InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Virginia Consumer Data Protection Act Work Group issues final report
Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in March and covered by InfoBytes here, created the Work Group to study findings, best practices, and recommendations before the VCDPA’s January 1, 2023 effective date. The report summarizes information that arose during six Work Group meetings held this year, including the following:
- Establishing an education initiative led by leadership outside of the Office of Attorney General (OAG) to help small to medium-sized businesses comply with the VCDPA.
- Allowing the OAG to pursue actual damages, should they exist, based on consumer harm.
- Employing an “ability to cure” option for violations where a potential cure is possible.
- Authorizing consumers to assert, and requiring companies to honor, a global opt-out setting as a single-step for consumers to opt-out of data collection.
- Sunsetting the “right to cure” provision following the first few years after the VCDPA’s enactment to prevent companies from exploiting the provision.
- Amending “‘the right to delete’ provision to be a ‘right to opt out of sale’ in order to promote compliance and restrict further dissemination of consumer personal data.”
- Studying specific data privacy protections for children.
- Encouraging the development of third-party software and browser extensions to enable users to universally opt out of data collection instead of opting out on each website.
- Recruiting nonprofit consumer and privacy organizations to address concerns related to the VCDPA’s definitions of “sale,” “personal data,” and “publicly available information,” and whether general demographic data used when promoting diversity and outreach to underserved populations should be included in the definition of “sensitive personal information.”
- Creating an education website containing information about consumers’ rights under the VCDPA. Additionally, the website could provide guidance for smaller businesses seeking to comply with the VCDPA, including sample data protection forms.
- Directing an agency to promulgate regulations because the VCDPA does not currently grant the OAG such authority.
The Work Group’s recommendations will be presented during the upcoming legislative session.
SEC whistleblower awards total $10.4 million
On November 22, the SEC announced awards totaling approximately $10.4 million to several whistleblowers who provided original information and voluntary assistance in three separate SEC enforcement actions. According to the first redacted order, the SEC awarded two whistleblowers roughly $7.5 million for providing original, significant information leading to a successful action and alerting staff to misconduct occurring in different geographic areas. Both whistleblowers’ substantial, ongoing assistance also conserved significant Commission time and resources. Additionally, the first whistleblower received an award for contributing to a related action brought by another agency. In the second redacted order, the SEC awarded more than $2.4 million to two whistleblowers whose information led to a successful enforcement action. According to the SEC, the first whistleblower voluntarily provided information prompting the opening of the investigation and provided significant assistance throughout the investigation by providing key pieces of evidence. The second whistleblower provided new information that significantly contributed to the success of the enforcement action. In the third redacted order, the SEC awarded whistleblowers roughly $435,000. The first whistleblower alerted SEC staff to potentially fraudulent conduct, which helped prompt the opening of the investigation, and provided additional information during the investigation. The second whistleblower met with SEC staff and provided new, highly valuable information early in the investigation that was vital in helping the staff develop its theory of liability.
The SEC has awarded approximately $1.2 billion to 233 individuals since issuing its first award in 2012.
CFPB releases draft strategic plan for FY 2022-26
On December 2, the CFPB released for public feedback its draft strategic plan for fiscal years 2022-2026, which outlines and communicates its mission, strategic goals, and objectives for the next five years.
External Factors Impacting the Bureau’s Strategic Goals and Objectives:
The Bureau identified four key external factors that may affect its strategic goals and objectives: (i) the continued effect of the Covid-19 pandemic on regulated markets; (ii) the increase of data security threats and resulting consumer harm as the role of data and technology in the consumer financial system continues to grow; (iii) rapid developments in the consumer financial marketplace technology; and (iv) executive, legislative, judicial, and state actions, including actions by other financial regulators, which may impact the financial regulatory environment and, in turn, the Bureau’s policy strategies.
Cross-Bureau Priorities:
With its “cross-functional, cross-Bureau approach,” the CFPB intends to address a number of outcomes for households and communities, “many of which reference the concept of equity.” To achieve the outcomes below, the Bureau will “embed a racial equity lens and focus [its] attention on these communities, recognizing that work to protect and empower underserved people benefits all people.”
- Equitable recovery from the COVID-19 pandemic: Continuing monitoring of pandemic recovery, with a focus on minority and traditionally underserved communities, including rising housing insecurity.
