InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
EU Court of Justice: Orders to remove defamatory content issued by member state courts can be applied worldwide
On October 3, the European Court of Justice held that a social media company can be ordered to remove, worldwide, defamatory content previously declared to be unlawful “irrespective of who required the storage of that information.” The decision results from a 2016 challenge brought by a former Austrian politician against the social media company’s Ireland-based operation—responsible for users located outside of the U.S. and Canada—to remove defamatory posts and comments made about her on a user’s personal page that was accessible to any user. The social media company disabled access to the content after an Austrian court issued an interim order, which found the posts to be “harmful to her reputation,” and ordered the social media company to cease and desist “publishing and/or disseminating photographs” showing the former politician “if the accompanying text contained the assertions, verbatim and/or [used] words having an equivalent meaning as that of the comment” originally at issue. On appeal, the higher regional court upheld the order but determined that “the dissemination of allegations of equivalent content had to cease only as regards [to] those brought to the knowledge of the [social media company] by the [former politician] in the main proceedings, by third parties or otherwise.”
The Austrian Supreme Court of Justice requested that the EU Court of Justice adjudicate whether the cease and desist order may also be “extended to statements with identical wording and/or having equivalent content of which it is not aware” under Article 15(1) of Directive 2000/31 (commonly known as the “directive on electronic commerce”). Specifically, the EU Court of Justice considered (i) whether Directive 2000/31 generally precludes a host provider that has not “expeditiously removed illegal information”—including identically worded items of information—from removing content wordwide; (ii) if Directive 2000/31 does not preclude the host provider from its obligations, “does this also apply in each case for information with an equivalent meaning”; and (iii) does Directive 2000/31 also apply to “information with an equivalent meaning as soon as the operator has become aware of this circumstance.”
According to the judgment, Directive 2000/31 “does not preclude those injunction measures from producing effects worldwide,” holding that a national court within the member states may order host providers to remove posts it finds defamatory or illegal. However, the judges concluded that such an order must function “within the framework of the relevant international law.”
California addresses robocall spoofing
On October 2, the California governor signed SB 208, the “Consumer Call Protection Act of 2019,” which requires telecommunications service providers (TSPs) to implement specified technological protocols to verify and authenticate caller identification for calls carried over an internet protocol network. Specifically, the bill requires TSPs to implement “Secure Telephone Identity Revisited (STIR) and Secure Handling of Asserted information using toKENs (SHAKEN) protocols or alternative technology that provides comparable or superior capability by January 1, 2021. The bill also authorizes the California Public Utilities Commission and the Attorney General to enforce certain parts of 47 U.S.C. 227, making it unlawful for any person within the U.S. to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.
As previously covered by InfoBytes, in June 2019, the FCC adopted a Notice of Proposed Rulemaking (NPRM) requiring voice providers to implement the “SHAKEN/STIR” caller ID authentication framework. The FCC argued that once “SHAKEN/STIR” is implemented, it would “reduce the effectiveness of illegal spoofing and allow bad actors to be identified more easily.”
CSBS seeks comments on money services businesses model law
On October 1, the Conference of State Bank Supervisors (CSBS) issued a request for comments on its Draft Model Law Language for money services businesses (MSBs). According to CSBS, state regulation of MSBs is a primary part of Vision 2020—a state regulator initiative to modernize the regulation of fintech companies and other non-banks by creating an integrated, 50-state system of licensing and supervision. (Previously covered by InfoBytes here.) The model MSB law draft addresses recommendations made by the Payments Subgroup of the Fintech Industry Advisory Panel, and “is based on and overlays the Uniform Money Services Act.” In addition, the draft amends definitions and interpretations that vary between states, and consists of three primary policies: (i) regulations “must sufficiently protect consumers from harm, including all forms of loss”; (ii) regulations “must enable the states’ ability to prevent bad actors from entering the money services industry”; and (iii) regulations “must preserve public confidence in the financial services sector, including the states’ ability to coordinate.” According to the Fintech Industry Advisory Panel, differences in standards and procedures for change in control have created significant administrative burdens, which the working group addressed by standardizing change of control triggers and the definition of control persons. The draft also includes implementation language designed to provide the legal framework to facilitate interstate coordination and the adoption of consistent standards and processes. The proposed language is adapted from current state laws, which focus “on permitting interstate supervision and creating parity between national and state chartered banks.” CSBS notes that using these models will grant states the legal authority to adjust to new products, risks, processes, and technological capabilities in a coordinated manner.
Comment are due November 1.
Class certification granted in FCRA suit against credit reporting agency
On October 1, the U.S. District Court for the Central District of California granted a plaintiff’s motion for class certification in an action against a national credit reporting agency for allegedly failing to follow reasonable procedures to assure maximum possible accuracy in the plaintiffs’ credit reports, in violation of the FCRA. As previously covered by InfoBytes, the credit reporting agency allegedly failed to delete all of the accounts associated with a defunct loan servicer, despite statements claiming to have done so in January 2015. As of October 2015, 125,000 accounts from the defunct loan servicer were still being reported, and the accounts were not deleted until April 2016. The class action alleges that the credit reporting agency violated the FCRA by continuing to report the past-due accounts, even after deleting portions of the positive payment history on the accounts. After the district court initially granted summary judgment in favor of the credit reporting agency, the U.S. Court of Appeals for the Ninth Circuit revived the lawsuit, holding that a “reasonable jury could conclude that [the credit reporting agency’s] continued reporting of [the account], either on its own, or coupled with the deletion of portions of [the consumer’s] positive payment history on the same loan, was materially misleading.”
