InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Biden announces FTC nominees
On July 3, President Biden announced his intention to nominate Andrew N. Ferguson and Melissa Holyoak to serve as Republican members of the FTC. Ferguson currently serves as the solicitor general of the Commonwealth of Virginia where he oversees appellate litigation of the state and its agencies. Prior to his time as solicitor general, Ferguson served as chief counsel to U.S. Senate Republican Leader Mitch McConnell, chief counsel for nominations and constitution to then-Judiciary Committee Chairman Lindsey Graham (R-SC), and senior special counsel to then-Judiciary Committee Chairman Chuck Grassley (R-IA). Ferguson also has extensive antitrust experience, including in litigation before the FTC and DOJ.
Holyoak is currently the solicitor general with the Utah Attorney General’s Office where she oversees areas including civil appeals, criminal appeals, constitutional defense, and the antitrust and data privacy divisions. She is an experienced litigator, where much of her 20 years of practice has focused on consumer protection, Biden said. Before joining the Utah Attorney General’s Office, Holyoak was president and general counsel of the Hamilton Lincoln Law Institute, a Washington, D.C.-based public interest firm that represents consumers challenging unfair class actions and regulatory overreach.
Following the announcement, FTC Chair Lina M. Khan issued a statement congratulating the nominees. The two seats have been vacant since former Commissioner Christine Wilson announced her resignation earlier in the year (covered by InfoBytes here).
Biden administration launches NIST working group on AI
On June 22, the Biden administration announced that the National Institute of Standards and Technology (NIST) launched a new public working group on generative AI. The Public Working Group on Generative AI will reportedly help NIST develop guidance surrounding the special risks posed by AI in order to help organizations and support initiatives to address the opportunities and challenges associated with generative AI’s creation of code, text, images, videos, and music. “The public working group will draw upon volunteers, with technical experts from the private and public sectors, and will focus on risks related to this class of AI, which is driving fast-paced changes in technologies and marketplace offerings” NIST stated. NIST also outlined the immediate, midterm, and long-term goals for the group. Initially, the working group will research how the NIST AI Risk Management Framework can be used to support AI technology development. The working group’s midterm goal will be to support NIST in testing, evaluation and measurement related to generative AI. In the long term, the group will explore the application of generative AI to address challenges in health, environment, and climate change. NIST encourages those interested in joining the working group to submit a form no later than July 9.
CFPB looking at privacy implications of worker surveillance
On June 20, the CFPB released a statement announcing it will be “embarking on an inquiry into the data broker industry and issues raised by new technological developments.” The Bureau requested information in March about entities that purchase information from data brokers, the negative impacts of data broker practices, and the issues consumers face when they wish to see or correct their personal information. (Covered by InfoBytes here.) The findings from this inquiry will help the Bureau understand how employees’ personal information can find its way into the data broker market.
With similar intentions, the White House Office of Science and Technology Policy (OSTP) released a request for information (RFI) to learn more about the automated tools employers use to monitor, screen, surveil, and manage their employees. The OSTP blog post cited to an increase in the use of technologies that handle employees’ sensitive information and data. The OSTP also highlighted the Biden administration’s Blueprint for an AI Bill of Rights (covered by InfoBytes here), which underscored the importance of building in protections when developing new technologies and understanding associated risks. Responses to the RFI will be used to “inform new policy responses, share relevant research, data, and findings with the public, and amplify best practices among employers, worker organizations, technology vendors, developers, and others in civil society,” the OSTP said.
The CFPB’s response to the RFI described the agency’s concerns regarding risks to employees’ privacy, noting that it has long received complaints from the public about the lack of transparency and inaccuracies in the employment screening industry. Specifically mentioned are FCRA protections for consumers and guidelines around the sale of personal data. The Bureau also commented that employees may not be at liberty to determine how their information is used, or sold, and have no opportunity for recourse when inaccurately reported information affects their earnings, access to credit, ability to rent a home or buy a car, and more.
