InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California privacy agency holds public meeting on CPRA
On December 16, the California Privacy Protection Agency (CPPA) Board held a public meeting to discuss the ongoing status of the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here). The CPPA stated it anticipates conducting additional preliminary rulemaking in early 2023. After public input is received, the CPPA will discuss proposed regulatory frameworks for risk assessments, cybersecurity audits, and automated decisionmaking.
During the board meeting, the CPPA introduced sample questions and subject areas for preliminary rulemaking that will be provided to the public at some point in 2023, and finalized and approved at a later meeting. The questions and topics relate to, among other things, (i) privacy and security risk assessment requirements, including whether the CPPA should follow the approach outlined in the European Data Protection Board’s Guidelines on Data Protection Impact Assessment, as well as other models or factors the agency should consider; (ii) benefits and drawbacks for businesses should the CPPA accept a business’s risk assessment submission that was completed in compliance with GDPR’s or the Colorado Privacy Act’s requirements for these assessments; (iii) how the CPPA can ensure cybersecurity audits, assessments, and evaluations are thorough and independent; and (iv) how to address profiling and logic in automated decisionmaking, the prevalence of algorithmic discrimination, and whether opt-out rights with respect to a business’s use of automated decisionmaking technology differ across industries and technologies. The CPPA said it is also considering different rules for businesses making under $25 million in annual gross revenues.
FSOC annual report highlights digital asset, cybersecurity, and climate risks
On December 16, the Financial Stability Oversight Council (FSOC or the Council) released its 2022 annual report. The report reviewed financial market developments, identified emerging risks, and offered recommendations to mitigate threats and enhance financial stability. The report noted that “amid heightened geopolitical and economic shocks and inflation, risks to the U.S. economy and financial stability have increased even as the financial system has exhibited resilience.” The report also noted that significant unaddressed vulnerabilities could potentially disrupt institutions’ ability to provide critical financial services, including payment clearings, liquidity provisions, and credit availability to support economic activity. FSOC identified 14 specific financial vulnerabilities and described mitigation measures. Highlights include:
- Nonbank financial intermediation. FSOC expressed support for initiatives taken by the SEC and other agencies to address investment fund risks. The Council encouraged banking agencies to continue monitoring banks’ exposure to nonbank financial institutions, including reviewing how banks manage their exposure to leverage in the nonbank financial sector.
- Digital assets. FSOC emphasized the importance of enforcing existing rules and regulations applicable to the crypto-asset ecosystem, but commented that there are gaps in the regulation of digital asset activities. The Council recommended that legislation be enacted to grant rulemaking authority to the federal banking agencies over crypto-assets that are not securities. The Council said that regulatory arbitrage needs to be addressed as crypto-asset entities offering services similar to those offered by traditional financial institutions do not have to comply with a consistent or comprehensive regulatory framework. FSOC further recommended that “Council members continue to build capacities related to data and the analysis, monitoring, supervision, and regulation of digital asset activities.”
- Climate-related financial risks. FSOC recommended that state and federal agencies should continue to work to advance appropriately tailored supervisory expectations for regulated entities’ climate-related financial risk management practices. The Council encouraged federal banking agencies “to continue to promote consistent, comparable, and decision-useful disclosures that allow investors and financial institutions to consider climate-related financial risks in their investment and lending decisions.”
- Treasury market resilience. FSOC recommended that member agencies review Treasury’s market structure and liquidity challenges, and continue to consider policies “for improving data quality and availability, bolstering the resilience of market intermediation, evaluating expanded central clearing, and enhancing trading venue transparency and oversight.”
- Cybersecurity. FSOC stated it supports partnerships between state and federal agencies and private firms to assess cyber vulnerabilities and improve cyber resilience. Acknowledging the significant strides made by member agencies this year to improve data collection for managing cyber risk, the Council encouraged agencies to continue gathering any additional information needed to monitor and assess cyber-related financial stability risks.
- LIBOR transition. FSOC recommended that firms should “take advantage of any existing contractual terms or opportunities for renegotiation to transition their remaining legacy LIBOR contracts before the publication of USD LIBOR ends.” The Council emphasized that derivatives and capital markets should continue transitioning to the Secured Overnight financing Rate.
