InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC announces Missouri disaster relief
On August 12, the FDIC issued FIL-39-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Missouri affected by severe storms and flooding from July 25-28. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.
District Court awards injunctive relief to FTC in deceptive advertising case
On August 9, the U.S. District Court for the Northern District of Georgia ruled that the FTC provided “broad and detailed” evidence of alleged deceptive advertising and unfair fee practices in its $550 million case against a technology company and its CEO (collectively, “defendants”). As previously covered by InfoBytes, the FTC filed a suit in 2019, alleging the defendants made deceptive representations to customers and charged hidden, unauthorized fees in connection with the company’s “fuel card” products in violation of Section 5 of the FTC Act. In 2019, when the agency filed its lawsuit, legal precedent held that the FTC could obtain restitution for consumers directly through such civil proceedings in federal court. However, in April of 2021, the Supreme Court held in AMG Capital Management, LLC v. FTC that the FTC does not have statutory authority to obtain equitable monetary relief under Section 13(b) of the FTC Act. (Covered by InfoBytes here.) Following that decision, the FTC filed a motion to stay or voluntarily dismiss in an attempt to preserve the possibility of obtaining monetary relief for injured consumers in federal court while pursuing claims against the defendants through the agency’s administrative process, but the district court denied the motion, concluding that the “balance of equities does not weigh in favor of a stay or dismissal without prejudice.”
In its most recent order, the district court ruled that the FTC provided compelling and overwhelming evidence, including advertisements, internal marketing studies, and a “plethora of customer complaints” that showed the defendants are liable for multiple violations of the FTC Act. Among other things, the court noted that the evidence showed that the defendants knew that many customers were unaware of certain fees when they signed up for the fuel cards and that the defendants’ terms and conditions governing the fees were “inscrutable” and confusing. However, the district court partially granted defendants’ request for summary judgment on monetary relief, ruling that in light of the Supreme Court’s decision in AMG Capital Management, the FTC cannot obtain a monetary award for the violations until the agency exhausts its administrative litigation process. A hearing will be held to determine the nature of the required injunctive relief.
CFTC updates its interest rate swap clearing requirements as LIBOR ends
On August 12, the CFTC issued a final rule updating its interest rate swap clearing requirement under part 50 of the CFTC’s regulations. Among other things, the final rule eliminates the requirement to clear interest rate swaps referencing LIBOR and other interbank offered rates and replaces them with requirements to clear interest rate swaps referencing overnight, nearly risk-free reference rates. The final rule also “updates the swaps required to be submitted for clearing to a derivatives clearing organization (DCO) or an exempt DCO and the compliance dates for such swaps.” According to CFTC Chairman Rostin Behnam, the final rule “promotes financial stability and mitigates systemic risk,” and “is essential to ensure cross border harmonization in the interest rate swaps market.” The final rule is effective 30 days after publication in the Federal Register.
FHA issues RFI on Title I Manufactured Housing Programs
On August 11, FHA and Ginnie Mae issued FHA INFO 2022-76, which seeks public feedback on their Title I Manufactured Housing Programs. According to the request for input, FHA and Ginnie Mae are seeking input on, among other things: (i) opportunities to improve the use and effectiveness of the Title I manufactured housing program; (ii) Title I lender eligibility requirements; and (iii) how to make the programs more competitive in the primary and secondary markets. Responses are due by September 26.
Democrats ask OCC to rescind crypto guidance
On August 10, four U.S. Democratic Senators sent a letter to acting Comptroller of the Currency Michael Hsu urging the OCC to rescind November 2021 guidance permitting national banks to engage in certain cryptocurrency activities. According to the letter, the Senators “are concerned that the OCC’s actions on crypto may have exposed the banking system to unnecessary risk, and ask that [Hsu] withdraw existing interpretive letters that have permitted banks to engage in certain crypto-related activities.” The letter noted that the OCC unilaterally released interpretive letters related to cryptocurrencies in July 2020 (Interpretive Letter 1170), October 2020 (Interpretive Letter 1172), and January 2021 (Interpretive Letter 1174). In the letters, the Senators noted, the OCC determined that banks were permitted to engage in certain crypto-related activities, which include, among other things: (i) “providing cryptocurrency custody service for customers”; (ii) “holding deposits that serve as reserves for certain stablecoins”; and (iii) “operating independent node verification networks [] and stablecoins for payment activities.” The Senators argued that the letters “granted banks unfettered opportunity to engage in certain crypto activities and remain problematic” after the OCC issued another interpretive letter (Interpretive Letter 1179) under Hsu attempting to limit the risks posed by the policies set forth in the earlier letters. The Senators asked Hsu to provide information so that they can “better understand banks’ exposure to the crypto market” by August 24. The Senators also urged Hsu to work with the Fed and FDIC on replacing his agency’s existing crypto guidance with a more “comprehensive approach.”
