InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC to Host Small Business Roundtables Focusing on Cybersecurity

    Privacy, Cyber Risk & Data Security

    On July 20, the FTC announced it will host a series of public roundtables to discuss pressing challenges facing small businesses when protecting the security of their computers and networks. The feedback will be used to assist the FTC and its partners in creating additional cybersecurity education resources. The Engage, Connect, and Protect Initiative: Small Business and Data Security Roundtables are part of Acting FTC Chairman Maureen K. Ohlhausen’s initiative to help small businesses protect against cyberattacks. Earlier this year, Ohlhausen launched a website designed to provide guidance on scams and cyberattacks for small businesses, many of which lack the resources larger companies have to spend on cybersecurity. (See previous InfoBytes post here.)

    The first roundtable will be on July 25 in Portland, Oregon, in partnership with the National Cyber Security Alliance (NCSA), the SBA, and other organizations. On September 6, a second roundtable discussion will convene in Cleveland in collaboration with the SBA and the Council of Smaller Enterprises. The third roundtable in the series, sponsored by the NCSA, will occur later in September in Des Moines, Iowa.

    Privacy/Cyber Risk & Data Security Agency Rule-Making & Guidance FTC Small Business

  • House Appropriations Committee Approves Fiscal Year 2018 Funding Bills Affecting Housing and Urban Development, and Cybersecurity

    Federal Issues

    On July 17, the House Appropriations Committee (Committee) approved the fiscal year 2018 transportation, housing and urban development funding bill by a vote of 31-20. Of the total $56.5 billion in funding provided by the bill, $38.3 billion is allocated to the Department of Housing and Urban Development (HUD) for community planning and development, which is $487 million below fiscal year 2017 but $6.9 billion above President Trump’s request. According to Committee Chairman Rodney Frelinghuysen, the bill “includes responsible funding to ensure communities across the nation have access to necessary community development funds, and [will] provide housing to those who need it the most – including the poor, elderly, and disabled.”

    • A summary of the bill is available here.
    • A copy of the legislative text of the bill is available here.
    • A copy of the bill report is available here.

    On July 18, the Committee approved the fiscal year 2018 homeland security bill by a vote of 30-22. The bill allocates $703 million to cybersecurity programs, which is $18 million less than President Trump’s request but $33 million above fiscal 2017 levels.

    • A summary of the bill is available here.
    • A copy of the legislative text of the bill is available here.
    • A copy of the bill report is available here.

    Federal Issues Federal Legislation Financial CHOICE Act HUD Budget House Appropriations Committee Privacy/Cyber Risk & Data Security

  • FTC Staff Supports FCC’s Proposal to Reverse Broadband Enforcement Authority

    Privacy, Cyber Risk & Data Security

    On July 17, FTC staff submitted its comments to the FCC in response to the FCC’s Notice of Proposed Rulemaking on Restoring Internet Freedom (NPRM), in favor of returning broadband enforcement authority to the FTC. (See previous InfoBytes coverage here.) The NPRM would reverse a 2015 FCC decision, which changed the classification of broadband internet access service from an “information service to a common carrier service,” and resulted in a loss to the FTC’s authority. Currently, the FTC cannot regulate common carrier activities. FTC staff argued that with the exception of broadband providers, FTC jurisdiction covers virtually all other internet entities. Having one agency with enforcement authority over all internet entities would allow for “consistent standards and consistent application of those standards.” The result, the staff encouraged, would be the creation of a “level playing field for all companies operating in the Internet ecosystem.”

    Acting FTC Chairman Maureen K. Ohlhausen endorsed the staff comments and offered support for the NPRM to reverse the 2015 Title II classification of broadband internet access service as a way to “restore the FTC’s ability to protect broadband consumers under its general consumer protection and competition authority.” However, FTC Commissioner Terrell McSweeny dissented, stating that “[u]nless Congress repeals the common carrier exemption in the FTC Act, the FTC could continue to face challenges to its authority over common carriers.” Consequently, “[r]epealing these rules would be harmful for consumers and the marketplace . . . . Rather than roll[ing] back protections, we should augment them with renewed FCC vigor and a change to anachronistic barriers to FTC enforcement.”

