
InfoBytes Blog

Financial Services Law Insights and Observations


  • European Commission approves transatlantic data-transfer framework

    Privacy, Cyber Risk & Data Security

    On July 10, the European Commission adopted an adequacy decision as part of the EU-U.S. Data Privacy Framework, concluding that the U.S. “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to U.S. companies under the new framework.” In the announcement, European Commission President Ursula von der Leyen stated that the “new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.” She explained that with the new adequacy decision, personal data can now be transferred securely from the EU to U.S. companies participating in the framework without having to implement additional data protection safeguards. The framework will be administered by the Department of Commerce. Compliance by U.S. companies with their obligations under the framework will be enforced by the FTC.

    As previously covered by InfoBytes, Presidents von der Leyen and Biden announced in March 2022 that they had reached an agreement in principle on a new transatlantic data flows framework to foster cross-border transfers of personal data from the EU to the U.S. Under the framework, the U.S. agreed to implement reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement followed negotiations that began after the Court of Justice of the EU issued an opinion in the Schrems II case in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.

    The DOJ released a statement welcoming the European Commission’s adoption of the adequacy decision and expressing its eagerness to collaborate with the Commission, along with representatives from European data protection authorities, to ensure the ongoing implementation of data privacy safeguards.

    Privacy, Cyber Risk & Data Security Federal Issues Of Interest to Non-US Persons EU Consumer Protection Biden EU-US Data Privacy Framework Department of Commerce FTC

  • Senators demand that CFPB address voice-cloning risks

    Privacy, Cyber Risk & Data Security

    On July 6, four Democrats on the Senate Banking Committee sent a letter to CFPB Director Rohit Chopra, in which they expressed their concerns about the emergence of voice cloning technology. The senators observed that “voice cloning, the process of reproducing an individual’s voice with high accuracy using AI and machine learning techniques, has seen remarkable advancements in recent years, and is increasingly being used in malicious ways.” The letter noted the “particularly alarming” use of voice cloning in financial scams, in which scammers use the technology to convincingly impersonate family, friends, and even financial advisors or bank employees. Many times, the letter mentioned, scammers target consumers “who often have no reimbursement recourse from banks and peer-to-peer payment apps.” The senators also highlighted the threat that this technology poses to financial institutions that utilize voice authentication services. The senators urged Chopra and the Bureau to review the risks posed by voice cloning technology and implement measures to effectively address the emerging threat to unsuspecting consumers.

    Privacy, Cyber Risk & Data Security Federal Issues CFPB Senate Banking Committee Artificial Intelligence Consumer Protection

  • Hawaii amends money transmitter provisions

    On July 3, the Hawaii governor signed HB 1027 (the “Act”) into law, amending several provisions relating to the Money Transmitters Modernization Act. The Act adds and amends several definitions. Changes include defining “money,” “receiving money or monetary value for transmission,” and “tangible net worth.” The definition of “money transmission” has also been amended to clarify its connection to business done in Hawaii, and “stored value” has been amended to mean monetary value “that represents a claim against the issuer evidenced by an electronic or digital record and that is intended and accepted for use as a means of redemption for money or monetary value, or payment for goods or services.” Stored value does not include “a payment instrument or closed loop stored value, or stored value not sold to the public but issued and distributed as part of a loyalty, rewards, or promotional program.”

    Among the various exemptions, the Act also provides for an exemption for an agent of the payee to collect and process a payment from a payor to the payee for goods or services, other than money transmission services, provided certain criteria are met. Additional exemptions include certain persons acting as intermediaries, persons expressly appointed as third-party service providers to an exempt entity, and registered futures commission merchants and securities broker-dealers, among others. Anyone claiming to be exempt from licensing may be required to provide information and documentation demonstrating their qualification for the claimed exemption.

    The amendments outline numerous licensing application and renewal procedures, including largely adopting the net worth, surety bond, and permissible investment requirements set forth in the Money Transmission Modernization Act. Several other states have also recently enacted provisions relating to the licensing and regulation of money transmitters (see InfoBytes coverage here and here).

    The Act took effect July 1.

