
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data

    State Issues

    On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’ consent or knowledge. In 2019, the governor directed NYDFS to perform an investigation into the company’s collection of sensitive personal data from smartphone apps after a media report emerged that claimed app developers regularly sent sensitive data to the company. According to the NYDFS press release, the report’s findings conclude, among other things, that inadequate controls at the company allowed sensitive data to be wrongfully shared, and that the company “did little to track whether app developers were violating its policies” and to date has taken “no real action against developers” that transmit the data. The report outlines various remedial measures the company has undertaken as a result of the investigation, including (i) building and implementing a screening system to identify and block sensitive information prior to entering the company’s system; (ii) enhancing app developer education to better inform developers that they are obligated to avoid transmitting sensitive data; and (iii) taking measures to provide users more control over data that is collected about them, including from off-company activity. The report also includes recommendations for the company to implement to better protect consumer privacy and ensure app developers “are fully aware of the prohibition” on transmitting sensitive data. The steps include that the company should “do more [] to prevent developers from transmitting sensitive data in the first place rather than simply relying so heavily on a back-end screening system.” The report also urges the company to “undertake significant additional steps to police its own rules” by putting in place appropriate consequences for doing so.

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Consumer Protection Bank Regulatory

  • NYDFS announces cybersecurity fraud alert

    State Issues

    On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. NYDFS states that it has received reports from several regulated entities of “successful or attempted data theft” from websites providing instant rate quotes such as auto insurance rates, noting that even if NPI is redacted, “hackers have shown that they are adept at stealing the full unredacted NPI.” NYDFS advises regulated entities to review security controls for public-facing websites that display or transmit NPI (even redacted NPI), and reminds entities of their obligations under the state’s cybersecurity regulation to promptly report the theft of consumers’ NPI. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The cybersecurity fraud alert furthers NYDFS’ commitment to improving cybersecurity protections for both consumers and the industry, and follows an enforcement action taken last year alleging cybersecurity regulation violations (see InfoBytes coverage of NYDFS’ complaint against a title insurer for allegedly failing to safeguard mortgage documents here), as well as the regulator’s recently issued cybersecurity insurance framework (covered by InfoBytes here).

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Data Breach 23 NYCRR Part 500 Bank Regulatory

  • NYDFS says climate-based activities may qualify for state CRA credit

    State Issues

    On February 9, NYDFS issued new guidance stating that financing activities that support the climate resiliency of low- and moderate-income (LMI) and underserved communities may receive credit under the New York Community Reinvestment Act (the “New York CRA”). The industry letter notes that LMI and underserved communities are “disproportionally affect[ed]” by climate change because they “tend to be more susceptible to flooding and heat waves” and have “fewer resources to recover from natural disasters.” NYDFS reminds institutions that one way banking institutions subject to the New York CRA are evaluated is the extent to which their activity revitalizes or stabilizes both LMI geographies and underserved geographies, and that financing climate resiliency actions “may help mitigate climate change risks and at the same time revitalize or stabilize those geographic areas.” Accordingly, NYDFS outlines a non-exhaustive list of specific examples that may qualify for credit under the New York CRA, including (i) “renewable energy, energy-efficiency and water conservation equipment or projects for affordable housing…”; (ii) “microgrid or battery storage projects in LMI areas with high flood and/or wind risk…”; and (iii) “installation of air conditioning in multifamily buildings offering affordable housing….” Moreover, NYDFS states that banking institutions may also receive credit for investments in or loans to Community Development Financial Institutions, among others, that promote climate resiliency.

