InfoBytes Blog

Financial Services Law Insights and Observations

  • SEC says exchanges must have policies on incentive compensation given in error

    Securities

    On October 27, the SEC announced final rules requiring securities exchanges to adopt listing standards that require issuers to develop and implement policies providing for the recovery of erroneously awarded incentive-based compensation received by executive officers. The final rules require a listed issuer to file the policy as an exhibit to its annual report and to include disclosures related to its recovery policy and recovery analysis where a recovery is triggered. The SEC first proposed new rules for executive compensation disclosure in 2015, but they were not finalized. The SEC reopened consideration of the rules last year, and in August, adopted a new requirement that a reporting company’s proxy statement and other disclosures include a table showing executive compensation and financial performance measures.

    According to a statement released by SEC Chairman Gary Gensler, the new rules will “strengthen the transparency and quality of corporate financial statements, investor confidence in those statements, and the accountability of corporate executives to investors.” Commissioner Hester M. Peirce also released a statement, where she noted that implementing the statutory clawbacks mandate is “commendable,” but “doing it—expansively, inflexibly, and impractically—is not.” Peirce noted that the final rule “does not permit company boards, guided by their fiduciary duty, to determine when clawing back compensation makes sense,” and that “[s]uch an approach would have served shareholders by ensuring that companies claw back erroneously awarded compensation when doing so yields a net benefit to shareholders.” The final rules will become effective 60 days after publication in the Federal Register. Exchanges will be required to file proposed listing standards no later than 90 days following publication of the release in the Federal Register, with listing standards effective no later than one year following such publication.

    Securities Federal Register Executive Compensation Incentive Compensation Agency Rule-Making & Guidance SEC Clawback

  • NYDFS revises state CRA regulations

    State Issues

    On October 26, NYDFS released revisions to its proposed state Community Reinvestment Act regulation, which would allow the Department to obtain the necessary data to evaluate the extent to which New York-regulated banking institutions are serving minority- and women-owned businesses in their communities. The revised proposed regulation addresses comments received during a prior 60-day comment period that began last November (covered by InfoBytes here), and is intended to minimize compliance burdens by making sure the regulation’s proposed language complements requirements in the CFPB’s proposed rulemaking for collecting data on credit access for small and minority- and women-owned businesses. Among other things, the revised proposed regulation would require regulated entities to inquire as to whether a business applying for a loan or credit is minority- or women-owned or both, and submit a report to the Department providing application details, such as the date, type of credit applied for and the amount, whether the application was approved or denied, and the size and location of the business. Additionally, the revised proposed regulation (i) establishes processes for regulated entities when soliciting, collecting, storing, and reporting information related to their provision of credit to minority- and women-owned businesses, including when requests for information should be made, and notifications informing applicants of their right to refuse to offer information in response to a request and that the provided information may not be used for any discriminatory purpose; (ii) provides that, to the extent feasible, underwriters should not be able to access information provided by an applicant; (iii) stipulates how long a regulated entity is required to preserve gathered information; and (iv) provides a sample data collection form that regulated entities may choose to use. 
    According to NYDFS, the revisions are designed to make sure regulated entities abide by fair lending laws when collecting and submitting the necessary data. Comments will be accepted for 45 days following publication in the State Register.

    State Issues Bank Regulatory Agency Rule-Making & Guidance NYDFS New York New York CRA Fair Lending

  • CFPB launches rulemaking on consumers’ rights to their data

    Agency Rule-Making & Guidance

    On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Emphasizing that “[c]lear data rights for consumers have the potential to give individuals more bargaining leverage,” the Bureau claimed that companies compiling vast amounts of personal data, including information about consumers’ use of financial products and services, are able to monopolize the use of this data, thereby blocking competition and stifling the development of competitors’ products and services.

