Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Bowman discusses bank and third-party cyber risk management expectations

    On February 15, Federal Reserve Board Governor Michelle W. Bowman delivered remarks at the Midwest Cyber Workshop, during which she discussed topics related to third-party service provider reliance and regulatory expectations concerning cyber risk management. “While we expect banks to be in touch with us when an event happens, cyber events should not be the first time a cyber-risk conversation occurs between a bank and its regulator.” Community banks frequently cite cybersecurity as one of the top risks facing the banking industry, Bowman said, adding that bankers have mentioned difficulties in attracting and retaining the staff needed to mitigate cyber risk. She also noted that ransomware disproportionately impacts smaller banks that might not “have sufficient resources to protect against these attacks.”

    Pointing out that banks are becoming increasingly reliant on third-party service providers, Bowman said regulators should “consider the appropriateness of shifting the regulatory burden from community banks to more efficiently focus directly on service providers.” Regulators have authority to do so under the Bank Service Company Act, Bowman said, adding that “[i]n a world where third parties are providing far more of these services, it seems to me that these providers should bear more responsibility to ensure the outsourced activities are performed in a safe and sound manner.” She also referenced a 2021 final rule that requires banks to timely notify their primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place (covered by InfoBytes here). The reporting process, Bowman said, is also intended to streamline small banks’ efforts to monitor service providers (which are required to notify a bank-designated point of contact at each affected customer bank when a computer-security incident has occurred).

    “We look forward to working with you to assist in clarifying expectations, applying regulatory guidance or seeking feedback on cyber-risk management strategies,” Bowman said. “We encourage bank management teams to engage with regulatory points of contact whenever questions arise on cybersecurity matters just as with any other regulatory matter.”

    Bank Regulatory Federal Issues Privacy, Cyber Risk & Data Security Third-Party Federal Reserve

  • Parties reach agreement to resolve data scraping allegations


    On December 8, the U.S. District Court for the Northern District of California issued a consent judgment and permanent injunction against a now-defunct plaintiff data analytics company in an action concerning whether the plaintiff breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The case was sent back to the district court earlier this year by the U.S. Court of Appeals for the Ninth Circuit (on remand from the U.S. Supreme Court) after the appellate court affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. (Covered by Infobytes here.)

    As previously covered by InfoBytes, last month the district court ruled that the plaintiff breached its user agreement by creating fake accounts and copying url data as part of its scraping process. Nonetheless, at the time, the district court noted that there remained a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. The district court further questioned when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.

    On December 6, the parties separately reached an agreement to resolve all outstanding claims in the case. The final consent judgment enters a $500,000 judgment against the plaintiff and waives all other monetary relief. Additionally, the plaintiff is permanently enjoined from scraping or accessing the defendant’s platform without express written permission, whether directly or indirectly through a third party or whether logged in to an account or not. The plaintiff is also prohibited from developing, using, selling, or distributing any software or code for data collection from the defendant’s platform. The plaintiff must also delete all software code in its possession that is designed to access the defendant’s platform, must delete all member profile data in its possession (including data stored with a third party), and is barred from “using, distributing, selling, analyzing, or otherwise accessing any data” collected without the defendant’s express permission, whether directly or indirectly through a third party, among other requirements.

    Courts Privacy, Cyber Risk & Data Security Data Scraping Consumer Protection Appellate Ninth Circuit State Issues Third-Party

  • District Court says sellers may be vicariously liable for third-party TCPA violations


    On December 5, the U.S. District Court for the Western District of Washington denied an online retail pharmacy’s (defendant) motion for summary judgment in a TCPA suit. According to the order, the defendant engaged with a third party to call potential customers and transfer leads who were interested in the defendant’s services to its inbound call center. The order further noted that the third party contracted with another company to generate leads. Like the third party, the company did not make any calls but contracted with one or more vendors to place calls. The plaintiff received two calls from a prerecorded message that introduced itself as a person with the company. After asking the plaintiff if anyone in the household used prescription medications, among other things, he was transferred to an employee of the defendant who identified the defendant company by name and tried to sell the plaintiff their services. The plaintiff sued the defendant, arguing that it was “vicariously liable” for calls he received from a telemarketer that transferred the calls to the defendant’s sales representative. The defendant argued it was not directly liable under the TCPA because it did not directly place the calls to the plaintiff. The defendant also said it was not vicariously liable for calls placed by vendors because those vendors did not have express or implied actual authority to place calls for the defendant.

    According to the district court, courts may hold sellers such as the defendant vicariously liable for TCPA violations of third-party callers “where the plaintiff establishes an agency relationship, as defined by federal common law, between the defendant and the third-party caller.” The court further wrote that labeling the contracted company “an independent contractor in the agreement with [the defendant] does not foreclose a finding that an agency relationship existed.” The district court also noted that there was a “genuine issue” of material fact as to whether the defendant had an agency relationship with the contracted company’s vendor.

