InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC finalizes action against e-commerce platform for data breach cover up
On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of an online customized merchandise platform—allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect customers’ personal information against unauthorized access and misrepresenting that appropriate steps were taken to secure consumer account information following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats or adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Under the terms of the final settlement, one of the respondents is required to pay $500,000 to victims of the data breaches. The other respondent is required to provide notice to consumers impacted by a 2019 data breach. Among other things, the order prohibits respondents from misrepresenting their privacy and security measures and requires that respondents implement comprehensive information security programs that are assessed by an independent third party.
Hawaii enacts licensing legislation
On June 17, the Hawaii governor signed two bills into law. HB 2113 permits money transmitter license applicants to submit to either a state or federal criminal history record check, rather than both, upon application. SB 1105 establishes that, in addition to application fees, and any fees required by NMLS, a mortgage loan originator licensee must pay a mortgage loan recovery fund fee of $200, and upon application for renewal of a license, a mortgage loan originator licensee must pay $100. The bill also permits a person aggrieved by the fraud, misrepresentation, or deceit of a mortgage loan originator company licensee to receive restitution payment upon a final court order. The bills are effective July 1.
CFPB updates FAQs on civil money penalties
On June 6, the CFPB updated its Civil Penalty Fund Frequently Asked Questions (FAQs). The FAQs, among other things: (i) present the Civil Penalty Fund Allocation Schedule; (ii) clarify basic definitions related to CFPB civil money penalties; (iii) clarify when the Bureau will begin to distribute funds; and (iv) explain redress and its difference from payments to victims from the Civil Penalty Fund.
Rep. McHenry introduces draft privacy legislation based on GLBA
On June 23, House Financial Services Ranking Member Patrick McHenry (R-NC) released a discussion draft of new federal legislation intended to modernize financial data privacy laws and provide consumers more control over the collection and use of their personal information. (See overview of the discussion draft here.) The draft bill seeks to build on the Gramm-Leach-Bliley Act (GLBA) to better align financial data protection law with evolving technologies that have innovated the financial system and the way in which consumers interact with financial institutions, including nonbank institutions. “Technology has fundamentally changed the way consumers participate in our financial system—increasing access and inclusion. It has also increased the amount of sensitive data shared with service providers. Our privacy laws—especially as they relate to financial data—must keep up,” McHenry said, emphasizing the importance of finding a way to “secure Americans’ privacy without strangling innovation.”
Among other things, the draft bill:
- Requires notice of collection activities. The GLBA currently requires that consumers be provided notice when their information is being disclosed to third parties. The draft bill updates this requirement to require financial institutions to provide notice when consumers’ nonpublic personal information is being collected.
- Recognizes the burden on small institutions. The draft bill stipulates that agencies shall consider compliance costs imposed on smaller financial institutions when promulgating rules.
- Amends the definition of a “financial institution.” The draft bill will update the definition to cover data aggregators in addition to financial institutions engaged in financial activities as described in 4(k) of the Bank Holding Company Act of 1956.
- Expands the definition of non-public information. The draft bill expands the definition of “personally identifiable financial information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Publicly available information is not included in this definition. The definition of “consumer account credentials” will mean “nonpublic information (including a username, password, or an answer to a security question) that enables the consumer to access an account of the consumer at a financial institution.”
- Provides consumers access to data. The draft bill provides that financial institutions must, upon an authorized request from a consumer, disclose the data held, entities with which the financial institution shares consumer data, and a list of entities from whom the financial institution has received a consumer’s non-public personal information.
- Allows consumers to stop the collection and disclosure of their data. When a financial institution is required to terminate the collection and/or sharing of a consumer’s nonpublic personal information, the draft bill provides that a financial institution must notify third parties that data sharing is terminated and must require the third parties to also terminate collection and disclosure. Additionally, upon request from a consumer, the financial institution must delete any nonpublic personal information in its possession, and if required by law to retain the data, the financial institution may only use the data for that purpose.
- Minimizes data collection. The draft bill requires that financial institutions notify consumers of their data collection practices in their privacy policies, including the categories collected, how the information is collected, and the purposes for the collection. Consumers must be allowed an opportunity to opt-out of the collection of their data if not necessary for the provision of the product or service by that entity.
