InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC settles with retailers over deceptive product representation
On April 8, the FTC used its Penalty Offense Authority against two national retailers for allegedly engaging in false labeling and marketing tactics by presenting rayon textile products as bamboo. According to the complaints (see here and here), which were filed by the DOJ on behalf of the FTC, since at least 2015, the companies allegedly made false or unsubstantiated representations in violation of the FTC Act by improperly labeling and marketing textile fiber products as “made of bamboo” in both product titles and descriptions. The companies also, among other things, falsely marketed some of the “bamboo-derived” products as providing general environment benefits, such as being produced “free of harmful chemicals, using clean, non-toxic materials,” also in violation of the FTC Act. Additionally, in connection with the advertising of textile fiber products containing rayon, the companies allegedly made representations regarding the products’ fiber content without disclosing the full fiber content, in violation of the Textile Act and Textile Rules.
According to the proposed settlements (see here and here), the companies are, among other things: (i) prohibited from making deceptive claims, including false and/or unsubstantiated claims, relating to bamboo fiber products; (ii) prohibited from future violations of the FTC Act and Textile Act and Textile Rules; and (iii) ordered to pay $5.5 million total in penalties.
Khan outlines FTC’s plans to enforce privacy, data security
On April 11, FTC Chair Lina Khan spoke at the Opening General Session of the IAPP Global Privacy Summit 2022, focusing on the Commission’s’ approach to privacy and data security enforcement strategy. In her remarks, Khan offered observations on “the new political economy” of how American consumers’ data is “tracked, gathered, and used,” and identified how the Commission is adjusting to address these “new market realities.” She also raised broad questions about the current framework for policing “the use and abuse of individuals’ data.” Khan observed that digital technology now allows firms to collect vast amounts of data on a “hyper-granular level,” tracking individuals as they carry out daily tasks. The information collected includes precise personal location, web browsing history, health records, and a complete picture of ones social network of family and friends. This data, analyzed and aggregated at a huge scale, yields “stunningly detailed and comprehensive user profiles that can be used to target individuals with striking precision.” She acknowledged that this data can be put towards adding value for consumers but that consumers are often unaware that companies are monetizing their personal data at huge profits leading to business models that “incentivize endless tracking and vacuuming up of users’ data.” These incentives have rendered today’s digital economy as, quoting a scholar, “probably the most highly surveilled environment in the history of humanity.”
Khan also outlined three key aspects of the FTC’s approach to addressing the above risks to consumers:
- The FTC will focus on “dominant firms” causing “widespread harm.” This includes addressing conduct by the dominant firms themselves as well as “dominant middlemen” facilitating the conduct through unlawful data practices.
- The FTC is taking an interdisciplinary approach by “assessing data practices through both a consumer protection and competition lens” because widescale commercial surveillance and data collection practices have the potential to violate both consumer protection and antitrust laws. The FTC will also increase reliance on technologists such as data scientists, engineers, user design experts, and AI researchers to augment the skills of their lawyers, economists, and investigators.
- The FTC will focus on designing effective remedies “informed by the business strategies that specific markets favor and reward” and that are responsive to the new value that companies place on collected data. Such remedies may include bans from surveillance industries for companies and individuals, disgorgement, requiring updated security measures such as dual-factor authentication, and requiring the deletion of illegally collected data and any algorithms derived from the same.
Khan further indicated that the FTC is considering initiating rulemaking to address commercial surveillance practices and inadequate data security. She concluded by suggesting a paradigmatic shift away from the current framework used to assess unlawful data gathering. Specifically, she stated that “market realities may render the ‘notice and consent’ paradigm outdated and insufficient” – noting that users find privacy policies overwhelming and have no real alternatives to accepting their terms given the increasingly critical reliance on digital tools to navigate daily life. Khan called for new legislation to address these concerns, saying, “[W]e should approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place. The central role that digital tools will only continue to play invites us to consider whether we want to live in a society where firms can condition access to critical technologies and opportunities on users surrendering to commercial surveillance.”
Agencies to update administrative enforcement proceedings
On April 13, the FDIC, OCC, Federal Reserve Board, and NCUA (collectively, “agencies”) announced they are issuing a notice of proposed rulemaking (NPRM) to modernize the agencies’ Uniform Rules of Practice and Procedure (Uniform Rules) applicable to formal administrative enforcement proceedings for insured depository institutions. As previously covered by InfoBytes, in March, the agencies issued an interagency proposal to update policies and procedures governing administrative proceedings for supervised financial institutions, which accounted for the routine use of electronic presentations in hearings and for use of technology in administrative proceedings, among other things. The proposed rule would recognize the use of electronic communications and technology in all aspects of administrative hearings to increase the accuracy and fairness of administrative adjudications. Among other things, the NPRM would (i) allow electronic signatures and filings; (ii) permit depositions to be held by remote means; (iii) modernize language and definitions; and (iv) extend certain filing time limits. Amended provisions also address additional topics including the authority of administrative law judges, adjudicatory proceedings, good faith certifications, ex parte communications, conflicts of interest, and expenses. The agencies also propose to modify their specific Local Rules of administrative practice and procedure applicable to enforcement actions brought by each agency. The OCC has already proposed to amend its rules on organization and functions to address service of process and to integrate its Uniform Rules and Local Rules so that a single set of rules applies to both national banks and federal savings associations Comments on both the interagency rulemaking and the OCC’s rulemaking are due 60 days after publication in the Federal Register.