    Courts TCPA Third-Party

  • Senate Banking grills regulators on crypto

    Federal Issues

    On November 15, the Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Oversight of Financial Regulators: A Strong Banking and Credit Union System for Main Street” to hear from federal financial regulators about growing risks related to bank mergers, bailouts, climate change, crypto assets, and cyberattacks, among other topics. Committee Chairman Sherrod Brown (D-OH) opened the hearing by emphasizing that Congress “must stay vigilant and empower regulators with the tools to combat these growing risks,” and said that banks and credit unions must be able to partner with third parties in a manner that enables competition but without risking consumer money. He also warned that big tech companies and shadow banks should not be allowed to “play by different rules because of special loopholes.” In his opening statement, Ranking Member Patrick J. Toomey (R-PA) challenged the regulators to “not stray beyond their mandates into politically contentious issues or establish unnecessary new regulatory burdens,” pointing to the participation of the Federal Reserve Board, FDIC, and OCC in the Network for the Greening the Financial System as an example of politicizing financial regulation.

    Testifying at the hearing were the Fed’s Vice Chair for Supervision Michael S. Barr, NCUA Chair Todd M. Harper, acting FDIC Chairman Martin J. Gruenberg, and acting Comptroller of the Currency Michael J. Hsu. Cryptocurrency concerns were a primary focus during the hearing, where Toomey asked the regulators why they still have not provided public clarity on banks’ involvement in crypto activities, such as providing custody services or issuing stablecoins.

    Pointing to a major cryptocurrency exchange’s recent major collapse, Toomey pressed Hsu on whether the OCC “discourages banks from providing custody services” for crypto assets. Toomey speculated, “it seems to me if people had access to custody services provided by a wide range of institutions, including regulated financial institutions, they might be able to sleep more comfortably knowing that those assets are unlikely to be used for some completely inappropriate purpose.” Answering that the OCC discourages banks from engaging in activities that are not safe, sound, and fair, Hsu acknowledged that there are underlying fundamental issues and questions about what it means to control crypto through a custody “which have not been fully worked out.” Toomey emphasized that part of the obligation rests on the OCC to provide clarity on how banks could provide these services in a safe, sound, and fair manner, and stressed that currently these activities are operating in a space outside the regulatory perimeter. Barr agreed that it would be useful for the Fed to provide guidance to banks on how to safely custody crypto assets and said it is something he plans to work on with his colleagues.

    Toomy further noted that Congress’s failure “to pass legislation in this space and the failure of regulators to provide clear guidance has created ambiguity that has driven developers and entrepreneurs overseas where regulations are often lax at best.” Senator Bill Haggerty (R-TN) cautioned that lawmakers should not resort to a “heavy-handed” regulatory response to the cryptocurrency exchange’s collapse. “No amount of poorly considered, knee-jerk over-regulation here in the U.S. would have prevented a foreign-domiciled company like [the collapsed cryptocurrency exchange] from doing what it did,” Haggerty said. “The fact of the matter is that crypto, much like all of finance, isn’t beholden to a specific country or a specific legal system, and by not acting and by failing to provide legal clarity here in the United States, Congress only incentivizes activity to migrate outside of our country’s borders,” Haggerty stated, adding that it is “important to recognize that whatever happened with a bad actor running a centralized exchange and defrauding customers” has “nothing to do with the technology underpinning crypto itself.” When asked by Sen. John Kennedy (R-LA) which regulator was responsible for watching the collapsed cryptocurrency exchange, Gruenberg said “I think in the first instance, you’d probably want to engage with the market regulators, the SEC and the CFTC, to talk about the activities and the authorities in this area.”

    The regulators also discussed efforts to mitigate cybersecurity risks and strengthen information security within the banking industry. Hsu stressed during the hearing that “the greatest risk is the risk of complacency,” while noting in his prepared remarks that the OCC is aware of the risks associated with cybersecurity and has “encouraged banks to stay abreast of new technology and threats.” Barr pointed to the importance of operational resilience in his prepared remarks, noting that “technology-based failures, cyber incidents, pandemics, and natural disasters,” combined with the growing reliance on third-party service providers, expose banks to a range of operational risks that are often challenging to anticipate. Harper commented in his prepared remarks that the NCUA continues to provide guidance for credit unions to reinforce their ability to withstand potential cyberattacks, and recommends that credit unions report cyber incidents to the NCUA, the FBI, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In his prepared remarks, Gruenberg pointed to recent examination findings revealing that banks that have dedicated resources for implementing appropriate controls are better at defending against cyberattacks, and said the FDIC is “piloting technical examination aids that will help [] examiners focus on the controls [] found to be most effective in defending against these attacks.”