- Equitable access to and engagement with consumer finance infrastructure: Addressing obstacles that restrict access to credit or push consumers to higher cost products, in addition to “promoting transformation of financial marketplaces to serve all people.”
- Equitable wealth creation from home and small business ownership: Promoting equitable wealth creation in housing and small business markets, with a focus on minority and underserved communities. Specifically, the Bureau notes that (i) home ownership as a “key building block of wealth,” has become out of reach for young people and underserved communities due to record high home prices and tightened credit underwriting during the pandemic; and (ii) small businesses, especially women- and minority-owned, have faced more serve economic consequences from the pandemic.
- Fair, transparent, and competitive markets for consumer financial products and services: Promoting competition for the benefit of consumers and businesses, where “[t]he personal touch previously provided by local financial institutions has, in many instances, been replaced with institutions that take advantage of consumers without concern for their well-being.” The Bureau identified weakened competition in many markets as a contributing factor in the widening of racial, income, and wealth inequality, and noted that consolidations over the last several decades have “denied consumers the benefits of an open economy.”
- Privacy, access, and fairness in a new data-driven economy: Prioritizing its work to ensure consumer privacy and security remains at the forefront of the evolving data economy. The Bureau expressed specific concern with how consumer financial account data is accessed, transmitted, and stored, in addition to the potential racial equity impact from the increased use of algorithms in the decision-making process.
The Strategic Goals:
The Bureau identified four strategic goals, which are articulated by specific function within the agency:
- “Implement and enforce the law to ensure consumers have access to fair, transparent, and competitive markets that serve consumers’ needs and protect consumers from unfair, deceptive, and abusive practices, and from discrimination.” Objectives include issuing rules and guidance, supervising institutions, and enforcing federal consumer financial laws.
- “Empower consumers to live better financial lives, focusing on traditionally underserved people.” Objectives include engaging with consumers, creating and offering educational resources, handling complaints, and expanding relationships with stakeholders and government partners.
- “Inform public policy with data-driven analysis on consumers’ experiences with financial institutions, products, and services.” Objectives include monitoring markets and producing research reports.
- “Foster operational excellence and further commitment to workforce equity to advance the CFPB’s mission.” Objectives include cultivating a workforce aligned with the Bureau’s mission, implementing a forward-leaning workplace model, and utilizing innovative and optimized operational support.
The Bureau is requesting comments by January 3, 2022.
2nd Circuit reverses itself, finding no standing to sue for recording delays
On November 17, the U.S. Court of Appeals for the Second Circuit reversed its earlier determination that class members had standing to sue a national bank for allegedly violating New York’s mortgage-satisfaction-recording statutes, which require lenders to record borrowers’ repayments within 30 days. As previously covered by InfoBytes, the plaintiffs filed a class action suit alleging the bank’s recordation delay harmed their financial reputations, impaired their credit, and limited their borrowing capacity. While the bank did not dispute that the discharge was untimely filed, it argued that class members lacked Article III standing because they did not suffer actual damages and failed to plead a concrete harm under the U.S. Supreme Court’s decision in Spokeo Inc. v. Robins. At the time, the majority determined, among other things, that “state legislatures may create legally protected interests whose violation supports Article III standing, subject to certain federal limitations.” The alleged state law violations in this matter, the majority wrote, constituted “a concrete and particularized harm to the plaintiffs in the form of both reputational injury and limitations in borrowing capacity” during the recordation delay period. The majority further concluded that the bank’s alleged failure to report the plaintiffs’ mortgage discharge “posed a real risk of material harm” because the public record reflected an outstanding debt of over $50,000, which could “reasonably be inferred to have substantially restricted” the plaintiffs’ borrowing capacity.
