InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
House committees move forward on data privacy
On March 1, the House Subcommittee on Innovation, Data, and Commerce, a subcommittee of the House Energy and Commerce Committee, held a hearing entitled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy” to continue discussions on the need for comprehensive federal privacy legislation. House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) delivered opening remarks, commenting that discussions during the hearing will build upon the bipartisan American Data Privacy and Protection Act (ADPPA), which advanced through the committee last July by a vote of 53-2. As previously covered by InfoBytes, the ADPPA (see H.R. 8152) was sent to the House floor during the last Congressional session, but never came up for a full chamber vote. The bill has not been reintroduced yet.
A subcommittee memo highlighted that absent a comprehensive federal standard, “there are insufficient limits to what types of data companies may collect, process, and transfer.” The subcommittee flagged the data broker industry as an example of where there are limited restrictions or oversight to prevent the creation of consumer profiles that link sensitive data to individuals. Other areas of importance noted by the subcommittee relate to data security protections, data minimization requirements, digital advertising, and privacy enhancing technologies. The subcommittee heard from witnesses who agreed that a comprehensive privacy framework would benefit consumers.
One of the witnesses commented in prepared remarks that preemption is key, calling the current patchwork of state laws confusing and costly to businesses and consumers. “Consumers need a strong and consistent law to protect them across jurisdictions and market sectors, and to clarify what privacy rights they should expect and demand as they navigate the marketplace,” the witness said. The witness also stated that the FTC is currently relying on outdated law, noting that while Section 5 of the FTC Act is frequently used, “virtually all of the FTC’s privacy and data security cases are settlements. That means that many of the legal theories advanced, as well as the remedies obtained, have never been tested in court.”
In advance of the hearing, the California governor, the California attorney general, and the California Privacy Protection Agency sent a joint letter opposing preemption language contained in H.R. 8152. “[B]y prohibiting states from adopting, maintaining, enforcing, or continuing in effect any law covered by the legislation, [the ADPPA] would eliminate existing protections for residents in California and sister states,” the letter warned. The letter asked Congress “to set the floor and not the ceiling in any federal privacy law” and “allow states to provide additional protections in response to changing technology and data privacy protection practices.”
Separately, at the end of February, Chairman of the House Financial Services Committee, Patrick McHenry (R-NC) introduced the Data Privacy Act of 2023 (see H.R. 1165). The bill moved out of committee by a 26-21 vote, and now goes to the full House for consideration. Among other things, the bill would modernize the Gramm-Leach-Bliley Act to better align the statute with the evolving technological landscape. The bill would also ensure consumers understand how their data is being collected and used and grant consumers power to opt-out of the collection of their data and request that their data be deleted at any time. Additional provisions are intended to protect against the misuse or overuse of consumers’ personal data and impose disclosure requirements relating to data collection methods, how data is used and who it is shared with, data retention policies, and informed choice. The bill is designed to provide consistency across the country to reduce compliance burdens, McHenry said.
Fannie says appraisals are no longer required to establish market value
On March 1, Fannie Mae issued a Selling Guide announcement to introduce a range of options for establishing a property’s market value, noting that it is “moving away from implying that an appraisal is a default requirement.” As part of Fannie’s efforts to improve the efficiency and accuracy of the home valuation process, it is rolling out choices that balance “traditional appraisals with appraisal alternatives.” Options introduce the term “value acceptance,” which will be “used in conjunction with the term ‘appraisal waiver’ to better reflect the actual process of using data and technology to accept the lender-provided value.” A new option, “value acceptance + property data” will use property data collected by vetted third parties that conduct interior and exterior data collection on a property. This data will be used by the lender to confirm property eligibility (an appraisal will not be required). “Hybrid appraisals” will be “based on interior and exterior property data collection by a vetted and trained third-party that is provided to an appraiser to inform the appraisal.” Fannie explained that hybrid appraisals will be “permitted for certain one-unit transactions where value acceptance + property data was initially started, but changes in loan characteristics results in the transaction not being eligible for that option.”
