Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On April 11, FTC Chair Lina Khan spoke at the Opening General Session of the IAPP Global Privacy Summit 2022, focusing on the Commission’s’ approach to privacy and data security enforcement strategy. In her remarks, Khan offered observations on “the new political economy” of how American consumers’ data is “tracked, gathered, and used,” and identified how the Commission is adjusting to address these “new market realities.” She also raised broad questions about the current framework for policing “the use and abuse of individuals’ data.” Khan observed that digital technology now allows firms to collect vast amounts of data on a “hyper-granular level,” tracking individuals as they carry out daily tasks. The information collected includes precise personal location, web browsing history, health records, and a complete picture of ones social network of family and friends. This data, analyzed and aggregated at a huge scale, yields “stunningly detailed and comprehensive user profiles that can be used to target individuals with striking precision.” She acknowledged that this data can be put towards adding value for consumers but that consumers are often unaware that companies are monetizing their personal data at huge profits leading to business models that “incentivize endless tracking and vacuuming up of users’ data.” These incentives have rendered today’s digital economy as, quoting a scholar, “probably the most highly surveilled environment in the history of humanity.”
Khan also outlined three key aspects of the FTC’s approach to addressing the above risks to consumers:
- The FTC will focus on “dominant firms” causing “widespread harm.” This includes addressing conduct by the dominant firms themselves as well as “dominant middlemen” facilitating the conduct through unlawful data practices.
- The FTC is taking an interdisciplinary approach by “assessing data practices through both a consumer protection and competition lens” because widescale commercial surveillance and data collection practices have the potential to violate both consumer protection and antitrust laws. The FTC will also increase reliance on technologists such as data scientists, engineers, user design experts, and AI researchers to augment the skills of their lawyers, economists, and investigators.
- The FTC will focus on designing effective remedies “informed by the business strategies that specific markets favor and reward” and that are responsive to the new value that companies place on collected data. Such remedies may include bans from surveillance industries for companies and individuals, disgorgement, requiring updated security measures such as dual-factor authentication, and requiring the deletion of illegally collected data and any algorithms derived from the same.
Khan further indicated that the FTC is considering initiating rulemaking to address commercial surveillance practices and inadequate data security. She concluded by suggesting a paradigmatic shift away from the current framework used to assess unlawful data gathering. Specifically, she stated that “market realities may render the ‘notice and consent’ paradigm outdated and insufficient” – noting that users find privacy policies overwhelming and have no real alternatives to accepting their terms given the increasingly critical reliance on digital tools to navigate daily life. Khan called for new legislation to address these concerns, saying, “[W]e should approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place. The central role that digital tools will only continue to play invites us to consider whether we want to live in a society where firms can condition access to critical technologies and opportunities on users surrendering to commercial surveillance.”
On October 28, the U.S. District Court for the Northern District of Illinois denied a Delaware-based technology management service defendant’s motion to dismiss a putative class action that alleged it stored and collected biometric data from employees of companies that utilized the defendant’s timekeeping services. The court also granted the plaintiff’s motion to remand two of her three claims to state court because the plaintiff had not alleged an injury in fact sufficient to establish Article III standing in federal court for those claims.
The plaintiff alleged that the defendant violated the Illinois’ Biometric Information Privacy Act (BIPA) by selling time and attendance solutions to Illinois employers, including biometric-enabled hardware such as fingerprint and facial recognition scanners that collected and stored employee biometrics data. The plaintiff alleged that the defendant violated Section 15(a) of BIPA by failing to publish a retention schedule for the biometric data, violated Section 15(b) of BIPA by obtaining the plaintiff’s biometric data without first providing written disclosures and obtaining written consent, and violated section 15(c) of BIPA, by participating in the dissemination of her biometric data among servers. According to the district court, the plaintiff lacked standing regarding the Section 15(a) claim because the harm resulting from the defendant’s failure to publish a retention policy was not sufficiently particularized and the plaintiff had not otherwise alleged a concrete injury resulting from the violation. The district court concluded that the plaintiff’s Section 15(c) claim also lacked standing because, though she alleged that the defendant profits off its biometric data collection practices by marketing its biometric time clocks that utilize the software as “superior options” and “gains a competitive advantage”, the “complaint doesn't allege an injury in fact stemming from [the defendant’s] profiting off of [the plaintiff’s] biometric data.”
With regard to the Section 15(b) claim, the district court rejected the defendant’s argument that the requirement to inform clients regarding its biometric data collection and receiving written consent did not apply, noting that the defendant is right that it “doesn’t penalize mere possession of biometric information.” However, that does not help the defendant “because the complaint alleges that defendant did more than possess [the plaintiff’s] biometric information: it says that [the defendant] collected and obtained it.” Additionally, the district court rejected the defendant’s argument that it is not liable as a third-party vendor who lacks the power to obtain the required written releases from its clients’ employees. The district court stated that “while it’s probably true that [the defendant] wasn’t in a position to impose a condition of employment on its clients’ employees, the statutory definition of a written waiver doesn’t excuse vendors like [the defendant] from securing their own waivers before obtaining a person’s data.”
