Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On November 22, Ranking Member James Comer (R-KY), Committee on Oversight and Reform, and Ranking Member Cathy McMorris Rodgers (R-WA), Committee on Energy and Commerce, sent a follow-up letter to a global social media company claiming it may have provided misleading or false information about its data sharing and privacy practices related to China. According to the lawmakers, the company claimed in a briefing to the committee that it does not track users’ internet data if they are not using the app, and that China-based employees cannot access U.S. users’ location-specific data—both of which appear to be “misleading at best, and at worst, false.” The lawmakers referenced reports alleging the company “clandestinely” gathers U.S. users’ sensitive internet history, and expressed concerns about statements made by employees responsible for company data that “‘it is impossible to keep data that should not be stored in [China] from being retained in [China]-based servers.’” Claiming the company has withheld information, the lawmakers are seeking additional information, including documents and communications related to the monitoring of U.S. users’ browsing data and location tracking.
On October 24, Democratic lawmakers sent letters to the leaders of the SEC, CFTC, Treasury Department, Federal Reserve, FDIC, OCC and CFPB regarding concerns about “the revolving door between  financial regulatory agencies and the cryptocurrency (crypto) industry.” In the letters, the lawmakers argued “that the crypto revolving door risks corrupting the policymaking process and undermining the public’s trust in our financial regulators.” The letters also noted that Treasury saw the most movement from the Treasury Department, with 31 former employees joining the crypto industry. The SEC was second with 28 former employees, according to Tech Transparency Project. The lawmakers argued that “Americans should be able to trust that financial rules are crafted to reduce risk, improve security, and ensure the fair and efficient functioning of the market,” and that “Americans should be confident that regulators are working on behalf of the public, rather than auditioning for a high-paid lobbying job upon leaving government service.” The letters requested that the agencies provide information by November 7, including answers to inquiries about each agency’s ethics guidelines and polices in place to protect the agency from being influenced by current or former employees’ potential conflicts of interest.
On October 14, the House Subcommittee on Economic and Consumer Policy sent a letter to CFPB Director Rohit Chopra requesting information and documents on the Bureau’s efforts to combat cryptocurrency-related fraud. In the letter, Representative Raja Krishnamoorthi (D-IL) expressed concerns that Congress “may need” to pass legislation to help “bring stability to the digital asset industry.” He also argued that “a lack of a central authority to flag suspicious transactions in many situations, the irreversibility of transactions," and the consumers and investors' limited understanding has made “cryptocurrency a preferred transaction method for scammers.” Among other things, the letter asked the Bureau to provide information by October 28 concerning (i) its efforts to combat crypto-related scams and fraud and inform consumers about the risks related to investments in cryptocurrencies; (ii) its authority to identify and investigate potentially fraudulent digital assets or accounts used on cryptocurrency exchanges associated with illicit activities; (iii) its regulatory authority concerning cryptocurrencies; and (vi) documents setting out the existing framework for interagency cooperation on the regulation of cryptocurrencies. Krishnamoorthi also requested that the Bureau provide answers by October 21 to several questions, such as “what tools, including but not limited to code audits, disclosure requirements, or consumer alerts, could provide consumers with additional information to better assess the risks associated with a digital asset?” and “should cryptocurrency holdings be treated as commodities, securities, or both?”
On October 13, Chairman of the Select Subcommittee on the Coronavirus Crisis James E. Clyburn sent a letter to CFPB Director Rohit Chopra addressing reports that nationwide consumer reporting agencies (CRAs) were less responsive to consumer complaints and disputes related to credit report errors during the Covid-19 pandemic. According to Clyburn, investigative reports allegedly revealed that the CRAs, which are legally obligated to address errors contained in consumer credit reports, did not always investigate these disputes and purportedly used “broad and speculative criteria” to determine whether a dispute was submitted by an unauthorized third party. The letter also expressed concerns that the CRAs’ alleged “overreliance on data furnishers” raises questions about the sufficiency of the CRAs’ dispute investigations, and that, moreover, using different levels of automation to resolve disputes and complaints is creating variability in the quality and thoroughness of their investigations. Clyburn expressed concerns that by failing to investigate certain legitimate disputes, identify and correct erroneous information, or provide the Bureau with information on the outcomes of the complaint investigations, the CRAs may be failing to meet their obligations under the FCRA. He asked Chopra to review the CRAs for possible statutory violations and to “consider investigating whether the CRAs have made sufficient revisions to their procedures for identifying and taking corrective action against unreliable furnishers.”