In withdrawing its earlier opinion, the 2nd Circuit found that the Supreme Court’s June decision in TransUnion v. Ramirez (which clarified what constitutes a concrete injury for the purposes of Article III standing in order to recover statutory damages, and was covered by InfoBytes here) “bears directly on our analysis.” The parties filed supplemental briefs addressing the potential impacts of the TransUnion ruling on the 2nd Circuit’s previous decision. The bank argued that while “New York State Legislature may have implicitly recognized that delayed recording can create [certain] harms,” the plaintiffs cannot allege that they suffered these harms. Class members challenged that “the harms that the Legislature aimed to preclude need not have come to fruition for a plaintiff to have suffered a material risk of real harm sufficient to seek the statutory remedy afforded by the Legislature.” Citing the Supreme Court’s conclusion of “no concrete harm; no standing,” the appellate court concluded, among other things, that class members failed to allege that delayed recording caused a cloud on the property’s title, forced them to pay duplicate filing fees, or resulted in reputational harm. Moreover, while publishing false information can be actionable, the appellate court pointed out that the class “may have suffered a nebulous risk of future harm during the period of delayed recordation—i.e., a risk that someone (a creditor, in all likelihood) might access the record and act upon it—but that risk, which was not alleged to have materialized, cannot not form the basis of Article III standing.” The appellate court further stated that in any event class members may recover a statutory penalty in state court for reporting the bank’s delay in recording the mortgage satisfaction.
District Court grants preliminary approval of privacy class action settlement
On November 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $58 million settlement in a class action against a fintech company (defendant) alleged to have accessed the personal banking data of users without first obtaining consent, in violation of California privacy, anti-phishing, and contract laws. The plaintiffs alleged the defendant obtained data from class members’ financial accounts without authorization. The plaintiffs also claimed the defendant collected class members’ bank login information through a user interface that made it appear as if class members were interfacing directly with their financial institution, when they were actually interfacing with the defendant.
In granting preliminary approval of the settlement, the court determined it was unclear whether the plaintiffs would have prevailed on the merits at trial, particularly with regard to the “relatively untested” claim that the defendant practices breached California’s anti-phishing law. Several other claims originally brought by the plaintiffs were dismissed in May, including allegations that the defendant breached the Stored Communications Act, the Computer Fraud and Abuse Act, and California’s Unfair Competition Law. In addition to the $58 million settlement fund, the proposed settlement would also provide for injunctive relief.
SEC levies $18 million fine for mishandling MNPI
On November 19, the SEC announced that an investment company affiliate of a global consulting firm agreed to pay $18 million to settle alleged compliance failures. The affiliate provided investment services to current and former partners and employees of the consulting firm. The SEC alleged that the affiliate failed to maintain adequate policies and procedures to prevent firm partners from misusing material nonpublic information (MNPI) gained from consulting clients to make investment decisions. The SEC alleged that the affiliate invested hundreds of millions of dollars in companies that the firm was advising. According to the SEC, certain firm partners oversaw these investments and had access to MNPI, such as financial results, planned bankruptcy filings, mergers and acquisitions, among other things, as a result of the consulting work they did for the firm.
According to the cease-and-desist order, allowing active firm partners, “individuals who had access to MNPI about issuers in which [affiliate] funds were invested, to oversee and monitor [the affiliate’s] investment decisions presented an ongoing risk of misuse of MNPI.” The SEC claimed that the affiliate allegedly violated Sections 204A and 206(4) of the Investment Advisers Act of 1940 (related to the prevention and misuse of MNPI and prohibited investment adviser transactions), as well as Rule 206(4)-7 (concerning compliance policies and procedures). Without admitting or denying the findings, the affiliate consented to the entry of the cease-and-desist order, a censure, and the $18 million penalty.
District Court partially grants SEC’s motion in confidentiality agreements case
On November 17, the U.S. District Court for the Southern District of New York partially granted the SEC’s (plaintiff) motion for summary judgment in a case questioning the extent to which confidentiality agreements can prevent communication with the SEC regarding potential violations of securities laws. The court found that the Commission did not exceed its authority on a count of impeding SEC rules that is connected to a broader civil suit accusing an online store and its CEO (collectively, “defendants”) of stealing nearly $6 million from investors. The plaintiff alleged that the defendants impeded “individuals’ communication with the SEC regarding potential securities laws violations by enforcing or threatening to enforce confidentiality agreements that would prevent individuals’ communications thereof,” in violation of Rule 21F-17 of the Exchange Act. According to the order, in its stock purchase agreements, the defendants allegedly required investors to reject communication with “governmental or administrative agencies or enforcement bodies for the purpose of commencing or otherwise prompting investigation or other action.” The defendants allegedly used lawsuits to prevent communications that would violate its confidentiality agreements, and advertised these suits “to chill further communication,” which the court ruled were “undoubtedly ‘action[s] to impede’ communications, especially where the Rule explicitly prohibits ‘enforcing, or threatening to enforce’ such agreements.” The district court also denied the defendants' cross-motion for summary judgment stating that “the Court is still not persuaded that Rule 21F-17 exceeds the SEC’s rulemaking nor that it violates the First Amendment,” and concluded that the defendants’ conduct violated Rule 21F-17.
