InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
House Subcommittee on Digital Commerce and Consumer Protection Holds Hearing to Discuss Consumer Fintech Needs
On June 8, the House Energy and Commerce Committee’s Subcommittee on Digital Commerce and Consumer Protection held a hearing to discuss financial products and services offered by the fintech industry to meet consumer needs. (See previous InfoBytes coverage here.) Committee Chairman Rep. Bob Latta (R-Ohio) opened the hearing asserting, “There are serious opportunities for companies to reach consumers with new products to help them create a rainy-day fund for the first time, pay their mortgage securely, rebuild their credit, budget and manage multiple income streams, and invest their earnings . . . Cybersecurity [specifically] is an ongoing challenge, and one the Energy and Commerce Committee is tackling head on.” The June 8 hearing included testimony and recommendations from the following witnesses:
- Ms. Jeanne Hogarth, Vice President at Center for Financial Services Innovation (CFSI) (statement). Hogarth stated that nearly three out of five American face financial health struggles and spoke about challenges fintech entrepreneurs may face when trying to help consumers, such as (i) “facilitat[ing] interstate and regulatory comity that enables consumers to access and use fintech products and service that promote financial health”; (ii) “support[ing] consumers’ access to their own data”; and (iii) “creat[ing] opportunities for pilot testing of both financial products and services and financial services regulations.” Hogath also detailed CFSI’s Financial Solutions Lab, which identifies financial health challenges faced by consumers and encourages companies to develop ways to address these issues.
- Mr. Javier Saade, Managing Director at Fenway Summer Ventures (statement). Saade—whose venture capital firm backs emerging fintech companies—stressed the importance of understanding and mitigating associated risks as financial innovation continues to expand. Growth is supported and encouraged, he noted, provided entrepreneurs understand that the “’fail fast and often’ approach, typical of tech-driven startups in other sectors, may not be well suited for the financial services industry.” Furthermore, Saade stated that because “nearly 30 million U.S. households either have no access to financial products or obtain products outside of the banking system . . . even modest strides in achieving economic inclusion present the single largest addressable opportunity in fintech.”
- Ms. Christina Tetreault, Staff Attorney at Consumer Union (statement). Tetreault, speaking on behalf of Consumer Union (the policy division of Consumer Reports), stated that while financial technology such as virtual currencies, digital cash, and distributed ledgers have the “potential to increase consumer access to safe financial products and return a measure of control to consumers,” safeguards devised between lawmakers and providers must be implemented with appropriate federal and state financial regulator oversight.
- Mr. Peter Van Valkenburgh, Research Director at Coin Center (statement). Coin Center is a non-profit organization, which focuses on “public policy ramifications of digital currencies and open blockchain networks.” Van Valkenburgh emphasized the need for Congress to (i) create a nationwide federal money transmission license as an alternative to “state by state licensing,” which, in his opinion, emphasizes the needs of individual states rather than addressing the health and risk profile as a whole; and (ii) create a federal safe harbor to “protect Americans developing open blockchain infrastructure.” Van Valkenburgh also encouraged the Office of the Comptroller of the Currency to establish federal “fintech charters” to promote a unified approach to regulating blockchain companies.
Vermont Governor Enacts Law Including Blockchain Application
On June 8, Vermont Governor Phil Scott signed into law legislation (S. 135), which would, among other things, allow for broader business and legal application of blockchain technology to promote economic development. Additionally, S. 135 requires the Center for Legal Innovation at Vermont Law School, the Commissioner of Financial Regulation, the Secretary of Commerce and Community Development, and the Vermont Attorney General to prepare a joint report for the General Assembly on “findings and recommendations,” as well as policy proposals and “measurable goals and outcomes” concerning “potential opportunities and risks presented by developments in financial technology.” The new law follows the passage of House Bill 868 last June, which defined blockchain as “a mathematically secured, chronological, and decentralized consensus ledger or database,” and formally recognized blockchain-notarized documents as having legal bearing in a court of law.
As previously reported in InfoBytes, Arizona recently enacted a similar law (AZ H.B. 2417) recognizing blockchain signatures and smart contracts under state law.
