InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fed asks for comments on publicizing FRB master accountholders
On November 4, the Federal Reserve Board issued a notice and request for comment seeking feedback on proposed amendments to its Guidelines for Evaluating Account and Services Requests. Specifically, the proposed amendments would require the Federal Reserve Banks to publish a periodic list of depository institutions that have access to Reserve Bank accounts (often known as “master accounts”) and payment services. In August, the Fed adopted final guidance establishing “a transparent, risk-based, and consistent set of factors for Reserve Banks to use in reviewing requests to access these accounts and payment services.” Recognizing that the longstanding practice of both the Fed and the Reserve Banks “has been to not disclose account-related information to the general public on the basis that such information is considered confidential business information,” the Fed said it is considering “the potential benefits of expanding the disclosure of the names of institutions that have access to accounts and services” following comments received from stakeholders that called for greater public disclosure of account-related information. Comments are due 60 days after publication in the Federal Register.
FDIC’s Gruenberg discusses CRA rulemaking
On November 2, FDIC acting Chairman Martin J. Gruenberg delivered remarks before the National Association of Affordable Housing Lenders to address ongoing Community Reinvestment Act (CRA) rulemaking, the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households, and challenges from nonbank payment services. In his remarks, Gruenberg referenced the pending notice of proposed rulemaking (NPR) on the CRA issued in May by the FDIC, OCC, and the Federal Reserve Board (collectively, “agencies”). As previously covered by InfoBytes, the NPR would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. Gruenberg stated that the agencies are committed to strengthening the law’s impact and “increasing transparency and predictability in its application,” and said the FDIC is currently reviewing approximately 1,000 unique comments received in response to the NPR. Gruenberg also discussed the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households. According to the biennial survey, an estimated 4.5 percent of U.S. households (representing 5.9 million households) lack a bank or credit union account, the lowest national unbanked rate since the FDIC survey began in 2009 (covered by InfoBytes here). Gruenberg noted that the survey found that the rate of unbanked households decreased consistently over the past decade, from 8.2 percent in 2011 to 4.5 percent in 2021. He also said that the survey indicated that 14.1 percent of households were underbanked, although demand for several nonbank products and services decreased. Gruenberg further commented that the survey revealed regulatory challenges in light of the array of options available to consumers, specifically nonbank online payment services. He explained that though “banked households were significantly more likely to use nonbank online payments services than unbanked households, the most common use cases were quite different between the two groups. Banked households most commonly reported that they used these services primarily to send or receive money from family or friends and to make online purchases, as a complement to a bank account. In contrast, the most common use cases among unbanked households revealed that they were using these services as they might otherwise have used bank accounts: paying bills, receiving income and as a vehicle to save or keep money safe.”
FTC fines ISP $100 million for dark patterns and junk fees
On November 3, the FTC announced an action against an internet phone service provider claiming the company imposed “junk fees” and made it difficult for consumers to cancel their services. The FTC alleged in its complaint that the company violated the FTC Act and the Restore Online Shoppers’ Confidence Act by imposing a series of obstacles, sometimes referred to as “dark patterns”, to deter and prevent consumers from canceling their services or stopping recurring charges. Consumers who were able to sign up for services online were allegedly forced to speak to a live “retention agent” on the phone during limited working hours in order to cancel their services. The company also allegedly employed a “panoply of hurdles” to cancelling consumers by, among other things, making it difficult for the consumer to locate the phone number on the website, obscuring contact information, failing to consistently transfer consumers to the appropriate number, imposing lengthy wait times, holding reduced operating hours for the cancellation line, and failing to provide promised callbacks. Additionally, the FTC claimed the company often informed consumers they would have to pay an early termination fee (sometimes hundreds of dollars) that was not clearly disclosed when they signed up for the services, and continued to illegally charge consumers without consent even after they requested cancellation. According to the FTC, consumers who complained often only received partial refunds.
Under the terms of the proposed stipulated order, the company will be required to take several measures, including (i) obtaining consumers’ express, informed consent to charge them for services; (ii) simplifying the cancellation process to ensure it is easy to find and use and is available through the same method the consumer used to enroll; (iii) ending the use of dark patterns to impede consumers’ cancellation efforts; and (iv) being transparent about the terms of any negative option subscription plans, including providing required disclosures as well as a simple mechanism for consumers to cancel the feature. The company will also be required to pay $100 million in monetary relief.
