
InfoBytes Blog

Financial Services Law Insights and Observations



  • FTC addresses importance of effective incident response and breach disclosure

    Privacy, Cyber Risk & Data Security

    On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The blog noted that the FTC Act creates a de facto data breach notification requirement because failure to disclose can increase the likelihood that affected parties will suffer harm. The post outlines effective security breach detection and response programs, which can: (i) permit an organization time to take remedial actions to counter, prevent, or mitigate an attack; (ii) prevent and minimize consumer harm from breaches; (iii) provide valuable information to the prevention function of a security team; and (iv) remove an attacker and allow for post-breach remedial measures. According to the FTC, failure to maintain such practices could indicate a lack of competition in the marketplace. The post stated that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Listing recent cyber-related FTC enforcement actions, the post explained that deceptive statements can limit consumers’ ability to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts. Looking at these cases together, the post further noted that “companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”

    Privacy/Cyber Risk & Data Security Federal Issues FTC FTC Act Data Breach Consumer Protection

  • CFPB, New York reach $4 million settlement with debt collection operation

    Federal Issues

    On May 25, the U.S. District Court for the Western District of New York entered a stipulated final judgment and order in an action taken by the CFPB, in partnership with the New York attorney general, resolving allegations that a debt collection operation based near Buffalo, New York, which includes six companies, three owners, and two managers (collectively, “defendants”), engaged in deceptive tactics to induce consumer payments. (See also CFPB press release here.) As previously covered by InfoBytes, the CFPB filed a complaint in 2020 against the defendants for allegedly violating the CFPA, FDCPA, and various New York laws by using illegal tactics to induce consumer payments, such as (i) threatening arrest and imprisonment; (ii) claiming consumers owed more debt than they actually did; (iii) threatening to contact employers about the existence of the debt; (iv) harassing consumers and third parties by using “intimidating, menacing, or belittling language”; and (v) failing to provide debt verification notices. Under the terms of the settlement, the defendants must pay a $2 million penalty to the CFPB and a $2 million penalty to the New York AG. The judgment provides that if the defendants fail to make timely payments, each penalty amount would increase to $2.5 million. The judgment also permanently bans the defendants from engaging in debt collection operations and prohibits them from engaging in deceptive practices in connection with consumer financial products or services.

    Federal Issues CFPB State Issues State Attorney General Consumer Finance New York CFPA FDCPA Enforcement Settlement

  • Ginnie announces Digital Collateral Program and eGuide enhancements

    Federal Issues

    On May 23, Ginnie Mae announced enhancements to its Digital Collateral Program and released updated guidance for the securitization of eNotes. According to the announcement, the revised Digital Collateral Guide (eGuide) applies to all existing eIssuers and provides eligibility and technological requirements for interested applicants. The announcement noted that Ginnie Mae’s digital program has received continued interest since Ginnie Mae securitized its first eNote in January 2021. The current participants in the Ginnie Mae program are existing issuers, which is a requirement under the program. After a successful pilot phase of its new Digital Collateral Program, Ginnie Mae said that it will reopen the program to new applicants on June 21. Additionally, enhancements to the program include the ability to perform eModifications to eNotes, streamlined procedures for Release of Secured Party requests, and the acceptance of eNotes using a Power of Attorney. The eGuide updates are effective June 1.

    Federal Issues Ginnie Mae Digital Collateral Mortgages

  • FDIC highlights operational risks in 2022 Risk Review

    On May 20, the FDIC released its 2022 Risk Review, summarizing emerging risks in the U.S. banking system observed during 2021 in four broad categories: credit risk, market risk, operational risk, and climate-related financial risk. According to the FDIC, the current risk review expands upon coverage in prior reports by examining operational risks to banks resulting from cyber threats, illicit finance, and climate-related financial risks. Monitoring these risks is among the agency’s top priorities, the FDIC said, explaining that the number of ransomware attacks in the banking industry increased in 2021, and that the “number and sophistication of cyber attacks also increased with remote work and greater use of digital banking tools.” Additionally, “threats from illicit activities continue to pose risk management challenges to banks.” The FDIC noted that the banking environment improved in 2021 as the economy recovered but stated that recovery was uneven across industries and regions. While “[f]inancial market conditions were generally supportive of the economy and banking industry in 2021,” they began to deteriorate in early 2022 with the onset of the Russian invasion of Ukraine, the FDIC said.

