InfoBytes Blog

Financial Services Law Insights and Observations


  • Gensler says penalties should not be “seen as the cost of doing business”

    Securities

    On November 2, SEC Chair Gary Gensler delivered remarks before the Practising Law Institute’s 54th Annual Institute on Securities Regulation, warning companies they may face enforcement consequences should they engage in misconduct. Explaining that penalties should not be “seen as the cost of doing business,” Gensler cautioned that “fraud is fraud, regardless of the types of investors you have defrauded and the types of securities used in the fraud.” Reminding companies that they are in violation of federal securities laws should they fail to register a security as required or fail to register an investment company, he highlighted a $100 million action taken against a New Jersey-based financial services crypto lending platform accused of failing to register the offers and sales of its retail credit lending product as one example of a company making materially false and misleading statements about its securities. (Covered by InfoBytes here.) Gensler also warned companies that improperly trading securities on inside information is a violation of securities laws, “regardless of the ‘form’ or ‘name’ of the securities involved,” and touched upon topics related to accountability, high-impact cases, working with partners at the federal, state, and international level, and professionals who violate public trust. Gensler stressed, however, that knowing when to pursue an enforcement action is important, and said that “[i]f the facts and the law merit we do not make a case,” he is “comfortable with that.” He added that the SEC rewards good behavior and encouraged companies to promptly self-report errors and cooperate with investigations. “If you mess up—and people do mess up sometimes—come in and talk to us, cooperate with our investigation, and remediate your misconduct,” he said.

    Securities SEC Enforcement

  • 6th Circuit affirms FCRA summary judgment

    Courts

    On November 4, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s summary judgment ruling in favor of a credit reporting agency (defendant) accused of violating the FCRA. According to the opinion, a father and son (plaintiff) filed Chapter 7 bankruptcy petitions just over a year apart with the same attorney. Both petitions had their similar names, identical address, and, mistakenly, the plaintiff’s social security number. Although the attorney corrected the social security number on the father’s bankruptcy petition the day after it was filed, the defendant allegedly failed to catch the amendment and erroneously reported the father’s bankruptcy on the plaintiff’s credit report for nine years. When the plaintiff noticed the error, he sent the defendant a letter and demanded a sum in settlement. The defendant removed the father’s bankruptcy filing from the plaintiff’s credit report. The plaintiff sued two credit reporting agencies, alleging they violated the FCRA by failing to “follow reasonable procedures to assure maximum possible accuracy” of his reported information. One of the agencies settled with the plaintiff. A district court granted the other defendant’s motion for summary judgment, which the plaintiff appealed.

    On the appeal, the 6th Circuit noted that the plaintiff “has standing to bring this action, but also agree that he cannot establish that [defendant’s] procedures were unreasonable as a matter of law.” The appellate court found that, because the defendant gathered information from reliable sources and because someone “with at least some legal training” would have had to manually review the bankruptcy docket to notice that the Social Security number had been updated, the defendant did not violate the FCRA. The appellate court wrote that the defendant’s “processes strike the right balance between ensuring accuracy and avoiding ‘an enormous burden’ on consumer credit reporting agencies.” Furthermore, the 6th Circuit stated that, “[g]iven the sheer amount of data maintained by these companies, we know that consumers are ‘in a better position . . . to detect errors’ in their credit reports and inquire about a fix.”

    Courts Credit Reporting Agency Appellate Sixth Circuit FCRA Bankruptcy Consumer Finance

  • CPPA says comments on modified draft privacy rules due November 21

    Privacy, Cyber Risk & Data Security

    On November 3, the California Privacy Protection Agency (CPPA) Board officially posted updated draft rules for implementing the Consumer Privacy Rights Act of 2020, which amends and builds on the California Consumer Privacy Act of 2018. The draft rules were previously released in advance of a CPPA Board meeting held at the end of October (see previous InfoBytes coverage here for a detailed breakdown of the proposed changes). A few notable changes between the versions include:

    • A requirement that a business must treat an opt-out preference signal as a valid request to opt out of sale/sharing for not only that browser or device but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
    • A requirement that if a business does not ask a consumer to affirm their intent with regard to a financial incentive program, “the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or device and any consumer profile the business associates with that browser or device.” However, if a consumer submits an opt-out of sale/sharing request but does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal with respect to the consumer’s participation in the financial incentive program.
    • The addition of the following provision: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”

    Comments on the amended draft rules are due November 21 by 8 am PT.