    The House Financial Services Committee also held a hearing later in the week that focused on similar topics with the regulators. Chair Maxine Waters (D-CA) and Rep. Patrick McHenry (R-NC) also announced that the committee will hold a hearing in December to investigate the aforementioned cryptocurrency exchange’s collapse and understand the broader consequences the collapse may have on the digital asset ecosystem.

    Federal Issues Digital Assets Privacy, Cyber Risk & Data Security Senate Banking Committee House Financial Services Committee FDIC OCC NCUA Federal Reserve Risk Management Third-Party Climate-Related Financial Risks Fintech

  • SEC proposes new requirements for advisors that outsource services to third parties


    On October 26, the SEC proposed new oversight requirements for outsourced investment advisory services. The proposed rule, issued under the Investment Advisers Act of 1940, would prohibit registered investment advisers from outsourcing certain services and functions without conducting due diligence prior to engaging a third-party service provider. The proposed rule would apply to advisors that outsource certain “covered functions,” including services or functions necessary for providing advisory services in compliance with federal securities laws that—if not performed or negligently performed—would result in material harm to clients. Under the proposed rule, advisors would also be required to periodically monitor a third party’s performance and reassess whether it is appropriate to continue to outsource its services and functions. Additionally, the SEC is proposing corresponding amendments so that it may collect “census-type information” about third-party service providers, as well as amendments that would require advisors to maintain books and records related to the proposed rule’s oversight obligations.

    SEC Chairman Gary Gensler released a statement supporting the proposed amendments. “[T]hese rules, if adopted, would better protect investors by requiring that investment advisers take steps to continue to meet their fiduciary and other legal obligations regardless of whether they are providing services in-house or through outsourcing, whether through third parties or affiliates,” Gensler said, explaining that the increased use of third-party service providers “has led staff to make several recommendations to ensure advisers that use them continue to meet their obligations to the investing public. When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients.”

    Commissioner Hester M. Peirce criticized the proposed rule, with Peirce claiming the proposal “may end up abrogating fiduciary duty and replacing it with [a] predefined approach to best interest—one not responsive to unique facts and circumstances.” She also expressed concerns related to the proposal’s potential impact on smaller advisors that may face disproportionate competitive challenges. Commissioner Mark T. Uyeda also dissented, expressing concerns over whether “there is any observable problem related to investment advisers’ oversight of service providers that necessitates the blanket imposition of specified oversight requirements.”

    Securities Agency Rule-Making & Guidance Third-Party Investment Advisers Act

  • California fines cosmetics chain for privacy violations

    Privacy, Cyber Risk & Data Security

    On August 24, the California attorney general announced that following an investigative sweep into online retailers, it entered into a $1.2 million settlement with a cosmetics chain for its alleged failure to disclose to consumers that it was selling their personal information, failure to process user requests to opt-out of such sale via user-enabled global privacy controls, and failure to cure such violations within the 30-day period allowed by the California Consumer Privacy Act (CCPA). The action reaffirms the state’s commitment to enforcing the law and protecting consumers’ rights to fight commercial surveillance, AG Bonata said, emphasizing that “today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

    According to a complaint filed in California Superior Court, third parties monitored consumers’ purchases and created profiles to more effectively target potential customers. The company’s arrangement with these third parties constituted a sale of consumer personal information under the CCPA, therefore triggering certain basic obligations, including telling consumers that it is selling their information and allowing consumers to easily opt-out of the sale of their information. According to the complaint, the company failed to take any of these measures.

    Under the terms of the settlement, the company is required to pay a $1.2 million penalty and must disclose to California customers that it sells their personal data and provide a mechanism for consumers to opt out of a sale of their information, including through user-enabled global privacy controls like the Global Privacy Control (GPC). Additionally, the company must ensure its service provider agreements meet CCPA requirements and provide reports to the AG related to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

    The press release also announced that notices were sent to several businesses alleging non-compliance concerning their failure to process consumer opt-out requests made via user-enabled global privacy controls. The AG reiterated that under the CCPA, “businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link. Businesses that received letters today have 30 days to cure the alleged violations or face enforcement action from the Attorney General.” 

    Privacy, Cyber Risk & Data Security State Issues Courts CCPA California Enforcement Settlement State Attorney General Opt-Out Third-Party

