InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB reports on consumer reporting companies' compliance violations
On April 8, the CFPB released its Supervisory Highlights on consumer reporting companies (CRC) and furnishers from April to December 2023. With respect to CRCs, the CFPB found deficiencies related to (i) placing identity theft blocks on consumer reports, (ii) blocking adverse items identified by a consumer as the result of human trafficking, and (iii) the accuracy of information in consumer reports.
For identity theft, the CFPB noted that some CRCs automatically declined to implement identity theft blocks based on overly broad, disqualifying criteria that did not support a reasonable determination, in violation of the FCRA. CRCs also failed to properly notify these customers that they declined these identity blocks.
Regulation V required CRCs to block adverse items of information identified by a consumer from human trafficking. While CRCs must block these items within four business days of such request, the CFPB found CRCs either failed to timely block these items or that CRCs blocked some, but not all such items.
In failing to ensure the maximum possible accuracy of consumer reports, the CFPB found that CRCs (i) inadequately monitored dispute metrics that may suggest a furnisher would not a reliable source of information about consumers, and (ii) failed to implement procedures to ensure the accuracy of information provided by unreliable furnishers and continued to include such information in reports.
With respect to furnishers, the CFPB similarly found deficiencies in accuracy, dispute investigation, and identity theft requirements. Specifically, CFPB examiners found that furnishers reported incomplete or inaccurate information for several months or even years after determining the information was incomplete or inaccurate. Additionally, furnishers that received direct disputes both continued to report such information and failed to notify CRCs of the disputed information. The report also noted that furnishers who received proper identity theft reports continued to furnish information regarding the consumer before confirming the accuracy of the information with the consumer.
CFPB focuses on in-game video game market and its consumer protection issues
On April 4, the CFPB released a report titled “Banking in video games and virtual worlds” that examined the gaming industry and the consumer financial systems that affect it. The Bureau’s report identified three key findings: (i) a network of financial products and services has entered the gaming industry to leverage and support the transfer of gaming assets and currency; (ii) the increased value of these assets has led to an increase of hacking attempts, account theft, scams, and unauthorized transactions; and (iii) the consumer data collected by gaming companies was bought, sold, and traded between companies, which can pose a risk to gaming customers. As a result, the CFPB will intend to monitor these issues in gaming and other such non-traditional markets to ensure companies comply with federal consumer financial protection laws.
The report noted that the proliferation of gaming and the evolution of the industry to offering in-game purchases and gaming assets has created the need for an infrastructure to enable fiat currency to flow into and out of games and virtual worlds. This can include transactions within the game, trading virtual items with other players, buying products on secondary markets, converting gaming assets to traditional currency, withdrawals of that currency, and/or using third parties to convert and withdraw the currency. As a result, companies have established financial products and services that increasingly resemble traditional financial products, like loans, payment processing, and money transmission.
In addition to the gaming economy creating a relatively new and unregulated financial marketplace, the Bureau identified additional risks similar to those found in the traditional market surrounding fraud, identity theft, money laundering, and privacy. For example, the report noted that these highly valuable gaming assets have made player accounts vulnerable to phishing and hacking attempts as well as unauthorized transactions. However, efforts by the FTC or CFPB to address complaints related to this activity have been met with a “buyer beware” approach by gaming companies.
Further, gaming companies collect a significant amount of data on players as a way to personalize the experience. However, the companies use this data to monetize gameplay to entice more spending as well as buy, sell and trade this data. The report noted that (i) the use of personal data can result in highly individualized pricing and (ii) the storage and transfer of consumer data poses privacy risks for gamers. In light of these various issues, the CFPB plans to work with other agencies to monitor both these non-traditional financial products and services as well as the companies that collect and sell sensitive consumer data.
UK financial regulators issue new authority on securities sandbox
On April 3, the U.K.’s Financial Conduct Authority and the Bank of England released a consultation paper seeking comments on their proposal to implement the Digital Securities Sandbox (DSS), a new regime for financial firms to work on a testing ground for new technologies regarding digital assets. The goal of this testing ground would allow these firms to better issue, trade, and settle digital securities. The U.K. regulators believed that using securities on distributed ledgers (i.e., digital securities) has the potential to consolidate trade functions and reduce settlement times, reducing risk and streamlining processes. The DSS would oversee developing financial technologies, such as distributed ledger technology (DLT), during security trading. The three aims of the DSS would include promoting a safe and efficient financial system by removing potential barriers, protecting financial stability using DLT, and promoting market integrity. The securities regulated by the DSS include equities, bonds, money market instruments, and emissions allowances; however, unbacked cryptocurrencies (e.g., bitcoin) would remain outside the scope. The first sandbox entrants are expected after fall 2024.
