New York Attorney General reaches largest ever COPPA settlement to resolve violations of children’s privacy
On December 4, the New York Attorney General announced the largest Children’s Online Privacy Protection Act (COPPA) settlement in U.S. history—totaling approximately $6 million—to resolve allegations with a subsidiary of a telecommunications company that allegedly conducted billions of auctions for ad space on hundreds of websites it knew were directed to children under the age of 13. According to the Attorney General’s office, the subsidiary collected and disclosed personal data on children through auctions for ad space, allowing advertisers to track and serve targeted ads to children without parental consent. Under COPPA, operators of websites and other online services are prohibited from collecting or sharing the information of children under the age of 13 unless they give notice and have express parental consent. Among other things, the subsidiary also allegedly placed ads on other exchanges that possessed the capability to auction ad space on child-directed websites, but when it won ad space on COPPA-covered websites, the subsidiary treated the space as it would any other and collected user information to serve targeted ads.
Under the terms of the settlement, the subsidiary must (i) create a comprehensive COPPA compliance program, which requires annual COPPA training for staff, regular compliance monitoring, and the retention of service providers that can comply with COPPA, as well as a third party who will assess the privacy controls; (ii) enable website operators that sell ad inventory to indicate what portion of a website is subject to COPPA; and (iii) destroy the personal data it collected on children.
On December 3, the OCC released its Semiannual Risk Perspective for Fall 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. The report focuses on risks to the federal banking system based on five areas: the operating environment, bank performance, special topics in emerging risk, trends in key risks, and supervisory actions. Overall, loans and bank profitability grew in 2018 as the U.S. economy continued to grow. Moreover, recent examination findings indicate incremental improvements in banks’ general risk management practices. Specific risk areas of concern noted by the OCC include: (i) the origination quality of new loans and potential embedded risks from previously successive years of relaxed underwriting standards; (ii) an increasingly complex operating environment, including the continually evolving threat to cybersecurity; (iii) elevated money-laundering risks; and (iv) rising market interest rates, including certain risks associated with heightened competition for deposits.
The report also notes that outstanding enforcement actions continue to decline since peaking in 2010, which, according to the OCC, reflects an overall improvement in, among other things, banks’ risk management practices. The leading cause of current enforcement actions continues to be compliance or operational failures.
On November 30, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in October. Included among the actions is an order to pay a civil money penalty of $9,600 issued against a Louisiana-based bank for alleged violations of the Flood Disaster Protection Act in connection with alleged failures to obtain flood insurance coverage on loans at or before origination or renewal.
Consent orders were also issued against three separate banks related to alleged weaknesses in their Bank Secrecy Act (BSA) and/or BSA/anti-money laundering (BSA/AML) compliance programs. (See orders here, here, and here.) Among other things, the banks are ordered to: (i) implement comprehensive written BSA/AML compliance programs, which include revising BSA risk assessment policies, developing a system of BSA internal controls, and enhancing suspicious activity monitoring and reporting and customer due diligence procedures; (ii) conduct independent testing; and (iii) implement effective BSA training programs. The FDIC further requires the Florida and New Jersey-based banks to conduct suspicious activity reporting look-back reviews.
In addition, a Kentucky-based bank was ordered to pay a civil money penalty of $300,000 for allegedly violating TILA by “failing to clearly and conspicuously disclose required information related to the [b]ank’s Elastic line of credit product” and Section 5 of the FTC Act by “using a processing order for certain deposit account transactions contrary to the processing orders disclosed in the [b]ank’s deposit account disclosures.”
There are no administrative hearings scheduled for December 2018. The FDIC database containing all 17 enforcement decisions and orders may be accessed here.
On November 27, the Senate Committee on Commerce, Science and Transportation’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security conducted a hearing to discuss, among other topics, whether the FTC should be granted expanded authority over consumer data privacy and security. At the hearing, entitled “Oversight of the Federal Trade Commission,” the subcommittee heard from the Chairman of the FTC as well as the agency’s four commissioners. Ranking Member Senator Bill Nelson’s opening statement discussed the need for providing additional resources to the FTC in order to ensure the agency is able to perform its mandated duties and effectively protect U.S. consumers from unfair or deceptive acts or practices. The five witnesses agreed that enforcement remains a priority for the FTC and called for comprehensive consumer privacy legislation that would clarify the agency’s authority and the rules relating to data security and breach notification, while fostering competition and innovation to the benefit of consumers. Specifically, FTC Chairman Joseph Simons stated he would support federal data security legislation if it provided the following three items: (i) the ability to seek civil money penalties to effectively deter unlawful conduct; (ii) jurisdiction over nonprofits and common carriers; and (iii) broad rulemaking authority to issue implementing rules under the Administrative Procedure Act for consumer protection issues such as privacy and data security. Commissioner Rohit Chopra also emphasized the need for Congress to support the FTC’s authority under Section 13B of the FTC Act, which authorizes the FTC to seek preliminary and permanent injunctions against companies and individuals.
However, Senator Blumenthal argued that too often the FTC has “fallen short” on protecting consumer privacy, particularly in terms of enforcement and pressing challenges. According to Senator Blumenthal, big tech companies misuse their power and consent orders are not “vigorously and adequately enforced.” He argued that the FTC must have the tools and resources to establish meaningful penalties for first offenses that pose a credible deterrent and recognize state attorneys general to ensure violations are investigated and punished.