    State Issues NYDFS CRA State Regulators Bank Regulatory

  • NYDFS issues Cybersecurity Insurance Risk Framework

    State Issues

    On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S. regulator on this topic. In recognizing the growing risk and the challenges insurers face when trying to manage that risk, NYDFS advised insurers to “establish a formal strategy for measuring cyber insurance risk that is directed and approved by its board or other governing entity[.]” According to the guidance, the insurer’s strategy should be proportionate to the insurer’s risk and take into account “the insurer’s size, resources, geographic distribution, and other factors.” NYDFS also advised insurers to:

    • Eliminate exposure to “silent” cyber insurance risk resulting from a cyber incident that an insurer is obligated to cover even though its policy “does not explicitly mention cyber incidents.”
    • Evaluate systemic risk, including how catastrophic cyber events impact third-party vendors.
    • Measure and assess potential cybersecurity gaps and vulnerabilities through a data-driven approach.
    • Educate insureds and insurance producers on the value of cybersecurity measures, as well as the uses and limitations of cyber insurance.
    • Recruit and hire employees with cybersecurity experience.
    • Include a requirement in cyber insurance policies that victim-insureds notify law enforcement when a cyber attack occurs.

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Bank Regulatory

  • DFPI requests comment on CCFPL regulations

    State Issues

    On February 4, the California Department of Financial Protection and Innovation (DFPI) released an Invitation for Comments on a proposed rulemaking to implement the California Consumer Financial Protection Law (CCFPL). As previously covered by InfoBytes, in September 2020, the governor signed AB 1864, which enacts the CCFPL and established the DFPI name change from the Department of Business Oversight. The CCFPL authorizes DFPI to establish rules relating to the covered persons, service providers, and consumer financial products or services outlined in the law. The invitation for comments describes specific topics for stakeholder consideration when providing comments, but DFPI notes that commenters may provide feedback on “any potential area for rulemaking.” Highlights of the topics for comment include:

    • Exemptions. Whether or not DFPI should clarify the scope of the entities exempt from CCFPL.
    • Registration Requirements. What industries should be required to first register with DFPI and what rules should be established to facilitate industry oversight, including records and reporting requirements.
    • Complaint Handling. What requirements DFPI should establish with regard to timely responses to consumer complaints and inquiries, including timelines and substance of response.
    • Consumer UUDAAP. Description of acts or practices that stakeholders believe qualify as “unlawful, unfair, deceptive, or abusive” in consumer transactions, including suggested “requirements DFPI should adopt to prevent the act or practice.”
    • Commercial UDAAP and Data Collection. Description of acts or practices that stakeholders believe qualify as unfair, deceptive, and abusive in the commercial space, and whether or not DFPI should define specific acts or practices as unfair, deceptive, or abusive. Additionally, whether or not DFPI should require the collection and reporting of commercial financing data.
    • Disclosures. Whether or not DFPI should prescribe rules covering the features of consumer financing disclosures and if so, what the requirements should cover.
    • California Credit Cost Limitations. Whether or not DFPI should clarify the applicability of state credit cost limitations, including rate and fee caps, to consumer financial products and services.

    Comments must be submitted by March 8.

    State Issues DFPI Consumer Finance State Regulators State Legislation UDAAP

  • DFPI issues first enforcement action against student debt-relief company

    State Issues

    On February 3, the California Department of Financial Protection and Innovation (DFPI) announced the first-ever enforcement action under its new structure against a student loan debt-relief company and an investigation into others. According to the order, DFPI alleges, among other things, that an Irvine-based debt-relief company violated the Telemarketing Sales Rule (TSR) and the California Consumer Financial Protection Law (CCFPL) by charging consumers fees ranging from $2,100 to $26,510 to “‘wipe away’ their student loans by getting them ‘dismissed’ or ‘discharged,’” which the company could not achieve. Moreover, consumers often financed the payment of the company’s fees, resulting in more debt, and the company refused to issue refunds when requested by some consumers. DFPI alleges the company’s actions constitute unlawful and deceptive practices under the CCFPL and violated the TSR’s prohibition of charging fees before performing services. Lastly, DFPI alleges the company was required to obtain a license under the state’s Student Loan Servicing Act (SLSA) because its actions constitute “servicing” student loans under the statute. The order requires the company to refund the fees collected from 18 consumers by March 15 and to pay a civil penalty of $45,000.

