InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Irish DPC fines global social media company €265 million over data scraping claims
On November 28, the Irish Data Protection Commission (DPC) announced the conclusion of a “data scraping” inquiry into the practices of a global social media company’s European operations. The inquiry, which included cooperation from all of the other data protection supervisory authorities in the EU, was commenced in April 2021 following media reports that personal data for which the company was responsible was available on the internet. According to the DPC, the inquiry focused on questions related to the company’s compliance with the GDPR’s obligation for “Data Protection by Design and Default.” Specifically, the DPC “examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept).” The decision, adopted on November 25, and agreed upon by all the other EU supervisory authorities, found that the company violated Articles 25(1) and 25(2) of the GDPR. The decision imposes a reprimand and requires the company to bring its processing into compliance by implementing several specific remedial actions within a particular timeframe. In addition, the company must pay an administrative fine of €265 million.
EU increases financial sector cybersecurity
On November 28, the Council of the European Union (EU) announced that it adopted legislation for a new cybersecurity directive intended to improve resilience and incident response capacities across the EU by replacing the NIS, the current directive on the security of network and information systems. According to the announcement, the new directive, called NIS2, is intended “to harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states.” Among other things, the directive establishes minimum rules for a regulatory framework and mechanisms for effective cooperation among relevant authorities in each member state, according to the EU. Additionally, the directive updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement. The new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.
States ask FTC to increase consumer data privacy protections
On November 17, the Massachusetts attorney general announced that a coalition of more than 30 state AGs sent a letter to the FTC urging the Commission to consider the heightened sensitivity around consumers’ medical data, biometric data, and location data, along with other dangers that arise from data brokers and the surveillance of consumers in response to the FTC’s August advanced notice of proposed rulemaking (ANPR). As previously covered by InfoBytes, in August the FTC announced the ANPR covering a wide range of concerns about commercial surveillance practices, specifically related to the business of collecting, analyzing, and profiting from information about individuals. In the letter, the AGs expressed that they share the FTC’s concern about “the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized.” The AGs noted, among other things, that many consumers are not even aware that their location information is being collected, and when a consumer wishes to disable location sharing, their options are quite limited. The coalition also urged the FTC to consider the risks of commercial surveillance practices that use or facilitate the use of facial recognition, fingerprinting, or other biometric technologies. The letter stated that “consumers provide this information to companies for security purposes or personal pursuits, such as to learn about their ancestry,” but are not always aware of when and how their data is collected. The AGs emphasized the persistent dangers of data brokers, and warned that data brokers profile consumers by scouring their information and use it to create profiles of certain consumers who are susceptible to certain advertising or are likely to buy certain products. In regard to data minimization, the letter emphasized that it is “vital that the Commission consider data minimization requirements and limitations.” The AGs encouraged the FTC “to examine the approach taken in the California, Colorado, Connecticut, Utah and Virginia consumer privacy laws,” and further explained that “each statute mandates that businesses tie and limit the collection of personal data to what is ‘reasonably necessary’ in relation to specified purposes.”
New York enacts protections for consumers with medical debt
On November 23, the New York governor signed S6522A/A7363A to prohibit certain hospitals and healthcare providers from placing liens on the primary residences of individuals with unpaid medical debts or garnishing wages to collect on unpaid bills or satisfy judgments arising from a medical debt lawsuit. “No one should face the threat of losing their home or falling into further debt after seeking medical care,” Governor Kathy Hochul said in an announcement. “I’m proud to sign legislation today that will end this harmful and predatory collection practice to help protect New Yorkers from these unfair penalties. The bill is effective immediately.
OCC revises civil money penalty manual
On November 29, the OCC announced revisions to its civil money penalty (CMP) manual. Specifically, the OCC revised the CMP matrix, which is a tool used to guide the OCC’s decision making in assessing CMPs. The revised CMP matrix, applicable to OCC-regulated institutions, allows for sufficient differentiation among varying levels of misconduct or by institution size, and includes updated mitigating factors to provide a stronger incentive for banks to fully address underlying deficiencies. The OCC also announced a revised Policies and Procedures Manual (PPM) for assessing CMPs. This version replaces the November 13, 2018, version conveyed by OCC Bulletin 2018-41, “OCC Enforcement Actions: OCC Enforcement Action Policies and Procedures Manuals.” Highlights of the PPM include, among other things; (i) revised mitigating factors of self-identification, remediation or corrective action, and restitution: (ii) increased scoring weight of mitigating factors; and (iii) a revised table titled “Suggested Action Based on Total Matrix Score and Total Assets of Bank.” The OCC further noted that the CMP matrix is not a substitute for sound supervisory judgment, and said the OCC may depart from the matrix suggestions when appropriate and when based on the specific facts and circumstances of each matter. The OCC will begin using the revisions on January 1, 2023.