  • FDIC clarifies third party-related brokered deposit reporting requirements

    On July 15, the FDIC released a new Question and Answer (Q&A) and updated public information on its Banker Resource Center Brokered Deposits Page, reminding “FDIC-insured depository institutions (IDIs) that deposits swept from broker dealers with a primary purpose exception to unaffiliated IDIs must be reported as brokered if any additional third parties are involved that qualify as deposit brokers, as defined by Section 337.6 –Brokered Deposits, of the FDIC’s Rules and Regulations.” According to a statement released by the FDIC, Call Report data analysis submitted after the Brokered Deposits Final Rule took effect “suggests that some IDIs receiving sweep deposits from unaffiliated broker-dealers appear to be reporting the sweep deposits as non-brokered, despite the involvement of a third party that engages in facilitating the placement of deposits, including through engaging in matchmaking activities.” The agency emphasized that while an IDI may not have a direct relationship with an additional third party providing services to a broker dealer with a primary purpose exception, “when reporting sweep deposits, it is the IDI’s responsibility to file accurate Call Report data,” which may include reviewing agreements between the broker dealer and any additional third parties for any services that constitute matchmaking activities. The FDIC clarified, however, that banks will not be required to refile previous Call Reports “if, after good faith efforts, certain deposits were not previously reported as brokered by the IDI due to a misunderstanding of how the facilitation aspect of the deposit broker definition applies when additional third parties are involved.”

    Bank Regulatory Federal Issues FDIC Brokered Deposits Third-Party

  • FTC seeks to protect highly sensitive data

    Privacy, Cyber Risk & Data Security

    On July 11, the FTC’s Division of Privacy & Identity Protection published a blog post addressing risks associated with the sharing of highly personal information with strangers, particularly with respect to the use of technology that directly observes or derives sensitive information about users. The FTC noted that aside from location information, which is often automatically generated from consumers’ connected devices, consumers are also actively generating sensitive health information, including personal reproductive data, through apps on their devices. This “potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers,” the FTC warned, pointing to the “ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.” Additionally, once the sensitive information is collected, the FTC said that consumers usually have no idea who has access to it, what the information is being used for, or that companies are profiting from the sale of their data. “The misuse of mobile location and health information–including reproductive health data–exposes consumers to significant harm,” the FTC stated. “Criminals can use location or health data to facilitate phishing scams or commit identity theft . . . and may subject people to discrimination, stigma, mental anguish, or other serious harms.” The FTC reminded companies that it is committed to using the full scope of its legal authorities to protect consumers’ privacy and that it “will vigorously enforce the law” to protect the security and privacy of consumers’ personal information. Companies are advised that sensitive information is protected by several federal and state laws and that making claims that data is “anonymous” or “has been anonymized” may be a deceptive trade practice under the FTC Act if untrue. 

    Privacy, Cyber Risk & Data Security FTC Consumer Protection Third-Party Drug Enforcement Administration

  • District Court approves final $85 million class action privacy settlement despite objections

    Privacy, Cyber Risk & Data Security

    On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to the more than 150 million class members (defined as individuals who “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication”), the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. Under the terms of the final settlement, the company will establish an $85 million fund to pay valid claims, fees and expenses, service payments, and taxes, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the settlement stipulates that the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company will educate users about available security features and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.

    The court considered several objections raised by certain class members, including concerns argued on behalf of a subclass of users who used the meeting application “as part of a business that was legally or contractually required to maintain client confidentiality as part of the services the business provided.” According to these objectors, the individual payment amounts are inadequate for individuals who held sensitive meetings. The court countered that the objectors’ claims did not differ from other class members and that the recovery is intended to cover users who did not receive the benefit of their bargain with the company, and not for “special harm arising from a duty to maintain client confidentiality.”

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action Third-Party State Issues California

  • District Court denies class cert in data breach suit

    Privacy, Cyber Risk & Data Security

    On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private information. Plaintiffs alleged the defendant contracted with a third-party reservation site, which required consumers to provide payment card information and other personally identifying information (PII). The plaintiffs contended that during the data breach, hackers accessed customer data, and argued that “had [the third party] ‘employed multiple levels of authentication,’ rather than ‘single factor authorization,’ the ‘hacker would not . . . have been able to access the system.” Plaintiffs further claimed that the defendant served as the third party’s agent and was therefore responsible for its conduct.

    In declining to certify the class, the court ruled that the plaintiffs failed to successfully allege any of their three claims on behalf of the class. The court reviewed the plaintiffs’ breach of contract claims, which alleged that the defendant promised to safeguard class members’ PII but failed to provide notice on its website that a third party was processing the payment information. According to the court, the plaintiffs could not show that all of the proposed class members would have believed they were providing their information to the defendant because the defendant’s “Book Now” button sent the user to the third party’s website and the defendant’s privacy policy disclosed its use of third party websites. The court also rejected the plaintiffs’ assertion that the defendant disclosed personal information in violation of California Civil Code because the information was hacked rather than disclosed by either the defendant or the third party. With respect to the plaintiffs’ Texas Deceptive Trade Practices Act claims, the plaintiffs argued that the defendant’s statements about protective measures were misleading because the third party did not employ multi-layer authentication. The court concluded that class treatment of those claims was improper as it could not determine whether the practice was misleading for the entire class as the question is dependent on whether class members believed they were providing PII to the defendant or to the third party.

    Privacy/Cyber Risk & Data Security Courts Class Action Data Breach State Issues Third-Party


Upcoming Events