    Bank Regulatory Federal Issues FDIC Risk Management Illicit Finance Financial Crimes Privacy/Cyber Risk & Data Security Climate-Related Financial Risks

  • OCC releases enforcement actions

    On May 19, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against an Alaska-based bank for allegedly engaging in Bank Secrecy Act/anti-money laundering (BSA/AML) program violations. The bank allegedly “failed to adopt and implement a compliance program that adequately covers the required BSA/AML program elements, including, in particular, internal controls for customer due diligence and procedures for monitoring suspicious activity, BSA officer and staff, and training.” The order requires the bank to, among other things, establish a compliance committee, submit a BSA/AML action plan, and develop a written suspicious activity monitoring and reporting program.

    Bank Regulatory Federal Issues Financial Crimes Anti-Money Laundering OCC Enforcement Bank Secrecy Act SARs

  • FTC considers changes to strengthen advertising and endorsement guidelines against fake and manipulated reviews

    Federal Issues

    On May 19, the FTC announced it is considering changes to strengthen its advertising guidelines to address fake and manipulative reviews, as well as concerns over inadequate disclosure tools. The Commission unanimously voted to submit a notice of proposed changes to its “Guides Concerning the Use of Endorsements and Testimonials in Advertising” (Endorsement Guides), which were enacted in 1980 and amended in 2009. Under the Endorsement Guides, advertisers are required “to be upfront with consumers and clearly disclose unexpected material connections between endorsers and a seller of an advertised product.” In February 2020, the FTC issued a request for comments on, among other things, whether the Endorsement Guides are effective at addressing concerns in the marketplace, as well as issues related to social media disclosures, incentive reviews, and affiliate links. According to the Commission’s announcement, the proposed changes (i) warn “social media platforms that some of their tools for endorsers are inadequate and may open them up to liability”; (ii) clarify that the Endorsement Guides cover fake reviews; (iii) add a new principle, which provides that “in procuring, suppressing, boosting, organizing, or editing consumer reviews, advertisers should not distort or misrepresent what consumers think of their products”; (iv) clarify that social media tags are covered by the Endorsement Guides; (v) modify “the definition of ‘endorsers’ to bring virtual influencers—that is, computer-generated fictional characters—under the guides”; (vi) provide an example addressing the microtargeting of a discrete group of consumers; and (vii) introduce a new section addressing concerns related to child-directed advertising.

    A public event will be hosted by the FTC on October 19 to address topics including “children’s capacity at different ages and developmental stages to recognize and understand advertising content and distinguish it from other content,” and the “need for and efficacy of disclosures as a solution for children of different ages, including the format, timing, placement, wording, and frequency of disclosures.”

    Federal Issues FTC Endorsements Advertisement Agency Rule-Making & Guidance Disclosures

  • FTC cracks down on ed tech providers’ COPPA compliance

    Federal Issues

    On May 19, the FTC warned providers of education technology (ed tech) tools for children that they must fully comply with all provisions of the Children’s Online Privacy Protection Act (COPPA). The Commission voted unanimously to approve a policy statement clarifying how COPPA applies to ed tech tools that gather data about children, while underscoring prohibitions on harvesting and monetizing children’s data. The policy statement explained that ed tech providers cannot force children to disclose more information than is reasonably necessary for participating in their educational services and are prohibited from using collected data for marketing or advertising purposes. Additionally, providers are prohibited from retaining children’s data for longer than necessary to fulfill the purpose for which it was collected, and must have procedures in place to keep the data secure. The FTC noted that “even absent a breach, COPPA-covered ed tech providers violate COPPA if they lack reasonable security.” Providers that fail to comply with COPPA may face civil penalties as well as new requirements and limitations on their business practices to stop the unlawful conduct. The policy statement comes as the FTC reexamines COPPA. As previously covered by InfoBytes, the Commission launched a rule review in 2019.

    Federal Issues FTC COPPA Privacy/Cyber Risk & Data Security Ed Tech

  • Financial Services Committee Republicans concerned about CFPB UDAAP manual and administrative adjudications

