
InfoBytes Blog

Financial Services Law Insights and Observations


  • New York, Montana governors sign executive orders to safeguard net neutrality

    Privacy, Cyber Risk & Data Security

    On January 24, New York Governor Andrew M. Cuomo signed an executive order to protect net neutrality in his state, while earlier on January 22, Montana Governor Steve Bullock signed his own executive order designed to “safeguard internet freedom.” Both executive orders have been issued in response to the FCC’s Declaratory Ruling, Report and Order released last December to roll back the 2015 Open Internet Order rules (known as “Net Neutrality” rules), which removes the restrictions barring providers from slowing down or speeding up web traffic based on business relationships. Under Governor Cuomo’s direction, New York State’s government must refrain from entering into any internet service contracts with ISPs that do not agree to follow the Net Neutrality rules. Similarly, Governor Bullock ordered the procurement process for telecommunication services to require that contract recipients adhere to the neutrality principles.

    As previously covered in InfoBytes, a coalition of 22 state attorneys general filed a protective petition for review in the D.C. Circuit Court of Appeals to block the FCC’s Order. See here for additional InfoBytes coverage on Net Neutrality rules.

    Privacy/Cyber Risk & Data Security State Issues Net Neutrality

  • NYDFS warns financial institutions of February 15 cybersecurity compliance certification deadline

    Privacy, Cyber Risk & Data Security

    On January 22, the New York Department of Financial Services (NYDFS) issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance is February 15, 2018. Mandated by NYDFS’ cybersecurity regulation that went into effect March 1, 2017 (see previous InfoBytes coverage here), the certification covers the prior calendar year and must be filed electronically through the DFS cybersecurity portal. NYDFS Superintendent Maria T. Vullo also announced that going forward, cybersecurity will be incorporated into all department examinations, and cybersecurity-related questions will be added to NYDFS’ “first day letters” issued to commence examinations of financial services companies.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Bank Compliance 23 NYCRR Part 500

  • State AGs file protective petition to stop rollback of net neutrality rules; Senate Democrats announce plans to reverse FCC rule

    Privacy, Cyber Risk & Data Security

    On January 16, a coalition of 22 state attorneys general filed a protective petition for review in the D.C. Circuit Court of Appeals against the Federal Communications Commission (FCC) and the United States to block the FCC’s Declaratory Ruling, Report and Order released last December to roll back the 2015 Open Internet Order rules (known as “Net Neutrality” rules). As previously covered in InfoBytes, the rollback removes the restrictions barring providers from slowing down or speeding up web traffic based on business relationships, and places the enforcement authority of the new regulatory framework with the Federal Trade Commission (FTC).

    In the petition, the states allege violations of the Administrative Procedure Act’s notice-and-comment rulemaking requirements, and claim that the FCC's actions with respect to Net Neutrality were “arbitrary, capricious, and an abuse of discretion.” According to a press release issued by New York Attorney General Eric T. Schneiderman:

    The FCC’s new rule fails to justify the Commission’s departure from its long-standing policy and practice of defending net neutrality, while misinterpreting and disregarding critical record evidence on industry practices and harm to consumers and businesses. . . Moreover, the rule wrongly reclassifies broadband internet as a Title I information service, rather than a Title II telecommunications service, based on an erroneous and unreasonable interpretation of the Telecommunications Act. Finally, the rule improperly and unlawfully includes sweeping preemption of state and local laws.

