InfoBytes Blog
U.K. FSA Fines Banks for Slow Response to Payment Protection Insurance Customer Complaints
On February 19, the U.K.’s Financial Services Authority announced a fine against three related banks for failing to promptly redress customers lodging complaints about the banks’ payment protection insurance (PPI) product. The FSA states that over a 10-month period, the banks failed to pay redress within the FSA-required 28-day period for nearly a quarter of the banks’ customers who submitted complaints regarding PPI, with some customers waiting over six months for payment. The FSA states that its investigation revealed (i) the banks failed to establish an adequate process for preparing redress payments to send to PPI complainants; (ii) bank staff engaged on the redress process did not have the collective knowledge and experience to ensure that the process worked properly; (iii) the banks failed to effectively track PPI redress payments; (iv) the banks failed to monitor effectively whether they were making all payments of PPI redress promptly and did not gather sufficient management information to identify, in a timely manner, the full nature and extent of the payments failings; and (v) the banks’ approach to risk management when preparing redress payments to send to PPI complainants was ineffective. The FSA has been active in addressing PPI issues. Last month, the FSA and the Office of Fair Trading jointly published final guidance to help prevent the problems associated with PPI recurring in a new generation of products. The FSA’s guidance for payment protection products within its jurisdiction stresses that firms should ensure that product features reflect the needs of the consumers they are targeting. It describes the importance of (i) identifying the target market for protection products; (ii) ensuring that the cover offered meets the needs of that target market; and (iii) avoiding the creation of barriers to comparing, exiting or switching cover.
President Obama Issues Executive Order on Cybersecurity
On February 12, President Obama issued an Executive Order (EO) titled Improving Critical Infrastructure Cybersecurity, and a related Presidential Policy Directive (PPD). The EO establishes a process to facilitate sharing of cybersecurity information among private firms in critical infrastructure sectors and the federal government, and tasks the National Institute of Standards and Technology (NIST) with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The EO also includes provisions designed to protect privacy and civil liberties. The financial services sector is one of the many sectors identified as a critical sector, and the EO and PPD name the Treasury Department as the federal entity responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating or supporting the security and resilience programs and associated activities for critical financial services firms. On February 13, NIST initiated the process to develop the best practices framework by announcing a request for information from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders. NIST is required by the EO to prepare a preliminary framework by October 10, 2013, and a final framework by February 12, 2014.
UK's HM Treasury Unveils Bank Break-Up Legislation, Expects Passage Next Year
On February 4, Britain’s HM Treasury introduced legislation—entitled the Banking Reform Bill—that would provide regulators with new authority to break up a bank if its investment activities put deposits at risk. The legislation goes a step beyond previously proposed policies that would merely require banks to separate retail banking from investment banking. Under the proposed legislation, in addition to requiring that institutions ring-fence deposits, the Bank of England could force an institution to sell off certain businesses if it determines that the institution has failed to protect retail banking activities from high-risk investments. The bill also would, among other things, provide depositors preference if a bank becomes insolvent, and set new leverage caps. The introduction of the bill is the first step in the legislative process, which Britain’s Chancellor of the Exchequer stated he expects to be finalized next year.
HHS Issues New HIPAA Rules
On January 17, the Department of Health and Human Services (HHS) issued a new rule under the Health Insurance Portability and Accountability Act (HIPAA). The omnibus rule is intended to enhance patient privacy protections, provide new rights with regard to patient health information, and strengthen the government’s enforcement abilities. For example, the new rights allow patients to (i) request a copy of their electronic medical record in an electronic form and (ii) instruct their provider not to share information about their treatment with their health plan when the patient pays by cash. The rule also sets limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of individuals’ health information without their permission. While the rules are of general interest as an important development regarding privacy rights, HIPAA protections can, in some circumstances, apply to financial service providers. Not only may financial services firms need to take note as a provider of health care benefits to their employees, but also because the rule expands applicability of HIPAA requirements to “business associates” of health care providers, health plans, and other entities that process health insurance claims and receive protected health information.
Basel Committee Relaxes Liquidity Standards
On January 7, the Basel Committee released its revised Liquidity Coverage Ratio (LCR), a component of the comprehensive Basel III accords that also address capital standards. The committee’s LCR is intended to promote short-term resilience of a bank's liquidity risk and reduce the risk of the banking sector harming the broader economy by failing to absorb shocks arising from financial and economic stress. The LCR requires that a bank have an adequate stock of unencumbered high-quality liquid assets that can be converted into cash easily and immediately in private markets to meet a 30-day liquidity stress scenario. The revised LCR updates standards originally adopted by the Committee in 2010. Given slower than expected strengthening of the banking system and the broader economy, and in response to industry requests, the Committee decided to expand the range of eligible assets to include corporate debt, unencumbered equities, and highly-rated residential mortgage-backed securities. The Committee also clarified its intention to allow banks to use their high-quality liquid assets in times of stress. Finally, the Committee revised the timetable for phase-in of the standard. The standard will take effect as planned on January 1, 2015, but the minimum requirement will begin at 60%, rising 10 percentage points each year until full implementation on January 1, 2019.
