On January 14, NYDFS Superintendent Linda Lacewell announced that former Deputy Director of the CFPB, Leandra English, will serve as Special Policy Advisor to the Department. In her role, English will report directly to Lacewell and will manage and develop NYDFS’ policy initiatives involving consumers, financial services, and other issues. English will also be responsible for spearheading NYDFS’ policy development and analysis process, and assisting in the identification of common regulatory trends and risks across industries.
On January 13, Washington state lawmakers announced two bills designed to strengthen consumer access and control over personal data and regulate the use of facial recognition technology. Highlights of SB 6281, the Washington Privacy Act, include the following:
- Applicability. SB 6281 will apply to legal entities that conduct business in Washington, or produce products or services targeted to Washington consumers, and that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 50 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers. Exempt from SB 6281, among others, are state and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records.
- Consumer rights. Consumers will be able to exercise the following concerning their personal data: access; correction; deletion; data portability; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
- Controller responsibilities. Controllers required to comply with SB 6281 will be responsible for (i) transparency; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data, and conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.”
- State attorney general. SB 6281 does not create a private right of action for individuals to sue over an alleged violation. However, the AG will be permitted to bring actions and impose penalties of no more than $7,500 per violation. The AG will also be required to submit a report evaluating the liability and enforcement provisions of SB 6281 by 2022, along with any recommendations for change.
- Information sharing. SB 6281 will allow the state governor to enter into agreements with British Columbia, California, and Oregon, which will allow personal data to be shared for joint research initiatives.
- Facial Recognition. SB 6281 will establish limits on the commercial use of facial recognition services. Among other things, the bill will require third-party testing on all services prior to deployment for accuracy and unfair performance, conspicuous notice when a service is deployed in a public space, and will require companies to receive consumer consent prior to enrolling an image in a service used in a public space.
The second bill, SB 6280, will more specifically govern the use of facial recognition services by state and local government agencies, and, among other things, outlines provisions for the use of facial recognition services when identifying victims of crime, stipulates restrictions concerning ongoing surveillance, and requires agencies to produce an annual report containing a compliance assessment.
As previously covered by InfoBytes, last year, New York introduced proposed legislation (see S 5642) that seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state. Provisions included in the measures introduced by New York and Washington state differ from those contained in the California Consumer Privacy Act (CCPA), which took effect January 1. (Previous InfoBytes coverage on the CCPA is available here.)
On January 9, NYDFS announced the creation of the Consumer Protection Task Force, which will help the department implement the “extensive consumer protections proposals” outlined in the governor’s recent proposal to expand state oversight and enforcement of the financial services industry. (See previous InfoBytes coverage on the governor’s proposal here.) Specifically, the task force will work on measures designed to enhance (i) regulatory oversight of debt collectors; (ii) protections against elder financial abuse; (iii) access to affordable banking services; and (iv) consumer protection laws to defend state residents against unfair, deceptive and abusive practices. Individuals named to the task force were chosen “based on their extensive experience and expertise in the areas of economic justice, housing, health and debt collection, and advocacy on behalf of communities throughout New York.”
On January 9, the Minnesota attorney general announced that an internet service provider (ISP) agreed to pay nearly $9 million in order to resolve allegations that it overcharged customers for phone, internet and cable services. In a separate action, on December 10, the Washington attorney general’s office announced that it entered into a $6.1 million consent decree with the same ISP to resolve similar claims of deceptive acts and practices. As previously covered by InfoBytes, the ISP entered into settlements over the same alleged actions with the states of Colorado on December 19, and Oregon on December 31.
In January, the NCUA issued a letter to board of directors and chief executive officers at federally insured credit unions outlining the agency’s 2020 supervisory priorities. Top supervisory priorities include:
- Bank Secrecy Act/Anti-Money Laundering (BSA/AML). Examinations will continue to focus on customer due diligence and beneficial ownership requirements. The NCUA will also collaborate with law enforcement and banking regulators on initiatives such as updates to the FFIEC’s BSA/AML examination manual and enforcement guidelines, guidance concerning politically exposed persons, and measures for improving suspicious activity and currency transaction report filing procedures.
