InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fed asks for comments on publicizing FRB master accountholders
On November 4, the Federal Reserve Board issued a notice and request for comment seeking feedback on proposed amendments to its Guidelines for Evaluating Account and Services Requests. Specifically, the proposed amendments would require the Federal Reserve Banks to publish a periodic list of depository institutions that have access to Reserve Bank accounts (often known as “master accounts”) and payment services. In August, the Fed adopted final guidance establishing “a transparent, risk-based, and consistent set of factors for Reserve Banks to use in reviewing requests to access these accounts and payment services.” Recognizing that the longstanding practice of both the Fed and the Reserve Banks “has been to not disclose account-related information to the general public on the basis that such information is considered confidential business information,” the Fed said it is considering “the potential benefits of expanding the disclosure of the names of institutions that have access to accounts and services” following comments received from stakeholders that called for greater public disclosure of account-related information. Comments are due 60 days after publication in the Federal Register.
FDIC’s Gruenberg discusses CRA rulemaking
On November 2, FDIC acting Chairman Martin J. Gruenberg delivered remarks before the National Association of Affordable Housing Lenders to address ongoing Community Reinvestment Act (CRA) rulemaking, the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households, and challenges from nonbank payment services. In his remarks, Gruenberg referenced the pending notice of proposed rulemaking (NPR) on the CRA issued in May by the FDIC, OCC, and the Federal Reserve Board (collectively, “agencies”). As previously covered by InfoBytes, the NPR would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. Gruenberg stated that the agencies are committed to strengthening the law’s impact and “increasing transparency and predictability in its application,” and said the FDIC is currently reviewing approximately 1,000 unique comments received in response to the NPR. Gruenberg also discussed the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households. According to the biennial survey, an estimated 4.5 percent of U.S. households (representing 5.9 million households) lack a bank or credit union account, the lowest national unbanked rate since the FDIC survey began in 2009 (covered by InfoBytes here). Gruenberg noted that the survey found that the rate of unbanked households decreased consistently over the past decade, from 8.2 percent in 2011 to 4.5 percent in 2021. He also said that the survey indicated that 14.1 percent of households were underbanked, although demand for several nonbank products and services decreased. Gruenberg further commented that the survey revealed regulatory challenges in light of the array of options available to consumers, specifically nonbank online payment services. He explained that though “banked households were significantly more likely to use nonbank online payments services than unbanked households, the most common use cases were quite different between the two groups. Banked households most commonly reported that they used these services primarily to send or receive money from family or friends and to make online purchases, as a complement to a bank account. In contrast, the most common use cases among unbanked households revealed that they were using these services as they might otherwise have used bank accounts: paying bills, receiving income and as a vehicle to save or keep money safe.”
FTC fines ISP $100 million for dark patterns and junk fees
On November 3, the FTC announced an action against an internet phone service provider claiming the company imposed “junk fees” and made it difficult for consumers to cancel their services. The FTC alleged in its complaint that the company violated the FTC Act and the Restore Online Shoppers’ Confidence Act by imposing a series of obstacles, sometimes referred to as “dark patterns”, to deter and prevent consumers from canceling their services or stopping recurring charges. Consumers who were able to sign up for services online were allegedly forced to speak to a live “retention agent” on the phone during limited working hours in order to cancel their services. The company also allegedly employed a “panoply of hurdles” to cancelling consumers by, among other things, making it difficult for the consumer to locate the phone number on the website, obscuring contact information, failing to consistently transfer consumers to the appropriate number, imposing lengthy wait times, holding reduced operating hours for the cancellation line, and failing to provide promised callbacks. Additionally, the FTC claimed the company often informed consumers they would have to pay an early termination fee (sometimes hundreds of dollars) that was not clearly disclosed when they signed up for the services, and continued to illegally charge consumers without consent even after they requested cancellation. According to the FTC, consumers who complained often only received partial refunds.
Under the terms of the proposed stipulated order, the company will be required to take several measures, including (i) obtaining consumers’ express, informed consent to charge them for services; (ii) simplifying the cancellation process to ensure it is easy to find and use and is available through the same method the consumer used to enroll; (iii) ending the use of dark patterns to impede consumers’ cancellation efforts; and (iv) being transparent about the terms of any negative option subscription plans, including providing required disclosures as well as a simple mechanism for consumers to cancel the feature. The company will also be required to pay $100 million in monetary relief.
