Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • 11th Circuit: Increased risk of identity theft is sufficient to bring FACTA claims

    Courts

    On April 22, the U.S. Court of Appeals for the 11th Circuit affirmed a district court’s ruling that including too many digits of a consumer’s credit card account number on a receipt was sufficient to constitute a concrete injury even if the consumer’s identity was not stolen. Under the Fair and Accurate Credit Transactions Act (FACTA), merchants are prohibited from including more than the final five digits of a consumer’s credit card number on a receipt. According to the opinion, the consumer filed a class action suit against a chocolate company, alleging that one of its stores printed the first six and last four digits of his account number on a receipt, which exposed the class members “to an elevated risk of identity theft.” When the parties sought approval of a proposed settlement, two unnamed class members contested the settlement on the grounds that, among other things, the consumer/class representative lacked standing to sue because he had not suffered a concrete injury as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. The district court, however, approved the settlement.

    On appeal, the 11th Circuit held that an increased risk of identity theft is sufficient to bring claims under FACTA, and that the class representative’s “alleged injury is ‘particularized’ because the heightened risk of identity theft affected him ‘in a personal and individual way’—it was his credit card number that appeared on the receipt.” Moreover, the appellate court noted, “In our view, if Congress adopts procedures designed to minimize the risk of harm to a concrete interest, then a violation of that procedure that causes even a marginal increase in the risk of harm to the interest is sufficient to constitute a concrete injury.”

    Courts Appellate FACTA Privacy/Cyber Risk & Data Security Eleventh Circuit Class Action Settlement Spokeo

  • SEC reminds registrants of privacy notices and safeguard policies

    Securities

    On April 16, the SEC’s Office of Compliance Inspections and Examinations issued a Risk Alert to discuss compliance issues related to Regulation S-P—the SEC’s primary rule regarding privacy notices and safeguard policies—and to provide assistance to registered investment advisors and broker-dealers (registrants) when issuing compliant privacy and opt-out notices. Regulation S-P requires registrants to provide customers with a clear and conspicuous notice accurately reflecting its privacy policies and practices, plus any options to opt out of sharing certain non-public personal information with nonaffiliated third parties. The notice must be sent annually throughout the duration of the customer relationship. Regulation S-P also requires registrants to implement written policies and practices reasonably designed to ensure that customer records and information are secure and protected against unauthorized access. The Risk Alert provides examples of common Regulation S-P compliance deficiencies and weaknesses, and advises registrants to “review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are compliant with Regulation S-P.”

    Securities SEC Privacy/Cyber Risk & Data Security Compliance Consumer Protection

  • Arkansas law stiffens criminal penalties for spoofing, robocalls

    State Issues

    On April 4, the Arkansas governor signed SB 514, which establishes a process for state regulation of telecommunications service providers and third-party spoofing providers, and stiffens criminal penalties for persons who engage in illegal robocalling and spoofing practices. The act reclassifies “spoofing”—defined in the act as “displaying fictitious or misleading names or telephone numbers—and illegal robocalls as Class D felonies. Arkansas law previously classified these actions as misdemeanors. The act requires telecommunications providers to report, on an annual basis, to the Arkansas Public Service Commission, implemented measures for identifying and combating the illegal calls.

    The Arkansas Attorney General issued a press release in which she noted that the legislation “reinforces how determined Arkansans are to stop these illegal calls and creates a path for enforcement to hold the bad actors accountable.” The act takes effect 90 days after adjournment of the legislature.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Robocalls State Attorney General

  • FDIC issues guidance on gaps in technology service provider contracts

    Federal Issues

    On April 2, the FDIC issued Financial Institution Letter FIL-19-2019 (Technology Service Provider Contracts), which describes examiner observations about gaps in financial institutions’ contracts with technology service providers (TSPs) that may require financial institutions to take additional steps to manage business continuity and incident response. Although not specifically referenced in FIL-19-2019, this latest FDIC guidance echoes themes set forth in the FDIC’s Office of Inspector General (OIG) Audit Report released in 2017 (covered in Infobytes here). Specifically, examiners noted contractual deficiencies in recent reports of examination, including failing to: (i) adequately define rights and responsibilities regarding business continuity and incident response, or provide sufficient detail to allow financial institutions to manage those processes and risks; (ii) consistently require TSPs to maintain a business continuity plan, establish data recovery standards, and commit to contractual remedies if the TSP missed a data recovery standard; (iii) sufficiently detail the TSP’s security incident responsibilities such as notifying the financial institution, regulators, or law enforcement; and (iv) clearly define key terms used in contractual provisions relating to business continuity and incident response.