    Highlights from the outline include a series of discussion questions for small businesses and a list of topics, including:

    • Data providers subject to the proposals under consideration. The proposals, if finalized, would impact data providers, including “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” Notably, “a financial institution would be a covered provider if it issues an ‘access device’ (as the term is defined in Regulation E § 1005.2(a)(1)), such as a digital credential storage wallet, and provides EFT services, even if it does not hold consumer accounts.” Additionally, “a card issuer would be a covered data provider if it issues a ‘credit card’ (as the term is defined in Regulation Z § 1026.2(a)(15)(i)), such as by issuing digital credential storage wallets, even if it does not hold consumer credit accounts.” The outline also defines covered accounts and states the Bureau is considering potential exemptions for certain data providers.
    • Recipients of information. To be considered an authorized third party under the proposals, a third party must: (i) provide an “authorization disclosure” informing consumers of key terms of access; (ii) obtain consumers’ informed, express consent to the key terms of access contained within the authorization disclosure; and (iii) certify to consumers that it will abide by certain obligations related to the collection, use, and retention of a consumer’s information. The Bureau is considering proposals that would address “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
    • Types of information covered data providers would need to make available. The outline proposes six categories of information data providers would have to make available with respect to covered accounts, including (i) periodic statement information; (ii) information on certain types of prior transactions and deposits that have not yet settled; (iii) information regarding prior transactions not typically shown on periodic statements or online account portals; (iv) online banking transactions that have not yet occurred; (v) account identity information; and (vi) other information, such as consumer reports, fees, bonuses, discounts, incentives, and security breaches that exposed a consumer’s identity or financial information.
    • Exceptions to the requirement to make information available. The outline provides four exceptions to the requirement for making information available: (i) confidential commercial information; (ii) information obtained to prevent fraud, money laundering, or other unlawful conduct; (iii) information that is required to be kept confidential; and (iv) information a “data provider cannot retrieve in the ordinary course of business.”
    • How and when information would need to be made available. The outline states the Bureau is considering ways to define the methods and the circumstances in which a data provider would need to make information available with respect to both direct access and third-party access.
    • Third party obligations. The Bureau is examining proposals to limit authorized third parties’ collection, use, and retention of consumer information to that which “is reasonably necessary to provide the product or service the consumer has requested.” This includes (i) limiting duration, frequency, and retention periods; (ii) providing consumers a simple way to revoke authorization; (iii) limiting a third party’s secondary use of consumer-authorized information; (iv) requiring third parties to implement data security standards and policies and procedures to ensure data accuracy and dispute resolution; and (v) requiring third parties to comply with certain disclosure obligations, including a mechanism for consumers to request information about the extent and purposes of a third party’s access to their data.
    • Record retention obligations. Proposals under consideration would establish requirements for data providers and third parties to demonstrate compliance with their obligations under the rule.
    • Implementation period. The Bureau is seeking feedback on time frames to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.

    An appendix to the highlights provides examples of ways the proposals would apply to hypothetical transactions involving consumer-authorized data access to an authorized third party.

    The Bureau’s rulemaking process will include panel convenings, as mandated under the Small Business Regulatory Enforcement Fairness Act of 1996, after which the panel will prepare a report for the Bureau to consider as it develops the proposed rule. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said in announcing the rulemaking outline. Chopra further elaborated on the rulemaking’s purposes during an industry event earlier in the week (covered by InfoBytes here) where he said the Bureau plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing as a way to “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.”

    Agency Rule-Making & Guidance Federal Issues CFPB Section 1033 Small Business Dodd-Frank Consumer Finance Privacy, Cyber Risk & Data Security

  • CFPB issues guidance on “junk fees”

    Federal Issues

    On October 26, President Biden discussed guidance issued by the CFPB to help banks avoid charging illegal “junk fees” on deposit accounts. The Bureau’s Circular 2022-06 noted that overdraft fees can be considered an “unfair” practice and violate the Consumer Financial Protection Act (CFPA) even if such fees are in compliance with other laws and regulations. Specifically, the Circular noted that “overdraft fees assessed by financial institutions on transactions that a consumer would not reasonably anticipate are likely unfair.” The guidance further stated that unanticipated overdraft fees are likely to impose substantial injury on consumers that they cannot reasonably avoid and that are not outweighed by countervailing benefits to consumers or competition. The Bureau’s compliance bulletin on surprise depositor fees explained that a returned deposited item is a check that a consumer deposits into their checking account that is returned to the consumer because the check could not be processed against the check originator’s account. The bulletin stated that “blanket policies of charging returned deposited item fees to consumers for all returned transactions irrespective of the circumstances or patterns of behavior on the account are likely unfair under the [CFPA].” The Bureau further explained that indiscriminately charging depositor fees, regardless of circumstances, is likely illegal and noted that the bulletin is intended to put regulated entities on notice regarding how the agency plans to exercise its enforcement and supervisory authorities in the context of deposit fees. The bulletin urged financial institutions to charge depositor fees only in situations where a depositor could have avoided the fee, such as when a depositor repeatedly deposits bad checks from the same originator.
    The Bureau emphasized the guidance as part of its Junk Fee Initiative, noting that since it launched the initiative in January 2022, the CFPB has taken action to constrain “pay-to-pay” fees (covered by InfoBytes here), and has announced an advance notice of proposed rulemaking soliciting information from credit card issuers, consumer groups, and the public regarding late payments, credit card late fees, and card issuers’ revenue and expenses (covered by InfoBytes here).

