
InfoBytes Blog

Financial Services Law Insights and Observations


  • FCC Denies Petition by MBA to Exempt Certain Mortgage Servicing Calls from Prior Express Consent Requirement

    Federal Issues

    In an order dated November 15, the FCC’s Consumer and Governmental Affairs Bureau denied a petition by the Mortgage Bankers Association (MBA) that sought an exemption from the FCC’s prior express consent requirement for non-telemarketing residential mortgage servicing auto-dialer calls to wireless numbers. In its order, the Bureau concluded that MBA had failed to show (1) that the calls in question would be free of charge to consumers; and (2) that the parties seeking relief should be able to send non-time-sensitive calls to consumers without their consent.

    Among other things, the Order explained that the Telephone Consumer Protection Act (TCPA) “reflects Congress’ recognition of the potential costs and privacy risks imposed on wireless consumers from the use of auto-dialer equipment, which can generate large numbers of unwanted calls” and accordingly, the FCC has generally attempted to balance and accommodate the legitimate business interests of callers in addition to recognized consumer privacy interests.

    Federal Issues Consumer Finance TCPA FCC U.S. Senate U.S. House Privacy/Cyber Risk & Data Security

  • CFPB Launches Inquiry into Consumer Financial Data Access

    Consumer Finance

    On November 17, the CFPB formally announced the launch of an inquiry into the benefits and risks associated with consumers authorizing third-parties to access their financial and account information held by financial service providers. The CFPB has been investigating and assessing issues related to data access and technological innovation for some time, including through Project Catalyst.

    As detailed in the Request for Information (Dkt No. CFPB-2016-0048) issued on November 17, the CFPB is focused on three main points of inquiry: (i) secure access for consumers -- i.e., are consumers able to securely access, and authorize others to securely access, their financial records? Are there any “business burdens” that must be addressed to provide access and use of financial records?; (ii) third-party risk -- i.e., some financial institutions have expressed concern that providing third parties with access to records may compromise consumer privacy or put their funds at risk. The CFPB would like to learn more about options for ensuring that financial records are securely obtained, stored and used; and (iii) consumer control -- i.e., to what extent are consumers able to control how shared data is being used by third parties with authorized access? Are consumers able to limit the number of times those firms can access the data?

    In prepared remarks delivered at a field hearing in Salt Lake City, UT, CFPB Director Richard Cordray explained: “The technology around digital financial records continues to develop and, so far, there are many unanswered questions about how the information is being shared, by and to whom, and how safely. As with any emerging industry, we are hearing about some bumps in the road. Both Fintech companies and financial institutions, as well as consumer groups, are describing to us the various challenges, risks and technological obstacles to further progress in this area.”

    Consumer Finance CFPB Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • Eleventh Circuit Stays Enforcement of FTC's LabMD Order

    Courts

    In an order released November 10 in LabMD, Inc. v. FTC, the Eleventh Circuit stayed the execution of an FTC data security enforcement order against LabMD Inc. pending the appellate court’s own ruling on whether the agency acted on an unreasonable interpretation of the level of data security that companies must provide. LabMD, Inc. v. FTC, No. 16-16270-D, Order Granting Stay (11th Cir. Nov. 10, 2016).

    The FTC had ruled in July that LabMD’s data security practices violated the FTC Act, clarifying and expanding upon the FTC’s authority to regulate corporate data security practices. After an FTC administrative law judge denied LabMD’s request to stay enforcement until the medical company had exhausted its remedies on appeal, LabMD appealed to the Eleventh Circuit, which granted the stay in a unanimous decision.

    Noting that the case turns upon whether the FTC’s interpretation of the FTC Act is reasonable, the appellate court granted the stay based on its finding that (i) “there are compelling reasons why the FTC’s interpretation may not be reasonable”; (ii) complying with the FTC’s Order would cause LabMD irreparable harm given its financial situation; (iii) there would be no substantial injury to other parties given that LabMD is no longer operating; and (iv) the public interest factor was neutral. The appeal will now proceed on the merits of LabMD’s arguments for reversal of the FTC’s enforcement order.

