InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC increases dark patterns enforcement
On October 28, the FTC announced a new enforcement policy statement warning companies against using illegal dark patterns that could “trick or trap consumers into subscription services” which are sometimes used by sellers in automatic renewal subscriptions, continuity plans, free-to-pay or free-to-pay conversions, and pre-notification plans. According to the FTC, the agency is enhancing its enforcement due to increasing complaints about the financial harms caused by deceptive sign-up tactics, including unauthorized charges or continuous billing that is impossible to cancel. The policy statement, among other things, “puts companies on notice that they will face legal action if their sign-up process fails to provide clear, up-front information, obtain consumers’ informed consent, and make cancellation easy.” According to the enforcement policy statement, businesses are required to follow three requirements, or be subject to law enforcement action: (i) disclose clearly and conspicuously all material terms of the product or service; (ii) receive the consumer’s express informed consent prior to charging them for a product or service; and (iii) provide easy and simple cancellation to the consumer.
CFPB releases report on consumer credit disputes
On November 2, the CFPB released a report on credit report disputes that outlined the demographic characteristics of disputers and the outcomes for accounts with dispute flags. The report highlighted that consumers in majority Black and Hispanic neighborhoods, as well as younger consumers and those with low credit scores, are far more likely to have disputes on their credit reports. The post—part of a series documenting trends in consumer credit outcomes during the Covid-19 pandemic (the first covered by InfoBytes here)—used data on auto loan, student loan, and credit card accounts opened between 2012 and 2019. Among other things, the report found that majority Black and Hispanic neighborhoods continue to face significant challenges with credit records; for example, in almost every credit category outlined in the report, consumers residing in majority Black areas were more than twice as likely to have disputes on their credit reports compared to consumers residing in majority white areas. For auto loans, consumers in majority Black areas were more than three times as likely to have disputes appear on their credit reports compared to majority white areas. The report also noted that approximately 40 percent of student loans with dispute flags are deleted within four years of the dispute, although this represents less than 0.2 percent of all student loans opened between 2012 and 2019.
According to Director Rohit Chopra, “[e]rror-ridden credit reports are far too prevalent and may be undermining an equitable recovery.” The report noted that “an important subject for future research is whether these patterns are driven by differences across groups and credit types in the type or frequency of the underlying issues that result in a dispute flag, or whether they are driven by furnishers’ practices for reporting dispute flags or responding to disputes.” Additionally, the Bureau said in its press release that it “is committed to further researching the root causes of credit information disputes, as well as investigating the reasons for the demographic disparities found in the report.” As previously covered by InfoBytes, the CFPB, along with the FTC and the North Carolina Department of Justice, filed an amicus brief in support of the consumer plaintiffs in Henderson v. The Source for Public Data, L.P., arguing that a public records website, its founder, and two affiliated entities cannot use Section 230 liability protections to shield themselves from credit reporting violations.
Chopra testifies on CFPB direction
On October 27, newly sworn in CFPB Director Rohit Chopra appeared for the first time before the House Financial Services Committee to offer some of the first insights into his priorities at the Bureau. Chopra’s opening remarks focused on concerns regarding “Big Tech” and its control over the flow of money in the economy (these comments followed the issuance of information requests to six technology companies, covered by InfoBytes here). Chopra also focused on a need to ensure robust competition in financial markets and listen to local financial institutions and nascent players about obstacles they face when seeking to challenge dominant incumbents. Chopra also stressed the importance of holding “repeat offenders” accountable, highlighted an intent to coordinate efforts with federal and state regulators, and indicated a preference for scrutinizing larger market participants over smaller entities. He noted, however, potential leniency for companies that self-identify their own issues and violations. Additional highlights of the hearing include the following:
Enforcement. Chopra noted that “markets work well when rules are easy to follow and easy to enforce.” He also expressed his view that the CFPB should focus its resources on larger industry participants and “repeat offenders” rather than “strong-arming” small businesses into settlements to create law. Chopra also expressed a preference for setting regulatory guidelines through enforcement, indicating that “markets work well when rules are easy to follow, and easy to enforce.”
Section 1033 of Dodd-Frank. With respect to implementing this set of requirements, which deals with consumers’ rights to access information about their financial accounts, Chopra indicated a desire to “unlock more competition,” but warned that there also needs to be assurance that “banks and nonbanks are operating under the same set of rules” and that there is “not regulatory arbitrage.” While Chopra did not specify a timeline for promulgating the final rule implementing this section, he noted that the process is underway and that the Bureau is consulting with various experts. (Issuance of the ANPR was covered by InfoBytes here.)