U.S., UK enter agreement in principle on data flow
On June 8, President Biden presented an agreement in principle to allow for the free flow of data between the U.S. and the UK. Announced as part of the administration’s “Atlantic Declaration for a Twenty-First Century U.S.-UK Economic Partnership,” the “data bridge” would facilitate data flows between the two countries while ensuring strong, effective privacy protections. “The trusted and secure flow of data across our borders is foundational to efforts to further innovation,” the White House said in the announcement. “We are working to finalize our respective assessments swiftly to implement this framework.” A joint statement issued by the UK Secretary of State for Science, Innovation, and Technology, the Rt. Hon. Chloe Smith MP, and U.S. Secretary of Commerce Gina M. Raimondo reiterated the two countries’ commitment to establishing “a data bridge that would restore a robust and reliable mechanism for UK-US data flows.” The data bridge would also help facilitate data transfers to U.S. organizations that rely on other data transfer mechanisms under UK law, the joint statement said.
Meanwhile, the U.S. and the EU are working to finalize the EU-US Data Privacy Framework (covered by InfoBytes here)—a replacement for the EU-U.S. Privacy Shield, which was annulled by the Court of Justice of the EU in 2020 after the court determined that data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the EU’s General Data Protection Regulation.
OFAC announces new Sudan E.O., issues and amends several sanctions general licenses and FAQs
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) recently announced several sanctions-related actions, including President Biden’s new Executive Order (E.O.) Imposing Sanctions on Certain Persons Destabilizing Sudan and Undermining the Goal of a Democratic Transition. The E.O. expands the scope of a 2006 Executive Order following the determination that recent events in Sudan “constitute[] an unusual and extraordinary threat to the national security and foreign policy of the United States.” The E.O. outlines specific prohibitions and provides that all property and interests in property that are in the U.S. or that later come in the U.S., or that are in the possession or control of any of the identified U.S. persons must be blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in. Concurrently, OFAC issued a new FAQ clarifying which sanctions authorities are applicable to Sudan and the Sudanese government.
OFAC also issued Venezuela-related General License (GL) 42, which authorizes certain transactions related to the negotiation of settlement agreements with the IV Venezuelan National Assembly and certain other entities. The authorized transactions must relate to debt owed by the Venezuelan government, Petróleos de Venezuela, S.A., or any entity owned, directly or indirectly, 50 percent or more. GL 42 does not authorizes transactions involving the Venezuelan National Constituent Assembly convened by Nicolas Maduro or the National Assembly seated on January 5, 2021. OFAC also released three new related FAQs and one amended FAQ.
Additionally, OFAC released cyber-related GL 1C, which authorizes certain transactions with Russia’s Federal Security Service that would normally be prohibited by the Weapons of Mass Destruction Proliferators Sanctions Regulations, and issued three amended cyber-related FAQs. A few days later, OFAC issued Russia-related GL 8G, which authorizes certain transactions related to energy that would otherwise be prohibited by E.O. 14024, involving certain entities, including Russia’s central bank. OFAC clarified that GL 8G does not authorize prohibited transactions related to (i) certain sovereign debt of the Russian Federation; (ii) the “opening or maintaining of a correspondent account or payable-through account for or on behalf of any entity subject to Directive 2 under E.O. 14024, Prohibitions Related to Correspondent or Payable-Through Accounts and Processing of Transactions Involving Certain Foreign Financial Institutions”; and (iii) or “[a]ny debit to an account on the books of a U.S. financial institution of the Central Bank of the Russian Federation,” among others.
Biden administration questions crypto assets
President Biden recently issued his sweeping economic report, in which the administration’s Council of Economic Advisers addressed numerous economic policy concerns, including the current crypto ecosystem and the perceived appeal of crypto assets. The report discussed claims made about the purported benefits of crypto assets, such as the decentralized custody and control of money, as well as the potential for “improving payment systems, increasing financial inclusion, and creating mechanisms for the distribution of intellectual property and financial value that bypass intermediaries that extract value from both the provider and recipient,” but argued that “[s]o far, crypto assets have brought none of these benefits.” The report countered that, in fact, “crypto assets to date do not appear to offer investments with any fundamental value, nor do they act as an effective alternative to fiat money, improve financial inclusion, or make payments more efficient; instead, their innovation has been mostly about creating artificial scarcity in order to support crypto assets’ prices—and many of them have no fundamental value.”