DOJ’s Covid-19 Fraud Enforcement reports ongoing civil fraud and consumer protection actions
On April 9, the DOJ released a report on Covid-19 fraud, organizing various federal enforcement agencies and inspectors general, as well as state strike forces, in their collective pursuits against civil fraud on financial remedies under Covid-19. The Department’s Covid-19 Fraud Enforcement Task Force (CFETF) reported over 400 settlements and judgments and seized over $1.4 billion in fraudulently obtained CARES Act funds.
The report noted that the Civil Fraud Section continues to investigate fraudulent claims under the False Claims Act (FCA) and FIRREA, including with respect to grant recipients, PPE procurement, and payment advances. As two notable examples, a Florida management company paid $9 million for knowingly violating the FCA to obtain PPP loan forgiveness, and a New Jersey public relations firm paid $2.24 million for similar violations where it was found ineligible for the loan since it was registered under the Foreign Agent Registration Act. The DOJ also acted against purveyors of faulty PPE, individuals who tampered with Covid-19 vaccines, and those who sold fraudulent covid products online—filing under the Covid-19 Consumer Protection Act. The DOJ touted its $1 million judgment against a company that marketed vitamins that allegedly protected against Covid-19. Further, the National Unemployment Insurance Fraud Tax Force found hundreds of pandemic fraud leads and has seized over $3.3 billion in suspected pandemic fraud.
Kentucky enacts a comprehensive data privacy law for controllers
On April 4, Kentucky enacted HB 15 (the “Act”) which will apply to persons who conduct business that produces products or services that are targeted towards Kentucky residents. The Act will also apply to companies handling personal data of at least (i) 100,000 consumers, or (ii) 25,000 consumers and derive over 50 percent gross revenue from the sale of personal data. The Act does not apply to various entities, including: (i) city or state agencies, or political subdivisions of the state; (ii) financial institutions and their affiliates, as well as data subject to the Gramm-Leach-Bliley Act; (iii) covered entities or businesses governed by HIPAA regulations; and (iv) nonprofit organizations. Enforcement of the Act will be through Kentucky’s Attorney General.
The Act will impose several requirements on controllers, including: (i) limiting collection of personal data to what is relevant and necessary for the disclosed purposes; (ii) implementing reasonable administrative, technical, and physical data security measures to safeguard the confidentiality, integrity, and accessibility of personal data; (iii) refraining from processing personal data for undisclosed purposes unless the consumer consents; and (iv) obtaining explicit consent before processing sensitive data, particularly from known children, in accordance with the Children’s Online Privacy Protection Act. Controllers will also need to conduct and document a data protection impact assessment for certain activities, such as targeted advertising, selling personal data, and profiling. Furthermore, controllers will be required to furnish consumers with a privacy notice containing information on the categories and purposes of data processing, consumer rights, appeals processes, and disclosures to third parties.
The Act will grant consumers the right to confirm whether their personal data is being processed by a controller and to access that data, except where doing so would expose trade secrets. Also, consumers will have the right to rectify any inaccuracies, as well as the right to have their personal data deleted or to receive a copy of their personal data processed by the controller in a portable and easily usable format. This will allow transmission to another controller without impediment where processing is typically automated. Further, consumers will have the right to opt out of processing for targeted advertising, sale of personal data, or profiling for solely automated decisions with significant legal effects. Controllers must respond to consumer rights requests within 45 days and may be given another possible 45-day via an extension if necessary. Controllers and processors will be given a 30-day cure period during which they must confirm in writing that alleged violations have been rectified and pledge to prevent future breaches. The Act will go into effect January 1, 2026.
Arizona enacts new money transmission requirements
On April 8, the Governor of Arizona signed into law SB 1034 which will amend money transmission requirements for licensees. The new law will require a licensee, before transmitting any money (either in person or electronically), to provide consumer fraud warnings on the associated risks and dangers, instructions on how to stop a money transmission (if that option is available), and a statement that the money not be returned after the transmission is completed. The law will not apply to (i) an electronic funds transfer to another person that is not available for immediate use, (ii) electronic funds transfers made with a gift certificate, and (iii) a licensee that can provide proof of presenting its employees an annual fraud prevention training that covers “the indicia of fraud associated” with electronic money transfers. The law will go into effect on July 7 (90 days after enactment).
