
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS addresses multi-factor authentication weaknesses

    Privacy, Cyber Risk & Data Security

    On December 7, NYDFS issued guidance on multi-factor authentication (MFA) to all regulated entities. According to NYDFS, “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” affecting both large companies and small businesses. The regulator noted that, since the Cybersecurity Regulation (23 NYCRR Part 500) went into effect (covered by InfoBytes here), MFA failures have continued to impact both financial services entities and consumers. From January 2020 to July 2021, more than 18.3 million consumers were affected by reported cyber incidents involving covered entities’ MFA failures, according to NYDFS. NYDFS has also taken two enforcement actions in the past year against companies whose failure to implement MFA fully resulted in unauthorized access to nonpublic information. The New York banking regulator is increasing its review of MFA during examinations and will focus on searching for common MFA failures discussed in the guidance. Covered entities are advised to consider carefully the importance of MFA as they implement their risk-based cybersecurity programs. Under the Cybersecurity Regulation, MFA is required for remote access, and must “be implemented beyond that as necessary to ensure effective access controls based on a comprehensive risk assessment.” The guidance provides examples of common problems related to MFA as well as recommendations for preventing problems.

  • OCC warns of key cybersecurity and climate-related banking risks

    Agency Rule-Making & Guidance

    On December 6, the OCC reported in its Semiannual Risk Perspective for Fall 2021 the key issues facing national banks and federal savings associations and the effects of Covid-19 on the federal banking industry. The agency reported that although banks showed resilience in the current environment with satisfactory credit quality and strong earnings, weak loan demand and low net interest margins continue to affect performance.

    The OCC identified elevated operational risk as banks continue to face increasingly complex cyberattacks, pointing to an increase in ransomware attacks across financial services. While innovation and technological advances can help counter such risks, the OCC warned they also come with additional concerns given the expansion of remote financial services offered through personally owned computers and mobile devices, remote work options due to the Covid-19 pandemic, and the reliance on third-party providers and cloud-based environments. “The adoption of innovative technologies to facilitate financial services can offer many benefits to both banks and their customers,” the report stated. “However, innovation may present risks. Risk management and control environments should keep pace with innovation and emerging trends and a comprehensive understanding of risk should be achieved to preserve effective controls. Examiners will continue to assess how banks are managing risks related to changes in operating environments driven by innovative products, services, and delivery channels.”

    The report calls on banks to “adopt robust threat and vulnerability monitoring processes and implement stringent and adaptive security measures such as multi-factor authentication or equivalent controls” to mitigate against cyber risks, adding that critical systems and records must be backed up and stored in “immutable formats that are isolated from ransomware or other destructive malware attacks.”

    The report further highlighted heightened compliance risks associated with the changing environment where banks serve consumers in the end stages of various assistance programs, such as the CARES Act’s PPP program and federal, state, and bank-initiated forbearance and deferred payment programs, which create “increased compliance responsibilities, high transaction volumes, and new types of fraud.”

    The report also discussed credit risks, strategic risk challenges facing community banks, and climate-related financial risks. The OCC stated it intends to request comments on its yet-to-be-published climate risk management framework for large banks (covered by InfoBytes here) and will “develop more detailed expectations by risk area” in 2022.

  • District Court grants preliminary approval in TCPA settlement


    On November 23, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a publishing company utilized a third-party telemarketer to place newspaper delivery service advertising calls with individuals who had previously requested not to be contacted. According to the plaintiff’s unopposed motion for preliminary approval of class action settlement, the defendant, through a third-party telemarketer, placed repeated and unsolicited telemarketing calls after the plaintiff terminated his relationship with the defendant and asked not to be called. The plaintiff alleged that the defendant violated the TCPA by placing telemarketing calls to him and others, despite their phone numbers’ registration with the National Do Not Call Registry, as well as for violations of the TCPA’s internal do-not-call rules. According to the plaintiff’s motion, the settlement (if approved) would establish a settlement class of 28,412 individuals who were solicited by the defendant’s telemarketing vendor between December 11, 2017 and April 15, 2021. The settlement would provide that all class members with an identifiable address, who do not opt out, receive a distribution from the $1.7 million settlement fund, which after attorneys’ fees and costs, is estimated to be nearly $30 per person, according to the motion.