OCC revises Comptroller’s Licensing Manual
On April 7, the OCC announced an updated version of the “General Policies and Procedures,” “Management Interlocks,” and “Public Notice and Comments” booklets of the Comptroller’s Licensing Manual. According to Bulletin 2022-11, the revised booklets replace booklets of the same title issued between January 2017 and October 2019. Additionally, the revised booklets, among other things: (i) reflect recent updates to 12 CFR 5 and other regulations; (ii) update guidance and references; and (iii) make other minor modifications and corrections throughout.
CFPB sues credit reporter and one of its executives
On April 12, the CFPB sued a credit reporting agency (CRA), two of its subsidiaries (collectively, “corporate defendants"), and a former senior executive for allegedly violating a 2017 enforcement order in connection with alleged deceptive practices related to their marketing and sale of credit scores, credit reports, and credit-monitoring products to consumers. The 2017 consent order required the corporate defendants to pay a $3 million civil penalty and more than $13.9 million in restitution to affected consumers as well as abide by certain conduct provisions (covered by InfoBytes here). The Bureau’s announcement called the corporate defendants “repeat offender[s]” who continued to engage in “digital dark patterns” that caused consumers seeking free credit scores to unknowingly sign up for a credit monitoring service with recurring monthly charges. According to the Bureau’s complaint, the corporate defendants, under the individual defendant’s direction, allegedly violated the 2017 consent order from the day it went into effect instead of implementing agreed-upon policy changes intended to stop consumers from unknowingly signing up for credit monitoring services that charge monthly payments. The Bureau claimed that the corporate defendants’ practices continued even after examiners raised concerns several times. With respect to the individual defendant, the Bureau contended that he had both the “authority and obligation” to ensure compliance with the 2017 consent order but did not do so. Instead, he allowed the corporate defendants to “defy the law and continue engaging in misleading marketing, even in the face of thousands of consumer complaints and refund requests.” The complaint alleges violations of the CFPA, EFTA/ Regulation E, and the FCRA/Regulation V, and seeks a permanent injunction, damages, civil penalties, consumer refunds, restitution, disgorgement and the CFPB’s costs.
CFPB Director Rohit Chopra issued a statement the same day warning the Bureau will continue to bring cases against repeat offenders. Dedicated units within the Bureau’s enforcement and supervision teams will focus on repeat offenders, Chopra stated, adding that the Bureau will also work with other federal and state law enforcement agencies when repeat violations occur. “Agency and court orders are not suggestions, and we are taking steps to ensure that firms under our jurisdiction do not engage in repeat offenses,” Chopra stressed. He also explained that the charges against the individual defendant are appropriate, as he allegedly, among other things, impeded measures to prevent unintended subscription enrollments and failed to comply with the 2017 consent order, which bound company executives and board members to its terms.
The CRA issued a press release following the announcement, stating that it considers the Bureau’s claims to be “meritless” and that as required by the consent order, the CRA “submitted to the CFPB for approval a plan detailing how it would comply with the order. The CFPB ignored the compliance plan, despite being obligated to respond and trigger deadlines for implementation. In the absence of any sort of guidance from the CFPB, [the CRA] took affirmative actions to implement the consent order.” Moreover, the CRA noted that “[r]ather than providing any supervisory guidance on this matter and advising [the CRA] of its concerns – like a responsible regulator would – the CFPB stayed silent and saved their claims for inclusion in a lawsuit, including naming a former executive in the complaint,” and that “CFPB’s current leadership refused to meet with us and were determined to litigate and seek headlines through press releases and tweets.”
OCC says bank partnerships crucial in community reinvestment and resilience
On April 7, the OCC highlighted measures that banks can take to collaborate with community development financial institutions (CDFIs), minority depository institutions (MDIs), and other community-based groups to assist communities recovering from the Covid-19 pandemic and natural disasters. In the agency’s latest edition of its Community Developments Investments newsletter, “Partners in Recovery: Community Reinvestment and Resilience,” the OCC discussed ways banks have partnered with CDFIs and MDIs to originate small business loans, and highlighted federal emergency programs created to provide resources to low- and moderate-income and minority communities and businesses recovering from the disproportionate effects of the pandemic. The newsletter also provided examples of bank-community partnerships and addressed the role that these partnerships play in both rebuilding communities following disasters and the pandemic and preparing for future crises through climate resilience planning and investment.