Republican senators oppose FTC’s ANPR on data privacy and security
On November 3, three Republican Senators sent a letter to FTC Chair Lina Khan expressing their opposition to the FTC’s Advanced Notice of Proposed Rulemaking (ANPR) for the Trade Regulation Rule on Commercial Surveillance and Data Security. As previously covered by InfoBytes, in August the FTC announced the ANPR covering a wide range of concerns about commercial surveillance practices, specifically related to the business of collecting, analyzing, and profiting from information about individuals. In the letter, the Senators argued that both consumers and businesses would benefit if Congress enacted comprehensive federal legislation addressing data privacy. According to the Senators, the FTC “lacks the authority to create preemptive standards” and the proposed rulemaking “would only add uncertainty and confusion to an already complicated regulatory landscape, increasing compliance costs, reducing competition, and ultimately harming consumers.” The Senators requested that the FTC withdraw its rulemaking proposal, explaining that “[c]onsumer data privacy and security are complex issues which will require standards that are robust, adaptive, and can balance the interests of consumers with the needs of businesses.” The Senators noted that they believe “that this balance can only be struck within federal legislation that is comprehensive and preemptive, such that the law creates a single national standard.”
FTC takes action against ed tech provider for lax data security
On October 31, the FTC announced an administrative action against an education technology (ed tech) provider claiming that the company’s allegedly poor data security practices exposed millions of users and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. According to the FTC’s complaint, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Less than a year later, another data breach involved a former employee using login information the company shared with employees and outside contractors to gain access to a third-party cloud database containing personal data for roughly 40 million users. In the following two years, the company experienced two more data breaches through phishing attacks that exposed sensitive employee data, including medical and financial information. Claiming violations of Section 5(a) of the FTC Act, the Commission alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.
Under the terms of the proposed decision and order, the company would be required to take several measures to address the alleged conduct, including (i) documenting and limiting data collection; (ii) providing users access to collected data and allowing them to submit requests for deletion; (iii) implementing multifactor authentication or another authentication method to protect user and employee accounts; and (iv) implementing a comprehensive information security program that would encrypt consumer data and provide security training to employees, among other things.
This action is part of the FTC’s ongoing efforts to make sure ed tech providers protect and secure personal data they collect and do not collect more information than necessary. As previously covered by InfoBytes, the FTC issued a policy statement in May warning ed tech providers that they must fully comply with all provisions of the Children’s Online Privacy Protection Act when gathering data about children. The FTC emphasized that ed tech providers may not harvest or monetize children’s data, cannot force children to disclose more information than is reasonably necessary for participating in their educational services, and must have procedures in place to keep the data secure, among other things.
VA proposes amendments to IRRRL requirements
On November 1, the Department of Veterans Affairs (VA) published a proposed rule in the Federal Register, which would amend the agency’s rules on VA-backed interest rate reduction refinancing loans (IRRRLs). Specifically, the proposed amendments would update existing VA IRRRL regulations to meet current statutory requirements for determining whether the agency can guarantee or insure a refinance loan. The amendments would modify current regulations to reflect requirements related to, among other things, net tangible benefit, recoupment, and seasoning standards. Additionally, due to confusion among program participants, VA is proposing clarifications to minimize the risk of lender noncompliance, thereby safeguarding veterans, easing lender concerns, reducing potential instability in the secondary loan market, and insulating taxpayers from unnecessary financial risk. Comments on the proposed rule are due January 3, 2023.
FHFA to host “tech sprints” on housing finance fintech solutions
On November 2, FHFA published a notice in the Federal Register announcing plans to hold a series of competitions called “Tech Sprints” to solicit innovative solutions on ways to advance housing finance fintech in a safe, sound, responsible, and equitable manner. Recognizing the significant effects that regulated entities’ potential use of fintech products and innovations could have on the mortgage market and market participants, FHFA said it wants to gather information about new and emerging technologies that may have applications in the mortgage space. Two tech sprints are planned each year over the next three years, with participation expected from housing finance industry members as well as other industries, such as tech companies, mortgage companies, academia, industry groups, and other members of the public. FHFA is accepting comments through January 3, 2023, on the necessity of the information collection, the burden of such collection, and ways to minimize the burden on members and project sponsors when providing information on ways to enhance the quality, utility, and clarity of the information collected from the Tech Sprints.