On September 20, House Financial Services Committee Ranking Member Patrick McHenry (R-NC) and House Oversight and Reform Committee Ranking Member James Comer (R-KY) sent a letter to CFPB Director Rohit Chopra asking him to provide information to Congress regarding the authorities delegated to the Bureau that justify its current and upcoming regulatory actions. According to the letter, McHenry and Comer point to the U.S. Supreme Court’s decision in West Virginia vs. EPA, which “invoked the ‘major questions doctrine’ to reject an attempt by the EPA to exceed its statutory authority.” The letter further explained that “[u]nder this doctrine, an agency must point to ‘clear congressional authorization for the authority it claims.’” The EPA could not identify such an authorization, according to McHenry and Comer, and the court further rejected the EPA’s attempt to exceed its statutory authority. The letter stated that “clear delegation of authority contemplated by the Court is not limited to just rulemaking but extends to other agency actions.” McHenry and Comer proceeded to list director-driven “initiatives” that they claim, “circumvent not only Congressional intent, but the Administrative Procedure Act.” They further requested that the Bureau provide a list of all actions that CFPB intends to take during the remainder of 2022, and “[a] list of all expected actions, including but not limited to major rulemaking, staff guidance, advisory opinions, interpretive rules, and the specific Congressional authority for each rulemaking,” by September 30. McHenry and Comer concluded the letter by noting that both committees intend to exercise “robust investigative and legislative powers,” and seek to assert Congress’ Article I responsibilities to ensure that neither the director nor the Biden administration “continue to exceed Congressional authorizations.”
On September 1, Speaker of the House Nancy Pelosi (D-CA) released a statement commending the House Energy and Commerce Committee’s work on advancing the American Data Privacy and Protection Act (ADPPA) to the House floor (covered by InfoBytes here). However, Pelosi also recognized preemption concerns raised by the California governor, the California Privacy Protection Agency, and other top state leaders. “With so much innovation happening in our state, it is imperative that California continues offering and enforcing the nation’s strongest privacy rights,” Pelosi said. “California’s landmark privacy laws and the new kids age-appropriate design bill, both of which received unanimous and bipartisan support in both chambers, must continue to protect Californians—and states must be allowed to address rapid changes in technology.” Praising measures in the ADPPA that would give consumers the right, for the first time, to seek damages in court for violations of their privacy rights, Pelosi said the House “will continue to work with Chairman Pallone to address California’s concerns.” As previously covered by InfoBytes, the ADPPA also received criticism from several state attorneys general who argued, among other things, that “Congress should adopt a federal baseline, and continue to allow states to make decisions about additional protections for consumers residing in their jurisdictions,” instead of preempting areas of state privacy regulation.
On August 30, the Subcommittee on Economic and Consumer Policy of the House Committee on Oversight and Reform announced that Representative Raja Krishnamoorthi (D-IL), Chair of the Subcommittee, sent letters to the U.S. Treasury Department, SEC, CFTC, and FTC, in addition to five digital asset exchanges, requesting information on how they are combating cryptocurrency-related fraud and scams. According to his letters, Chairman Krishnamoorthi is “concerned about the growth of fraud and consumer abuse linked to cryptocurrencies.” He further added that “[t]he lack of a central authority to flag suspicious transactions in many situations, the irreversibility of transactions, and the limited understanding many consumers and investors have of the underlying technology make cryptocurrency a preferred transaction method for scammers.” In the letters to the federal agencies, he stated that “the federal government has been slow to curb cryptocurrency scams and fraud,” and that “[e]xisting federal regulations do not comprehensively or clearly cover cryptocurrencies under all circumstances.” In one of the letters to the digital asset exchanges, Krishnamoorthi noted that “cryptocurrency exchanges must themselves act to protect consumers conducting transactions through their platforms.” The letters requested that all recipients provide information to the subcommittee outling “steps they are taking to combat cryptocurrency-related fraud and scams and additional actions that are needed to protect Americans” in order to “help Congress understand what they are doing to protect consumers and inform legislative solutions to bring stability to the digital asset industry.”
