
InfoBytes Blog

Financial Services Law Insights and Observations


  • OCC issues proposed rule for bank merger approvals

    Agency Rule-Making & Guidance

    On January 29, the OCC announced a proposed rule for bank merger approvals under the Bank Merger Act (BMA). The OCC proposed changes to 12 CFR 5.33 to reflect its view that a business combination is a significant corporate transaction.

    The OCC suggested two key changes to its business combination regulation (12 CFR 5.33). First, it proposed removing the expedited review procedures outlined in § 5.33(i). Currently, this provision automatically approves certain filings after the 15th day following the close of the comment period, but the OCC believes that no business combinations subject to § 5.33 should be approved solely based on elapsed time. Additionally, the OCC suggests removing paragraph (d)(3), as it pertains to defining applications eligible for expedited review. Second, the OCC proposes the removal of § 5.33(j), which outlines four scenarios allowing an applicant to use the OCC's streamlined business combination application instead of the full Interagency Bank Merger Act Application. The streamlined application seeks information on similar topics, but only requires detailed information if the applicant answers affirmatively to specific yes-or-no questions. Currently, a transaction eligible for the streamlined application also qualifies for expedited review, a feature the OCC is proposing to eliminate. Additionally, a new policy statement (proposed as Appendix A to 12 CFR part 5, subpart C) is introduced to provide clarity and guidance on general principles used by the OCC in reviewing applications under the BMA. The policy statement also covers considerations for financial stability, resources, prospects, and convenience and needs factors. Criteria for deciding whether to hold a public meeting on a BMA application were also outlined.

    Comments from the public are due 60 days from the date of publication in the Federal Register.

    Agency Rule-Making & Guidance Federal Issues Bank Regulatory OCC Bank Mergers Bank Merger Act

  • FTC obtains injunction and monetary judgment against telemarketing company

    Federal Issues

    On January 31, the U.S. District Court for the Northern District of Illinois finalized, in actions brought by the FTC, a permanent injunction and monetary judgment against a telemarketing company and certain individuals for violating the FTC Act, 15 U.S.C. § 45, and the Telemarketing and Consumer Fraud and Abuse Prevention Act, specifically the Telemarketing Sales Rule (“TSR”). The FTC’s motion for summary judgment was granted by the court, whereby the defendants were ordered to pay a monetary judgment for a civil penalty of $28,681,863.88 in favor of the FTC, and the defendants were permanently banned from participating in telemarketing or assisting and facilitating others engaged in telemarketing to consumers. The court found that the defendants violated the TSR by “initiating or causing the initiation of outbound telephone calls to consumers whose telephone numbers were on the National Do Not Call Registry… and by assisting and facilitating their inbound transfer partners’ violations of the TSR.”  This final action comes after the FTC was granted its initial order for permanent injunction and other relief in November 2023.

    Federal Issues FTC FTC Act Telemarketing TCPA Do Not Call Registry Telemarketing and Consumer Fraud and Abuse Prevention Act

  • CFPB reflects on 2023 enforcement actions; states upcoming enforcement goals

    Federal Issues

    On January 29, the CFPB released a blog post on its enforcement actions from 2023, as well as its outlook for 2024. In 2023, the CFPB reportedly filed 29 enforcement actions and resolved six final orders on previously filed lawsuits. Compensation-wise, the Bureau required entities to pay approximately $3.07 billion in compensation to consumers and nearly $500 million in civil money penalties. The CFPB highlights some key enforcement actions from 2023, such as helping protect servicemembers from loan exploitation, as previously covered in InfoBytes here, and taking action against the alleged illegal junk advance fees from credit repair services, also covered in InfoBytes here.

    Looking forward to 2024, the CFPB stated its intent to increase its capacity. The Bureau’s outlook falls in line with previous comments from a CFPB representative in an FTC panel, covered by InfoBytes here. The blog post provides greater detail, outlining the Bureau’s plans to hire more technology experts to help enforce the law against emerging technologies, as well as expanding its enforcement capacity by adding more attorneys, analysts, paralegals, and economists, among others.

    Federal Issues CFPB Enforcement

  • White House provides three-month update on its AI executive order

    Federal Issues

    On January 29, President Biden released a statement detailing how federal agencies have fared in complying with Executive Order 14110 regarding artificial intelligence (AI) development and safety. As previously covered by InfoBytes, President Biden’s Executive Order from October 30, 2023, outlined how the federal government can promote AI safely and in a secure way to protect U.S. citizens’ rights.

