FTC approves final expanded settlement with global ride-sharing company over data breaches
On October 26, the FTC announced its final approval of an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices. Specifically, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases was secure, but, according to the FTC, the company failed to implement reasonable measures to prevent unauthorized access to consumer and driver data maintained by the ride-sharing company’s third-party cloud service provider. In April, the FTC announced it would be expanding the original settlement from August 2017 (previously covered by InfoBytes here), which covered a 2014 data breach, because it was discovered that the company had failed to disclose a subsequent data breach that occurred in 2016 for more than a year, despite the ongoing FTC investigation of the 2014 data breach.
The expanded final settlement subjects the company to civil penalties if it fails to notify the FTC of future incidents involving unauthorized access to data. The settlement also, among other things, requires the company to implement a comprehensive privacy program, including biennial third-party privacy assessments for 20 years.
CFPB announces settlement with companies that allegedly delayed transfer of consumer payments to debt buyers
On October 4, the CFPB announced a settlement with a group of Minnesota-based companies that allegedly violated the Consumer Financial Protection Act when consumers made payments on debts that the companies had already sold to third parties, and the companies improperly delayed the forwarding of some of those payments to debt buyers. According to the consent order, the companies—whose practices include the purchasing, servicing, collection, and furnishing consumer-report information on consumer loans—partnered with third-party banks to sell merchandise on closed-end or open-end revolving credit. Within a few days, banks originated the loans and sold the receivables to the companies. The companies subsequently serviced the debts and sold the receivables to a third party. For defaulted accounts, the companies charged off the accounts and sold them to third-party debt buyers. According to the Bureau, the companies allegedly failed to notify consumers when their accounts were sold, failed to inform them who now owned the debt, and continued to accept direct pays from consumers. The Bureau contends that between 2013 and 2016, the companies delayed forwarding direct pays for more than 31 days in 18,000 instances, and in 3,500 of those instances, the companies did not forward the payments for more than a year. Moreover, the Bureau asserts that these delays led to misleading collection efforts, including collection activity on accounts consumers had completely paid off. The order requires the companies to pay a civil money penalty of $200,000, and improve their policies and procedures to prevent further violations.
FHFA issues guidance for third-party provider relationships
On September 28, FHFA released Advisory Bulletin AB 2018-08, which provides guidance to Fannie Mae and Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (regulated entities) on the evaluation and management of risks associated with third-party provider relationships. (FHFA defines a third-party provider relationship as a “business arrangement between a regulated entity and another entity that provides a product or service.”)
The bulletin sets forth the structure and describes the features of the third-party provider risk management programs that FHFA expects regulated entities to establish. With respect to governance, the bulletin recommends such programs address: (i) the responsibilities of the board and senior management; (ii) policies, procedures, and internal standards; and (iii) the implementation of a reporting system to ensure management and the board are adequately informed. The bulletin also specifies that an effective program include policies and procedures that cover each of the following phases of a third-party provider relationship life cycle: (i) Risk Assessment; (ii) Due Diligence in Third-Party Provider Selection; (iii) Contract Negotiation; (iv) Ongoing Monitoring; and (v) Termination. The bulletin suggests that regulated entities should ensure that their third-party risk management corresponds with the level of risk and complexity of their third-party relationships and notes that not every aspect of the bulletin may apply to every relationship.
NYDFS releases updated guidance regarding indirect auto lending fair lending compliance
On August 23, the New York Department of Financial Services (NYDFS) released updated guidance reminding institutions engaged in indirect auto lending through third parties that they must comply with the state’s Fair Lending Law, despite the May repeal of the CFPB’s Bulletin 2013-02 on indirect auto lending and compliance with the Equal Credit Opportunity Act (ECOA). (The repeal was previously covered by InfoBytes here.) The updated guidance “consolidates, streamlines and reinforces previous guidance issued by [NYDFS]’s predecessor, the New York State Banking Department,” and applies to supervised financial institutions and their subsidiaries and affiliates (lenders). The guidance provides a list of actions lenders should take to develop a fair lending compliance program for indirect auto lending, including (i) submitting all loan applications that are rejected or withdrawn to an automatic review by a higher-level supervisor; (ii) implementing a fair lending training program for both new hires and current employees; (iii) obtaining written agreements from all dealers certifying that the dealer acknowledges its responsibility to comply with fair lending laws and the policies and procedures contained in the fair lending plan; and (iv) extending fair lending plan principles to refinancing and collection practices.