    Separately that same day, Senate Democrats announced plans to formally introduce a resolution of disapproval under the Congressional Review Act to reverse the FCC’s vote and restore the Net Neutrality rules. Once the rule is submitted to both houses of Congress, the resolution will be formally introduced, published in the Federal Register, and voted upon within 60 legislative days.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General FCC FTC Net Neutrality Congressional Review Act

  • FTC report highlights 2017 privacy and data security enforcement work

    Privacy, Cyber Risk & Data Security

    On January 18, the FTC released its annual report on the agency’s privacy and data security work performed in 2017. Among other items, the report highlights consumer-related enforcement activities in 2017, including:

    • a settlement with a ride-sharing company over allegations that it violated the FTC Act by making deceptive claims about its privacy and data practices (previously covered by InfoBytes here);
    • the first EU-U.S. Privacy Shield action resulting in settlements with three companies over allegations that they falsely claimed they were certified to take part in the framework (previously covered by InfoBytes here); and
    • a joint settlement with the New Jersey Attorney General against a “smart” television manufacturer for claims that it secretly gathered users’ viewing data and sold it to third parties who used the data for targeted advertising (previously covered by InfoBytes here).

    The report also covers the FTC’s approval of TRUSTe’s proposed modifications to its safe harbor program under the Children’s Online Privacy Protection Act of 1998 (COPPA), previously covered by InfoBytes here; and the agency’s actions related to the national “Do Not Call” Registry.

    Privacy/Cyber Risk & Data Security FTC Compliance Enforcement State Attorney General

  • OCC highlights supervisory priorities in fall 2017 semiannual risk report

    Federal Issues

    On January 18, the OCC announced the release of its Semiannual Risk Perspective for Fall 2017, identifying key risk areas for national banks and federal savings associations. Top supervisory priorities will focus on credit, operational, and compliance risk. As previously discussed in the spring 2017 semiannual report, compliance risk continues to be an ongoing concern, particularly as banks continue to adopt new technologies to help them comply with anti-money laundering rules and the Bank Secrecy Act (BSA), in addition to addressing increased cybersecurity challenges and new consumer protection laws. (See previous InfoBytes coverage here.) The OCC commented that these types of risks can be mitigated by banks with “appropriate due diligence and ongoing oversight.”

    Specific areas of particular concern include the following:

    • easing of commercial credit underwriting practices;
    • increasing complexity and severity of cybersecurity threats, including phishing scams that are the primary method of breaching bank data systems;
    • using limited third-party service providers for critical operations, which can create “concentrated points of failure resulting in systemic risk to the financial services sector”;
    • compliance challenges under the BSA; and
    • challenges in risk management involving consumer compliance regulations.

    The report also raises concerns about new requirements under the Military Lending Act along with pending changes to data collection under the Home Mortgage Disclosure Act, which could pose compliance challenges. It further discusses a new standard taking effect in 2020 for measuring expected credit losses, which “may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.”

    The data relied on in the report was effective as of June 30, 2017.

    Federal Issues Agency Rule-Making & Guidance OCC Risk Management Bank Regulatory Third-Party Bank Secrecy Act HMDA Military Lending Act Vendor Management Anti-Money Laundering Privacy/Cyber Risk & Data Security

  • Ninth Circuit: payday lenders not vicariously liable under TCPA for text messages

    Privacy, Cyber Risk & Data Security

    On January 10, the U.S. Court of Appeals for the Ninth Circuit affirmed that three payday lenders and two marketing companies (together, the defendants) did not indirectly violate the Telephone Consumer Protection Act (TCPA) by accepting marketing help from a separate lead generator company that used a program to send text-messaged advertisements. In upholding the district court’s decision, the three-judge panel concluded that “it is undisputed” that the defendants did not enter into a contract with the lead generator company, and further, that the lead generator company did not act as their agent or purported agent. The plaintiff-appellant that received the text-messaged advertisement—which directed consumers who clicked on the link within the message to a loan application website controlled by one of the defendants—filed a putative class action complaint, certified by the district court, against the defendants to allege that they were vicariously liable for sending the text messages in violation of the TCPA. Specifically, the plaintiff-appellant claimed the defendants ratified the lead generator company’s actions when they accepted leads even though they knew the leads were being generated through text messages. The district court granted summary judgments for all the defendants, and ruled they were not vicariously liable for the lead generator company’s actions, and that additionally, the plaintiff-appellant failed to present evidence that defendants had actual knowledge that the texts were being sent in violation of the TCPA. The appellate panel also noted that because one of the defendants—a contracted lead provider—had “no ‘knowledge of facts that would have led a reasonable person to investigate further,’ . . . [the defendant] cannot be deemed to have ratified [the] actions and therefore is not vicariously liable.”