    Privacy/Cyber Risk & Data Security FTC FCC Federal Issues Agency Rule-Making & Guidance Enforcement

  • Hawaii Enacts Law to Prohibit Release of Credit Information of Children, Others

    State Issues

    On July 5, Hawaii Governor David Y. Ige signed into law H.B. 651, which was devised to protect children and certain other individuals from identity theft and credit fraud. The law applies to “protected consumers,” defined as minors under the age of 16 years, incapacitated persons, and individuals with appointed guardians or conservators.

    Based on research suggesting that minors may be targeted for identity theft due to their clean credit reports, the legislation permits representatives of protected consumers to place and remove security freezes on protected consumers’ credit files. Because one impediment to requesting such a freeze is the lack of an existing credit file, the legislation also requires consumer credit reporting agencies (CRAs) to create records for the protected consumers. A CRA may not release the protected person’s file when it is in a security freeze until the representative requests a removal of the freeze. In order to request a security freeze or a freeze removal, a protected person’s representative must provide proper identification and evidence of authority to the CRA. Additionally, with a few exceptions, the CRA may charge a fee not to exceed five dollars for each freeze or removal of a freeze to a protected person’s credit file.

    The law will go into effect on January 1, 2018.

    State Issues Credit Rating Agencies Debt Collection Fraud Privacy/Cyber Risk & Data Security State Legislation Consumer Reporting Agency

  • OCC Releases Spring 2017 Semiannual Risk Report

    Agency Rule-Making & Guidance

    On July 7, the Office of the Comptroller of the Currency (OCC) announced the release of its Semiannual Risk Perspective for Spring 2017 indicating key risk areas for national banks and federal savings associations. Acting Comptroller of the Currency Keith Noreika pointed out in his remarks that, “[w]hile these are risks that the system faces as a whole, we note that the risks differ from bank to bank based on size, region, and business model. Compliance, governance, and operational risk issues remain leading risk issues for large banks while strategic, credit, and compliance risks remain the leading issues for midsize and community banks.”

    The report details the four top risk areas:

    • Elevated strategic risk—banks are expanding into new products and services as a result of fintech competition. According to the report, this competition is increasing potential risks. The OCC hopes to finish developing a special purpose banking charter for fintech companies soon.
    • Increased compliance risk—banks must comply with anti-money laundering rules and the Bank Secrecy Act in addition to addressing increased cybersecurity challenges and new consumer protection laws.
    • Upswing in credit risk—underwriting standards for commercial and retail loans have been relaxed as banks exhibit greater enthusiasm for risk and attempt to maintain loan market share as competition increases.
    • Rise in operational risk—banks face increasingly complex cyber threats while relying on third-party service providers, which may be targets for hackers.

    The report used data for the 12 months ending December 31, 2016.

    Agency Rule-Making & Guidance OCC Risk Management Consumer Finance Payments Consumer Lending Privacy/Cyber Risk & Data Security Anti-Money Laundering Military Lending Act Compliance Bank Regulatory

  • Debt Collector Liable for Violating FDCPA and TCPA

    Courts

    On July 3, the Court of Appeals for the Third Circuit affirmed that a debt collector violated the Telephone Consumer Practices Act (TCPA) when it called a consumer’s cell phone without the consumer’s consent, resulting in a damages award of $34,500. Additionally, the appellate court reversed the district court’s decision regarding a Fair Debt Collection Practices Act (FDCPA) claim for sending a collection letter to the consumer without taking proper precautions to ensure the consumer’s account number would remain private. The debt collector put forth the defense of bona fide error regarding its alleged violations of the FDCPA. The appellate court, citing Supreme Court precedent, rejected the defense, holding that bona fide error could be claimed only in the case of a clerical or factual error, but a “mistaken interpretation of the law is inexcusable under the FDCPA’s bona fide error defense.” The Third Circuit remanded the FDCPA claim to the district court to enter judgment for the consumer and calculate the damages the debt collector must pay.

    Courts Privacy/Cyber Risk & Data Security Third Circuit Debt Collection TCPA FDCPA Appellate

  • FINRA Fines Financial Firms $2.4 Million for Improper Customer Records Storage

    Securities

    On July 5, the Financial Industry Regulatory Authority (FINRA) announced that several investment firms agreed to pay fines totaling $2.4 million for allegedly failing to maintain customer records in an electronic format that cannot be altered or destroyed. The firms all signed FINRA’s letters of Acceptance, Waiver, and Consent (AWC) containing allegations and proposed settlement terms for the alleged violations. See agreements here, here, and here.