Seventeen State Attorneys General comment on CFPB overdraft proposal
State attorneys general (AGs) from 17 states recently sent a letter to the CFPB endorsing its proposed rule to amend TILA. The 17 states included New York as principal, California, Colorado, Connecticut, Delaware, the District of Columbia, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, North Carolina, Oregon, Pennsylvania, and Washington. As previously covered by InfoBytes, the proposed amendments would treat overdraft credits as loans, which would make them subject to consumer protections.
The AGs argued that the historical basis for excluding overdraft fees from TILA protections would be obsolete due to how the fees are assessed, the high fee amount, and the large number of overdraft transactions. The AGs wrote that closing the loophole would protect consumers by providing customers with disclosures so they can better understand the cost and enable them to comparison shop. The AGs supported a benchmark fee of $3, which is the lowest fee amount proposed by the CFPB, and argued that even a $6 fee would “undercount the volume of transactions generating a fee post-enactment” of the proposed rule. Finally, the AGs urged the CFPB to extend the proposed rule to both “very large financial institutions” (those with more than $10 billion in assets) and small financial institutions.
Utah appellate court upholds ruling for defendant in FDCPA case
Recently, the Utah Court of Appeals affirmed a lower court’s decision granting summary judgment in favor of a defendant debt collector in an FDCPA case. According to the court, defendant’s registration as a debt collection agency had lapsed in Utah when it sent the plaintiff a debt collection letter. Later, when still not registered as a collection agency, defendant served plaintiff with a collection complaint and filed it with the district court. Plaintiff did not contest the complaint, leading to defendant moving for a default judgment, which the district court granted in 2020. Thereafter, plaintiff filed suit against defendant for illegally pursuing the prior collection action, and summary judgment was entered against plaintiff.
On appeal, the court turned to a recent similar case that supported the lower court’s decision that a registration violation was not actionable under the Utah Consumer Sales Practices Act (UCSPA). Regarding plaintiff’s FDCPA claim, the court found that plaintiff did not argue for a different resolution under the FDCPA compared to the Utah Code. Plaintiff contended that since both statutes prohibited the same practices in debt collection, her FDCPA claim should also be valid under the UCSPA. However, as plaintiff did not preserve any argument distinguishing her FDCPA claim from her UCSPA claim, the court affirmed the dismissal of both the FDCPA and UCSPA claims.
Fed releases enforcement action against Wyoming-based bank holding company
On April 4, the Federal Reserve released an enforcement action against a Wyoming-based bank holding company as part of a September 2023 inspection that found alleged deficiencies related to the “fintech business strategy, board oversight, capital, earnings, liquidity, risk management, and compliance.” The consent order with the bank holding company requires the holding company to: (i) serve as a source of strength to its bank subsidiary; (ii) submit a written plan to strengthen board oversight, including a staffing assessment and succession plan; (iii) submit a written plan to strengthen its risk management program, including adopting written policies and procedures to manage compliance and fraud risks; (iv) submit an enhanced liquidity risk management program, a capital plan, and a written business plan to improve earnings; and (v) ensure compliance with regulations governing affiliate transactions. The consent order additionally placed limits on the holding company’s fintech activities and required the holding company to submit a wind-down plan for fintech-related business. According to the consent order, following the September 2023 inspection, the holding company had voluntarily stopped pursuing its fintech business strategy and had been winding down all related activities.
FDIC’s Gruenberg speaks on plans for economic inclusion
On April 4, Federal Deposit Insurance Corp. Chairman, Martin J. Gruenberg, delivered a speech on the FDIC’s economic inclusion strategy. The speech highlighted the FDIC’s commitment to economic inclusion, efforts to understand the size and characteristics of the unbanked market, and past FDIC economic inclusion efforts.
When Chairman Gruenberg highlighted previous FDIC inclusion efforts, he noted that the unbanked rate fell from 8.2 to 4.5 percent during the decade ending in 2021, with even steeper decreases for some minority populations. He also announced a new economic inclusion strategic plan to expand customers’ participation in the banking system and help households achieve greater financial security. The plan would intend to help customers build credit, including through small-dollar lending programs with affordable rates, and calls for specific steps to encourage bank lending and investments in low- and moderate-income neighborhoods.