Among other things, the hearing also discussed topics addressing: (i) the FTC’s ongoing series of public hearings reexamining the agency’s approach to consumer privacy in light of changing technologies (see previous InfoBytes coverage here); (ii) federal preemption versus state-by-state laws and the risk of inconsistencies and compliance challenges; (iii) the potential use of the FTC’s Section 6B authority, which would allow requests to be sent to the tech industry to understand what data is collected from consumers and how that information is used, shared, and sold; (iv) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; (v) data minimization controls; and (vi) notice and comment rulemaking authority.
On November 20, the Colorado Department of Regulatory Agencies Division of Securities (Division) released a statement announcing four new cease-and-desist orders taken against companies for allegedly selling unregistered securities through initial coin offerings (ICOs) to Colorado consumers. The orders come as a result of investigations conducted by the Division’s ICO Task Force, which was created to investigate potentially fraudulent activity. According to the announcement, the Colorado Securities Commissioner has now signed orders for 18 cases against ICOs, and currently has at least two additional pending orders.
On November 15, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include cease and desist orders, civil money penalty orders, formal agreements, prompt corrective action directives, removal/prohibition orders, and terminations of existing enforcement actions. Two notable enforcement actions are discussed below.
On October 25, the OCC issued a consent order against a Louisiana-based bank related to examination findings from 2018 wherein the bank failed to adopt and implement an adequate Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program. Among other conditions, the consent order requires the bank to (i) develop and implement an ongoing BSA/AML risk assessment program; (ii) adopt an independent audit program to conduct a review of the bank’s BSA/AML compliance program; and (iii) submit a written progress report within 30 days after the end of each calendar quarter that details actions undertaken to ensure compliance with the consent order’s provisions. The bank neither admitted nor denied the OCC’s findings and is not required to pay a civil money penalty.
On October 23, the OCC assessed a $100 million civil money penalty against a national bank for alleged deficiencies in the bank’s BSA/AML compliance programs. Specifically, the alleged deficiencies include the failure to comply with a 2015 consent order in a timely manner, which required the bank to, among other things, adopt and implement an adequate BSA/AML compliance program and file timely Suspicious Activity Reports. The consent order acknowledges that the bank has undertaken corrective action to remedy the deficiencies noted by the OCC.
On November 13, the Federal Reserve Board announced an enforcement action against an Illinois state bank for allegedly violating the National Flood Insurance Act (NFIA) and Regulation H, which implements the NFIA. The consent order assesses a $15,000 penalty against the bank, but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty for a pattern or practice of violations under the NFIA is $2,000 per violation.
On November 9, the CFPB issued its semi-annual report to Congress, covering the Bureau’s work from October 1, 2017 to March 30, 2018. The report, which is required by the Dodd-Frank Act, addresses, among other things, problems faced by consumers with regard to consumer financial products or services; significant rules and orders adopted by the Bureau; and various supervisory and enforcement actions taken during the majority of acting Director Mick Mulvaney’s tenure. Specifically, the report includes (i) a summary of five “significant” state Attorney General actions pursuant to Section 1042 of the Dodd-Frank Act, which allows states to enforce the federal law; (ii) a review of the Bureau’s fair lending efforts, noting that it “conducted fewer fair lending supervisory events. . .than in the prior period,” but “cleared a substantially higher number of MRAs or MOU items from past supervisory events than in the prior period”; (iii) a discussion of non-prime and secured credit cards marketed to consumers; and (iv) a list of upcoming initiatives, which includes requests for information regarding, among other things, the Bureau’s consumer complaint and consumer inquiry handling processes, the Bureau’s inherited regulations and inherited rulemaking authorities, the Bureau’s adopted regulations and new rulemaking authorities, Bureau rulemaking processes, Bureau public reporting practices of consumer complaint information, Bureau external engagements, the Bureau’s supervision program, and the Bureau’s enforcement processes.
Notably, the report also discusses the budget for FY 2018, acknowledging the unusual January 2018 request for zero dollars in funding for the Bureau’s quarterly operations (previously covered by InfoBytes here). As for FY 2019, Mulvaney most recently requested nearly $173 million for Q1, which is still significantly below former Bureau Director Richard Cordray’s FY 2017 Q1 request of $217 million.
On November 13, the OCC issued OCC Bulletin 2018-41, announcing the release of Policies and Procedures Manual 5310-13 (PPM 5310-13), which outlines the OCC’s policy and framework for taking enforcement actions against institution-affiliated parties (IAP) of national banks, federal savings associations, and foreign banks’ federal branches and agencies. Among other things, PPM 5310-13 explains the definition of an individual who qualifies as an IAP and describes common enforcement actions taken against current or former IAPs, which include “violations of law, regulation, final agency orders, conditions imposed in writing, or written agreements; unsafe or unsound practices; or breaches of fiduciary duty.” PPM 5310-13 also outlines procedures and processes related to most informal and formal IAP enforcement actions.
Additionally, the OCC issued updated policies and procedures (see PPMs 5310-3 and 5000-7) concerning bank enforcement actions and related matters, as well as civil money penalties, to ensure consistency with PPM 5310-13. All three PPMs are effective immediately.
On November 6, the FCC announced that it sent letters to voice providers urging them to participate in “traceback” efforts to help the FCC identify the source of illegal spoofed robocalls. The FCC released copies of the letters that it sent to eight voice providers that are not currently assisting with the USTelecom Industry Traceback Group’s program, which seeks to trace the robocalls that pass through the voice providers’ networks to the originating provider.
In the announcement, the FCC notes that: (i) traceback efforts assist the FCC in identifying the source of illegal calls; and (ii) the FCC receives more complaints from consumers regarding unwanted calls—including scam calls that use spoofing to trick consumers—than any other subject. The FCC emphasizes that “consistent participation of all network operators is critical for helping consumers and enforcing the law.”