CFPB Director Rohit Chopra issued a statement following the report’s release, flagging risks posed by the financial sector’s growing reliance on big tech cloud service providers. “Financial institutions are looking to move more data and core services to the cloud in coming years,” Chopra said. “The operational resilience of these large technology companies could soon have financial stability implications. A material disruption could one day freeze parts of the payments infrastructure or grind other critical services to a halt.” Chopra also commented that FSOC should determine next year whether to grant the agency regulatory authority over stablecoin activities under Dodd-Frank. He noted that “[t]hrough the stablecoin inquiry, it has become clear that nonbank peer-to-peer payments firms serving millions of American consumers could pose similar financial stability risks” as these “funds may not be protected by deposit insurance and the failure of such a firm could lead to millions of American consumers becoming unsecured creditors of the bankruptcy estate, similar to the experience with [a now recently collapsed crypto exchange].”
Gaming company to pay $520 million to resolve FTC allegations
On December 19, the DOJ filed a complaint on behalf of the FTC against a video game developer for allegedly violating the Children’s Online Privacy Protection Act (COPPA) by failing to protect underage players’ privacy. The FTC also alleged in a separate administrative complaint that the company employed “dark patterns” to trick consumers into making unwanted in-game purchases, thus allowing players to accumulate unauthorized charges without parental involvement. (See also FTC press release here.)
According to the complaint filed in the U.S. District Court for the Eastern District of North Carolina, the company allegedly collected personal information from players under the age of 13 without first notifying parents or obtaining parents’ verifiable consent. Parents who requested that their children’s personal information be deleted allegedly had to take unreasonable measures, the FTC claimed, and the company sometimes failed to honor these requests. The company is also accused of violating the FTC Act’s prohibition against unfair practices when its settings enabled, by default, real-time voice and text chat communications for children and teens. These default settings, as well as a matching system that enabled children and teens to be matched with strangers to play the game, exposed players to threats, harassment, and psychologically traumatizing issues, the FTC maintained. While company employees expressed concerns about the default settings and players reported concerns, the FTC said that the company resisted turning off the default setting and made it difficult for players to figure out how to turn the voice chat off when the FTC did eventually take action.
Under the terms of a proposed court order filed by the DOJ, the company would be prohibited from enabling voice and text communications unless parents (of players under the age of 13) or teenage users (or their parents) provide affirmative consent through a privacy setting. The company would also be required to delete players’ information that was previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company must implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, and obtain regular, independent audits. According to the DOJ’s announcement, the company has agreed to pay $275 million in civil penalties—the largest amount ever imposed for a COPPA violation.
With respect to the illegal dark patterns allegations, the FTC claimed that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Players were able to purchase in-game content by pressing buttons without requiring any parental or card holder action or consent. Additionally, the company allegedly blocked access to purchased content for players who disputed unauthorized charges with their credit card companies, and threatened players with a lifetime ban if they disputed any future charges. Moreover, cancellation and refund features were purposefully obscured, the FTC asserted.
To resolve the unlawful billing practices, the proposed administrative order would require the company to pay $245 million in refunds to affected players. The company would also be prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the order would bar the company from blocking players from accessing their accounts should they dispute unauthorized charges.
Senate confirms Gruenberg, FDIC board members
On December 19, the U.S. Senate confirmed Martin J. Gruenberg to be a board member and chairman of the FDIC. Gruenberg has served as acting chairman since former chair, Jelena McWilliams, resigned a year ago. Since joining the FDIC Board of Directors in 2005, Gruenberg has served as vice chairman, chairman, and acting chairman. Prior to joining the FDIC, Gruenberg served on the staff of the Senate Banking Committee as senior counsel of the full committee, and as staff director of the Subcommittee on International Finance and Monetary Policy. (Covered by InfoBytes here.)
The senators also voted to confirm Travis Hill as vice chairman and Jonathan McKernan as an FDIC board member. As previously covered by InfoBytes, during his tenure at the FDIC, Hill previously served as senior advisor to the chairman and deputy to the chairman for policy. Prior to that, Hill served as senior counsel at the Senate Banking Committee. Jonathan McKernan is a senior counsel at the FHFA and currently is on detail from the agency to the Senate Banking Committee where he is counsel on the minority staff. Previously, McKernan served as a senior policy advisor at the U.S. Treasury Department.
On January 5, Gruenberg was sworn in as the 22nd FDIC chairman. The same day, Hill was sworn in as vice chairman and McKernan as a board member.
