
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC hosts forum on commercial surveillance and lax data security practices

    Federal Issues

    On September 8, the FTC hosted a forum regarding its Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices. As previously covered by InfoBytes, the ANPR was issued in August to solicit public comment on “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR noted that there is increasing evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms. The forum featured remarks by FTC Chair Lina M. Khan, Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, as well as a staff presentation, two panel discussions, and comments from the public. Chair Khan noted in her remarks that the discussion and comments at the forum will be critical in determining the evidentiary basis for proceeding with a rulemaking and whether legal requirements needed for crafting any particular type of rule are met. However, some observers expressed concern that the FTC’s ANPR could undermine efforts to pass federal privacy legislation. Slaughter noted in her remarks that she “support[s] strong federal privacy legislation, but until there’s a law on the books, the commission has a duty to use all the tools we have to investigate and address unlawful behavior in the market.” Commissioners Slaughter and Bedoya also expressed the need for public engagement to understand commercial surveillance.

    The first panel focused on industry perspectives on commercial surveillance and data security. When asked about some of the best practices or potential business models developed by businesses to mitigate consumer harm and protect data, a panelist noted that there are many approaches underway, but the guiding principle is that the process of documentation supports transparency by prompting processes and critical thinking of each step in the mission learning lifecycle. One panelist expressed concerns about businesses tracking personal data, stating that because retailers collect information about their customers when they make purchases online and may recommend related offerings, regulators “should not interfere with these direct relationships.” Another panelist warned against treating all data collection and processes equally, stressing that the FTC should use its enforcement tools against third parties.

    The second panel featured consumer advocates discussing interests, concerns, risks, and harms related to commercial surveillance, in addition to mitigating consumer harms and protecting data. The advocates noted, among other things, that the FTC should impose heightened safeguards on sensitive data, such as precise location records and information associated with children. Additionally, the panelists advocated for establishing a regulation and broadening the FTC’s Section 5 unfairness authority that limits widescale tracking. Specifically, one panelist discussed how the FTC should approach a data minimization rule under Section 5, recommending that such a rule should ban secondary use and third-party disclosures. In regard to combating discrimination through data collection and advertising, a panelist noted that shifting data protection responsibilities from individuals onto companies could play an important part to ensure that data-driven algorithms that deliver ads or content are not discriminating against consumers.

    Federal Issues Agency Rule-Making & Guidance Privacy, Cyber Risk & Data Security FTC Advertisement Endorsements Consumer Protection

  • Senate Democrats urge CFPB for guidance on P2P apps

    Federal Issues

    On September 1, five Senate Democrats sent a letter to CFPB Director Rohit Chopra urging the Bureau to issue guidance to provide better tools to protect older Americans and their families from the increased prevalence of P2P fraud. The letter discussed that, according to the FTC, P2P apps are used by scammers because “the ease with which consumers may make payments to individuals they have never met on P2P platforms facilitates quick purchasing decisions.” The FTC also found that older adults are increasingly using payment apps or services, noting that P2P-related complaints received by the FTC tripled from 2019 to 2020, and older adults reported $10 million in losses associated with complaints related to payment apps and services in 2020 alone. The letter concluded that the CFPB should “move forward with the guidance under consideration, keeping in mind the disproportionate effect that frauds and scams have on communities of color and people with Limited English Proficiency.”

    Federal Issues U.S. Senate CFPB Elder Financial Exploitation Peer-to-Peer Electronic Payments Consumer Finance

  • CFPB reports on nursing home debt collection

    Federal Issues

    On September 8, the CFPB released an Issue Spotlight on nursing home debt collection, which focuses on the risk of financial harm that nursing homes and their debt collectors cause by attempting to collect invalid debts. The report, conducted by the Bureau’s Office of Financial Protection for Older Americans, analyzes consumer complaints, nursing home admission contracts, and debt collection lawsuits to assess risks to nursing home residents and their caregivers. In particular, the report found that many facilities include clauses in admission contracts that require caregivers to be a “responsible party” for the resident’s costs of care, or that otherwise subject the caregiver to financial liability should the admitted resident incur a debt. The report also found that nursing home residents stay for significant amounts of time, the average nursing home stay among residents being 1 year and 4 months, and that most older adults are not insured against the costs of long-term care. According to a statement by CFPB Director Rohit Chopra, he expects the "Office for Older Americans will emerge as a key pillar within the policymaking and law enforcement community on financial issues faced by older adults and their caregivers."

