InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC proposes rulemaking to combat impersonation fraud
On September 15, the FTC issued a notice of proposed rulemaking (NPRM) to prohibit the impersonation of government, businesses, or their officials. According to the FTC, reported losses due to impersonation fraud spiked at the beginning the Covid-19 pandemic, and more than 2.5 million scams were reported nationwide from the beginning of 2017 through the middle of 2022, with consumers reporting losses of more than $2 billion. These impersonation scams include persons posing as government officials or employees, or persons claiming that they represent well-known businesses or charities who may use “misleading domain names and URLs and ‘spoofed’ contact information’” to create the illusion of legitimacy. The FTC added that scammers are looking for information that can be used to commit identity theft or seek monetary payment, and often request that funds be paid through wire transfer, gift cards, or cryptocurrency.
The NPRM follows an advanced notice of proposed rulemaking issued last December (covered by InfoBytes here), for which the FTC received more than 160 comments from members of the public, as well as a coalition of 49 state attorneys general and many companies and industry organizations. According to the FTC, the NPRM would codify the principle that impersonation scams violate the FTC Act, allowing the Commission to seek civil penalties and recover money from those who violate the rule. Among other things, the NPRM would ban scammers from (i) using government identifiers when communicating with consumers via mail or online; (ii) spoofing government and business email and web addresses “or using lookalike email addresses or websites that rely on misspellings of a company’s name”; or (iii) falsely implying an affiliation with a government or a business by using commonly known terms. The FTC noted that the NPRM would also apply to persons who provide the “means or instrumentalities” for scammers, such as suppliers who manufacture the fake government credentials used by scammers. Additionally, non-profit organizations would be included in the definition of a business under the NPRM, so that the FTC can take action against scammers impersonating charities. Comments on the NPRM are due 60 days after publication in the Federal Register.
CFPB studying BNPL growth
On September 15, the CFPB announced plans to consider issuing interpretive guidance or regulations to ensure that buy now, pay later (BNPL) lenders follow many of the same consumer protection measures that exist for credit cards. “We will be working to ensure that borrowers have similar protections, regardless of whether they use a credit card or a Buy Now, Pay Later loan,” CFPB Director Rohit Chopra said in the announcement. The Bureau described BNPL products as a form of interest-free credit that “serves as a close substitute for credit cards” and allows consumers to split a retail transaction into smaller, interest-free installments that are repaid over time.
Recognizing that BNPL products are a rapidly growing alternative form of credit for online retail purchases, the Bureau published a report providing key insights into the industry. According to the report, the number of BNPL loans originated from 2019 to 2021 in the US grew 970 percent, from 16.8 million to 180 million. The total dollar volume of these loans grew by 1,092 percent in that period, from $2 billion in 2019 to $24.2 billion in 2021, the report said, noting that 73 percent of applicants were approved for credit in 2021, up from 69 percent in 2020. Additionally, the report found that 89 percent of consumers using BNPL loans linked their accounts to their debit cards, and that late fee policies vary by issuer.
The Bureau raised several concerns with BNPL products in the report, including (i) inconsistent standardized cost-of-credit disclosures, minimal dispute resolution rights, a forced opt-in to autopay, and occurrences where consumers are assessed multiple late fees on the same missed payment; (ii) risks related to data harvesting and monetization, as many BNPL lenders shift business models toward proprietary app usage, allowing lenders “to build a valuable digital profile of each user’s shopping preferences and behavior”; and (iii) concerns over consumers taking out several loans during a short period of time at multiple lenders. According to the Bureau, because most BNPL lenders currently do not furnish data to the major credit reporting companies, many lenders are unaware of a consumer’s current liabilities when deciding whether to originate new loans.
The Bureau noted in its announcement that while BNPL lenders are currently subject to some federal and state oversight, compliance and licensing requirements vary. In addition to exploring potential new regulatory guidance, the Bureau said it plans to identify surveillance practices that BNPL lenders should seek to avoid, and it will continue to address the development of appropriate and accurate credit reporting practices for the industry. Chopra further announced that the Bureau is inviting BNPL lenders to self-identify if they wish to be examined for any potentially problematic business practices. The Bureau is also reviewing its authorities to conduct examinations on a compulsory basis and will work with state regulators that license nonbank finance companies on examinations of BNPL firms.