    Federal Issues Agency Rule-Making & Guidance CFPB Consumer Finance Biden Overdraft Junk Fees CFPA

  • Chopra previews Section 1033 rulemaking on consumers’ rights to data

    Federal Issues

    On October 25, CFPB Director Rohit Chopra spoke before an industry event where he announced that the Bureau will soon release a discussion guide for small businesses to further the agency’s Section 1033 rulemaking efforts with respect to consumer access to financial records. As announced in the Bureau’s Spring 2022 rulemaking agenda, Section 1033 of Dodd-Frank provides that, subject to Bureau rulemaking, covered entities such as banks must make certain product or service information, including transaction data, available to consumers. The Bureau is required to prescribe standards for promoting the development and use of standardized formats for information made available to consumers under Section 1033. In 2020, the Bureau issued an advance notice of proposed rulemaking seeking comments to assist in developing the regulations (covered by InfoBytes here).

    Chopra explained that, before issuing a proposed rule, the Bureau must first convene a panel of small businesses that represent their markets to solicit input on proposals the CFPB is considering. Chopra said the Bureau plans to “hear from small banks and financial companies who will be providers of data, as well as the small banks and financial companies who will ingest the data,” and will also gather input from intermediary data brokers that facilitate data transfers (“fourth parties”). He noted that a report will be published in the first quarter of 2023 based on comments received during the process, which will be used to inform a proposed rule that is slated to be issued later in 2023. Chopra said the Bureau hopes to finalize the rule in 2024, stating “[w]hile not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.”

    Chopra also expressed plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing. He stressed that doing so would “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.” He further noted that the Bureau is planning to assess ways to prevent incumbent institutions from improperly restricting access when consumers try to control and share their data, including by developing requirements for limiting misuse and abuse of personal financial data, fraud, and scams. Chopra said staff has been directed to consider alternatives to the “notice-and-opt out” regime that has been the standard for financial data privacy and to explore safeguards to prevent excessive control or monopolization by one or a handful of firms.

    Federal Issues Privacy, Cyber Risk & Data Security CFPB Section 1033 Agency Rule-Making & Guidance Small Business Dodd-Frank Consumer Finance

  • FRBs to adopt new Fedwire format in 2025

    On October 24, the Federal Reserve Board published a notice in the Federal Register announcing that the International Organization for Standardization’s (ISO) 20022 message format for the Fedwire Funds Service will be adopted on a single day, March 10, 2025. The Fedwire Funds Service is a real-time gross settlement system owned and operated by the Federal Reserve Banks that enables businesses and financial institutions to quickly and securely transfer funds using either balances held at the Reserve Banks or intraday credit provided by the Reserve Banks. A single-day implementation strategy is preferable to a three-phased implementation approach, the Fed said, explaining it is both simpler and more efficient and is likely to reduce users’ overall costs related to software development, testing, and training. The Fed also announced a revised testing strategy and backout strategy, as well as other details concerning ISO 20022’s implementation.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance Federal Reserve Payments Payment Systems Federal Reserve Banks

  • FTC to issue rulemaking on junk fees and fake reviews

    Federal Issues

    On October 20, the FTC voted 3-1 at an open meeting to publish two rules for comments: the Advance Notice of Proposed Rulemaking (ANPRM) on Junk Fees (see here) and the ANPRM on Fake Reviews and Endorsements (see here). The first ANPRM addresses junk fees that are charged for goods or services that have little or no added value to the consumer. The ANPRM seeks comments on the prevalence of junk fees and the consumer harms arising from junk fee practices, among other topics. The second ANPRM initiates a rulemaking proceeding addressing fake reviews and other endorsements, which can cheat consumers and honest businesses alike. The ANPRM seeks comment on the prevalence of fake and deceptive reviews and the consumer harms arising from them, among other things.

