InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC orders prison contractor to fix security exposures after data breach
On November 16, the FTC issued a proposed order against an integrated technology services company finding a violation of Section 5(a) of the Federal Trade Commission Act. According to the order, the company offered various products and services to jails, prisons, and detention facilities. These products and services included means of communication between incarcerated and non-incarcerated individuals, and, among other things, allowed non-incarcerated individuals to deposit funds into the accounts of incarcerated individuals. According to the complaint, and due to the nature of its operations, the company collected individuals’ sensitive personally identifiable information, including names, addresses, passport numbers, driver’s license numbers, Social Security numbers, and financial account information, some of which was exposed as a result of a data breach in August 2020 due to a misconfiguration in the company’s cloud storage environment.
In its decision, the FTC ordered the company to, among other things, (i) implement a comprehensive data security program, including “change management” measures and multifactor authentication; (ii) notify users affected by the data breach, who had not yet received notice, and offer credit monitoring and identity protection products; (iii) inform consumers and facilities within 30 days of future data breaches; and (iv) notify the FTC within 10 days of reporting any security incident to local, state, or federal authorities.
CFPB report on FDCPA highlights medical debt collection issues
On November 16, the CFPB released its annual Fair Debt Collection Practices Act report, which highlighted challenges specific to medical debt collection. For example, 8,500 complaints were submitted in 2022 related to medical debt collection and described problems such as collectors billing for services never received, collecting the wrong amounts, miscommunication with insurance companies or financial assistance programs, or placing bills on credit reports without prior consumer contact. The report emphasized collectors may violate federal law when they pursue inaccurate medical bills and stressed the need for medical debt collectors to comply with the Fair Debt Collection Practices Act, the No Surprises Act, and the Fair Credit Reporting Act.
The report also includes developments in state law regarding medical debt collection, including recent legislation in Colorado, New York, Maine, and Nevada. Additionally, the report contains sections related to supervision of debt collection activities, enforcement actions, education and outreach initiatives, rulemaking, and research and policy initiatives.
CFPB’s Chopra testifies at Senate Banking Committee hearing
On November 30, the Director of the CFPB, Rohit Chopra, testified during the Senate Banking Committee’s hearing on the Bureau’s Semi-Annual Report to Congress. The Senate Banking Committee questioned Chopra on the Bureau’s oversight of financial institutions providing benefits under the Servicemembers Civil Relief Act (SCRA), medical debt collection, so-called “junk fees,” and the increasing popularity of buy now, pay later (BNPL) products.
In response to questions regarding SCRA, Director Chopra stated that the CFPB estimates that fewer than 10% of servicemembers receive the 6% pre-service rate cap on loans as required by the SCRA. In response to a question on BNPL popularity, Chopra noted there was a high amount of BNPL usage on Black Friday, and the CFPB plans on creating basic consumer protection standards.
Director Chopra stated that the CFPB is developing rules or researching potential activity in several areas, including: (i) reporting certain medical debts to the credit bureaus; (ii) BNPL standards; and (iii) protecting consumer data, particularly in the context of credit reporting.
CFPB releases its spring 2023 semi-annual report
The CFPB recently issued its semi-annual report to Congress covering the Bureau’s work for the period beginning October 1, 2022 and ending March 31, 2023. The report, which is required by Dodd-Frank, includes, (i) a list of significant rules and orders (including final rules, proposed rules, pre-rule materials, and upcoming plans and initiatives); (ii) an analysis of consumer complaints, (iii) lists of public supervisory and enforcement actions, (iv) assessments of actions by state regulators and attorneys generals related to consumer financial law; (v) assessment of fair lending enforcement and rulemaking; and (vi) an analysis of efforts to increase workforce and contracting diversity.
SEC charges crypto firm for failing to register and mitigate risk factors
On November 20, the SEC filed a complaint in the U.S. District Court of the Northern District of California against a crypto trading platform, which allows customers to buy and sell crypto assets through an online market, for allegedly acting as an unregistered securities exchange, broker, dealer, and clearing agency. The SEC is also claimed defendant’s business practices, internal controls, and recordkeeping were inadequate and presented additional risks to consumers, that would also be prohibited had defendant been properly registered with the commission. For instance, the SEC cited practices including commingling billions of dollars of consumers’ cash and crypto assets with defendant’s own crypto assets and cash, which defendant’s 2022 independent auditor identified as “a significant risk of loss."
Director of the SEC’s Division of Enforcement, Gurbir S. Grewal said, “[Defendant’s] choice of unlawful profits over investor protection is one we see far too often in this space, and today we’re both holding [defendant] accountable for its misconduct and sending a message to others to come into compliance.”