- Consumer Financial Protection. Based on a rotating regulation review cycle, NCUA examiners will review compliance (at a minimum) with the following regulations: the Electronic Fund Transfer Act, Fair Credit Reporting Act, Gramm-Leach-Bliley Act (Privacy Act), Payday Alternative Lending and other small dollar lending, Truth in Lending Act, Military Lending Act, and the Servicemembers Civil Relief Act.
- Cybersecurity. In 2020 the NCUA will continue conducting cybersecurity maturity assessments for credit unions with assets over $250 million and will begin to assess those with assets over $100 million. In addition, the NCUA intends to pilot new procedures—scaled to an institution’s size and risk profile—to evaluate critical security controls during examinations between maturity assessments.
- LIBOR Cessation Planning. Examiners will assess credit unions’ planning related to the discontinuation of LIBOR. According to the NCUA, credit unions should “proactively transition away from instruments using LIBOR as a reference rate.”
Other areas of focus include credit risk, current expected credit losses, liquidity risk, and modernization updates. The extended examination cycle will continue to apply to qualifying credit unions.
Mortgage broker allegedly violated federal laws by posting customers’ personal information on website
On January 7, the FTC announced a proposed settlement with a California mortgage broker and his company to resolve alleged violations of the FTC Act, FCRA, Regulation P, and the Safeguards Rule. According to a complaint filed by the DOJ on behalf of the FTC, the defendants published the personal information of customers who posted negative reviews on a public website, including customers’ “sources of income, debt-to-income ratios, credit history, taxes, family relationships, and health.” The alleged posts containing negative financial information violated the defendants’ responsibilities under Regulation P (Privacy of Consumer Financial Information) as the required privacy disclosure provided to the customers stated that the defendants would not share personal information with any third party. Regulation P also “prohibits financial institutions from disclosing to any nonaffiliated third party any nonpublic personal information about a customer unless it has provided the customer with an opt-out notice, . . . a reasonable opportunity to opt out of the disclosure, and the customer has not opted out.” In this instance, customers were not given the opportunity to opt out of disclosure of their personal financial information in response to online consumer reviews, the complaint asserts. In addition, the complaint alleges that the defendants also violated the FTC Act by causing unfair or deceptive acts or practices that “deprived consumers of the ability to control whether and to whom they disclosed sensitive information.” The defendants also allegedly violated the FCRA by using consumer reports for impermissible purposes, and the FTC’s Safeguards Rule by failing to implement or maintain an adequate information security program. 
Under the terms of the proposed settlement, the defendants will pay a $120,000 civil penalty and are prohibited from (i) misrepresenting their privacy and data security practices; (ii) using consumer reports for anything other than a permissible purpose; (iii) failing to provide required privacy notices; and (iv) improperly disclosing nonpublic personal information to third parties. Among other things, the company is also prohibited from transferring, selling, sharing, collecting, maintaining, or storing nonpublic personal information unless it implements a comprehensive information security program, and must obtain independent third-party assessments of its information security program every two years.
On January 7, the Director of the FTC’s Bureau of Consumer Protection noted that the Commission has made “three major changes” in its data security orders to “improve data security practices and provide greater deterrence” by focusing on specificity, accountability, and responsibility. The first change increases the specificity of data security orders to “make the FTC’s expectations clearer” and “improve order enforceability.” The second change increases the accountability of the third-party assessors who review the comprehensive data security programs that the orders exact, by requiring assessors to include specific evidence for each determination and to accommodate requests from the FTC to review the assessments. The third change emphasizes executive responsibility. Yearly, companies will be required to present their data security programs to board and senior company executives who must certify the company’s compliance to the FTC. The announcement also pointed to a number of 2019 orders to demonstrate the “significant improvements” the agency has made with the three changes.
On December 20, the FTC announced it had filed suit for unfair and deceptive acts and practices in violation of the FTC Act against a fuel payment card services company (company) for its “problematic marketing and fee practices.” The FTC’s complaint, filed in U.S. District Court for the Northern District of Georgia, alleges that the company marketed the fuel payment cards to “companies that operate vehicle fleets” with false promises that the cards would provide (i) cost savings; (ii) protection from unauthorized card purchases; and (iii) “no set-up, transaction, or membership fees, including when used to purchase fuel at any of the thousands of locations nationwide that accept [the company’s] fuel cards.” In fact, according to the complaint, the company “has charged customers at least hundreds of millions of dollars in unexpected fees,” and “at least tens of millions of dollars in recurring fees for programs they have not ordered,” and, in spite of its marketing representing otherwise, the company has not provided advertised fuel savings, and has not provided fraud protection for unauthorized transactions. The complaint also claims that the company has not timely posted customer payments when received, leading to customers being levied additional fees for late charges and “related [i]nterest and [f]inance [c]harges even when the customers have paid their balance in full by the due date.” The FTC seeks permanent injunctive relief against the company to prevent future violations, as well as redress for those consumers injured by the FTC Act violations, “including rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies.”
