
InfoBytes Blog

Financial Services Law Insights and Observations


  • States enact data breach notification laws; Oregon prohibits fees for security freezes

    Privacy, Cyber Risk & Data Security

    On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers by mail; by electronic notice; or, in certain circumstances, by substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and, following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.

    A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:

    • Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
    • Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).

    Privacy/Cyber Risk & Data Security Courts Damages Data Breach Credit Reporting Agency Security Freeze State Legislation

  • New York Attorney General reaches $230 million settlement for international company’s RMBS misconduct

    Securities

    On March 21, the New York Attorney General announced a $230 million settlement with two divisions of an international financial services company to resolve allegations that the company made misrepresentations in the sale of residential mortgage-backed securities (RMBS) in violation of New York’s Martin Act and Section 63(12) of New York’s Executive Law. According to the settlement agreement, the investigation focused on 15 securitizations sold by the company between 2006 and 2007. In addition to the alleged misrepresentations in each of the securitizations’ prospectus and prospectus supplements, the company also included loans in the sales portfolio that diligence reports flagged for underwriting and valuation issues. The $230 million settlement includes $41 million to New York State and $189 million to consumer relief programs.

    Securities RMBS State Attorney General State Issues Mortgages

  • CFPB releases RFI on inherited rules, extends comment period for first three RFIs

    Federal Issues

    On March 22, the CFPB released its ninth Request for Information (RFI) in a series seeking feedback on the Bureau’s operations. This RFI solicits public comment to assist the Bureau in deciding “whether it should amend the regulations or exercise the rulemaking authorities that it inherited from certain other Federal agencies.” Specifically, the Bureau is seeking feedback regarding its “Inherited Regulations” – the consumer financial laws that were previously vested in other federal agencies but were transferred to the CFPB by the Dodd-Frank Act. The RFI seeks information related to all aspects of the Inherited Regulations, including (i) whether the Inherited Regulations should be tailored to an institution of a particular size or are incompatible with new technologies; (ii) changes the Bureau could make to the Inherited Regulations to more effectively meet the specific law’s statutory purpose; (iii) changes the Bureau could make to the Inherited Regulations to advance the statutory purposes stated in Section 1021 of the Dodd-Frank Act; (iv) whether the Bureau should introduce pilots, field tests, demonstrations or other activities to better analyze the cost/benefits of potential Inherited Regulations; and (v) where the Bureau could exercise more of its rulemaking authority to better align with the objectives of the applicable consumer financial laws. The RFI is expected to be published in the Federal Register on March 26. Comments will be due 90 days from publication.

    On March 19, the CFPB extended the comment period of the first three RFIs released in the series to 90 days (previously covered by InfoBytes here, here, and here). The comment periods were originally set for 60 days after publication in the Federal Register, but the 90-day deadline now applies to the following, to match those of subsequent issuances:

     

    Federal Issues RFI CFPB Succession Agency Rule-Making & Guidance

  • Financial Stability Board issues letter to G20 Finance Ministers and Central Bank Governors

    Fintech

    On March 18, the Financial Stability Board (FSB) released a letter previously sent to G20 Finance Ministers and Central Bank Governors on March 13, which set forth priorities designed to “reinforce the G20’s objective of strong, sustainable and balanced growth.” Among other things, FSB presented its initial assessment that “crypto-assets do not pose risks to global financial stability at this time” due to their “small size” and “limited use for real economy and financial transaction”; however, FSB stressed that this assessment is subject to change should crypto-assets become more widely used or integrated within the regulated financial system. “Crypto-assets raise a host of issues around consumer and investor protection, as well as their use to shield illicit activity and for money laundering and terrorist financing,” the letter stated. “At the same time, the technologies underlying them have the potential to improve the efficiency and inclusiveness of both the financial system and the economy.” The letter also described priority deliverables FSB planned to implement, such as (i) Basel III banking reforms; (ii) policy to de-risk correspondent banking; (iii) a toolkit on governance measures to address misconduct risk; (iv) evaluations of certain financial reforms; and (v) a financial sector cybersecurity lexicon. The FSB also noted that it would continue to shift away from policy development and instead focus on the transparency and efficiency of its existing programs.

