InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fed Report Provides Information on Debit Card Transactions in 2015
On November 30, the Fed announced the release of its annual report on debit card transactions in 2015. The report is the fourth in a series to be published every two years pursuant to Section 920 of the Electronic Fund Transfer Act (EFTA). As in prior years, the 2015 report reflected that issuers’ costs of authorizing, clearing, and settling debit card transactions (excluding issuer fraud losses) varied greatly across respondents. Data compiled in the report estimates that debit-card fraud losses to all parties (merchants, cardholders, and issuers) increased by 44 percent from 2013 to an estimated total of $2.41 billion in 2015. The median covered issuer had average fraud prevention and data security costs of 1.9 cents per transaction.
CFPB Launches Inquiry into Consumer Financial Data Access
On November 17, the CFPB formally announced the launch of an inquiry into the benefits and risks associated with consumers authorizing third-parties to access their financial and account information held by financial service providers. The CFPB has been investigating and assessing issues related to data access and technological innovation for some time, including through Project Catalyst.
As detailed in the Request for Information (Dkt No. CFPB-2016-0048) issued on November 17, the CFPB is focused on three main points of inquiry: (i) secure access for consumers – i.e., are consumers able to securely access, and authorize others to securely access, their financial records? Are there any “business burdens” that must be addressed to provide access and use of financial records?; (ii) third-party risk -- i.e., some financial institutions have expressed concern that providing third parties with access to records may compromise consumer privacy or put their funds at risk. The CFPB would like learn more about options for ensuring that financial records are securely obtained, stored and used; and (iii) consumer control -- i.e., to what extent are consumers able to control how shared data is being used by third-parties with authorized access? Are consumers able to limit the number of times those firms can access the data?
In prepared remarks delivered at a field hearing in Salt Lake City, UT, CFPB Director Richard Cordray explained: “The technology around digital financial records continues to develop and, so far, there are many unanswered questions about how the information is being shared, by and to whom, and how safely. As with any emerging industry, we are hearing about some bumps in the road. Both Fintech companies and financial institutions, as well as consumer groups, are describing to us the various challenges, risks and technological obstacles to further progress in this area.”
OCC Proposes Revisions to Stress Test Information Collection
On November 15, the OCC published a notice and request for comment on proposed changes to its rules requiring certain covered financial institutions, including national banks and federal savings associations with assets over $50 billion, to report certain financial information as part of stress testing. The proposed revisions to the OCC’s reporting requirements are “intended to promote consistency with” the Fed’s proposed changes to its form FR Y-14A, and consist generally of clarifying instructions, shifting the “as-of date”, adding data items, deleting data items, and redefining existing data items—including an expansion of the information collected in the scenario schedule. The proposed revisions also reflect the implementation of the final Basel III regulatory capital rule, which is set to revise and replace the OCC’s risk-based and leverage capital requirements to be consistent with agreements reached by the Basel Committee on Banking Supervision in ‘‘Basel III: A Global Regulatory Framework for More Resilient Banks and Banking Systems’’ (Basel III). All comments must be received by January 19, 2017.
California AG Harris Launches New Consumer Privacy Tool
On October 14, California AG Harris released an online complaint form designed to help consumers report potential violations of the California Online Privacy Protection Act (CalOPPA). Pursuant to the CalOPPA, commercial websites and online services collecting consumer information are required to post privacy policies that include “the categories of information collected, the types of the third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the [policy’s] effective date.” As part of AG Harris’s “multi-pronged” effort to improve online privacy for consumers, the form will allow consumers to “crowdsource” privacy policy violations, thus “exponentially increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.”
CFPB Considers Registration Rule for Nonbank Financial Institutions
The CFPB recently issued a Request for Information (RFI) seeking vendor feedback on the agency’s consideration of establishing a web-based system that would require nonbank financial institutions to register with the CFPB. The RFI outlines the potential registration system’s capabilities and services, noting that nonbank financial institutions would use it to “apply for, amend, update, or renew a registration online using a single set of uniform applications.” In addition to other data gathering components, the potential registration system may be used for the collection of financial, operational, and organizational structure data. Responses from technology system vendors were due on July 29, 2016, with a disclaimer that the RFI was not “to be construed as a commitment that the CFPB will propose a rulemaking on the registration of nonbank financial institutions or that the CFPB will propose any specific system requirements.”