GSEs must seek FHFA preapproval for new products
On December 20, FHFA announced a final rule requiring Fannie Mae and Freddie Mac to provide advance notice of new activities and to obtain prior approval before launching new products. (See also fact sheet here.) Among other things, the final rule establishes that FHFA will determine which new activities merit public notice and comment and would be treated as new products subject to prior approval. Specifically, the final rule establishes that once a Notice of New Activity is deemed received, FHFA has 15 calendar days to determine if the new activity is a new product that merits public notice and comment. Additionally, the final rule establishes a public disclosure requirement for FHFA to publish its determinations on new activity and new product submissions. Among other things, if the agency “determines that a new activity is a new product, the final rule requires FHFA to publish a public notice soliciting comments on the new product for a 30-day period.” The final rule is effective 60 days after publication in the Federal Register.
HUD seeks public input on disaster recovery funds
On December 20, HUD released two new requests for information (RFIs) seeking public input on how to simplify, modernize, and more equitably distribute critical disaster recovery funds. According to HUD, the RFIs are a broader element of HUD’s newly published Climate Action Plan, “which emphasizes both equity and resilience in disaster recovery, as well as the Biden-Harris Administration’s commitment to strengthening low- and moderate-income communities.” HUD noted that the Community Development Block Grant Disaster Recovery and Mitigation focus on long-term recovery and resilience efforts, targeted to families with low- and moderate-incomes in the most impacted and distressed areas. HUD also noted that both funds are “unique” from other federal disaster assistance programs by FEMA and the SBA, as well as private insurance, because it is the only federal resource with the primary purpose of benefiting low- and moderate-income communities. HUD further noted that the RFIs will inform the policy that will tear down barriers and eliminate unnecessary administrative burden, as to provide better and quicker assistance to those affected.
Agencies release 2021 CRA data
On December 15, members of the FFIEC with Community Reinvestment Act responsibilities (Federal Reserve Board, FDIC, and the OCC) released 2021 Community Reinvestment Act data on small business, small farm, and community development lending. (See also fact sheet here.) The 685 reporting banks reported that they originated or purchased 9.4 million small-business loans totaling $371 billion, with the total number of loans originated by reporting banks increasing by approximately 12.6 percent from 2020. The dollar amount of these small business loans decreased by 21 percent, the report found. Additionally, roughly 47.1 percent of the reported small business loan originations and 59.3 percent of reported farm loans were made to firms with less than $1 million in revenue. With respect to community development lending activity, the agencies reported that based on data compiled from 618 banks, lending activity decreased by 10.1 percent from the amount reported in 2020.
Agencies release annual CRA asset-size threshold adjustments
On December 19, the Federal Reserve Board, FDIC, and OCC announced (see here and here) joint annual adjustments to the CRA asset-size thresholds used to define “small bank” and “intermediate small bank,” which are not subject to the reporting requirements applicable to large banks unless they choose to be evaluated as one. A “small bank” is defined as an institution that, as of December 31 of either of the prior two calendar years, had less than $1.503 billion in assets. An “intermediate small” bank is defined as an institution that, as of December 31 of both of the prior two calendar years, had at least $376 million in assets, and as of December 31 of either of the past two calendar years, had less than $1.503 billion in assets. The joint final rule takes effect on January 1, 2023.
States have their say on CFPB funding
Recently, a coalition of state attorneys general from 22 states, including the District of Columbia, filed an amicus brief supporting the CFPB’s petition for a writ of certiorari, which asked the U.S. Supreme Court to review whether the U.S. Court of Appeals for the Fifth Circuit erred in holding that the Bureau’s funding structure violates the Appropriations Clause of the Constitution. A separate coalition of 16 state attorneys general filed an amicus brief opposing the Bureau’s position and supporting the 5th Circuit’s decision, however these states also urged the Supreme Court to grant the Bureau’s petition to address whether the 5th Circuit’s conclusion was correct.