    In the agreements, FINRA emphasizes that financial firms are storing more and more sensitive customer data. FINRA asserts that broker-dealer electronic records must be complete and accurate to assist FINRA and other regulators in examinations and to ensure that member firms can conduct audits. Increasingly aggressive hacking attempts also enhance the need for firms to keep these records in the required format. According to the allegations in the agreements, the firms violated Section 17(a) of the Exchange Act of 1934 (the "Exchange Act"), NASD Rule 3110 and FINRA Rule 4511 by not maintaining electronic brokerage records in non-erasable and nonrewritable format, known as “WORM” format. The electronic records contained information about millions of securities transactions, millions of customer account records, numerous financial records, and records regarding anti-money laundering compliance.

    FINRA also asserts that the firms: (i) failed to give 90-day advance notice to FINRA before storing records electronically; (ii) failed to set up audit systems for retaining records electronically; (iii) failed to obtain attestation letters from vendors agreeing to provide all firm records to regulators, if needed; and (iv) failed to set up and enforce written procedures to ensure electronically stored records were retained in compliance with FINRA and federal securities laws.

    In addition to monetary sanctions, the firms agreed to review and update policies and procedures to ensure compliance with FINRA and federal securities laws. Additionally, the firms must submit remediation plans to FINRA for approval.

    Securities Privacy/Cyber Risk & Data Security FINRA Enforcement Settlement Investment Adviser

  • FTC Announces Settlement of More Than $104 Million with Company for Selling Sensitive Financial Information

    Privacy, Cyber Risk & Data Security

    On July 5, the FTC issued a press release announcing a settlement of more than $104 million with a lead generation company for allegedly misleading loan applicants with promises of matching consumers with lenders that could offer the best loan terms. Actually, the FTC asserts, defendants were selling the applications, including sensitive personal information such as Social Security numbers and bank account numbers, to anyone who would pay for them “without regard for how the information would be used or whether it would remain secure.”

    The proposed order accompanying the settlement states that defendants used deceptive and unfair acts or practices in the course of their lead generation activities, and permanently prohibits defendants from misrepresenting financial products or services to consumers. It also enjoins defendants from selling or transferring a consumer’s personal information unless the consumer has provided consent and provides that defendants may not benefit from any consumer information collected before the entry of the order. Further, defendants must destroy all personal consumer information in any form within 30 days after the order.

    In addition to the above settlement terms, the defendants agreed to (i) compliance monitoring, (ii) creating certain records for ten years after the date of entry of the order, and (iii) compliance reporting.

    Although defendants have filed for bankruptcy, they agreed that the amount owed to the FTC in the settlement will not be dischargeable.

    Privacy/Cyber Risk & Data Security Courts Consumer Lending Internet Lending FTC

  • Data Breach Lawsuit Settled for $115 Million

    Privacy, Cyber Risk & Data Security

    On June 23, one of the nation’s largest health insurers agreed to pay $115 million to settle a data breach class action suit pending in the U.S. District Court for the Northern District of California. In 2015, the insurer announced that it had been hacked and that customer information had been compromised. On June 23, Plaintiffs submitted to the court a memorandum in support of the settlement. The settlement, if approved by the court, will provide almost 80,000 proposed class members with extended credit monitoring for at least two years. Additionally, the settlement will require the insurer to “implement or maintain meaningful, specific changes to its data security practices that directly address the security elements that Plaintiffs believe contributed to the breach,” including hiring independent consultants to perform annual IT risk assessments and compliance reviews, and providing the results of those audits to Plaintiffs’ counsel.

    Privacy/Cyber Risk & Data Security Fintech Data Breach Consumer Finance

  • FTC Releases Updates to COPPA Compliance Plan

    Agency Rule-Making & Guidance

    On June 21, the FTC released updated guidance designed to assist businesses when complying with the Children’s Online Privacy Protection Rule (COPPA), which regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. Specifically, the updates address the following issues: (i) the method by which companies monitor the collection of personal data as technology evolves in order to stay compliant; (ii) the ways COPPA impacts the “Internet of Things” as new “connected devices” continue to expand beyond websites and mobile apps; and (iii) new methods such as “knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID” to obtain parental consent. Additionally, the FTC revised its Six-Step Compliance Plan for Your Business to help companies determine whether they are covered by COPPA and how to comply with the rule.

    Agency Rule-Making & Guidance FTC Privacy/Cyber Risk & Data Security Compliance Internet of Things