FTC Announces Departure of Consumer Protection Director
On December 17, the FTC announced that the Director of its Bureau of Consumer Protection, David Vladeck, will leave the agency on December 31, 2012. Since taking the position in 2009, Mr. Vladeck has led the Bureau’s focus on financial fraud and consumer privacy. Charles Harwood, who currently serves as a Deputy Director in the Bureau, will take over as Acting Director of the Bureau of Consumer Protection. The FTC also announced that Eileen Harrington, the agency’s Executive Director, will retire at the end of the year, and that Pat Bak, who currently serves as Deputy Executive Director, will serve as Acting Executive Director.
DOJ Announces LIBOR-related Criminal Charges and Penalties, Regulators Announce Parallel Civil Enforcement Actions
On December 19, both federal law enforcement and U.S. and foreign regulatory authorities announced that a Japanese bank and its Swiss bank parent company agreed to pay more than $1.5 billion to resolve criminal and civil investigations into the firms’ role in the manipulation of the London Interbank Offered Rate (LIBOR), a global benchmark rate used in financial products and transactions. The DOJ announced that the Japanese bank has signed a plea agreement, whereby the bank agreed to pay a $100 million fine and plead guilty to one count of engaging in a scheme to defraud counterparties to interest rate derivatives trades by secretly manipulating LIBOR benchmark interest rates. In addition, its parent company entered into a non-prosecution agreement (NPA), whereby the parent company agreed to pay an additional $400 million penalty, admit to specified facts, and assist the DOJ with its ongoing LIBOR investigation. The DOJ explained that the NPA reflects the parent company’s substantial cooperation in discovering and disclosing LIBOR misconduct within the institution and recognizes the significant remedial measures undertaken by new management to enhance internal controls. Domestic and foreign regulators also announced penalties and disgorgement to resolve parallel civil investigations, including a $700 million penalty obtained by the CFTC, $259.2 million as a result of a U.K. Financial Services Authority action, and $64.3 million to resolve a Swiss Financial Markets Authority action.
FTC Orders Data Brokers to Provide Consumer Data Practices Information
On December 18, the FTC issued orders requiring nine data brokerage companies to provide information about (i) the nature and sources of the consumer information the data brokers collect, (ii) how they use, maintain, and disseminate the information, and (iii) the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold. The FTC states that it plans to use the data to study privacy practices in the data broker industry, and to make recommendations as to how the industry could improve its privacy practices. Earlier this year, members of the House and Senate issued separate requests for similar material. The brokers targeted by the various requests and orders overlap only in part.
FTC Finalizes Children's Online Privacy Rule Amendments
On December 19, the FTC announced final amendments to the Children’s Online Privacy Protection Act Rule. According to the FTC’s release, the final amendments (i) include geolocation information, photographs, and videos in the list of “personal information” that cannot be collected from children under 13 without parental notice and consent, (ii) offer companies a streamlined, voluntary, and transparent approval process for new ways of getting parental consent, (iii) close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent, (iv) require compliance by such third parties in some of those cases, (v) require compliance by persistent identifiers that can recognize users over time and across different websites or online services, (vi) require that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential, (vii) require that covered website operators adopt reasonable procedures for data retention and deletion, and (viii) strengthen the FTC’s oversight of self-regulatory safe harbor programs. The amendments also modify several other key definitions in the rule. Notably, the revised definition of “operator” clarifies that the rule covers a child-directed site or service that integrates outside services that collect personal information from its visitors, but it does not extend liability to platforms that merely offer the public access to child-directed apps. 
FTC Commissioner Maureen Ohlhausen voted against the amendments and issued a dissenting statement in which she argued that the new definition of “operator” goes beyond what Congress authorized by imposing obligations on websites or online services that do not collect personal information from children or have access to or control of such information collected by a third party.
UN Commission Publishes Report of Working Group on Electronic Commerce
Recently, the United Nations Commission on International Trade Law (UNCITRAL) published the Report of Working Group IV (Electronic Commerce), reflecting the group’s work during its forty-sixth session, held in late October and early November. The report describes the Working Group’s continued efforts to explore issues related to electronic transferable records and to address the need for an international regime to facilitate the cross-border use of such records. During this most recent session, the Working Group considered in detail the legal issues relating to the use of electronic transferable records, and developed parameters for a set of rules to address those issues. Working Group members expressed broad support for a draft model law that would incorporate the parameters identified, while allowing for flexibility when addressing differences in national substantive laws. Some members also expressed support for the preparation of guidance texts, such as a legislative guide, and Working Group members discussed the possible consideration of a binding instrument, such as a treaty, to establish a legal framework for the cross-border transfer of electronic records. The Working Group will follow up on these issues during its forty-seventh session to be held in New York from May 13-17, 2013.