    Privacy, Cyber Risk & Data Security State Issues CPPA CCPA CPRA Agency Rule-Making & Guidance Consumer Protection

  • OFAC sanctions oil shipping network connected to IRGC-QF and Hizballah

    Financial Crimes

    On November 3, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against members of an international oil smuggling network for allegedly facilitating oil trades and generating revenue for Hizballah and the Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF). Included are “several key individuals and numerous front companies and vessels involved in blending oil to conceal the Iranian origins of the shipments and exporting it around the world in support of Hizballah and the IRGC-QF.” According to Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson, the responsible individuals “use a web of shell companies and fraudulent tactics including document falsification to obfuscate the origins of Iranian oil, sell it on the international market, and evade sanctions” in order to generate revenue to enable Hizballah and IRGC-QF terrorist activities. The sanctions follow the designation of another Iranian oil smuggling network earlier in May (covered by InfoBytes here). As a result, all property, and interests in property of the designated persons, “and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” Unless authorized by general or specific OFAC licenses or otherwise exempt, OFAC regulations generally prohibit all transactions by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of designated individuals. 

    OFAC further warned that “engaging in certain transactions with the individuals and entities designated today entails risk of secondary sanctions.” Additionally, OFAC warned that a foreign financial institution that knowingly conducts or facilitates a significant transaction on behalf of a Specially Designated Global Terrorist could be subject to U.S. correspondent or payable-through account sanctions.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List Hizballah

  • FTC’s annual PrivacyCon focuses on consumer privacy and security issues

    Privacy, Cyber Risk & Data Security

    On November 1, the FTC held its annual PrivacyCon event, which hosted research presentations on a wide range of consumer privacy and security issues. Opening the event, FTC Chair Lina Khan stressed the importance of hearing from the academic community on topics related to a range of privacy issues that the FTC and other government bodies may miss. Khan emphasized that regulators cannot wait until new technologies fully emerge to think of ways to implement new laws for safeguarding consumers. “The FTC needs to be on top of this emerging industry now, before problematic business models have time to solidify,” Khan said, adding that the FTC is consistently working on privacy matters and is “prioritizing the use of creative ideas from academia in [its] bread-and-butter work” to craft better remedies to reflect what is actually happening. She highlighted a recent enforcement action taken against an online alcohol marketplace and its CEO for failing to take reasonable steps to prevent two major data breaches (covered by InfoBytes here). Khan noted that while the settlement’s requirements, such as imposing multi-factor authentication requirements and destroying unneeded user data, may not sound “very cutting-edge” they serve as a big step forward for government enforcers. Chief Technology Officer Stephanie Nguyen, who is responsible for leading the charge to integrate technologists across the FTC’s various lines of work, including consumer privacy, discussed the work of these technologists (including AI and security experts, software engineers, designers, and data scientists) to help develop remedies in data security-related enforcement actions and to push companies to not just do the minimum to remediate areas like unreasonable data security but to model best practices for the industry. “We want to see bad actors face real consequences,” Nguyen said, adding that the FTC wants to hold corporate leadership accountable as it did in the enforcement action Khan cited. 

    Nguyen further stressed that there is also a need to address systemic risk by making companies delete illegally collected data and destroy any algorithms derived from the data.

    The one-day conference featured several panel sessions covering a number of topics related to consumer surveillance, automated decision-making systems, children’s privacy, devices that listen to users, augmented/virtual reality, interfaces and dark patterns, and advertising technology. Topics addressed during the panels include (i) requiring data brokers to provide accurate information; (ii) understanding how data inaccuracies can disproportionately affect minorities and those living in poverty, and why relying on this data can lead to discriminatory practices; (iii) examining bias and discrimination risks when engaging in emotional artificial intelligence; (iv) understanding automated decision making systems and how the quality of these systems impact populations they are meant to represent; (v) recognizing the lack of transparency related to children’s data collection and use, and the impact various privacy laws, including the Children’s Online Privacy Protection Rule, the General Data Protection Regulation, and the California Consumer Privacy Act, have on the collection/use/sharing of personal data; (vi) recognizing challenges related to cookie-consent interfaces and dark patterns; and (vii) examining how targeted online advertising both in the U.S. and abroad affects consumers.

    Privacy, Cyber Risk & Data Security FTC Consumer Protection Artificial Intelligence Dark Patterns Enforcement

  • 4th Circuit says website does not qualify for Section 230 immunity

    Courts

    On November 3, the U.S. Court of Appeals for the Fourth Circuit reversed and remanded a district court’s summary judgment ruling that a public records website, its founder, and two affiliated entities (collectively, “defendants”) could use Section 230 liability protections under the Communications Decency Act (CDA) to shield themselves from credit reporting violations. As previously covered by InfoBytes, plaintiffs alleged, among other things, that because the defendants’ website collects, sorts, summarizes, and assembles public record information into reports that are available for third parties to purchase, it qualifies as a consumer reporting agency (CRA) under the FCRA, and as such, must follow process-oriented requirements that the FCRA imposes on CRAs. However, the district court determined that the immunity afforded by Section 230 of the Communications Decency Act applied to the FCRA and that the defendants qualified for such immunity and could not be held liable for allegedly disseminating inaccurate information and failing to comply with the law’s disclosure requirements.