On March 31, the CFPB rescinded, effective April 1, the following policy statements, which provided temporary regulatory flexibility measures to help financial institutions work with consumers affected by the Covid-19 pandemic:
- A March 26, 2020, statement addressing the Bureau’s commitment to taking into account staffing and related resource challenges facing financial institutions related to supervision and enforcement activities.
- A March 26, 2020, statement postponing quarterly HMDA reporting requirements. (Covered by InfoBytes here.)
- A March 26, 2020, statement postponing annual data submission requirements related to credit card and prepaid accounts required under TILA, Regulation Z and Regulation E. (Covered by InfoBytes here.)
- An April 1, 2020, statement on credit reporting agencies and furnishers’ credit reporting obligations under the Fair Credit Reporting Act and Regulation V during the Covid-19 pandemic. The Bureau notes that the rescission “leaves intact the section entitled “Furnishing Consumer Information Impacted by COVID-19” which articulates the CFPB’s support for furnishers’ voluntary efforts to provide payment relief and that the CFPB does not intend to cite in examinations or take enforcement actions against those who furnish information to consumer reporting agencies that accurately reflect the payment relief measures they are employing.” (Covered by InfoBytes here.)
- An April 27, 2020, statement affirming that the Bureau would not take supervisory or enforcement action against land developers subject to the Interstate Land Sales Full Disclosure Act and Regulation J for delays in filing financial statements and annual reports of activity. (Covered by InfoBytes here.)
- A May 13, 2020, statement providing supervision and enforcement flexibility for creditors to resolve billing errors during the pandemic. (Covered by InfoBytes here.)
- A June 3, 2020, statement providing temporary flexibility for credit card issuers regarding electronic provision of certain disclosures during the Covid-19 pandemic in accordance with the E-Sign Act and Regulation Z. (Covered by InfoBytes here.)
The rescission also withdraws the Bureau as a signatory to the April 7, 2020, Interagency Statement on Loan Modifications and Reporting for Financial Institutions Working with Customers Affected by the Coronavirus (covered by InfoBytes here), and the April 14, 2020, Interagency Statement on Appraisals and Evaluations for Real Estate Related Financial Transactions Affected by the Coronavirus (covered by InfoBytes here).
Additionally, the Bureau issued Bulletin 2021-01 announcing changes to how it communicates supervisory expectations to institutions. Bulletin 2021-01 replaces Bulletin 2018-01 (covered by InfoBytes here), which previously created two categories of findings conveying supervisory expectations: Matters Requiring Attention (MRAs) and Supervisory Recommendations (SRs). Under the revised Bulletin, the Bureau notes that examiners “will continue to rely on [MRAs] to convey supervisory expectations” but will no longer issue formal written SRs, as the agency believes that MRAs will more effectively convey its supervisory expectations. The Bulletin further states that “Bureau examiners may issue MRAs with or without a related supervisory finding that a supervised entity has violated a Federal consumer financial law.”
On February 4, CFPB acting Director Dave Uejio published a blog post conveying his “broad vision” for the Division of Research, Markets, and Regulations (RMR). Uejio emphasized that in order for the Bureau to respond to his previously stated policy priorities—(i) relief for consumers facing hardship and economic crisis due to the Covid-19 pandemic, and (ii) racial equity (covered by InfoBytes here)—the agency must sharpen its focus on the consumer experience. To achieve this goal, Uejio is authorizing the Bureau’s use of its 1022(c)(4) data collection authority and has asked RMR to examine “the impact of specific industry practices on consumers’ daily budget and overall bottom line in order to target effective policy interventions.” Among other things, RMR has been asked to take the following immediate steps:
- Prepare an analysis assessing housing insecurities such as mortgage foreclosures, mobile home repossessions, and landlord-tenant evictions.
- Prepare an analysis to address pressing consumer financial barriers to racial equity in order to “inform research and rulemaking priorities,” and “[e]xplicity include in policy proposals the racial equity impact of the policy intervention.”
- Resume data collections paused due to Covid-19, including HMDA quarterly reporting, CARD Act data collection, PACE data collection, and the previously completed 1071 data collection.
- Focus mortgage servicing rulemaking on Covid-19 responses “to avert, to the extent possible, a foreclosure crisis” when pandemic forbearances end in March and April.
- Explore options for preserving the status quo with respect to QM and debt collection rules. (QM rules covered by InfoBytes here and a Buckley Special Alert; debt collection rules covered by InfoBytes here and here.)
