
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court says retailer not an intended third-party beneficiary of a credit card arbitration provision

    Courts

    On July 8, the U.S. District Court for the Central District of California denied a retailer’s motion to compel arbitration in a putative class action over consumer data sharing, ruling that the retailer was not an intended third-party beneficiary of an arbitration provision in a credit card agreement. The proposed class had filed an amended complaint accusing several national retailers of illegally sharing consumer transaction data in violation of the FCRA, the California Consumer Privacy Act, and California’s unfair competition law, among others. The motion at issue, filed by one of the retailers, sought to compel arbitration against a named plaintiff, who opposed it. The retailer argued that, as an “intended” third-party beneficiary of the contract, it had the right to enforce an arbitration clause contained in a credit card agreement purportedly signed by the plaintiff when she opened a retailer credit card account issued by an online bank.

    The court disagreed, finding that the contract’s arbitration provisions specifically referred to the bank, and that the contract did not clearly “express an intention to confer a separate and distinct benefit on [the retailer].” Moreover, the court noted the contract at issue instructed the plaintiff to send any arbitration demand notices to the bank, adding that “[i]t seems unlikely that the parties would expect a demand for arbitration solely against the [retailer]—that does not involve [the bank]—to be sent to [the bank].”

    Courts Arbitration Third-Party Credit Cards Class Action State Issues CCPA FCRA Privacy/Cyber Risk & Data Security

  • NYDFS tells industry to tighten third-party risk management

    State Issues

    On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, the attackers inserted malware into a software platform used by government agencies and by financial services and telecommunications companies to monitor and manage the performance of their networks, so that the malicious code reached victims through the vendor’s own trusted update channel. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs of many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous because “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”

    The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.

    State Issues NYDFS State Regulators Privacy/Cyber Risk & Data Security Third-Party Vendor Management Risk Management Bank Regulatory

  • 11th Circuit: Outsourcing debt collection letters can violate FDCPA

    Courts

    On April 21, the U.S. Court of Appeals for the Eleventh Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters can violate Section 1692c(b) of the FDCPA because it is a communication of the consumer’s private data “in connection with the collection of any debt.” According to the opinion, the plaintiff’s medical debt was assigned to the defendant debt collector, which, in turn, hired a mail vendor to produce a dunning letter in the course of collecting the outstanding debt. To produce the letter, information about the plaintiff was allegedly transmitted electronically from the defendant to the mail vendor, including his status as a debtor, the exact balance of the debt, its origin, and other personal information. The plaintiff filed suit, claiming the disclosure of the information to the mail vendor violated the FDCPA’s third-party disclosure provisions; the district court dismissed the suit for failure to state a claim.

    On appeal, the 11th Circuit reviewed whether a violation of § 1692c(b) gives rise to a concrete injury under Article III, and whether the defendant’s communication with the mail vendor was “in connection with the collection of any debt.” In reversing the district court’s ruling, the appellate court determined that communicating debt-related personal information to the third-party mail vendor is a concrete injury under Article III even though the plaintiff did not allege a tangible injury. The appellate court further held, in a matter of first impression, that under the circumstances the plaintiff alleged a communication “in connection with the collection of any debt” within the meaning of § 1692c(b). In choosing this interpretation over the defendant’s “‘industry practice argument,’” in which the defendant pointed to the widespread use of mail vendors and the relative lack of FDCPA suits brought against debt collectors who use them, the 11th Circuit recognized that its interpretation of the statute may require debt collectors to in-source many of the services previously outsourced to third parties, at a potentially great cost. “We recognize, as well, that those costs may not purchase much in the way of ‘real’ consumer privacy, as we doubt that the [mail vendors] of the world routinely read, care about, or abuse the information that debt collectors transmit to them,” the appellate court wrote, adding, “Even so, our obligation is to interpret the law as written, whether or not we think the resulting consequences are particularly sensible or desirable.”

    Courts Debt Collection Third-Party Disclosures Appellate Eleventh Circuit Vendor Hunstein

  • Court rules software service provider did not eavesdrop when capturing website data for retailer

    Privacy, Cyber Risk & Data Security

    On April 15, the U.S. District Court for the Northern District of California dismissed class claims alleging that a software-services provider for a clothing retailer wiretapped consumers’ communications with the retailer in violation of California’s Invasion of Privacy Act and the California Constitution. The software at issue is sold to the service provider’s clients to capture and analyze data so companies can see how visitors use their websites. The plaintiff alleged that during a visit to one of the retailer’s websites, the defendant’s software captured information including when she visited, the length of her visit, her IP address and location, her browser type, and the operating system on her device. The plaintiff further claimed that, in addition to the aforementioned information, the software also captured personally identifiable information such as email and shipping addresses and payment-card information. The court granted the defendant’s motion to dismiss. In dismissing the action, the court referenced its dismissal of virtually identical claims against another software-services provider and ruled that the defendant’s recording of activities such as keystrokes, mouse clicks, and page scrolling does not amount to wiretapping. “[The defendant] is not a third-party eavesdropper,” the court wrote, “[i]t is a vendor that provides a software service that allows its clients to monitor their website traffic.” Moreover, the court determined that information “such as IP addresses, locations, browser types, and operating systems” is not “content” for purposes of the plaintiff’s Section 631(a) claim.