    Fintech Digital Assets Cryptocurrency G20 Financial Stability Board Basel

  • Indiana amends financial services legislation, adds allowable charges

    State Issues

    On March 13, the Indiana governor signed HB 1397 and SB 377, which make a variety of changes to various Indiana banking, consumer, and financial services laws administered by the state’s Department of Financial Institutions (DFI). Among other things, HB 1397 amends Indiana’s Universal Commercial Credit Code (UCCC) to codify current DFI practice, which allows for additional charges in connection with a consumer credit sale or loan, including charges for a skip-a-payment service ($25 maximum), an expedited payment service ($10 maximum), and a guaranteed asset protection agreement. The legislation also adds electronic funds transfers to the list of return payments that may be assessed a $25 charge. For payday loans, the legislation clarifies that a borrower, during the third consecutive loan or any subsequent consecutive loan, may request an extended payment plan if the rescission period has expired and the borrower has not previously defaulted on the outstanding loan. Indiana’s SB 377 allows for the director of DFI to use certain technology solutions to oversee compliance with and enforce state laws associated with the regulation of payday loans.

    Both pieces of legislation are effective July 1. 

    State Issues Lending UCCC Payday Lending Consumer Finance State Legislation

  • FTC challenges virtual currency “chain referral schemes”—creates new working group

    Fintech

    On March 16, the FTC announced that the U.S. District Court for the Southern District of Florida granted a temporary restraining order against four individuals who allegedly promoted cryptocurrency “chain referral schemes” in violation of the FTC Act. According to the complaint, the defendants falsely promised that by paying a small sum in virtual currency, such as bitcoin or Litecoin, to enroll, the participant could earn significant returns. Three of the defendants promoted schemes that claimed participants could turn $100 into $80,000 in monthly income based on recruiting additional participants, when in actuality most of the participants failed to recoup their initial investments. Additionally, the fourth defendant promoted another scheme, which promised virtual currency investors a fixed rate of return on bitcoin investments in a passive investment operation and a multilevel investment program in which participants would receive a commission for recruiting more investors. The scheme allegedly ended within two months of opening and many investors failed to recover the initial investments.

    On the same day, the FTC announced a new FTC Blockchain Working Group, which will (i) “build on FTC staff expertise in cryptocurrency and blockchain technology through resource sharing and by hosting outside experts”; (ii) “facilitate internal communication and external coordination on enforcement actions and other related projects”; and (iii) “serve as an internal forum for brainstorming potential impacts on the FTC’s dual missions and how to address those impacts.” The announcement highlighted the properties of cryptocurrencies that make the payment form susceptible to scammers, including the fact that it can be transferred electronically without requiring validation from a trusted third party source. 

    Fintech Virtual Currency Enforcement FTC Courts

  • FTC reaches $45.5 million settlement with companies over illegal telemarketing calls

    Privacy, Cyber Risk & Data Security

    On March 16, the FTC and three Utah-based movie companies (defendants) agreed to a proposed stipulated final order settling charges that they violated the FTC Act and the Telemarketing Sales Rule (TSR). In 2011, the DOJ filed a complaint on behalf of the FTC, which alleged defendants engaged in abusive telemarketing practices by making more than 117 million deceptive and unlawful calls to consumers to pitch movies and induce DVD sales in violation of the TSR, including 99 million calls to numbers on the Do Not Call Registry. In 2016, a federal court jury found the defendants guilty of six TSR violations and collectively responsible for the more than 117 million unlawful calls alleged in the complaint. The jury additionally found that the defendants had “actual or implied knowledge of the TSR violations,” meaning that the court was allowed to assess civil penalties under the FTC Act. According to the FTC’s press release, this was the first-ever jury verdict in an action to enforce the TSR and DNC Registry rules.

    The proposed stipulated final order bans the defendants from engaging in the alleged misconduct, orders the defendants to train and monitor their solicitors to ensure compliance with the TSR, and imposes a $45.5 million civil money penalty, of which $487,735 is suspended unless it is determined that the financial statements defendants submitted to the FTC contain any inaccuracies.