FTC to Host Third PrivacyCon Event, Issues Call for Presentations
On June 8, the FTC announced it will hold its third PrivacyCon, which will “expand collaboration among leading privacy and security researchers, academics, industry representatives, consumer advocates, and the government” to explore “the privacy and security implications of emerging technologies, such as the Internet of Things, artificial intelligence and virtual reality.” Specific topics will cover ways to quantify the harm when companies fail to secure consumer information, and how to “balance the costs and benefits of privacy-protective technologies and practices.” Additionally, the FTC issued a call for presentations to receive research and input on a several areas such as (i) the “nature and evolution of privacy and security risks”; (ii) “quantifying costs and benefits of privacy from a consumer perspective” and business perspective; and (iii) “incentives, market failures, and interventions.” Presentation submissions must be made by November 17, 2017. The event will take place on February 28, 2018 in Washington, DC.
FTC Obtains Multiple Judgments Against California and Florida-Based Robocall Operations
The FTC recently entered judgments against robocalling operations based in California and Florida who engaged in activities that violated, among other things, the Telemarketing Sales Rule (TSR) and the Telemarketing Consumer Fraud and Abuse Prevention Act.
California Default Judgments. On June 2, the FTC announced a California federal district court judge approved default judgments against an individual and each of the nine corporations for which he was an “actual or de facto owner, officer or manager” (Defendants). According to the FTC’s complaint, over a period spanning approximately seven years, the Defendants allegedly initiated—or helped to initiate—“billions” of illegal robocalls without receiving written permission from consumers. Many of the calls made were to numbers on the Do Not Call (DNC) Registry to “induce the purchase of goods or services” such as auto warranties, home security systems, or search engine optimization services. Violations of the TSR cited include knowingly assisting and facilitating telemarketers engaged in abusive practices. According to the terms of the default judgments, the individual has been assessed a $2.7 million penalty, and the Defendants are permanently banned from all telemarketing activities.
Florida Consent Order. On June 5, the FTC and the Florida Attorney General entered eight stipulated orders against Orlando-based individuals and companies—18 Defendants in total—who violated the TSR, Telemarketing and Consumer Fraud and Abuse Prevention Act, and Florida’s Telemarketing and Consumer Fraud and Abuse Act for, among others things, using robocalls to sell credit card interest rate reduction programs, in addition to calling numbers on the DNC Registry. According to the joint complaint, the Defendants allegedly engaged in the following violations: (i) offered debt relief programs but failed to provide promised services; (ii) misrepresented their affiliations with consumers’ banks or credit card companies; (iii) unfairly authorized charges without obtaining consent; (iv) received fees prior to providing debt relief services; (v) failed to transmit telemarketer information; (vi) used prerecorded messages to “induce the purchase of goods or services”; and (vii) failed to make oral disclosures. The stipulated orders settle charges against all Defendants and require that they stop the “allegedly illegal conduct.” Some of the Defendants have also been issued financial penalties. Furthermore, the FTC entered a $4.8 million judgment against 12 Defendants identified as the primarily parties for the scam. This amount represents the full amount of consumer harm caused. All stipulated orders can be accessed through the FTC press release.
CFPB Monthly Complaint Snapshot Highlights Complaints from Older Consumers
On May 31, the CFPB released Vol. 23 of its Monthly Complaint Report. This month’s report highlights complaints from “older consumers” defined as those who voluntarily report their age as 62 or older. Since it began accepting complaints, the Bureau has received over 1 million complaints—more than 100,000 from older consumers. The report focuses on these complaints, with some of the most common in 2017 including:
- Reverse mortgage servicing issues, which are unique to this group of consumers. Many of the complaints surround older consumers attempting to stay in their home after the death of the borrowing spouse, occasionally ending in foreclosure;
- Financial scams and identity theft issues are often difficult to recover from—especially for consumers on fixed-incomes;
- Credit card issues such as introductory offers may cause confusion for older consumers in understanding credit terms and conditions or the difference between zero interest and deferred interest. Additionally, many older consumers struggle with billing disputes, unwanted subscription services and credit monitoring; and
- Escrow issues, especially when the consumer is trying to benefit from tax relief programs.
