
InfoBytes Blog

Financial Services Law Insights and Observations


  • OCC updates licensing booklets

    On February 28, the OCC issued Bulletin 2022-5 announcing the revision of the Articles of Association, Charter, and Bylaw Amendments, Fiduciary Powers, Subordinated Debt, and Subsidiaries and Equity Investments booklets of the Comptroller’s Licensing Manual. The updated booklets replace the booklets of the same title issued between June 2017 and January 2019. Among other clarifying changes, the updated booklets: (i) reflect recent updates to 12 CFR 5 and other regulations; (ii) remove references to outdated guidance and provide current references; and (iii) make other minor modifications and corrections.

    Bank Regulatory Licensing OCC Comptroller's Licensing Manual

  • Fed reshaping “novel institutions” guidelines

    On March 1, the Federal Reserve Board announced that it is soliciting comments on a supplement to a previous proposal intended to ensure that the Fed’s banks utilize a transparent and consistent set of factors when reviewing requests to access Federal Reserve Bank accounts and payment services. The framework, which builds on a proposal from May 2021 (covered by InfoBytes here), would establish a three-tier system. Tier 1 would consist of eligible institutions that are federally insured, and would be “subject to a less intensive and more streamlined review.” Tier 2 would consist of certain eligible institutions or holding companies that are not federally insured but are subject to prudential supervision, and would generally receive an “intermediate” level of review. Tier 3 would consist of eligible institutions that are “not federally insured and not subject to prudential supervision by a federal banking agency at the institution or holding company level,” and, given their potential higher risk, “would be subject to the strictest level of review.” Comments close 45 days after publication in the Federal Register.

    Bank Regulatory Agency Rule-Making & Guidance Federal Reserve Federal Reserve Banks Federal Register Payments Fintech

  • CFPB looks at removing medical debt from credit reports

    Federal Issues

    On March 1, the CFPB announced plans to review whether data on unpaid medical bills should be included in consumer credit reports. The Bureau stated in its report, Medical Debt Burden in the United States, that research found $88 billion in medical debt on consumer credit reports, accounting for 58 percent of all uncollected debt tradelines reported to credit reporting agencies (CRAs). “Our credit reporting system is too often used as a tool to coerce and extort patients into paying medical bills they may not even owe,” CFPB Director Rohit Chopra said in a statement.

    The Bureau noted that medical debt is often less transparent than other types of debt, due to opaque pricing, complicated insurance, charity care coverage, and pricing rules, reporting that in many instances, consumers may not even sign a billing agreement until after receiving treatment. Medical debts often end up in collections, the Bureau added, which can cause far-ranging repercussions even if the bill itself is inaccurate or erroneous. The report noted additional challenges for uninsured consumers, as well as for Black and Latino families, consumers with low incomes, veterans, older adults, and young adults of all races and ethnicities. The report further stated that the Covid-19 pandemic has exacerbated the situation, with costs and medical debt expected to increase post-pandemic, and found that medical debt weakens underwriting accuracy, as it is less predictive of future repayment than reporting on traditional credit obligations. The Bureau pointed out that it has seen dramatic effects when newer credit scoring models weigh medical collections tradelines less heavily, but noted that there has been very little adoption of this approach so far.

    The Bureau stated it intends to examine CRAs to ensure they are collecting accurate information from medical debt collectors and expects CRAs to take action against furnishers who routinely report inaccurate information, including cutting off their access to the system. The Bureau also plans to work with the Department of Health and Human Services to make sure consumers are not forced to pay more than the amount due for medical debt. A January compliance bulletin reminded debt collectors and CRAs of their legal obligations under the FDCPA and the FCRA when collecting, furnishing information about, and reporting medical debts covered by the No Surprises Act. The Bureau also recently supported changes by the Department of Veterans Affairs to amend its regulations related to the conditions by which VA benefit debts or medical debts are reported to CRAs. (Covered by InfoBytes here and here.)