  • Virginia Consumer Data Protection Act Work Group issues final report

    Privacy, Cyber Risk & Data Security

    Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in March and covered by InfoBytes here, created the Work Group to study findings, best practices, and recommendations before the VCDPA’s January 1, 2023 effective date. The report summarizes information that arose during six Work Group meetings held this year, including the following:

    • Establishing an education initiative led by leadership outside of the Office of Attorney General (OAG) to help small to medium-sized businesses comply with the VCDPA.
    • Allowing the OAG to pursue actual damages, should they exist, based on consumer harm.
    • Employing an “ability to cure” option for violations where a potential cure is possible.
    • Authorizing consumers to assert, and requiring companies to honor, a global opt-out setting as a single-step for consumers to opt-out of data collection.
    • Sunsetting the “right to cure” provision following the first few years after the VCDPA’s enactment to prevent companies from exploiting the provision.
    • Amending “‘the right to delete’ provision to be a ‘right to opt out of sale’ in order to promote compliance and restrict further dissemination of consumer personal data.”
    • Studying specific data privacy protections for children.
    • Encouraging the development of third-party software and browser extensions to enable users to universally opt out of data collection instead of opting out on each website.
    • Recruiting nonprofit consumer and privacy organizations to address concerns related to the VCDPA’s definitions of “sale,” “personal data,” and “publicly available information,” and whether general demographic data used when promoting diversity and outreach to underserved populations should be included in the definition of “sensitive personal information.”
    • Creating an education website containing information about consumers’ rights under the VCDPA. Additionally, the website could provide guidance for smaller businesses seeking to comply with the VCDPA, including sample data protection forms.
    • Directing an agency to promulgate regulations because the VCDPA does not currently grant the OAG such authority.

    The Work Group’s recommendations will be presented during the upcoming legislative session.

  • CFPB releases draft strategic plan for FY 2022-26

    Federal Issues

    On December 2, the CFPB released for public feedback its draft strategic plan for fiscal years 2022-2026, which outlines and communicates its mission, strategic goals, and objectives for the next five years.

    External Factors Impacting the Bureau’s Strategic Goals and Objectives:

    The Bureau identified four key external factors that may affect its strategic goals and objectives: (i) the continued effect of the Covid-19 pandemic on regulated markets; (ii) the increase of data security threats and resulting consumer harm as the role of data and technology in the consumer financial system continues to grow; (iii) rapid developments in the consumer financial marketplace technology; and (iv) executive, legislative, judicial, and state actions, including actions by other financial regulators, which may impact the financial regulatory environment and, in turn, the Bureau’s policy strategies. 

    Cross-Bureau Priorities:

    With its “cross-functional, cross-Bureau approach,” the CFPB intends to address a number of outcomes for households and communities, “many of which reference the concept of equity.” To achieve the outcomes below, the Bureau will “embed a racial equity lens and focus [its] attention on these communities, recognizing that work to protect and empower underserved people benefits all people.”

    • Equitable recovery from the COVID-19 pandemic: Continuing monitoring of pandemic recovery, with a focus on minority and traditionally underserved communities, including rising housing insecurity.
    • Equitable access to and engagement with consumer finance infrastructure: Addressing obstacles that restrict access to credit or push consumers to higher cost products, in addition to “promoting transformation of financial marketplaces to serve all people.”
    • Equitable wealth creation from home and small business ownership: Promoting equitable wealth creation in housing and small business markets, with a focus on minority and underserved communities. Specifically, the Bureau notes that (i) home ownership, as a “key building block of wealth,” has become out of reach for young people and underserved communities due to record high home prices and tightened credit underwriting during the pandemic; and (ii) small businesses, especially women- and minority-owned, have faced more severe economic consequences from the pandemic.
    • Fair, transparent, and competitive markets for consumer financial products and services: Promoting competition for the benefit of consumers and businesses, where “[t]he personal touch previously provided by local financial institutions has, in many instances, been replaced with institutions that take advantage of consumers without concern for their well-being.” The Bureau identified weakened competition in many markets as a contributing factor in the widening of racial, income, and wealth inequality, and noted that consolidations over the last several decades have “denied consumers the benefits of an open economy.”
    • Privacy, access, and fairness in a new data-driven economy: Prioritizing its work to ensure consumer privacy and security remains at the forefront of the evolving data economy. The Bureau expressed specific concern with how consumer financial account data is accessed, transmitted, and stored, in addition to the potential racial equity impact from the increased use of algorithms in the decision-making process.

    The Strategic Goals:

    The Bureau identified four strategic goals, which are articulated by specific function within the agency:

    • “Implement and enforce the law to ensure consumers have access to fair, transparent, and competitive markets that serve consumers’ needs and protect consumers from unfair, deceptive, and abusive practices, and from discrimination.” Objectives include issuing rules and guidance, supervising institutions, and enforcing federal consumer financial laws.
    • “Empower consumers to live better financial lives, focusing on traditionally underserved people.” Objectives include engaging with consumers, creating and offering educational resources, handling complaints, and expanding relationships with stakeholders and government partners.
    • “Inform public policy with data-driven analysis on consumers’ experiences with financial institutions, products, and services.” Objectives include monitoring markets and producing research reports.
    • “Foster operational excellence and further commitment to workforce equity to advance the CFPB’s mission.” Objectives include cultivating a workforce aligned with the Bureau’s mission, implementing a forward-leaning workplace model, and utilizing innovative and optimized operational support.