    The same day, the CFPB released Circular 2022-05, which asks the question: “Can debt collection and consumer reporting practices relating to nursing home debts that are invalid under the Nursing Home Reform Act [(NHRA)] violate the Fair Debt Collection Practices Act (FDCPA) and Fair Credit Reporting Act (FCRA)?” The Circular explained, though the Bureau does not enforce the NHRA, that the NHRA prohibits a nursing facility from conditioning a resident’s admission or continued stay on receiving a guarantee of payment from a third party, such as a relative or friend. The Circular also highlighted certain practices related to the collection of nursing home debts that are invalid under the NHRA and its implementing regulation that also violate the FDCPA and FCRA. The Bureau also issued a joint letter with the Centers for Medicare & Medicaid Services to nursing facilities and debt collectors reminding them of their responsibilities under the NHRA, FDCPA, and FCRA.

    Federal Issues Elder Financial Exploitation Debt Collection CFPB Consumer Finance FCRA FDCPA

  • OCC issues expectations for protecting non-public information

    On September 7, the OCC issued Bulletin 2022-21, Information Security: Expectations for Protecting Non-public OCC Information on Institution- or Other Non-OCC-Owned or Managed Video Teleconferencing Services, outlining its expectations for protecting non-public OCC information shared on video teleconferencing services that are operated or managed by an institution or any other party. The OCC reiterated that banks and other parties in possession of such information are prohibited from disclosure without the agency’s prior approval, except under certain limited circumstances. Further, the prohibition extends to the disclosure of information displayed, processed, stored, or transmitted by information systems, including video teleconferencing services. The Bulletin states that non-public OCC information is the property of the OCC and includes, among other things: (i) “OCC reports of examination, including ratings such as CAMELS and the Uniform Rating System for Information Technology ratings”; (ii) “supervisory correspondence”; (iii) “institution responses to supervisory correspondence”; (iv) “investigatory files”; and (v) “certain enforcement-related information, including matters requiring attention.” The OCC also listed several security expectations for any videoconference in which non-public OCC information will be communicated, which include using an encrypted connection, moderating the meetings, making no recordings or transcriptions, and ensuring the videoconference service is securely configured and routinely patched to protect against cyber intrusion and data loss.

    Bank Regulatory Federal Issues OCC Agency Rule-Making & Guidance Supervision Privacy, Cyber Risk & Data Security

  • Fed vice chair for supervision outlines future priorities

    On September 7, Federal Reserve Board Vice Chair for Supervision Michael Barr laid out his goals for making the financial system safer and fairer during a speech at the Brookings Institution, highlighting priorities related to risk-focused capital frameworks and bank resiliency, mergers and acquisitions, digital assets and stablecoins, climate-related financial risks, innovation, and Community Reinvestment Act modernization plans. Addressing issues related to resolvability, Barr signaled that the Fed would begin “looking at the resolvability of some of the other largest banks [in addition to globally systemically important banks] as they grow and as their significance in the financial system increases.” With respect to bank mergers, Barr commented that “the advantages that firms seek to gain through mergers must be weighed against the risks that mergers can pose to competition, consumers and financial stability.” He said he plans to work with Fed staff to assess how the agency performs merger analysis and whether there are areas for improvement. Barr also discussed financial stability risks posed by new forms of private money created through stablecoins and stressed that Congress should work quickly to enact legislation for bringing stablecoins (especially those intended to serve as a means of payment) within the prudential regulatory perimeter. He added that the Fed plans to make sure that the crypto activity of supervised banks “is subject to the necessary safeguards that protect the safety of the banking system as well as bank customers,” and said “[b]anks engaged in crypto-related activities need to have appropriate measures in place to manage novel risks associated with those activities and to ensure compliance with all relevant laws, including those related to money laundering.” 