In certifying a class of all persons whose credit report contained an account originated after January 21, 2015, from the defunct loan servicer, the district court concluded that the “Defendant’s failure to use maximum reasonable procedures to prevent the continued reporting of delinquent [loan servicer] accounts—presents a clear risk of material harm to Plaintiff’s concrete interest in accurate credit reporting.” The court rejected the credit reporting agency’s argument that the named plaintiff must prove standing on behalf of the entire class, determining that “for all the same reasons Plaintiff has standing, it’s at least possible that the unnamed class members also have standing.” Moreover, the court rejected the argument that damages should be an individual question because many class members “likely suffered no injury at all.” The court concluded that the fact that each class member may “collect slightly different amounts of statutory damages is insufficient, without more, to defeat a showing of predominance in this case.”
OCC issues final stress test revisions
On October 2, the OCC issued the final rule revising the stress testing requirements for OCC-supervised institutions, consistent with changes made by Section 401 of the Economic Growth, Regulatory Relief, and Consumer Protection Act. The final rule remains unchanged from the proposed rule, which was issued by the OCC in December 2018 (previously covered by InfoBytes here). The final rule (i) changes the minimum threshold for applicability from $10 billion to $250 billion; (ii) revises the frequency of required stress tests for most FDIC-supervised institutions from annual to biannual; and (iii) reduces the number of required stress testing scenarios from three to two. Specifically, OCC-supervised institutions that are covered institutions will “be required to conduct, report, and publish a stress test once every two years, beginning on January 1, 2020, and continuing every even-numbered year thereafter.” The final rule also adds a new defined term, “reporting year,” which will be the year in which a covered bank must conduct, report, and publish its stress test. The final rule requires certain covered institutions to still conduct annual stress tests, but this is limited to covered institutions that are consolidated under holding companies required to conduct stress tests more frequently than once every other year. Lastly, the final rule removes the “adverse” scenario—which the OCC states has provided “limited incremental information”—and requires stress tests to be conducted under the “baseline” and “severely adverse” stress testing scenarios. The final rule is effective November 24.
McWilliams highlights upcoming CRA examination updates for MDIs, encourages partnerships between community banks and fintechs
On October 2, FDIC Chairman Jelena McWilliams spoke at the National Bankers Association’s annual convention to discuss the agency’s objectives regarding minority depository institutions (MDIs). McWilliams highlighted recent FDIC initiatives, including past and future roundtable discussions between large and minority banks regarding potential partnership opportunities. McWilliams noted that many large banks are unaware of how these partnerships can count for Community Reinvestment Act (CRA) credit. Therefore, the FDIC is updating its examiner instructions for CRA performance evaluations to identify activities involving MDIs. McWilliams also reminded attendees about the upcoming inaugural meeting of the agency’s new MDI Subcommittee to its Advisory Committee on Community Banking, which will focus on issues, tools, and resources unique to MDIs. One of the subcommittee’s goals, she noted, is to “identify additional opportunities to provide regulatory relief for MDIs with less-complex balance sheets while maintaining safety and soundness.” Concerning the FDIC’s franchise-marketing process for failing MDIs, McWilliams commented that “[g]oing forward, when a new marketing initiative begins, we will provide a two-week window exclusively for MDIs,” and will also contact all qualified MDIs on the bid list and provide technical assistance.
Earlier, on October 1, McWilliams delivered keynote remarks at the Federal Reserve Bank in St. Louis, in which she warned community banks that their ability to survive and thrive depends on their ability to innovate and adapt to changing technology. Specifically, McWilliams discussed the growth of digitization, open banking, machine learning/artificial intelligence, and personalization, stressing that banking technology is advancing at a “relentless pace.” Consequently, “we all must challenge ourselves to think about what that means for the future of the banking industry, and community banks in particular.” McWilliams noted, however, that community banks’ inability to keep pace with innovation is due to both cost and regulatory uncertainty. “The cost to innovate is in many cases prohibitively high for community banks. They often lack the expertise, the information technology, and research and development budgets to independently develop and deploy their own technology.” She suggested that community banks partner with fintech firms that have already developed, tested, and rolled out new technology, and emphasized that her goal is for the FDIC to lay “the foundation for the next chapter of banking by encouraging innovation that meets consumer demand, promotes community banking, reduces compliance burdens, and modernizes our supervision.”
