
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court grants $5 million settlement for alleged data breach

    Courts

    On November 5, the U.S. District Court for the Northern District of California granted preliminary approval of a class action settlement resolving claims against a grocery store chain after a data breach allegedly compromised personal information in its software. According to the plaintiffs’ notice of motion and motion for preliminary approval of class action settlement, a software vendor notified its clients, including the grocery store, that its software had been breached. As a result of the breach, hackers accessed personally identifiable information (PII) of approximately 3.82 million of the grocery store’s pharmacy customers and employees. Under the preliminary settlement, claimants may choose to receive either (i) a cash payment, with an estimated value between $18 and $91 for non-California residents and between $36 and $182 for California residents; (ii) two years of credit monitoring and insurance services; or (iii) reimbursement of any documented losses of up to $5,000. The proposed settlement also contains “robust injunctive relief,” including requirements that the grocery store chain (i) confirm that class members’ sensitive PII is secured; (ii) monitor the dark web for five years for fraudulent activity related to class members' PII; and (iii) enhance its third-party vendor risk management program. The district court also noted that any class member can appear at the fairness hearing to object to any aspect of the settlement, and that class members have 75 days after being notified of the deal to file their written objections or opt out of the settlement. The proposed settlement would not resolve any claims against the software vendor. Additionally, the court issued an order denying a motion to intervene by a group of objectors finding that they failed to “identify a protectable interest that will be impaired if they are unable to intervene.”

    Courts Class Action California Privacy/Cyber Risk & Data Security Settlement Data Breach Consumer Protection

  • Agencies adopt standardized approach for counterparty credit risk Call Report

    Agency Rule-Making & Guidance

    On November 9, the FDIC, Federal Reserve Board, and the OCC announced the publication of final regulatory reporting changes in the Federal Register applicable to three versions of the Call Report (FFIEC 031, FFIEC 041, and FFIEC 051). In July, the agencies proposed to revise and extend the Call Report for three years, and requested public comments on proposed changes to clarify instructions for reporting of deferred tax assets (DTAs) and to add a new item related to the standardized approach for counterparty credit risk (SA–CCR). (See FIL-53-2021.) Following the comment period, the agencies are proceeding with the proposed SA-CCR-related reporting change to the Call Report, which will take effect with the December 31, 2021 report date, subject to approval by the Office of Management and Budget. However, proposed instruction revisions related to DTAs are not final as the agencies continue to consider comments received on the proposed rule on tax allocation agreements. (See FIL-29-2021.) Supervised financial institutions are encouraged to review the proposed regulatory change. Redline copies of the Call Report and related draft reporting instructions are available on the FFIEC’s webpage here.

    Agency Rule-Making & Guidance FDIC Federal Reserve OCC Call Report OMB FFIEC Bank Regulatory

  • Fed cites need to increase oversight of nonbank mortgage companies

    Federal Issues

    On November 8, Federal Reserve Board Governor Michelle W. Bowman spoke at the “Women in Housing and Finance Public Policy Luncheon” regarding U.S. housing and the mortgage market. Bowman observed that home prices have increased in the past year and a half, stating that “[i]n September, about 90 percent of American cities had experienced rising home prices over the past three months, and the home price increases were substantial in most of these cities,” which “raise[s] the concern that housing is overvalued and that home prices may decline.” She discussed several factors driving the demand for housing, including (i) low interest rates; (ii) accumulated savings; and (iii) increased income growth. Additionally, she pointed out that mortgage refinancing has surged due to the decrease in long-term interest rates, and that nonbank servicers utilized the proceeds from the “refinancings to fund the advances associated with forbearance.” However, Bowman added that higher home prices and rising rents contributed to inflationary pressures in the economy. Bowman stated that the “multifamily rental market is at historic levels of tightness, with over 95 percent occupancy in major markets,” and she anticipates that these housing supply issues are unlikely to reverse materially in the short term, suggesting that there will be higher levels of inflation caused by housing. With respect to forbearance on mortgage payments, Bowman said, “1.2 million borrowers were still in forbearance, down from a peak of 4.7 million in June 2020.” Bowman stated that “[f]orbearance, foreclosure moratorium, and fiscal support have kept distressed borrowers in their homes.” Bowman warned that transitioning borrowers from mortgage forbearance to modification may be a “heavy lift” for some servicers.

    Bowman disclosed that the Fed will be monitoring what happens as borrowers reach the end of forbearance on mortgage payments and estimated that 850,000 of those in forbearance will reach the end of their forbearance period in January 2022, and that “the temporary limitations on foreclosures put in place by the Consumer Financial Protection Bureau will expire at the end of the year.” Bowman recommended that state and federal regulators collaborate to collect data, identify risks, and strengthen oversight of nonbank mortgage companies.

