InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC proposes changes to Negative Option Rule
On March 23, the FTC announced a notice of proposed rulemaking (NPRM) seeking feedback on proposed amendments to the agency’s Negative Option Rule, which is used to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs. (See also FTC fact sheet here.) Claiming that current laws and regulations do not clearly provide a consistent legal framework for these types of programs, the NPRM, which applies to all subscription features in all media, proposes to add a new “click to cancel” provision that would make it as easy for consumers to cancel their enrollment as it was to sign up. The NPRM would also require sellers to first ask consumers whether they want to hear about new offers or modifications before making a pitch when consumers are trying to cancel their enrollment. If a consumer says “no” a seller must immediately implement the cancellation process. Sellers would also be required to provide consumers who are enrolled in negative option programs with an annual reminder involving anything other than physical goods before they are automatically renewed.
Commissioner Christine Wilson issued a dissenting statement, in which she argued that while the NPRM “may achieve the goal of synthesizing the various requirements in one rule,” it “is not confined to negative option marketing [as it] also covers any misrepresentation made about the underlying good or service sold with a negative option feature.” Wilson commented, “as drafted, the Rule would allow the Commission to obtain civil penalties, or consumer redress under Section 19 of the FTC Act, if a marketer using a negative option feature made misrepresentations regarding product efficacy or any other material fact.”
Colorado finalizes privacy rules
On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by the attorney general’s office. (See redline version of the final rules showing changes made to address concerns raised through public comments here.) As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. In addition to promulgating rules to carry out the requirements of the CPA, the attorney general has authority to issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. Colorado is one of several states that have enacted comprehensive privacy laws that take effect in 2023, joining California, Connecticut, Utah, and Virginia. (Covered by InfoBytes here, here, here, and here.) The final rules will be published in the Colorado Register in March and will go into effect July 1.
CFPB updates card survey to improve comparison shopping
On March 21, the CFPB announced updates to its terms of credit card plans (TCCP) survey. The updates are intended to “create a neutral data source” to help consumers comparison shop for credit cards and “find the best interest rates and products,” the Bureau explained. Previously, credit card data was compiled and made publicly available from the largest 25 issuers, as well as from a sample of at least 125 other issuers (as required by the Fair Credit and Charge Chard Disclosure Act of 1988). The refreshed TCCP survey will now allow issuers to voluntarily submit information about their credit card products to enable smaller credit card issuers to reach comparison shoppers and compete with bigger players. The TCCP survey will also include additional questions about credit card annual percentage rates, and will require issuers to report the minimum and maximum APR offered if it varies by credit score. According to the Bureau, allowing consumers to see the median APR for their credit score range will help them better compare products and estimate the potential cost of borrowing before applying. Additionally, the top 25 credit card issuers will have to provide information on all their credit cards instead of just their most popular products. Other issuers will be permitted to voluntarily submit information on multiple products. Expanded information reporting requirements include providing details on whether a product is a secured card or if it requires a deposit to open an account, as well as information about promotional terms of balance transfers, introductory rates, and cash advances.
HUD restores 2013 discriminatory effects rule
On March 17, HUD announced the submission of a final rule—Reinstatement of HUD’s Discriminatory Effects Standard—which would rescind the agency’s 2020 regulation governing Fair Housing Act (FHA or the Act) disparate impact claims and reinstate the agency’s 2013 discriminatory effects rule. Explaining that “the 2013 rule is more consistent with how the [FHA] has been applied in the courts and in front of the agency for more than 50 years,” HUD emphasized that it also “more effectively implements the Act’s broad remedial purpose of eliminating unnecessary discriminatory practices from the housing market.”
As previously covered by InfoBytes, in 2021, HUD proposed rescinding the 2020 rule, which was intended to align the 2013 rule with the U.S. Supreme Court’s 2015 ruling in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc. The 2020 rule included, among other things, a modification of the three-step burden-shifting framework in its 2013 rule, several new elements that plaintiffs must show to establish that a policy or practice has a “discriminatory effect,” and specific defenses that defendants can assert to refute disparate impact claims. According to HUD’s recent announcement, the modifications contained within the 2020 rule complicated the discriminatory effects framework, created challenges for establishing whether a policy violates the FHA, and made it harder for entities regulated by the Act to assess whether their policies were lawful.