The updates also allow for alternative methods to the Appraisal Update and/or Completion Report, including a borrower/builder attestation letter verifying completion of construction, and a borrower attestation letter confirming completion of repairs for existing construction. The updates also provide additional guidance on the use of sweat equity and revise timelines and expectations for lenders’ prefunding and post-closing quality control reviews, among other things.
FHA proposes to ease branch office registration
On March 1, FHA published FHA INFO 2023-14 announcing a proposed rule to eliminate a requirement that mortgagees and lenders register all branch offices conducting FHA business with HUD. Currently, all FHA-approved mortgagees and lenders are required to register any branch office where they originate Title I or II loans or submit applications for mortgage insurance. Due to technological advances and remote service delivery, this requirement is inconsistent with current industry practices, FHA said, explaining that the proposed rule will grant mortgagees and lenders the choice as to whether to register and maintain branch offices with HUD. The proposed rule also will make branch registration fees applicable only to those branch offices registered with HUD. Unregistered branch offices will not be subject to unnecessary registration fees and will not be placed on the HUD Lender List Search page. Comments on the proposed rule are due May 1.
FTC orders refunds over compromised health data
On March 2, the FTC filed a complaint against an online counseling service alleging the respondent violated the FTC Act by monetizing consumers’ sensitive health data for targeted advertising purposes. As part of the process to sign up for the respondent’s counseling services, consumers are required to provide sensitive mental health information, as well as other personal information. Consumers are promised that their personal health data will not be used or disclosed except for limited purposes, such as for counseling services. However, the FTC claimed the respondent used and revealed consumers’ sensitive health data to third parties for advertising purposes. According to the FTC, the respondent failed to maintain sufficient policies or procedures to protect the sensitive information and did not obtain consumers’ affirmative express consent before disclosing the health data. The respondent also allegedly failed to limit how third parties could use the health data and denied reports that it revealed consumers’ sensitive information.
Under the terms of the proposed consent order, the respondent will be required to pay $7.8 million in partial refunds to affected users and will be banned from disclosing health information to certain third parties for re-targeting advertising purposes. This will be the first FTC action returning funds to consumers whose health data was compromised. The respondent will also be prohibited from misrepresenting its sharing practices and must also (i) obtain users’ affirmative express consent before disclosing personal information to certain third parties for any purpose; (ii) implement a comprehensive privacy program with strong safeguards to protect users’ data; (iii) instruct third parties to delete shared personal data; and (iv) implement a data retention schedule imposing limits on how long personal data can be retained.
Treasury seeks to advance CBDCs
On March 1, Treasury Undersecretary for Domestic Finance Nellie Liang announced that the Treasury Department will lead a new senior-level working group to advance work on a U.S. central bank digital currency (CBDC). As previously discussed in a Treasury report released last September on the future of money and payments (covered by InfoBytes here), Treasury was called to lead an interagency working group to complement work undertaken by the Federal Reserve Board to consider the implications of a U.S. CBDC. The working group will consist of leaders from Treasury, the Fed, and White House offices, including the Council of Economic Advisors, National Economic Council, National Security Council, and Office of Science and Technology Policy. In the coming months the working group “will begin to meet regularly to discuss a possible CBDC and other payments innovations,” Liang said during a workshop titled “Next Steps to the Future of Money and Payments.” The working group will focus on three main policy objectives: (i) how a U.S. CBDC would affect U.S. global financial leadership; (ii) potential national security risks posed by a CBDC; and (iii) the implications for privacy, illicit finance, and financial inclusion if a CBDC is created.
To support discussions on a possible CBDC and other payment innovations, Liang said the working group will develop an initial set of findings and recommendations. Those findings and recommendations may relate to whether a U.S. CBDC would help advance certain policy objectives, what features would be required for a U.S. CBDC to advance these objectives, choices for resolving CBDC design trade-offs, and areas where additional technological research and development might be useful.