    On appeal, the 4th Circuit reviewed whether a consumer lawsuit alleging violations of the FCRA’s procedural and disclosure requirements and seeking to hold the defendants liable as the publisher or speaker of information provided by a third party is thereby preempted by Section 230. The appellate court agreed with an amicus brief filed in 2021 by the FTC, CFPB, and the North Carolina Department of Justice, which urged the appellate court to overturn the district court ruling on the basis that the court misconstrued Section 230—which they assert is unrelated to the FCRA—by extending immunity to “claims that do not seek to treat the defendant as the publisher or speaker of any third-party information.” According to the amicus brief, liability turns on the defendants’ alleged failure to comply with FCRA obligations to use reasonable procedures when preparing reports, to provide consumers with a copy of their files, and to obtain certifications and notify consumers when reports are furnished for employment purposes.

    The 4th Circuit held that Section 230(c)(1) of the CDA “extends only to bar certain claims, in specific circumstances, against particular types of parties,” and that the four claims raised in this case were not subject to those protections. “Section 230(c)(1) provides protection to interactive computer services,” the appellate court wrote, “[b]ut it does not insulate a company from liability for all conduct that happens to be transmitted through the internet.” Specifically, the appellate court said two of the counts—which allege that the defendants failed to give consumers a copy of their own report when requested and did not follow FCRA requirements when providing reports for employment purposes—do not seek to hold the defendants liable as a speaker or publisher, and therefore fall outside Section 230 protections. As for the remaining two counts related to claims that the defendant failed to ensure records for employment purposes were complete and up-to-date, or adopt procedures to assure maximum possible accuracy when preparing reports, the 4th Circuit concluded that the defendants “made substantive changes to the records’ content that materially contributed to the records’ unlawfulness. That makes [defendants] an information content provider, under the allegations, for the information relevant to Counts Two and Four, meaning that it is not entitled to § 230(c)(1) protection for those claims.”

    Courts Appellate Fourth Circuit FCRA Communications Decency Act Consumer Reporting Agency

  • Plaintiff wins $148,000 in data breach suit

    Courts

    On November 3, the U.S. District Court for the District of Minnesota granted a plaintiff technical consulting and software development company’s motion for summary judgment in a data breach suit. According to the order, an unknown bad actor gained unauthorized access to the email account of a plaintiff’s employee and created multiple “rules” that interfered with the proper receipt of incoming emails. The bad actor sent emails to and from the account, at times impersonating the employee and at times impersonating clients. The plaintiff issued two invoices to a particular client while these rules were in place: one invoice was for $137,000 for the plaintiff’s services, and the other invoice was for an additional $39,962. The bad actor emailed the client, posing as the employee, and wrote that it had “recently changed banks and our previous account . . . has been closed, hence, all payments effective immediately will be made directly to our new bank account in compliance with the policy of the company.” The bad actor requested confirmation as to when the client would pay the first invoice “so we can forward our new bank account details.” The client sent the payment to an account controlled by the bad actor. After discovering the bad actor’s conduct, the plaintiff recovered some of that money with the help of the U.S. Secret Service but sought insurance coverage for nearly $148,000, court records show. The defendant had insured the plaintiff under a technology professional liability (TPL) policy that incorporated a Data Breach Coverage Form, which included a “Cyber Business Interruption and Extra Expense” clause. The plaintiff submitted a claim to the defendant seeking coverage under the policy for the money lost to the bad actor. The defendant denied the plaintiff’s claim for coverage. The plaintiff sued, alleging that the defendant’s denial of coverage breached the TPL policy. 

    The court found that using “‘impairment’ rather than ‘interruption’ in the Clause itself demonstrates that the TPL policy specifically grants coverage when a business suffers something less than a total suspension of operations.” The court further noted that the policy covers the loss, granted summary judgment to the plaintiff on its claim that the defendant breached the policy by denying coverage, and awarded the plaintiff nearly $148,000 in damages.