Arguing that these issues raise questions about the role of regulations in protecting consumers, investors, and the financial system on a whole, the report conceded that some of the potential benefits of crypto assets —including (i) serving as investment vehicles; (ii) offering money-like functions without having to rely on a single authority; (iii) enabling fast digital payments; (iv) improving the underbanked population’s access to financial services; and (v) improving the current financial technology infrastructure through distributed ledger technology—may be realized down the road. However, the report cautioned that “[m]any prominent technologists have noted that distributed ledgers are either not particularly novel or useful or they are being used in applications where existing alternatives are far superior.” Highlighting the risks and costs of crypto assets, the report asserted, among other things, that cryptocurrencies are not as effective as a medium of exchange and do not serve “as an effective alternative to the U.S. dollar” due to their use as both money and an investment vehicle.
Biden administration urges states to join fee crack down
On March 8, the Biden administration convened a gathering of state legislative leaders to hold discussions about so-called “junk fees”—described as the “unnecessary, unavoidable, or surprise charges” that obscure true prices and are often not disclosed upfront. While the announcement acknowledged actions taken by federal agencies over the past few years to crack down on these fees, the administration recognized the role states play in advancing this effort. The Guide for States: Cracking Down on Junk Fees to Lower Costs for Consumers outlined actions states can take to address these fees, and provided several examples of alleged junk fees, including hotel resort fees, debt settlement fees, event ticketing fees, rental car and car purchase fees, and cable and internet fees. The guide also highlighted “the banking industry’s excessive and unfair reliance on banking junk fees.” The administration pointed out that a number of businesses have changed their policies in response to the increased scrutiny of junk fees and said several banks have ended fees for overdraft protection. The same day, the CFPB released a new Supervisory Highlights, which focused on junk fees uncovered in deposit accounts and the auto, mortgage, student, and payday loan servicing markets (covered by InfoBytes here).
Additionally, HUD Secretary Marcia L. Fudge published an open letter to the housing industry and state and local governments, encouraging them to “limit and better disclose fees charged to renters in advance of and during tenancy.” Fudge noted that “actions should aim to promote fairness and transparency for renters while ensuring that fees charged to renters reflect the actual and legitimate costs to housing providers.”
California Attorney General Rob Bonta also issued a statement responding to the administration’s call to end junk fees. “Transparency and full disclosure in pricing are crucial for fair competition and consumer protection,” Bonta said, explaining that in February the state senate introduced legislation (see SB 478) to prohibit the practice of hiding mandatory fees.
Biden administration releases National Cybersecurity Strategy
On March 2, the Biden administration announced the release of its National Cybersecurity Strategy (Strategy) in a continued effort to provide a safe and secure digital ecosystem for Americans. The Strategy, which expands on other steps taken by the administration in this space (covered by InfoBytes here), focuses on several key pillars for building and enhancing collaboration, including:
- Defending critical infrastructure. The Strategy will expand the use of minimum cybersecurity requirements in critical sectors, harmonize regulations to reduce compliance burdens, ensure public-private collaboration is able to defend critical infrastructure and essential services, and defend and modernize federal networks and incident response policies.
- Disrupting and dismantling threat actors. Under the Strategy, tools will be strategically employed to disrupt adversaries, and the private sector will be used to disrupt activities. Ransomware threats will also be addressed through a comprehensive federal approach “in lockstep” with international partners.
- Shaping market forces to drive security and resilience. In an effort “to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable,” the Strategy proposes to (i) promote privacy and security of personal data; (ii) “[shift] liability for software products and services to promote secure development practices”; and (iii) ensure investments in new infrastructure are supported by federal grant programs.