    Privacy/Cyber Risk & Data Security Courts Ninth Circuit Appellate TCPA Payday Lending

  • FINRA releases 2018 regulatory and examinations priorities letter

    Securities

    On January 8, the Financial Industry Regulatory Authority (FINRA) published its Annual Regulatory and Examination Priorities Letter (2018 Letter), which focused on several broad issues within the securities industry, including improving the examination program to “implement a risk-based framework designed to better align examination resources to the risk profile of [] member firms.” As previously covered in InfoBytes, last July FINRA360 (a comprehensive self-evaluation and organizational improvement initiative) prompted the organization to announce plans currently underway to enhance operations by consolidating its existing enforcement teams into a single unit. In the 2018 Letter, FINRA announced ongoing efforts to work with member firms to understand the risks and benefits of fintech innovation such as blockchain technology, as well as the impact initial coin offerings (ICOs) and digital currencies have on broker-dealers.

    Additional areas of regulatory and examination focus for FINRA in 2018 will include: (i) fraudulent activities and suspicious activity report filing requirements; (ii) business continuity planning; (iii) protection and verification of customer assets, including whether firms have implemented adequate controls and supervision methods along with measuring the effectiveness of cybersecurity programs; (iv) anti-money laundering monitoring and surveillance resources and policies and procedures; and (v) the role firms and other registered representatives play when effecting transactions in cryptocurrencies and ICOs—specifically with regard to the supervisory, compliance and operational infrastructure firms implement to “ensure compliance with relevant federal securities laws and regulations and FINRA rules.”

    Securities Digital Assets Fintech FINRA Examination Fraud Privacy/Cyber Risk & Data Security Anti-Money Laundering Initial Coin Offerings Virtual Currency SARs Blockchain Financial Crimes

  • NYDFS updates cybersecurity regulation FAQs

    Privacy, Cyber Risk & Data Security

    Recently, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1 and establishes cybersecurity requirements for banks, insurance companies, and other financial services companies. The December updates to the FAQs address risk-based requirements affecting covered entities, including the following topics: (i) penetration testing and vulnerability assessments; (ii) third-party service provider due diligence requirements; (iii) limited notices of exemption; and (iv) record requirements.

    Privacy/Cyber Risk & Data Security State Issues NYDFS 23 NYCRR Part 500

  • FCC Votes to Overturn Net Neutrality Rules

    Agency Rule-Making & Guidance

    On December 14, the FCC voted 3-2 to overturn the 2015 Open Internet Order rules (known as “Net Neutrality” rules), which mandate that internet service providers (ISPs) treat all web content equally. The FCC released a draft order in November, which outlined the new framework for ISPs, including removing the restrictions barring the providers from slowing down or speeding up web traffic based on business relationships. ISPs are now required to publicly disclose information about their practices including any paid or affiliated prioritization of web content. The FCC places the enforcement authority of the new regulatory framework with the FTC. The order is effective upon OMB approval of the new requirements for ISP public disclosures.

    Agency Rule-Making & Guidance FCC Privacy/Cyber Risk & Data Security FTC Net Neutrality

  • Credit Reporting Agencies Must Comply With Emergency Regulations

    Privacy, Cyber Risk & Data Security

    On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to consumer protection activities of all state agencies, announced the adoption of regulations as part of its Identity Theft Prevention and Mitigation Program (the Program). According to a press release issued December 12 by the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to comply with the following, among other things:

    • provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
    • identify dedicated points of contact to assist the Division’s effective administering of the program;
    • make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
    • clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.

    Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.

    As previously covered by InfoBytes, New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS Credit Reporting Agency 23 NYCRR Part 500