CFPB provides update on student loan borrowers
On November 2, the CFPB’s Office of Research released an update showing that student loan borrowers are increasingly likely to struggle to make monthly payments when federal Covid-19 payment suspensions end in January 2023. The findings follow a report issued in April discussing the credit health of student loan borrowers during the pandemic (covered by InfoBytes here). According to the April report, researchers found that borrowers most at risk when payment suspension ends include those who are 30 to 49 years of age and who live in low-income, high-minority census tracts. However, the Bureau pointed out that since the report was released, inflation has risen and delinquencies and balances have increased for consumers across credit products—both of which may contribute to potential payment challenges for borrowers. The Bureau also noted that during this time, payment suspensions were extended through the end of 2022, and President Biden announced a student debt cancellation plan to reduce payment burdens for many borrowers and completely eliminate loans for others (covered by InfoBytes here).
The Bureau’s recent findings examined data from its Consumer Credit Panel (a deidentified sample of credit records from one of the nationwide consumer reporting agencies) on consumers who are expected to resume scheduled loan payments at the end of the suspension. Findings show, among other things, that (i) an increasing number of borrowers are 60 days or more past due on a non-student-loan credit account since mid-2021; (ii) monthly payments across credit products aside from student loans have increased; and (iii) since the April report, delinquencies on non-student-loan products have risen further, with an overall increase in the number of borrowers (5.1 million to 5.5 million) who meet two or more potential risk factors that indicate a borrower may struggle when the payment suspensions end. These risk factors are: “pre-pandemic delinquencies on student loans, pre-pandemic payment assistance on student loans, multiple student loan servicers, delinquencies on other credit products since the start of the pandemic, and new non-medical collections during the pandemic.” The Bureau noted, however, that as many as one-third of borrowers with two or more risk factors may have their balances completely canceled under the student debt cancellation plan, so “despite worsening credit outcomes overall, the cancellation of some student loan debt means that fewer student loan borrowers are likely to be at risk of payment difficulties when federal student loan payments resume in January 2023 than they otherwise would be.”
Chopra says CFPB is examining industry standard settings
On November 2, CFPB Director Rohit Chopra delivered prepared remarks before a public meeting of the Bureau’s Consumer Advisory Board briefly touching upon on several topics related to the Buy Now Pay Later market, big tech and data collection, peer-to-peer payment platforms, and Section 1033 rulemaking concerning consumers’ rights to their personal financial data. Notably, Chopra raised an area of discussion concerning industry standard-setting organizations and providers of critical infrastructure. Recognizing that private organizations play a major role in setting standards across sectors of the economy, Chopra emphasized that “[d]ecentralized, open banking will likely rely on fair standard-setting, through an amalgam of legally binding rules and industry developed standards.” He warned though that it “can be difficult to achieve fair standard-setting, since incumbents will have a strong economic interest when it comes to protecting their turf.” Chopra pointed to the telecommunications and health care industries as areas where private organizations “are not neutral, but are instead owned or governed by certain market participants” and where other players may also integrate a function akin to a lobbying or trade association. Explaining that the Bureau has been devoting a lot of time to this space, Chopra said the agency is gathering insights into other countries’ experiences, such as the UK’s Open Banking Implementation Entity (which was established to provide critical services and infrastructure), as well as domestic developments. He stated the Bureau will develop rulemaking with a practical mindset of how requirements would be operationalized in the market.
CISA releases new cybersecurity performance goals
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released a new report outlining baseline cross-sector cybersecurity performance goals (CPGs) for all critical infrastructure sectors. The report follows a July 2021 national security memorandum issued by President Biden, which required CISA to coordinate with the National Institute of Standards and Technology (NIST) and the interagency community to create fundamental cybersecurity practices for critical infrastructure, primarily to help small- and medium-sized organizations improve their cybersecurity efforts. The CPGs were informed by existing cybersecurity frameworks and guidance, as well as real-world threats and adversary tactics, techniques, and procedures observed by the agency and its partners. CISA noted in the report that the CPGs are not comprehensive but instead “represent a minimum baseline of cybersecurity practices with known risk-reduction value broadly applicable across all sectors, and will be followed by sector-specific goals that dive deeper into the unique constraints, threats, and maturity of each sector where applicable.” Organizations may choose to voluntarily adopt the CPGs in conjunction with broader frameworks like the NIST Cybersecurity Framework. “The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques,” CISA said in its announcement.