    The statement notes that federal agencies have (i) used the Defense Production Act to have AI developers report vital information to the Department of Commerce; (ii) proposed a draft rule for U.S. cloud companies to provide computing power for foreign AI training; and (iii) completed risk assessments for “vital” aspects of society. The statement further outlines how the NSF (iv) managed a pilot program to ensure that AI resources are equitably accessible to the research and education communities; (v) began the EducateAI initiative to create AI educational opportunities in K-12 through undergraduate institutions; (vi) promoted the funding of a new Regional Innovation Engines to assist in creating breakthrough clinical therapies; (vii) the OPM launched the Tech Talent Task Force to accelerate hiring data scientists in the government; and (viii) the DHHS established an AI Task Force to provide “regulatory clarity” in health care. Lastly, the statement provides additional information on various agency activities that have been completed in response to the Executive Order. More on this can be found at ai.gov.

    Federal Issues Biden White House Artificial Intelligence Executive Order

  • FFIEC publishes proposed extension of reporting obligations

    Agency Rule-Making & Guidance

    On January 26, the Federal Financial Institutions Examination Council (FFIEC) approved the OCC, Fed, and FDIC’s publication for public comment of a proposal to extend several information collection items for three years. As previously covered by InfoBytes, the FFIEC last month put forth a similar three-year proposal on FFIEC 002 which affected the three Call Reports (FFIEC 031, 041, and 051). While this proposal includes those same four items, it adds two more: the Regulatory Capital Reporting for Institutions Subject to the Advanced Capital Adequacy Framework (FFIEC 101), and the Market Risk Regulatory Report for Institutions Subject to the Market Risk Capital Rule (FFIEC 102). The proposed changes include a new confidential report (FFIEC 102a) titled the Market Risk Regulatory Report that would “collect information necessary for the agencies to evaluate [an]… institution’s implementation of the market risk rule and validate a [bank’s] internal models used in preparing the FFIEC 102.” The revisions are related to the agencies’ capital rule proposal published on September 18, 2023. Comments are requested by March 25, 2024, and the revisions are planned to be effective as of September 30, 2025.

    Agency Rule-Making & Guidance Federal Issues FFIEC OCC Federal Reserve Call Report FDIC

  • New York Governor proclaims January 21-27 as Data Privacy Awareness Week

    Privacy, Cyber Risk & Data Security

    On January 26, New York Governor Kathy Hochul issued a proclamation establishing January 21-27, 2024, as Data Privacy Awareness Week in partnership with several state agencies, including NYDFS. Generally celebrated as Data Privacy Day, this will be the first time that the event expands to an entire week. This proclamation addresses ways that citizens can protect their personal information against bad actors. The week is designed to help “educate the public” and heighten the importance of data privacy. The press release highlights how consumers can keep their personal information private and protect themselves, including: keeping applications up to date; using unique and complex passwords for every account; enabling multi-factor authentication on devices; exercising caution when opening unsolicited links in emails or messages; limiting the amount of personal data collected by websites; considering what personal information is shared on social media; setting up a virtual private network, or VPN; and being careful when using public Wi-Fi networks.

    Privacy, Cyber Risk & Data Security New York Governors NYDFS Consumer Education

  • California Attorney General investigates streaming services for CCPA violations

    Privacy, Cyber Risk & Data Security

    On January 26, California State Attorney General Rob Bonta announced an investigative initiative by issuing letters to businesses operating streaming apps and devices, accusing them of non-compliance with the California Consumer Privacy Act (CCPA). The focus of the investigation is the evaluation of streaming services’ adherence to the CCPA's opt-out requirements, in particular those businesses that sell or share consumer personal information. The investigation targets businesses failing to provide a direct mechanism for consumers wishing to prevent the sale of their data.

    AG Bonta urged consumers to know about and exercise their rights under the CCPA, emphasizing the right to instruct businesses not to sell their personal information. The CCPA grants California consumers enhanced rights regarding the collection, sharing, and disclosure of their personal information by businesses, and compliance responsibilities include responding to consumer requests and providing necessary notices about privacy practices. AG Bonta noted that the right to opt-out under the CCPA mandates that businesses selling or sharing personal data for targeted advertising must facilitate an easy and minimal-step process for consumers to exercise their right. For example, users should be able to easily navigate their streaming service’s mobile application settings to enable the “Do Not Sell My Personal Information” option. The expectation is that this choice remains effective across various devices if users are logged into their accounts when electing to opt-out. Finally, Bonta added that consumers should be given easy access to a streaming service’s privacy policy outlining their CCPA rights. 

    Privacy, Cyber Risk & Data Security State Issues State Attorney General CCPA California Compliance Opt-Out Consumer Protection

  • NIST group releases drafts on TLS 1.3 best practices aimed at the financial industry

    Privacy, Cyber Risk & Data Security

    On January 30, the NIST National Cybersecurity Center of Excellence (NCCoE) released a draft practice guide, titled “Addressing Visibility Challenges with TLS 1.3 within the Enterprise.” The protocol in question, Transport Layer Security (TLS) 1.3, is the most recent iteration of the security protocol most widely used to protect communications over the Internet, but its implementation over TLS 1.2 (the prior version) remains challenging for major industries, including finance, that need to inspect incoming network traffic data for evidence of malware or other malicious activity. A full description of the project can be found here.