    At the start of the meeting, members of the public provided feedback on the Commission’s work with some members of the public expressing concerns about how junk fees are harming consumers and businesses. Others also expressed consumers’ frustration with hidden fees that are added to bills that were not advertised up front. Regarding fake advertisements, some emphasized how consumers rely on reviews and how fake reviews can harm consumers and sellers. Commissioner Wilson, the sole ‘no’ vote on both measures, noted that the ANPRM on junk fees “is sweeping in its breadth,” and said the ANPRM potentially contradicts existing laws and rules, among other things. Chair Khan, Commissioner Slaughter, and Commissioner Bedoya all voted yes for both measures. Regarding the junk fees ANPRM, Commissioner Slaughter mentioned that she does not consider this to be “obscure” and expressed her support for the ANPRM, emphasizing that markets cannot function effectively with junk fees. Commissioner Wilson noted that she agrees that “fake and deceptive reviews are unlawful,” but does not believe public comment should be sought for this proposal because “the Commission already has a multi-pronged strategy in place to combat this issue,” such as FTC-published endorsement guides. Additionally, in October 2021, the Commission issued a notice of penalty offenses, which is explained in the ANPRM, and may enable the Commission to obtain civil penalties from marketers that use fake reviews.

    Federal Issues Agency Rule-Making & Guidance FTC Junk Fees Endorsements Consumer Protection UDAP

  • FHA seeks comment on LIBOR transition

    Agency Rule-Making & Guidance

    On October 19, FHA published a proposed rule in the Federal Register seeking public comment on transitioning existing FHA-insured forward and home equity conversion mortgage (HECM) adjustable rate mortgages (ARMs) from LIBOR to a spread-adjusted Secured Overnight Financing Rate (SOFR) index, after the one-year and one-month LIBOR indices cease to be published on June 30, 2023. The proposed rule also mentioned removing LIBOR and adding SOFR as an approved index for newly originated forward ARMs. According to the proposed rule, this change was made for HECM ARMs in Mortgagee Letter 2021-08 and added to this proposed rule. As previously covered by InfoBytes, in March 2021, FHA issued ML 2021-08 announcing changes for adjustable interest rate HECMs as the market transitions away from LIBOR. Comments are due by November 18.

    Agency Rule-Making & Guidance Federal Issues HUD FHA LIBOR Mortgages SOFR

  • CFPB opines on junk data in credit reports

    Agency Rule-Making & Guidance

    On October 20, the CFPB issued an advisory opinion, Fair Credit Reporting; Facially False Data, as part of a series of actions being taken by the Bureau to ensure consumer reporting companies comply with consumer financial protection laws. The advisory opinion emphasizes, among other things, that “a consumer reporting agency that does not implement reasonable internal controls to prevent the inclusion of facially false data, including logically inconsistent information, in consumer reports it prepares is not using reasonable procedures to assure maximum possible accuracy under section 607(b) of the [FCRA].” According to the Bureau, consumer reporting companies are legally required to follow reasonable procedures to assure maximum possible accuracy of information that they collect and report. As part of that requirement, companies must implement policies and procedures to screen for and eliminate junk data, including being able to detect and remove inconsistent account information and information that cannot be accurate. Additionally, companies’ internal controls must also be able to identify and prevent reporting of illegitimate credit transactions for a minor.

    For more details on the CFPB’s advisory opinion program, please see InfoBytes coverage here.

    Agency Rule-Making & Guidance Federal Issues CFPB Junk Fees FCRA Credit Report Credit Furnishing Consumer Finance

  • California’s privacy agency amends draft privacy rules ahead of meeting

    Privacy, Cyber Risk & Data Security

    In advance of an upcoming meeting of the California Privacy Protection Agency Board (CPPA) scheduled for October 28-29, the agency posted updated draft rules for implementing the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here).