Biden orders agency action on medical debt
On April 11, the Biden administration released a Fact Sheet regarding an initiative to decrease “malicious” and “predatory” billing and collection practices related to medical debts, including holding medical providers and debt collectors “accountable for harmful practices.” According to the Fact Sheet, the administration has ordered several agencies to take actions intended to “lessen the burden of medical debt and increase consumer protection.” The Fact Sheet provides “guidance to all agencies to eliminate medical debt as a factor for underwriting in credit programs,” and states, among other things, that the: (i) FHFA is reviewing the credit models that Fannie Mae and Freddie Mac use; (ii) USDA is discontinuing “the inclusion of any recurring medical debts into borrower repayment calculations”; and (iii) VA is reviewing its underwriting guidelines to ensure it minimizes or eliminates medical debt reporting as a proxy for creditworthiness. Additionally, the Fact Sheet noted that the Department of Health and Human Services is requesting data from over 2,000 providers on medical bill collection practices, lawsuits against patients, financial assistance, financial product offerings, and third party contracting or debt buying practices. The Fact Sheet also noted that the CFPB “will investigate credit reporting companies and debt collectors” in regard to “patients’ and families’ rights,” which includes targeting “coercive credit reporting” and determining whether medical debts should be included in consumer credit reports.
Chopra offers warning on core service providers
On April 7, CFPB Director Rohit Chopra expressed concerns that “contracts written by the major core services providers are making it harder for local financial institutions to switch providers or use add-ons from outside technology providers.” In remarks to the CFPB’s Community Bank and Credit Union Advisory Councils, Chopra discussed downstream effects created by the heavily consolidated core services provider market on relationship banking and consumers. Chopra explained that these contracts “come with costly and unnecessary extra non-core banking services, longer contract periods, and stiff penalties and fees for ending contracts early or making other contract changes,” discourage smaller financial institutions from quickly adapting their own products and services to fit within the ever-evolving banking tech landscape, and overall make it more difficult for smaller financial institutions to compete with larger companies. Chopra announced that Bureau staff will work with core service providers and other federal agencies to examine the concentrated core platform marketplace’s impact on consumers and banks, and respond to questions related to banks’ collective bargaining on core services’ contracts. The Bureau also plans to collaborate with other agencies to examine third-party service providers and the potential referral of complaints.
FTC order targets credit reporter for UDAP violation
On April 7, the FTC finalized an order against a respondent business credit report provider to settle allegations that the respondent engaged in deceptive and unfair practices by failing to provide businesses with a clear, consistent, and reliable process to fix errors in their credit reports, even though the respondent was selling products to those businesses that purported to help the businesses improve their reports. The FTC’s administrative complaint also claimed that the respondent’s telemarketers deceptively pitched another service to businesses and falsely claimed that the businesses had to purchase the service in order for the respondent to complete the business’s credit profile. In addition, the respondent allegedly failed to disclose to businesses that the service’s subscription automatically renewed each year and that other renewal practices could lead to increasing costs (covered by InfoBytes here). Under the terms of the final order, the respondent is required to make substantial changes to its processes and provide refunds to harmed businesses. Measures include (i) deleting disputed information free of charge or conducting a reasonable reinvestigation to determine the accuracy of disputed information in a report of a business; (ii) complying with specific time periods within which to promptly investigate and correct errors; (iii) informing businesses of investigation results and providing businesses with free access to the revised information; (iv) making clear disclosures to businesses about the rate at which the firm accepts subscribers’ requests to add payment history information, as well as its limits for providing assistance in adding such information; (v) allowing current subscribers to cancel their services and obtain refunds; and (vi) placing restrictions on the respondent’s ability to automatically renew subscriptions or switch subscribers into a more expensive product.
Hsu discusses stablecoins, pushes for crypto banks
On April 8, acting Comptroller of the Currency Michael J. Hsu discussed stablecoin policy considerations in remarks before the Institute of International Economic Law at Georgetown University Law Center. Hsu called for the establishment of an “intentional architecture” for stablecoins developed along the principles of “[s]tability, interoperability and separability,” as well as “core values” of “privacy, security, and preventing illicit finance.” According to Hsu, one way to mitigate blockchain-related risks would be to “require that blockchain-based activities, such as stablecoin issuance, be conducted in a standalone bank-chartered entity, separate from any other insured depository institution [] subsidiary and other regulated affiliates.” Hsu also emphasized the need to evaluate whether stablecoin issuers should be required “to comply with a fixed set of safety and soundness-like requirements (as is the case with banks)” or be allowed to pick from a range of licensing options.
Additionally, Hsu raised the question about how separable stablecoin issuers should be. “Blockchain-based money holds the promise of being ‘always on,’ irreversible, programmable, and settling in real-time,” he explained. “With these benefits, however, come risks, especially if commingled with traditional banking and finance.” Specifically, Hsu cited concerns that a bank’s existing measures for managing liquidity risks associated with traditional payments “may not be effective for blockchain-based payments,” which could conceivably accumulate over a weekend and “outstrip a bank’s available liquidity resources.” Hsu also raised concerns related to the current “lack of interoperability” should stablecoins expand from trading to payments, and stressed that “[i]n the long run, interoperability between stablecoins and with the dollar—including a [central bank digital currency]—would help ensure openness and inclusion.” He added that this “would also help facilitate broader use of the U.S. dollar—not a particular corporate-backed stablecoin—as the base currency for trade and finance in a blockchain-based digital future.”