Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • DOJ will not charge researchers who report cybersecurity flaws in “good faith”

    Agency Rule-Making & Guidance

    On May 19, the DOJ revised its policy for charging cases under the Computer Fraud and Abuse Act (CFAA), directing prosecutors to not charge researchers who report cybersecurity flaws in “good faith.” The policy directive informs prosecutors that the DOJ will not prosecute security researchers that access computers “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public.” Instead, the policy directive focuses the DOJ’s resources “on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer— such as one email account—and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.” The new policy directive explains, however, that “claiming to be conducting security research is not a free pass for those acting in bad faith,” and provides that “discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith.”

    Agency Rule-Making & Guidance DOJ Computer Fraud and Abuse Act Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • FCC acts to ensure gateway providers stop international robocalls

    Agency Rule-Making & Guidance

    On May 19, the FCC unanimously adopted proposed rules to ensure gateway providers that channel international call traffic comply with STIR/SHAKEN caller ID authentication protocols and validate the identity of the providers whose traffic they are routing to help weed out robocalls. As part of the agency’s robocall mitigation efforts, the proposed rules would require gateway providers to (i) “develop and submit traffic mitigation plans to the Robocall Mitigation Database”; (ii) “apply STIR/SHAKEN caller ID authentication to all unauthenticated foreign-originated Session Initiation Protocol (SIP) calls with U.S. North American Numbering Plan (NANP) numbers”; and (iii) “respond to traceback requests in 24 hours, block calls where it is clear they are conduits for illegal traffic, and implement ‘know your upstream provider’ obligations.”

    “Gateway providers serve as a critical choke-point for reducing the number of illegal robocalls received by American consumers,” the FCC stated in its announcement. “The new rules require gateway providers to participate in robocall mitigation, including blocking efforts, take responsibility for illegal robocall campaigns on their networks, cooperate with FCC enforcement efforts, and quickly respond to efforts to trace illegal robocalls to their source.” Non-compliance may cause a gateway provider to lose its ability to operate. The FCC also announced it is requesting further comments on a proposal to expand robocall mitigation requirements to intermediate providers in the U.S. and not just gateway providers. The agency will also decide whether anti-robocall and spoofing rules should also apply to these intermediate providers, as they are currently not required to certify with the Robocall Mitigation Database.

    Requiring domestic entry points to use STIR/SHAKEN, register in the Robocall Mitigation Database, and comply with traceback requests from the FCC and law enforcement will help the agency “figure out where these junk calls are originating from overseas,” FCC Chairwoman Jessica Rosenworcel said in a statement. “These measures will help us tackle the growing number of international robocalls. Because we can’t have these scam artists multiplying abroad and hiding from our regulatory reach. We also can’t have them hiding from our state counterparts.” To aid efforts, the FCC announced that to date 36 states have signed memoranda of understanding with the agency to share resources and information to reduce robocalls.

    Agency Rule-Making & Guidance FCC Robocalls STIR/SHAKEN State Issues State Attorney General

    Share page with AddThis
  • FTC considers changes to strengthen advertising and endorsement guidelines against fake and manipulated reviews

    Federal Issues

    On May 19, the FTC announced it is considering changes to strengthen its advertising guidelines to address fake and manipulative reviews, as well as concerns over inadequate disclosure tools. The Commission unanimously voted to submit a notice of proposed changes to its “Guides Concerning the Use of Endorsements and Testimonials in Advertising” (Endorsement Guides), which were enacted in 1980 and amended in 2009. Under the Endorsement Guides, advertisers are required “to be upfront with consumers and clearly disclose unexpected material connections between endorsers and a seller of an advertised product.” In February 2020, the FTC issued a request for comments on, among other things, whether the Endorsement Guides are effective at addressing concerns in the marketplace, as well as issues related to social media disclosures, incentive reviews, and affiliate links. According to the Commission’s announcement, the proposed changes (i) warn “social media platforms that some of their tools for endorsers are inadequate and may open them up to liability”; (ii) clarify that the Endorsement Guides cover fake reviews; (iii) add a new principle, which provides that “in procuring, suppressing, boosting, organizing, or editing consumer reviews, advertisers should not distort or misrepresent what consumers think of their products”; (iv) clarify that social media tags are covered by the Endorsement Guides; (v) modify “the definition of ‘endorsers’ to bring virtual influencers—that is, computer-generated fictional characters—under the guides”; (v) provide an example addressing the microtargeting of a discrete group of consumers; and (vi) introduce a new section addressing concerns related to child-directed advertising.

