InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC revises NSF guidance
On June 16, the FDIC updated its Supervisory Guidance on Multiple Re-Presentment NSF Fees to clarify its supervisory approach for addressing violations of law. This new guidance, FIL-32-2023, updates FIL-40-2022 (originally issued last August and covered by InfoBytes here), which warned supervised financial institutions that charging customers multiple non-sufficient funds (NSF) fees on re-presented unpaid transactions may increase regulatory scrutiny and litigation risk. The FDIC noted that since the issuance of FIL-40-2022, the agency has received additional data relating to the amount of consumer harm associated with NSF fees at particular institutions, as well as information regarding extensive, ongoing challenges institutions face to accurately identify re-presented transactions. Consequently, the FDIC made changes to its supervisory guidance to specify that it “does not intended to request an institution to conduct a lookback review absent a likelihood of substantial consumer harm.”
Hsu tells banks to approach AI cautiously
On June 16, Acting Comptroller of the Currency Michael J. Hsu warned that the unpredictability of artificial intelligence (AI) can pose significant risks to the financial system. During remarks presented at the American Bankers Association’s Risk and Compliance Conference, Hsu cautioned that banks must manage risks when adopting technologies such as tokenization and AI. Although Hsu reiterated his skepticism of cryptocurrency (covered by InfoBytes here), he acknowledged that AI and blockchain technology (where most tokenization efforts are currently focused) have the potential to present “significant” benefits to the financial system. He explained that trusted blockchains may improve settlement efficiency through tokenization of real-world assets and liabilities by minimizing lags and thereby reducing related frictions, costs, and risks. However, he warned that legal frameworks and risk and compliance capabilities for tokenizing real-world assets and liabilities at scale require further development, especially considering cross-jurisdictional situations and ownership and property rights.
With respect to banks’ adoption of AI, Hsu flagged AI’s “potential to reduce costs and increase efficiencies; improve products, services and performance; strengthen risk management and controls; and expand access to credit and other bank services.” But there are significant challenges, Hsu said, including bias and discrimination challenges in consumer lending, fraud, and risks created from the use of “generative” AI. Alignment is also the core challenge, Hsu said, explaining that because AI systems are built to learn and may not do what they are programed to do, governance and accountability challenges may become an issue. “Who can and should be held accountable for misaligned, unexpected, and harmful outcomes?” Hsu asked, pointing to banks’ use of third parties to develop and support their AI systems as an area of concern.
Hsu advised banks to approach innovation “responsibly and purposefully” and to proceed cautiously while keeping in mind three principles for managing risks: (i) innovate in stages, expand only when ready, and monitor, adjust and repeat; (ii) “build the brakes while building the engine” and ensure risk and compliance professionals are part of the innovation process; and (iii) engage with regulators early and often during the process and ask for permission, not forgiveness.
FDIC tells three companies to stop claims about deposit insurance
On June 15, the FDIC sent letters ordering three companies and certain of their officers to cease and desist from using the agency’s logo and making false and misleading statements about FDIC deposit insurance. The companies are required to take immediate corrective action to address the allegedly misleading statements. The FDIC maintained that the banks and/or its officers made false and misleading statements in English and Spanish suggesting that they are FDIC-insured. For one of the companies, the FDIC alleged that the company stated that insurance would protect customers’ cryptocurrency assets; that it had and that the company claimed a partner relationship with an FDIC-insured bank without identifying the insured institution in its consumer-facing materials; and that its false FDIC insurance claims were made through social media posts by the company and its chief marketing officer. Under the Federal Deposit Insurance Act, the announcement added, persons are prohibited “from representing or implying that an uninsured product is FDIC-insured or from knowingly misrepresenting the extent and manner of deposit insurance.” The FDIC requested a response within 15 days for two of the companies and 5 days for one.
CFPB looking at privacy implications of worker surveillance
On June 20, the CFPB released a statement announcing it will be “embarking on an inquiry into the data broker industry and issues raised by new technological developments.” The Bureau requested information in March about entities that purchase information from data brokers, the negative impacts of data broker practices, and the issues consumers face when they wish to see or correct their personal information. (Covered by InfoBytes here.) The findings from this inquiry will help the Bureau understand how employees’ personal information can find its way into the data broker market.
