InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB looking at privacy implications of worker surveillance
On June 20, the CFPB released a statement announcing it will be “embarking on an inquiry into the data broker industry and issues raised by new technological developments.” The Bureau requested information in March about entities that purchase information from data brokers, the negative impacts of data broker practices, and the issues consumers face when they wish to see or correct their personal information. (Covered by InfoBytes here.) The findings from this inquiry will help the Bureau understand how employees’ personal information can find its way into the data broker market.
With similar intentions, the White House Office of Science and Technology Policy (OSTP) released a request for information (RFI) to learn more about the automated tools employers use to monitor, screen, surveil, and manage their employees. The OSTP blog post cited to an increase in the use of technologies that handle employees’ sensitive information and data. The OSTP also highlighted the Biden administration’s Blueprint for an AI Bill of Rights (covered by InfoBytes here), which underscored the importance of building in protections when developing new technologies and understanding associated risks. Responses to the RFI will be used to “inform new policy responses, share relevant research, data, and findings with the public, and amplify best practices among employers, worker organizations, technology vendors, developers, and others in civil society,” the OSTP said.
The CFPB’s response to the RFI described the agency’s concerns regarding risks to employees’ privacy, noting that it has long received complaints from the public about the lack of transparency and inaccuracies in the employment screening industry. Specifically mentioned are FCRA protections for consumers and guidelines around the sale of personal data. The Bureau also commented that employees may not be at liberty to determine how their information is used, or sold, and have no opportunity for recourse when inaccurately reported information affects their earnings, access to credit, ability to rent a home or buy a car, and more.
McHenry objects to FSOC’s proposed designation framework
On June 15, House Financial Services Committee Chairman Patrick McHenry sent a letter to Treasury Secretary Janet Yellen urging the Financial Stability Oversight Council (FSOC), which Yellen chairs, to “revisit” its proposals on nonbank financial firm risks. As previously covered by InfoBytes, in April, FSOC released a proposed analytic framework for financial stability risks to provide greater public transparency on how it identifies, assesses, and addresses potential risks “regardless of whether the risk stems from activities or firms.” The same day, FSOC also released for public comment proposed interpretive guidance relating to procedures for designating systemically important nonbank financial companies for Federal Reserve supervision and enhanced prudential standards.
McHenry’s letter raised concerns with FSOC’s decision to evaluate risks based on an entity’s size and not its activities. According to McHenry, FSOC’s April proposals will essentially undo changes it made in 2019, which incorporated principles considering a financial institution’s systematic risk rather than merely its size. In his announcement accompanying the letter, McHenry elaborated on his concerns, stating that “allowing FSOC to extend its supervisory reach beyond prudential institutions to nonbank entities in this way could pose significant regulatory consequences for our financial system.” McHenry claimed these institutions may engage in different activities, thus presenting different risks, and said the proposals do not take this into account. McHenry also argued that expanding the Fed’s oversight jurisdiction is not a “panacea for financial stability.”
Fed publishes master accounts database
On June 16, the Federal Reserve Board published the Master Account and Services Database, which provides comprehensive, searchable information on which financial institutions have access to Federal Reserve Bank master accounts and financial services. The Fed explained that a master account is an account with a Reserve Bank, in which the Reserve Bank receives deposits for a financial institution. The Reserve Bank also provides financial services to financial institutions, similar to that of banks that provide services for its customers, like collecting checks, electronically transferring funds, and distributing and receiving cash and coin.
In the press release, the Fed explained the two components of the database: “The first component consists of financial institutions that currently have access to Reserve Bank master accounts and services. The second component consists of financial institutions that have requested access to master accounts and services after December 23, 2022, or had a request pending on that date, as well as the status of each request.” Both components of the database—the existing account database and the access requests database—will be updated quarterly.
FCC launches Privacy and Data Protection Task Force
On June 14, FCC Chairwoman Jessica Rosenworcel announced the establishment of the Commission’s new Privacy and Data Protection Task Force. According to the announcement, the task force will coordinate efforts across the FCC on rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors. These coordinated measures, Rosenworcel said, are intended to protect against and respond to data breaches involving telecommunications providers and those related to cyber intrusions. Measures will also address supply chain vulnerabilities involving third-party vendors that service regulated communications providers. Speaking to the Center for Democracy and Technology Forum on Data Privacy, Rosenworcel commented that data monetization is big business and that “market incentives to keep our data and slice and dice it to inform commercial activity are enormous” and only increasing. She provided examples of data aggregators selling individual geolocation data and said this demonstrates how information can be monetized. Rosenworcel further explained that the task force will also provide input on Commission efforts to modernize the FCC’s data breach rules. As previously covered by InfoBytes, the FCC issued a notice of proposed rulemaking in January to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information.
CFPB releases regulatory agenda
The Office of Information and Regulatory Affairs recently released the CFPB’s spring 2023 regulatory agenda. Key rulemaking initiatives that the agency expects to initiate or continue include:
- Overdraft fees. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation Z with respect to special rules for determining whether overdraft fees are considered finance charges.