Liang commented that the working group will also “engage with allies and partners to promote shared learning and responsible development of CBDCs.” She pointed out that CBDC efforts are already underway in jurisdictions around the world, with 11 countries already having fully launched CBDCs, “while central banks in other major jurisdictions are researching and experimenting with CBDCs, with some at a fairly advanced stage.” Liang stressed that regardless of whether a CBDC is adopted in the U.S., the country “has an interest in ensuring that CBDCs interact safely and efficiently with the existing financial infrastructure; that they support financial stability and the integrity of the international financial system; that global payment systems are efficient, innovative, competitive, secure, and resilient; and that global payments systems continue to reflect broader shared democratic values, like openness, privacy, accessibility, and accountability to the communities that rely upon them.”
CFPB publishes BNPL borrower profiles
On March 2, the CFPB released a report examining the financial profiles of Buy Now, Pay Later (BNPL) borrowers using data pulled from the agency’s Making Ends Meet survey and its access to credit bureau data. The report follows previous Bureau research conducted on the BNPL market (covered by InfoBytes here). The Bureau observed that, while many BNPL borrowers used the product without any noticeable markers of financial stress, these borrowers (as compared to non-BNPL borrowers) were, on average, more likely to have higher credit card debt and utilization rates and were more likely to have revolving balances on their credit cards. BNPL borrowers also had lower credit scores and higher utilization rates of alternative financial services such as payday loans and pawn loans that charge high interest rates and were more likely to incur bank account overdrafts. The report noted, however, that while BNPL borrowers generally have access to traditional credit products, they are more likely to borrow using retail accounts, personal loans, student loans, and auto loans compared to non-BNPL borrowers (BNPL borrowers were more than twice as likely to be delinquent on at least one of those products by 30 days or longer). The Bureau commented though “that many of these differences pre-date [BNPL] use and [the report] highlights the need for further research into whether the products have any causal impact on consumer indebtedness.” Black, Hispanic, and female consumers are also more likely than average to use BNPL products, the report found, along with consumers with income between $20,001-$50,000.
FHA codifies SOFR for LIBOR-based ARMs
On March 1, FHA published a final rule in the Federal Register removing LIBOR as an approved index for adjustable-rate mortgages (ARMs) and replacing it with the Secured Overnight Financing Rate (SOFR) as the approved index for newly-originated forward ARMs. The final rule also codifies HUD’s removal of LIBOR and approval of SOFR as an index for newly-originated home equity conversion mortgages (HECM) ARMs, and establishes “a spread-adjusted SOFR index as the Secretary-approved replacement index to transition existing forward and HECM ARMs off LIBOR.” Additionally, the final rule makes several clarifying changes and establishes a 10 percentage points maximum lifetime adjustment cap for monthly adjustable rate HECMs. The agency considered comments received to its proposed rule published last October (covered by InfoBytes here), and said the updated policy will now “generally align with Fannie Mae, Freddie Mac, and Ginnie Mae's policies replacing LIBOR with the SOFR index.” The final rule is effective March 31.
Biden administration releases National Cybersecurity Strategy
On March 2, the Biden administration announced the release of its National Cybersecurity Strategy (Strategy) in a continued effort to provide a safe and secure digital ecosystem for Americans. The Strategy, which expands on other steps taken by the administration in this space (covered by InfoBytes here), focuses on several key pillars for building and enhancing collaboration, including:
- Defending critical infrastructure. The Strategy will expand the use of minimum cybersecurity requirements in critical sectors, harmonize regulations to reduce compliance burdens, ensure public-private collaboration is able to defend critical infrastructure and essential services, and defend and modernize federal networks and incident response policies.
- Disrupting and dismantling threat actors. Under the Strategy, tools will be strategically employed to disrupt adversaries, and the private sector will be used to disrupt activities. Ransomware threats will also be addressed through a comprehensive federal approach “in lockstep” with international partners.
- Shaping market forces to drive security and resilience. In an effort “to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable,” the Strategy proposes to (i) promote privacy and security of personal data; (ii) “[shift] liability for software products and services to promote secure development practices”; and (iii) ensure investments in new infrastructure are supported by federal grant programs.