FHA extends temporary partial waivers for specific HECM policies
On November 28, FHA announced FHA INFO 2022-98 to extend two temporary partial waivers to its Home Equity Conversion Mortgage (HECM) loss mitigation policies for senior borrowers impacted by the Covid-19 pandemic who continue to experience significant financial difficulties. The first temporary partial waiver concerns Mortgagee Letter 2015-11. FHA notes that the waiver “allows mortgagees to offer repayment plans to HECM borrowers with unpaid property charges regardless of their total outstanding arrearage.” The second waiver—concerning Mortgagee Letter 2016-07—“permits mortgagees to seek assignment of a HECM immediately after using their own funds to pay property taxes and insurance on or after March 1, 2020, by temporarily eliminating the three-year waiting period for such assignments.” Both waivers were set to expire at the end of December, but are now effective through December 31, 2023.
CSBS says FDIC board nominees lack state bank regulatory expertise
On November 29, the Conference of State Bank Supervisors sent a letter to Senator Sherrod Brown (D-OH), Chairman of the Senate Banking Committee, and Rep. Pat Toomey (R-PA), Ranking Member of the House Financial Services Committee, to express their disappointment that none of the nominees to the FDIC Board of Directors have state bank supervisory experience. Last month, President Biden nominated Martin Gruenberg, who has been serving as acting chairman, to serve as chair and member of the board, and in September, Travis Hill and Jonathan McKernan were nominated to fill the board’s two vacant seats (covered by InfoBytes here and here). At the time of the announcement, CSBS President and CEO James M. Cooper issued a statement encouraging the U.S. Senate to ask nominees how they intend to work with state bank regulators. Cooper reiterated in his follow-up letter that the FDI Act requires that at least one board member have state bank supervisory experience, especially since having the Comptroller of the Currency seated on the board represents the interest of national banks. According to Cooper, fulfilling this statutory requirement “can only be met by a person who has worked in state government as a supervisor of state-chartered banks, and as the legislative history notes, [is] someone with ‘state bank regulatory expertise and sensitivity to the issues confronting the dual banking system.’” Cooper asked that the slate of nominees confirmed by the Senate includes at least one individual who fulfills this requirement.
The following day, during the Senate Banking Committee’s nomination hearing, Republican senators questioned Gruenberg’s role in a dispute between Democratic board members and former Chairwoman Jelena McWilliams related to a joint request for information seeking public comment on revisions to the FDIC’s framework for vetting proposed bank mergers. McWilliams eventually announced her resignation at the end of last year (covered by InfoBytes here). Senator Pat Toomey (R-PA) called Gruenberg’s participation in the dispute “very disturbing,” and expressed concerns that his actions, along with some of his colleagues, “really undermines the [] FDIC and could have lasting implications.” Gruenberg countered that under the FDI Act, “the authority of the agency explicitly is vested in the board of directors, and the majority of the board has the authority to place items before the board.”
Some Republican senators also raised concerns with Gruenberg’s past involvement in Operation Choke Point, with Senator Steve Daines (R-MT) requesting that Gruenberg commit to actively preventing FDIC employees from “criticizing, discouraging or prohibiting banks from lending or doing business with any industries or customers that are operating in accordance with the law.” Gruenberg agreed to do so, saying this has been the FDIC’s policy. The FDIC’s current approach to cryptocurrency was also addressed, while Senator Cynthia Lummis (R-WY) took issue with the fact that none of the board nominees fulfill the Biden administration’s push for diversity and inclusion.
FTC takes action against debt relief operation
On November 30, the FTC announced an action against three individuals and their affiliated companies (collectively, “defendants”) for allegedly participating together in a credit card debt relief scheme since 2019. The FTC alleged in its complaint that the company violated the FTC Act and the Telemarketing Sales Rule (TSR) by using telemarketers to call consumers and pitch their deceptive scheme, falsely claiming to be affiliated with a particular credit card association, bank, or credit reporting agency and promising they could improve consumers’ credit scores after 12 to 18 months. The defendants also allegedly misrepresented that the upfront fee, which in some cases was as high as $18,000, was charged to consumers’ credit cards as part of the overall debt that would be eliminated, and therefore consumers would not actually have to pay this fee. The District Court for the Middle District of Tennessee granted the Commission’s request to temporarily shut down the scheme operated by the defendants and froze their assets. The complaint requests, among other things, a permanent injunction to prevent future violations of the FTC Act and the TSR by the defendants.