- FCRA rulemaking. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation V, which implements the FCRA. In January, the Bureau issued its annual report covering information gathered by the Bureau regarding certain consumer complaints on the three largest nationwide consumer reporting agencies (CRAs). CFPB Director Rohit Chopra noted that the Bureau “will be exploring new rules to ensure that [the CRAs] are following the law, rather than cutting corners to fuel their profit model.” (Covered by InfoBytes here.)
- Insufficient funds fees. The Bureau is considering whether to engage in pre-rulemaking activity in November regarding non-sufficient fund (NSF) fees. The Bureau commented that while NSF fees have been a significant source of fee revenue for depository institutions, recently some institutions have voluntarily stopped charging such fees.
- Amendments to FIRREA concerning automated valuation models. On June 1, the Bureau issued a joint notice of proposed rulemaking (NPRM) with the Federal Reserve Board, OCC, FDIC, NCUA, and FHFA to develop regulations to implement quality control standards mandated by the Dodd-Frank Act concerning automated valuation models used by mortgage originators and secondary market issuers. (Covered by InfoBytes here.) Previously, the Bureau released a Small Business Regulatory Enforcement Fairness Act (SBREFA) outline and report in February and May 2022 respectively. (Covered by InfoBytes here.)
- Section 1033 rulemaking. Section 1033 of Dodd-Frank provides that covered entities, such as banks, must make available to consumers, upon request, transaction data and other information concerning consumer financial products or services that the consumer obtains from the covered entity. Over the past several years, the Bureau has engaged in a series of rulemaking steps to prescribe standards for this requirement, including the release of a 71-page outline of proposals and alternatives in advance of convening a panel under the SBREFA and the issuance of a final report examining the impact of the Bureau’s proposals to address consumers’ personal financial data rights. (Covered by InfoBytes here.) Proposed rulemaking may be issued in October.
- Property Assessed Clean Energy (PACE) financing. The Bureau issued an NPRM last month to extend TILA’s ability-to-repay requirements to PACE transactions. (Covered by InfoBytes here.) The proposed effective date is at least one year after the final rule is published in the Federal Register (“but no earlier than the October 1 which follows by at least six months Federal Register publication”), with the possibility of a further extension to ensure compliance with a TILA timing requirement.
- Supervision of Larger Participants in Consumer Payment Markets. The Bureau is considering whether to engage in pre-rulemaking activity next month to define larger participants in consumer payment markets and further the scope of the agency’s nonbank supervision program.
- Nonbank registration. The Bureau announced its intention to identify repeat financial law offenders by establishing a database of enforcement actions taken against certain nonbank covered entities. (Covered by InfoBytes here.) The Bureau anticipates issuing a final rule later this year.
- Terms and conditions registry for supervised nonbanks. At the beginning of the year, the Bureau issued an NPRM that would create a public registry of terms and conditions used in non-negotiable, “take it or leave it” nonbank form contracts that “claim to waive or limit consumer rights and protections.” Under the proposal, supervised nonbank companies would be required to report annually to the Bureau on their use of standard-form contract terms that “seek to waive consumer rights or other legal protections or limit the ability of consumers to enforce or exercise their rights” and would appear in a publicly accessible registry. (Covered by InfoBytes here.) The Bureau anticipates issuing a final rule later this year.
- Credit card penalty fees. The Bureau issued an NPRM in February to solicit public feedback on proposed changes to credit card late fees and late payments and card issuers’ revenue and expenses. (Covered by InfoBytes here.) Under the CARD Act rules inherited by the Bureau from the Fed, credit card late fees must be “reasonable and proportional” to the costs incurred by the issuer as a result of a late payment. A final rule may be issued later this year.
- LIBOR transition. In April, the Bureau issued an interim final rule, amending Regulation Z, which implements TILA, to update various provisions related to the LIBOR transition. Effective May 15, the interim final rule further addresses LIBOR’s sunset on June 30, by incorporating references to the SOFR-based replacement—the Fed-selected benchmark replacement for the 12-month LIBOR index—into Regulation Z. (Covered by InfoBytes here.)
Chopra says open-banking rule is coming
On June 12, CFPB Director Rohit Chopra announced that the agency is currently working to propose a rule that will assist consumers in making the switch to open banking. Chopra explained how consumers are “deadlocked” when it comes to control of their personal financial data, and consequentially cannot switch banks or apply for loans. Considering this issue, Chopra declared, “The CFPB is working to accelerate the shift to open banking through a new personal data rights rule intended to break down these obstacles, jumpstart competition, and protect financial data.” Chopra also discussed the topic of maintaining open market principles and stressed that the Bureau does not intend to micromanage this space but rather release consumers from a situation preventing them from participating in open banking. He ensured that open banking will generally be managed through standard-setting outside of the agency, and that the Bureau intends to safeguard fair standards at play. Chopra also shared his concerns about the power of large players in the market, warning that standard-setting organizations must consider consumers and smaller actors’ interests as well. The Bureau’s new rule will be open for comments in the coming months and is expected to finalize in 2024.