    Federal Issues Federal Reserve Mortgages Bank Regulatory Nonbank Mortgage Servicing Forbearance CFPB Consumer Finance

  • OCC urges bank boards to promote climate risk management

    Federal Issues

    On November 8, acting Comptroller of the Currency Michael J. Hsu discussed climate change risk at the OCC headquarters, highlighting areas for large bank boards of directors to consider when promoting and accelerating improvements in climate risk management practices. According to Hsu, bank boards play a “pivotal role” in actions against climate change, which poses significant risks to the financial system. Hsu compared credit risk management and climate risk management, stating that “strong credit risk management capabilities can provide the assurance and confidence needed for a bank to make risky credit decisions prudently, strong climate risk management capabilities can enable the same prudent risk taking with regards to climate-related business opportunities.” Additionally, Hsu noted that, by the end of this year, the OCC will issue a high-level framework guidance for large banks regarding climate risk management. Hsu also outlined several areas for board members to consider, including evaluating an institution’s overall exposure to climate change, estimating the exposure to a carbon tax, and assessing an institution’s most acute vulnerabilities to climate change events. Hsu stated that “now is the time” to identify and understand vulnerabilities impacting continuity and disaster recovery planning.

    Federal Issues OCC Climate-Related Financial Risks Bank Regulatory Bank Supervision

  • FTC permanently bans payment processor from debt relief processing

    Federal Issues

    On November 8, the FTC announced the permanent ban of a payment processor from processing debt relief payments and ordered payment of $500,000 in consumer redress. According to the FTC’s complaint, the payment processor and its owner (collectively, “defendants”) allegedly processed roughly $31 million in consumer payments on behalf of a student loan debt relief operation charged by the FTC in 2019 for allegedly engaging in deceptive practices when marketing and selling their debt relief services. As previously covered by InfoBytes, the FTC claimed the operators (i) charged borrowers illegal advance fees; (ii) falsely claimed they would service and pay down their student loans; and (iii) obtained borrowers’ credentials in order to change consumers’ contact information and prevent communications from loan servicers. The FTC alleged the defendants processed payments from tens of thousands of consumers even though they were aware of numerous issues with the scheme and had received complaints from consumers and banks. The FTC further alleged that the defendants continued to process payments until the FTC took enforcement action against the operation.

    Under the terms of the settlement, the defendants are permanently prohibited from processing payments for debt relief services and student loan entities and are banned from processing payments for any merchant unless there is a signed, written contract. The defendants are also required to screen prospective high-risk clients to determine whether such clients are, or are likely to be, engaging in deceptive or unfair activities. In addition, the settlement imposes a $27.5 million judgment against the defendants, which is largely suspended following the payment of $500,000, due to the defendants’ inability to pay the full amount.

    Federal Issues FTC Enforcement Payment Processors Debt Relief Fees Consumer Finance

  • New York expands consumer protections

    State Issues

    On November 8, the New York governor signed several pieces of legislation relating to consumer protection. Among those, S.153 enacts The Consumer Credit Fairness Act, which expands consumer protections against abusive debt collection by, as explained by NYDFS acting Superintendent Adrienne A. Harris, “address[ing] known predatory debt collection practices, barring an abusive common tactic engaged by predatory debt collectors which is to sue on time-barred consumer debts for which they lack even the most basic of documentation.” Certain parts of the Consumer Credit Fairness Act are effective immediately. S.4823, effective 30 days after being signed into law, prohibits utility companies from engaging in harassment, oppression, or abuse when coordinating with a residential customer. According to the press release, this legislation responds “to various unscrupulous practices that utility corporations engage in, such as creating a ‘payment agreement’ with customers that encourage customers to take large down payments in exchange for utilities such as energy not being shut down.” S.1199 requires the Public Service Commission to have at least one member who is an expert in consumer advocacy. It will also go into effect 30 days after being signed into law.

    State Issues NYDFS Consumer Finance Debt Collection New York Consumer Protection State Legislation

  • SEC proposes amendments to electronic filing requirements

    Securities

    On November 4, the SEC announced two proposed amendments (Updating EDGAR Filing Requirements and Electronic Submission of Applications for Orders under the Advisers Act and the Investment Company Act, Confidential Treatment Requests for Filings on Form 13F, and Form ADV-NR; Amendments to Form 13F), which update electronic filing requirements. These proposed amendments are intended to increase efficiency, transparency, and operational resiliency by modernizing how information is submitted to the SEC and disclosed. The proposed rule and form amendments would require, among other things, certain forms to be filed or submitted electronically and would make technical amendments to certain forms to require structured data reporting and eliminate outdated references. According to the SEC, the Commission currently allows, and at times requires, certain forms to be filed or submitted in paper format. The SEC also noted that publicly filed electronic submissions would be more readily accessible to the public and would be available in a searchable format on the SEC’s website. The public comment period will be open for 30 days after publication in the Federal Register.