Republican senators oppose FTC’s ANPR on data privacy and security
On November 3, three Republican Senators sent a letter to FTC Chair Lina Khan expressing their opposition to the FTC’s Advanced Notice of Proposed Rulemaking (ANPR) for the Trade Regulation Rule on Commercial Surveillance and Data Security. As previously covered by InfoBytes, in August the FTC announced the ANPR covering a wide range of concerns about commercial surveillance practices, specifically related to the business of collecting, analyzing, and profiting from information about individuals. In the letter, the Senators argued that both consumers and businesses would benefit if Congress enacted comprehensive federal legislation addressing data privacy. According to the Senators, the FTC “lacks the authority to create preemptive standards” and the proposed rulemaking “would only add uncertainty and confusion to an already complicated regulatory landscape, increasing compliance costs, reducing competition, and ultimately harming consumers.” The Senators requested that the FTC withdraw its rulemaking proposal, explaining that “[c]onsumer data privacy and security are complex issues which will require standards that are robust, adaptive, and can balance the interests of consumers with the needs of businesses.” The Senators noted that they believe “that this balance can only be struck within federal legislation that is comprehensive and preemptive, such that the law creates a single national standard.”
FTC takes action against ed tech provider for lax data security
On October 31, the FTC announced an administrative action against an education technology (ed tech) provider claiming that the company’s allegedly poor data security practices exposed millions of users and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. According to the FTC’s complaint, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Less than a year later, another data breach involved a former employee using login information the company shared with employees and outside contractors to gain access to a third-party cloud database containing personal data for roughly 40 million users. In the following two years, the company experienced two more data breaches through phishing attacks that exposed sensitive employee data, including medical and financial information. Claiming violations of Section 5(a) of the FTC Act, the Commission alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.
Under the terms of the proposed decision and order, the company would be required to take several measures to address the alleged conduct, including (i) documenting and limiting data collection; (ii) providing users access to collected data and allowing them to submit requests for deletion; (iii) implementing multifactor authentication or another authentication method to protect user and employee accounts; and (iv) implementing a comprehensive information security program that would encrypt consumer data and provide security training to employees, among other things.
This action is part of the FTC’s ongoing efforts to make sure ed tech providers protect and secure personal data they collect and do not collect more information than necessary. As previously covered by InfoBytes, the FTC issued a policy statement in May warning ed tech providers that they must fully comply with all provisions of the Children’s Online Privacy Protection Act when gathering data about children. The FTC emphasized that ed tech providers may not harvest or monetize children’s data, cannot force children to disclose more information than is reasonably necessary for participating in their educational services, and must have procedures in place to keep the data secure, among other things.
VA proposes amendments to IRRRL requirements
On November 1, the Department of Veterans Affairs (VA) published a proposed rule in the Federal Register, which would amend the agency’s rules on VA-backed interest rate reduction refinancing loans (IRRRLs). Specifically, the proposed amendments would update existing VA IRRRL regulations to meet current statutory requirements for determining whether the agency can guarantee or insure a refinance loan. The amendments would modify current regulations to reflect requirements related to, among other things, net tangible benefit, recoupment, and seasoning standards. Additionally, due to confusion among program participants, VA is proposing clarifications to minimize the risk of lender noncompliance, thereby safeguarding veterans, easing lender concerns, reducing potential instability in the secondary loan market, and insulating taxpayers from unnecessary financial risk. Comments on the proposed rule are due January 3, 2023.
4th Circuit vacates $10.6 million judgment, orders district court to reevaluate class standing
On October 28, the U.S. Court of Appeals for the Fourth Circuit remanded a $10.6 million damages award it had previously approved in light of the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez. As previously covered by InfoBytes, in January, the Supreme Court vacated the judgment against the defendants and ordered the 4th Circuit to reexamine its decision in light of TransUnion (which clarified the type of concrete injury necessary to establish Article III standing, and was covered by InfoBytes here). Previously, a divided 4th Circuit affirmed a district court’s award of $10.6 million in penalties and damages based on a summary judgment that an appraisal practice common before 2009 was unconscionable under the West Virginia Consumer Credit and Protection Act (covered by InfoBytes here). During the appeal, the defendants argued that summary judgment was wrongfully granted and that the class should not have been certified since individual issues predominated over common ones, but the appellate court majority determined, among other things, that there was not a large number of uninjured members within the plaintiffs’ class because plaintiffs paid for independent appraisals and “received appraisals that were tainted.” At the time, the 4th Circuit “concluded that the ‘financial harm’ involved in paying for a product that was ‘never received’ was ‘a classic and paradigmatic form of injury in fact.’” On remand, the 4th Circuit considered questions of standing and ultimately determined that TransUnion requires the district court to reevaluate the standing of class members.