DOJ sues Maryland car dealership for ECOA violations
On September 30, the DOJ announced it filed a lawsuit in the U.S. District Court for the District of Maryland alleging that a Maryland used car dealership and its owner and manager violated ECOA by offering different terms of credit based on race to consumers seeking to finance cars. According to the complaint, between September 2017 and April 2018, compliance testing done by the DOJ concluded that the defendants’ “actions, policies, and practices discriminate against applicants on the basis of race with respect to credit transactions…by offering more favorable terms to white testers than to African American testers with similar credit characteristics.” Specifically, the complaint alleged that African American testers were, among other things, (i) told they needed higher down payment amounts than white testers for the same car; (ii) quoted higher bi-weekly payments for “buy here, pay here” financing than white testers for the same car; and (iii) not offered to fund down payments in two installments, as compared to white testers. The DOJ also alleges that the conduct was “intentional, willful, and taken in disregard of the rights of others” and seeks injunctive relief and monetary relief.
Pre-checked box does not give consent to cookies under EU privacy directive and GDPR
On October 1, the European Court of Justice held that, under the Privacy and Electronic Communications Directive (ePrivacy Directive), a website user does not “consent” to the use of a cookie when a website provides a “pre-checked box” that needs to be deselected for a user to withdraw consent. According to the judgment, a consumer group brought an action in German court against a German lottery company, challenging the website’s use of a pre-checked box allowing the website to place a cookie—text files stored on the user’s computer allowing website providers to collect information about a user’s behavior when the user visits the website—unless the consumer deselected the box. The consumer group argued that the pre-selection of the box is not valid consent under the ePrivacy Directive. The lower court had upheld the action in part, but, following an appeal, the German Federal Court of Justice stayed the proceedings and referred the matter to the EU Court of Justice.
The Court agreed with the consumer group, concluding that the practice violated the law by not requiring users to give active, express consent to the use of the cookies. Specifically, the Court noted that the 2009 amendments to Article 5(3) of the ePrivacy Directive, which requires the website user to give “his or her consent, having been providing with clear and comprehensive information,” must be interpreted literally “to which action is required on the part of the user in order to give his or her consent.” Because the box allowing the use of cookies was checked by default, “[i]t is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited,” and therefore, it would “appear impossible” to determine whether a user gave consent to the cookies by not “deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed.” The Court noted that “[a]ctive consent is thus now expressly laid down in [the EU General Data Protection Regulation (GDPR)],” and that it “expressly precludes ‘silence, pre-ticked boxes or inactivity’ from constituting consent.’” Moreover, the Court held the ePrivacy Directive also requires that, among other information, “the service provider must [disclose] to a website user . . . the duration of the operations of cookies and whether or not third parties may have access to those cookies” to give effect to “clear and comprehensive information.”
D.C. Circuit upholds majority of FCC order overturning net neutrality rules
On October 1, the U.S. Court of Appeals for the D.C. Circuit issued a decision, which mostly ratifies the FCC’s 2017 reversal of the net neutrality rules barring internet service providers (ISPs) from slowing down or speeding up web traffic based on business relationships. (See previous InfoBytes coverage here.) Notably, however, the decision vacates a portion of the FCC’s 2018 Restoring Internet Freedom Order (Order), which preempted states from issuing their own net neutrality rules on requirements that the FCC “‘repealed or decided to refrain from imposing’ in the Order or that [are] ‘more stringent’ than the Order.”
The D.C. Circuit held that the FCC’s decision to reclassify broadband internet access as a Title I service under the Telecommunications Act—allowing for a “light-touch” regulatory framework for ISPs instead of the more heavily regulated Title II—deserves Chevron deference. The appellate court also noted that while “[p]etitioners dispute that the transparency rule, market forces, or existing antitrust and consumer protection laws can adequately protect internet openness. . . . [we] are ultimately unpersuaded.”
The D.C. Circuit also concluded that the FCC failed to adequately address how the reversal of the net neutrality rules could affect public safety issues, holding that the FCC must address this issue. The appellate court stressed that “[u]nlike most harms to edge providers incurred because of discriminatory practices by broadband providers, the harms from blocking and throttling during a public safety emergency are irreparable.” Additionally, the appellate court instructed the FCC to revisit its analysis on how the reversal will affect the regulation of pole attachments as well as low-income households that receive the internet through an FCC subsidy program. Furthermore, while the appellate court concluded that the FCC overreached its authority in prohibiting states from passing their own net neutrality rules, Judge Williams—who concurred in part and dissented in parted—reasoned that the internet cannot be divided into state markets, and that state actions “would frustrate an agency’s authorized policy.”
OCC outlines fiscal year 2020 supervision priorities
On October 1, the OCC’s Committee on Bank Supervision released its bank supervision operation plan (Plan) for fiscal year 2020. The Plan outlines the agency’s supervision priorities and specifically highlights the following supervisory focus areas: (i) cybersecurity and operational resiliency; (ii) Bank Secrecy Act/anti-money laundering compliance; (iii) commercial and retail credit loan underwriting; (iv) effects of changing interest rates on bank activities and risk exposures; (v) preparation necessary for the current expected credit losses accounting standard, as well the potential phase-out of the London Interbank Offering Rate; and (vi) technological innovation and implementation.
The annual plan guides the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, service providers, and agencies of foreign banking organizations. Updates about these priorities will be provided in the OCC’s Semiannual Risk Perspective.