On August 23, Representative Tom Emmer (R-MN) sent a letter to Treasury Secretary Janet Yellen raising privacy and due process concerns related to recent “first-of-their-kind” sanctions issued against a virtual currency mixer accused of allegedly laundering more than $7 billion in virtual currency, including more than $455 million stolen by a Democratic People’s Republic of Korea state-sponsored hacking group that is separately subject to U.S. sanctions (covered by InfoBytes here). The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) said the sanctions resulted from the company “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.” (Covered by InfoBytes here.)
Emmer stressed, however, that adding the company to OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List seemed to diverge from previous OFAC precedent since several of the company’s designated “smart contract addresses” do not appear to be a person, entity, or property, but rather are distributed technological tools that are not controlled by any entity or natural person. “OFAC has a long, commendable history of utilizing financial sanctions to enhance the national security of the United States,” the letter said. “Nonetheless, the sanctioning of neutral, open-source, decentralized technology presents a series of new questions, which impact not only our national security but the right to privacy of every American citizen.” Emmer referenced May 2019 guidance issued by FinCEN (covered by InfoBytes here), which he said drew “a distinction between ‘providers of anonymizing services’ (including ‘mixers’)” which are subject to Bank Secrecy Act obligations and “‘anonymizing software providers’” which are not. Emmer recognized that OFAC is not bound by FinCEN regulations, but said it is his understanding that the sanctioned company is “simply the anonymizing software deployed on the blockchain.”
Emmer requested clarification from Treasury on several questions, including the factors OFAC considers when designating technology to the SDN List and how OFAC plans to “uphold the appeals process for the sanctioned addresses that have no ability to appeal the sanction to OFAC” because they “are smart contracts with no agency, corporate or personal, and as such cannot speak for themselves or those whose funds they hold.”
On August 16, Chairman of the Committee on the Judiciary Jerrold Nadler (D-NY) and Chairman of the Committee on Homeland Security Bennie Thompson (D-MS) sent a letter to multiple government agency leaders, requesting information on their purchases and use of personal data from data brokers. According to the chairmen, “[c]ompanies participating in the data market acquire user information for package and sale through social media, mobile applications, web hosts, and other sources,” and such products “can include precise details on individuals’ location history, internet activity, and utilities information, to name a few.” The letter further noted that, “improper government acquisition of this data can thwart statutory and constitutional protections designed to protect Americans’ due process rights.” The letter also pointed out that the agencies receiving the letter “have contracts with numerous data brokers, who provide detailed information on millions of Americans.” The chairmen requested a briefing from the agencies, in addition to documents and communications related to contracts the government has had with data brokers, legal analyses on the use of personal data, and parameters and limitations set on the use of the data by the end of August.
On July 28, House Financial Services Committee Ranking Member Patrick McHenry (R-NC) and two other Republican members sent a letter to CFPB Director Rohit Chopra, expressing their concerns that the Bureau has been “colluding” with states to “intimidate companies by conspiring with state agencies to pursue duplicative enforcement actions” in the financial services industry. The letter recognizes that state AGs “may enforce the CFPA in cases where the CFPB has not,” but argues that “the statute does not allow for a state attorney general to become a party to an existing CFPB enforcement action.” As previously covered by InfoBytes, the Bureau issued an interpretive rule in May addressing states’ authority to bring enforcement actions for violations of federal consumer financial protection laws, including the CFPA. The representatives argue that although the CFPB has a duty to enforce the CFPA and protect consumers from predatory and discriminatory practices, the Bureau’s interpretive rule is “akin to deputizing state attorneys general to enforce the CFPA on behalf of the CFPB – something Congress did not authorize.” The letter concludes with a request for documents and information from the Bureau by August 12, including (i) the legal authority that allows the CFPB to “recruit state attorneys general to join existing CFPB actions"; (ii) any “safeguards” the CFPB has in place to avoid “redundant and duplicative state actions”; and (iii) “all documents and communications between offices of state attorneys general and the CFPB since October 12, 2021” and “all information regarding complaints filed in a judicial court received by the CFPB pursuant to 12 USC § 5552.”