With similar intentions, the White House Office of Science and Technology Policy (OSTP) released a request for information (RFI) to learn more about the automated tools employers use to monitor, screen, surveil, and manage their employees. The OSTP blog post cited to an increase in the use of technologies that handle employees’ sensitive information and data. The OSTP also highlighted the Biden administration’s Blueprint for an AI Bill of Rights (covered by InfoBytes here), which underscored the importance of building in protections when developing new technologies and understanding associated risks. Responses to the RFI will be used to “inform new policy responses, share relevant research, data, and findings with the public, and amplify best practices among employers, worker organizations, technology vendors, developers, and others in civil society,” the OSTP said.
The CFPB’s response to the RFI described the agency’s concerns regarding risks to employees’ privacy, noting that it has long received complaints from the public about the lack of transparency and inaccuracies in the employment screening industry. Specifically mentioned are FCRA protections for consumers and guidelines around the sale of personal data. The Bureau also commented that employees may not be at liberty to determine how their information is used, or sold, and have no opportunity for recourse when inaccurately reported information affects their earnings, access to credit, ability to rent a home or buy a car, and more.
McHenry objects to FSOC’s proposed designation framework
On June 15, House Financial Services Committee Chairman Patrick McHenry sent a letter to Treasury Secretary Janet Yellen urging the Financial Stability Oversight Council (FSOC), which Yellen chairs, to “revisit” its proposals on nonbank financial firm risks. As previously covered by InfoBytes, in April, FSOC released a proposed analytic framework for financial stability risks to provide greater public transparency on how it identifies, assesses, and addresses potential risks “regardless of whether the risk stems from activities or firms.” The same day, FSOC also released for public comment proposed interpretive guidance relating to procedures for designating systemically important nonbank financial companies for Federal Reserve supervision and enhanced prudential standards.
McHenry’s letter raised concerns with FSOC’s decision to evaluate risks based on an entity’s size and not its activities. According to McHenry, FSOC’s April proposals will essentially undo changes it made in 2019, which incorporated principles considering a financial institution’s systematic risk rather than merely its size. In his announcement accompanying the letter, McHenry elaborated on his concerns, stating that “allowing FSOC to extend its supervisory reach beyond prudential institutions to nonbank entities in this way could pose significant regulatory consequences for our financial system.” McHenry claimed these institutions may engage in different activities, thus presenting different risks, and said the proposals do not take this into account. McHenry also argued that expanding the Fed’s oversight jurisdiction is not a “panacea for financial stability.”
SBA clarifies PPP eligibility of payroll costs
On June 13, the SBA added question #72 to its Paycheck Protection Program (PPP) Frequently Asked Questions clarifying whether “the amounts paid by a borrower to a third-party payer for the third-party payer’s employees to operate the borrower considered eligible payroll expenses for the purpose of calculating the maximum loan amount.” Previous guidance released in 2020 (FAQ #10) relayed that “payroll documentation provided by the payroll provider that indicates the amount of wages and payroll taxes reported to the IRS by the payroll provider for the borrower’s employees will be considered acceptable PPP loan payroll documentation.” However, because FAQ #10 was issued three days after the PPP began accepting applications and there have been conflicting interpretations of the guidance, the SBA administrator determined additional clarification was necessary.
After reviewing a September 2022 decision issued by the SBA Office of Hearings and Appeals, the administrator published FAQ #72, stating “payroll costs paid by a borrower to a third-party payer for the third-party’s employees to operate the borrower are eligible payroll costs for the purpose of calculating the borrower’s maximum loan amount, as long as the employees were not otherwise counted towards payroll costs on a PPP loan received by the third-party payer.” The administrator further explained that “payroll cost documentation which shows that a borrower paid a third-party payer for the employees of the third-party to operate the borrower will be permitted to support eligible payroll costs for the purpose of calculating the maximum loan amount as long as the employees were not otherwise counted towards payroll costs on another PPP loan, and all other PPP requirements are met, including the submission of payroll documentation that indicates the amount of wages and payroll taxes reported to the IRS by the third-party payer.”
FTC sues genetic testing company over privacy failures
On June 16, the FTC filed an administrative complaint against a California-based genetic testing company for allegedly deceiving consumers about its privacy and data security practices. Marking the FTC’s first case to focus on both the privacy and security of genetic information, the complaint claims the respondent (which sells DNA health test kits and provides health reports to consumers that include personal information) failed to secure genetic and health data and misled consumers about its ability to delete consumers’ data. These alleged actions contradicted claims made by the respondent on its website that personal health information is collected, processed, and stored “in a responsible, transparent and secure environment.” Additionally, the FTC alleged that the respondent failed to implement a policy to ensure DNA samples were destroyed by contract laboratories and made changes to its privacy policy that retroactively expanded the types of third parties authorized to share consumers’ data without notifying consumers or obtaining their consent. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in the announcement.