    Privacy/Cyber Risk & Data Security FTC DOJ FTC Act Telemarketing Sales Rule Settlement

  • Mississippi passes amendment concerning open-end credit finance charges

    State Issues

    On March 15, the Mississippi governor signed House Bill 1338, which amends sections of the Mississippi Code by authorizing state chartered or domiciled banks that offer open-end credit to assess finance charges, credit service charges, and other fees and charges “at rates and amounts . . . that financial institutions domiciled in other states are permitted to impose and collect when extending credit to Mississippi customers. . . .” In doing so, the amendment strives to retain existing financial services within the state. The amendment takes effect July 1.

    State Issues State Legislation Credit Cards Debit Cards

  • OCC announces March 2018 enforcement actions and terminations

    Federal Issues

    On March 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such parties. The new enforcement actions include a cease and desist order, a civil money penalty order, notices filed, and recently terminated enforcement actions. Two notable actions are as follows:

    Cease and Desist Consent Order. On February 12, the OCC issued a consent order against a New Jersey-based bank for deficiencies related to its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) rules and regulations. Among other things, the consent order requires the bank to (i) appoint an independent third-party consultant to conduct a review of the bank’s BSA/AML compliance program; (ii) review and update a comprehensive BSA/AML compliance action plan and monitoring system; (iii) create a comprehensive training program for “appropriate operational and supervisory personnel, and the Board of Directors, to ensure their awareness of their responsibility for compliance with” the BSA; (iv) develop policies and procedures related to the collection of customer due diligence and enhanced due diligence when opening accounts; (v) appoint a BSA officer; (vi) develop and conduct ongoing BSA/AML risk assessments to monitor accounts for “high-risk customers”; and (vii) conduct a “Look-Back” plan to determine whether suspicious activity was timely identified and reported by the bank and whether additional SARs should be filed for previously unreported suspicious activity. Furthermore, the bank is prohibited from opening new accounts for commercial customers designated as “medium risk or higher” in areas such as “money services businesses, foreign or domestic correspondent banks, payment processors, or cash-intensive businesses” without prior authorization. The bank, while agreeing to the terms of the consent order, has neither admitted nor denied any wrongdoing.

    Termination of enforcement action. On February 14, the OCC terminated a 2002 consent order issued against a Texas-based payday lender after determining that “the safe and sound operation of the banking system does not require the continued existence of” previously issued restrictions. In 2002, the OCC claimed the payday lender engaged in “unsafe and unsound” practices, including violations of ECOA and TILA for failing to safeguard customers’ loan files. Among other things, the consent order fined the payday lender a $250,000 civil money penalty, imposed record-keeping requirements, and prohibited it from “entering into any kind of written or oral agreement to provide any services, including payday lending, to any national bank or its subsidiaries without the prior approval of the OCC.”

    Federal Issues OCC Enforcement Bank Secrecy Act Anti-Money Laundering Payday Lending Customer Due Diligence

  • Multiple states address cost of security freezes

    State Issues

    On March 19, the Michigan governor signed legislation, HB 5094, which amends the Michigan Security Freeze Act to prohibit consumer reporting agencies (CRAs) from charging a fee for “placing, temporarily lifting, or removing a security freeze” on a credit report. Previously, the state allowed for a fee of up to $10 to use the service, if the consumer had not previously filed a police report alleging identity theft. HB 5094 is effective immediately.

    On March 15, the Utah governor signed legislation, HB 45, which amends the Utah Consumer Credit Protection Act to prohibit CRAs from charging a fee in connection with placing or removing a security freeze. Additionally, the bill prohibits CRAs from charging a fee in connection with mobile applications through which a consumer would place or remove a security freeze. The legislation outlines the manner in which a consumer may request a security freeze and the requirements CRAs must follow in responding to the requests. Previously, Utah allowed CRAs to charge a “reasonable fee” in connection with a security freeze service.

    State Issues Credit Reporting Agency Privacy/Cyber Risk & Data Security Data Breach Security Freeze State Legislation