    A public event will be hosted by the FTC on October 19 to address topics including “children’s capacity at different ages and developmental stages to recognize and understand advertising content and distinguish it from other content,” and the “need for and efficacy of disclosures as a solution for children of different ages, including the format, timing, placement, wording, and frequency of disclosures.”

    Federal Issues FTC Endorsements Advertisement Agency Rule-Making & Guidance Disclosures

    Share page with AddThis
  • FDIC approves final rule for trust, mortgage servicing account insurance

    On May 18, the FDIC published a final rule that amends the deposit insurance regulations for trust accounts and mortgage servicing accounts. According to the FDIC, the final rule is “intended to make the deposit insurance rules easier to understand for depositors and bankers, facilitate more timely insurance determinations for trust accounts in the event of a bank failure, and enhance consistency of insurance coverage for mortgage servicing account deposits.”

    The final rule, among other things: (i) establishes updates to the Banker Resources Guide Deposit Insurance Page with the Small Entity Compliance Guide (Community Bank Information) to promote understanding of the regulations; (ii) amends the deposit insurance regulations by merging the revocable and irrevocable trusts categories; (iii) “amends the regulation to expand the current per-borrower coverage of up to $250,000 to include any funds paid into the account to satisfy the principal and interest obligation of the mortgagors to the lender”; and (iv) establishes that certain “depositors within excess of $1.25 million in trusts deposits at a particular IDI may want to make changes given the new coverage limits” effective April 1, 2024.

    Bank Regulatory Federal Issues FDIC Agency Rule-Making & Guidance Mortgages Mortgage Servicing Deposit Insurance

    Share page with AddThis
  • CFPB affirms states may enforce CFPA and other federal laws

    Agency Rule-Making & Guidance

    On May 19, the CFPB issued an interpretive rule addressing states’ authority to bring enforcement actions for violations of federal consumer financial protection laws, including the CFPA. Though the Bureau is charged with, among other things, administering, interpreting, and enforcing federal consumer financial laws, a category that includes the CFPA itself, the agency said it is not the only enforcer of these laws. According to the interpretive rule, “states can enforce [federal consumer financial laws] to the full extent authorized under those laws—including against entities that are not covered persons or service providers (and thus not subject to liability under section 1036(a)(1)(A)) and including against national banks and Federal savings associations.”

    The interpretive rule establishes:

    • States can enforce any provision of the CFPA, which includes making it unlawful for covered persons or service providers to violate any provision of federal consumer financial protection law. This provision covers the CFPA itself, in addition to its 18 enumerated consumer laws and certain other laws, along with any rule or order prescribed by the Bureau under the CFPA, an enumerated consumer law, or pursuant to certain other authorities.
    • States can pursue claims and actions against a broad range of entities. The interpretive rule states that “the limitations on the Bureau’s authority in sections 1027 and 1029 generally do not constrain States’ enforcement authority.” States can bring actions against a broader cross-section of companies and individuals.
    • States may pursue actions under section 1042 even if the Bureau is pursuing a concurrent enforcement action against the same entity. States are not restricted from bringing enforcement actions in coordination with the Bureau, and may also bring an enforcement action to stop or remediate harm that is not addressed by an action taken by the Bureau against the same entity. “Nothing in the [CFPA] precludes these complementary enforcement activities that serve to protect consumers at both the national and state levels,” the Bureau said in its announcement.

    The Bureau stated the interpretive rule is a “part of the CFPB’s expansion of its efforts to support state enforcement activity,” and noted that it “plans to consider other steps to promote state enforcement of federal consumer financial protection law, including ways to facilitate victim redress.”

    Agency Rule-Making & Guidance CFPB State Issues Enforcement CFPA Consumer Finance

    Share page with AddThis
  • FDIC rule seeks to thwart misrepresentations about deposit insurance

    On May 17, the FDIC approved a final rule implementing its authority to prohibit any person or organization from making misrepresentations about FDIC deposit insurance or misusing the FDIC’s name or logo. According to the FDIC, the final rule responds to the “increasing number of instances where individuals or entities have misused the FDIC’s name or logo, or have made false or misleading representations about deposit insurance.” To promote transparency on the FDIC’s processes for investigating and enforcing potential breaches of prohibitions under Section 18(a)(4) of the Federal Deposit Insurance Act, the final rule clarifies the agency’s procedures for identifying, investigating, and where necessary, taking formal and informal action to address potential violations, and establishes a primary point-of-contact for receiving complaints and inquiries about potential misrepresentations regarding deposit insurance. The final rule takes effect 30 days after publication in the Federal Register.