    Courts Privacy, Cyber Risk & Data Security Data Breach Cyber Insurance

  • Fed asks for comments on publicizing FRB master accountholders

    On November 4, the Federal Reserve Board issued a notice and request for comment seeking feedback on proposed amendments to its Guidelines for Evaluating Account and Services Requests. Specifically, the proposed amendments would require the Federal Reserve Banks to publish a periodic list of depository institutions that have access to Reserve Bank accounts (often known as “master accounts”) and payment services. In August, the Fed adopted final guidance establishing “a transparent, risk-based, and consistent set of factors for Reserve Banks to use in reviewing requests to access these accounts and payment services.” Recognizing that the longstanding practice of both the Fed and the Reserve Banks “has been to not disclose account-related information to the general public on the basis that such information is considered confidential business information,” the Fed said it is considering “the potential benefits of expanding the disclosure of the names of institutions that have access to accounts and services” following comments received from stakeholders that called for greater public disclosure of account-related information. Comments are due 60 days after publication in the Federal Register.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance Federal Reserve Banks

  • FDIC’s Gruenberg discusses CRA rulemaking

    On November 2, FDIC acting Chairman Martin J. Gruenberg delivered remarks before the National Association of Affordable Housing Lenders to address ongoing Community Reinvestment Act (CRA) rulemaking, the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households, and challenges from nonbank payment services. In his remarks, Gruenberg referenced the pending notice of proposed rulemaking (NPR) on the CRA issued in May by the FDIC, OCC, and the Federal Reserve Board (collectively, “agencies”). As previously covered by InfoBytes, the NPR would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. Gruenberg stated that the agencies are committed to strengthening the law’s impact and “increasing transparency and predictability in its application,” and said the FDIC is currently reviewing approximately 1,000 unique comments received in response to the NPR. Gruenberg also discussed the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households. According to the biennial survey, an estimated 4.5 percent of U.S. households (representing 5.9 million households) lack a bank or credit union account, the lowest national unbanked rate since the FDIC survey began in 2009 (covered by InfoBytes here). Gruenberg noted that the survey found that the rate of unbanked households decreased consistently over the past decade, from 8.2 percent in 2011 to 4.5 percent in 2021. He also said that the survey indicated that 14.1 percent of households were underbanked, although demand for several nonbank products and services decreased. Gruenberg further commented that the survey revealed regulatory challenges in light of the array of options available to consumers, specifically nonbank online payment services. 

    He explained that though “banked households were significantly more likely to use nonbank online payments services than unbanked households, the most common use cases were quite different between the two groups. Banked households most commonly reported that they used these services primarily to send or receive money from family or friends and to make online purchases, as a complement to a bank account. In contrast, the most common use cases among unbanked households revealed that they were using these services as they might otherwise have used bank accounts: paying bills, receiving income and as a vehicle to save or keep money safe.”

    Bank Regulatory Federal Issues FDIC CRA Unbanked Consumer Finance Nonbank

  • FTC fines ISP $100 million for dark patterns and junk fees

    Federal Issues

    On November 3, the FTC announced an action against an internet phone service provider claiming the company imposed “junk fees” and made it difficult for consumers to cancel their services. The FTC alleged in its complaint that the company violated the FTC Act and the Restore Online Shoppers’ Confidence Act by imposing a series of obstacles, sometimes referred to as “dark patterns”, to deter and prevent consumers from canceling their services or stopping recurring charges. Consumers who were able to sign up for services online were allegedly forced to speak to a live “retention agent” on the phone during limited working hours in order to cancel their services. The company also allegedly employed a “panoply of hurdles” to cancelling consumers by, among other things, making it difficult for the consumer to locate the phone number on the website, obscuring contact information, failing to consistently transfer consumers to the appropriate number, imposing lengthy wait times, holding reduced operating hours for the cancellation line, and failing to provide promised callbacks. Additionally, the FTC claimed the company often informed consumers they would have to pay an early termination fee (sometimes hundreds of dollars) that was not clearly disclosed when they signed up for the services, and continued to illegally charge consumers without consent even after they requested cancellation. According to the FTC, consumers who complained often only received partial refunds.

    Under the terms of the proposed stipulated order, the company will be required to take several measures, including (i) obtaining consumers’ express, informed consent to charge them for services; (ii) simplifying the cancellation process to ensure it is easy to find and use and is available through the same method the consumer used to enroll; (iii) ending the use of dark patterns to impede consumers’ cancellation efforts; and (iv) being transparent about the terms of any negative option subscription plans, including providing required disclosures as well as a simple mechanism for consumers to cancel the feature. The company will also be required to pay $100 million in monetary relief.

    Federal Issues FTC Enforcement Junk Fees Dark Patterns Consumer Finance Consumer Protection FTC Act ROSCA