    Licensing State Issues Digital Assets Fintech State Legislation Hawaii Money Service / Money Transmitters

  • States endorse CFPB’s policy statement on abusive conduct

    State Issues

    On July 6, the California attorney general announced that he had joined a coalition of state attorneys general in submitting a comment letter endorsing the CFPB’s recently issued policy statement on abusive conduct in consumer financial markets. The multi-state coalition comprises Arizona, California, Colorado, Connecticut, the District of Columbia, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, and Wisconsin. In April, the Bureau issued a policy statement containing an “analytical framework” for identifying abusive conduct prohibited under the Consumer Financial Protection Act, in which it broadly defined abusive conduct as anything that obscures, withholds, de-emphasizes, renders confusing, or hides information about the key features of a product or service. (Covered by InfoBytes here.)

    In their letter, the state attorneys general emphasized the importance of preventing abusive conduct in consumer financial markets and highlighted the partnership between states and the Bureau in achieving this goal. The states also commended the Bureau for providing a clear, analytical framework for what constitutes abusive acts or practices and expressed appreciation for the agency’s use of real enforcement actions as examples of illegal abusive conduct. The multi-state coalition applauded the flexibility and guidance provided by the policy statement and complimented the Bureau for acknowledging the realities of modern consumer markets by clarifying that both acts and omissions can hinder consumers’ understanding of terms and conditions, including the use of fine print or complex language that limits comprehension.

    State Issues Federal Issues State Attorney General CFPB CFPA UDAAP Abusive Consumer Finance

  • 7th Circuit affirms dismissal of FCRA claims against subservicer

    Courts

    On July 5, the U.S. Court of Appeals for the Seventh Circuit affirmed summary judgment in favor of a defendant data furnisher in an FCRA case, holding that the plaintiff failed to establish that the defendant provided “patently incorrect or materially misleading information” to a credit reporting agency (CRA). Defendant was the subservicer for plaintiff’s mortgage and was responsible for accepting and tracking payments and providing payment data to the CRAs. After plaintiff failed to make her monthly payments, she resolved the delinquency through a short sale of her home. Several years later, plaintiff noticed that the closed mortgage account appeared on her credit reports as delinquent. She disputed the information to several CRAs. To confirm the accuracy of its records on plaintiff’s mortgage, one of the CRAs sent the defendant data furnisher four automated consumer dispute verification (ACDV) forms. In the ACDV responses, the defendant amended or verified several contested data points, including the pay rate and account history. The CRA reported this amended data to indicate on plaintiff’s credit report that she was currently delinquent on the mortgage with missed payments in the months following the short sale. After plaintiff applied for and was denied a new mortgage based on the credit report, plaintiff sued the defendant data furnisher for alleged violations of the FCRA, alleging that the defendant failed to conduct a reasonable investigation of the disputed data and provided false and misleading information to CRAs. The district court granted summary judgment in favor of the defendant, finding that plaintiff failed to make a threshold showing that the defendant’s data was incomplete or inaccurate.

    On appeal, the 7th Circuit disagreed with plaintiff that “completeness or accuracy” under the FCRA “must be judged based, not on the ACDV response the data furnisher provided, but on the credit report generated from it.” The court reasoned that the text of the statute “says nothing about a credit report, let alone a duty of a data furnisher with respect to credit reports produced using its amended data. To the contrary, the statute sets out the data furnisher’s duties to investigate disputes, correct incomplete or inaccurate information, and report results from an investigation” to the CRA. Holding that “context can play a large role in determining completeness or accuracy” in this situation, the appellate court agreed with the district court that the data provided by the defendant to the CRA was “not materially misleading” and that “no reasonable jury could find” that the data meant that plaintiff was currently delinquent on her debt, particularly because of strong “contextual evidence”—specifically, that the disputed data appeared directly beside a status code showing that the account was closed. The appeals court affirmed summary judgment for the data furnisher.

    Courts Appellate Seventh Circuit FCRA Consumer Finance Credit Furnishing Mortgages Credit Reporting Agency Credit Report

  • 1st Circuit confirms standing for data breach victims

    Courts

    On June 30, the U.S. Court of Appeals for the First Circuit overruled a district court’s dismissal of a putative class action against a home delivery pharmacy service for allegedly failing to prevent a 2021 data breach that exposed the personally identifiable information (PII) of over 75,000 patients. The class action complaint alleged state law claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, and sought damages and injunctive relief. The putative class was comprised of U.S. residents whose PII was compromised in the data breach. The two named plaintiffs were former or current patients whose PII was compromised in the data breach, and one of the two named plaintiffs had her stolen PII used to file a fraudulent tax return. The district court dismissed the lawsuit for lack of Article III standing.