The final rule is effective 30 days after publication in the Federal Register. According to HUD, the 2020 rule never went into effect due to a preliminary injunction issued by the U.S. District Court for the District of Massachusetts, and the 2013 rule has been and currently is in effect. Regulated entities that have been complying with the 2013 rule will not need to change any practices currently in place to comply with the final rule, HUD said.
CFPB updates agency contact information
On March 20, the CFPB published a final rule in the Federal Register to make non-substantive technical corrections and updates to Bureau and other federal agency contact information found within Regulations B, E, F, J, V, X, Z and DD, including federal agency contact information that is required to be provided with ECOA adverse action notices and the FCRA Summary of Consumer Rights (available here). Additionally, the final rule “revises the chapter heading, makes various non-substantive changes to Regulations B and V, and provides a Bureau website address where the public may access certain APR tables referenced in Regulation Z.” The final rule is effective April 19, although the Bureau noted that the mandatory compliance date for the amendments to appendix A to Regulation B, appendix A to Regulation J, and appendix K to Regulation V is March 20, 2024.
FCC regulations target scam robotexts
On March 16, the FCC adopted its first regulations specifically targeting scam text messages sent to consumers. Recognizing that robotexts are generally covered under the TCPA’s limits against unwanted calls to mobile phones, the FCC stated that the new regulations will require mobile service providers to block certain robotexts that appear to be coming from phone numbers that are unlikely to transmit text messages, including invalid, unallocated, or unused numbers, as well as “numbers that the subscriber to the number has self-identified as never sending text messages, and numbers that government agencies and other well-known entities identify as not used for texting.” Mobile service providers will also be required “to establish a point of contact for text senders, or have providers require their aggregator partners or blocking contractors to establish such a point of contact, which senders can use to inquire about blocked texts.”
The FCC’s report and order also include a further notice of proposed rulemaking, which seeks to implement additional protections to further prevent illegal text messages. The proposal would “require terminating providers to block texts from a sender after they are on notice from the Commission that the sender is sending illegal texts, to extend the National Do-Not-Call Registry’s protections to text messages, and to ban the practice of marketers purporting to have written consent for numerous parties to contact a consumer, based on one consent.”
Comments are due 30 days after publication in the Federal Register.
SEC proposes new cybersecurity requirements
On March 15, a divided SEC issued several proposed amendments to the agency’s cybersecurity-related rules.
The first is a proposed rule that would implement cybersecurity requirements for participants in the securities market, including broker-dealers, clearing agencies, and major security-based swap participants, among others. (See also SEC press release and fact sheet.) Among other things, the proposed rule would require all market entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address cybersecurity risks. Market participants would also be required to review the design and effectiveness of their cybersecurity policies and procedures at least once a year, and immediately provide the SEC written electronic notice of a significant cybersecurity incident should the participant have a reasonable basis to conclude that the incident had occurred or is occurring. Certain market entities would also be required to make public disclosures addressing cybersecurity risks and significant cybersecurity incidents to improve transparency. The SEC explained that the “interconnectedness of [m]arket [e]ntities increases the risk that a significant cybersecurity incident can simultaneously impact multiple [m]arket [e]tities causing systemic harm to the U.S. securities markets.”
The second proposed rule would amend Regulation S-P to enhance the protection of customer information and provide a federal minimum standard for data breach notifications. Regulation S-P requires broker-dealers, investment companies, and registered investment advisers to implement written policies and procedures for safeguarding customer records and information. The regulation also imposes requirements for proper disposal of consumer report information, implements privacy notice and opt-out provisions, and requires covered institutions to tell customers how their financial information is used. (See also SEC press release and fact sheet.) Under the proposed rule, covered institutions would be required to adopt an incident response program to address unauthorized access or use of customer information. Covered institutions would also be required to notify customers affected by certain types of data breaches that may expose them to identity theft or other harm by providing “notice as soon as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.” The proposed rule would also “extend the protections of the safeguards and disposal rules to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions.” Modifications to provisions related to registered transfer agents are also proposed.