Republicans take issue with CFPB agenda
On September 12, several Republican senators sent a letter to CFPB Director Rohit Chopra expressing concerns that the Bureau is again pursuing “a radical and highly-politicized agenda unbounded by statutory limits.” In particular, the letter took issue with recent Bureau reports on the use of overdraft fees (covered by InfoBytes here and here), calling the agency’s actions a “relentless smear campaign” against banks. “Charging fees that customers chose to pay should not be disturbing or illegal, and yet, the CFPB appears to have developed a particular disdain for banks charging their customers for services, pejoratively calling overdraft protection ‘junk fees,’” the letter stated. Additionally, the letter claimed that the Bureau is changing its rules in order to publish previously confidential information about financial institutions to make it easier to threaten them with reputational harm (covered by InfoBytes here), without affording the financial institution the similar ability to, for example, disclose the existence of a CFPB examination. Among other things, the new procedural rule establishes a disclosure mechanism intended to increase transparency of the Bureau’s risk-determination process that will exempt final decisions and orders by the CFPB director from being considered confidential supervisory information, allowing the Bureau to publish the decisions on their website. According to the senators, the rule requires nonbanks to keep confidential information relating to a decision issued by the Bureau, including facts that could question the decision or raise procedural concerns. “The one-sided nature of the CFPB’s rule change gives the agency the ability to publicly tarnish an institution’s name without affording the firm the power to defend itself,” the letter said. The letter also decries a recent change to the agency’s rules of adjudication to make it more difficult for companies to defend themselves against novel enforcement theories by bypassing an administrative law judge and permitting the director to rule directly on the validity of the legal basis for the enforcement action.
CISA issues RFI on new cyber incident reporting requirements
On September 9, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) from critical infrastructure owners and operators on how to develop new data breach reporting regulations related to ransomware and other malicious attacks. The RFI will inform CISA’s promulgation of proposed regulations as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Specifically, the agency is requesting feedback on definitions and terminology for the proposed rules, the form and content of reports, incident reporting requirements, enforcement procedures, and information protection policies. Once the final regulation is published, CISA will use information obtained from cyber-incident reports submitted by covered entities to “deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and understand how malicious cyber actors are perpetrating their attacks, and quickly share that information with network defenders to warn other potential victims,” the RFI explained. CISA will also host a series of public listening sessions across the country to receive additional input as it develops the proposed regulations. Comments on the RFI are due November 14.
Agencies push to implement Basel III
On September 9, the FDIC, OCC, and Federal Reserve Board reaffirmed their commitment to implementing enhanced regulatory capital requirements that align with Basel III standards issued by the Basel Committee on Banking Supervision in 2017. The agencies announced they are currently developing—and will issue “as soon as possible”—a joint proposed rule on new capital standards for large banking organizations. The agencies noted that community banks are subject to different capital requirements and will not be affected by the proposal.
Treasury issues guidance on Russian oil sales cap
On September 9, the U.S. Treasury Department announced preliminary guidance on implementing a maritime services policy and related price exception for seaborne Russian oil. As previously covered by InfoBytes, OFAC recently announced that it planned to publish preliminary guidance on implementing the price cap to provide a high-level overview of the directive, including how U.S. persons can comply in advance of formal guidance and legal implementation. According to the preliminary guidance, the policy is intended to establish a framework for Russian oil to be exported by sea under a capped price, and establish a ban on services for any shipments of seaborne Russian oil above the capped price. Objectives of the guidance include: (i) maintaining a reliable supply of seaborne Russian oil to the global market; (ii) reducing upward pressure on energy prices; and (iii) reducing the revenues the Russian Federation earns from oil after its own war of choice in Ukraine has inflated global energy prices. The policy contains an exception, which applies to “jurisdictions or actors that purchase seaborne Russian oil at or below a price cap to be established by the coalition (the “price exception”).” The policy, which relates to a broad range of services in connection with the maritime transportation of Russian Federation origin crude oil and petroleum products, will become effective December 5, 2022 for the maritime transportation of crude oil and on February 5, 2023 for the maritime transportation of petroleum products.
FTC hosts forum on commercial surveillance and lax data security practices
On September 8, the FTC hosted a forum regarding its Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices. As previously covered by InfoBytes, the ANPR was issued in August to solicit public comment on “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR noted that there is increasing evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms. The forum featured remarks by FTC Chair Lina M. Khan, Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, as well as a staff presentation, two panel discussions, and comments from the public. Chair Khan noted in her remarks that the discussion and comments at the forum will be critical in determining the evidentiary basis for proceeding with a rulemaking and whether legal requirements needed for crafting any particular type of rule. However, some observers expressed concern that the FTC’s ANPR could undermine efforts to pass federal privacy legislation. Slaughter noted in her remarks that she “support[s] strong federal privacy legislation, but until there’s a law on the books, the commission has a duty to use all the tools we have to investigate and address unlawful behavior in the market.” Commissioners Slaughter and Bedoya also expressed the need for public engagement to understand commercial surveillance.
