
InfoBytes Blog

Financial Services Law Insights and Observations

  • CFPB Issues Principles Concerning Security and Transparency for Financial Data Sharing and Third-Party Aggregation

    Privacy, Cyber Risk & Data Security

    On October 18, the CFPB published guidelines entitled “Consumer Protection Principles” (Principles), which are “intended to reiterate the importance of protecting consumers” when companies, including “fintech” firms, banks, and other financial institutions, get authorization from consumers to access their account data that reside in separate organizations to provide products and services. Earlier this year, industry groups responded to a CFPB request for information and weighed in on the benefits and risks associated with consumers authorizing third parties to access their financial and account information held by financial service providers. (See previous InfoBytes summary here.) Along with the Principles, the CFPB published a summary of stakeholder insights, which highlights the feedback received by the Bureau. Separately, on October 16, Senator Edward J. Markey (D-Mass.) sent a letter to Director Richard Cordray raising concerns about data security during the transfer of consumer data to third-party aggregators and highlighting the need for transparency concerning the use of the data.

    The Principles address the following areas: (i) data access; (ii) data scope and usability; (iii) control of data and informed consent; (iv) payment authorizations; (v) data security; (vi) transparency on data access rights; (vii) data inaccuracies; (viii) dispute rights and unauthorized access resolution; and (ix) mechanisms for efficient and effective accountability.

    Notably, the Bureau recognized that there already exist statutes and regulations that apply to consumer protections in this market. As such, the Principles “are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—the scope of those existing protections,” and therefore do not establish “binding requirements.”

    Privacy/Cyber Risk & Data Security Consumer Finance CFPB Vendor Management Third-Party Fintech eCommerce

  • G-7 Releases Follow-Up Report on Fundamental Elements for Cybersecurity Assessment

    Privacy, Cyber Risk & Data Security

    On October 13, G-7 finance ministers and central bank governors released a report titled G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector to provide guidance on G-7 countries’ (Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States) expectations for effective cybersecurity assessments for the financial sector. The non-binding fundamental building blocks contained within the report build upon guidance issued last year by G-7, and provide tools for institutions to evaluate the performance and assessment of cybersecurity practices. (See previous InfoBytes coverage here.) In the current report, G-7 outlines five desirable outcomes organizations can strive to achieve when developing cybersecurity capabilities, along with five assessment components assessors can use when developing effective practices for cyber risk management.

    “Cybersecurity, particularly in the financial sector, is a top priority for the United States, and we are pleased to work with the members of the G-7 to advance a common approach that enhances resiliency,” Treasury Secretary Steven T. Mnuchin stated in a press release announcing the report. “Technology has become the global engine driving innovation and economic growth, and it provides a channel for the financial sector to engage customers and counterparties. However, this trend brings increased cyber risk, which is real, dynamic, and evolving.”

    Privacy/Cyber Risk & Data Security Department of Treasury G-7

  • OCC Acting Comptroller Shares Thoughts on Opportunities to Reduce Regulatory Burdens

    Federal Issues

    On October 5, OCC Acting Comptroller of the Currency Keith Noreika spoke before the 2017 Midsize Bank Coalition of America Chief Risk Officer Meeting to discuss opportunities for regulatory reform.

    According to Noreika, one area of concern is the adverse effect of arbitrary asset thresholds on the annual stress tests required under the Dodd-Frank Act because the burden “is not commensurate with the systemic risks presented by an institution.” Given the amount of diversity in the business models of banks that have around $10 billion in assets, “regulators need the ability and authority to tailor their supervision to the unique risks presented by individual banks.” Noreika suggested an approach that would give federal banking agencies the authority to tailor statutory stress testing requirements without an asset threshold, thus reducing the risk of banks growing beyond the threshold to offset increased costs or staying below the threshold to avoid unwelcome scrutiny.

    Noreika also urged interagency harmonization of guidance and policies to avoid conflicting regulatory guidance when addressing cybersecurity issues.

