On March 18, the Virginia governor signed HB 2396, which amends the Code of Virginia and requires an individual or entity owning or licensing computerized data that includes personal information to disclose all data breaches without “unreasonable delay” to the Virginia Attorney General and any affected Commonwealth residents. Under HB 2396, “personal information” is defined as “the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted.” The list of data elements was amended to add passport numbers and military identification numbers to the previous list, which included social security numbers, driver’s license numbers, and financial account numbers or credit/debit card numbers combined with codes or passwords that would grant access to a consumer’s financial account. The amendment is effective July 1.
On March 15, the FTC released its annual report highlighting the agency’s privacy and data security work in 2018. Among other items, the report highlights consumer-related enforcement activities in 2018, including:
- an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices (covered by InfoBytes here).
- a settlement with a global online payments system company to resolve allegations that its payment and social networking service failed to adequately disclose to consumers that transfers to external bank accounts were subject to review and that funds could be frozen or removed based on a review of the underlying transaction (covered by InfoBytes here).
- a settlement with a Texas-based company over allegations that it violated the FCRA by failing to take reasonable steps to ensure the accuracy of tenant-screening information furnished to landlords and property managers (covered by InfoBytes here).
The report also highlighted the FTC’s hearings on big data, privacy, and competition conducted through its Hearings on Competition and Consumer Protection in the 21st Century initiative. (Covered by InfoBytes here and here.)
On March 12, Director of the CFPB, Kathy Kraninger, testified at a hearing held by the Senate Banking, Housing, and Urban Affairs Committee on the CFPB’s Semi-Annual Report to Congress. While Kraninger’s opening statement and question responses were similar to her comments made last week during a House Financial Services Committee hearing (detailed coverage here), notable highlights include:
- Fair Lending. Kraninger did not provide a status update on the Bureau’s pre-rulemaking activities as they relate to whether disparate impact is cognizable under ECOA, but emphasized that the Bureau is committed to the fair lending mission.
- Data Collection. In response to concerns over the Bureau’s history of expansive data collection, Kraninger noted that data collection is an especially important tool for rulemaking, but stated that going forward she would ensure the Bureau only collects the information needed to carry out the Bureau’s mission, noting that the less personally identifiable information that is collected, the less that requires protection. She acknowledged the Bureau is reviewing the comments submitted in response to its fall 2018 data governance program report (covered by InfoBytes here) and stated the Bureau remains committed to reviewing the internal processes it has for collecting and using data.
- Military Lending Act (MLA). Kraninger stated that she disagrees with the Democratic Senator’s broad interpretation of Section 1024(b)(1)(C) of the Dodd-Frank Act allowing for the Bureau to examine for compliance with the MLA because that interpretation would permit the Bureau to examine for anything that is a “risk to consumers,” including things like safety and soundness, which is not currently under the Bureau’s purview. While she acknowledged that the Bureau has the direct authority to enforce the MLA, she repeatedly rejected the notion that this would also give the Bureau the authority to supervise for the MLA, as Dodd-Frank separates the Bureau’s enforcement and supervision powers.
- Payday Rule. Kraninger repeatedly emphasized that the reconsideration of the underwriting standards in the Payday Rule was to determine if the legal and factual basis used to justify certain practices as unfair and abusive was “robust” enough. She acknowledged that the Bureau will be reviewing all the comments to the proposal and that the evidence used for the original Rule will be part of the record for the reconsideration.
- GSE Patch. In response to questions regarding the 2021 expiration of the Qualified Mortgage (QM) Rule’s 43 percent debt-to-income ratio exception for mortgages backed by Fannie Mae and Freddie Mac (GSEs), Kraninger acknowledged the “non-QM” market hasn’t materialized over the last few years, as was originally anticipated. However, Kraninger was reluctant to provide any further details, noting that she would not be making any “dramatic changes” to the mortgage market. Additionally, she acknowledged that the GSE patch has the potential to expire at the end of the conservatorship as well.
- CFPB Structure. Kraninger did not specify whether she believes the Bureau should be led by a board, rather than a single director, or whether the Bureau should be under appropriations. Specifically, Kraninger stated that she would “welcome any changes Congress made that would increase the accountability and transparency of the Bureau,” and would “dutifully carry out” legislation that would place the Bureau under appropriations if the President signed it.
- Student Lending. Kraninger stated that the Bureau intends to re-engage with the Department of Education on a Memorandum of Understanding (MOU) to assist with complaint and information sharing once a new Student Loan Ombudsman has been hired. The MOUs were previously terminated by the Department in August 2018 (covered by InfoBytes here).
On March 5, Attorneys General from all 50 states, as well as from the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, sent a letter to the Senate Committee on Commerce, Science, and Transportation supporting a recently introduced bipartisan bill to combat illegal robocalls. Among other things, S. 151, the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), would: (i) grant the FCC three years to take action against robocall violations, instead of the current one-year window; (ii) authorize the agency to issue penalties of up to $10,000 per robocall; and (iii) require service providers to implement the FCC’s new call authentication framework. The AGs state that they “are encouraged that the TRACED Act prioritizes timely, industrywide implementation of call authentication protocols,” and note their support for an interagency working group that the bill would establish consisting of members from the DOJ, FCC, FTC, CFPB, other relevant federal agencies, state AGs, and non-federal stakeholders.