The first panel focused on industry perspectives on commercial surveillance and data security. When asked about some of the best practices or potential business models developed by businesses to mitigate consumer harm and protect data, a panelist noted that there are many approaches underway, but the guiding principle is that the process of documentation supports transparency by prompting processes and critical thinking of each step in the mission learning lifecycle. One panelist expressed concerns about businesses tracking personal data, stating that because retailers collect information about their customers when they make purchases online and may recommend related offerings, regulators “should not interfere with these direct relationships.” Another panelist warned against treating all data collection and processes equally, stressing that the FTC should use its enforcement tools against third parties.
The second panel featured consumer advocates discussing interests, concerns, risks, and harms related to commercial surveillance, in addition to mitigating consumer harms and protecting data. The advocates noted, among other things, that the FTC should impose heightened safeguards on sensitive data, such as precise location records and information associated with children. Additionally, the panelists advocated for establishing a regulation and broadening the FTC’s Section 5 unfairness authority that limits widescale tracking. Specifically, one panelist discussed how the FTC should approach a data minimization rule under Section 5, recommending that such a rule should ban secondary use and third-party disclosures. In regard to combating discrimination through data collection and advertising, a panelist noted that shifting data protection responsibilities from individuals onto companies could play an important part to ensure that data-driven algorithms that deliver ads or content are not discriminating against consumers.
OCC issues expectations for protecting non-public information
On September 7, the OCC issued Bulletin 2022-21, Information Security: Expectations for Protecting Non-public OCC Information on Institution- or Other Non-OCC-Owned or Managed Video Teleconferencing Services, outlining its expectations for protecting non-public OCC information shared on video teleconferencing services that are operated or managed by an institution or any other party. The OCC reiterated that banks and other parties in possession of such information are prohibited from disclosure without the agency’s prior approval, except under certain limited circumstances. Further, the prohibition extends to the disclosure of information displayed, processed, stored, or transmitted by information systems, including video teleconferencing services. The Bulletin states that non-public OCC information is the property of the OCC and includes, among other things: (i) “OCC reports of examination, including ratings such as CAMELS and the Uniform Rating System for Information Technology ratings”; (ii) “supervisory correspondence”; (iii) “institution responses to supervisory correspondence”; (iv) “investigatory files”; and (v) “certain enforcement-related information, including matters requiring attention.” The OCC also listed several security expectations for any videoconference in which non-public OCC information will be communicated, which includes using an encrypted connection, moderating the meetings, making no recordings or transcriptions, and ensuring the videoconference service is securely configured and routinely patched to protect against cyber intrusion and data loss.
SEC warns Chinese companies against switching auditors to avoid compliance
On September 6, SEC acting Chief Accountant Paul Munter issued a warning to Chinese companies that they may face enforcement actions if they switch auditing firms to remain listed in the U.S. that do not follow applicable standards. Munter pointed to instances of foreign issuers, especially those located in China or Hong Kong, “changing their lead auditor from a local registered public accounting firm to a registered public accounting firm located either in the U.S. or elsewhere, generally within the same network.” According to Munter, these types of arrangements create “special challenges that raise questions about whether the newly engaged registered public accounting firms—whether located in the U.S. or elsewhere—will be able to satisfy their responsibilities to serve as the lead auditor.” Munter noted that the U.S. Public Company Accounting Oversight Board (PCAOB), the China Securities Regulatory Commission, and the Ministry of Finance of the People’s Republic of China, recently signed a Statement of Protocol governing inspections and investigations of audit firms based in China or Hong Kong. He said, however, that certain issuers based in China and Hong Kong have started structuring audits with registered public accounting firms located either in the U.S. or elsewhere “to avoid the potential of consecutive PCAOB [Holding Foreign Companies Accountable Act] determinations and a potential resultant trading prohibition.” Issuers and firms looking to avoid compliance could result in investigations and enforcement actions by the PCAOB, the SEC, or both.
Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023
The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extend the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.
According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.
As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.