Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Rep. McHenry introduces draft privacy legislation based on GLBA

    Federal Issues

    On June 23, House Financial Services Ranking Member Patrick McHenry (R-NC) released a discussion draft of new federal legislation intended to modernize financial data privacy laws and provide consumers more control over the collection and use of their personal information. (See overview of the discussion draft here.) The draft bill seeks to build on the Gramm-Leach-Bliley Act (GLBA) to better align financial data protection law with evolving technologies that have innovated the financial system and the way in which consumers interact with financial institutions, including nonbank institutions. “Technology has fundamentally changed the way consumers participate in our financial system—increasing access and inclusion. It has also increased the amount of sensitive data shared with service providers. Our privacy laws—especially as they relate to financial data—must keep up,” McHenry said, emphasizing the importance of finding a way to “secure Americans’ privacy without strangling innovation.”

    Among other things, the draft bill:

    • Requires notice of collection activities. The GLBA currently requires that consumers be provided notice when their information is being disclosed to third parties. The draft bill updates this requirement to require financial institutions to provide notice when consumers’ nonpublic personal information is being collected.
    • Recognizes the burden on small institutions. The draft bill stipulates that agencies shall consider compliance costs imposed on smaller financial institutions when promulgating rules.
    • Amends the definition of a “financial institution.” The draft bill will update the definition to cover data aggregators in addition to financial institutions engaged in financial activities as described in 4(k) of the Bank Holding Company Act of 1956.
    • Expands the definition of non-public information. The draft bill expands the definition of “personally identifiable financial information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Publicly available information is not included in this definition. The definition of “consumer account credentials” will mean “nonpublic information (including a username, password, or an answer to a security question) that enables the consumer to access an account of the consumer at a financial institution.”
    • Provides consumers access to data. The draft bill provides that financial institutions must, upon an authorized request from a consumer, disclose the data held, entities with which the financial institution shares consumer data, and a list of entities from whom the financial institution has received a consumer’s non-public personal information.
    • Allows consumers to stop the collection and disclosure of their data. When a financial institution is required to terminate the collection and/or sharing of a consumer’s nonpublic personal information, the draft bill provides that a financial institution must notify third parties that data sharing is terminated and must require the third parties to also terminate collection and disclosure. Additionally, upon request from a consumer, the financial institution must delete any nonpublic personal information in its possession, and if required by law to retain the data, the financial institution may only use the data for that purpose.
    • Minimizes data collection. The draft bill requires that financial institutions notify consumers of their data collection practices in their privacy policies, including the categories collected, how the information is collected, and the purposes for the collection. Consumers must be allowed an opportunity to opt-out of the collection of their data if not necessary for the provision of the product or service by that entity.
    • Provides informed choice and transparency. Under the draft bill, privacy terms and conditions must be transparent and easily understandable. The draft bill requires the disclosure of a financial institution’s privacy policies in a manner that provides consumers meaningful understanding of what data is being collected, the manner in which the data is collected, the purposes for which the data will be used, the right to opt-out, who has access to the data, how an entity is using the data, where the data will be shared, the data retention policies of the entity, the consumer’s termination rights, and the rights associated with that data for uses inconsistent with stated purpose, among others.
    • Stipulates liability for unauthorized access. The draft bill states that “[i]f the nonpublic personal information of a consumer is obtained from a financial institution (either due to a data breach or in any other manner) and used to make unauthorized access of the consumer’s account, the financial institution shall be liable to the consumer for the full amount of any damages resulting from such unauthorized access.’’
    • Requires preemption. The draft bill will preempt state privacy laws to create a national standard.

    The draft bill was introduced days after the House Subcommittee on Consumer Protection and Commerce heard testimony from consumer advocates and industry representatives on the recently proposed bipartisan American Data Privacy and Protection Act (covered by a Buckley Special Alert here).

    Federal Issues Privacy/Cyber Risk & Data Security Federal Legislation Gramm-Leach-Bliley Consumer Protection

    Share page with AddThis
  • CFPB to look at late fees on cards

    Agency Rule-Making & Guidance

    On June 22, the CFPB issued an Advance Notice of Proposed Rulemaking (ANPRM) soliciting information from credit card issuers, consumer groups, and the public regarding credit card late fees and late payments, and card issuers’ revenue and expenses. Under the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act) rules inherited by the CFPB from the Federal Reserve, credit card late fees must be “reasonable and proportional” to the costs incurred by the issuer as a result of a late payment. However, the rules provide for a safe harbor limit that allows banks to charge certain fees, adjusted for inflation, regardless of the costs incurred. Calling the current credit card late fees “excessive,” the Bureau stated it intends to review the “immunity provision” to understand how banks that rely on this safe harbor set their fees and to examine whether banks are escaping enforcement scrutiny “if they set fees at a particular level, even if the fees were not necessary to deter a late payment and generated excess profits.”