Abusive acts and practices. Chopra said that he agreed with former acting Director Dave Uejio’s decision to rescind a policy statement on “abusive” conduct issued by former Director Kathy Kraninger. Chopra stated he has “huge aspirations to create durable jurisprudence” regarding the definition of “abusive” in Dodd-Frank. He noted that “it could be a mix” of judicial decisions and “how the CFPB may use rules and guidance to help articulate those standards.”
Cryptocurrency and stablecoins. Chopra expressed concerns about the potential for big payment platforms to process stablecoins—cryptocurrencies pegged to stable commodities or currencies like the dollar. However, Chopra clarified that it is not his intention to use his regulatory authority to ban or limit the use of cryptocurrency or blockchain technology. Regarding the CFPB’s role in cryptocurrency, Chopra claimed that depending on the laws implicated, there is a “fact-based determination as to any sort of law that cryptocurrencies or digital currencies have to comply with.” He further described that this is “something that the CFPB is working with the other regulators on,” and emphasized that “where digital payments [are] involved, the Electronic Fund Transfer Act is a key law with key consumer protections.”
QM Rule. When asked about the postponement of the mandatory compliance date of the General Qualified Mortgage final rule to October 2022 (covered by InfoBytes here), Chopra said he is eager “to hear of places where it needs to be changed” but emphasized that the postponement was before his time and that the rule has gone into effect. He also stated that “QM is a key part of the mortgage market and the mortgage regulatory guidelines.” Therefore, he wants to ensure that the CFPB is always looking at it to make sure the objectives that Congress laid forward in Dodd-Frank are being carried out. When asked about his support of the proposed change in the QM rule, Chopra said he did not know but wants “to make sure he understands the full basis of it.”
Chopra echoed such sentiments in his October 28 testimony before the Senate Banking Committee.
FTC updates Safeguards Rule for financial institutions
On October 27, the FTC announced a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. The final rule follows a 2019 notice of proposed rulemaking (covered by InfoBytes here) and makes the following modifications to the existing rule:
- Adds specific criteria financial institutions must undertake when conducting a risk assessment and implementing an information security program, including provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response, among others. The final rule also adds measures to ensure employee training and service provider oversight are effective.
- Requires financial institutions to designate a single qualified individual to oversee the information security program. Periodic reports must also be made to an institution’s board of directors or governing bodies.
- Provides an exemption from requirements related to written risk assessments, incident response plans, and annual reporting to the board of directors, for financial institutions that collect information on fewer than 5,000 consumers.
- Expands the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e. companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule).
- Adds several definitions and related examples into the Safeguards Rule itself instead of incorporating them through a reference from a related FTC rule.
Provisions of the final rule under Section 314.5 are effective one year after the date of publication in the Federal Register. The remainder of the provisions are effective 30 days following publication.
Additionally, the FTC issued a supplemental notice of proposed rulemaking seeking comments on a proposal to further amend the Safeguards Rule to require financial institutions to report security events to the Commission where a determination has been made that consumer information has been misused, or is reasonably likely to be misused, in an event affecting at least 1,000 consumers. Comments are due 60 days after publication in the Federal Register.
The FTC also announced a final rule adopting largely technical changes to its authority under the Privacy of Consumer Financial Information Rule (Privacy Rule) under the Gramm-Leach-Bliley Act, which requires financial institutions to inform consumers about their information-sharing practices and allow consumers the ability to opt out of having their information shared with certain third parties. The Privacy Rule is amended to revise the rule’s scope, modify the definitions of “financial institution” and “federal functional regulator,” and update requirements pertaining to annual customer privacy notices. The FTC noted that these changes align the Privacy Rule with changes made under Dodd-Frank and the FAST Act.
CFPB announces new chiefs for supervision and enforcement
On October 29, the CFPB announced two significant leadership changes within the Bureau. Lorelei Salas will serve as the Assistant Director for Supervision Policy as well as the Acting Assistant Director for Supervision Examinations. Salas’ experience prior to joining the Bureau includes serving as Commissioner of the New York City Department of Consumer and Worker Protection where she focused on pursuing corporations that employed unlawful, predatory practices targeting low-income and immigrant consumers. Her background also includes expertise in immigration, housing, and employment, as well as consumer and worker protection laws.
Eric Halperin will serve as Assistant Director for the Office of Enforcement. Halperin previously served as executive director at a legal defense nonprofit group and served in the Obama administration as the acting Deputy Assistant Attorney General, overseeing the civil rights division’s fair housing, fair lending and employment non-discrimination enforcement program.