Treasury official discusses cyber threats to financial sector
On November 1, Deputy Secretary of the Treasury Wally Adeyemo provided an update during the semi-annual joint session of the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC) on Treasury’s efforts to protect the agency and the financial sector from cyber threats. Adeyemo noted that actions taken to safeguard national security include “modernizing Treasury’s IT systems with an elevated cybersecurity threat focus, as well as ramping up partnerships with the financial and regulatory sectors far ahead of Russia’s unprovoked invasion of Ukraine to ensure swift, coordinated responses to thwart cyber attacks.” He further stressed the importance of fortifying these partnerships and remaining vigilant to heightened threats. Adeyemo also discussed how Russia’s invasion of Ukraine demonstrated the interconnectedness of the global financial sector and why enhancing operational resilience in major global banking hubs and vulnerable regions is a top priority for the Department. He called on FBIIC senior leaders to continue to drive Treasury’s “successful cloud and data protection workstreams forward,” while also building new initiatives focusing on other urgent, systemic risk issues that include the participation of FSSCC partners. “Reporting cybersecurity issues and vulnerabilities early and often enables us to better protect the broader financial sector,” Adeyemo said.
FHFA to host “tech sprints” on housing finance fintech solutions
On November 2, FHFA published a notice in the Federal Register announcing plans to hold a series of competitions called “Tech Sprints” to solicit innovative solutions on ways to advance housing finance fintech in a safe, sound, responsible, and equitable manner. Recognizing the significant effects that regulated entities’ potential use of fintech products and innovations could have on the mortgage market and market participants, FHFA said it wants to gather information about new and emerging technologies that may have applications in the mortgage space. Two tech sprints are planned each year over the next three years, with participation expected from housing finance industry members as well as other industries, such as tech companies, mortgage companies, academia, industry groups, and other members of the public. FHFA is accepting comments through January 3, 2023, on the necessity of the information collection, the burden of such collection, and ways to minimize the burden on members and project sponsors when providing information on ways to enhance the quality, utility, and clarity of the information collected from the Tech Sprints.
FinCEN reports significant increase in ransomware-related BSA filings in 2021
On November 1, FinCEN reported that ransomware continues to pose a significant threat to U.S. infrastructure, businesses, and the public, with ransomware-related Bank Secrecy Act (BSA) filings in 2021 accounting for nearly $1.2 billion. Issued pursuant to the Anti-Money Laundering Act of 2020, FinCEN’s Financial Trend Analysis examines ransomware activities for calendar year 2021, with a particular focus on ransomware trends in BSA data from July-December 2021. According to FinCEN, reported ransomware-related incidents have substantially increased from 2020, with roughly 75 percent of these incidents reported during the second half of 2021 emanating from or connected to actors in Russia. Highlights from the report include: (i) the number and total U.S. dollar value for ransomware-related incidents during 2021 far exceeds data for any previous year, with FinCEN reporting a 188 percent increase from 2020 to 2021 (possibly reflecting either an increase of ransomware-related incidents or improved reporting and detection); (ii) an average of 132 and a median of 136 ransomware-related incidents per month were reported during the review period (Treasury’s October 2021 measures to combat ransomware — covered by InfoBytes here — and potentially associated reporting obligations may have contributed to the overall rise in 2021 filings, FinCEN noted); and (iii) of the 793 ransomware-related incidents reported during the second half of 2021, 594 (roughly 75 percent) pertained to Russia-related variants.
The same day, Deputy Secretary of the Treasury Wally Adeyemo hosted participants from 36 countries during the second International Counter Ransomware Initiative Summit where attendees examined the challenges presented by ransomware and discussed the U.S.’s whole-of-government approach for responding to serious threats posed by bad actors.