Agencies propose ROV guidance
On June 8, the CFPB joined the Federal Reserve Board, FDIC, NCUA, and the OCC to request comments on proposed interagency guidance relating to reconsiderations of value (ROV) for residential real estate valuations. The proposed guidance advises financial institutions on policies that would afford consumers an opportunity to introduce evidence that was not previously considered in the original appraisal. The proposal references the occurrence of “deficiencies” in real estate valuations, which can be due to errors or omissions, valuation methods, assumptions, or other factors. According to the proposed guidance, these kind of valuation deficiencies can “prevent individuals, families, and neighborhoods from building wealth through homeownership by potentially preventing homeowners from accessing accumulated equity, preventing prospective buyers from purchasing homes, making it harder for homeowners to sell or refinance their homes, and increasing the risk of default.” Also noted is the risk non-credible valuations pose to financial institutions, which may lead to loan losses, violations of law, fines, civil money penalties, damages, and civil litigation.
The proposed guidance (i) provides direction on how ROVs overlap with appraisal independence requirements and compliance with relative laws and regulations; (ii) identifies how financial institutions can implement and improve existing ROV policies while remaining compliant with regulations, preserving appraiser independence, and being responsive to consumers; (iii) explains how deficiencies can pose risk to financial institutions and describes how ROV policies should be factored into risk management functions; and (iv) provides examples of ROV policies, procedures, control systems, and complaint processes to address deficient valuations.
Comments on the proposed guidance are due within 60 days of publication in the Federal Register.
Agencies finalize guidance on managing third parties
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here.) The joint guidance, final as of June 6, replaces each agency’s existing general guidance on third-party risk management and is directed to all supervised banking organizations. Designed to streamline government guidance on mitigating risks when working with third parties, the final guidance establishes principles for banking organizations to consider when implementing risks management practices. Banking organizations are advised to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
After considering public comments received on proposed guidance issued in July 2021 (covered by InfoBytes here), the final guidance provides directions and expectations for oversight at all stages in the life cycle of a third-party relationship, including topics relating to planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination. Guidance on conducting independent reviews, maintaining documentation, and reporting is also included. The agencies advised banking organizations, particularly community banks, to review illustrative examples to help align risk management practices with the scope and risk profile of their third-party relationships. Additionally, banking organizations should maintain a complete inventory of their third-party relationships, identify higher-risk and critical activities, periodically conduct reviews to determine whether risks have changed over time, and update risk management practices accordingly, the agencies said.
The final guidance emphasizes that the agencies will review a banking organization’s third-party risk management practices as part of the standard supervisory process. When assessing whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, examiners will, among other things, (i) evaluate a banking organization’s ability to oversee and manage third party relationships; (ii) assess the effects of those relationships on a banking organization’s risk profile and operational performance; (iii) perform transaction testing to evaluate whether activities performed by a third party comply with applicable laws and regulations; (iv) conduct conversations relating to any identified material risks and deficiencies with senior management and board of directors; (v) review how a banking organization remediates any deficiencies; and (vi) consider supervisory findings when rating a banking organization.
The agencies stressed that they may take corrective measures, including enforcement actions, to address identified violations or unsafe or unsound banking practices by the banking organization or its third party. The agencies further announced that they plan to immediately engage with community banks and will develop additional resources in the future to help these organizations manage relevant third-party risks.
FTC seeks to work with states on combatting fraud
On June 7, the FTC announced it is soliciting public comments on how the Commission can work more effectively with state attorneys general to prevent and inform consumers about potential fraud. The FTC said in its announcement that the agency and the AGs share a common mission to protect the public from “deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.” The request for public comments comes as a result of the FTC Collaboration Act of 2021 (the “Act”), which requires the Commission to not only solicit public comments, but also to consult directly with interested stakeholders. Signed into law last year, the Act directs the FTC to conduct a study on how to streamline and leverage the relationship between the Commission and the AGs to better protect Americans from fraud and hold those committing malicious acts accountable. The FTC requests comments specifically regarding: (i) the roles and responsibilities of the Commission and AGs that best advance collaboration and consumer protection; (ii) how resources should be dedicated to further such collaboration and consumer protection; and (iii) the accountability mechanisms that should be implemented to promote collaboration and consumer protection between the FTC and AGs.
The completed report will be submitted to the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation. Comments are due 60 days after publication in the Federal Register.
CFPB revises supervision and examination manual
On June 5, the CFPB revised its Supervision and Examinations Manual to incorporate minor changes for larger participants under “Module 7 - Consumer Alerts, Identity Theft, and
Human Trafficking Provisions.” The updates specifically included FCRA and Regulation V requirements that prohibit credit reporting agencies (CRAs) from including information in consumer reporting in cases of human trafficking. Notably, the final rule regarding credit reporting on human trafficking victims was issued in 2022 (previously covered by InfoBytes here). The CFPB also stated that all CRAs must “establish and maintain written policies and procedures reasonably designed to ensure and monitor the compliance of the consumer reporting agency and its employees with the requirements of 12 CFR 1022.142.”