Comments on both proposed rules are due 60 days after publication in the Federal Register.
Additionally, the SEC announced it has reopened the comment period on proposed cybersecurity risk management rules and amendments for registered investment advisers and funds. Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. The proposed rules also laid out additional requirements relating to the disclosure of cybersecurity risks and significant cybersecurity incidents as well as filing and recordkeeping. (Covered by InfoBytes here.) The SEC reopened the comment period for an additional 60 days.
In voting against the proposed rules, Commission Hester M. Pierce questioned, among other things, whether the amendments would create overlapping requirements for financial firms subject to state data breach laws that have customer notification provisions, some of which conflict with the SEC’s proposals. Commissioner Mark T. Uyeda also raised concerns as to how the three proposals interact with each other. He cautioned that the “lack of an integrated regulatory structure may even weaken cybersecurity protection by diverting attention to satisfy multiple overlapping regulatory regimes rather than focusing on the real threat of cyber intrusions and other malfeasance.”
FHFA delays effective date of DTI ratio-based fee
On March 15, FHFA delayed the implementation of a new debt-to-income ratio-based fee to August 1, in order to ensure lenders have sufficient time to prepare. In January, FHFA made several changes relating to upfront fees for certain borrowers with debt-to-income (DTI) ratios above 40 percent. The updated and recalibrated pricing grids also include the upfront fee eliminations announced last October to increase pricing support for purchase borrowers limited by income or by wealth, FHFA said. The agency made the decision to delay the effective date by three months based on feedback from mortgage industry stakeholders who raised concerns about the operational challenges of implementing the DTI ratio-based fee. FHFA also confirmed that “lenders will not be subject to post-purchase price adjustments related to this DTI ratio-based fee for loans acquired by [Fannie Mae and Freddie Mac] between August 1, 2023, and December 31, 2023.” The agency explained that this temporary exception “will not alter any other quality control review decisions by [Fannie Mae and Freddie Mac].”
CFPB seeks input on data broker businesses
On March 15, the CFPB issued a Request for Information (RFI) seeking public input on data broker business practices in order to inform planned rulemaking under the FCRA and help the agency understand the current state of the industry. “Modern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data,” CFPB Director Rohit Chopra said in the announcement. He added, “[o]ur inquiry will inform whether rules under the [FCRA] reflect these market realities.” The Bureau explained that the FCRA—which covers data brokers such as credit reporting companies and background screening firms, as well as parties who report information to these firms—provides several protections, including accuracy standards, dispute rights, and restrictions on how data can be used. The RFI seeks feedback on business models and practices used by the data broker market, including information about the types of data being collected and sold and the sources data brokers rely upon. In particular, the Bureau seeks information on consumer harm and market abuses, and wants to understand “whether companies using these new business models are covered by the FCRA, given the FCRA’s broad definitions of ‘consumer report’ and ‘consumer reporting agency.’” The Bureau stated it is also interested in learning about consumers’ direct experiences with data brokers, including when consumers try to remove, correct, or regain control of their data. Comments on the RFI are due by June 13.
HHS releases health care cybersecurity guide
On March 8, the Department of Health and Human Services (HHS) released a cybersecurity implementation guide to assist public and private health care sectors prevent cybersecurity incidents. The Cybersecurity Framework Implementation Guide was developed jointly with the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Council Cybersecurity Working Group. Substantial contributions to the guide were also provided by the National Institute for Standards and Technology (NIST) and other federal agencies. HHS explained that the guide is intended to help health care organizations implement the 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity using their existing security measures, stating that the guide should be used to assess current cybersecurity practices and risks and identify gaps for remediation. Among other things, the guide (i) outlines risk management principles and best practices; (ii) provides common language for addressing and managing cyber risk; (iii) lays out a structure for applying cyber risk management; and (iv) identifies “effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs.”