    In response, the CFPB released Consumer Financial Protection Circular 2022-02 to provide that covered firms are likely in violation of the CFPA’s prohibition on deceptive acts or practices “if they misuse the name or logo of the FDIC or engage in false advertising or make material misrepresentations to the public about deposit insurance, regardless of whether such conduct (including the misrepresentation of insured status) is engaged in knowingly.” As previously covered by InfoBytes, the newly introduced circulars serve as policy statements for other agencies with consumer financial protection responsibilities. Specifically, the Bureau warned that (i) “[m]isrepresenting the FDIC logo or name will typically be a material misrepresentation”; (ii) claiming “financial products or services are ‘regulated’ by the FDIC or ‘insured’ or ‘eligible for’ FDIC insurance are likely deceptive if those claims expressly or implicitly indicate that the product or service is FDIC-insured when that is not in fact the case” (e.g. emerging financial products and services including digital assets and crypto-assets); and (iii) misusing the FDIC’s name or logo creates harm for firms that engage in honest advertising and marketing. CFPB Director Rohit Chopra, as an FDIC board member, announced the Bureau’s support for the final rule. “Misrepresentation claims about deposit insurance are particularly relevant today,” Chopra noted. “FDIC staff has noted an uptick in potential violations in recent years. We are especially concerned about potential misconduct involving novel technologies, including so-called stablecoins and other crypto-assets. While new technologies may yield significant benefits for households, workers, and small businesses, they nonetheless pose risks to consumers who may be baited by misrepresentations or false advertisements about deposit insurance.”

    Acting Comptroller of the Currency Michael J. Hsu specifically called out the timeliness of the final rule in light of changes in the marketplace, technological developments, and rapidly evolving consumer behaviors. The final rule “is especially important in light of the growth of nonbank crypto firms and fintechs and their relationships with banks,” Hsu stated. “The potential for consumer confusion about the status of cash held at these firms is high and this final rule will help provide clarity.”

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC CFPB OCC FDI Act CFPA UDAAP Deceptive

    Share page with AddThis
  • CFPB seeks consistent enforcement of consumer financial law

    Federal Issues

    On May 16, the CFPB launched a new system for providing transparent guidance on how the agency intends to administer and enforce federal consumer financial laws. Consumer Financial Protection Circular 2022-01 discusses the broad variety of agencies responsible for enforcing federal consumer financial law, including the CFPA’s prohibition on unfair, deceptive, and abusive acts or practices, and 18 other “enumerated consumer laws” (some of which provide for private enforcement). The circulars will serve as policy statements under the Administrative Procedure Act for other agencies with consumer financial protection responsibilities such as the FDIC, OCC, Federal Reserve Board, and NCUA. Because other federal agencies, including the DOJ, the FTC, the Farm Credit Administration, and the Departments of Transportation and Agriculture, also have certain enforcement responsibilities, the Bureau stressed the importance of ensuring entities subject to the jurisdiction of multiple agencies receive consistent expectations regardless of a company’s status. Specifically, the circulars “will provide background information about applicable law, articulate considerations relevant to the CFPB’s exercise of its authorities, and advise other parties with authority to enforce federal consumer financial law.” The Bureau announced it has identified several issues that would benefit from clear and consistent enforcement and strongly encouraged other agencies to reach out to the Bureau with suggestions for new circulars. Circulars will be authorized by CFPB Director Rohit Chopra and published on the Bureau’s website and in the Federal Register. The Bureau also welcomes feedback on any issued circulars.

    Federal Issues CFPB Consumer Finance Enforcement CFPA Agency Rule-Making & Guidance

    Share page with AddThis
  • Agencies issue revised interagency flood insurance Q&As