OFAC sanctions key ISIS-K financial facilitator
On November 22, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order (E.O.) 13224, as amended, against an individual it claims is acting as a financial facilitator for the Islamic State’s Khorasan Province (ISIS-K). According to OFAC, ISIS-K was previously designated as a Specially Designated Global Terrorist under E.O. 13224, and as a Foreign Terrorist Organization by the Department of State in 2016. The designated individual, OFAC stated, has provided support to ISIS-K’s Afghani operations “by facilitating international financial transactions that fund human trafficking networks and facilitating the movement of foreign fighters who seek to escalate tensions in Afghanistan and the region.” According to OFAC Director Andrea Gacki, this designation “underscores the United States’ determination to prevent ISIS-K and its members from exploiting the international financial system to support terrorist acts in Afghanistan and beyond.” OFAC’s action was handled in coordination with the Department of State, which designated three individuals as Specially Designated Global Terrorists for their roles as leaders of ISIS-K.
As a result, all property and interests in property belonging to the designated individual subject to U.S. jurisdiction are blocked, and any “entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons must be blocked and report to OFAC.” U.S. persons are generally prohibited from engaging in transactions with the designated individual unless authorized by a general or specific OFAC license or otherwise exempt. OFAC warned that the agency “can prohibit or impose strict conditions on the opening or maintaining in the United State[s] of a correspondent account or a payable-through account by a foreign financial institution that either knowingly conducted or facilitated any significant transaction on behalf of a Specially Designated Global Terrorist.” OFAC further noted that that engaging in certain transactions with the designated individual “entails risk of secondary sanctions pursuant to E.O. 13224, as amended.”
New York reaches $1.2 million settlement with debt collectors
On November 16, the New York attorney general announced a settlement with an illegal debt collection scheme operation and its operator (collectively, “respondents”) to resolve allegations that the respondents used illegal tactics to collect consumer debt, which included false threats of criminal action, wage garnishment, driver’s license suspension, and lawsuits. According to the AG, the operator started his debt collection career collecting debts with a network of New York-based debt collectors that settled with the CFPB and New York AG in 2019 to resolve allegations that the defendants engaged in improper debt collection tactics in violation of the CFPA, the FDCPA, and various New York laws. (Covered by InfoBytes here.) Using different names, the operator allegedly continued to use deceptive and illegal threats to collect on consumer debts. In addition, the AG claimed the operator was a debt broker, “selling debts to and placing debts for collection with other collectors that engaged in egregious violations of the law.”
Under the terms of the settlement agreement, the respondents, among other things, must pay $1.2 million to the office of the AG in restitution and penalties and must dissolve all of the associated debt collection companies. The respondents are also permanently banned from engaging in consumer debt collection, consumer debt brokering, consumer lending, debt settlement, credit repair services, and payment processing.
Agencies discuss crypto-asset next steps
On November 23, the FDIC, OCC, and Federal Reserve Board issued a joint statement summarizing a recent series of interagency “policy sprints” focused on crypto-assets. During the policy sprints, the agencies conducted preliminary analysis on issues related to banking organizations’ potential involvement in crypto-asset-related activities, and identified and assessed key risks related to safety and soundness, consumer protection and compliance. The agencies also, among other things, analyzed the applicability of existing regulations and guidance on this space and identified several areas where additional public clarity is needed. Throughout 2022, the agencies intend to provide greater clarity on whether certain crypto-asset-related activities conducted by banking organizations are legally permissible. The agencies also plan to expand upon their safety and soundness expectations related to: (i) crypto-asset safekeeping and traditional custody services; (ii) ancillary custody services; (iii) facilitation of customer purchases and the sale of crypto-assets; (iv) loans collateralized by crypto-assets; (v) issuance and distribution of “stablecoins”; and (vi) activities involving a bank’s holding of crypto-assets on its balance sheet. The joint statement, which does not alter any current regulations, also states that the agencies plan to “evaluate the application of bank capital and liquidity standards to crypto-assets for activities involving U.S. banking organizations” and that the agencies will continue to monitor developments in this space as the market evolves.