Conference of State Bank Supervisors supports legislation to coordinate federal and state examinations of third-party service providers
On July 12, the Conference of State Bank Supervisors (CSBS) issued a statement to the Senate Banking Committee, offering support for legislation that would “enhance state and federal regulators’ ability to coordinate examinations of, and share information on, banks’ [third-party technology service providers (TSPs)] in an effective and efficient manner.” H.R. 3626, the Bank Service Company Examination Coordination Act, introduced by Representative Roger Williams, R-Texas, would amend the Bank Service Company Act to provide examination improvements for states by requiring federal banking agencies to (i) consult with the state banking agency in a reasonable and timely fashion, and (ii) take measures to avoid duplicating examination activities, reporting requirements, and requests for information. Currently, 38 states have the authority to examine TSPs; however, according to CSBS, amending the Bank Service Company Act would more appropriately define a state banking agency’s authority and role when it comes to examining potential risks associated with TSP partnerships. In its statement, CSBS also references a recent action taken by eight state regulators against a major credit reporting agency following its 2017 data breach, which requires, among other things, a wide range of corrective actions, including improving oversight and ensuring sufficient controls are developed for critical vendors. (See previous InfoBytes coverage here.) The House Financial Services Committee advanced H.R. 3626 on June 24 on a unanimous vote.
OCC issues updates to Comptroller’s Handbook
On June 28, the OCC issued Bulletin 2018-18, which revises and updates certain booklets of the Comptroller’s Handbook. Among other things, the revisions and updates (i) clarify the applicability of each booklet to community, midsize, and large banks; (ii) incorporate Uniform Interagency Consumer Compliance Rating System revisions; (iii) provide asset management and Bank Secrecy Act/Anti-Money Laundering/Office of Foreign Assets Control risk assessment examiner guidance to ensure consistency with the Federal Financial Institutions Examination Council BSA/AML Examination Manual’s appendixes J and M; (iv) incorporate relevant aspects of the Dodd-Frank Act; (v) clarify the roles of banks’ boards of directors and management; and (vi) “include revised concepts and references regarding third-party risk management; new, modified, or expanded bank products or services; and corporate and risk governance.” The revised booklets are: Bank Supervision Process, Community Bank Supervision, Compliance Management Systems, Federal Branches and Agencies Supervision, and Large Bank Supervision.
OCC highlights key risks affecting the federal banking system in spring 2018 semiannual risk report
On May 24, the OCC released its Semiannual Risk Perspective for Spring 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. Priorities focus on credit, operational, compliance, and interest rate risk. While the OCC commented on the improved financial performance of banks from 2016 to early 2018, in addition to the “incremental improvement in banks’ overall risk management practices,” the agency also noted that risks previously highlighted in its Fall 2017 report have “changed only modestly.” (See previous InfoBytes coverage here.)
Specific areas of concern noted by the OCC include: (i) easing of commercial credit underwriting practices; (ii) increasing complexity and severity of cybersecurity threats; (iii) use of third-party service providers for critical operations; (iv) compliance challenges under the Bank Secrecy Act; (v) challenges in risk management involving consumer compliance regulations; and (vi) rising market interest rates, including certain risks associated with the “potential effects of rising interest rates, increasing competition for retail and commercial deposits, and post-crisis liquidity regulations for banks with total assets of $250 billion or more, on the mix and cost of deposits.” Additionally, concerns related to integrated mortgage disclosure requirements under TILA and RESPA previously considered a key risk have been downgraded to an issue to be monitored.
FTC settles with cellphone manufacturer over data security issues
On April 30, the FTC and a Florida cellphone manufacturer entered into a settlement over allegations that the manufacturer allowed third-party data collection from customer phones after falsely claiming that data collection was limited to the information the third parties needed to perform the requested services. According to the complaint, released at the same time as the settlement, the manufacturer contracted with a Chinese technology company to issue security and operating system updates to the manufacturer’s devices. When issuing those updates, the Chinese company collected and transferred personal information about the device owners without their consent or knowledge, including text messages, call logs, and contact lists. In November 2016, the public became aware of this practice and the manufacturer issued a notice informing its customers that the Chinese company had changed its software to no longer collect the personal information. However, the manufacturer allegedly continued to allow this practice on older devices. The FTC alleges that the manufacturer failed to perform adequate due diligence in selecting the Chinese company and failed to adopt and implement written security standards for its third-party providers. Under the settlement, the manufacturer, among other things, is (i) prohibited from future misrepresentations about security and privacy; (ii) required to establish and implement a comprehensive data security program; and (iii) subject to data security assessments every two years by a third party for the next 20 years.
House Financial Services Subcommittee conducts hearing on fintech opportunities and challenges
On January 30, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Examining Opportunities and Challenges in the Financial Technology (“Fintech”) Marketplace.” The Subcommittee issued a press release following the hearing and presented the following key takeaways:
- “Modern developments in digital technology are changing the way in which many financial services are offered and delivered”; and
- “Congress and the federal prudential regulators must continue to examine this innovative marketplace to understand the opportunities and challenges it presents, and to ensure that financial services entities are allowed to use fintech to deliver new products and services while also protecting consumers.”