    Federal Issues CFPB Consumer Finance Medical Debt Credit Reporting Agency Covid-19 FDCPA FCRA Department of Veterans Affairs Department of Health and Human Services Debt Collection

  • OFAC sanctions Belarusians for supporting Russian invasion of Ukraine

    Financial Crimes

    On February 24, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against 24 Belarusian individuals and entities due to Belarus’s support for, and facilitation of, Russia’s invasion of Ukraine. The sanctions focus on Belarus’s defense sector and financial institutions, which have close ties to Russia. OFAC stressed that the “Belarusian economy is highly dependent on key Russian financial institutions and their subsidiaries” and that restrictions imposed against the Public Joint Stock Company Sberbank of Russia, VTB Bank Public Joint Stock Company, and State Corporation Bank for Development and Foreign Economic Affairs Vnesheconombank, combined with the new measures taken against Belarusian banks “target nearly one-fifth of the country’s entire financial sector.” Specifically, OFAC designated two significant state-owned banks that directly or indirectly finance or conduct activity on behalf of the Government of Belarus (GoB). “Sanctioning these two GoB-owned banks, in addition to Russia-related restrictions imposed on three other systemically important Belarusian financial institutions, means that a significant portion of the Belarusian financial sector is now subject to U.S. sanctions,” OFAC stated. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned, directly or indirectly, 50 percent or more” by the blocked persons are blocked and must be reported to OFAC. U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license. 

    In conjunction with the sanctions, OFAC issued numerous related directives and general licenses that provide for multiple exceptions, along with several new and updated frequently asked questions. A Buckley Special Alert provides additional details related to the evolving nature of the U.S. sanctions response to Russia’s invasion of Ukraine.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Belarus Russia Ukraine Ukraine Invasion SDN List

  • OFAC issues Afghanistan general license and related FAQs

    Financial Crimes

    On February 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued Afghanistan General License (GL) 20, Authorizing Transactions Involving Afghanistan or Governing Institutions in Afghanistan, which authorizes, to the extent required, all transactions involving Afghanistan and its governing institutions that would otherwise be prohibited by U.S. sanctions, excluding financial transfers to certain organizations and any blocked individual who is in a leadership role of a governing institution in Afghanistan, other than for the purpose of effecting the payment of taxes, fees, or import duties, or the purchase or receipt of permits, licenses, or public utility services, provided that such payments do not relate to luxury items or services, which do not support basic human needs. According to OFAC, this action is part of “the Biden Administration’s efforts to help address the substantial challenges facing Afghanistan’s economy.” 

    Financial Crimes Department of Treasury OFAC Afghanistan Of Interest to Non-US Persons OFAC Sanctions OFAC Designations

  • FCC launches inquiry to reduce cyber risks

    Privacy, Cyber Risk & Data Security

    On February 25, the FCC adopted a Notice of Inquiry proposed by FCC Chairwoman Jessica Rosenworcel that would launch an inquiry into the vulnerabilities of the internet’s global routing system, in response to the increasing risk of cyberattacks stemming from Russia’s invasion of Ukraine. The adopted inquiry solicits public comments on vulnerabilities threatening the security and integrity of the Border Gateway Protocol, which is central to the global routing of internet traffic. The inquiry also intends to evaluate how these security risks could impact the transmission of data through email, e-commerce, and bank transactions to interconnected Voice over Internet Protocol and 911 calls, and how best to address any identified challenges. Comments are due 30 days after publication in the Federal Register, with replies due 30 days later.

    Privacy/Cyber Risk & Data Security FCC Russia Ukraine Ukraine Invasion Federal Register

  • Utah legislature passes privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Utah legislature passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state. (See also senate and house approved amendments here.) Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that also “has annual revenue of $25,000,000 or more” and “controls or processes personal data of 100,000 or more consumers” or “derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.” Certain entities are exempt from the bill’s requirements, including governmental entities and third parties under contract with a governmental entity that acts on behalf of that entity; tribes; institutions of higher education; nonprofits; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; financial institutions and affiliates subject to federal privacy disclosure requirements; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data.
    • Controllers’ and processors’ responsibilities. Under the bill, data controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, “unless the request is the consumer’s second or subsequent request during the same 12-month period.” Data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing deidentified data or pseudonymous data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it gives the Division of Consumer Protection investigative power and grants the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.