The graph shown in a blog on the Bureau’s website compares complaints from consumers 62 and older with complaints from consumers under 62. Although both groups of consumers reported complaints for many of the same products, the graph shows that mortgages, debt collection and credit cards, in that order, are the top three products for those 62 and older—whereas debt collection, mortgages and credit reporting are the top three for those under 62. Additionally, the report reveals that almost a quarter of all complaints from older consumers came from residents of California, Texas, and Florida.
NASAA to Convene Roundtable on Cybersecurity Developments
On May 31, the North American Securities Administrators Association (NASAA) announced it will hold a cybersecurity roundtable for industry experts to discuss latest developments as well as strategies for investment advisers and broker-dealers to protect personal client information. In addition to convening representatives from state securities agencies and the financial services industry, roundtable discussions will also feature representatives from the FBI, Treasury, and the SEC. The event will take place June 23 from 9 a.m. to 3:30 p.m. in Washington, DC. Registration information can be accessed here.
FFIEC Releases Update to Cybersecurity Assessment Tool to Aid Institution Preparedness
On May 31, the Federal Financial Institutions Examination Council (FFIEC) announced the release of an update to the Cybersecurity Assessment Tool (CAT) developed to aid institutions in determining their risk profiles, identifying risks, and determining cybersecurity preparedness. The update details changes made to the FFIEC IT Examination Handbook and provides a revised mapping in Appendix A to the updated Information Security and Management booklets. The press release notes that “[m]anagement of financial institutions and management of third-party service providers are primarily responsible for assessing and mitigating their entities’ cybersecurity risk. Outlined in Appendix A, the CAT is a framework designed to provide a “repeatable and measurable process” to measure cybersecurity in areas such as cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. The CAT also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.” Financial institutions access addition cybersecurity risk management information here.
President Trump Releases 2018 Budget Proposal; Key Areas of Reform Target Financial Regulators, Cybersecurity, and Student Loans
On May 23, the White House released its fiscal 2018 budget request, A New Foundation for American Greatness, along with Major Savings and Reforms, which set forth the President’s funding proposals and priorities. The mission of the President’s budget is to bring spending under control by proposing savings of $57.3 billion in discretionary programs, including $26.7 billion in program eliminations and $30.6 billion in reductions.
Financial Regulators. The budget stresses the importance of reducing the cost of complying with “burdensome financial regulations” adopted by independent agencies under the Dodd-Frank Act. However, the proposal provides few details about how the reform applies to federal financial services regulators. Identifying the CFPB specifically, the budget states that restructuring the Bureau is necessary in order to “ensure appropriate congressional oversight and to refocus [the] CFPB’s efforts on enforcing the law rather than impeding free commerce.” Major Savings and Reforms assert that subjecting the Bureau to the congressional appropriations process would “impose financial discipline and prevent future overreach of the Agency into consumer advocacy and activism.” The budget projects further savings of $35 billion through the end of 2027, resulting from legal, regulatory, and policy changes to be recommended by the Treasury once it completes its effectiveness review of existing laws and regulations in collaboration with the Financial Stability Oversight Council. The Treasury review is being performed as a result of the Executive Order on Core Principals.
Dept. of Housing and Urban Development. As previously reported in InfoBytes, the budget proposes that funding be eliminated for the following: (i) small grant programs such as the Self-Help Homeownership Opportunity Program, which includes, among others, the Capacity Building for Community Development and Affordable Housing Program (a savings of $56 million); (ii) the CHOICE Neighborhoods program (a savings of $125 million), stating state and local governments should fund strategies for neighborhood revitalization; (iii) the Community Development Block Grant (a savings of $2.9 billion), over claims that it “has not demonstrated results”; and (iv) the HOME Investment Partnerships Programs (a savings of $948 million). The budget also proposes reductions to the Native American Housing Block Grant and plans to reduce costs across HUD’s rental assistance programs through legislative reforms. Rental assistance programs generally comprise about 80 percent of HUD’s total funding.