    The same day, the SEC published a fact sheet clarifying, among other things, how the rule applies and what is required under the proposed amendments. According to a statement released by SEC Chair Gary Gensler, “just as we are hoping to update our rules for market participants in the face of rapidly changing technology, it’s also important that we update our rules to make filing obligations more efficient.”

    Securities SEC EDGAR Fintech Federal Register Agency Rule-Making & Guidance

  • Treasury and DOJ announce sanctions and charges in ransomware attacks, FinCEN updates ransomware guidance

    Financial Crimes

    On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694, as amended, against two ransomware operators and a virtual currency exchange network. According to OFAC, the virtual currency exchange and its associated support network are being designated for allegedly facilitating financial transactions for ransomware actors. OFAC is also designating two individuals allegedly associated with perpetuating ransomware incidents against the U.S., and who are part of a cybercriminal group that has engaged in ransomware activities and has received over $200 million in ransom payments. As a result of the sanctions, “all property and interests in property of the designated targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them” and “any entities 50 percent or more owned by one or more designated persons are also blocked.” According to OFAC, the sanctions are part of a set of actions focused on disrupting criminal ransomware actors and virtual currency exchanges that launder the proceeds of ransomware, which “advance the Biden Administration’s counter-ransomware efforts to disrupt ransomware infrastructure and actors and address abuse of the virtual currency ecosystem to launder ransom payments.” Additionally, the DOJ announced charges against the sanctioned individuals under OFAC’s designations, seizing approximately $6.1 million in alleged ransomware payments.

    The same day, FinCEN issued an advisory, which updated and replaced its October 1, 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (covered by InfoBytes here). The updated advisory is in response to the recent increase in ransomware attacks against critical U.S. infrastructure. The updated advisory also reflects information released by FinCEN in its Financial Trend Analysis Report, which discusses ransomware trends and includes information on current trends and typologies of ransomware and associated payments as well as recent examples of ransomware incidents. Additionally, the updated advisory describes financial red flag indicators of ransomware-related illicit activity to assist financial institutions in identifying and reporting suspicious transactions related to ransomware payments, consistent with obligations under the Bank Secrecy Act.

    Financial Crimes Department of Treasury OFAC Of Interest to Non-US Persons OFAC Designations OFAC Sanctions FinCEN Privacy/Cyber Risk & Data Security Bank Secrecy Act DOJ Ransomware

  • Illinois enacts the Protecting Household Privacy Act

    Privacy, Cyber Risk & Data Security

    Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or input provided by a person to a household electronic device that is capable of facilitating electronic communications. (A “household electronic device” excludes personal computing devices and digital gateway devices.) The act generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Exceptions to this prohibition include when a law enforcement agency first obtains a warrant, an emergency situation arises, or the owner of the household electronic device lawfully consents to the acquisition of the data. The act also states that it shall not “be construed to require a person or entity to provide household electronic data to a law enforcement agency,” except as provided under certain provisions outlined in Section 15. The act further requires entities disclosing household electronic data to “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Additionally, the act outlines information retention limits, which provide, among other things, that if a law enforcement agency obtains household electronic data and does not file criminal charges, it must destroy the data within 60 days unless subject to certain circumstances. The act is effective January 1, 2022.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Illinois Consumer Protection Enforcement

  • New York enacts robocall measures

    Privacy, Cyber Risk & Data Security

    On November 8, the New York governor signed measures to help prevent robocalls and increase consumer protections. The measures build upon federal actions to combat robocalls and “will enable telecom companies to prevent these calls from coming in in the first place, as well as empower our state government to ensure that voice service providers are validating who is making these calls so enforcement action can be taken against bad actors,” Governor Kathy Hochul stated.

    S.6267a requires telecommunication companies to block certain calls, including those from (i) numbers that are not valid North American numbering plan numbers; (ii) numbers that are not allocated to a provider by the North American numbering plan administrator or the pooling administrator; and (iii) unused numbers that are allocated to a provider. According to the governor’s press release, the act codifies into state law the provisions of an FCC 2017 rule that took effect in June 2021 and allows telecommunications companies to proactively block calls from certain numbers. (Covered by InfoBytes here.) These types of numbers, the release states, “are indicative of ‘spoofing’ schemes in which the true caller identity is masked behind a fake, invalid number.” The act takes effect immediately.

    The second act, S.4281a, requires voice service providers to authenticate calls using the STIR/SHAKEN call authentication framework. As previously covered by InfoBytes, in 2020, the FCC, pursuant to the TRACED Act, adopted new rules requiring providers to implement the STIR/SHAKEN framework by June 2021. Under New York’s new measure, providers have up to 12 months to implement this framework or an “alternative technology that provides comparable or superior capability to verify and authenticate caller identification in the internet protocol networks of voice service providers.” Violators face a fine of up to $100,000 for each offense per day that the framework is not in place. This act is also effective immediately.

    Privacy/Cyber Risk & Data Security State Issues State Legislation New York Robocalls FCC