    Privacy/Cyber Risk & Data Security Courts Third-Party Class Action State Issues California

  • FTC settles with mortgage analytics company over vendor oversight deficiencies

    Federal Issues

    On December 15, the FTC announced a settlement with a Texas-based mortgage data analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach-Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure that a third-party vendor hired to perform text recognition scanning on tens of thousands of mortgage documents was adequately securing consumers’ personal data. The FTC’s complaint alleges that the vendor stored the unencrypted contents of these documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. The data contained sensitive personal information, including “names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, or other personal and financial information of borrowers, as well as of family members and others whose information was included in the mortgage application.” According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was accessed approximately 52 times. The FTC claims, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of all of its vendors as required by the Safeguards Rule.

    The proposed settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.

    Federal Issues FTC Enforcement Consumer Protection Privacy/Cyber Risk & Data Security Gramm-Leach-Bliley FTC Act Third-Party Vendor Management

  • HUD re-extends procedures to address Section 232 mortgage insurance issues

    Federal Issues

    On October 1, 2020, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 2020-33, which extends interim procedures regarding site access issues related to Section 232 mortgage insurance applications during the Covid-19 pandemic. The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities, effective through December 31, 2020. The letter also provides guidance on other aspects of Section 232 properties, including lender underwriter site visits, appraisals, and inspections of new construction, among other things.

    Federal Issues Covid-19 HUD Mortgages Insurance Mortgage Insurance Third-Party FHA Underwriting Appraisal Home Inspection

  • HUD issues mortgagee letter extending interim procedures relating to FHA Section 232 approved mortgages

    Federal Issues

    On July 31, 2020, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 2020-25, which extends interim procedures regarding site access issues related to Section 232 mortgage insurance applications during the Covid-19 pandemic. The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities with effective dates within 60 days of the issuance of the mortgagee letter. The letter also provides guidance on other aspects of Section 232 properties, including Property Capital Needs Assessments, appraisals, Section 232 Phase 1 Environmental Site Assessments, asbestos surveys, and radon testing, among other things.

    Federal Issues Covid-19 HUD Mortgages FHA Third-Party

  • FDIC seeks input on voluntary certification of innovative technologies

    Agency Rule-Making & Guidance

    On July 20, the FDIC issued a Request for Information (RFI) seeking input on whether a public/private standard-setting partnership and voluntary certification program could be established to (i) promote the efficient and effective adoption of innovative technologies at supervised financial institutions; and (ii) support financial institutions’ efforts to implement innovative models, manage risk, and conduct due diligence on third-party fintech firms. The RFI is being issued as part of the agency’s FDiTech initiative, which was established in 2019 to encourage innovation within the banking industry (particularly at community banks), support collaboration in piloting new products and services, reduce regulatory uncertainty, and manage risks.

    The FDIC stated that establishing a standards-setting body, developed by regulators and industry stakeholders, would help promote innovation across the banking sector and streamline the vetting process for fintech partners. The agency noted that a voluntary certification program could assist in standardizing due diligence practices and reduce costs for financial institutions that choose to participate. Additionally, the FDIC emphasized that it “is especially interested in information on models and technology services developed and provided by [fintechs].” Comments are due 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance FDIC Fintech Third-Party Risk Management

  • OCC highlights key risks for federal banking system, says compliance risk elevated due to Covid-19

    Federal Issues

    On June 29, the OCC released its Semiannual Risk Perspective for Spring 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC focused this report on the financial impact of the Covid-19 pandemic on the federal banking industry, emphasizing that weak economic conditions stemming from the shutdown will stress financial performance in 2020, and that banks should monitor the elevated compliance risks that may arise from their responses to the pandemic, including participation in the Paycheck Protection Program as well as forbearance and deferred payment programs. The report highlighted that the surge in consumer demands, government programs, and the modifications to operations due to remote work and the “short timelines for implementing changes placed additional strains on banks already operating in a stressed environment.” However, the report noted that “[s]ome banks are leveraging innovative technologies and third parties, including fintech firms, to help manage these challenges,” and that “[b]ank risk management programs should maintain effective controls for third-party due diligence and monitoring and other oversight processes, operational errors, heightened cyber security risks, and potential fraud related to stimulus programs.” The report highlighted several areas of concern for banks, including (i) increases in credit risk; (ii) interest rate risk, including risks related to the LIBOR cessation; (iii) operational risks related to banks’ Covid-19 response; (iv) heightened cyber risks; and (v) compliance risks related to Bank Secrecy Act/anti-money laundering laws, consumer compliance, and fair lending.

    Federal Issues OCC Covid-19 Risk Management Fintech Third-Party SBA Compliance

  • Boston Fed updates Main Street Lending Program FAQs

    Federal Issues

    On June 20, the Federal Reserve Bank of Boston updated the FAQs for its Main Street Lending Program. Among other things, the new FAQs address the treatment of an applicant’s debt to third-party lenders for purposes of calculating outstanding and undrawn debt, certifications regarding conflicts of interest, and the application of regulatory lending limits imposed on national banks, federal savings associations, and state savings associations to loans issued under the Main Street Lending Program.

    Federal Issues Covid-19 Department of Veterans Affairs Banking Federal Reserve Bank of Boston Third-Party