- Investing in a resilient future. The Strategy promotes coordinated, collaborative actions for reducing systemic technical vulnerabilities across the digital ecosystem and improving resiliency against transnational digital repression. The Strategy also prioritizes cybersecurity research and development for emerging technologies, including postquantum encryption, digital identity solutions, and clean energy infrastructure, and stresses the importance of developing a diverse, robust national cyber workforce.
- Forging international partnerships to pursue shared goals. The Strategy intends to leverage international coalitions and partnerships to counter threats to the digital ecosystem through the use of joint preparedness, response, and cost imposition, which will enable partners to better defend themselves against cyber threats. The U.S. will also work with international partners to create secure, reliable global information and communications technology supply chains and operational technology products and services.
While “next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies,” the announcement warned that state and non-state actors are developing and executing campaigns that threaten the digital ecosystem. The Biden administration’s Strategy aims to address those threats.
CFPB highlights problems with cash-benefit programs
On March 1, the CFPB released an Issue Spotlight exploring the challenges that recipients of public benefits programs offering cash assistance face when accessing funds through financial products or services. According to the report, financial products used to deliver public benefits, such as Social Security and unemployment compensation, are delivered through various methods—particularly prepaid cards—that may subject consumers to high fees and reduce the amount of funds the individual is able to receive.
The Bureau noted that some prepaid cards charge numerous fees that cut away at a consumer’s available funds. According to the Federal Reserve, $1.3 billion in transaction fees (including maintenance, balance inquiry, customer service, or ATM fees) were collected by prepaid card administrators in 2020. The report also found that due to significant variations in program structure and delivery at the state and county level, the amount and types of fees charged to access cash assistance vary. Additionally, inadequate and untimely customer service often prevents consumers from being able to correct problems with their accounts or access funds, the report said. Consumers highlighted concerns such as having inadequate protections against unauthorized transfers, paying high costs to replace a card, and experiencing insufficient or hypersensitive fraud filters that cause delays and account freezing. The report also flagged concerns about consumers being told to use a prepaid card issued by a particular financial institution, rather than being allowed to deposit funds into an account at an institution of their choice, thereby limiting competition.
The Bureau said it will continue to monitor and take action against entities who violate federal consumer financial protection laws and will share the report’s findings with federal and state agencies that administer public benefits programs.
DOJ announces $9 million redlining settlement with Ohio bank
On February 28, the DOJ announced a settlement with an Ohio-based bank to resolve allegations that the bank engaged in a pattern or practice of lending discrimination by engaging in “redlining” in the Columbus metropolitan area. The DOJ’s complaint claimed that from at least 2015 to 2021, the bank failed to provide mortgage lending services to Black and Hispanic neighborhoods in the Columbus area. The DOJ also alleged that all of the bank’s branches were concentrated in majority-white neighborhoods, and that the bank did not take meaningful measures to compensate for not having a physical presence in majority-Black and Hispanic communities.
Under the proposed consent order, the bank will, among other things, (i) invest a minimum of $7.75 million in a loan subsidy fund for majority-Black and Hispanic neighborhoods in the Columbus area to increase access to credit for home mortgage, improvement, and refinance loans, and home equity loans and lines of credit; (ii) invest $750,000 to go towards outreach, advertising, consumer financial education, and credit counseling initiatives; (iii) invest $500,000 to be spent in developing community partnerships to expand access to residential mortgage credit for Black and Hispanic consumers; (iv) establish one new branch and one new mortgage loan production office in majority-Black and Hispanic neighborhoods in the Columbus area (the bank must “ensure that a minimum of four mortgage lenders, at least one of whom is Spanish-speaking, are assigned to serve these neighborhoods” and employ a full-time community development officer to oversee lending in these neighborhoods); and (v) conduct a community credit needs assessment to identify financial services needs in majority-Black and Hispanic census tracts in the Columbus area. The announcement cited the bank’s cooperation with the DOJ to remedy the identified redlining concerns.