    Additionally, Noreika addressed the CFPB’s arbitration rule as an example of the need to work “to ensure regulation is balanced and appropriate by speaking up when we see proposed rules that may adversely affect the business of banking, have systemic effects, or result in perverse unintended consequences.” Noreika stated that prior to the publication of the final arbitration rule, the OCC requested access to the data the CFPB used to develop and support the rule in order to conduct an independent review. However, it was not until after the rule was published that the CFPB made the data available. According to OCC findings, the rule will adversely impact consumers by increasing costs. Community banks, Noreika noted, will also bear the burden of increased legal costs from defending lawsuits.

    Finally, Noreika commented that banks continue to face challenges when trying to implement Bank Secrecy Act compliance programs and adapt to new requirements under TRID, HMDA, and the Military Lending Act.

    Federal Issues Agency Rule-Making & Guidance OCC Bank Compliance Dodd-Frank Stress Test Arbitration CFPB Privacy/Cyber Risk & Data Security

  • Coalition of State Attorneys General Urge Credit Reporting Agencies to Offer No-Fee Credit Freeze

    Privacy, Cyber Risk & Data Security

    On October 10, a coalition of 37 state attorneys general sent letters (here and here) to the CEOs of two major credit reporting agencies (CRAs), urging them to stop charging fees to consumers seeking credit freezes as a measure to protect against identity theft in light of a third CRA’s massive data breach. On September 15, as previously reported in InfoBytes, 34 state attorneys general sent a letter to the breached CRA’s legal counsel requesting it disable fee-based credit monitoring services. The October 10 letters note that currently seven states prohibit CRAs from charging fees to consumers for credit freezes and at least two other states have proposed legislation that would require CRAs to offer free credit freezes.

    Privacy/Cyber Risk & Data Security State Attorney General Consumer Finance Security Freeze

  • Senate Special Committee Hearing Focuses on Continuing Efforts to Combat Illegal Robocalls

    Federal Issues

    On October 4, the Senate Special Committee on Aging (Committee) held a hearing entitled “Still Ringing Off the Hook: An Update on Efforts to Combat Robocalls” to discuss efforts to combat illegal robocalls. Committee Chairman Susan M. Collins (R-Me.) opened the hearing by reinforcing the importance of utilizing technology not only to block robocalls but to better understand the scams that continue to impact consumers. Sen. Collins also stressed the positive impact “aggressive law enforcement” has had on these efforts.

    According to a hearing-related press release issued by the FTC, the Commission received more than 3.4 million robocall complaints from consumers in 2016 and at least another 3.5 million complaints between January and August 2017. The FTC’s ongoing efforts to address these complaints include: (i) initiating enforcement actions targeting robocall violators; (ii) cooperating with law enforcement at the state, federal, and international level to develop solutions to prevent and detect calls; and (iii) as previously discussed in InfoBytes, publicly posting robocall numbers received from consumer complaints to help industry groups develop call-blocking solutions. The following four witnesses offered testimony on industry and state efforts to protect consumers from scams and increase education efforts.

    • Ms. Lois C. Greismann, Associate Director of the Division of Marketing Practices, Bureau of Consumer Protection, FTC (testimony);
    • The Honorable Josh Shapiro, Pennsylvania Attorney General (testimony);
    • Mr. Kevin Rupy, Vice President for Law and Public Policy, USTelecom (testimony); and
    • Ms. Genie Barton, President, BBB Institute for Marketplace Trust (testimony).

    Federal Issues Privacy/Cyber Risk & Data Security FTC Telemarketing Sales Rule U.S. Senate State Attorney General

  • FTC, Department of Education Announce Education Technology Workshop to Explore Privacy Issues

    Privacy, Cyber Risk & Data Security

    On October 4, the FTC and the Department of Education issued a notice announcing a joint Ed Tech (education technology) workshop to examine the challenges concerning privacy implications as more schools are using school-issued personal computing devices. The workshop will discuss issues surrounding the FTC’s Children’s Online Privacy Protection Act Rule (COPPA) as it applies to schools and how it intersects with the Department of Education’s Family Educational Rights and Privacy Act, which is designed to protect the privacy of students’ education records. The workshop, which is open to the public, will be held in Washington, D.C., on December 1.