    DFPI also announced it issued subpoenas to four other student loan debt-relief companies to determine whether the companies engage in or have engaged in any unlawful, unfair, deceptive, or abusive acts or practices and whether their activities require a license. Responses to the subpoenas are due in March.

    State Issues DFPI State Regulators Debt Relief Student Lending TSR CCFPL Licensing

  • DFPI: Certain bitcoin ATMs/kiosks not subject to MTA licensure

    Recently, California’s Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the Money Transmission Act (MTA) related to bitcoin automated teller machines (ATMs) and kiosks. The letter explains that the sale and purchase of bitcoin through ATMs/kiosks in third-party retail locations described by the applicant company are not subject to licensure under the MTA because the sale and purchase of bitcoin from the company’s own inventory through a kiosk does not meet California’s definition of “money transmission.” In each instance, the transaction would only be between the consumer using the ATM/kiosk and the company, the bitcoin would be sent directly to the customer’s virtual currency wallet, and any bitcoin sold would be provided exclusively from the company’s own inventory. DFPI reminded the company that its determination is limited to the activities specified in the letter and does not extend to any other activities that the company may engage in. Moreover, the letter does not relieve the company from any FinCEN, federal, or state regulatory obligations.

    Licensing State Issues DFPI Virtual Currency State Regulators California Money Transmission Act Digital Assets

  • DFPI launches debt collection investigation

    State Issues

    On January 19, California’s Department of Financial Protection and Innovation (DFPI) announced the issuance of subpoenas to a dozen debt collection companies as part of its investigation into consumer complaints about alleged unlawful, unfair, deceptive, or abusive debt collection practices. This is DFPI’s first significant action since the California Consumer Financial Protection Law—which, among other things, expanded DFPI’s UDAAP authority by adding a prohibition on “abusive” acts or practices to California law—went into effect January 1 (covered by a Buckley Special Alert). According to DFPI, consumers across the country have filed complaints against the companies, alleging the debt collectors make repeated phone calls, fail to validate debts, and threaten to sue consumers for debts they do not owe. DFPI notes that the state’s new Debt Collection Licensing Act (enacted last September and covered by InfoBytes here) requires a person engaging in the business of debt collecting in the state of California to be licensed and provides for the regulation and oversight of debt collectors by the agency.

    State Issues State Regulators DFPI Debt Collection Enforcement

  • Florida amends licensing application procedures

    On December 29, the Florida Department of Financial Services, Office of Financial Regulation (the “Office”) amended rules related to the application procedures for prospective loan originator, mortgage broker, and mortgage lender licensees to provide an additional 45 days for submission of additional application information and to provide for the disposition of incomplete applications. Specifically, the amended rules allow the Office to grant an extension request of up to an additional 45 days to submit any requested information during the application process, so long as the request is made within the initial 45-day deadline. Should a license applicant fail to provide the additional requested information within the approved timeframe, the application will be removed from further consideration by the Office and closed. The amended rules are effective January 18.

    Licensing State Issues State Regulators Mortgage Origination Mortgage Broker

  • California proposes changes to Escrow Law

    State Issues

    Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed regulations (and accompanying statement of reasons) seeking to amend the state’s Escrow Law to clarify (i) the meanings of personal property and prohibited compensation; (ii) maintenance of books and preservation of records; and (iii) the annual report requirements. Among other things, the proposal adds “gametic material” to the definition of personal property to clarify that escrow agents may conduct transactions that hold and disburse funds under assisted reproduction agreements. Additionally, the updates to the escrow books and records provisions are to “ensure that CPAs may participate in engagements to meet the annual audit report requirement for Escrow Law licensees without violating any rule of professional conduct.” Comments on the proposed regulatory amendments are due by February 15.

    State Issues DFPI Escrow State Regulators
