InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC Approves Modifications to COPPA Safe Harbor Program
On July 31, the FTC announced it has approved TRUSTe’s proposed modifications to its Children’s Online Privacy Protection Rule's (COPPA) safe harbor program. As previously covered in InfoBytes, COPPA regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. The safe harbor program allows the FTC to review and approve “self-regulatory guidelines” submitted by industry groups that implement “the same or greater protections for children” as those contained in the COPPA Rule, and subjects approved groups to safe harbor review and disciplinary procedures instead of formal enforcement action. Among the approved modifications is a change which requires all participants to conduct a comprehensive annual internal assessment of any third-party or service provider that collects personal information from children on their websites or through online services.
FTC to Host Joint Conference on Protecting Military Consumers
On July 27, the FTC announced it is partnering with state and local authorities to host the Protecting Military Consumers: A Common Ground Conference on September 7 in Los Angeles to provide training on consumer fraud and other issues affecting servicemembers and their families. The conference is geared towards military attorneys, law enforcement personnel, and consumer protection officials, and will include the following topics:
- student loans and for-profit colleges;
- identity theft and imposter scams;
- debt collections;
- mortgage disputes; and
- real estate fraud.
Additionally, the conference will discuss several federal, state, and local consumer protection laws, including the Servicemembers Civil Relief Act, the Military Lending Act, and FTC and CFPB rules and regulations.
Earlier in July, the FTC held a Military Consumer Financial Workshop to educate consumers on financial issues and scams they may face. (See previous InfoBytes coverage here.)
FinCEN, California U.S. Attorney Assess Civil Money Penalties Against Virtual Currency Transmitter and Operator for AML Violations
On July 27, the Financial Crimes Enforcement Network (FinCEN), in partnership with the U.S. Attorney’s Office for the Northern District of California, assessed a more than $110 million civil money penalty against an internet-based, foreign-located virtual currency transmitter for willfully violating the anti-money laundering (AML) provisions of the Bank Secrecy Act. A second, separate $12 million penalty was assessed against one of the company’s operators, a Russian national. Additionally, a California grand jury handed down a 21-count indictment against the currency transmitter and the Russian national. According to allegations, the company exchanged fiat currency in addition to virtual currencies such as bitcoin, and “facilitated transactions involving ransomware, computer hacking, identity theft, tax refund fraud schemes, public corruption, and drug trafficking.” The company also processed transactions using stolen funds.
Pursuant to the terms of the assessment, from November 2011 through the present, both the company and the operator allegedly failed to (i) meet money services business (MSB) registration requirements; (ii) implement an effective AML program; (iii) detect suspicious transactions or file suspicious activity reports; and (iv) obtain and retain records for transmitted funds of $3,000 or more. FinCEN warned that regardless of ownership or location, foreign-located MSBs are “required to comply with U.S. AML laws and regulations . . . including AML program, MSB registration, suspicious activity reporting, and recordkeeping requirements.”
This is the first action FinCEN has taken against a foreign-located MSB conducting business in the U.S.
FTC Announces Weekly Blog on Reasonable Data Security Practices
On July 21, the FTC announced a new initiative as part of ongoing efforts to provide guidance to businesses on protecting and securing consumer data. Each Friday, the FTC will post a new blog that will build on the FTC’s Start with Security principles, and will showcase hypothetical examples using material from closed investigations, FTC law enforcement actions, and questions from businesses. The first blog post, “Stick with Security: Insights into FTC Investigations,” highlights practical approaches for businesses to take in securing consumer data based on examples gleaned from FTC complaints and orders. The post also examines emerging themes from closed FTC data security investigations that did not necessarily result in FTC law enforcement.
FTC to Host Small Business Roundtables Focusing on Cybersecurity
On July 20, the FTC announced it will host a series of public roundtables to discuss pressing challenges facing small businesses when protecting the security of their computers and networks. The feedback will be used to assist the FTC and its partners in creating additional cybersecurity education resources. The Engage, Connect, and Protect Initiative: Small Business and Data Security Roundtables are part of Acting FTC Chairman Maureen K. Ohlhausen’s initiative to help small businesses protect against cyberattacks. Earlier this year, Ohlhausen launched a website designed to provide guidance for small businesses on scams and cyberattacks, many of which lack the resources larger companies have to spend on cybersecurity. (See previous InfoBytes post here.)
The first roundtable will be on July 25 in Portland, Oregon, in partnership with the National Cyber Security Alliance (NCSA), the SBA, and other organizations. On September 6, a second roundtable discussion will convene in Cleveland in collaboration with the SBA and the Council of Smaller Enterprises. The third roundtable in the series, sponsored by the NCSA, will occur later in September in Des Moines, Iowa.
House Appropriations Committee Approves Fiscal Year 2018 Funding Bills Affecting Housing and Urban Development, and Cybersecurity
On July 17, the House Appropriations Committee (Committee) approved the fiscal year 2018 transportation, housing and urban development funding bill by a vote of 31-20. Of the total $56.5 billion in funding provided by the bill, $38.3 billion is allocated to the Department of Housing and Urban Development (HUD) for community planning and development, which is $487 million below fiscal year 2017 but $6.9 billion above President Trump’s request. According to Committee Chairman Rodney Frelinghuysen, the bill “includes responsible funding to ensure communities across the nation have access to necessary community development funds, and [will] provide housing to those who need it the most – including the poor, elderly, and disabled.”