    The Bureau is requesting comments by January 3, 2022.

  • District Court grants preliminary approval of privacy class action settlement


    On November 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $58 million settlement in a class action against a fintech company (defendant) alleged to have accessed the personal banking data of users without first obtaining consent, in violation of California privacy, anti-phishing, and contract laws. The plaintiffs alleged the defendant obtained data from class members’ financial accounts without authorization. The plaintiffs also claimed the defendant collected class members’ bank login information through a user interface that made it appear as if class members were interfacing directly with their financial institution, when they were actually interfacing with the defendant.

    In granting preliminary approval of the settlement, the court determined it was unclear whether the plaintiffs would have prevailed on the merits at trial, particularly with regard to the “relatively untested” claim that the defendant’s practices breached California’s anti-phishing law. Several other claims originally brought by the plaintiffs were dismissed in May, including allegations that the defendant breached the Stored Communications Act, the Computer Fraud and Abuse Act, and California’s Unfair Competition Law. In addition to the $58 million settlement fund, the proposed settlement would also provide for injunctive relief.

  • Chamber of Commerce requests access to FTC privacy-related communications

    Privacy, Cyber Risk & Data Security

    On November 19, the U.S. Chamber of Commerce sent FOIA requests to the FTC seeking, among other things, communications on consumer data privacy policies the FTC has discussed or considered as ordered by President Biden’s broad July 9 executive order, which tasked the FTC with establishing rules to address concerns about “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.” (Covered by InfoBytes here.) The Chamber is seeking all communications between FTC Chair and Commissioner Lina Khan and former commissioner Rohit Chopra related to the FTC’s Penalty Offense Authority and/or enforcement policy statements addressing privacy-related topics, as well as communications with the Center on Privacy and Technology at Georgetown Law. As previously covered by InfoBytes, the Center’s founder, Alvaro Bedoya, was nominated in September by President Biden to serve as an FTC commissioner. With respect to the requests for records related to the FTC’s Penalty Offense Authority, over the past few months the FTC has issued several warnings using its Penalty Offense Authority related to false money-making claims, misleading online endorsements, and unlawful for-profit education institution practices. (Covered by InfoBytes here, here, and here.) Among other things, the FOIA letters also request all records related to artificial intelligence, including communications between the FTC and the White House Office of Science and Technology Policy and/or the CFPB.

  • 11th Circuit to rehear Hunstein v. Preferred Collection & Management Services


    On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated an opinion in Hunstein v. Preferred Collection & Management Services, ordering an en banc rehearing of the case. The order vacates an 11th Circuit decision to revive claims that the defendant’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated privacy rights established in the FDCPA. As previously covered by InfoBytes, in April, the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” According to the order issued sua sponte by the 11th Circuit, an en banc panel of appellate judges will convene at a later date to rehear the case.

  • New rule gives banks 36 hours to disclose cybersecurity incidents

    Agency Rule-Making & Guidance

    On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to notify its primary federal regulator of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place. The final rule notes that notification is required for incidents that have affected, in certain circumstances: (i) the viability of a banking organization’s operations; (ii) its ability to deliver banking products and services; or (iii) the stability of the financial sector. Additionally, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s customers for four or more hours. The final rule further provides that the notification requirement for bank service providers is important since “banking organizations have become increasingly reliant on third parties to provide essential services,” which may also experience computer-security incidents that could affect the support services they provide to banking organization customers, along with other significant impacts. The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.

  • District Court approves e-commerce platform data breach settlement


    On November 4, the U.S. District Court for the District of Massachusetts granted final approval to a settlement in a class action against an alcohol e-commerce platform stemming from a data breach that allegedly compromised customers’ personally identifiable information. The plaintiffs’ memorandum of law requested approval of the class action settlement, which included a settlement class of 2.5 million individuals whose information was compromised. Class members claimed that the company did not publicly report the data breach until July 2020, and that customers’ information was available for purchase on the dark web. A complaint was filed against the defendant asserting claims of negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of several state consumer protection statutes. The defendant moved to compel arbitration, citing a provision in its terms of service, as well as a class action waiver that required customers to arbitrate their claims individually. However, the parties entered into settlement discussions and agreed to mediate their dispute. Under the terms of the settlement, which is valued between $3.35 million and $7.1 million, the defendant has agreed to pay all associated administration costs, attorneys’ fees and expenses, and incentive awards. Class members will receive individual cash payments and will also receive a pro rata portion of a pool of up to $447,750 in the form of a credit against the cost of service fees for future orders on the defendant’s platform. The defendant will also implement certain data security measures for two years.