- Investing in a resilient future. The Strategy promotes coordinated, collaborative actions for reducing systemic technical vulnerabilities across the digital ecosystem and improving resiliency against transnational digital repression. The Strategy also prioritizes cybersecurity research and development for emerging technologies, including postquantum encryption, digital identity solutions, and clean energy infrastructure, and stresses the importance of developing a diverse, robust national cyber workforce.
- Forging international partnerships to pursue shared goals. The Strategy intends to leverage international coalitions and partnerships to counter threats to the digital ecosystem through the use of joint preparedness, response, and cost imposition, which will enable partners to better defend themselves against cyber threats. The U.S. will also work with international partners to create secure, reliable global information and communications technology supply chains and operational technology products and services.
While “next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies,” the announcement warned that state and non-state actors are developing and executing campaigns that threaten the digital ecosystem. The Biden administration’s Strategy aims to address those threats.
FHA reduces mortgage insurance premiums to improve home affordability
On February 22, FHA announced a 30 basis point reduction in the annual premium charged to mortgage borrowers, resulting in mortgage insurance premiums of 0.55 percent for most borrowers seeking FHA-insured mortgages (down from 0.85 percent). (See also Mortgagee Letter 2023-05.) The reduction will apply to nearly all FHA-insured Single Family Title II forward mortgages, and is applicable to all eligible property types including single family homes, condominiums, and manufactured homes, all eligible loan-to-value ratios, and all eligible base loan amounts. According to the announcement, the reduction is intended to build on steps taken by the Biden administration to make homeownership more affordable and accessible, particularly for households of color, and could save an estimated 850,000 borrowers an average of $800 annually. As previously covered by InfoBytes, last September HUD modified FHA’s underwriting policies to allow lenders to consider a first-time homebuyer’s positive rental payment history as an additional factor in determining eligibility for an FHA-insured mortgage, and in March, the Property Appraisal and Valuation Equity Task Force outlined steps for addressing alleged racial bias in home appraisals (covered by InfoBytes here). Additional actions taken by HUD to improve homeownership accessibility can be found here.
EU says EU-US Data Privacy Framework lacks adequate protections
On February 14, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs released a draft motion for a resolution concerning the adequacy of protections afforded under the EU-US Data Privacy Framework. As previously covered by InfoBytes, last October President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to address the facilitation of transatlantic data flows between the EU and the U.S. The E.O. also outlined bolstered commitments that the U.S. will take under the EU-U.S. Data Privacy Framework (a replacement for the EU-U.S. Privacy Shield). In 2020, the Court of Justice of the EU (CJEU) annulled the EU-U.S. Privacy Shield after determining that, because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the EU’s General Data Protection Regulation (GDPR).
In the draft resolution, the Committee urged the European Commission not to adopt any new adequacy decisions needed for the EU-U.S. Data Privacy Framework to officially take effect. According to the Committee, the framework “fails to create actual equivalence in the level of protection” provided to EU residents’ transferred data. Among other things, the Committee found that the government surveillance backstops outlined in the E.O. “are not in line” with “long-standing key elements of the EU data protection regime as related to principles of proportionality and necessity.” The Committee also expressed concerns that “these principles will be interpreted solely in light of [U.S.] law and legal traditions” and appear to take a “broad interpretation” to proportionality. The Committee also flagged concerns that the framework does not establish an obligation to notify EU residents that their personal data has been processed, “thereby undermining their right to access or rectify their data.” Additionally, “the proposed redress process does not provide for an avenue for appeal in a federal court,” thereby removing the possibility for EU residents to claim damages. Moreover, “remedies available for commercial matters” are “largely left to the discretion of companies, which can select alternative remedy avenues such as dispute resolution mechanisms or the use of companies’ privacy [programs],” the Committee said.
The Committee called on the Commission “to continue negotiations with its [U.S.] counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU,” and urged the Commission “not to adopt the adequacy finding.”