The SEC seeks to (i) permanently enjoin defendant from violating Section 5 and section 17A of the Exchange Act; (ii) permanently enjoin defendant from offering or selling securities through crypto asset staking programs; (iii) disgorge defendant’s allegedly illegal gains and pay prejudgment interest; and (iv) impose a civil money penalty.
IOSCO releases report advising country regulators on crypto asset regulation
On November 16, the International Organization of Securities Commissions (IOSCO) released a report titled “Policy Recommendations for Crypto and Digital Asset Markets” for centralized financial bodies to put forth parallel, global policies on crypto assets, including a country’s stablecoin.
IOSCO’s report aims to protect retail investors from illegal crypto-asset market activities, including regulatory non-compliance, financial crime, fraud, market manipulation, and money laundering that have led to investor losses. The report puts forth 18 policy recommendations summarized within six key themes: conflicts from firms doing too much at once; market manipulation, insider trading, and fraud; cross-border risks and regulatory cooperation; operational and technological risks; and retail access, suitability, and distribution. ISOCO maintains its principles on global regulation are within the “same activities, same risks, same regulation/regulatory outcomes.” IOSCO also mentioned it plans on releasing a second report on decentralized finance before the year’s end.
CFTC speech highlights new executives, dataset use, and AI Task Force
On November 16, the Chairman of the CFTC, Rostin Behnam, delivered a speech during the 2023 U.S. Treasury Market Conference held in New York where he showcased the CFTC’s plans to better use data and roll out an internal AI task force. One of the CFTC’s initiatives comes with the hiring of two new executive-level roles: a Chief Data Officer and a Chief Data Scientist. These executives will manage how the CFTC uses AI tools, and oversee current processes, including understanding large datasets, cleaning the datasets, identifying and monitoring pockets of stress, and combating spoofing.
The CFTC also unveiled its plans to create an AI Task Force and to “gather[] information about the current and potential uses of AI by our registered entities, registrants, and market participants in areas such as trading, risk management, and cybersecurity.” The Commission plans to obtain feedback for the AI Task Force through a formal Request for Comment process in 2024. The CFTC hopes these comments will help the agency create a rulemaking policy on “safety and security, mitigation of bias, and customer protection.”
Fed releases paper on debt substitution dynamics
On November 21, the Fed released a paper concluding that when mortgage rates rise on cash-out refinancings, households do not significantly increase overall borrowing, but instead switch to alternative borrowing options (i.e. credit cards, personal loans, HELOCs, and second liens). Analyzing rate increases and using monetary policy surprises from 2006 to 2021, the paper finds that changes in cash-out refinancing are balanced by shifts to alternative borrowing.
The paper’s findings further reveal that higher mortgage rates and the amount borrowed through cash-out refinancing have a positive correlation. The parallel showcases a pattern where borrowers are choosing the most cost-effective borrowing option based on the size of their liquidity need, the paper noted. The paper suggests that the way borrowers react to changes in monetary policy, like interest rate adjustments, can depend on whether they have existing mortgages and what interest rates they have on those mortgages. The paper also suggests that while some borrowers might change their mortgage terms when interest rates shift, others might choose different types of loans that don't change their original mortgage rate. This offsets the impact of changing monetary policies on refinancing decisions, the paper explained.
OCC releases enforcement actions
On November 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against an Indiana bank for allegedly engaging in unsafe or unsound practices, related to corporate governance and enterprise risk management, credit underwriting and administration, liquidity risk management, and interest rate risk management. The order requires the bank to, among other things, (i) provide quarterly reports detailing corrective action and efforts to comply with the order; (ii) develop a written strategic plan; (iii) maintain specified capital ratios; (iv) engage an independent third party to review board and management supervision; (v) submit a written concentration risk management program and a written liquidity risk management program; (vi) adopt a credit underwriting and administration program; (vii) submit and adopt a written adequate allowance for credit losses; and (viii) adopt a written credit derivatives program.
CFPB approves pilot program for construction loans
On November 21, the CFPB announced it approved an application from a community banking trade organization to pilot disclosures for construction loans. The application was submitted pursuant to the CFPB’s trial policy programs under Section 1032(e) of Dodd-Frank. According to the community banking trade organization, the application aims to increase the number of affordable loans that combine a construction phase loan with a mortgage, all within a single set of closing costs, i.e., a single-close construction-to-permanent loan. The community banking trade organization hopes to increase the number of these specific loans because first-time homebuyers in rural and small-town communities are more likely to build their first home than purchase existing ones. The community banking trade organization also stated that the current loan disclosure requirements offered by the CFPB were designed for either standard home purchase or refinance mortgage loans. The Bureau states that it wishes to receive applications for this pilot disclosure from lenders rather than single-market participants.