InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC, FinCEN release results of digital identity tech sprint
On September 9, the FDIC and FinCEN announced key takeaways and solution summaries from a recent “Tech Sprint” to develop solutions for banks and regulators to help measure the effectiveness of digital identity proofing. As previously covered in InfoBytes, in January, the FDIC’s technology lab, FDiTech, and FinCEN announced the launch of a Tech Sprint challenging participants “to develop solutions for financial institutions and regulators to help measure the effectiveness of digital identity proofing—the process used to collect, validate, and verify information about a person.” The FDIC and FinCEN sought solutions that included, among other things: (i) increasing efficiency and account security; (ii) reducing fraud and other forms of identity-related crime; (iii) reducing the risk of money laundering and terrorist financing; and (iv) fostering customer confidence in the digital banking environment.
The Tech Sprint resulted in proposed solutions that followed one of three distinct approaches: (i) tools that would measure the effectiveness of identity proofing systems; (ii) development of a scoring methodology for remote identity proofing; and (iii) envisioning an identity provider consortium or platform. The release also noted that multiple participating teams referenced the use of source verification, interoperability, and emerging technologies such as zero knowledge proofs and multi-party computation for secure, privacy-protecting data sharing.
CISA issues RFI on new cyber incident reporting requirements
On September 9, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) from critical infrastructure owners and operators on how to develop new data breach reporting regulations related to ransomware and other malicious attacks. The RFI will inform CISA’s promulgation of proposed regulations as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Specifically, the agency is requesting feedback on definitions and terminology for the proposed rules, the form and content of reports, incident reporting requirements, enforcement procedures, and information protection policies. Once the final regulation is published, CISA will use information obtained from cyber-incident reports submitted by covered entities to “deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and understand how malicious cyber actors are perpetrating their attacks, and quickly share that information with network defenders to warn other potential victims,” the RFI explained. CISA will also host a series of public listening sessions across the country to receive additional input as it develops the proposed regulations. Comments on the RFI are due November 14.
District Court grants final approval in BIPA class action
On September 1, the U.S. District Court for the Northern District of Illinois granted final approval of a $6.8 million class action settlement in a biometric privacy data suit. According to the plaintiff’s memorandum of law in support of her unopposed motion for final approval of the settlement, the plaintiff alleged that the defendant violated Illinois law by collecting fingerprint scan data from Illinois users of vending machine systems without written notice and consent. According to the settlement, class members include all individuals who scanned their finger(s) in one or more of defendants’ vending systems in Illinois between August 23, 2014 and November 2021, which totals approximately 63,450 individuals. Each class member will receive approximately $413, and the settlement includes roughly $2.2 million in attorney fees for class counsel.
2nd Circuit upholds public service loan relief settlement
On September 7, the U.S. Court of Appeals for the Second Circuit affirmed a class action settlement reached between a student loan servicer and borrowers who claimed the servicer failed to inform them of a loan forgiveness program for public service employees. As previously covered by InfoBytes, the settlement required the servicer—who denied any allegations of wrongful conduct and damages—to put in place enhancements to identify borrowers who may qualify for Public Service Loan Forgiveness (PSLF) and “distribute comprehensive and accurate information about how to qualify, which are meaningful business practice enhancements.” The servicer was also required to fund a $2.25 million non-profit program to provide counseling to borrowers at all stages of the repayment process. The settlement also approved service awards for the named plaintiffs. In affirming the settlement, the appellate court rejected arguments raised by objectors who claimed, among other things, that the cy pres award would not benefit the class and “that the settlement improperly released monetary claims.”
“The cy pres award funds Public Service Promise and thereby assists all class members in navigating PSLF and determining whether they have a viable individual monetary claim against [the servicer],” the panel wrote, acknowledging that other circuit courts have recognized that class members can indirectly benefit from defendants paying appropriate third parties. “[T]he reforms will also benefit the remaining class members who, for example, are no longer with [the servicer] or who no longer have student loans, by providing them accurate information about the PSLF and helping them determine whether they have viable individual claims for damages,” the 2nd Circuit said.
Agencies push to implement Basel III
On September 9, the FDIC, OCC, and Federal Reserve Board reaffirmed their commitment to implementing enhanced regulatory capital requirements that align with Basel III standards issued by the Basel Committee on Banking Supervision in 2017. The agencies announced they are currently developing—and will issue “as soon as possible”—a joint proposed rule on new capital standards for large banking organizations. The agencies noted that community banks are subject to different capital requirements and will not be affected by the proposal.
Financial Services Committee Republicans ask Fed for clarification on CBDC
On September 7, Republican members of the House Financial Services Committee submitted a letter to Federal Reserve Vice Chair Lael Brainard in response to a May hearing examining the potential impact of a Central Bank Digital Currency (CBDC). The letter, among other things, requested that Brainard provide her testimony regarding the Fed’s authority under the Federal Reserve Act to issue a CBDC (and without separate specific authorizing federal legislation). Specifically, the members requested that Brainard clarify: (i) the Fed’s motivation for issuing a CBDC; (ii) the need for Congress to support a Fed-issued CBDC; (iii) the Fed’s position on individual retail accounts at the Fed; (iv) the need for Congress to authorize an intermediated CBDC model; and (v) the need for “strong support” from the Executive Branch. The members asked for a response in writing by September 30.