    In 2010, the Federal Reserve Board approved implementing regulations for the CARD Act that allowed credit card issuers to charge a maximum late fee, plus an additional fee for each late payment within the next six billing cycles (subject to an annual inflation adjustment). As the CFPB reported, the safe harbor limits are currently set at $30 and $41 respectively. The CFPB pointed out that in 2020, credit card companies charged $12 billion in late fee penalties. “Credit card late fees are big revenue generators for card issuers. We want to know how the card issuers determine these fees and whether existing rules are undermining the reforms enacted by Congress over a decade ago,” CFPB Director Rohit Chopra said. Chopra issued a separate statement on the same day discussing the current credit card market, questioning whether it is appropriate for card issuers to receive enforcement immunity if they hike the cost of credit card late fees each year by the rate of inflation. “Do the costs to process late payments really increase with inflation? Or is it more reasonable to expect that costs are going down with further advancements in technology every year?” he asked.

    Among other things, the ANPRM requests information relevant to certain CARD Act and Regulation Z provisions related to credit card late fees to “determine whether adjustments are needed.” The CFPB’s areas of inquiry include: (i) factors used by card issuers to determine late fee amounts and how the fee relates to the statement balance; (ii) whether revenue goals play a role in card issuers’ determination of late fees; (iii) what the costs and losses associated with late payments are for card issuers; (iv) the deterrent effects of late fees and whether other consequences are imposed when payments are late; (v) methods used by card issuers to facilitate or encourage timely payments such as autopay and notifications; (vi) how late are most cardholders’ late payments; and (vii) card issuers’ annual revenue and expenses related to their domestic consumer credit card operations. The Bureau stated that public input will inform revisions to Regulation Z, which implements the CARD Act and TILA. Comments on the ANPRM are due July 22.

    The ANPRM follows a June 17 Bureau blog post announcing the agency’s intention to review a “host of rules” inherited from other agencies such as the FTC and the Federal Reserve, including the CARD Act. (Covered by InfoBytes here.)

    Agency Rule-Making & Guidance Federal Issues Bank Regulatory CFPB Consumer Finance Federal Reserve CARD Act Regulation Z Fees Credit Cards

    Share page with AddThis
  • CFPB issues final rule re: credit reporting on human trafficking victims

    Agency Rule-Making & Guidance

    On June 23, the CFPB issued a final rule implementing amendments to the FCRA intended to assist victims of human trafficking. According to the Bureau’s announcement, the final rule prohibits credit reporting agencies (CRAs) from providing reports containing any adverse items of information resulting from human trafficking. The final rule amends Regulation V to implement changes to the FCRA enacted in December 2021 in the “Debt Bondage Repair Act,” which was included within the National Defense Authorization Act for Fiscal Year 2022. (Covered by InfoBytes here.)

    Among other things, the final rule establishes methods available for trafficking victims to submit documentation to CRAs establishing that they are a survivor of trafficking (including “determinations made by a wide range of entities, self-attestations signed or certified by certain government entities or their delegates, and documents filed in a court where a central issue is whether the person is a victim of trafficking”). The final rule also requires CRAs to block adverse information in consumer reports after receiving such documentation and ensure survivors’ credit information is reported fairly. CRAs will have four business days to block adverse information once it is reported and 25 business days to make a final determination as to the completeness of the documentation. All CRAs, regardless of reach or scope, must comply with the final rule, including both nationwide credit reporting companies and specialty credit reporting companies.

    The final rule takes July 25.

    Agency Rule-Making & Guidance Federal Issues CFPB Consumer Finance Credit Report Credit Reporting Agency FCRA Regulation V

    Share page with AddThis
  • Special Alert: House subcommittee hears testimony on privacy bill

    Privacy, Cyber Risk & Data Security

    The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data Privacy and Protection Act (ADPPA).

    The bipartisan initiative faces new headwinds following June 22 remarks by Senate Commerce Chair Maria Cantwell (D-WA), who cited “major enforcement holes” in the legislation on preemption issues — but expressed hope that the sponsors could offer revisions. 