Uejio also noted that he “will be assessing regulatory actions taken by the previous leadership and adjusting as necessary and appropriate those not in line with [the Bureau's] consumer protection mission and mandate,” and that he wants to “preserve, where possible, maximum policy flexibility” for President Biden’s nominee once confirmed.
On March 26, the CFPB announced several regulatory flexibility measures to help financial companies work with consumers affected by Covid-19. Specifically, the measures postpone certain industry data collections on Bureau-related rules. These include:
- HMDA. Quarterly information reporting by certain mortgage lenders as required under HMDA and Regulation C will not be expected during this time. However, entities should continue collecting and recording HMDA data in anticipation of making annual submissions. Entities will be provided information by the Bureau on when and how to commence new quarterly HMDA data submissions. (See statement here.)
- TILA. During this time, annual submissions required under TILA, Regulation Z, and Regulation E “concerning agreements between credit card issuers and institutions of higher education; quarterly submission of consumer credit card agreements; collection of certain credit card price and availability information; and submission of prepaid account agreements and related information” will not be expected. (See statement here.)
- Section 1071. A survey seeking information from financial institutions on the cost of compliance in connection with pending rulemaking on Section 1071 of the Dodd-Frank Act has been postponed. As previously covered by InfoBytes, under the terms of a stipulated settlement resolving a 2019 lawsuit that sought an order compelling the Bureau to issue a final rule implementing Section 1071, the Bureau agreed to outline a proposal for collecting data and studying discrimination in small-business lending.
- PACE Financing. A survey of firms providing Property Assessed Clean Energy (PACE) financing to consumers for the purposes of implementing Section 307 of the Economic Growth, Regulatory Relief, and Consumer Protection Act has been postponed.
- Supervision and Enforcement. The Bureau’s policy statement provides “that it does not intend to cite in an examination or initiate an enforcement action against any entity for failure to submit to the Bureau” specified information related to credit card and prepaid accounts. However, the Bureau’s announcement advises entities to “maintain records sufficient to allow them to make delayed submissions pursuant to Bureau guidance.” With respect to operational challenges facing institutions due to Covid-19, the Bureau states that it will work with institutions when scheduling examinations and other supervisory activities to minimize disruption and burden. “[W]hen conducting examinations and other supervisory activities and in determining whether to take enforcement action, the Bureau will consider the circumstances that entities may face as a result of the [Covid-19] pandemic and will be sensitive to good-faith efforts demonstrably designed to assist consumers,” the announcement states.
On March 20, the Nevada Financial Institutions Division issued guidance deeming a collection agency a non-essential business under the Nevada Governor’s orders to close non-essential business. The guidance mentioned in particular that courts in Las Vegas have suspended issuing defaults on civil actions, suspended issuing orders for the examination of a judgment debtor, and suspended the issuance of any writ of execution. Collection agencies licensed or certified in Nevada must cease collection efforts until April 16.
On May 14, the California Reinvestment Coalition (CRC) announced it filed a lawsuit in the U.S. District Court for the Northern District of California against the CFPB for allegedly failing to implement Section 1071 of the Dodd-Frank Act, which requires the Bureau to collect and disclose data on lending to small, women, and minority-owned businesses. In the complaint, the CRC argues that the failure to implement Section 1071 violates two provisions of the Administrative Procedures Act. Specifically, the CRC alleges the that Bureau has “unlawfully withheld and unreasonably delayed” the implementation of Section 1071 since Dodd Frank’s passage in 2011, and also, that the Bureau has acted “arbitrarily and capriciously” by informing financial institutions to “not to make [the] inquiries, nor compile, maintain, and submit [the loan application] data” required by Section 1071. The CRC claims that the failure to collect and publish the data has harmed its ability to advocate for access to credit, advise organizations working with women and minority-owned small businesses, and work with lenders to arrange investment in low-income and communities of color. The CRC is seeking the court to invalidate the Bureau’s countermanding of Section 1071’s requirements on financial institutions and an order or writ compelling the Bureau to issue a final rule implementing Section 1071.
On September 12, the full Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Examining the Fintech Landscape” to discuss topics concerning fintech innovation and the regulatory landscape. Committee Chairman Mike Crapo (R-Idaho) opened the hearing by asserting that while fintech firms provide “new and innovative products and services in areas such as marketplace lending, digital payments and currencies, wealth management, insurance and more . . . [u]ncertainty remains around questions like data security and the proper regulatory treatment to ensure consumers and the financial system are safeguarded.” Sen. Crapo said that he welcomes the opportunity to learn more about fintech innovations, the impact on the financial system, and the current regulatory approach to this sector.