    Courts FTC Enforcement Privacy/Cyber Risk & Data Security

  • FinCEN Issues Advisory and Supplemental FAQs on Cyber-Events and Cyber-Enabled Crime

    Federal Issues

    On October 25, FinCEN issued advisory bulletin FIN-2016-A005 reminding financial institutions of their Bank Secrecy Act (BSA) obligations to report certain cyber-events and cyber-enabled crime. The advisory highlights the importance of (i) reporting cyber-events and cyber-enabled crime through Suspicious Activity Reports (SARs); (ii) including cyber-related information such as IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information, in SAR reporting; (iii) collaborating with BSA/AML, cybersecurity, and other in-house units to facilitate “a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime”; and (iv) sharing cyber-related information – including specific malware signatures, IP addresses and device identifiers, and virtual currency addresses that seem anonymous – amongst financial institutions for the “purpose of identifying and, where appropriate, reporting money laundering or terrorist activities.” Importantly, the advisory distinguishes between mandatory SAR reporting of cyber-events, providing three specific examples, and voluntary reporting of cyber-events. Per the advisory, “[c]yber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”

    FinCEN simultaneously issued FAQs to supplement advisory bulletin FIN-2016-A005. The FAQs, which supersede 2001 FAQs regarding computer intrusion, provide answers to a set of nine questions. The FAQs address, among other things, (i) when cyber-related SAR reports should be filed; (ii) the type of information that should be included in cyber-related SARs; and (iii) cyber-event and cyber-enabled crime information sharing, pursuant to Section 314(b) of the USA PATRIOT Act, between financial institutions.

    Federal Issues Banking Anti-Money Laundering FinCEN Bank Secrecy Act SARs Patriot Act Privacy/Cyber Risk & Data Security

  • FCC Adopts Privacy Rules for Broadband Providers

    Federal Issues

    On October 27, the FCC adopted privacy rules regulating how broadband internet service providers (ISPs) use and share their customers’ data. As previously covered in InfoBytes, the FCC issued revised proposed privacy rules for ISPs in early October to provide consumers with “increased choice, transparency and security online.” Like the proposed rules, the adopted rules (i) require ISPs to obtain affirmative (opt-in) consent before using or sharing sensitive information; and (ii) permit ISPs to use and share non-sensitive information unless a customer opts out.

    Because the scope of the rules is limited to broadband service providers and other telecommunications carriers, the FTC retains its authority over the privacy practices of websites and other “edge services.” In support of the newly adopted FCC rules, FTC Chairwoman Edith Ramirez commented that “[t]he rules will provide robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geolocation data, and content of communications, and requiring reasonable data security practices.”

    Federal Issues FCC Agency Rule-Making & Guidance Privacy/Cyber Risk & Data Security

  • California AG Harris Launches New Consumer Privacy Tool

    State Issues

    On October 14, California AG Harris released an online complaint form designed to help consumers report potential violations of the California Online Privacy Protection Act (CalOPPA). Pursuant to the CalOPPA, commercial websites and online services collecting consumer information are required to post privacy policies that include “the categories of information collected, the types of the third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the [policy’s] effective date.” As part of AG Harris’s “multi-pronged” effort to improve online privacy for consumers, the form will allow consumers to “crowdsource” privacy policy violations, thus “exponentially increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.”

    State Issues State Attorney General Data Collection / Aggregation Privacy/Cyber Risk & Data Security Vendor Management

  • Federal Banking Agencies Consider Joint ANPR to Address Cybersecurity Standards

    Federal Issues

    On October 19, the FDIC, the OCC, and the Federal Reserve issued an Advance Notice of Proposed Rulemaking (ANPR) to further the “development of enhanced cyber risk management standards for the largest and most interconnected entities under their respective supervisory jurisdictions, and those entities’ service providers.” These standards, according to the ANPR, are intended to “increase the operational resilience” of supervised entities and their service providers and, given the interconnectedness of these entities, “reduce the impact on the financial system in case of a cyber event experienced by one of these entities.” The ANPR proposes organizing the enhanced cyber standards into the following categories: (i) cyber risk governance; (ii) cyber risk management; (iii) internal dependency management; (iv) external dependency management; and (v) incident response. The ANPR further explains that the banking agencies “are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.” Comments on the ANPR, which would not apply to community banks, are due January 17, 2017.