    Privacy/Cyber Risk & Data Security Federal Issues Special Alerts Federal Legislation Consumer Protection FTC House Subcommittee on Consumer Protection and Commerce

    Share page with AddThis
  • FDIC issues a proposed rule on assessments, revised deposit insurance assessment rates

    On June 21, the FDIC Board of Directors issued a notice of proposed rulemaking to increase deposit insurance assessment rates by 2 basis points for all insured depository institutions to increase the likelihood that the reserve ratio of the Deposit Insurance Fund (DIF) reaches the statutory minimum of 1.35 percent by September 2028, the statutory deadline. In September 2020, the FDIC adopted a DIF restoration plan to restore the reserve ratio to at least 1.35 percent by September 2028. However, according to the press release, insured deposits continued to grow and, as of March 31, the reserve ratio declined by 4 basis points to 1.23 percent. The FDIC also adopted on June 21 an Amended Restoration Plan, incorporating the increase in assessment rates to provide a buffer to ensure that the DIF achieves the 2028 target and accelerate capitalization of the fund toward the long-term 2 percent goal. In a memorandum providing an update on the restoration plan to the Board of Directors, the FDIC stated that “for the industry as a whole, staff estimate that the estimated annual increase in assessments would average 1% of income, which includes an average of 0.9% for small banks and an average of 1% percent for large and highly complex institutions.” The FDIC also released a Fact Sheet on the DIF, which provides information on the amended restoration plan and notice of proposed rulemaking on assessments and revised deposit insurance assessment rate. The FDIC released a statement regarding the DIF Restoration Plan to incorporate a uniform increase in initial base deposit insurance assessment rates of 2 basis points and to accelerate the time for the reserve ratio to reach the statutory minimum, stating that it “would allow the banking industry to remain a source of strength for the economy during a potential future downturn, and would promote public confidence in federal deposit insurance.” CFPB Director Rohit Chopra released a statement expressing his support for the Amended Plan and proposed increase, referring to these as “important short-term actions.” Chopra also expressed support for the Board to, in the long term, “explore a new mechanism to automatically adjust premiums upward and downward based on economic conditions, rather than relying on ad-hoc actions.” Comments are due by August 20.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC CFPB Deposit Insurance

    Share page with AddThis
  • CFPB shares consumer finance data

    Federal Issues

    On June 15, CFPB Deputy Director Zixta Martinez spoke before the Consumer Federation of America’s 2022 Consumer Assembly addressing recent research by the Bureau on payday loans, rent-a-bank schemes, overdraft and other banking fees, medical debt, and credit reporting. In her remarks, Martinez first discussed the Bureau’s report on consumer use of state payday loan extended payment plans, which she noted is “the first significant piece of research into extended payment plans” (covered by InfoBytes here). She assured advocates raising concerns about “rent-a-banks” that the Bureau shares those concerns and is focused on this issue. Turning to overdraft and other banking fees, Martinez described overdraft programs as “more like a maze than a service,” which often result in complicated charges being imposed on families who can least afford them, driving them into deeper debt. She pointed to the Bureau’s desire “to move toward a market that works for families and honest financial institutions alike,” recognizing positive shifts made by big banks towards reducing or eliminating such fees as well as the Bureau’s commitment to “returning vigorous competition to this market." Finally, Martinez addressed medical debt, noting that many of the “approximately 43 million Americans with $88 billion in allegedly unpaid medical bills on their credit reports” are trapped in a “bureaucratic doom-loop comprised of the healthcare, insurance, debt collection, and credit reporting industries.” To address this issue, Martinez explained that the Bureau is working broadly across the government and with the non-profit sector to ensure that medical debt does not impact job security, housing, or qualification for affordable credit, and is considering whether it is appropriate for such debt to be included on credit reports at all.

    Federal Issues CFPB Consumer Finance Medical Debt Overdraft

    Share page with AddThis
  • FTC issues report to Congress on use of AI

    Privacy, Cyber Risk & Data Security

    On June 16, the FTC issued a report to Congress regarding the use of artificial intelligence (AI), warning that policymakers should use caution when relying on AI to combat the spread of harmful online conduct. In the 2021 Appropriations Act, Congress directed the FTC to study and report on whether and how AI “may be used to identify, remove, or take any other appropriate action necessary to address” a wide variety of specified “online harms,” referring specifically to content that is deceptive, fraudulent, manipulated, or illegal. The report suggests that adoption of AI could be problematic, as AI tools can be biased, discriminatory, or inaccurate, and could rely on invasive forms of surveillance. To avoid introducing these additional harms, the report suggests lawmakers instead focus on developing legal frameworks to ensure no additional harm is caused by AI tools used by major technology platforms and others. The report further suggests that Congress, regulators, platforms, scientists, and others focus their attention on creating frameworks to address the following related considerations, among others: (i) the need for human intervention in connection with monitoring the use and decisions of AI tools intended to address harmful content; (ii) the need for meaningful transparency, “which includes the need for it to be explainable and contestable, especially when people’s rights are involved or when personal data is being collected or used”; and (iii) the need for accountability with respect to the data practices and results of the use of AI tools by platforms and other companies. Other recommendations include use of authentication tools, responsible use of inputs and outputs by data scientist, and using interventions, such as tools that slow the viral spread or otherwise limit the impact of certain harmful content.