District Court grants MSJ for plaintiff in FDCPA suit
On November 21, the U. S. District Court for the Northern District of Illinois denied a defendant debt collection company’s motion for summary judgment and granted plaintiff’s motion for summary judgment in an FDCPA suit. According to the opinion, the plaintiff sent a letter to the defendant disputing the accuracy of the information being reported to the credit reporting agency, saying the amount of the debt was incorrect. The defendant received the letter on February 1, 2021, and on February 3, the defendant reported the debt to the CRA, but failed to note that the debt was disputed. The CRA then communicated information about plaintiff’s debt to additional third parties. The next reporting cycle for the plaintiff’s account closed on March 3, 2021. At that time, the defendant correctly reported that plaintiff’s debt was disputed. The defendant explained that although the servicer received the plaintiff’s dispute letter on February 1, 2021, “no one was able to analyze, process, and review” it until February 4, 2021, by which time it had already reported the debt to the CRA.
The defendant argued that it can take up to seven business days for its credit review team to review a dispute letter that it receives, and information about a disputed debt may be communicated to third parties in the interim. The defendant also argued that the plaintiff lacked standing to sue because there was no negative impact on her credit score as a result of the dispute not being transmitted.
According to the court, the defendant’s “system tolerates the communication of false information in cases where disputes arrive at its doorstep at the close of its monthly reporting periods, and it lacks procedures for promptly correcting information it later discovers was false at the time it was communicated to a third party.” The court also found that the plaintiff’s constitutional standing does not depend on proof of damage to her credit score.
Senators demand answers on collapsed cryptocurrency exchange; NYDFS seeks tougher crypto approach
On November 16, Senator Elizabeth Warren (MA-D) and Senator Richard Durbin (IL-D) sent a letter to the ex-CEO and his successor of a cryptocurrency exchange that filed for bankruptcy. In the letter, the senators requested a series of files from the cryptocurrency exchange, including copies of internal policies and procedures regarding the relationship between the firm and its affiliated crypto hedge fund. The senators stated that the cryptocurrency exchange’s customers and Americans “fear that they will never get back the assets they trusted to [the cryptocurrency exchange] and its subsidiaries.” Additionally, the senators argued that “the apparent lack of due diligence by venture capital and other big investment funds eager to get rich off crypto, and the risk of broader contagion across the crypto market that could multiply retail investors’ losses, ‘call into question the promise of the industry.’” The senators emphasized that “the public is owed a complete and transparent accounting of the business practices and financial activities leading up to and following the cryptocurrency lending firm's collapse and the loss of billions of dollars of customer funds.” Among other things, the senators asked the cryptocurrency exchange to provide requested information by November 28, including: (i) complete copies of all the firm’s and its subsidiaries’ balance sheets, from 2019 to the present; (ii) an explanation of how “a poor internal labeling of bank-related accounts” resulted in the firm’s liquidity crisis; (iii) a list of all the firm’s transfers to its affiliated crypto hedge fund; (iv) copies of all written policies and procedures regarding the relationship between the firm and its affiliated crypto hedge fund; and (v) an explanation of the $1.7 billion in the firm’s customer funds that were allegedly reported missing.
The same day, NYDFS Superintendent Adrienne Harris participated in a “fireside chat” before the Brooking Institute’s event, Digital asset regulation: The state perspective - Effective regulatory design and implementation for virtual currency. During the chat, Harris expressed her support for a national framework similar to what New York has because she believes that “it is proving itself to be a very robust and sustainable regime.” Harris also discussed NYDFS priorities regarding digital assets for the future, stating that crypto companies can expect more guidance on a number of key regulatory issues. Specifically, Harris disclosed that NYDFS will “have more to say on capitalization,” and “on consumer protection, disclosures, advertising … [and] complaints, making sure these companies have an easy way for consumers to complain.” She also warned that NYDFS will “bolster and broaden” its authority, adding that there is “lots of work for us to do to make clear the expectations that we have already, and to make sure that the things we have on the books equip us well to keep up with this marketplace.”
Senators Warren and Sheldon Whitehouse (D-RI) also sent a letter to the DOJ asking that the former CEO and any complicit company executives be held personally accountability for wrongdoing following the cryptocurrency exchange’s collapse.
On December 13, the House Financial Services Committee will hold a hearing to discuss the cryptocurrency exchange’s collapse and the possible implications for other digital asset companies.