    Bank Regulatory Federal Issues Digital Assets Federal Reserve Bank Mergers Fintech Climate-Related Financial Risks CRA Financial Crimes Anti-Money Laundering Of Interest to Non-US Persons Supervision

  • Hsu focusing on fintech partnerships, crypto activities

    On September 7, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the TCH + BPI Annual Conference in New York where he provided an update on agency priorities related to “guarding against complacency, addressing inequality, adapting to digitalization, and managing climate-related risk.” Among other things, Hsu’s prepared remarks highlighted the fact that while the banking industry needs to adapt to digitalization, it is important to maintain a “careful and cautious” approach to cryptocurrency activities. He referred to OCC Interpretive Letter 1179 (covered by InfoBytes here), which clarifies that national banks and federal savings associations should not engage in certain crypto activities unless they are able to “demonstrate, to the satisfaction of its supervisory office, that [they have] controls in place to conduct the activity in a safe and sound manner.” Hsu further noted in his remarks that the regulators’ careful and cautious approach helps explain, at least in part, why the federally-regulated banking system has been largely unaffected by the recent failure of several crypto platforms.

    Hsu also stressed the need to develop a better understanding of bank-fintech arrangements, stressing that these partnerships are growing at an exponential rate and are becoming more complicated. While “[t]echnological advances can offer greater efficiencies to banks and their customers[,] [t]he benefit of those efficiencies… are lost if a bank does not have an effective risk management framework, and the effect of substantial deficiencies can be devastating,” Hsu said. He added that the OCC is “currently working on a process to subdivide bank-fintech arrangements into cohorts with similar safety and soundness risk profiles and attributes” to “enable a clearer focus on risks and risk management expectations,” and stated that the agency is coordinating with other regulators to make sure there is “a shared understanding of how the financial system is evolving and that regulatory arbitrage and races to the bottom are minimized.” During his speech, Hsu also touched upon topics related to climate-related risks, economic inequality and structural barriers to financial inclusion, and the importance of maintaining strong risk management discipline.

    Bank Regulatory Federal Issues Digital Assets Fintech OCC Cryptocurrency Risk Management

  • OCC releases strategic plan

    On September 6, the OCC released its draft FY 2023-2027 strategic plan, which focuses on “the agency’s approach to achieve three strategic goals and fulfill its mission to ensure that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulations.” The OCC noted that it will invest in its people, operations, processes, and technology to meet strategic goals for FY 2023-2027 that focus on (i) agility and learning; (ii) credibility and trust; and (iii) leading on supervision in an evolving banking system. Other priorities outlined in the strategic plan include promoting an organizational culture that seeks workforce diversity inclusive of thought, experiences, and knowledge, bringing multiple perspectives on issues, and enhancing an adaptive mindset and culture of continuous learning. The OCC noted that the strategic plan will promote the strengthening and modernizing of community banks, with a focus on small businesses and underserved communities. In particular, the plan directs the agency to develop guidance and outreach to facilitate community banks’ digital transition, minimize the regulatory burden on banks as much as possible, and facilitate de novo community bank activity to reach unbanked and underbanked customers.

    Bank Regulatory Federal Issues OCC Community Banks

  • OCC orders bank to improve oversight of fintech partnerships

    Recently, a national bank disclosed an agreement reached with the OCC that requires the bank to improve its oversight and management of third-party fintech partnerships. According to an SEC filing, the OCC found unsafe or unsound practices related to the bank’s third-party risk management, Bank Secrecy Act (BSA)/anti-money laundering risk management, suspicious activity reporting, and information technology control and risk governance. Under the terms of the agreement, the bank must, within 10 days of the agreement, appoint a compliance committee comprised mostly of members from outside the bank to meet at least quarterly and provide progress reports outlining the results and status of the mandated corrective actions. Within 60 days of the agreement, the bank must also adopt and implement guidelines for assessing risks posed by third-party fintech partnerships and address how the bank “identifies and assesses the inherent risks of the products, services, and activities performed by the third-parties, including but not limited to BSA, compliance, operational, liquidity, counterparty and credit risk as applicable.” Additionally, the bank must establish criteria for its board of directors' review and approval of third-party fintech relationship partners, as well as how it will assess “BSA risk for each third-party fintech relationship partner, including risk associated with money laundering, terrorist financing, and sanctions risk as well as the third-party’s processes for mitigating such risks and complying with applicable laws and regulations.” The agreement also requires due diligence, monitoring, and contingency plan measures.