- A summary of the bill is available here.
- A copy of the legislative text of the bill is available here.
- A copy of the bill report is available here.
On July 18, the Committee approved the fiscal year 2018 homeland security bill by a vote of 30-22. The bill allocates $703 million to cybersecurity programs, which is $18 million less than President Trump’s request but $33 million above fiscal 2017 levels.
FTC Staff Supports FCC’s Proposal to Reverse Broadband Enforcement Authority
On July 17, FTC staff submitted its comments to the FCC in response to the FCC’s Notice of Proposed Rulemaking on Restoring Internet Freedom (NPRM), in favor of returning broadband enforcement authority to FTC. (See previous InfoBytes coverage here.) The NPRM would reverse a 2015 FCC decision, which changed the classification of broadband internet access service from an “information service to a common carrier service,” and resulted in a loss to the FTC’s authority. Currently, the FTC cannot regulate common carrier activities. FTC staff argued that with the exception of broadband providers, FTC jurisdiction covers virtually all other internet entities. Having one agency with enforcement authority over all internet entities would allow for “consistent standards and consistent application of those standards.” The result, the staff encouraged, would be the creation of a “level playing field for all companies operating in the Internet ecosystem.”
Acting FTC Chairman Maureen K. Ohlhausen endorsed the staff comments and offered support for the NPRM to reverse the 2015 Title II classification of broadband internet access service as a way to “restore the FTC’s ability to protect broadband consumers under its general consumer protection and competition authority.” However, FTC Commissioner Terrell McSweeny dissented, stating that “[u]nless Congress repeals the common carrier exemption in the FTC Act, the FTC could continue to face challenges to its authority over common carriers.” Consequently, “[r]epealing these rules would be harmful for consumers and the marketplace . . . . Rather than roll[ing] back protections, we should augment them with renewed FCC vigor and a change to anachronistic barriers to FTC enforcement.”
Hawaii Enacts Law to Prohibit Release of Credit Information of Children, Others
On July 5, Hawaii Governor David Y. Igge signed into law H.B. 651, which was devised to protect children and certain other individuals from identity theft and credit fraud. The law applies to “protected consumers,” defined as minors under the age of 16 years, incapacitated persons, and individuals with appointed guardians or conservators.
Based on research suggesting that minors may be targeted for identity theft due to their clean credit reports, the legislation permits representatives of protected consumers to place and remove security freezes on protected consumers’ credit files. Because one impediment to requesting such a freeze is the lack of an existing credit file, the legislation also requires consumer credit reporting agencies (CRAs) to create records for the protected consumers. A CRA may not release the protected person’s file when it is in a security freeze until the representative requests a removal of the freeze. In order to request a security freeze or a freeze removal, a protected person’s representative must provide proper identification and evidence of authority to the CRA. Additionally, with a few exceptions, the CRA may charge a fee not to exceed five dollars for each freeze or removal of a freeze to a protected person’s credit file.
The law will go into effect on January 1, 2018.
OCC Releases Spring 2017 Semiannual Risk Report
On July 7, the Office of the Comptroller of the Currency (OCC) announced the release of its Semiannual Risk Perspective for Spring 2017 indicating key risk areas for national banks and federal savings associations. Acting Comptroller of the Currency Keith Noreika pointed out in his remarks that, “[w]hile these are risks that the system faces as a whole, we note that the risks differ from bank to bank based on size, region, and business model. Compliance, governance, and operational risk issues remain leading risk issues for large banks while strategic, credit, and compliance risks remain the leading issues for midsize and community banks.”
The report details the four top risk areas:
- Elevated strategic risk—banks are expanding into new products and services as a result of fintech competition. According to the report, this competition is increasing potential risks. The OCC hopes to finish developing a special purpose banking charter for fintech companies soon.
- Increased compliance risk—banks must comply with anti-money laundering rules and the Bank Secrecy Act in addition to addressing increased cybersecurity challenges and new consumer protection laws.
- Upswing in credit risk—underwriting standards for commercial and retail loans have been relaxed as banks exhibit greater enthusiasm for risk and attempt to maintain loan market share as competition increases.
- Rise in operational risk—banks face increasingly complex cyber threats while relying on third-party service providers, which may be targets for hackers.
The report used data for the 12 months ending December 31, 2016.
Debt Collector Liable for Violating FDCPA and TCPA
On July 3, the Court of Appeals for the Third Circuit affirmed that a debt collector violated the Telephone Consumer Practices Act (TCPA) when it called a consumer’s cell phone without the consumer’s consent, resulting in a damages award of $34,500. Additionally, the appellate court reversed the district court’s decision regarding a Fair Debt Collection Practices Act (FDCPA) claim for sending a collection letter to the consumer without taking proper precautions to ensure the consumer’s account number would remain private. The debt collector put forth the defense of bona fide error regarding its alleged violations of the FDCPA. The appellate court, citing Supreme Court precedent, rejected the defense, holding that bona fide error could be claimed only in the case of a clerical or factual error, but a “mistaken interpretation of the law is inexcusable under the FDCPA’s bona fide error defense.” The Third Circuit remanded the FDCPA claim to the district court to enter judgment for the consumer and calculate the damages the debt collector must pay.