Opening statements were presented by several members of the Subcommittee, including Subcommittee Vice Chair Keith Rothfus, R-PA, who noted that online lending, mobile banking, and other products could bring capital back to areas deserted by traditional banks. Subcommittee Chairman Blaine Luetkemeyer, R-MO, highlighted that loan originations passed through marketplace lenders accounted for nearly $40 billion over the past ten years, with online lenders often able to offer better lending terms. Luetkemeyer also discussed the rise of mobile banking and lending and raised the question presented by some states of whether fintech companies should be required to comply with current laws that apply to similar products. He stressed that understanding fintech’s capabilities “can better create an environment that fosters certainty and responsible innovation while maintaining consumer protections.” A broad range of topics were discussed at the hearing, including the following highlights:
- Madden v. Midland / True Lender. Companies that have chosen to partner with banks have also run into regulatory and legal roadblocks, including the recent decision in Madden v. Midland Funding, which determined that a nonbank entity taking assignment of debts originated by a national bank is not entitled to protection under the National Bank Act from state-law usury claims. (See Buckley Sandler Special Alert here.) In prepared remarks, Andrew Smith, Partner at Covington and Burling, LLP, stated that because of varying outcomes in true lender court challenges, the lack of certainty means that “market participants will no longer be willing to enter into these types of transactions, thereby depriving consumers, banks, and the economy of the many benefits of bank partnerships with fintech providers while also hampering the liquidity necessary to support a robust lending market.” Smith went on to discuss H.R. 4439, the Modernizing Credit Opportunities Act, which was introduced to “reconfirm and reinforce existing federal law with respect to a bank’s identity as the true lender of a loan with the assistance of a third-party service provider.” Smith emphasized that the legislation would “resolve any uncertainty about a bank’s ability to use third-party service providers by confirming the principle that when a bank enters into a loan agreement, it is the bank that has made the loan.”
- Marketplace Lending. During his testimony, witness Nathaniel Hoopes, Executive Director at the Marketplace Lending Association, highlighted the role marketplace lending platforms (MPPs) have had in delivering products to underserved consumers, but emphasized that a lot of work still needs to happen for more of the “broad American ‘middle class’ to fully realize and benefit from the potential of MPPs specifically and fintech more broadly.” He also expressed support for the Special Purpose National Bank charter currently under consideration by the OCC.
- Regulatory Sandboxes. Witness Brian Knight, Director of the Program on Financial Regulation and Senior Research Fellow at the Mercatus Center at George Mason University, suggested in his prepared remarks various methods to improve the current regulatory environment, and opined that lawmakers could allow firms that participate in a regulatory sandbox program and comply with its requirements to avoid liability as long as the firm makes “customers whole if the firm causes harm owing to a violation of the law.” Knight added that states could be allowed to grant special non-depository charters similar to those offered by the OCC. And while witness Professor Adam J. Levitin of the Georgetown University Law Center agreed that sandboxes would allow companies to explore new ideas with the understanding that customers must be protected, he cautioned that the fragmentation of the regulatory system around fintech makes it hard for experimentation, and that risk would need to be regulated.
- Virtual Currencies. Knight discussed his concerns with initial coin offerings (ICOs) and commented that while ICOs “may enable firms to access capital more effectively than traditional methods, there are significant concerns that they are being used by both outright frauds and well-meaning but ignorant firms to obtain capital in contravention of existing laws governing the sales of securities, commodities futures contracts, and products and services.” However, Knight testified that despite the potential for risk, peer-to-peer payments, cryptocurrencies, and other innovations demonstrate potential, and that innovative lenders are replacing banks in communities where it is no longer profitable for those banks to serve.
- Inconsistent Regulations. During his testimony, witness Brian Peters, Executive Director at Financial Innovation Now, advocated for improved coordination among regulators and stressed that the “current structure is needlessly fragmented and inconsistent among federal regulators, and varies widely across state jurisdictions.” Peters also commented on the need to modernize the regulatory structure to keep pace with innovation and meet consumers’ needs.
OCC highlights supervisory priorities in fall 2017 semiannual risk report
On January 18, the OCC announced the release of its Semiannual Risk Perspective for Fall 2017, identifying key risk areas for national banks and federal savings associations. Top supervisory priorities will focus on credit, operational, and compliance risk. As previously discussed in the spring 2017 semiannual report, compliance risk continues to be an ongoing concern, particularly as banks continue to adopt new technologies to help them comply with anti-money laundering rules and the Bank Secrecy Act (BSA), in addition to addressing increased cybersecurity challenges and new consumer protection laws. (See previous InfoBytes coverage here.) The OCC commented that these types of risks can be mitigated by banks with “appropriate due diligence and ongoing oversight.”
Specific areas of particular concern include the following:
- easing of commercial credit underwriting practices;
- increasing complexity and severity of cybersecurity threats, including phishing scams that are the primary method of breaching bank data systems;
- using limited third-party service providers for critical operations, which can create “concentrated points of failure resulting in systemic risk to the financial services sector”;
- compliance challenges under the BSA; and
- challenges in risk management involving consumer compliance regulations.
The report also raises concerns about new requirements under the Military Lending Act along with pending changes to data collection under the Home Mortgage Disclosure Act, which could pose compliance challenges. It further discusses a new standard taking effect in 2020 for measuring expected credit losses, which “may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.”
The data relied on in the report was effective as of June 30, 2017.