    Federal Issues FDIC Banking Federal Reserve OCC Agency Rule-Making & Guidance Privacy/Cyber Risk & Data Security Vendor Management

  • FFIEC Releases FAQs on Cybersecurity Assessment Tool

    Federal Issues

    On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. Developed to assist financial institutions in identifying risks and assessing cybersecurity preparedness, the Assessment is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectation that Inherent Risk Profile levels align with an institution’s Cybersecurity Maturity.

    Federal Issues FFIEC Bank Supervision NIST Risk Management Privacy/Cyber Risk & Data Security

  • Federal Reserve Board Member Recognizes Blockchain Technology's Potential; Warns of Associated Risks

    Federal Issues

    On October 7, at the Institute of International Finance Annual Meeting Panel on Blockchain, Federal Reserve Board member Lael Brainard delivered a speech titled “Distributed Ledger Technology: Implications for Payments, Clearing, and Settlement.” Brainard acknowledged blockchain technology as possibly the “most significant development in many years in payments, clearing, and settlement” and outlined its potential “to transform the way financial market participants transfer, store, and maintain ownership records of digitized assets.” Brainard highlighted payment technology changes as a particular regulatory focus and emphasized the Federal Reserve’s “responsibilities for promoting the safety and efficiency of the payments and settlements systems; supervising financial institutions engaged in payments, clearing and settlement; and safeguarding financial stability.” The following potential benefits of blockchain technology are among those discussed in Brainard’s speech: (i) faster processing and reduced costs in cross-border payments and trade finance; (ii) transparency, reduced costs, and faster settlements within securities markets; and (iii) cryptography as a secure way of transmitting and storing data. Brainard cautioned that, notwithstanding the technology’s promise, certain risks associated with financial technological developments and innovation remain, particularly in the areas of settlement, operations, cybersecurity, money laundering, and terrorist financing. Brainard concluded by highlighting the Federal Reserve’s commitment to industry engagement as blockchain technology evolves, noting that stakeholders “will work together to foster socially beneficial innovation, while insisting that risks are thoroughly understood, managed, and controlled.”

    Federal Issues Digital Assets Payment Systems Federal Reserve Payments Blockchain Privacy/Cyber Risk & Data Security Distributed Ledger

  • Treasury and Federal Reserve Support G-7 Elements of Cybersecurity for the Financial Sector

    Federal Issues

    On October 11, the U.S. Department of the Treasury announced that the Group of Seven (G-7) countries – comprised of the United States, Canada, France, Germany, Italy, Japan, and the United Kingdom – issued fundamental elements to “help address cyber risks facing the financial sector from both entity-specific and system-wide perspectives.” In Fundamental Elements of Cybersecurity for the Financial Sector, the G-7 outlines eight elements for private and public entities within the financial sector to use as “building blocks” for confronting cyber-related issues, the first of which is to establish and implement cybersecurity strategies and operational frameworks tailored to an entity’s nature, size, complexity, risk profile, and culture. The G-7’s remaining seven elements are as follows: (i) define and facilitate effective governance structures to ensure accountability; (ii) identify cyber risks and implement control assessments, including systems, policies, procedures, and training; (iii) “establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises”; (iv) ensure that incident response policies are effective and guarantee timeliness; (v) establish and test contingency plans that help to ensure effective recovery of critical functions and operations; (vi) share cybersecurity information with internal and external stakeholders, including threat indicators, vulnerabilities, and incidents; and (vii) develop a review process that addresses, among other things, evolving cyber risks. In support of the G-7 elements, Federal Reserve Vice Chairman Stanley Fischer stated that they are “a crucial step in further hardening each link in the chain of our global financial system.”

    Federal Issues Federal Reserve International Department of Treasury Privacy/Cyber Risk & Data Security