On December 23, the New York governor signed S 3631, which amends the state’s insurance law to increase protections for New York consumers from unplanned charges at the end of a motor vehicle lease. The definition of “service contracts” is broadened to cover more comprehensive service contracts on motor vehicles leased for personal use. Service contracts covered by the law will now include agreements that apply to accidental damage and excess use and wear and tear, including missing parts of the vehicle, and items not covered by a warranty or other service agreement, as long as such services do not exceed the purchase price of the automobile. The law became effective when signed.
On December 19, the Colorado attorney general announced that an internet service provider (ISP) agreed to pay nearly $8.5 million in order to resolve allegations that it “unfairly and deceptively charg[ed] hidden fees, falsely advertis[ed] guaranteed locked prices, and fail[ed] to provide discounts and refunds it promised” to Colorado consumers in violation of the Colorado Consumer Protection Act. According to the announcement, in 2017 the AG’s office investigated the ISP and compiled information that the ISP had “systematically and deceptively overcharged consumers for services” since 2014 (see the complaint filed by the AG here). In the settlement, the ISP agreed to an order that requires it, among other things, to (i) refrain from making false and misleading statements to consumers in the marketing, advertising and sale of its products and services; (ii) accurately communicate monthly base charges as well as one-time fees, taxes, and other fees and surcharges to consumers; (iii) disclose any “internet cost recovery fee” or “broadband recovery fee” to consumers being charged the fees and allow the affected consumers to switch to different services if they wish to avoid the fees; (iv) refrain from charging an “internet or broadband cost recovery fee” on new orders; and (v) provide refunds to customers who were overcharged for services and to those customers who did not previously receive discounts that the ISP promised.
In a separate action, on December 31, the Oregon attorney general’s office announced that it entered into a $4 million Assurance of Voluntary Compliance with the same ISP to resolve similar claims of deceptive acts and practices in the advertising, sale, and billing of the ISP’s internet, telephone and cable services in violation of the Oregon Unlawful Trade Practices Act. According to the announcement, the Oregon DOJ started an investigation of the ISP in 2014 for allegedly “misrepresenting the price of services, failing to inform consumers of terms and conditions that could affect the price, and billing consumers for services they never received.” The ISP agreed to requirements that are very similar to those in the Colorado settlement. The announcement notes that the “Oregon DOJ will continue to lead a separate securities class action lawsuit arising from the same conduct.”
- Andrew W. Schilling to moderate "Expectations of in-house counsel from their law firm partners" at the ACI's 7th Annual Advanced Forum on False Claims and Qui Tam
- Buckley Webcast: Tips for navigating changes to the FHA recertification process
- Daniel P. Stipano to discuss "A 20/20 view on 2020’s legislative and regulatory outlook" at the ACAMS Anti-Financial Crime and Public Policy Conference
- Kari K. Hall and Michelle L. Rogers to discuss "Overdrafts and regulatory trends" at the CLE Alabama Banking Law Update
- Kathryn L. Ryan to discuss "Industry open forum session on NMLS usage" at the NMLS Annual Conference & Training
- Kathryn L. Ryan to discuss "Regulating innovative consumer lending products" at the NMLS Annual Conference & Training
- Daniel P. Stipano to moderate "Washington update" at the 17th Puerto Rican Symposium of Anti Money Laundering 2020 conference
- APPROVED Checkpoint Webcast: CFL overview
- Daniel P. Stipano to discuss "Pathway of the SARs: Tracking trajectories of suspicious activity reports from alerts to prosecution" at the ACAMS moneylaundering.com 25th Annual International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Which bud’s for you? A deep-dive into evolving marijuana laws" at the ACAMS moneylaundering.com 25th Annual International AML & Financial Crime Conference