    If enacted in its current form, the bill would take effect December 31, 2023. 

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Utah

  • Virginia passes amendments on CDPA for data deletion

    Privacy, Cyber Risk & Data Security

    On February 25, the Virginia House and Senate passed HB 381, which amends Section 59.1-577 of the Virginia Consumer Data Protection Act (VCDPA) related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a third party “shall be deemed in compliance with a consumer’s request to delete such data . . . by either (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using such retained data for any other purpose . . . or (ii) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant” to the VCDPA. As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Virginia VCDPA

  • Irish DPC releases annual report

    Privacy, Cyber Risk & Data Security

    On February 24, the Irish Data Protection Commission (DPC) released its 2021 Annual Report. According to the report, the EU’s General Data Protection Regulation (GDPR) enforcement efforts have gained “significant momentum” by, among other things: (i) “resolving thousands of complaints”; (ii) “processing thousands more data breach notifications”; (iii) “imposing fines and corrective measures”; (iv) “auditing the gamut of Irish political parties”; and (v) “settling its enforcement action in relation to certain processing elements of the Public Services Card on terms protective of the data rights of citizens generally.” Among other things, the report discussed new data regulation regimes, such as the Digital Markets Act, the E-Privacy Regulation, and the Artificial Intelligence Act, “which demonstrate that the GDPR was never going to resolve all data issues in one single legislative instrument.” The report also outlined the DPC’s regulatory strategy for the next five years, which it released in December and includes placing a focus on mounting “targeted actions aimed at ensuring children and more vulnerable internet users are protected in personal data terms—without shutting off their access.”

    Privacy/Cyber Risk & Data Security GDPR Ireland Of Interest to Non-US Persons

  • Fed, NYDFS fine Pakistan bank over $50 million for AML deficiencies

    On February 24, the Federal Reserve Board and NYDFS announced an enforcement action against a Pakistan-based bank for alleged anti-money laundering (AML) violations. According to the Fed’s consent order and NYDFS’s consent order, following examinations conducted by the Fed and NYDFS in 2014 and 2015, the bank’s New York branch was identified as having deficiencies in its AML compliance and risk management programs, including compliance with related federal laws, rules, and regulations. According to the NYDFS press release, the bank did not comply with a Written Agreement with the Fed and NYDFS entered into in 2016 in which the bank acknowledged oversight and compliance deficiencies and agreed to remediate them. According to NYDFS, “[t]hese continued failures revealed that the Branch’s senior management were unwilling or unable to promote a culture of compliance, adequate resources were not provided for compliance programs, and the Bank failed to adequately supervise the Branch by allowing problems to worsen year after year. The conditions at the Branch demonstrated severe weaknesses, and unsafe, unsound conditions requiring urgent restructuring.”

    Under the terms of the consent orders, the bank is required to pay civil money penalties of approximately $20.4 million to the Fed and $35 million to NYDFS. In addition to the monetary penalties, the bank is required to, among other things: (i) create a written plan detailing enhancements to the policies and procedures of the bank’s BSA/AML compliance program, its Suspicious Activity Monitoring and Reporting program, and its customer due diligence requirements; (ii) engage an independent consultant to conduct a comprehensive evaluation of the bank’s remediation efforts; and (iii) submit a status report within 60 days regarding a system of internal controls “reasonably designed to ensure compliance with BSA/AML requirements.” NYDFS acknowledged the bank’s “cooperation with the investigation and its ongoing remedial efforts.”

    Bank Regulatory State Issues Financial Crimes Of Interest to Non-US Persons Federal Reserve NYDFS Enforcement Anti-Money Laundering Bank Secrecy Act