    Compared to TLS 1.2, TLS 1.3 is faster and more secure, but its implementation of forward secrecy, i.e., protecting past sessions against compromises of keys or passwords used in future sessions, creates challenges related to data audit and legitimate inspection of network traffic. As a result, NIST released the practice guide to offer guidance on how to implement TLS 1.3 and meet audit requirements without compromising the TLS 1.3 protocol itself. The practice guide suggests how businesses can improve their technical methods, such as implementing a passive inspection architecture using either “rotated bounded-lifetime [Diffie-Hellman] keys on the destination TLS server” or exported session keys, to support ongoing compliance with financial industry and other regulations for continuous monitoring for malware and cyberattacks. The draft practice guide is currently under public review, with Volumes A and B of the guide open until April 1, 2024. Volume A is a second preliminary draft of an Executive Summary and Volume B is a preliminary draft on the Approach, Architecture, and Security Characteristics.

    Privacy, Cyber Risk & Data Security Data Internet Privacy NIST

  • Securities regulators issue guidance and an RFC on AI trading scams

    Financial Crimes

    On January 25, FINRA and the CFTC released advisory guidance on artificial intelligence (AI) fraud, with the latter putting out a formal request for comment. FINRA released an advisory titled “Artificial Intelligence (AI) and Investment Fraud” to make investors aware of the growing popularity of scammers committing investment fraud using AI and other emerging technologies, posting the popular scam tactics, and then offering protective steps. The CFTC released a customer advisory called “AI Won’t Turn Trading Bots into Money Machines,” which focused on trading platforms that claim AI-created algorithms can guarantee huge returns.

    Specifically in FINRA’s notice, the regulator stated that registration is a good indicator of sound investment advice, and offers the Investor.gov tool as a means to check; however, even registered firms and professionals can offer claims that sound too good to be true, so “be wary.” FINRA also warned about investing in companies involved in AI, which often use catchy buzzwords or make claims to “guarantee huge gains.” Some companies may engage in pump-and-dump schemes where promoters “pump” up a stock price by spreading false information, then “dump” their own shares before the stock’s value drops. FINRA’s guidance additionally discussed the use of celebrity endorsements to promote an investment using social media; FINRA states that social media has become “more saturated with financial content than ever before,” leading to the rise of “finfluencers.” Finally, FINRA mentioned how AI-enabled technology allows scammers to create “deepfake” videos and audio recordings to spread false information. Scammers have been using AI to impersonate a victim’s family members or a CEO announcing false news to manipulate a stock’s price, and to create realistic marketing materials.

    The CFTC’s advisory highlighted how scammers use AI to create algorithmic trading platforms using “bots” that automatically buy and sell. In one case cited by the CFTC, a scammer defrauded customers into selling him nearly 30,000 bitcoins, worth over $1.7 billion at the time. The CFTC posted a Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. The Request listed eight questions addressing current and potential uses of AI by regulated entities, and several more addressing concerns regarding the use of AI in regulated markets and entities for the public to respond to.

    Financial Crimes FINRA Artificial Intelligence CFTC Securities Exchange Commission Fraud Securities

  • SEC rejects petition to amend the “no admit/no deny policy”

    Securities

    On January 30, the SEC rejected a nonprofit’s 2018 rulemaking petition that requested an amendment to Rule 202.5(e) under Commission Rule of Procedure 192(a), which outlines the terms for the Commission's acceptance of settlements in enforcement actions. Specifically, the rule prohibits settlements imposing sanctions if a defendant can publicly deny the Commission's allegations.

    The rejection letter emphasizes the SEC’s authority to investigate securities law violations and initiate enforcement actions, saying that considering the request “could undermine confidence in the Commission’s enforcement program.” The SEC highlights its reliance on consent judgments and the contractual nature of settlements, as well as the potential implications of the proposed amendment on the SEC’s settlement process, adding that “it could undermine confidence in the Commission’s enforcement program.” SEC Chair Gary Gensler said in a statement supporting the decision that “a settlement that allows the denial of wrongdoing undermines the value provided by the recitation of the facts, and it muddies the message to the public.”

    The Commission has decided not to amend Rule 202.5(e), affirming that the rule is a valid exercise of its authority in pursuing enforcement actions and settling cases. The policy allows the SEC to retain the option of seeking legal remedies if a defendant publicly denies allegations after settling. The letter also emphasizes that the constitutional and statutory arguments presented in the petition lack merit and conflict with established legal precedent regarding the waiver of rights in civil settlements. The Commission underscores the importance of the “no-deny” provision in preserving its ability to challenge public denials in court and rejects the notion that settling defendants can later deny allegations without consequence. 

    Securities Securities Exchange Commission Enforcement Agency Rule-Making & Guidance Settlement