- Provides informed choice and transparency. Under the draft bill, privacy terms and conditions must be transparent and easily understandable. The draft bill requires the disclosure of a financial institution’s privacy policies in a manner that provides consumers meaningful understanding of what data is being collected, the manner in which the data is collected, the purposes for which the data will be used, the right to opt-out, who has access to the data, how an entity is using the data, where the data will be shared, the data retention policies of the entity, the consumer’s termination rights, and the rights associated with that data for uses inconsistent with stated purpose, among others.
- Stipulates liability for unauthorized access. The draft bill states that “[i]f the nonpublic personal information of a consumer is obtained from a financial institution (either due to a data breach or in any other manner) and used to make unauthorized access of the consumer’s account, the financial institution shall be liable to the consumer for the full amount of any damages resulting from such unauthorized access.’’
- Requires preemption. The draft bill will preempt state privacy laws to create a national standard.
The draft bill was introduced days after the House Subcommittee on Consumer Protection and Commerce heard testimony from consumer advocates and industry representatives on the recently proposed bipartisan American Data Privacy and Protection Act (covered by a Buckley Special Alert here).
Fed announces enforcement actions against Minnesota and Arkansas state banks
On June 21, the Federal Reserve Board released civil penalty orders against two state banks, both relating to alleged violations of the National Flood Insurance Act (NFIA) and its implementing regulation, Regulation H. The first civil penalty order, against a Minnesota-based bank, assessed a $4,950 penalty for an alleged pattern or practice of violations of Regulation H but does not specify the number or the precise nature of the alleged violations. The second civil penalty order, against an Arkansas-based bank, assessed a $13,950 penalty for an alleged pattern or practice of violations of Regulation H without specifying the number or precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.
CFPB to look at late fees on cards
On June 22, the CFPB issued an Advance Notice of Proposed Rulemaking (ANPRM) soliciting information from credit card issuers, consumer groups, and the public regarding credit card late fees and late payments, and card issuers’ revenue and expenses. Under the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act) rules inherited by the CFPB from the Federal Reserve, credit card late fees must be “reasonable and proportional” to the costs incurred by the issuer as a result of a late payment. However, the rules provide for a safe harbor limit that allows banks to charge certain fees, adjusted for inflation, regardless of the costs incurred. Calling the current credit card late fees “excessive,” the Bureau stated it intends to review the “immunity provision” to understand how banks that rely on this safe harbor set their fees and to examine whether banks are escaping enforcement scrutiny “if they set fees at a particular level, even if the fees were not necessary to deter a late payment and generated excess profits.”
In 2010, the Federal Reserve Board approved implementing regulations for the CARD Act that allowed credit card issuers to charge a maximum late fee, plus an additional fee for each late payment within the next six billing cycles (subject to an annual inflation adjustment). As the CFPB reported, the safe harbor limits are currently set at $30 and $41 respectively. The CFPB pointed out that in 2020, credit card companies charged $12 billion in late fee penalties. “Credit card late fees are big revenue generators for card issuers. We want to know how the card issuers determine these fees and whether existing rules are undermining the reforms enacted by Congress over a decade ago,” CFPB Director Rohit Chopra said. Chopra issued a separate statement on the same day discussing the current credit card market, questioning whether it is appropriate for card issuers to receive enforcement immunity if they hike the cost of credit card late fees each year by the rate of inflation. “Do the costs to process late payments really increase with inflation? Or is it more reasonable to expect that costs are going down with further advancements in technology every year?” he asked.
Among other things, the ANPRM requests information relevant to certain CARD Act and Regulation Z provisions related to credit card late fees to “determine whether adjustments are needed.” The CFPB’s areas of inquiry include: (i) factors used by card issuers to determine late fee amounts and how the fee relates to the statement balance; (ii) whether revenue goals play a role in card issuers’ determination of late fees; (iii) what the costs and losses associated with late payments are for card issuers; (iv) the deterrent effects of late fees and whether other consequences are imposed when payments are late; (v) methods used by card issuers to facilitate or encourage timely payments such as autopay and notifications; (vi) how late are most cardholders’ late payments; and (vii) card issuers’ annual revenue and expenses related to their domestic consumer credit card operations. The Bureau stated that public input will inform revisions to Regulation Z, which implements the CARD Act and TILA. Comments on the ANPRM are due July 22.