    The Commission voted 4-1 at an open meeting to send the report to Congress. Commissioner Noah Joshua Phillips issued a dissenting statement, finding that the report provides “short shrift to how and why AI is being used to combat the online harms identified by Congress,” and instead “reads as a general indictment of the technology itself.”

    Privacy/Cyber Risk & Data Security Federal Issues FTC Artificial Intelligence Congress

    Share page with AddThis
  • FDIC updates Consumer Compliance Examination Manual’s UDAAP provisions

    On June 17, the FDIC announced updates to its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff when evaluating financial institutions’ compliance with federal consumer protection laws and regulations. The June update modifies Section VII Unfair, Deceptive, or Abusive Acts or Practices to reflect the FDIC’s existing supervisory authority regarding UDAP and UDAAP under Section 5 of the FTC Act, and Sections 1031 and 1036 of the Dodd-Frank Act, respectively. Among other updates, the new Section VII changes language related to the Equal Credit Opportunity Act and Fair Housing Act to add a reference to Dodd-Frank UDAAP provisions. The updated section provides the following:

    ECOA prohibits discrimination in any aspect of a credit transaction against persons on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has the capacity to contract), the fact that an applicant’s income derives from any public assistance program, and the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The FHA prohibits creditors involved in residential real estate transactions from discriminating against any person on the basis of race, color, religion, sex, handicap, familial status, or national origin. FTC UDAPs and Dodd-Frank UDAAPs that target or have a disparate impact on consumers in one of these prohibited basis groups may violate the ECOA or the FHA, as well as the FTC Act or the Dodd-Frank Act. Moreover, some state and local laws address discrimination against additional protected classes, e.g., handicap in non-housing transactions, or sexual orientation. Such conduct may also violate the FTC Act or the Dodd-Frank Act.

    With respect to the legal standards for “unfair” and “deceptive” under the FTC Act and Dodd-Frank, Section VII notes that these standards are “substantially similar.”

    Bank Regulatory Federal Issues FDIC Examination UDAAP UDAP Compliance FTC Act Dodd-Frank Fair Lending Discrimination ECOA Fair Housing Act

    Share page with AddThis
  • OCC announces disaster relief guidance

    On June 15, the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices affected by flooding in Montana “for as long as deemed necessary for bank operation or public safety.” The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close, and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.

    Bank Regulatory Federal Issues Disaster Relief OCC Consumer Finance

    Share page with AddThis
  • CFPB revising its rulemaking approach

    Federal Issues

    On June 17, CFPB Director Rohit Chopra announced in a blog post that the agency plans to move away from overly complicated and tailored rules. “Complexity creates unintended loopholes, but it also gives companies the ability to claim there is a loophole with creative lawyering,” Chopra said. The Bureau’s plan to implement simple, durable bright-line guidance and rules will better communicate the agency’s expectations and will provide numerous other benefits, he added.

    With regards to traditional rulemaking, the Bureau outlined several priorities, which include focusing on implementing longstanding Congressional directives related to consumer access to financial records, increased transparency in the small business lending marketplace, and quality control standards for automated valuation models under Sections 1033, 1071, and 1473(q) of the Dodd-Frank Act. Additionally, the Bureau stated it will assess whether it should use Congressional authority to register certain nonbank financial companies to identify potential violators of federal consumer financial laws.

    Chopra also announced that the Bureau is reviewing a “host of rules” that it inherited from other agencies such as the FTC and the Federal Reserve. “Many of these rules have now been tested in the marketplace for many years and are in need of a fresh look,” Chopra said. Specifically, the Bureau will (i) review rules originated by the Fed under the 2009 Credit CARD Act (including areas related to “enforcement immunity and inflation provisions when imposing penalties on customers”); (ii) review rules inherited from the FTC for implementing the FCRA to identify possible enhancements and changes in business practices; and (iii) review its own Qualified Mortgage Rules to assess aspects of the “seasoning provisions” (covered by a Buckley Special Alert) and explore ways “to spur streamlined modification and refinancing in the mortgage market.”

    The Bureau noted that it also plans to increase its interpretation of existing laws through its Advisory Opinion program and will continue to issue Consumer Financial Protection Circulars to provide additional clarity and encourage consistent enforcement of consumer financial laws among government agencies (covered by InfoBytes here and here).

    Federal Issues Bank Regulatory CFPB Consumer Finance FTC Federal Reserve Agency Rule-Making & Guidance CARD Act Consumer Reporting Agency Qualified Mortgage Dodd-Frank Nonbank FCRA AVMs Mortgages Credit Cards

    Share page with AddThis

Pages