    Affirming in part and reversing in part, the 1st Circuit held that the complaint “plausibly demonstrates” the plaintiffs’ standing to seek damages, applying the principles articulated by the Supreme Court in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here).

    First, the court concluded that, with respect to the named plaintiff whose PII was used to file a fraudulent tax return, the complaint’s “plausible allegations of actual misuse” of the stolen PII constituted a “concrete injury in fact” for purposes of Article III standing. According to the 1st Circuit, there existed an “obvious temporal connection” between the timing of the data breach and the filed return, among other facts. The appellate court also found that the fraudulent tax return could make it probable that more of the named plaintiff’s information could be further misused—changing the risk of future misuse from speculative to “imminent and substantial.”

    Second, with respect to the named plaintiff for whom there was no allegation of actual misuse of PII, the court reasoned that “the complaint plausibly alleges a concrete injury in fact based on the material risk of future misuse of [plaintiff’s] PII and a concrete harm caused by exposure to this risk.” The appellate court also found that, because the data here was compromised in a “targeted attack,” “it stands to reason that [such data] is more likely to be misused…and the risk of future misuse is heightened when the compromised data is particularly sensitive.”

    Third, the court concluded that the complaint plausibly alleged a “separate concrete, present harm” caused by exposure to the risk of future harm, “based on the allegations of the plaintiffs’ lost time spent taking protective measures [against further identity theft] that would otherwise have been put to some productive use.” “The loss of this time is equivalent to a monetary injury, which is indisputably a concrete injury,” the appellate court wrote, adding that it joins other circuits in holding that time spent responding to a data breach is sufficient to establish standing.

    Finally, the court held that plaintiffs lacked standing to pursue injunctive relief “because their desired injunctions would not likely redress their alleged injuries” as any such relief would only safeguard against future breaches and would not protect “plaintiffs from future misuse of their PII by the individuals they allege now possess it.”

    Courts Privacy, Cyber Risk & Data Security Appellate First Circuit Data Breach Class Action Consumer Protection

  • District Court orders crypto platform and its CEO to disgorge and pay penalty in SEC case

    Courts

    On July 5, the U.S. District Court for the Southern District of New York ordered a crypto platform and its CEO to each pay a civil money penalty of $141,410, as well as to jointly pay disgorgement in the same amount, in a case brought by the SEC. The SEC filed a complaint in February 2021 alleging that the defendants violated the registration provisions of the Securities Act of 1933 in connection with their offer and sale of digital asset securities. According to the SEC, the defendants sold digital asset securities to hundreds of investors, including investors based in the United States, but failed to file a registration statement for the offering. The complaint further charged the defendants with denying prospective investors the material information required for such an offering to the public. The SEC alleged that the defendants raised at least $141,410 through their offering.

    Neither defendant responded to the complaint, and the court accordingly entered an order of default against the defendants, permanently enjoining the defendants from violating the registration provisions of the Securities Act. The court also referred the case to a magistrate judge to make a recommendation regarding disgorgement and penalties. The magistrate judge concluded—and the court agreed—that there were sufficient facts supporting the SEC’s allegations against the defendants and that disgorgement and civil monetary penalties were appropriate remedies. In addition to the civil monetary penalty of $141,410 per defendant, the court held the defendants jointly and severally liable for disgorgement of $141,410 plus pre-judgment interest.

    Courts Securities Digital Assets Fintech Cryptocurrency SEC Securities Act

  • District Court orders individual to pay $148 million in student debt-relief scam

    Courts

    On July 7, the U.S. District Court for the Central District of California entered a final judgment and order against an individual defendant accused of operating and controlling a deceptive student loan debt relief operation. As previously covered by InfoBytes, in 2019, the CFPB, along with the Minnesota and North Carolina attorneys general and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student loan borrowers. The Bureau and the states alleged that since at least 2015, the debt relief operation violated the Consumer Financial Protection Act (CFPA), Telemarketing Sales Rule (TSR), FDCPA, and various state laws by charging and collecting over $95 million in illegal advance fees from student loan borrowers. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by misrepresenting the purpose and application of the fees they charged and the nature and benefits of their services. Specifically, the debt relief operation allegedly failed to inform borrowers that, among other things, (i) they would request that the loans be placed in forbearance and interest would continue to accrue during the forbearance period, thereby increasing the borrowers’ overall loan balances; and (ii) it was their practice to submit false information about the borrowers to student loan servicers to try to qualify borrowers for lower monthly payments. The individual defendant was accused of owning, controlling, and managing the student loan debt relief operation, materially participating in the operation’s affairs, and providing substantial assistance or support while knowing or consciously avoiding knowledge that the operation was engaging in illegal conduct.

