On March 17, the Office of the Comptroller of the Currency (OCC) released a list of administrative enforcement actions taken against banks and bank officers in February. Several of the reported actions included payment of civil money penalties (CMPs) for, among other things, violations of the Federal Trade Commission Act, Bank Secrecy Act (BSA) deficiencies, and unsafe or unsound practices by institution-affiliated parties for breaches of fiduciary duty. Among the actions containing CMPs were a Tennessee bank fined $1 million for deficiencies related to billing practices with regard to an identity protection product consumers paid for but never received, and a California bank fined $1 million for continuous non-compliance with a 2010 Consent Order for BSA deficiencies including “inadequate risk assessment process[es], inadequate system of internal controls, inadequate suspicious activity monitoring and reporting process[es], inadequate customer due diligence and enhanced due diligence programs,” as well as having a “BSA/AML independent audit [that] failed to identify . . . significant internal control weaknesses.”
Federal District Court Allows Discovery in Class Action Concerning Internet Company’s Collection of Biometric Data
In a Memorandum Opinion and Order handed down on February 27, a District Court in the Northern District of Illinois declined to dismiss a putative class action alleging that a cloud-based photographic storage service offered by an Internet company (the Company) violated the Illinois Biometric Information Privacy Act (BIPA) by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent. Specifically, the Court rejected the Company’s argument that application of BIPA to facial geometry scanning by an internet service located outside of Illinois is an improper extraterritorial application of Illinois law.
The Plaintiffs alleged that the Company failed to either (i) obtain the necessary authorization or consent to the creation and subsequent storing of “faceprints” by the photo storage service, or (ii) make publicly available a data retention and destruction schedule as required under the BIPA. In responding to these claims, the Company argued that the term “biometric identifier,” as defined in the BIPA, does not extend to “in-person scans of facial geometry” and does not cover photographs or information derived from photographs. The Company also sought to dismiss the case on jurisdictional grounds, arguing that under principles of federalism, pre-emption, and the extra-jurisdictional application of state law, the BIPA cannot properly regulate activity – such as the storage of data on the Company’s servers – that does not occur “primarily and substantially” within the state of Illinois.
In analyzing the Company’s argument, the Court looked to the following two definitions set forth in the Illinois law:
- “Biometric identifier,” which is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and explicitly “do[es] not include writing samples, written signatures, photographs. . . .”; and
- “Biometric information,” which is defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual,” and explicitly “does not include information derived from items or procedures excluded under the definition of biometric identifiers.”
Ultimately, the Court disagreed with the Company’s reading of “biometric data” because, among other reasons, “nothing in the text of [the BIPA] directly supports this interpretation.” The Court deferred deciding on the Company’s arguments that the claims would require extraterritorial application of the statute and/or would violate the Dormant Commerce Clause by reaching beyond state boundaries, because, among other reasons, “[d]iscovery is needed to determine whether there are legitimate extraterritoriality concerns.”
On March 9, the Company filed a motion seeking permission to file an interlocutory appeal to the Seventh Circuit, with a request for a stay of further proceedings pending the appellate court’s decision on the request for an appeal.
OFR Director Delivers “Reducing the Regulatory Reporting Burden” Remarks at the Financial Data Summit
On March 16, the Office of Financial Research (OFR) posted remarks made by Director Richard Berner at the third annual Financial Data Summit hosted by the Data Transparency Coalition. "Reducing the Regulatory Reporting Burden" outlines OFR’s mission to identify areas of “duplication, overlap, and inefficiency in regulatory reporting,” presents steps to be undertaken in partnership with the Financial Stability Oversight Council (and its member agencies) to “improve data quality and reduce the reporting burden [by] requiring standards, including precise and agreed-on definitions, identifiers, and formats; industry-regulator agreement on essential data elements; adherence to best practices in data collection; and more data sharing among regulators,” and seeks participation and input from the private sector.
On March 13, the FTC announced a $25 million settlement with the operators of a national telemarketing scheme who allegedly stole millions of dollars from consumers in violation of the FTC Act and the Telemarketing Sales Rule. According to the complaint filed by the FTC in 2016, the defendants allegedly sold “bogus online investment opportunities” to consumers nationwide in the form of schemes such as opportunities to buy or invest in e-commerce related websites or credit card company/e-commerce website profit-sharing programs, and then pocketed the payments—some of which exceeded $20,000. The defendants did not admit or deny the facts alleged in the complaint in the stipulated final order with the FTC, which imposed a $25 million monetary judgment that was partially suspended. The order also prohibits the defendants from telemarketing, marketing investment opportunities, and selling or otherwise benefiting from consumers’ personal information.