FATF updates statements concerning jurisdictions with AML/CFT/CPF deficiencies
On October 26, the Financial Crimes Enforcement Network (FinCEN) announced updates to the Financial Action Task Force (FATF) statements concerning jurisdictions with strategic anti-money laundering, countering the financing of terrorism, and combating weapons of mass destruction proliferation financing (AML/CFT/CPF) deficiencies. Specifically, to ensure compliance with international standards, the FAFT updated the following two statements: (i) Jurisdictions under Increased Monitoring, which identifies jurisdictions with strategic deficiencies in their AML/CFT/CPF regimes that have committed to, or are actively working with, the FATF to address those deficiencies in accordance with an agreed upon timeline and; (ii) High-Risk Jurisdictions Subject to a Call for Action, which identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and instructs FATF members to apply enhanced due diligence, and in the most serious cases, apply counter-measures to protect the international financial system from such risks. Notably, Jordan, Mali, and Turkey have been added to the Jurisdictions under Increased Monitoring, while Botswana and Mauritius have been removed from the list. Among other things, through the announcement, FinCEN further instructed financial institutions to comply with U.S. prohibitions against the opening or maintaining of any correspondent accounts, whether directly or indirectly, for North Korean or Iranian financial institutions, which are already prohibited under existing U.S. sanctions and FinCEN regulations. As previously covered by InfoBytes, FinCEN last announced updates to the FATF statements in July.
11th Circuit’s new opinion says plaintiff still has standing to sue in outsourced debt collection letter action
On October 28, the U.S. Court of Appeals for the Eleventh Circuit issued a split opinion in Hunstein v. Preferred Collection & Management Services, vacating its April 21 decision but still finding that the plaintiff had standing to sue. As previously covered by InfoBytes, last April the 11th Circuit reviewed the district court’s dismissal of plaintiff’s claims that the disclosure of medical debt to a mail vendor violated the FDCPA’s third-party disclosure provisions. The 11th Circuit originally held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” At the time, the appellate court determined that communicating debt-related personal information with the third-party mail vendor is a concrete injury under Article III. Even though the plaintiff did not allege a tangible injury, the appellate court held, in a matter of first impression, that under the circumstances, the plaintiff alleged a communication “in connection with the collection of any debt” within the meaning of § 1692c(b).
In its most recent opinion, the majority wrote that it was vacating its prior opinion “[u]pon consideration of the petition for rehearing, the amicus curiae briefs submitted in support of that petition, and the Supreme Court’s intervening decision in TransUnion LLC v. Ramirez.” The appellate court first re-examined whether the plaintiff had standing to sue. Among other things, the majority held that while the plaintiff cannot demonstrate “a risk of real harm,” he was able to show standing “through an intangible injury resulting from a statutory violation.” Further, the majority determined that TransUnion reaffirmed its conclusion that the plaintiff “alleged a harm that bears a close relationship to a harm that has traditionally been recognized in American courts.” (In TransUnion, the Court concluded, among other things, that “[i]n looking to whether a plaintiff’s asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts, we do not require an exact duplicate.”) The majority further concluded that Congress’s judgment also favors the plaintiff because Congress indicated that violations of § 1692c(b) constitute a concrete injury.
The appellate court next considered the merits of the case, with the majority concluding that the plaintiff adequately stated a claim that the transmittal of personal debt-related information to the vendor constituted a communication within the meaning of § 1692c(b)’s phrase “in communication with the collection of the debt.”
Judge Tjoflat dissented, arguing that the April decision was issued before TransUnion, and following the Supreme Court’s reasoning, the plaintiff did not have standing because he did not suffer a concrete injury, and that there is an important difference between a plaintiff’s statutory cause of action to sue over a violation of federal law and “a plaintiff’s suffering concrete harm because of the defendant’s violation of federal law.” Judge Tjoflat further added that a “simple transmission of information along a chain that involves one extra link because a company uses a mail vendor to send out the letters about debt is not a harm at which Congress was aiming.”
9th Circuit denies bid to block Arizona’s dealer data privacy law
On October 25, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a motion for preliminary injunction against enforcement of an Arizona statute designed to strengthen privacy protections for consumers whose data is collected by auto dealers. Under the Dealer Law, database providers are prohibited from limiting access to dealer data by dealer-authorized third parties and are required to create a standardized framework to facilitate access. The plaintiffs—technology companies that license dealer management systems (DMS)—sued the Arizona attorney general and the Arizona Automobile Dealers Association in an attempt to stop the Dealer Law from taking effect. The plaintiffs contended that the Dealer Law is preempted by the Copyright Act because it gives dealers the right to access plaintiff’s systems and create unlicensed copies of its dealer management system, application programming interfaces, and data compilations. The plaintiffs further claimed the Dealer Law is a violation of the U.S. Constitution’s contracts clause.