On March 5, the FTC released proposed amendments to two rules that protect the privacy and security of customer data held by financial institutions. The agency seeks comments on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires financial institutions to develop, implement, and maintain comprehensive information security programs, whereas the Privacy Rule requires financial institutions to notify customers about information-sharing practices, as well as enable customers to opt out of sharing their information with certain third parties. The FTC’s proposed amendments to the Safeguards Rule would, among other things, add more detailed requirements for financial institutions, including mandatory encryption of customer data and the use of multi-factor authentication to prevent unauthorized access to customer information. The proposed amendments to the Privacy Rule would change the rule to account for statutory changes in the Dodd-Frank Act, which gave the majority of the FTC’s rulemaking authority for the Privacy Rule to the CFPB with the exception of certain motor vehicle dealers. The agency plans to remove examples of financial institutions that do not apply to motor vehicle dealers, as well as clarify when annual customer privacy notices must be provided. In addition, the FTC proposes to expand the definition of “financial institution” in both rules to include “finders,” which include persons or entities that charge a fee to introduce consumers to a lender.
On February 26, the U.S. District Court for the Middle District of Florida granted final approval and class certification, following a final approval hearing, to a settlement resolving class action allegations concerning a data breach involving an international fast-food chain. According to the amended motion for final approval, the data breach occurred in 2016 and involved third-party malware installation on certain franchises’ point of sale systems, which targeted and compromised customer payment card related data. The class ultimately asserted the following claims—breach of implied contract, negligence, and violations of several state consumer laws—and requested reimbursement for (i) costs associated with time spent addressing identity theft or fraud; (ii) losses caused by restricted access to funds; (iii) costs associated with credit reports and credit monitoring; (iv) bank and payment card fees; (v) unauthorized charges; and (vi) documented time spent dealing with the repercussions of the data breach. Under the terms of the settlement, the fast-food chain will pay up to $5,000 per eligible class member as reimbursement for documented out-of-pocket expenses, and up to $15 an hour for up to two hours of undocumented time spent dealing with the repercussions of the data breach. The court also approved $1.02 million in attorneys’ fees and approximately $139,000 in costs to class counsel.
On February 25, the California Attorney General announced a legislative proposal that would amend several aspects of the California Consumer Privacy Act (CCPA). The CCPA was originally enacted in June 2018 (covered by a Buckley Special Alert) and subsequently amended in September 2018 (covered by InfoBytes here). The CCPA, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Under SB 561, which was introduced on February 22, the law would be amended to (i) expand the right of California citizens to bring private legal actions, removing aspects of the law that provided exclusivity to the AG; (ii) remove provisions that would allow companies to request guidance from the California AG on how to comply with the law, instead allowing the AG to publish general guidance; and (iii) allow enforcement actions to be brought immediately, removing the 30-day cure window.
On February 27, the FTC announced a $5.7 million settlement with the operators of a video social networking app concerning alleged violations of the Children’s Online Privacy Protection Act (COPPA). Among other things, the FTC claims the operators failed to provide parents notice of their information collection practices, illegally collected personal information from children under the age of 13 without first obtaining verifiable parental consent, failed to delete personal information when parents requested, and retained information “longer than reasonably necessary to fulfill the purpose for which the information was collected.” Under COPPA, operators of websites and online services directed at children are prohibited from collecting personal information of children under the age of 13, unless the company has explicit parental consent. The FTC alleges that the operators knew a “significant percentage” of their users were under 13 and received thousands of complaints from parents that their children under 13 had created accounts on the app. While neither admitting nor denying the allegations, the operators have agreed to the monetary penalty, will change their business practices to comply with COPPA, and will remove all videos made by children younger than 13. According to the FTC, this settlement is the largest civil penalty obtained to date by the agency for COPPA violations.
On February 14, the FCC released a notice of proposed rulemaking intended to strengthen its rules against caller ID spoofing and expand the agency’s enforcement efforts against illegal spoofed text messages and phone calls, including those from overseas. The proposed rules would enact requirements in the recently passed RAY BAUM’S Act of 2018, and expand Truth in Caller ID Act prohibitions against the transmittal of “misleading or inaccurate caller ID information (‘spoofing’) with the intent to defraud, cause harm, or wrongfully obtain anything of value” to text messages and calls to U.S. residents originating from outside the U.S.
The FCC seeks comments on the proposed rules—adopted unanimously at the agency’s February 14 meeting—on, among other things, what changes to the Truth in Caller ID rules can be made “to better prevent inaccurate or misleading caller ID information from harming consumers.” Comments will be due 60 days after publication in the Federal Register.
On February 13, Senate Committee on Banking, Housing, and Urban Affairs Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) invited stakeholder feedback on “the collection, use and protection of sensitive information from financial regulators and private companies” as a means of informing potential future legislation. In a press release issued by the committee, Crapo noted, “Given the exponential growth and use of data, and corresponding data breaches, it is worth examining how the Fair Credit Reporting Act should work in a digital economy, and whether certain data brokers and other firms serve a function similar to the original consumer reporting agencies.” He further stressed the importance of understanding how consumer data is compiled and protected, and how consumers are able to access and correct sensitive information. The release sought answers to five questions designed to help examine ways in which legislation, regulation, or the implementation of best practices can (i) provide consumers better control over their financial data, as well as timely data breach notifications; (ii) ensure consumers receive disclosures concerning both the type of information being collected and its purpose for collection; (iii) provide consumers control over how their data is being used—including the sharing of information by third-parties; (iv) protect consumer data and ensure the accuracy of reported information in a consumer’s credit file; and (v) allow consumers the ability to “easily identify and exercise control of data that is being . . . collected and shared” as a determining factor when establishing whether a consumer is eligible for, among other things, credit or employment.