GSEs Release Redesigned Uniform Residential Loan Application
On August 23, Fannie Mae and Freddie Mac (GSEs) published a redesigned Uniform Residential Loan Application (URLA), the first substantial update to the standardized form used by borrowers applying for a residential loan in more than 20 years. The GSEs also released a redesigned Uniform Loan Application Dataset (ULAD) Mapping Document, used to “ensure consistency of data delivery.” The GSEs revised the URLA and ULAD by (i) redesigning the format to support better efficiency and more accurate data collection; (ii) including new and updated fields intended to “[c]apture loan application details that reflect today’s mortgage lending business and support both the GSEs’ and government requirements”; (iii) simplifying instructions; and (iv) incorporating revised HMDA demographic questions. The GSEs released FAQs about the redesigned URLA and ULAD, which will be available for lender use beginning January 1, 2018. Among other things, the FAQs note that (i) the GSEs will continue to support the URLA in paper form; and (ii) updates to the published documents may be required as a result of the CFPB’s review of the redesigned URLA in connection with the Regulation B safe harbor.
FTC Issues Report on Big Data
On January 6, the FTC published a report titled, “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues.” The report, which draws from information from a September 2014 FTC workshop, as well as public comments and research, primarily focuses on the final stage in the life cycle of big data use by addressing the commercial use of consumer data and its effect on low-income and underserved populations. According to the report, participants in the 2014 workshop expressed concern that potential inaccuracies and biases from big data may lead companies to “exclude low-income and underserved communities from credit and employment opportunities.” For example, the report states that, “if big data analytics incorrectly predicts that particular consumers are not good candidates for prime credit offers, educational opportunities, or certain lucrative jobs, such educational opportunities, employment, and credit may never be offered to these consumers.” In order to minimize legal and ethical risks, and to avoid possible exclusion and/or discrimination, the report suggests that companies should obtain an understanding of various laws that may apply to their big data practices, including the FCRA, equal opportunity laws, and the FTC Act. The report provides a basic overview of these laws and presents companies with a number of questions to consider when examining whether or not their data practices comply with such laws, including, but not limited to, whether or not a company maintains reasonable security over consumer data, and whether it complies with requirements under the Equal Credit Opportunity Act regarding requests for information and record retention. In addition to these questions, the report advises companies to consider the following four key policy questions: (i) How representative is your data set? (ii) Does your data model account for biases? (iii) How accurate are your predictions based on big data? (iv) Does your reliance on big data raise ethical or fairness concerns? Finally, while the report acknowledges the benefits of big data, such as providing access to credit using non-traditional methods and increasing equal access to employment, the FTC’s report stresses the significance of examining and raising awareness about big data practices that have the potential to adversely impact low-income and underserved populations.
FTC Announces Agenda for Cross-Device Tracking Workshop
On November 3, the FTC announced the agenda for its Cross-Device Tracking workshop, which is scheduled to take place on November 16 in Washington, D.C. FTC Chairwoman Edith Ramirez will deliver opening remarks, with FTC Office of Technology, Research and Investigation Policy Director Justin Brookman introducing two panel discussions. The first panel will examine the technology used for cross-device tracking, including how it has evolved, privacy concerns, and how the technology benefits consumers and businesses alike. The second panel will focus on the policy implications of cross-device tracking, such as: (i) the type of data being collected about consumers; (ii) consumer awareness of this type of tracking; (iii) notice to consumers of cross-device tracking and consumers’ ability to give consent; and (iv) industry self-regulation efforts.
NYDFS Reaches Fifth Agreement Regarding Symphony Chat System; Issues Regulatory Guidance
On October 13, the NYDFS announced that it reached its fifth agreement with a bank regarding record keeping requirements and other protections to ensure that the bank is responsibly using Symphony Communication Services, LLC’s chat and messaging platform (Symphony). In September, the NYDFS reached similar agreements with four banks after expressing concern that some Symphony features, most notably its promised service of “Guaranteed Data Deletion,” had the capability to hinder regulators’ and prosecutors’ investigations of misconduct at banks. Per the agreements reached with the NYDFS, the banks must (i) require Symphony to maintain copies of all communications sent through the chat and messaging platform for at least seven years; (ii) provide an independent custodian with a copy of decryption keys for encrypted messages sent through Symphony; and (iii) inform the NYDFS of the location of the decryption keys. Acting Superintendent Anthony Albanese outlined these requirements in the October 13 guidance issued to all NYDFS-regulated institutions, stressing that “any [NY]DFS-regulated institution that is considering using the Symphony platform should ensure that the entity’s anticipated use conforms to the standards included in the Agreements.”
European Court of Justice Ruling on Validity of U.S.-EU Data Sharing Agreement Scheduled for October 6
Following up on an opinion issued on September 23 by the European Court of Justice Advocate General Yves Bot, the European Court of Justice is scheduled to issue its ruling on the validity of the U.S.-EU Safe Harbor Program on October 6. The High Court’s swift decision to issue judgment follows an opinion from the Advocate General advocating that the 2000 data sharing agreement between the U.S. and the European Union is invalid and inadequately protects Europeans’ personal data. Previous InfoBytes coverage can be seen here. The case is Schrems v. Data Protection Commissioner.