    The proposed changes to the draft rules respond to comments received during the 45-day comment period, in which several businesses expressed concerns that the requirements were confusing and complying would be costly. (See also Explanation of Modified Text of Proposed Regulations.) Key clarifying modifications include:

    • Adding, amending, and striking certain definitions. The proposed changes would, among other things, revise the definition of “disproportionate effort” to clarify that it applies to service providers, contractors, and third parties as well as to businesses. The revisions also provide additional details concerning factors that should be considered when evaluating whether responding to a consumer request would require disproportionate effort. The changes also add and amend terms such as “first party,” “information practices,” “nonbusiness,” “privacy policy,” and “unstructured.”
    • Outlining restrictions on how a consumer’s personal information is collected or used. The revisions propose criteria for how a business should evaluate the “reasonable expectation” of consumers concerning the collection or processing of their personal information, including how to determine the purpose for which the personal information is collected, whether it is reasonably necessary and proportionate for achieving the stated purposes, and whether it is a “business purpose” under the CCPA/CPRA. According to the CPPA’s explanation of the modified text, the “factors consider relevant GDPR principles for harmonization while articulating the statutory requirements and intent of the CCPA.”
    • Providing disclosure and communications requirements. The proposed changes clarify that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and provide guidance on the placement of conspicuous links in a mobile environment.
    • Clarifying requirements for obtaining consumer consent. The revisions explain how different user interfaces and “choice architecture” can impair or interfere with a consumer’s ability to make a choice, and thus fail to meet the definition of consent. The revisions further address provisions related to dark patterns, explaining that “[i]f a business did not intend to design the user interface to subvert or impair user choice, but the business knows of and does not remedy a user interface that has that effect, the user interface may still be a dark pattern. Similarly, a business’s deliberate ignorance of the effect of its user interface may also weigh in favor of establishing a dark pattern.”
    • Amending requirements related to a business’s privacy notice. The revisions eliminate requirements for a business to either disclose the names or business practices of third parties that the business allows to collect personal information from the consumer in the business’s notice at collection. Additionally, a business and third party may provide a single notice at collection that outlines the required information about their collective information practices.
    • Amending the right to limit the use/disclosure of sensitive personal information. The proposed changes clarify that a business does not need to provide a notice of right to limit the use of sensitive personal information if the business only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer. Additionally, the revisions would make it optional for businesses to provide a means by which consumers can confirm their request to limit in order to simplify implementation at this time.
    • Clarifying request to delete provisions. The revisions confirm that a business’s service provider or contractor may delete collected personal information pursuant to the written contract that it has with the business. Additionally, businesses will be permitted to provide a link to a support page or other resource that explains a consumer’s data deletion options.
    • Amending requests to correct/know. The proposed changes clarify that businesses, service providers, and contractors may delay compliance with requests to correct with respect to information stored on archived or backup systems. The amendments also, among other things, clarify that consumers should make good-faith efforts to provide businesses with all relevant information available at the time of the request, provide flexibility and discretion to a business concerning whether it will provide the consumer with the name of the source from which the business received the alleged inaccurate information, and clarify that a business only needs to disclose specific pieces of personal information that it maintains and has collected about the consumer in order to confirm that the business has corrected the inaccurate information that was the subject of the consumer’s request to correct. With respect to a consumer’s right to know, the proposed changes would allow a consumer to request a specific time period for which their request to know applies.
    • Amending opt-out preference signals. The proposed changes specify that a business that does not sell or share personal information is not required to process an opt-out preference signal as a valid request to opt-out. However, for businesses that do sell or share personal information, processing the opt-out preference signal means that the business is treating it as a valid request to opt-out of sale/sharing. The revisions also address when a business can ignore an opt-out signal to allow a consumer to continue to participate in a financial incentive program, and explain that when a consumer is known to the business, the “business shall not interpret the absence of an opt-out preference signal after the consumer previously sent an opt-out preference signal as consent to opt-in to the sale or sharing of personal information.” Moreover, a business may choose to display whether it has processed the consumer’s opt-out preference signal as a valid request to opt-out of sale/sharing on its website.
    • Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods—an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
    • Clarifying requests to limit use and disclosure of sensitive personal information. The revisions clarify how sensitive personal information may be used to “prevent, detect, and investigate” security incidents “even if this business purpose is not specified in the written contract required by the CCPA and these regulations.”

    The proposed changes also delete examples concerning notices of the right to opt-out of the sale/sharing of personal information through connected devices and augmented or virtual reality to simplify implementation at this time. Additionally, the proposed changes further clarify provisions related to requirements for service providers, contractors, and third parties, specifying, among other things, that businesses must contractually require these entities to provide the same level of privacy protection as is required of businesses by the CCPA and these regulations.

    Privacy, Cyber Risk & Data Security State Issues California CPPA CPRA CCPA Consumer Protection Agency Rule-Making & Guidance