    FIL-19-2019 further stresses that supervised institutions are required to comply with the Interagency Guidelines Establishing Information Security Standards promulgated pursuant to the GLBA, which among other things sets forth expectations for managing TSP relationships through contractual terms and ongoing monitoring. The FDIC references prior guidance establishing regulatory expectations, including: (i) Guidance for Managing Third-Party Risk (FIL-44-2008, issued June 6, 2008); and (ii) the Business Continuity Booklet set forth in the FFIEC IT Examination Handbook, which was updated in February 2015 to include a new appendix specific to managing service provider risks (Appendix J: Strengthening the Resilience of Outsourced Technology Services). FIL-19-2019 also contains a reminder to depository institutions that the Bank Service Company Act requires depository institutions to provide written notice to their respective federal banking agency of contracts or relationships with TSPs that provide certain services, including check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services.

    Federal Issues FDIC Examination Vendor Management Privacy/Cyber Risk & Data Security

  • North Dakota expands personal identifying information law

    State Issues

    On March 20, the North Dakota governor signed SB 2262, which, among other things, amends the state’s law covering the unauthorized use of personal identifying information (PII). Specifically, the bill expands the definition of PII to include, (i) an individual’s payment card information; (ii) an individual’s biometric data; and (iii) any other information that can be used to access a person's financial records. Under the bill, an individual is guilty of an offense if the individual “obtains or attempts to obtain, transfers, records, or uses or attempts to use” any PII of another individual, living or deceased, to obtain anything of value without consent of the other individual. The bill is effective August 1.

    State Issues State Legislation Privacy/Cyber Risk & Data Security

  • Virginia requires breach of personal information notification

    State Issues

    On March 18, the Virginia governor signed HB 2396, which amends the Code of Virginia and requires an individual or entity owning or licensing computerized data that includes personal information to disclose all data breaches without “unreasonable delay” to the Virginia Attorney General and any affected Commonwealth residents. Under HB 2396, “personal information” is defined as “the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted.” The list of data elements was amended to add passport numbers and military identification numbers to the previous list, which included social security numbers, driver’s license numbers, and financial account numbers or credit/debit card numbers combined with codes or passwords that would grant access to a consumer’s financial account. The amendment is effective July 1.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Data Breach State Attorney General

  • FTC report highlights 2018 privacy and data security work

    Privacy, Cyber Risk & Data Security

    On March 15, the FTC released its annual report highlighting the agency’s privacy and data security work in 2018. Among other items, the report highlights consumer-related enforcement activities in 2018, including:

    • an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices (covered by InfoBytes here).
    • a settlement with a global online payments system company to resolve allegations that its payment and social networking service failed to adequately disclose to consumers that transfers to external bank accounts were subject to review and that funds could be frozen or removed based on a review of the underlying transaction (covered by InfoBytes here).
    • a settlement with a Texas-based company over allegations that it violated the FCRA by failing to take reasonable steps to ensure the accuracy of tenant-screening information furnished to landlords and property managers (covered by InfoBytes here).

    The report also highlighted the FTC’s hearings on big data, privacy, and competition conducted through its Hearings on Competition and Consumer Protection in the 21st Century initiative. (Covered by InfoBytes here and here.)

    Privacy/Cyber Risk & Data Security FTC Enforcement Settlement FCRA Consumer Finance

  • CFPB defends MLA and Payday Rule position in Senate hearing

    Federal Issues

    On March 12, Director of the CFPB, Kathy Kraninger, testified at a hearing held by the Senate Banking, Housing, and Urban Affairs Committee on the CFPB’s Semi-Annual Report to Congress. While Kraninger’s opening statement and question responses were similar to her comments made last week during a House Financial Services Committee hearing (detailed coverage here), notable highlights include:

    • Fair Lending. Kraninger did not provide a status update on the Bureau’s pre-rulemaking activities as they relate to whether disparate impact is cognizable under ECOA, but emphasized that the Bureau is committed to the fair lending mission.
    • Data Collection. In response to concerns over the Bureau’s history of expansive data collection, Kraninger noted that data collection is an especially important tool for rulemaking, but stated that going-forward she would ensure the Bureau only collects the information needed to carry out the Bureau’s mission, noting that the less personally identifiable information that is collected, the less that requires protection. She acknowledged the Bureau is reviewing the comments submitted in response to its fall 2018 data governance program report (covered by InfoBytes here) and stated the Bureau remains committed to reviewing the internal processes it has for collecting and using data.
    • Military Lending Act (MLA). Kraninger stated that she disagrees with the Democratic Senator’s broad interpretation of Section 1024(b)(1)(C) of the Dodd-Frank Act allowing for the Bureau to examine for compliance with the MLA because that interpretation would permit the Bureau to examine for anything that is a “risk to consumers,” including things like safety and soundness, which is not currently under the Bureau’s purview. While she acknowledged that the Bureau has the direct authority to enforce the MLA, she repeatedly rejected the notion that this would also give the Bureau the authority to supervise for the MLA, as Dodd-Frank separates the Bureau’s enforcement and supervision powers.
    • Payday Rule. Kraninger repeatedly emphasized that the reconsideration of the underwriting standards in the Payday Rule was to determine if the legal and factual basis used to justify certain practices as unfair and abusive was “robust” enough. She acknowledged that the Bureau will be reviewing all the comments to the proposal and that the evidence used for the original Rule will be part of the record for the reconsideration.
    • GSE Patch. In response to questions regarding the 2021 expiration of the Qualified Mortgage (QM) Rule’s 43 percent debt-to-income ratio exception for mortgages backed by Fannie Mae and Freddie Mac (GSEs), Kraninger acknowledged the “non-QM” market hasn’t materialized over the last few years, as was originally anticipated. However, Kraninger was reluctant to provide any further details, noting that she would not be making any “dramatic changes” to the mortgage market. Additionally, she acknowledged that the GSE patch has the potential to expire at the end of the conservatorship as well.
    • CFPB Structure. Kraninger did not specify whether she believes the Bureau should be led by a board, rather than a single director, or whether the Bureau should be under appropriations. Specifically Kraninger stated that she would “welcome any changes Congress made that would increase the accountability and transparency of the Bureau,” and would “dutifully carry out” legislation that would place the Bureau under appropriations if the President signed it.
    • Student Lending. Kraninger stated that the Bureau intends to re-engage with the Department of Education on a Memorandum of Understanding (MOU) to assist with complaint and information sharing once a new Student Loan Ombudsmen has been hired. The MOUs were previously terminated by the Department in August 2018 (covered by Infobytes here).

    Federal Issues CFPB Senate Banking Committee House Financial Services Committee Fair Lending ECOA Disparate Impact Payday Rule Privacy/Cyber Risk & Data Security GSE Military Lending Act

  • State AGs support bipartisan bill to combat illegal robocalls

    Privacy, Cyber Risk & Data Security

    On March 5, Attorneys General from all 50 states, as well as from the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, sent a letter to the Senate Committee on Commerce, Science, and Transportation supporting a recently introduced bipartisan bill to combat illegal robocalls. Among other things, S. 151, the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), would: (i) grant the FCC three years to take action against robocall violations, instead of the current one-year window; (ii) authorize the agency to issue penalties of up to $10,000 per robocall; and (iii) require service providers to implement the FCC’s new call authentication framework. The AGs state that they “are encouraged that the TRACED Act prioritizes timely, industrywide implementation of call authentication protocols,” and note their support for an interagency working group that the bill would establish consisting of members from the DOJ, FCC, FTC, CFPB, other relevant federal agencies, state AGs, and non-federal stakeholders.

    Privacy/Cyber Risk & Data Security State Attorney General State Issues Consumer Complaints FCC Federal Legislation Robocalls Consumer Protection

  • FTC seeks comments on Safeguards and Privacy rules

    Federal Issues

    On March 5, the FTC released proposed amendments to two rules that protect the privacy and security of customer data held by financial institutions. The agency seeks comments on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires financial institutions to develop, implement, and maintain comprehensive information security programs, whereas the Privacy Rule requires financial institutions to notify customers about information-sharing practices, as well as enable customers to opt out of sharing their information with certain third parties. The FTC’s proposed amendments to the Safeguards Rule would, among other things, add more detailed requirements for financial institutions, including mandatory encryption of customer data and the use of multi-factor authentication to prevent unauthorized access to customer information. The proposed amendments to the Privacy Rule would change the rule to account for statutory changes in the Dodd-Frank Act, which gave the majority of the FTC’s rulemaking authority for the Privacy Rule to the CFPB with the exception of certain motor vehicle dealers. The agency plans to remove examples of financial institutions that do not apply to motor vehicle dealers, as well as clarify when annual customer privacy notices must be provided. In addition, the FTC proposes to expand the definition of “financial institution” in both rules to include “finders,” which include persons or entities that charge a fee to introduce consumers to a lender.

    Federal Issues FTC Consumer Finance Privacy/Cyber Risk & Data Security Gramm-Leach-Bliley Safeguards Rule Privacy Rule Dodd-Frank

Pages

Upcoming Events