As previously covered by a Buckley Special Alert, the 5th Circuit’s October 19 holding found that although the Bureau spends money pursuant to a validly enacted statute, the structure violates the Appropriations Clause because (i) the Bureau obtains its funds from the Federal Reserve (not the Treasury); (ii) the agency maintains funds in a separate account; (iii) the Appropriations Committees do not have authority to review the agency’s expenditures; and (iv) the Bureau exercises broad authority over the economy. The case involves a challenge to the Bureau’s Payday Lending Rule, which prohibits lenders from attempting to withdraw payments for covered loans from consumers’ accounts after two consecutive withdrawal attempts have failed due to insufficient funds. As a result of the 5th Circuit’s decision, lenders’ obligation to comply with the rule (originally set for August 19, 2019, but repeatedly delayed) will be further delayed while the constitutional issue winds its way through the courts. The Bureau’s petition also asked the court to consider the 5th Circuit’s decision to vacate the Payday Lending Rule on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding. (Covered by InfoBytes here.)
- Amicus brief supporting CFPB’s position. The 22 states urged the Supreme Court to review the 5th Circuit’s decision, arguing that the Bureau’s funding is lawful and that even if the Supreme Court were to find a constitutional defect in the funding scheme, vacating otherwise lawfully-promulgated regulations is neither justified nor compelled by law. “Left undisturbed, the court of appeals’ reasoning could jeopardize many of the CFPB’s actions from across its decade-long existence, to the detriment of both consumers protected by those actions and financial-services providers that rely on them to guide their conduct,” the states said. In their brief, the states argued, among other things, that the Supreme Court should grant the petition “to review at least the question of whether the court of appeals erred in vacating a regulation promulgated during a time when the CFPB received allegedly unconstitutional funding.” The states asserted that the decision “threatens substantial harm” to the states because the states and their residents “could stand to lose the benefits of the CFPB’s critical enforcement, regulatory, and informational functions if the decision [] stands and is interpreted to impair the CFPB’s ongoing operations.” With respect to questions related to the Bureau’s funding structure, the states claimed that it is altogether speculative as to whether the Bureau would have behaved differently if its funding had come from the Treasury rather than the Federal Reserve. Former Director Kraninger’s ratification and reissuance of the Payday Lending Rule “is strong evidence that the CFPB would have issued the same regulation once again, after any constitutional defect was corrected,” the states said.
- Amicus brief opposing CFPB’s position. The 16 opposing states argued, however, that the Supreme Court should grant the Bureau’s petition to provide states with “certainty over their role” in regulating the financial system, and should affirm the 5th Circuit’s decision to “restore the CFPB’s accountability to the states.” In their brief, the states asked the Supreme Court “to resolve this issue quickly” and to “reinvigorate the protections of the Appropriations Clause, not weaken them.” The states maintained that if the Supreme Court does not quickly resolve the dispute, states “will have to litigate the same issue in other districts and circuits over and over,” and “[a]ny continuing confusion could seriously impede the growth of the consumer-financial services market at a time when the economy is already strained.” According to the brief, congressional oversight “ensures a level of state participation that ordinary administrative processes don’t allow.” In summary, the states’ position is that the 5th Circuit’s decision on the funding question is correct and that the court “was right to vacate a rule enacted without constitutional funding.”
10th Circuit: Vendor knowledge of consumer debt is not a public disclosure
On December 16, the U.S. Court of Appeals for the Tenth Circuit affirmed a lower court’s dismissal of an FDCPA suit. According to the opinion, the plaintiff, who had student loan debt, received a collection letter from the defendant that listed the assigned balance as $184,580.73 and the debt balance as $217,657.60 without explaining the difference or that the debt could increase due to interest, fees, and other charges. The defendant, who used an outside mailer to compose and send the letters, sent her two more letters without providing an explanation for the balances. The plaintiff sued, alleging the defendant violated the FDCPA by communicating information about the debt to a vendor that printed and mailed the letters. According to the plaintiff, communicating this information violated FDCPA provisions that prohibit debt collectors from communicating with, in connection with the collection of any debt, any person without the consumer’s consent or court permission. The plaintiff also claimed that the defendant violated the FDCPA by misrepresenting the amount of the debt because it did not indicate that the amount of the debt may increase.
On the appeal, the appellate court affirmed dismissal after it found that the plaintiff lacked standing since neither of the plaintiff’s claims caused a concrete injury. First, the appellate court found that one private entity knowing about the plaintiff’s debt is not a public disclosure of private facts, which does not rise to the level of sustaining a concrete injury needed to sue in federal court. Second, regarding the substance of the letters, the appellate court noted that the plaintiff simply claimed that the letters she received caused her to be confused and to believe the debt was not accruing interest. However, the appellate court found that “confusion and misunderstanding are insufficient to confer standing.”