    The individual defendant was held liable, jointly and severally, in the amount of approximately $95,057,757, for the purpose of providing redress to affected borrowers. Because the individual defendant was found to have recklessly violated the TSR and the CFPA, the court also imposed second-tier civil monetary penalties of $147,985,000 to the Bureau, of which $5,000 will be paid to each state. The final judgment also imposes various forms of injunctive relief, including permanent bans on engaging in consumer financial products or services and violating the TSR, CFPA, and similar laws in Minnesota, North Carolina, and California. The individual defendant is also prohibited from disclosing, using, or benefiting from customer information obtained in connection with the offering or providing of the debt relief services, and may not “attempt to collect, sell, assign, or otherwise transfer any right to collect payment from any consumer who purchased or agreed to purchase” a debt relief service from any of the defendants.

    Courts Federal Issues State Issues CFPB Consumer Finance Enforcement Student Lending Debt Relief State Attorney General CFPA TSR FDCPA Debt Collection Settlement

  • Fed vice chair calls for higher capital for large banks

    On July 10, Federal Reserve Board Vice Chair for Supervision Michael S. Barr delivered remarks at the Bipartisan Policy Center outlining proposed updates to capital standards. As part of his holistic review of capital standards for large banks, Barr concluded that the existing approach to capital requirements—including risk-based requirements, stress testing, risk-based capital buffers, and leverage requirements and buffers—was sound. He stated that the changes he proposes are intended to build on the existing foundation. Barr’s proposed updates include: (i) updating risk-based requirement standards to better reflect credit, trading, and operational risk, consistent with international standards adopted by the Basel Committee; (ii) evolving the stress test to capture a wider range of risks; and (iii) improving the measurement of systemic indicators under the global systemically important bank surcharge. Barr stated that at this time he was not recommending changes to the enhanced supplementary leverage ratio.

    Barr also proposed implementing changes to the risk-based capital requirements, referred to as the “Basel III endgame,” which are intended to ensure that the U.S. minimum capital requirements require banks to hold adequate capital against their risk-taking. These proposed changes include: (i) with respect to a firm’s lending activities, the proposed rules would terminate the practice of relying on banks’ own individual estimates of their own risk and would instead adopt a more transparent and consistent approach; (ii) regarding a firm’s trading activities, the proposed rules would adjust the way that the firm measures market risk, better aligning market risk capital requirements with market risk exposure and providing supervisors with improved tools; and (iii) for operational losses, such as trading losses or litigation expenses, the proposed rules would replace an internal modeled operational risk requirement with a standardized measure.

    Barr recommended that these enhanced capital rules apply only to banks and bank holding companies with $100 billion or more in assets. He emphasized that the proposed changes would not be fully effective for some years due to the notice and comment rulemaking process, and that any final rule would provide for an appropriate transition.

    Bank Regulatory Federal Issues Federal Reserve Capital Basel Risk Management

  • FHFA proposes amendments to strengthen Suspended Counterparty Program

    Agency Rule-Making & Guidance

    On July 7, the FHFA issued a notice of proposed rulemaking and announced that it is seeking feedback on a proposed rule to amend the Suspended Counterparty Program (SCP) regulation. The SCP regulation currently requires FHFA-regulated entities to report to FHFA if they became aware of certain forms of misconduct committed within the past three years by individuals or institutions they do business with. The SCP regulation also grants FHFA the authority to issue orders directing the regulated entities to cease or refrain from doing business with certain counterparties.

    According to FHFA Director Sandra L. Thompson, the proposed rule aims to strengthen FHFA’s ability to protect its regulated entities from business risks associated with misconduct, enabling them to continue serving as reliable sources of liquidity. The proposed rule would specifically authorize the suspension of business between regulated entities and counterparties who are found to have committed misconduct in the context of civil enforcement actions in connection with the management or ownership of real property. Furthermore, the proposed rule would allow FHFA to immediately suspend business without prior notice when misconduct has resulted in debarment, suspension, or limited denial of participation imposed by a federal agency. Comments on the proposed rule are due within 60 days of publication in the Federal Register.

    Agency Rule-Making & Guidance Federal Issues FHFA Risk Management