Chopra considers banking to be “under threat”
On August 10, CFPB Director Rohit Chopra discussed the digital market before the 2022 National Association of Attorneys General Presidential Summit. In his remarks, Chopra first discussed the evolution of advertising models over time, describing how the persuasion of advertising continues to be used to target an individual based on “voluminous amounts of personal data.” Chopra also discussed HUD’s 2019 complaint against a social media platform, stating that it “illustrates the stark differences between traditional advertising and today’s digital marketing.” According to Chopra, the social media platform “helped advertisers limit the audience for ads and enabled advertisers to target specific groups of people to the exclusion of protected classes.” Chopra further noted that “state attorneys general have already begun to recognize that these platforms are not passive advertisers.” Chopra also noted that the CFPB recently issued an interpretive rule explaining that the service provider exemption for “time or space” will typically not apply to the digital marketing services offered by major platforms (covered by InfoBytes here). Chopra described that though “they may be providing space for ads, these firms are commingling many other features that go well beyond the exemption.” To conclude, Chopra expressed that “banking is under threat.” He described that “sensitive data is viewed as more valuable to firms than our actual selves,” and that “advances in technology should help our economy and society advance, rather than incentivizing a rush to seize our sensitive financial data and to allow tech giants to evade existing laws that other firms must comply with.”
CFPB: Digital marketing providers/big tech liable for UDAAP violations
On August 10, the CFPB issued an interpretive rule addressing when the CFPA’s UDAAP provisions cover digital marketing providers that commingle the targeting and delivery of advertisements to consumers with the provision of advertising “time or space.” Currently, traditional marketing firms are exempt from the CFPA provided they allow banks and other financial institutions “time and space” in traditional media outlets such as television and newspapers to advertise products. The Bureau stated, however, that digital marketers go beyond this approach when they harvest large amounts of information about consumers and use this data to shape their marketing content strategy.
Under the interpretive rule, this exception does not apply to firms that are materially involved in the development of content strategy. Due to the different nature of the services provided, behavioral marketing and advertising for financial institutions could subject marketers to legal liability depending on how those practices are designed and implemented, the Bureau said. Because “[d]igital marketing providers are typically materially involved in the development of content strategy when they identify or select prospective customers or select or place content in order to encourage consumer engagement with advertising,” the Bureau explained that digital marketers “engaged in this type of ad targeting and delivery are not merely providing ad space and time,” and therefore do not qualify under the “time or space” exception. The interpretive rule noted, among other things, that while a covered person may specify certain parameters of the intended audience for a financial product, the digital marketers’ ads and delivery algorithms “identify the audience with the desired characteristics and determine whether and/or when specific consumers see an advertisement.”
“When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws,” CFPB Director Rohit Chopra said in the announcement. “The CFPB, states, and other consumer protection enforcers can sue digital marketers to stop violations of consumer financial protection law: Service providers are liable for unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. When digital marketers act as service providers, they are liable for consumer protection law violations,” the Bureau added.
FHFA to require servicers to maintain fair lending data
On August 10, the FHFA announced that Fannie Mae and Freddie Mac will start requiring servicers to obtain and maintain borrowers’ fair lending data on their loans. Data must transfer with servicing throughout the mortgage term, the announcement states, adding that beginning March 1, 2023, servicers will be required to collect borrower data including age, race, ethnicity, gender, and preferred language. The update follows an announcement issued in May (covered by InfoBytes here), which requires lenders to collect information on the borrower’s language preference, and on any homebuyer education or housing counseling that the borrower received, so that lenders can increase their understanding of borrowers’ needs throughout the home buying process. To facilitate the upcoming changes, Freddie Mac issued servicing Bulletin 2022-17, which outlines servicing requirements and notes that data elements must be stored in a format that can be searched, queried, and transferred. Simultaneously, Fannie Mae issued SVC-2022-06 to incorporate the new fair lending data requirements into its Servicing Guide. “Having fair lending data travel with servicing will help servicers do the important work of providing assistance to borrowers in need, helping to further a sustainable and equitable housing finance system,” FHFA Director Sandra Thompson said, adding that this need arose from the foreclosure crisis and Covid-19 response.
CFPB: Financial services companies must safeguard consumer data
On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”
While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
FTC probes cryptocurrency exchange operators
On August 9, the FTC issued an order denying a petition to quash a civil investigative demand (CID) against the operators of a cryptocurrency exchange regarding allegations of a December 2021 data breach. According to the order, the FTC “is investigating potential law violations arising out of [the company’s] operation and marketing of [the company], and whether Commission action to obtain monetary relief would be in the public interest.” The agency issued a virtually identical CID to the company on May 11 seeking details on what the company disclosed to consumers regarding the security of their crypto assets and how they have handled customer complaints. The FTC noted that investigation includes inquiries regarding the company’s “representations concerning its advertised exchange services; allegations that consumers have been denied access to their accounts; and concerns about the security of customer accounts especially in light of a publicly reported 2021 security breach that resulted in consumer loss of more than $200 million in cryptocurrency.” Among other things, the FTC is seeking to determine if the business practices of the operation in marketing and operating the company “constituted ‘unfair [or] deceptive . . . acts or practices . . . relating to the marketing of goods and services,’ or ‘[m]anipulative [c]onduct,’ ‘on the Internet’ (Resolution No. 2123125); constituted “deceptive or unfair acts or practices related to consumer privacy and/or data security’ in violation of Section 5 of the FTC Act (Resolution No. 1823036); or violated the GLB Act, its implementing rules, or Section 5 regarding ‘the privacy or security of consumer [financial] information.”