
InfoBytes Blog

Financial Services Law Insights and Observations



  • Senate Banking grills regulators on crypto

    Federal Issues

    On November 15, the Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Oversight of Financial Regulators: A Strong Banking and Credit Union System for Main Street” to hear from federal financial regulators about growing risks related to bank mergers, bailouts, climate change, crypto assets, and cyberattacks, among other topics. Committee Chairman Sherrod Brown (D-OH) opened the hearing by emphasizing that Congress “must stay vigilant and empower regulators with the tools to combat these growing risks,” and said that banks and credit unions must be able to partner with third parties in a manner that enables competition but without risking consumer money. He also warned that big tech companies and shadow banks should not be allowed to “play by different rules because of special loopholes.” In his opening statement, Ranking Member Patrick J. Toomey (R-PA) challenged the regulators to “not stray beyond their mandates into politically contentious issues or establish unnecessary new regulatory burdens,” pointing to the participation of the Federal Reserve Board, FDIC, and OCC in the Network for Greening the Financial System as an example of politicizing financial regulation.

    Testifying at the hearing were the Fed’s Vice Chair for Supervision Michael S. Barr, NCUA Chair Todd M. Harper, acting FDIC Chairman Martin J. Gruenberg, and acting Comptroller of the Currency Michael J. Hsu. Cryptocurrency concerns were a primary focus during the hearing, where Toomey asked the regulators why they still have not provided public clarity on banks’ involvement in crypto activities, such as providing custody services or issuing stablecoins.

    Pointing to a major cryptocurrency exchange’s recent major collapse, Toomey pressed Hsu on whether the OCC “discourages banks from providing custody services” for crypto assets. Toomey speculated, “it seems to me if people had access to custody services provided by a wide range of institutions, including regulated financial institutions, they might be able to sleep more comfortably knowing that those assets are unlikely to be used for some completely inappropriate purpose.” Answering that the OCC discourages banks from engaging in activities that are not safe, sound, and fair, Hsu acknowledged that there are underlying fundamental issues and questions about what it means to control crypto through a custody “which have not been fully worked out.” Toomey emphasized that part of the obligation rests on the OCC to provide clarity on how banks could provide these services in a safe, sound, and fair manner, and stressed that currently these activities are operating in a space outside the regulatory perimeter. Barr agreed that it would be useful for the Fed to provide guidance to banks on how to safely custody crypto assets and said it is something he plans to work on with his colleagues.

    Toomey further noted that Congress’s failure “to pass legislation in this space and the failure of regulators to provide clear guidance has created ambiguity that has driven developers and entrepreneurs overseas where regulations are often lax at best.” Senator Bill Hagerty (R-TN) cautioned that lawmakers should not resort to a “heavy-handed” regulatory response to the cryptocurrency exchange’s collapse. “No amount of poorly considered, knee-jerk over-regulation here in the U.S. would have prevented a foreign-domiciled company like [the collapsed cryptocurrency exchange] from doing what it did,” Hagerty said. “The fact of the matter is that crypto, much like all of finance, isn’t beholden to a specific country or a specific legal system, and by not acting and by failing to provide legal clarity here in the United States, Congress only incentivizes activity to migrate outside of our country’s borders,” Hagerty stated, adding that it is “important to recognize that whatever happened with a bad actor running a centralized exchange and defrauding customers” has “nothing to do with the technology underpinning crypto itself.” When asked by Sen. John Kennedy (R-LA) which regulator was responsible for watching the collapsed cryptocurrency exchange, Gruenberg said “I think in the first instance, you’d probably want to engage with the market regulators, the SEC and the CFTC, to talk about the activities and the authorities in this area.”

    The regulators also discussed efforts to mitigate cybersecurity risks and strengthen information security within the banking industry. Hsu stressed during the hearing that “the greatest risk is the risk of complacency,” while noting in his prepared remarks that the OCC is aware of the risks associated with cybersecurity and has “encouraged banks to stay abreast of new technology and threats.” Barr pointed to the importance of operational resilience in his prepared remarks, noting that “technology-based failures, cyber incidents, pandemics, and natural disasters,” combined with the growing reliance on third-party service providers, expose banks to a range of operational risks that are often challenging to anticipate. Harper commented in his prepared remarks that the NCUA continues to provide guidance for credit unions to reinforce their ability to withstand potential cyberattacks, and recommends that credit unions report cyber incidents to the NCUA, the FBI, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In his prepared remarks, Gruenberg pointed to recent examination findings revealing that banks that have dedicated resources for implementing appropriate controls are better at defending against cyberattacks, and said the FDIC is “piloting technical examination aids that will help [] examiners focus on the controls [] found to be most effective in defending against these attacks.”

    The House Financial Services Committee also held a hearing later in the week that focused on similar topics with the regulators. Chair Maxine Waters (D-CA) and Rep. Patrick McHenry (R-NC) also announced that the committee will hold a hearing in December to investigate the aforementioned cryptocurrency exchange’s collapse and understand the broader consequences the collapse may have on the digital asset ecosystem.

    Federal Issues Digital Assets Privacy, Cyber Risk & Data Security Senate Banking Committee House Financial Services Committee FDIC OCC NCUA Federal Reserve Risk Management Third-Party Climate-Related Financial Risks Fintech

  • SEC proposes new requirements for advisors that outsource services to third parties


    On October 26, the SEC proposed new oversight requirements for outsourced investment advisory services. The proposed rule, issued under the Investment Advisers Act of 1940, would prohibit registered investment advisers from outsourcing certain services and functions without conducting due diligence prior to engaging a third-party service provider. The proposed rule would apply to advisors that outsource certain “covered functions,” including services or functions necessary for providing advisory services in compliance with federal securities laws that—if not performed or negligently performed—would result in material harm to clients. Under the proposed rule, advisors would also be required to periodically monitor a third party’s performance and reassess whether it is appropriate to continue to outsource its services and functions. Additionally, the SEC is proposing corresponding amendments so that it may collect “census-type information” about third-party service providers, as well as amendments that would require advisors to maintain books and records related to the proposed rule’s oversight obligations.

    SEC Chairman Gary Gensler released a statement supporting the proposed amendments. “[T]hese rules, if adopted, would better protect investors by requiring that investment advisers take steps to continue to meet their fiduciary and other legal obligations regardless of whether they are providing services in-house or through outsourcing, whether through third parties or affiliates,” Gensler said, explaining that the increased use of third-party service providers “has led staff to make several recommendations to ensure advisers that use them continue to meet their obligations to the investing public. When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients.”

    Commissioner Hester M. Peirce criticized the proposed rule, with Peirce claiming the proposal “may end up abrogating fiduciary duty and replacing it with [a] predefined approach to best interest—one not responsive to unique facts and circumstances.” She also expressed concerns related to the proposal’s potential impact on smaller advisors that may face disproportionate competitive challenges. Commissioner Mark T. Uyeda also dissented, expressing concerns over whether “there is any observable problem related to investment advisers’ oversight of service providers that necessitates the blanket imposition of specified oversight requirements.”

    Securities Agency Rule-Making & Guidance Third-Party Investment Advisers Act

  • California fines cosmetics chain for privacy violations

    Privacy, Cyber Risk & Data Security

    On August 24, the California attorney general announced that following an investigative sweep into online retailers, it entered into a $1.2 million settlement with a cosmetics chain for its alleged failure to disclose to consumers that it was selling their personal information, failure to process user requests to opt out of such sale via user-enabled global privacy controls, and failure to cure such violations within the 30-day period allowed by the California Consumer Privacy Act (CCPA). The action reaffirms the state’s commitment to enforcing the law and protecting consumers’ rights to fight commercial surveillance, AG Bonta said, emphasizing that “today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

    According to a complaint filed in California Superior Court, third parties monitored consumers’ purchases and created profiles to more effectively target potential customers. The company’s arrangement with these third parties constituted a sale of consumer personal information under the CCPA, therefore triggering certain basic obligations, including telling consumers that it is selling their information and allowing consumers to easily opt-out of the sale of their information. According to the complaint, the company failed to take any of these measures.

    Under the terms of the settlement, the company is required to pay a $1.2 million penalty and must disclose to California customers that it sells their personal data and provide a mechanism for consumers to opt out of a sale of their information, including through user-enabled global privacy controls like the Global Privacy Control (GPC). Additionally, the company must ensure its service provider agreements meet CCPA requirements and provide reports to the AG related to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

    The press release also announced that notices were sent to several businesses alleging non-compliance concerning their failure to process consumer opt-out requests made via user-enabled global privacy controls. The AG reiterated that under the CCPA, “businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the ‘Do Not Sell My Personal Information’ link. Businesses that received letters today have 30 days to cure the alleged violations or face enforcement action from the Attorney General.”
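    The settlement and the AG’s notices both turn on one technical point: a browser-sent Global Privacy Control signal has to produce the same outcome as a click on the “Do Not Sell My Personal Information” link. The following is an added example written for this post, not code from the settling company, the California AG, or any source cited above. It assumes the GPC specification’s request header (`Sec-GPC: 1`) as the browser-side signal; the cookie name `ccpa_do_not_sell`, the tag names, and their classification as “sale” versus “service provider” integrations are illustrative assumptions.

    ```python
    """Server-side handling of the Global Privacy Control (GPC) opt-out signal.

    Added example for this post; not code from the California AG or the settling
    company. The GPC specification carries the signal as the HTTP request header
    `Sec-GPC: 1`. The cookie name, tag names and their classification below are
    assumptions chosen for illustration.
    """
    from dataclasses import dataclass

    # Constructed inventory of third-party integrations a retail site might load.
    # Assumed classification: "sale" tags share data with third parties for their
    # own purposes (ad tech, data brokers) and must not fire after an opt-out;
    # "service_provider" tags run under a CCPA service-provider contract.
    THIRD_PARTY_TAGS = {
        "ad-retargeting-pixel": "sale",
        "data-broker-sync": "sale",
        "fraud-screening-sdk": "service_provider",
        "hosted-analytics": "service_provider",
    }

    # Assumed cookie set when the user clicks the "Do Not Sell" link.
    OPT_OUT_COOKIE = "ccpa_do_not_sell"


    def gpc_signal_present(headers: dict) -> bool:
        """True only when the request carries Sec-GPC with the exact value "1".

        The spec defines a single valid value, so anything else ("0", "true",
        garbage) is not an opt-out. Header names are matched case-insensitively
        because clients and proxies vary the case.
        """
        for name, value in headers.items():
            if name.lower() == "sec-gpc":
                return value.strip() == "1"
        return False


    def opted_out(headers: dict, cookies: dict) -> bool:
        """A GPC signal is honoured exactly like a click on the
        "Do Not Sell My Personal Information" link: either source suffices."""
        return gpc_signal_present(headers) or cookies.get(OPT_OUT_COOKIE) == "1"


    @dataclass(frozen=True)
    class TagDecision:
        load: tuple        # tags allowed to fire on this response
        suppress: tuple    # tags withheld because they would constitute a sale
        opt_out_recorded: bool


    def decide_tags(headers: dict, cookies: dict) -> TagDecision:
        """Decide, before the page is rendered, which third-party tags may load.

        Suppressing at render time (rather than disabling a tag after it has
        loaded) matters: a sale tag that fires once has already shared data.
        """
        out = opted_out(headers, cookies)
        load, suppress = [], []
        for tag, kind in sorted(THIRD_PARTY_TAGS.items()):
            if out and kind == "sale":
                suppress.append(tag)
            else:
                load.append(tag)
        return TagDecision(tuple(load), tuple(suppress), out)


    if __name__ == "__main__":
        # Constructed request: a browser with GPC enabled and no prior opt-out cookie.
        print(decide_tags({"Host": "shop.example", "Sec-GPC": "1"}, {}))
    ```

    The decision is made server-side from the raw request headers, so a GPC-enabled browser is treated as opted out on its very first request, without any banner interaction. A site that only reads `navigator.globalPrivacyControl` in client-side script after its ad tags have already loaded would not meet the “treat the same as a click” standard described above.
    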

    Privacy, Cyber Risk & Data Security State Issues Courts CCPA California Enforcement Settlement State Attorney General Opt-Out Third-Party

  • FDIC clarifies third party-related brokered deposit reporting requirements

    On July 15, the FDIC released a new Question and Answer (Q&A) and updated public information on its Banker Resource Center Brokered Deposits Page, reminding “FDIC-insured depository institutions (IDIs) that deposits swept from broker dealers with a primary purpose exception to unaffiliated IDIs must be reported as brokered if any additional third parties are involved that qualify as deposit brokers, as defined by Section 337.6 – Brokered Deposits, of the FDIC’s Rules and Regulations.” According to a statement released by the FDIC, analysis of Call Report data submitted after the Brokered Deposits Final Rule took effect “suggests that some IDIs receiving sweep deposits from unaffiliated broker-dealers appear to be reporting the sweep deposits as non-brokered, despite the involvement of a third party that engages in facilitating the placement of deposits, including through engaging in matchmaking activities.” The agency emphasized that while an IDI may not have a direct relationship with an additional third party providing services to a broker dealer with a primary purpose exception, “when reporting sweep deposits, it is the IDI’s responsibility to file accurate Call Report data,” which may include reviewing agreements between the broker dealer and any additional third parties for any services that constitute matchmaking activities. The FDIC clarified, however, that banks will not be required to refile previous Call Reports “if, after good faith efforts, certain deposits were not previously reported as brokered by the IDI due to a misunderstanding of how the facilitation aspect of the deposit broker definition applies when additional third parties are involved.”

    Bank Regulatory Federal Issues FDIC Brokered Deposits Third-Party

  • FTC seeks to protect highly sensitive data

    Privacy, Cyber Risk & Data Security

    On July 11, the FTC’s Division of Privacy & Identity Protection published a blog post addressing risks associated with the sharing of highly personal information with strangers, particularly with respect to the use of technology that directly observes or derives sensitive information about users. The FTC noted that aside from location information, which is often automatically generated from consumers’ connected devices, consumers are also actively generating sensitive health information, including personal reproductive data, through apps on their devices. This “potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers,” the FTC warned, pointing to the “ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.” Additionally, once the sensitive information is collected, the FTC said that consumers usually have no idea who has access to it, what the information is being used for, or that companies are profiting from the sale of their data. “The misuse of mobile location and health information–including reproductive health data–exposes consumers to significant harm,” the FTC stated. “Criminals can use location or health data to facilitate phishing scams or commit identity theft . . . and may subject people to discrimination, stigma, mental anguish, or other serious harms.” The FTC reminded companies that it is committed to using the full scope of its legal authorities to protect consumers’ privacy and that it “will vigorously enforce the law” to protect the security and privacy of consumers’ personal information. Companies are advised that sensitive information is protected by several federal and state laws and that making claims that data is “anonymous” or “has been anonymized” may be a deceptive trade practice under the FTC Act if untrue. 

    Privacy, Cyber Risk & Data Security FTC Consumer Protection Third-Party Drug Enforcement Administration

  • District Court approves final $85 million class action privacy settlement despite objections

    Privacy, Cyber Risk & Data Security

    On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to the more than 150 million class members (defined as individuals who “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication”), the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. Under the terms of the final settlement, the company will establish an $85 million fund to pay valid claims, fees and expenses, service payments, and taxes, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the settlement stipulates that the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company will educate users about available security features and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.

    The court considered several objections raised by certain class members, including concerns argued on behalf of a subclass of users who used the meeting application “as part of a business that was legally or contractually required to maintain client confidentiality as part of the services the business provided.” According to these objectors, the individual payment amounts are inadequate for individuals who held sensitive meetings. The court countered that the objectors’ claims did not differ from other class members and that the recovery is intended to cover users who did not receive the benefit of their bargain with the company, and not for “special harm arising from a duty to maintain client confidentiality.”

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action Third-Party State Issues California

  • District Court denies class cert in data breach suit

    Privacy, Cyber Risk & Data Security

    On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private information. Plaintiffs alleged the defendant contracted with a third-party reservation site, which required consumers to provide payment card information and other personally identifying information (PII). The plaintiffs contended that during the data breach, hackers accessed customer data, and argued that “had [the third party] ‘employed multiple levels of authentication,’ rather than ‘single factor authorization,’ the ‘hacker would not . . . have been able to access the system.” Plaintiffs further claimed that the defendant served as the third party’s agent and was therefore responsible for its conduct.

    In declining to certify the class, the court ruled that the plaintiffs failed to successfully allege any of their three claims on behalf of the class. The court reviewed the plaintiffs’ breach of contract claims, which alleged that the defendant promised to safeguard class members’ PII but failed to provide notice on its website that a third party was processing the payment information. According to the court, the plaintiffs could not show that all of the proposed class members would have believed they were providing their information to the defendant because the defendant’s “Book Now” button sent the user to the third party’s website and the defendant’s privacy policy disclosed its use of third party websites. The court also rejected the plaintiffs’ assertion that the defendant disclosed personal information in violation of California Civil Code because the information was hacked rather than disclosed by either the defendant or the third party. With respect to the plaintiffs’ Texas Deceptive Trade Practices Act claims, the plaintiffs argued that the defendant’s statements about protective measures were misleading because the third party did not employ multi-layer authentication. The court concluded that class treatment of those claims was improper as it could not determine whether the practice was misleading for the entire class as the question is dependent on whether class members believed they were providing PII to the defendant or to the third party.

    Privacy/Cyber Risk & Data Security Courts Class Action Data Breach State Issues Third-Party

  • 9th Circuit: Defendant is liable for third-party calls


    Recently, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s ruling on whether a defendant knew its third-party contractor was making pre-recorded calls to prospective consumers without consumers’ consent in violation of the TCPA. As previously covered by InfoBytes, in December 2017, consumers filed a consolidated class action against a cruise line, alleging violations of, among other things, the TCPA for marketing calls made to class members’ cell phones using an automatic telephone dialing system between November 2016 and December 2017. The suit alleged that the defendant hired a company to generate leads and initiate telephone calls to prospective consumers for cruise packages. The U.S. District Court for the Southern District of California denied dismissal of the TCPA action for lack of subject matter jurisdiction, concluding that the U.S. Supreme Court’s decision in Barr v. American Association of Political Consultants Inc. did not invalidate the TCPA in its entirety from 2015 until July 2020. In Barr the Supreme Court held that the TCPA’s government-debt exception is an unconstitutional content-based speech restriction and severed the provision from the remainder of the statute. (Covered previously by InfoBytes here.)

    On appeal, the issue was whether the defendant is liable under the TCPA for prerecorded voice calls made by the third-party contractor to the plaintiffs, who had not given prior express consent to be called. The 9th Circuit agreed with the district court’s grant of summary judgment for the defendant on the ground that the TCPA did not require the defendant to ensure that the third-party contractor had prior express consent for each call it made to the defendant’s prospective customers, and that the defendant did not have actual authority over the third-party contractor. However, the 9th Circuit concluded that the defendant may be vicariously liable for the third-party contractor’s calls because it might have ratified them. The appellate court noted that the defendant knew that it received 2.1 million warm-transferred calls from the company between January 2017 and June 2018, but only 80,081 of those transfers were from individuals who had allegedly consented to receiving the calls. The defendant also had knowledge that there was a slew of mismatched caller data, and that the third-party contractor placed calls using prerecorded voices. The appellate court wrote that, “[t]hese facts, in combination with the evidence of widespread TCPA violations in the cruise industry, would support a finding that [the defendant] knew facts that should have led it to investigate [the company’s] work for TCPA violations.”

    Courts TCPA Class Action Autodialer U.S. Supreme Court Appellate Ninth Circuit Third-Party

  • CFPB sues debt collectors

    Federal Issues

    On January 10, the CFPB filed a complaint against three debt collection companies and their owners (collectively, “defendants”) for allegedly engaging in illegal debt-collection practices. According to the Bureau, the defendants purchase debt portfolios and place them with other collection companies or sell them. The complaint states that from September 2017 through April 2020, the defendants placed debts valued at more than $8 billion and asserts that the defendants knew or should have known that these third-party collection companies were engaging in unlawful and deceptive debt collection measures. The Bureau alleges the defendants were aware of the companies’ false statements to consumers because they received hundreds of complaints from consumers claiming the companies were threatening to arrest or file lawsuits if the consumers’ debts were not paid imminently, and the defendants received recorded phone calls alerting them to the companies’ threats and false statements regarding credit reporting. Further, the Bureau claims that the defendants continued to place debts with and sold debts to these companies even after an internal review found major violations of federal law. The Bureau’s complaint, which alleges violations of the CFPA and the FDCPA, seeks consumer restitution, disgorgement, injunctive relief, and civil money penalties.

    Federal Issues CFPB Enforcement Debt Collection UDAAP Deceptive CFPA FDCPA Third-Party Consumer Finance

  • FTC settles with mortgage analytics company

    Federal Issues

    On December 22, the FTC announced the final approval of a settlement with a mortgage industry data analytics firm (defendant) for allegedly failing to develop, implement, and maintain a comprehensive information security program and to ensure that third-party vendors are capable of implementing and maintaining appropriate safeguards for customer information, in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule. As previously covered by InfoBytes, in December 2020, the FTC alleged that a vendor hired by the defendant stored the unencrypted contents of mortgage documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was improperly accessed approximately 52 times. The FTC claimed, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of its vendors.

    The settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.

    FTC Commissioner Rebecca Kelly Slaughter provided a lone dissenting statement.

    Federal Issues FTC Enforcement Settlement Mortgages Gramm-Leach-Bliley Safeguards Rule Privacy/Cyber Risk & Data Security Third-Party Vendor Management Data Breach