The ANPRM follows a June 17 Bureau blog post announcing the agency’s intention to review a “host of rules” inherited from other agencies such as the FTC and the Federal Reserve, including the CARD Act. (Covered by InfoBytes here.)
CFPB issues final rule re: credit reporting on human trafficking victims
On June 23, the CFPB issued a final rule implementing amendments to the FCRA intended to assist victims of human trafficking. According to the Bureau’s announcement, the final rule prohibits credit reporting agencies (CRAs) from providing reports containing any adverse items of information resulting from human trafficking. The final rule amends Regulation V to implement changes to the FCRA enacted in December 2021 in the “Debt Bondage Repair Act,” which was included within the National Defense Authorization Act for Fiscal Year 2022. (Covered by InfoBytes here.)
Among other things, the final rule establishes methods available for trafficking victims to submit documentation to CRAs establishing that they are a survivor of trafficking (including “determinations made by a wide range of entities, self-attestations signed or certified by certain government entities or their delegates, and documents filed in a court where a central issue is whether the person is a victim of trafficking”). The final rule also requires CRAs to block adverse information in consumer reports after receiving such documentation and ensure survivors’ credit information is reported fairly. CRAs will have four business days to block adverse information once it is reported and 25 business days to make a final determination as to the completeness of the documentation. All CRAs, regardless of reach or scope, must comply with the final rule, including both nationwide credit reporting companies and specialty credit reporting companies.
The final rule takes July 25.
District Court approves $1.4 million FCRA settlement
On June 17, the U.S. District Court for the Southern District of California granted final approval of a class action settlement resolving claims that a hospitality company violated the FCRA and various California laws. According to the order, plaintiffs filed a putative class action alleging that the company violated the FCRA by failing to make proper disclosures and obtain proper authorization during its hiring process. Additionally, the plaintiffs claimed that the company’s background check forms were allegedly defective because they “contained information for multiple states for whom background checks were run” in violation of California’s Investigative Consumer Reporting Agencies Act and other California laws. Under the terms of the settlement, the defendant will pay nearly $1.4 million, of which class members will receive $821,714 in total ($63.29 per class member), $10,127 will go towards settlement administration costs, $349,392 will cover attorneys’ fees, and $5,000 will be paid to each of the two named plaintiffs.
States reach $1.25 million data breach settlement with cruise line
On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs' offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “’unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”
Under the terms of the settlement, the company has agreed to provisions designed to strengthening its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (ii) instituting multi-factor authentication for remote email access; (iii) requiring the use of strong, complex passwords, password rotation, and secure password storage for password policies and procedures; (iv) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (v) undergoing an independent information security assessment, consistent with past data breach settlements.
FinCEN issues statement on independent ATM customer due diligence
On June 22, FinCEN issued a statement providing clarity to banks on the application of a risk-based approach to conducting customer due diligence (CDD) on independent Automated Teller Machine (ATM) owners or operators, consistent with FinCEN’s 2016 CDD Rule. As previously covered by InfoBytes, FinCEN issued a final rule imposing standardized CDD requirements for banks, broker-dealers, mutual funds, futures commission’s merchants, and brokers in commodities in May 2016. The rule established that covered institutions must identify any natural person that owns, directly or indirectly, 25 percent or more of a legal entity customer or that exercises control over the entity. The rule also established ongoing monitoring for reporting suspicious transactions and, on a risk basis, updating customer information. The recently released statement explained that the level of money laundering and terrorism financing risk varies with these customers, and that they do not automatically present a higher level of risk. FinCEN pointed to certain customer information that may be useful for banks in making determinations on the risk profile of independent ATM owner or operator customers, including, among other things: (i) organizational structure and management; (ii) operating policies, procedures, and internal controls; (iii) currency servicing arrangements; (iv) source of funds if a bank account is not used to replenish the ATM; and (v) description of expected and actual ATM activity levels.