    On May 11, the FDIC, OCC, Federal Reserve Board, NCUA, and the Farm Credit Administration jointly issued revised, reorganized, and expanded interagency questions and answers (Q&As) regarding federal flood insurance laws. The revised Q&As supersede versions published in 2009 and 2011, and consolidate Q&As proposed by the agencies in 2020 and 2021 (covered by InfoBytes here). Reflecting significant changes to flood insurance requirements made by the Biggert-Waters Flood Insurance Reform Act and the Homeowner Flood Insurance Affordability Act, as well as regulations issued by the agencies to implement these laws, the revised Q&As consist of 144 Q&As (including 24 private flood insurance Q&As) covering a range of topics, including the escrow of flood insurance premiums, the detached structure exemption to the mandatory flood insurance purchase requirement, force placement procedures, and the acceptance of flood insurance policies issued by private insurers. The agencies also made non-substantive revisions to certain Q&As to provide more direct responses to questions asked, additional clarity, or make technical corrections. In response to concerns raised by several commenters, the agencies confirmed that they are providing the interagency Q&As “as guidance only,” and clarified that “all the Q&As apply to all policies, whether [National Flood Insurance Program] or a flood insurance policy issued by a private insurance company, unless otherwise noted in the Q&A.” Additionally, the agencies noted “that they are working individually and on an interagency basis to address financial risks associated with climate change consistent with the [a]gencies’ regulatory and supervisory authorities,” and therefore “decline to make changes to any of the Q&As in response to climate risk change.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance OCC FDIC Federal Reserve NCUA Farm Credit Administration Risk Management Flood Insurance Mortgages National Flood Insurance Program

    Share page with AddThis
  • CFPB: ECOA protection extends past application process

    Federal Issues

    On May 9, the CFPB issued an advisory opinion to affirm its interpretation that ECOA bars lenders from discriminating against customers after they have applied for and received credit, not just during the application process. The Bureau’s opinion and analysis interprets ECOA and its implementing rule, Regulation B, as applying to the “approval, denial, renewal, continuation, or revocation of any open-end consumer credit account,” and is consistent with the agency’s joint amicus brief filed last December with the DOJ, Federal Reserve Board, and FTC, which argued that the term “applicant” as used in ECOA/Regulation B, includes both those seeking credit, as well as persons who have sought and have received credit (i.e., current borrowers). (Covered by InfoBytes here.) This has been the agency’s “longstanding position,” the Bureau stressed, noting it was the view of federal agencies prior to the Bureau’s creation as well.

    However, “[d]espite this well-established interpretation, the Bureau is aware that some creditors fail to acknowledge that ECOA and Regulation B plainly apply to circumstances that take place after an extension of credit has been granted, including a revocation of credit or an unfavorable change in the terms of a credit arrangement,” the advisory opinion stated, explaining that ECOA prohibits creditors from lowering a borrower’s available line of credit or subjecting a borrower to more aggressive collections practices on a prohibited basis, such as race or national origin. “In addition, the Bureau is aware that some creditors fail to provide applicants with required notifications that include a statement of the specific reasons for the adverse action taken or disclose an applicant’s right to such a statement.” Creditors are required to provide “adverse action notices” when denying a loan, the Bureau wrote, adding that these notices are required when the terms of an existing loan are modified or terminated. “This interpretation of ECOA, therefore, forecloses a potential loophole that could effectively swallow much of the Act. Such a loophole would be plainly inconsistent with ECOA,” the advisory opinion stressed. While the Bureau acknowledged that “a few other district court decisions have interpreted ‘applicant’ to include only persons actively seeking credit,” the agency stressed that the district courts “read ‘applicant’ in isolation instead of reading this statutory term in context, as required by the Supreme Court,” and that “no court of appeals has endorsed these district courts’ narrow reading.” 

    As previously covered by InfoBytes, the Bureau finalized its Advisory Opinions Policy in 2020. Under the policy, entities seeking to comply with existing regulatory requirements are permitted to request an advisory opinion in the form of an interpretive rule from the Bureau (published in the Federal Register for increased transparency) to address areas of uncertainty.

    Federal Issues CFPB Fair Lending Consumer Finance ECOA Agency Rule-Making & Guidance Advisory Opinion Regulation B

    Share page with AddThis
  • Special Alert: Breaking down the proposed CRA overhaul

    Federal Issues

    The federal banking agencies last week announced their highly anticipated proposal to revamp and modernize regulations implementing the Community Reinvestment Act. The proposal may significantly impact the compliance obligations of large banks, which the proposal generally defines as those with assets greater than $2 billion, while granting smaller banks the option of continuing to comply under the existing framework. The proposal aims to bring to a close the CRA reform process that began more than a decade ago, and was marked most recently by the OCC’s decision to pull back its 2020 regulatory overhaul (as covered by InfoBytes here).

    Federal Issues Bank Regulatory Special Alerts Federal Reserve OCC FDIC CRA Agency Rule-Making & Guidance

    Share page with AddThis