FCC, FTC Issue Joint Statement on Broadband Data Security Regulation; Senate Resolution Introduced to Repeal FCC Privacy Rules
On March 1, FCC Chairman Ajit Pai and acting FTC Chairman Maureen K. Ohlhausen issued a Joint Statement announcing an FCC Order (Stay Order) staying the enactment of certain data security provisions (§ 64.2005) adopted by the Commission late last year as part of its Broadband Privacy Order while the Commission and Congress consider an appropriate resolution of the broader Net Neutrality proceeding. Absent a stay, the rule was set to go into effect on March 2. Separate and apart from explaining the Stay Order, the Joint Statement effectively serves as a commitment by both the FCC and FTC to return “jurisdiction over broadband providers’ privacy and data security practices … to the FTC, the nation’s expert agency with respect to these important subjects.” Moreover, the statement also highlights what might be considered a guiding principle behind the new leadership at both the FCC and the FTC – namely, that “[a]ll actors . . . should be subject to the same rules” and “[t]he federal government shouldn’t favor one set of companies over another.”
The Stay Order arose out of an October 2016 decision to amend the Broadband Privacy Order to include new “sector-specific privacy rules” that the FCC determined were “necessary to address the distinct characteristics of telecommunications services.” This final version of the Broadband Privacy Order was published in the Federal Register (81 Fed. Reg. 87,274) on December 2, 2016.
This amendment marked a substantial change from the original language included in the order as proposed back in March 2016, where the Commission “propose[d] to apply the traditional privacy requirements of the Communications Act to . . . broadband Internet access service (BIAS).” Then-commissioner and current FCC Chairman Pai strongly disagreed with the amendment at the time, filing a dissenting statement in which he argued that “it makes no sense” for the FCC to enact “rules that apply very different regulatory regimes based on the identity of the online actor” because, among other reasons, it will inhibit competition in the online advertising market and also “lead to consumer confusion about which online companies can and cannot use their data.” Thereafter, eleven separate timely petitions to reconsider the October 2016 Order were filed, along with a petition requesting that the Commission stay the effective date of the Order.
The decision to delay the enactment of the new privacy regulations relied on Chairman Pai’s earlier argument that the data security rule as amended is not consistent with current FTC privacy standards, and thus found the March 2 effective date to be based on the incorrect underlying assumption that “carriers should already be largely in compliance with these requirements because the reasonableness standard adopted in [the] Order . . . resemble the obligation to which they were previously subject pursuant to Section 5 of the FTC Act.” As made clear by Chairman Pai in the Joint Statement, “[t]he stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rule.”
Notably, shortly after the release of the Joint Statement, on March 7, Sen. Jeff Flake (R-Ariz), chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, introduced a joint resolution to formally provide for “congressional disapproval” of 81 Fed. Reg. 87,274, i.e., the Broadband Privacy Order referenced above, under the Congressional Review Act (CRA). The CRA is a 1996 law that empowers Congress to repeal federal regulations. According to a statement released by his office, Sen. Flake—who has long opposed the privacy regulations at issue—sent a letter back in January of last year to FCC Chairman Tom Wheeler expressing concerns that the FCC is “overreaching its authority” with its planned broadband regulations. The Arizona Senator thereafter, on May 11, 2016, chaired a Privacy, Technology and the Law Subcommittee hearing seeking “answers on the legality of the proposed FCC rules and the consequences for consumers and the future of the internet.” And, most recently, on March 1, Sen. Flake wrote a Wall Street Journal op-ed laying out his position on the matter.
As previously covered in InfoBytes, on November 17 the CFPB launched an inquiry into the benefits and risks associated with consumers authorizing third-parties to access their financial and account information held by financial service providers. In response to the Bureau’s Request for Information (Dkt No. CFPB-2016-0048), consumer and industry groups have offered their thoughts and positions concerning the issue. A summary of several comment letters is included below:
American Bankers Association (ABA). The ABA submitted a comment letter in which it noted that “technology is fundamentally changing the way financial services are being delivered,” but urged the CFPB, subject to certain enumerated regulatory limitations, to “fairly address both the opportunities and risks” in order to “give consumers innovative services that they can trust.” Among other things, the ABA discussed the need for the Bureau to clarify data aggregator responsibility for maintaining the privacy and security of consumer financial data. Specifically, the ABA recommended that the CFPB: (i) impose breach notification obligations; (ii) confirm liability assignments under Regulation E; (iii) subject larger data aggregators to supervisory oversight; and (iv) educate consumers about the choices, responsibilities, and risks presented.
Financial Services Roundtable (FSR). FSR and its technology policy division responded with a letter highlighting the importance of innovation and collaboration and outlining five core elements the group believes should be considered in assessing this "evolving ecosystem." These elements are: (i) security and privacy; (ii) data access and use transparency; (iii) clarity of liability; (iv) customer choice and control; and (v) technology neutrality. FSR also encouraged the CFPB to avoid unnecessary rulemaking or standard-setting that would “blunt innovation.”
Independent Community Bankers of America (ICBA). The ICBA urged the CFPB, subject to certain enumerated regulatory limitations, to carefully consider the privacy, regulatory burden, data security, and legal implications posed by third-party account access. Among other things, the ICBA expressed concern that “non-bank entities” do not take the same care in protecting consumer privacy and data as community banks and stated that community banks “must be able to protect customer data without having to meet new regulatory mandates which increase the risk of breach and/or consumer loss.” ICBA’s letter also stated that consumers’ rights to have access to their own information should be balanced with ensuring that consumer privacy is not needlessly threatened.
Americans for Financial Reform (AFR). AFR and a coalition of consumer groups set forth the organizations’ position that “the digital economy should ensure consumers can access and use records about themselves, and that consumers can choose to authorize third-parties to access such data on their behalf to support their financial health and facilitate competition among financial services providers.” Among other things, the letter stressed the need for “standards to enforce compliance with Section 1033 to benefit consumers who utilize online data aggregation and other applications.” Additionally, the letter urged the CFPB to confirm that consumers “retain their legal protections vis-a-vis account-holding institutions if unauthorized charges are made to their accounts when they use data aggregation services.”
Financial Innovation Now (FIN). FIN expressed the organization’s belief that regulation of permissioned access to consumer financial account data is “not necessary at this time.” Rather, FIN argued for “standards for permissioned access to consumer financial account data,” which could be “developed by industry, regularly reviewed and updated.” Ultimately, FIN pushed for consumer access to consumer financial account data “securely and easily, using whatever secure application or technology they wish, without charges or restrictions that unreasonably favor any one application or technology over another.”
U.S. Companies Settle FTC Charges that They Deceived Consumers About International Privacy Program Participation
On February 22, the FTC announced that it had reached settlements with three U.S. companies over charges that the companies falsely represented their participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) system in their online privacy policies. Participation requires an official review and certification, a process none of the three companies underwent according to the three complaints. The complaints alleged violations of the FTC Act due to deceptive statements made by the companies that they participated in the APEC CBPR system. The settlement terms bar the defendants from “misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.”
FDIC Releases 2016 Annual Report; Separately, FDIC’s OIG Issues Report Critical of Bank Service Provider Contracts
On February 15, the FDIC released its 2016 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives, performance results and other aspects of FDIC operations.
Separately, on the same day, the FDIC’s Office of Inspector General (OIG) released an Audit Report (EVAL-17-004) on the adequacy of a small but random sample of contracts between FDIC-supervised institutions and their technology service providers (TSPs), in light of federal law and banking agency guidance on customer privacy-protection and how to properly manage third-party relationships. All sampled contracts had been designated as “critical” or “high” risk to the supervised institutions’ operations. The OIG specifically evaluated, and generally found insufficient, the clarity of contract provisions on TSP obligations regarding: (i) business continuity planning; and (ii) responding to and reporting on cybersecurity incidents. Despite the insufficiencies noted, the OIG acknowledged that because many contracts were negotiated before some of the relevant guidance was issued, “more time is needed to allow FDIC and FFIEC efforts to have a demonstrable” impact on contractual language.
As a result of these findings, the OIG recommended—and FDIC management agreed—that the agency, after allowing appropriate time for current guidance to be implemented, conduct a “full horizontal review to assess” any continued presence of the contractual insufficiencies noted in the report. The FDIC will “prepare” that horizontal review in 2018.
Federal Judge Sentences Hacker to Eight Years for Cyber Heists that Caused More than $55 Million in Losses
On February 10, the United States Attorney for the Eastern District of New York announced that the Honorable Kiyo A. Matsumoto levied an eight-year prison sentence against a Turkish citizen charged with organizing and carrying out three cyber-attacks on global financial institutions between 2011 and 2013 which resulted in more than $55 million in losses. Last March, the defendant pleaded guilty to “computer intrusion conspiracy, access device fraud conspiracy, and effecting transactions with unauthorized access devices.” Specifically, the defendant and his associates were alleged to have repeatedly hacked into debit card processing systems, manipulated account balances, stolen customers’ PINs, and transferred that information to associates who then encoded debit cards with the stolen data in order to make fraudulent ATM withdrawals. The DOJ further alleged that the hackers targeted databases companies maintained for prepaid debit cards and effectively eliminated the card accounts’ withdrawal limits in what are called “unlimited operations.” The defendant was also ordered to pay $55,080,226.14 in restitution as part of his sentence.
On February 9, the New York Attorney General’s (NYAG’s) office announced two settlements with mobile app developers who allegedly omitted information about their data collection practices in their privacy policies. While the investigation revealed that neither developer misused their customers’ personal information nor improperly disclosed such information to third parties, the NYAG’s office determined that both companies failed to properly disclose the fact that they had collected the information as required by law. Both companies have agreed to add privacy policies to their apps.