellation process. Sellers would also be required to provide consumers who are enrolled in negative option programs with an annual reminder involving anything other than physical goods before they are automatically renewed.
Commissioner Christine Wilson issued a dissenting statement, in which she argued that while the NPRM “may achieve the goal of synthesizing the various requirements in one rule,” it “is not confined to negative option marketing [as it] also covers any misrepresentation made about the underlying good or service sold with a negative option feature.” Wilson commented, “as drafted, the Rule would allow the Commission to obtain civil penalties, or consumer redress under Section 19 of the FTC Act, if a marketer using a negative option feature made misrepresentations regarding product efficacy or any other material fact.”
OCC releases enforcement actions
On March 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against a New York-based bank for allegedly engaging in unsafe or unsound practices related to its information technology security and controls, as well as its information technology risk governance and board of director/management oversight of its corporate risk governance processes. The OCC also found alleged deficiencies (including unsafe or unsound practices) in the bank’s Bank Secrecy Act (BSA)/anti-money laundering risk management controls in the following areas: “internal controls, BSA officer, customer identification program, customer due diligence, enhanced due diligence,  beneficial ownership,” and suspicious activity monitoring and reporting. The order requires the bank to, among other things, maintain a compliance committee, develop a corporate governance program to ensure appropriate board oversight, establish a written strategic plan and conduct an internal audit to assess the sufficiency of the bank’s internal controls program, implement information technology governance and security programs, and adopt an automated clearing house risk management program. The bank is also required to appoint a BSA officer to ensure adherence to the bank’s BSA/AML internal controls, conduct a suspicious activity review lookback, implement a customer information program that is reasonably designed to identify and verify beneficial owners of legal entity customers, and develop and adopt a BSA/AML model risk management process.
CFPB updates card survey to improve comparison shopping
On March 21, the CFPB announced updates to its terms of credit card plans (TCCP) survey. The updates are intended to “create a neutral data source” to help consumers comparison shop for credit cards and “find the best interest rates and products,” the Bureau explained. Previously, credit card data was compiled and made publicly available from the largest 25 issuers, as well as from a sample of at least 125 other issuers (as required by the Fair Credit and Charge Chard Disclosure Act of 1988). The refreshed TCCP survey will now allow issuers to voluntarily submit information about their credit card products to enable smaller credit card issuers to reach comparison shoppers and compete with bigger players. The TCCP survey will also include additional questions about credit card annual percentage rates, and will require issuers to report the minimum and maximum APR offered if it varies by credit score. According to the Bureau, allowing consumers to see the median APR for their credit score range will help them better compare products and estimate the potential cost of borrowing before applying. Additionally, the top 25 credit card issuers will have to provide information on all their credit cards instead of just their most popular products. Other issuers will be permitted to voluntarily submit information on multiple products. Expanded information reporting requirements include providing details on whether a product is a secured card or if it requires a deposit to open an account, as well as information about promotional terms of balance transfers, introductory rates, and cash advances.
HUD restores 2013 discriminatory effects rule
On March 17, HUD announced the submission of a final rule—Reinstatement of HUD’s Discriminatory Effects Standard—which would rescind the agency’s 2020 regulation governing Fair Housing Act (FHA or the Act) disparate impact claims and reinstate the agency’s 2013 discriminatory effects rule. Explaining that “the 2013 rule is more consistent with how the [FHA] has been applied in the courts and in front of the agency for more than 50 years,” HUD emphasized that it also “more effectively implements the Act’s broad remedial purpose of eliminating unnecessary discriminatory practices from the housing market.”
As previously covered by InfoBytes, in 2021, HUD proposed rescinding the 2020 rule, which was intended to align the 2013 rule with the U.S. Supreme Court’s 2015 ruling in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc. The 2020 rule included, among other things, a modification of the three-step burden-shifting framework in its 2013 rule, several new elements that plaintiffs must show to establish that a policy or practice has a “discriminatory effect,” and specific defenses that defendants can assert to refute disparate impact claims. According to HUD’s recent announcement, the modifications contained within the 2020 rule complicated the discriminatory effects framework, created challenges for establishing whether a policy violates the FHA, and made it harder for entities regulated by the Act to assess whether their policies were lawful.
The final rule is effective 30 days after publication in the Federal Register. According to HUD, the 2020 rule never went into effect due to a preliminary injunction issued by the U.S. District Court for the District of Massachusetts, and the 2013 rule has been and currently is in effect. Regulated entities that have been complying with the 2013 rule will not need to change any practices currently in place to comply with the final rule, HUD said.
CFPB updates agency contact information
On March 20, the CFPB published a final rule in the Federal Register to make non-substantive technical corrections and updates to Bureau and other federal agency contact information found within Regulations B, E, F, J, V, X, Z and DD, including federal agency contact information that is required to be provided with ECOA adverse action notices and the FCRA Summary of Consumer Rights (available here). Additionally, the final rule “revises the chapter heading, makes various non-substantive changes to Regulations B and V, and provides a Bureau website address where the public may access certain APR tables referenced in Regulation Z.” The final rule is effective April 19, although the Bureau noted that the mandatory compliance date for the amendments to appendix A to Regulation B, appendix A to Regulation J, and appendix K to Regulation V is March 20, 2024.
FCC regulations target scam robotexts
On March 16, the FCC adopted its first regulations specifically targeting scam text messages sent to consumers. Recognizing that robotexts are generally covered under the TCPA’s limits against unwanted calls to mobile phones, the FCC stated that the new regulations will require mobile service providers to block certain robotexts that appear to be coming from phone numbers that are unlikely to transmit text messages, including invalid, unallocated, or unused numbers, as well as “numbers that the subscriber to the number has self-identified as never sending text messages, and numbers that government agencies and other well-known entities identify as not used for texting.” Mobile service providers will also be required “to establish a point of contact for text senders, or have providers require their aggregator partners or blocking contractors to establish such a point of contact, which senders can use to inquire about blocked texts.”
The FCC’s report and order also include a further notice of proposed rulemaking, which seeks to implement additional protections to further prevent illegal text messages. The proposal would “require terminating providers to block texts from a sender after they are on notice from the Commission that the sender is sending illegal texts, to extend the National Do-Not-Call Registry’s protections to text messages, and to ban the practice of marketers purporting to have written consent for numerous parties to contact a consumer, based on one consent.”
Comments are due 30 days after publication in the Federal Register.
- Keisha Whitehall Wolfe to discuss “Tips for successfully engaging your state regulator” at the MBA's State and Local Workshop
- Max Bonici to discuss “Enforcement risk and trends for crypto and digital assets (Part 2)” at ABA’s 2023 Business Law Section Hybrid Spring Meeting
- Jedd R. Bellman to present “An insider’s look at handling regulatory investigations” at the Maryland State Bar Association Legal Summit