Cybersecurity. The budget states that it “supports the President’s focus on cybersecurity to ensure strong programs and technology to defend the Federal networks that serve the American people, and continues efforts to share information, standards, and best practices with critical infrastructure and American businesses to keep them secure.” Law enforcement and cybersecurity personnel across the Department of Homeland Security (DHS), Department of Defense, and the FBI will see budget increases to execute efforts to counter cybercrime. Furthermore, the National Cybersecurity and Communications Integration Center—which DHS uses to respond to infrastructure cyberattacks—will receive an increase under the budget.
Student Loan Reform. Under the proposed budget, a single income driven repayment plan (IDR) would be created that caps monthly payments at 12.5 percent of discretionary income—an increase from the 10 percent cap some current payment plans offer. Furthermore, balances would be forgiven after a specific number of repayment years—15 for undergraduate debt, 30 for graduate. In doing so, the Public Service Loan Forgiveness program and subsidized loans will be eliminated, and reforms will be established to “guarantee that borrowers in IDR pay an equitable share of their income.” These proposals will only apply to loans originated on or after July 1, 2018, with the exception of loans provided to borrowers in order to finish their “current course of study.”
Dept. of the Treasury. The budget proposes to, among other things: (i) eliminate funding for new Community Development Financial Institutions Fund grants (a savings of $220 million); and (ii) reduce funding for the Troubled Asset Relief Program by 50 percent, “commensurate with the wind-down of TARP programs” (a savings of $21 million).
Response from Treasury. In a statement released by the Treasury, Secretary Steven T. Mnuchin said the budget “prioritizes investments in cybersecurity, and maintains critical funding to implement sanctions, combat terrorist financing, and protect financial institutions from threats.” Furthermore, it also would “achieve savings through reforms that prevent taxpayer bailouts and reverse burdensome regulations that have been harmful to small businesses and American workers.”
New York AG Settles Charges with Tech Company Over WiFi Lock Vulnerabilities
On May 22, New York Attorney General Eric T. Schneiderman announced that a Utah-based tech company agreed to settle allegations that, among other things, its wireless doors and padlocks failed to protect consumers’ personal information, leaving consumers vulnerable to hacking and theft. This action marks the first time the Attorney General’s office has taken legal action against a wireless security company for failing to protect private data. Results from an August 2016 study, conducted by independent security researchers, reveal that the tech company’s Bluetooth-enabled locks “transmitted passwords between the locks and the user’s smartphone . . . without encryption” and also contained “weak default passwords.” Both issues allowed perpetrators to intercept passwords and undo the locks. Under the terms of the settlement, the company agreed to reform its data security practices and implement a comprehensive security program.
U.S. Retailer Settles States’ Investigation Over 2013 Data Breach, Fined $18.5 Million in Settlement
On May 23, a major U.S. retailer reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the retailer’s 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. According to multiple state attorneys general, this represents the largest multistate data breach deal to date. According to the states’ investigation, the November 2013 security breach occurred when cyberattackers accessed the retailer’s customer service database to install malware that was able to capture consumers’ personal information, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs. Under the terms of the Assurance of Voluntary Compliance, the retailer agreed to do the following, including:
- develop, implement, and maintain a comprehensive Information Security Program (Program) and required safeguards;
- employ an executive or officer with information security experience responsible for executing the Program and advising the CEO and Board of Directors of security-related issues;
- develop and implement risk-based policies and procedures for auditing vendor compliance with the Program;
- maintain and support software on its network for data security purposes;
- maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
- segment its cardholder data environment from the rest of its computer network;
- undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication;
- deploy and maintain a file integrity monitoring solution; and
- hire a third-party to conduct a comprehensive security assessment.
The majority of the terms last five years.
States involved issued press releases announcing their portions of the settlement. California Attorney General Xavier Becerra stated that California will be receiving more than $1.4 million from the settlement, the largest share of any state. Illinois, which co-led the investigation with the state of Connecticut, will receive more than $1.2 million from the settlement, according to Attorney General Lisa Madigan, who stated, “Today’s settlement . . . establishes industry standards for companies that process payment cards and maintain secure information about their customers.” Connecticut Attorney General George Jepsen noted that the retailer “deserves credit for its actions in response to this breach, including its cooperation with our investigation and negotiations that led to this settlement. I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information.”