The respondent is further accused of storing unencrypted personal health information on a publicly accessible cloud storage repository. Several warnings about storing unencrypted data were allegedly sent to the respondent before customers were notified.
Under the terms of the proposed consent order, the respondent will be required to pay $75,000 to go towards consumer refunds. The respondent must also strengthen its protection measures, cease misrepresenting the extent of its security or privacy practices, and instruct third-party contract laboratories to delete all DNA samples that have been retained longer than 180 days. Additionally, the respondent must obtain consumers’ affirmative express consent before sharing health data with third parties, notify the FTC should consumers’ personal health information be compromised, and implement a comprehensive information security program to address the identified alleged security failures.
Fed publishes master accounts database
On June 16, the Federal Reserve Board published the Master Account and Services Database, which provides comprehensive, searchable information on which financial institutions have access to Federal Reserve Bank master accounts and financial services. The Fed explained that a master account is an account with a Reserve Bank, in which the Reserve Bank receives deposits for a financial institution. The Reserve Bank also provides financial services to financial institutions, similar to that of banks that provide services for its customers, like collecting checks, electronically transferring funds, and distributing and receiving cash and coin.
In the press release, the Fed explained the two components of the database: “The first component consists of financial institutions that currently have access to Reserve Bank master accounts and services. The second component consists of financial institutions that have requested access to master accounts and services after December 23, 2022, or had a request pending on that date, as well as the status of each request.” Both components of the database—the existing account database and the access requests database—will be updated quarterly.
CFPB finds issues in servicemember use of payment apps
On June 20, the CFPB released its Office of Servicemember Affairs Annual Report, highlighting financial threats associated with military families’ use of digital payment apps. The report analyzed complaints submitted by military families, veterans, and servicemembers (totaling 66,400 complaints in 2022 alone, a 55 percent increase from 2021). Notably, servicemembers’ complaints exceeded the percentage filed by all consumers for topics including debt collection, credit cards, mortgages, and more.
Top complaints are linked to: (i) fraud and scams when using digital payment apps; (ii) identity theft and unauthorized account access; and (iii) failure of digital payment app providers to provide timely solutions to servicemember complaints. The Bureau explained that servicemembers can be exposed to greater risks of fraud and scams when using a digital payment app—“[o]ften during a permanent change of duty station, servicemembers face the need to secure housing, a new automobile, or daycare during a short window, which often requires them to conduct more online transactions using digital payment apps.” The Bureau also found that servicemembers are prime targets for identity theft, noting that servicemembers complained that digital payment service providers give insufficient support in response to their complaints.
To address the emerging risks, the Bureau recommended that digital payment app providers invest in privacy and security technology for their apps to combat fraudulent activity. The Bureau also suggested providers improve their responsiveness, especially in the case of military families who may be on a tight timeline during a permanent change of station or deployment. The Bureau also recommended that providers implement tailored policies on fraud losses and automatic fraud detection in recognition of the unique circumstances military families face.
HUD says company offering homeowner aid violated FHA
On June 13, HUD announced a Charge of Discrimination against several entities and individuals accused of allegedly violating the Fair Housing Act by discriminating against New York City homeowners on the basis of race, color, or national origin. According to HUD, the seven complainants alleged that the respondents targeted them with offers of mortgage and foreclosure prevention assistance. Respondents allegedly filed illegitimate liens and instructed telemarketers to use “affinity marketing” to build relationships with elderly, vulnerable, and distressed homeowners by bringing up shared national origin and cultural practice. Homeowners who accepted respondents’ purported loan modification services were convinced to sign documents that unknowingly sold their homes to two entities named as respondents, HUD said, explaining that respondents would then attempt to force homeowners to vacate their homes. These efforts were disproportionately concentrated in neighborhoods with a high majority of persons of color (specifically persons of Black and Caribbean descent), HUD noted, adding that in order to persuade lenders to approve the short sale, some of the respondents would allegedly create private real estate listings for homeowners’ properties and present them to the bank as public listings, while falsely claiming no offers had been received in order to secure minimal sales prices. Homeowners were also allegedly promised that the short sales were part of the loan modification services and that the property would be transferred back into their names or that of a family member after a certain period, and that they would be able to remain in their homes until the title was returned. In fact, however, respondents intended to flip the properties for profit.
The charge will be heard by a U.S. administrative law judge unless a party elects to have the case heard in federal district court. HUD requested that the respondents be enjoined from continuing to discriminate against any person because of race, color, or national origin, and asked for damages to fully compensate the complainants, as well as the maximum civil penalty for each respondent.