    As previously covered in InfoBytes, the FTC made modifications to COPPA’s safe harbor program this past July that now require all participants to conduct a comprehensive annual internal assessment of any third-party or service provider that collects personal information from children on their websites or through online services, in addition to issuing updates in June regarding resources companies can use to ensure COPPA compliance.

    Privacy/Cyber Risk & Data Security Agency Rule-Making & Guidance FTC Department of Education COPPA

  • FTC to Hold Informational Injury Workshop

    Privacy, Cyber Risk & Data Security

    On September 29, the FTC announced it will host an “informational injury” workshop on December 12 to examine the types of injuries consumers face when information about them is misused, as well as the tradeoffs when collecting, using, or sharing consumers’ personal information. In preparation for the workshop, the FTC is seeking public input concerning a range of issues such as (i) the types of qualitative consumer injuries resulting from privacy and data security incidents; (ii) the best ways to assess or quantify injury; and (iii) the cost-benefit analysis of collecting, using, and sharing information when facing potential injury. The FTC will accept comments through October 27.

    Privacy/Cyber Risk & Data Security FTC Enforcement

  • White House Releases Proclamation Announcing National Cybersecurity Awareness Month

    Privacy, Cyber Risk & Data Security

    On September 30, President Trump issued a Proclamation announcing October 2017 as National Cybersecurity Awareness Month. As part of the initiative, the Department of Homeland Security (DHS) issued tools and resources for both consumers and organizations to manage cybersecurity risk. As previously covered in InfoBytes, the President issued an Executive Order earlier this year entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” that requires agencies to submit risk management reports to DHS and develop recommendations for cybersecurity improvements affecting all critical infrastructure, including the financial services industry.

    Privacy/Cyber Risk & Data Security Federal Issues Risk Management Trump Department of Homeland Security Executive Order

  • OCC Releases Bank Supervision Operating Plan for Fiscal Year 2018

    Agency Rule-Making & Guidance

    On September 28, the OCC’s Committee on Bank Supervision released its bank supervision operating plan (Plan) for fiscal year (FY) 2018. The Plan outlines the agency’s supervision priorities and specifically highlights the following supervisory focus areas: (i) cybersecurity and operational resiliency; (ii) commercial and retail credit loan underwriting, concentration risk management, and the allowance for loan and lease losses; (iii) business model sustainability and viability and strategy changes; (iv) Bank Secrecy Act/anti-money laundering compliance management; and (v) change management to address new regulatory requirements.

    The annual Plan guides the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and service providers.

    The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered.

    Agency Rule-Making & Guidance OCC Risk Management Anti-Money Laundering Bank Secrecy Act Compliance Lending Privacy/Cyber Risk & Data Security

  • Senate Judiciary Tech Subcommittee to Hold Hearing on Data Breach; New Credit Reporting Agency CEO Speaks Out

    Privacy, Cyber Risk & Data Security

    On September 27, interim CEO, Paulino do Rego Barros Jr., spoke out for the first time since a major credit reporting agency (agency) appointed him to the role the previous day. In addition to issuing an apology, Barros stated that the agency is extending the deadline to sign up for their credit monitoring services and free credit freezes through the end of January 2018. He also made the commitment that by January 31, the agency will offer a new service for consumers to control access to their personal credit data. As previously reported in InfoBytes, the agency is still in the process of responding to the data breach that impacted approximately 143 million U.S. consumers.

    On October 4, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will hold a hearing on the agency’s data breach to continue to monitor data-broker cybersecurity. The hearing is scheduled for 2:30 pm in the Dirksen Senate Office Building 226.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach Senate Judiciary Subcommittee Consumer Finance
