
InfoBytes Blog

Financial Services Law Insights and Observations



  • Fed, OCC, and FDIC release third-party risk management report for community banks

    Privacy, Cyber Risk & Data Security

    On May 3, the Fed, OCC, and FDIC (the regulators) released a report to help community banks assess their third-party relationship risk exposure. The report discusses key considerations in three areas: risk management, third-party relationship life cycle, and governance. In addition, the regulators’ report contains an appendix with additional resources, such as FFIEC interagency guidance and CISA cybersecurity protocols. With respect to risk management, the report suggests that community banks apply more rigorous risk-management practices for third parties that support critical bank activities, such as those that could have a significant customer impact or a significant impact on the bank’s financial condition. In describing the third-party relationship life cycle, the report identifies five key stages: planning, due diligence, contract negotiation, ongoing monitoring, and termination. With respect to governance, the report describes three key pillars: oversight and accountability, independent review, and documentation and reporting.

    Privacy, Cyber Risk & Data Security Third-Party Risk Management Communications Decency Act Bank Regulatory OCC Federal Reserve

  • 4th Circuit says website does not qualify for Section 230 immunity


    On November 3, the U.S. Court of Appeals for the Fourth Circuit reversed and remanded a district court’s summary judgment ruling that a public records website, its founder, and two affiliated entities (collectively, “defendants”) could use Section 230 liability protections under the Communications Decency Act (CDA) to shield themselves from credit reporting violations. As previously covered by InfoBytes, plaintiffs alleged, among other things, that because the defendants’ website collects, sorts, summarizes, and assembles public record information into reports that are available for third parties to purchase, it qualifies as a consumer reporting agency (CRA) under the FCRA, and as such, must follow process-oriented requirements that the FCRA imposes on CRAs. However, the district court determined that the immunity afforded by Section 230 of the Communications Decency Act applied to the FCRA and that the defendants qualified for such immunity and could not be held liable for allegedly disseminating inaccurate information and failing to comply with the law’s disclosure requirements.

    On appeal, the 4th Circuit reviewed whether a consumer lawsuit alleging violations of the FCRA’s procedural and disclosure requirements and seeking to hold the defendants liable as the publisher or speaker of information provided by a third party is thereby preempted by Section 230. The appellate court agreed with an amicus brief filed in 2021 by the FTC, CFPB, and the North Carolina Department of Justice, which urged the appellate court to overturn the district court ruling on the basis that the court misconstrued Section 230—which they assert is unrelated to the FCRA—by extending immunity to “claims that do not seek to treat the defendant as the publisher or speaker of any third-party information.” According to the amicus brief, liability turns on the defendants’ alleged failure to comply with FCRA obligations to use reasonable procedures when preparing reports, to provide consumers with a copy of their files, and to obtain certifications and notify consumers when reports are furnished for employment purposes.

    The 4th Circuit held that Section 230(c)(1) of the CDA “extends only to bar certain claims, in specific circumstances, against particular types of parties,” and that the four claims raised in this case were not subject to those protections. “Section 230(c)(1) provides protection to interactive computer services,” the appellate court wrote, “[b]ut it does not insulate a company from liability for all conduct that happens to be transmitted through the internet.” Specifically, the appellate court said two of the counts—which allege that the defendants failed to give consumers a copy of their own report when requested and did not follow FCRA requirements when providing reports for employment purposes—do not seek to hold the defendants liable as a speaker or publisher, and therefore fall outside Section 230 protections. As for the remaining two counts related to claims that the defendant failed to ensure records for employment purposes were complete and up-to-date, or adopt procedures to assure maximum possible accuracy when preparing reports, the 4th Circuit concluded that the defendants “made substantive changes to the records’ content that materially contributed to the records’ unlawfulness. That makes [defendants] an information content provider, under the allegations, for the information relevant to Counts Two and Four, meaning that it is not entitled to § 230(c)(1) protection for those claims.”

    Courts Appellate Fourth Circuit FCRA Communications Decency Act Consumer Reporting Agency