    Federal Issues

    On May 19, nineteen Financial Services Committee Republicans sent a letter to CFPB Director Rohit Chopra expressing concerns about the agency’s new UDAAP supervisory policy and the recent changes to CFPB administrative adjudication procedures. As previously covered by a Buckley Special Alert, the Bureau revised its UDAAP exam manual to highlight the CFPB’s view that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service. With the March announcement, the Bureau made clear its view that any type of discrimination in connection with a consumer financial product or service could be an “unfair” practice — and, therefore, the CFPB can bring discrimination claims related to non-credit financial products. According to the letter, “the CFPB’s new [UDAAP] supervisory policy and the recent changes to CFPB administrative adjudication procedures deviate significantly from past practices.” The letter further argued that “Congress enacted the fair lending laws and delegated their enforcement to the CFPB, clearly defining the limits of CFPB’s jurisdiction.” Additionally, the letter noted that “[e]xtending ECOA’s disparate treatment and disparate impact analysis to non-credit financial products and services ignores these clear limits.” The legislators also contended that “[i]n addition to radically reinterpreting UDAAP, changes to the way the CFPB will supervise for UDAAP will impose significant new responsibilities on supervised entities.”

    The letter also expressed concerns regarding changes recently made to the rules governing CFPB administrative adjudications. As previously covered by InfoBytes, in February the Bureau published a procedural rule and request for public comment in the Federal Register to update its Rules of Practice for Adjudication Proceedings. The Bureau indicated that the amendments would provide greater procedural flexibility, providing parties earlier access to relevant information, expanding deposition opportunities, and making various changes related to “timing and deadlines, the content of answers, the scheduling conference, bifurcation of proceedings, the process for deciding dispositive motions, and requirements for issue exhaustion, as well as other technical changes.” According to the letter, this represents a “disturbing” action that is “contrary to [Chopra’s] comments about intending to establish durable jurisprudence made during testimony before the House Financial Services Committee in October 2021,” and “does not abide by typical notice and comment procedures.” The nineteen House Republicans on the Committee stated their view that “it is appropriate for the CFPB to immediately revert back to the previous Rules of Practice and conduct notice and comment rulemaking before [] any new procedures become effective.”

    Federal Issues House Financial Services Committee Consumer Finance CFPB UDAAP ECOA Supervision

  • FDIC reinstates SARC as final review in supervisory appeals

    On May 17, the FDIC adopted revised Guidelines for Appeals of Material Supervisory Determinations to reinstate the Supervision Appeals Review Committee (SARC) as the final level of review in the agency’s supervisory appeals process. The SARC’s restoration appears to eliminate the independent Office of Supervisory Appeals, which was created and staffed in 2021. The Office of Supervisory Appeals was designed to have final authority to resolve appeals by a panel of reviewing officials and be independent from other divisions within the FDIC that have authority to issue material supervisory determinations (covered by InfoBytes here).

    According to the revised guidelines, the SARC will include one inside member of the FDIC’s Board of Directors (serving as chairperson); a deputy or special assistant to each of the other inside board members; and the general counsel as a non-voting member. The guidelines provide a list of material supervisory determinations, including CAMELS, IT, trust, and CRA ratings; consumer compliance ratings; loan loss reserve provision determinations; TILA restitutions; and decisions to initiate informal enforcement actions (such as memoranda of understanding).

    The guidelines apply to all FDIC-supervised financial institutions, including state nonmember banks, industrial banks, and insured U.S. branches of non-U.S. banks.

    While public comments from industry had supported an independent supervisory appeals process, the revised guidelines are posted in final (not draft) form on the FDIC’s website, with the FIL asserting that the guidelines take effect May 17 (before the comment period concludes on June 21). The notice and request for comments was published in the Federal Register on May 20.

    Bank Regulatory Federal Issues FDIC Of Interest to Non-US Persons Supervision Appeals

  • FDIC releases process for MDI designation requests

    On May 19, the FDIC released a process for insured institutions or applicants for deposit insurance to submit requests for recognition as a minority depository institution (MDI). As previously covered by InfoBytes, last June the FDIC approved and released an updated Statement of Policy Regarding Minority Depository Institutions to enhance the agency’s efforts to preserve and promote MDIs. 

    The updated statement of policy details the framework by which the FDIC implements objectives set forth in Section 308 of FIRREA and describes agency initiatives for fulfilling its MDI statutory goals. According to the FDIC, “supervised institutions or applicants for deposit insurance that seek to be recognized as an MDI may submit a written request, signed by a duly authorized officer or representative of the institution or applicant, at any time to the appropriate regional office.” Supervised institutions are also able to submit requests in connection with a merger application or a change in control notice. Requests should contain sufficient information in support of the designation, and the FDIC will send a letter acknowledging recognition of the institution as an MDI if an institution has met the eligibility requirements.

    Bank Regulatory Federal Issues FDIC Minority Depository Institution Supervision False Claims Act / FIRREA