Treasury says financial system is critical in addressing climate change
On September 9, the U.S. Treasury Department’s Under Secretary for Domestic Finance Nellie Liang spoke at the Office of Financial Research’s Climate Implications for Financial Stability Conference discussing the Department’s efforts to assess climate-related risks to the economy, financial institutions, and investors. Pointing to several studies showing the increasing economic and financial costs of climate change, Liang noted that the financial system has a “critical role to play” in addressing climate-related financial risks and that regulators and standard setters have a “responsibility to make the financial system more resilient to climate change.” In particular, Liang identified a Financial Stability Oversight Council (FSOC) report that contained numerous recommendations for its members to consider to address climate change-related threats to financial stability. She also discussed interagency working groups created by FSOC to “bring together the agencies and leverage their efforts to improve data quality and availability, data infrastructure, climate risk metrics, and scenario analysis.” According to Liang, ongoing research—such as that presented at the event regarding how a bank’s climate commitments, the tax code, or borrowers’ scope disclosures “affect the[] cost and availability of credit, and the sensitivity of market-based measures of financial firms’ stress to climate risks”—is “important for regulators and policymakers to better understand private behavior and how incentives can help to manage climate-related financial risks.”
FinCEN stresses importance of reliable digital interactions
On September 7, speaking before the 2022 Federal Identity Forum & Exposition in Atlanta, Georgia, acting Deputy Director of FinCEN Jimmy Kirby addressed the importance digital identity plays in FinCEN’s mission as it relates to privacy and cybersecurity, particularly with respect to protecting the U.S. financial system from illicit finance. This includes helping financial institutions comply with various reporting requirements, such as filing suspicious activity reports and currency transaction reports and ensuring that recordkeeping requirements under the Customer Identification Program and Customer Due Diligence rules are met. While Kirby recognized that digital identity frameworks have the potential to “spur innovation in financial products and services across the legacy financial system, as well as digital assets and emerging central bank digital currencies,” he stressed it is vital that digital identity is handled correctly through the implementation of “identity solutions that preserve privacy and security, promote financial inclusion, and protect the integrity of the financial system.” Focusing on topics related to emerging threats and responsible innovation, Kirby emphasized the need for financial institutions to implement measures for knowing who their customers are, both on the front end and throughout the customer relationship, and to take steps to prevent identity theft and fraud. Kirby also discussed the importance of fostering responsible innovation and developing infrastructure, information sharing, and standards that mitigate the risks associated with digital identities.
Treasury issues guidance on Russian oil sales cap
On September 9, the U.S. Treasury Department announced preliminary guidance on implementing a maritime services policy and related price exception for seaborne Russian oil. As previously covered by InfoBytes, OFAC recently announced that it planned to publish preliminary guidance on implementing the price cap to provide a high-level overview of the directive, including how U.S. persons can comply in advance of formal guidance and legal implementation. According to the preliminary guidance, the policy is intended to establish a framework for Russian oil to be exported by sea under a capped price, and establish a ban on services for any shipments of seaborne Russian oil above the capped price. Objectives of the guidance include: (i) maintaining a reliable supply of seaborne Russian oil to the global market; (ii) reducing upward pressure on energy prices; and (iii) reducing the revenues the Russian Federation earns from oil after its own war of choice in Ukraine has inflated global energy prices. The policy contains an exception, which applies to “jurisdictions or actors that purchase seaborne Russian oil at or below a price cap to be established by the coalition (the “price exception”).” The policy, which relates to a broad range of services in connection with the maritime transportation of Russian Federation origin crude oil and petroleum products, will become effective December 5, 2022 for the maritime transportation of crude oil and on February 5, 2023 for the maritime transportation of petroleum products.
FTC hosts forum on commercial surveillance and lax data security practices
On September 8, the FTC hosted a forum regarding its Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices. As previously covered by InfoBytes, the ANPR was issued in August to solicit public comment on “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR noted that there is increasing evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms. The forum featured remarks by FTC Chair Lina M. Khan, Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, as well as a staff presentation, two panel discussions, and comments from the public. Chair Khan noted in her remarks that the discussion and comments at the forum will be critical in determining the evidentiary basis for proceeding with a rulemaking and whether legal requirements needed for crafting any particular type of rule. However, some observers expressed concern that the FTC’s ANPR could undermine efforts to pass federal privacy legislation. Slaughter noted in her remarks that she “support[s] strong federal privacy legislation, but until there’s a law on the books, the commission has a duty to use all the tools we have to investigate and address unlawful behavior in the market.” Commissioners Slaughter and Bedoya also expressed the need for public engagement to understand commercial surveillance.
The first panel focused on industry perspectives on commercial surveillance and data security. When asked about some of the best practices or potential business models developed by businesses to mitigate consumer harm and protect data, a panelist noted that there are many approaches underway, but the guiding principle is that the process of documentation supports transparency by prompting processes and critical thinking of each step in the mission learning lifecycle. One panelist expressed concerns about businesses tracking personal data, stating that because retailers collect information about their customers when they make purchases online and may recommend related offerings, regulators “should not interfere with these direct relationships.” Another panelist warned against treating all data collection and processes equally, stressing that the FTC should use its enforcement tools against third parties.
The second panel featured consumer advocates discussing interests, concerns, risks, and harms related to commercial surveillance, in addition to mitigating consumer harms and protecting data. The advocates noted, among other things, that the FTC should impose heightened safeguards on sensitive data, such as precise location records and information associated with children. Additionally, the panelists advocated for establishing a regulation and broadening the FTC’s Section 5 unfairness authority that limits widescale tracking. Specifically, one panelist discussed how the FTC should approach a data minimization rule under Section 5, recommending that such a rule should ban secondary use and third-party disclosures. In regard to combating discrimination through data collection and advertising, a panelist noted that shifting data protection responsibilities from individuals onto companies could play an important part to ensure that data-driven algorithms that deliver ads or content are not discriminating against consumers.