    The agreement further stipulates that the bank’s board and management shall, within 90 days, (i) set up written BSA risk assessment guidelines; (ii) adopt an independent audit program; (iii) implement expanded risk-based policies, procedures, and processes to obtain and analyze appropriate customer due diligence, enhanced due diligence, and beneficial ownership information, including for fintech businesses; (iv) develop and adhere to a set of standards to ensure timely suspicious activity monitoring and reporting; and (v) establish a program to assess and manage the bank’s information technology activities, including those conducted by third-party partners. The bank must also conduct a suspicious activity review lookback within 30 days.

    Bank Regulatory Federal Issues Fintech OCC Third-Party Risk Management Bank Secrecy Act Anti-Money Laundering SARs Financial Crimes Customer Due Diligence

  • Hsu discusses challenges facing community banks

    On September 1, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the Texas Bankers Association in Dallas focusing on the importance of community banks and the challenges and opportunities of digitalization. In his remarks, Hsu emphasized the OCC’s commitment to community banks, noting that more than 85 percent of the charters that the OCC supervises are community banks, which total nearly 900 individual institutions. He said that the OCC seeks to support community banks in five areas: (i) assessments; (ii) de novo licensing; (iii) risk-based supervision; (iv) local presence and national perspective; and (v) regulation. In particular, Hsu said the OCC is working to provide increased support for community banks by streamlining the licensing process for de novo banks and updating its approach to risk-based supervision. Hsu noted that the recent reduction in assessments is part of an effort by regulators to encourage community banks to invest in digital technologies. He stated that his “experiences in the 2008 financial crisis taught [him] about the disastrous consequences that can result from an unlevel playing field where regulatory arbitrage and races to the bottom are allowed to fester.” He added that while he has been at the OCC, the agency has been “requiring fintechs seeking a bank charter to be subject to the same requirements as all national banks and we are engaging with our peer agencies to limit regulatory arbitrage.” Hsu also noted that in order to “level the playing field,” the OCC will make a 40 percent reduction in assessment fees on a bank's first $200 million in assets and a 20 percent reduction on bank assets between $200 million and $20 billion. Hsu said that the cuts will result in a $41.3 million reduction in assessments for community banks in 2023. 
    Hsu explained that “[t]he purpose of this adjustment is to level the playing field with the cost of supervision compared to state community bank charters,” and that “[t]he recalibration will not reduce the quality of OCC supervision or the resources available to community banks.” Hsu mentioned that he is “hopeful” that the reduction gives community banks “extra breathing space and capacity to invest and seize opportunities related to digitalization, compliance, cybersecurity, and personnel.”

    Bank Regulatory Federal Issues OCC Community Banks Assessments Fintech Digitalization

  • Pelosi cites preemption concerns in federal privacy bill

    Federal Issues

    On September 1, Speaker of the House Nancy Pelosi (D-CA) released a statement commending the House Energy and Commerce Committee’s work on advancing the American Data Privacy and Protection Act (ADPPA) to the House floor (covered by InfoBytes here). However, Pelosi also recognized preemption concerns raised by the California governor, the California Privacy Protection Agency, and other top state leaders. “With so much innovation happening in our state, it is imperative that California continues offering and enforcing the nation’s strongest privacy rights,” Pelosi said. “California’s landmark privacy laws and the new kids age-appropriate design bill, both of which received unanimous and bipartisan support in both chambers, must continue to protect Californians—and states must be allowed to address rapid changes in technology.” Praising measures in the ADPPA that would give consumers the right, for the first time, to seek damages in court for violations of their privacy rights, Pelosi said the House “will continue to work with Chairman Pallone to address California’s concerns.” As previously covered by InfoBytes, the ADPPA also received criticism from several state attorneys general who argued, among other things, that “Congress should adopt a federal baseline, and continue to allow states to make decisions about additional protections for consumers residing in their jurisdictions,” instead of preempting areas of state privacy regulation.

    Federal Issues Privacy, Cyber Risk & Data Security Federal Legislation U.S. House American Data Privacy and Protection Act State Issues California Consumer Protection