On appeal, the 9th Circuit agreed that the plaintiffs were not entitled to a preliminary injunction. The appellate court concluded that the Dealer Law was not preempted by the Copyright Act, because, among other things, the plaintiffs could comply with the Dealer Law without having to create a new copy of its software to process third-party requests. Moreover, the 9th Circuit noted that even if the plaintiffs had to create copies of their DMS on their servers to process third-party requests, they failed to established that those copies would infringe their reproduction right, and the copies the plaintiffs took objection to “would be copies of its own software running on its own servers and not shared with anyone else.” The appellate court further held that the Dealer Law was not a violation of the U.S. Constitution’s contracts clause because, among other things, plaintiffs did not show that complying with the Dealer Law prevented them from being able to keep dealer data confidential. “Promoting consumer data privacy and competition plainly qualify as legitimate public purposes,” the appellate court wrote. “[Plaintiffs] point[] out that the Arizona Legislature did not make findings specifying that those were the purposes motivating the enactment of the statute, but it was not required to do so. The purposes are apparent on the face of the law.”
2nd Circuit: Turkish bank not immune from sanctions
On October 22, the U.S. Court of Appeals for the Second Circuit upheld a district court’s ruling against a Turkish state-owned commercial bank (defendant) denying its bid for immunity based on its characterization of an “instrumentality” of a foreign service, which is not entitled to immunity from criminal prosecution at common law. The U.S. government alleged that the bank converted Iranian oil money into gold and hid the transactions as purchases of goods to avoid conflicting sanctions against Iran. The district court denied the defendant’s motion to dismiss and partially concluded that the defendant was not immune from prosecution because the Foreign Sovereign Immunities Act (FSIA) confers immunity on foreign services only in civil proceedings. Furthermore, the district court concluded that, “even assuming arguendo that FSIA did confer immunity to foreign sovereigns in criminal proceedings, [the defendant’s] conduct would fall within FSIA’s commercial activity exception.” Additionally, the district court rejected the defendant’s “contention that it was entitled to immunity from prosecution under the common law, noting that [the defendant] failed to cite any support for its claim on this basis.” The district court found that the defendant’s characterization of its activities as sovereign in nature “conflates the act with its purpose,” finding that the lender's alleged money laundering was the type of activity regularly carried out by private businesses. The fact that the defendant is majority-owned by the Turkish Government is irrelevant under FSIA even if it is related to Turkey’s foreign policy because “literally any bank can violate sanctions.”
On appeal, the 2nd Circuit noted that it was unnecessary to resolve a question presented in the case—if foreign governments can assert immunity against criminal, as well as civil, charges—since money laundering would qualify as a commercial activity exception. The appellate court noted that, “[t]he gravamen of the Indictment is not that [the bank] is the Turkish Government’s repository for Iranian oil and natural gas proceeds in Turkey,” but that “it is [the bank’s] participation in money laundering and other fraudulent schemes designed to evade U.S. sanctions that is the ‘core action.’” And, “because those core acts constitute ‘an activity that could be, and in fact regularly is, performed by private-sector businesses,’ those acts are commercial, not sovereign, in nature.” The opinion also notes that “[e]ven assuming the FSIA applies in criminal cases—an issue that we need not, and do not, decide today—the commercial activity exception to FSIA would nevertheless apply to [the defendant’s] charged offense conduct.” The appellate court agreed with the district court, concluding that the bank must face criminal charges in the U.S. for allegedly assisting Iran evade economic sanctions by laundering approximately $20 billion in Iranian oil and gas revenues.
OCC to focus supervisory efforts on non-SOFR rates after LIBOR ends
On October 26, acting Comptroller of the Currency Michael J. Hsu warned banks not to be complacent when transitioning away from LIBOR. Hsu reiterated that federal regulators will not allow new contracts that use LIBOR as a reference rate after December 31. Hsu stressed that banks must look outside of activities that directly involve LIBOR exposure, such as lending, derivatives activities, and market-making capacities, to screen for LIBOR exposure in other contexts, such as LIBOR-based loan participation interests or as part of an instrument for a bank’s investment or liquidity portfolio paying LIBOR-based income or otherwise reflecting LIBOR exposures. As previously covered by InfoBytes, the CFPB, Federal Reserve Board, FDIC, NCUA, and OCC recently released a joint statement providing supervisory considerations for institutions when choosing an alternative reference rate. Hsu addressed the use of these alternative reference rates and reminded banks that they are expected to be able to demonstrate that their replacement rate is robust and appropriately tailored to their risk profile. He further commented that because the Secured Overnight Financing Rate (SOFR) “provides a robust rate suitable for use in most products, with underlying transaction volumes that are unmatched by other alternatives,” the OCC will initially focus its supervisory efforts on non-SOFR rates.