Sen. Sherrod Brown (D-Ohio), ranking member of the Committee, also released an opening statement in which he called for the need to “improve federal oversight of data collection and data security,” especially in light of the recent credit reporting data breach. (See previous InfoBytes summary here.) Sen. Brown noted that he is interested in understanding “how Congress can encourage fintech innovation to make it easier for community banks to serve their customers, comply with important safety and soundness and anti-money laundering rules.”
The three witnesses offered numerous insights related to the fintech industry, including (i) the need to manage risk without stifling fintech innovation; (ii) the importance of creating consistent standards and a regulatory framework; (iii) the need to clearly outline the definition of fintech firms and digital lenders; (iv) challenges when using algorithms and alternative data to assess creditworthiness; and (v) concerns regarding state preemption in the fintech space. The witnesses also answered questions concerning the concept of utilizing a regulatory sandbox to allow fintech firms to operate on a limited basis to test new ideas, and offered support for an innovation office, which would help fintech firms and regulators understand the emerging landscape.
- Mr. Lawrance Evans, Director, Financial Markets, U.S. Government Accountability Office (testimony);
- Mr. Eric Turner, Research Analysis, S&P Global Market Intelligence (testimony); and
- Mr. Frank Pasquale, Professor of Law, University of Maryland Francis King Carey School of Law (testimony).
On September 6, the CFPB ordered an online loan lead aggregator to pay $100,000 for its alleged involvement in selling leads to small-dollar lenders and installment loan purchasers who then extended loans that were void in whole or in part under the borrower’s state laws. The consent order alleges that the California-based company knew the state of residence for each lead sold, yet “regularly sold [l]eads for consumers located in states where the resulting loan was void or the lender had no legal right to collect the principal, interest, or fees from the consumer based on state-licensing requirements or interest-rate limits.” The order also claims that, because the company knows the identity of each purchaser prior to the sale of the loan, it should also know (i) whether the purchaser is likely to comply with the state laws, or (ii) whether the leads it sells will result in loans exceeding state usury interest rate limits or fail to be in compliance with the consumer’s state laws. Pursuant to the consent order, in addition to the $100,000 civil money penalty, the company must (i) “undertake reasonable efforts to ensure” leads do not result in loans that are void under the laws of the consumer’s state; (ii) obtain, among other things, copies of licenses required by each state for its end users “where the absence of such a license would render a loan void in whole or in part under the laws of that state”; (iii) implement procedures for reviewing loans that result from its leads to ensure compliance with privacy and other laws; (iv) establish a policy to prohibit lenders from making loans that are likely to result in loans that are void under the consumer’s state-licensing requirements or interest-rate limits and “refrain from conveying” leads for such loans; and (v) submit registration for the Bureau’s Company Portal.
On the same day, the CFPB also entered into a $250,000 settlement with the company’s president and primary owner for his alleged actions cited in a 2016 complaint involving his role as the operator of a different online lead aggregator. (See previous InfoBytes summary here.) In addition to the civil money penalty, the president has agreed to (i) make efforts to guarantee that all loans offered to consumers are valid in the states where they live; (ii) ensure that there is no misleading, inaccurate, or false information contained in the consumer-facing content of all lead generators from which leads are accepted; and (iii) require all lead generators to “prominently disclose to consumers an accurate description” of how leads will be received, conveyed, and processed. The president has neither admitted nor denied the CFPB’s allegations.
Legislation Proposed to Create Consistent Financial Data Reporting Standards Across Federal Agencies
On March 16, Congressmen Darrell Issa (R-Calif.) and Jared Polis (D-Colo.) introduced the Financial Transparency Act of 2017 (H.R. 1530), a bipartisan bill intended “to amend securities, commodities, and banking laws to make the information reported to financial regulatory agencies electronically searchable.” Specifically, H.R. 1530 would require the Treasury Department to disseminate data standards for all financial regulatory agencies, while directing each agency to transform its regulatory reporting regime from disconnected documents into standardized, searchable data. The bill further provides that any information required by other laws to be public must be published as open data, and includes specific directives for the SEC to improve that agency’s existing data reporting regime.
Additional details concerning the proposed measure are explained in a summary prepared by www.datacoalition.org. U.S. Representative Randy Hultgren (R-IL)—one of the bill’s co-sponsors and current Vice Chairman of the House Subcommittee on Capital Markets, Securities and Investment—has also promoted the legislation in an op-ed for The Guardian, entitled How to stop the next Bernie Madoff.
- Jedd R. Bellman to discuss “The CFPB’s crackdown on collection junk fees and the growing anti-CFPB rhetoric” at an Accounts Recovery webinar
- Benjamin W. Hutten to discuss “Latest on AML regulations and impact of economic sanctions” at a Mortgage Bankers Association webinar
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar