
InfoBytes Blog

Financial Services Law Insights and Observations

  • Federal Privacy Stakeholder Meeting Addresses Mobile Application Transparency

    Fintech

    Recently, the multi-stakeholder process established in connection with the White House’s February 2012 privacy report met to discuss mobile application transparency, including a voluntary code of conduct for mobile application developers. The code covers mobile application short form notices intended to provide consumers enhanced transparency about data collection and sharing practices. Application developers that choose to adopt the voluntary code would employ short form notices that describe (i) the collection of certain types of data – including biometrics, browser history, phone or text log, financial information, location, and more – whether or not consumers know that it is being collected, (ii) a means of accessing a long form privacy policy, if any exists, (iii) the sharing of user-specific data, if any, with certain third parties – e.g., consumer data resellers, data analytics providers, ad networks, and government entities, and (iv) the identity of the entity providing the application. In addition to being voluntary, the code exempts common application collection and sharing activities for operational purposes.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • DOJ Announces Five Indictments in Largest Known Data Breach Case

    Fintech

    On July 25, the DOJ announced the indictment of five individuals accused of conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses. The DOJ believes the defendants and others conspired to use a “SQL injection attack” to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world. Once started, the attacks could last months while the defendants worked to steal user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders, and subsequently sell the data to end-users who used the data to make fraudulent ATM withdrawals or credit card purchases. The DOJ’s action was based on the findings of an extensive Secret Service investigation.

    DOJ Privacy/Cyber Risk & Data Security

  • Florida District Court Orders Disgorgement of Profits from Unfair, Deceptive Online Payday Loan Referral Practices

    Fintech

    On July 18, the U.S. District Court for the Middle District of Florida held that an online payday loan referral business engaged in unfair and deceptive billing practices and failed to provide adequate disclosures to its customers. FTC v. Direct Benefits Group, LLC, No. 11-1186, 2013 WL 3771322 (M.D. Fla. Jul. 18, 2013). The FTC alleged that the defendants violated the FTC Act by obtaining consumers’ bank account information through payday loan referral websites and debiting their accounts without their consent. The FTC also alleged that the defendants failed to adequately disclose that, in addition to using consumers’ financial information for a payday loan application, they would use it to charge them for enrollments in unrelated programs and services. During a bench trial, the parties presented evidence and arguments regarding the content and operation of the websites and whether consumers could enroll in the referral programs without taking affirmative steps to do so. The court agreed with the FTC’s claims that the defendants’ practices were deceptive and held that the “pop-up box” used to enroll consumers in the programs at issue was misleading. The court explained that the defendants’ website and the online payday loan application form created the overall impression that they were intended for applying for payday loans and that the bank account information that applicants were asked to enter would be used for deposit of the payday loan—not so that the account could or would be debited for the purchase of an unrelated product or service. Further, the court held that the defendants’ disclosures were not clear and conspicuous under the principles included in the FTC’s “.com disclosures guidance.” The court also held that the FTC established that the billing practices were unfair, and ordered the defendants to disgorge over $9.5 million and permanently cease the practices at issue.

    FTC Payday Lending Lead Generation Internet Lending

  • NIST Releases Minor Updates to Digital Signature Standard

    Fintech

    On July 23, the National Institute of Standards and Technology released a revised digital signature standard used to ensure the integrity of electronic documents and the identity of the signer. The revised standard includes no major changes, but does update the standard to align it with other publications so that all NIST documents offer consistent guidance regarding the use of random number generators. Another revision concerns the use of prime number generators, which requires random initial values for searching for prime numbers.

    Electronic Signatures NIST

  • Fourth Circuit Relies on E-Sign Act to Hold Electronic Agreement May Effect A Valid Transfer of Copyright

    Fintech

    On July 17, the U.S. Court of Appeals for the Fourth Circuit held that under the E-Sign Act, an electronic transfer may satisfy the requirements for transfer of a copyright under the Copyright Act, even though the Copyright Act itself does not define the “writing” or “signature” required to effectuate a transfer. Metro. Reg. Info. Sys., Inc. v. Am. Home Realty Network, Inc. No. 12-2102, 2013 WL 3722365 (Jul. 17, 2013). In this case, the company that operates the online real estate listing service MLS sued a competitor real estate referral service, contending that the referral service collected and used information without authorization – including photographs of listed properties – that MLS compiled for its customers. In order to submit photos to the MLS, customers are required to click a button and agree to certain terms of use. The court agreed with the MLS operator that its customers’ acceptance of the terms of use operated as a transfer of copyrights in any photograph provided to the MLS, and that as such the competitor service may have violated the Copyright Act through its unauthorized use of the materials. Noting the paucity of case law applying the E-Sign Act to instruments conveying copyrights, the court looked to cases in which circuit courts have applied the E-Sign Act to the Federal Arbitration Act’s protections that pertain only to written arbitration agreements, including the Second Circuit’s holding in Specht v. Netscape Comms. Corp., 605 F.3d 17 (2nd Cir. 2002). Based on the analysis in those cases, the court explained that “[t]o invalidate copyright transfer agreements solely because they were made electronically would thwart the clear congressional intent embodied in the E-Sign Act.” The court held that an electronic agreement may effect a valid transfer of copyright interests under the Copyright Act. As such, the court affirmed the district court’s preliminary injunction prohibiting MLS’s competitor from displaying the MLS photographs.

    ESIGN Electronic Signatures

  • Ninth Circuit Holds FAA Preempts Montana's Public Policy Against Enforcing Contracts of Adhesion

    Fintech

    On July 15, the U.S. Court of Appeals for the Ninth Circuit held that the Federal Arbitration Act (FAA) preempts Montana’s public policy invalidating adhesive agreements running contrary to the reasonable expectations of a party. Mortensen v. Bresnan Comms. LLC, No. 11-35823, 2013 WL 3491415 (9th Cir. Jul. 15, 2013). In this case, the plaintiffs filed a putative class action against an internet service provider (ISP) that participated in a trial program in which the ISP’s customers’ personal information allegedly was passed on to an advertising company in violation of the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and state privacy and property laws. The ISP moved to compel arbitration, arguing that the welcome kits its service technicians delivered included mandatory arbitration provisions that required application of New York law to any disputes. The court vacated a trial court’s order declining to enforce arbitration, holding that AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011), requires that the FAA preempt Montana’s reasonable expectations/fundamental rights rule, despite the state’s interest in protecting its consumers from unfair agreements, because that rule has a disproportionate impact on arbitration agreements. As a result, the court also held that the district court erred in not applying New York law because a state’s preempted public policy was an impermissible basis on which to reject the parties’ choice-of-law selection. The court vacated the district court’s order declining to enforce the arbitration clause and choice-of-law clause and remanded with instructions to apply New York law to the arbitration agreement.

    Arbitration U.S. Supreme Court Privacy/Cyber Risk & Data Security

  • FTC Extends Time to Comment on Proposed TSR Changes

    Fintech

    On July 12, the FTC extended the comment deadline on proposed changes to its Telemarketing Sales Rule (TSR). In May, the FTC proposed to prohibit the use of certain payment methods it believes are favored by “fraudulent telemarketers,” and sought comments by July 29, 2013. Because a slightly modified version of the original proposal was published in the Federal Register on July 9, 2013, the FTC now will accept comments through August 8, 2013.

    FTC Payment Systems Agency Rule-Making & Guidance

  • Federal, State Officials Focus on Employee Payroll Cards

    Fintech

    On July 11, a group of Democratic Senators urged the CFPB and the Department of Labor to “take swift action” regarding prepaid payroll cards. The Senators expressed concern that workers do not understand the “excessive fees” and “harmful practices” associated with such cards, and suggested that those fees and practices – specifically, those relating to ATM use, balance inquiry, swipe purchases, overdraft, and inactivity, among others – may violate the Electronic Fund Transfer Act and its implementing regulation, Regulation E. The lawmakers asked the CFPB to conduct a study to better understand these fees and their impact on workers, and to clarify through a rulemaking or other supervisory action the options employers must provide to their employees under Regulation E. The Senators’ letter follows reports of an investigation by New York Attorney General Eric Schneiderman into potential state law violations related to employers’ use of payroll cards.

    CFPB State Attorney General Prepaid Cards EFTA

  • NACHA Bulletin Addresses Reinitiation of Returned Debits

    Fintech

    On July 15, the Electronic Payments Association (NACHA), the organization that manages the ACH Network, issued a bulletin that describes the provisions of NACHA’s operating rules regarding the “reinitiation” of returned ACH debit entries and the collection of return fees. With respect to the “reinitiation” of returned ACH debit entries, the bulletin outlines the limited circumstances under which the rules permit originators and originating depository financial institutions (ODFIs) to reinitiate returned entries. First, an originator or an ODFI may reinitiate a returned entry up to two times if the entry was returned for reasons of insufficient or uncollected funds. Second, an originator or an ODFI may reinitiate a returned entry for reason of stop payment, but only if the receiver of the entry reauthorized the reinitiation after the return of the original entry. Finally, unless authorization has been revoked, an originator or an ODFI may reinitiate an entry returned for any other reason, as long as the originator or ODFI has corrected or remedied the reason for the return. In instances where authorization has been revoked, an originator or ODFI may not reinitiate the entry. Additionally, in order for a reinitiation of a returned entry to take place within the ACH Network, it must take place within 180 days of the settlement date of the original entry. With respect to the collection of return fees, the bulletin explains that (i) a return fee entry may be initiated only to the extent permitted by applicable law, and only for an entry that was returned for reasons of insufficient or uncollected funds; (ii) originators and ODFIs must provide specific notice prior to charging return fees; (iii) return fees must be specifically labeled as return fees in any entry description; (iv) only one return fee may be assessed with respect to any returned entry; and (v) a return fee may not be assessed with respect to the return of a return fee entry (i.e., no “fees on fees”).

    Payment Systems Bank Compliance NACHA

  • NIST Releases Draft Outline of Cybersecurity Framework

    Fintech

    On July 2, the National Institute of Standards and Technology (NIST) released a draft outline of a framework to improve the cybersecurity of certain critical infrastructure. It proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need, and application of the framework in business. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. It solicited and recently analyzed public comments about the voluntary framework. Based on certain comments that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts. NIST also released a draft compendium of existing standards, practices, and guidelines to reduce cyber risks to critical infrastructure industries. It plans to publish the official draft Cybersecurity Framework for public comment in October 2013.

    Privacy/Cyber Risk & Data Security NIST
