InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC takes action against ed tech provider for lax data security

    Federal Issues

    On October 31, the FTC announced an administrative action against an education technology (ed tech) provider claiming that the company’s allegedly poor data security practices exposed the sensitive information of millions of users and employees, including Social Security numbers, email addresses, and passwords. According to the FTC’s complaint, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Less than a year later, another data breach involved a former employee using login information the company shared with employees and outside contractors to gain access to a third-party cloud database containing personal data for roughly 40 million users. In the following two years, the company experienced two more data breaches through phishing attacks that exposed sensitive employee data, including medical and financial information. Claiming violations of Section 5(a) of the FTC Act, the Commission alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.

    Under the terms of the proposed decision and order, the company would be required to take several measures to address the alleged conduct, including (i) documenting and limiting data collection; (ii) providing users access to collected data and allowing them to submit requests for deletion; (iii) implementing multifactor authentication or another authentication method to protect user and employee accounts; and (iv) implementing a comprehensive information security program that would encrypt consumer data and provide security training to employees, among other things.

    This action is part of the FTC’s ongoing efforts to make sure ed tech providers protect and secure personal data they collect and do not collect more information than necessary. As previously covered by InfoBytes, the FTC issued a policy statement in May warning ed tech providers that they must fully comply with all provisions of the Children’s Online Privacy Protection Act when gathering data about children. The FTC emphasized that ed tech providers may not harvest or monetize children’s data, cannot force children to disclose more information than is reasonably necessary for participating in their educational services, and must have procedures in place to keep the data secure, among other things.

    Federal Issues Privacy, Cyber Risk & Data Security FTC Enforcement FTC Act UDAP COPPA Data Breach Consumer Protection

  • VA proposes amendments to IRRRL requirements

    Agency Rule-Making & Guidance

    On November 1, the Department of Veterans Affairs (VA) published a proposed rule in the Federal Register, which would amend the agency’s rules on VA-backed interest rate reduction refinancing loans (IRRRLs). Specifically, the proposed amendments would update existing VA IRRRL regulations to meet current statutory requirements for determining whether the agency can guarantee or insure a refinance loan. The amendments would modify current regulations to reflect requirements related to, among other things, net tangible benefit, recoupment, and seasoning standards. Additionally, due to confusion among program participants, VA is proposing clarifications to minimize the risk of lender noncompliance, thereby safeguarding veterans, easing lender concerns, reducing potential instability in the secondary loan market, and insulating taxpayers from unnecessary financial risk. Comments on the proposed rule are due January 3, 2023.

    Agency Rule-Making & Guidance Federal Issues Department of Veterans Affairs IRRRL Compliance

  • FHFA to host “tech sprints” on housing finance fintech solutions

    Fintech

    On November 2, FHFA published a notice in the Federal Register announcing plans to hold a series of competitions called “Tech Sprints” to solicit innovative solutions on ways to advance housing finance fintech in a safe, sound, responsible, and equitable manner. Recognizing the significant effects that regulated entities’ potential use of fintech products and innovations could have on the mortgage market and market participants, FHFA said it wants to gather information about new and emerging technologies that may have applications in the mortgage space. Two tech sprints are planned each year over the next three years, with participation expected from housing finance industry members as well as other industries, such as tech companies, mortgage companies, academia, industry groups, and other members of the public. FHFA is accepting comments through January 3, 2023, on the necessity of the information collection, the burden of such collection, and ways to minimize the burden on members and project sponsors when providing information on ways to enhance the quality, utility, and clarity of the information collected from the Tech Sprints.

    Fintech Federal Issues FHFA Federal Register

  • CFPB provides update on student loan borrowers

    Federal Issues

    On November 2, the CFPB’s Office of Research released an update showing that student loan borrowers are increasingly likely to struggle to make monthly payments when federal Covid-19 payment suspensions end in January 2023. The findings follow a report issued in April discussing the credit health of student loan borrowers during the pandemic (covered by InfoBytes here). According to the April report, researchers found that borrowers most at risk when payment suspension ends include those who are 30 to 49 years of age and who live in low-income, high-minority census tracts. However, the Bureau pointed out that since the report was released, inflation has risen and delinquencies and balances have increased for consumers across credit products—both of which may contribute to potential payment challenges for borrowers. The Bureau also noted that during this time, payment suspensions were extended through the end of 2022, and President Biden announced a student debt cancellation plan to reduce payment burdens for many borrowers and completely eliminate loans for others (covered by InfoBytes here).

    The Bureau’s recent findings examined data from its Consumer Credit Panel (a deidentified sample of credit records from one of the nationwide consumer reporting agencies) on consumers who are expected to resume scheduled loan payments at the end of the suspension. Findings show, among other things, that (i) an increasing number of borrowers are 60 days or more past due on a non-student-loan credit account since mid-2021; (ii) monthly payments across credit products aside from student loans have increased; and (iii) since the April report, delinquencies on non-student-loan products have risen further, with an overall increase in the number of borrowers (5.1 million to 5.5 million) who meet two or more potential risk factors that indicate a borrower may struggle when the payment suspensions end. These risk factors are: “pre-pandemic delinquencies on student loans, pre-pandemic payment assistance on student loans, multiple student loan servicers, delinquencies on other credit products since the start of the pandemic, and new non-medical collections during the pandemic.” The Bureau noted, however, that as many as one-third of borrowers with two or more risk factors may have their balances completely canceled under the student debt cancellation plan, so “despite worsening credit outcomes overall, the cancellation of some student loan debt means that fewer student loan borrowers are likely to be at risk of payment difficulties when federal student loan payments resume in January 2023 than they otherwise would be.”

    Federal Issues CFPB Student Lending Consumer Finance Covid-19

  • Chopra says CFPB is examining industry standard settings

    Federal Issues

    On November 2, CFPB Director Rohit Chopra delivered prepared remarks before a public meeting of the Bureau’s Consumer Advisory Board briefly touching upon several topics related to the Buy Now Pay Later market, big tech and data collection, peer-to-peer payment platforms, and Section 1033 rulemaking concerning consumers’ rights to their personal financial data. Notably, Chopra raised an area of discussion concerning industry standard-setting organizations and providers of critical infrastructure. Recognizing that private organizations play a major role in setting standards across sectors of the economy, Chopra emphasized that “[d]ecentralized, open banking will likely rely on fair standard-setting, through an amalgam of legally binding rules and industry developed standards.” He warned, though, that it “can be difficult to achieve fair standard-setting, since incumbents will have a strong economic interest when it comes to protecting their turf.” Chopra pointed to the telecommunications and health care industries as areas where private organizations “are not neutral, but are instead owned or governed by certain market participants” and where other players may also integrate a function akin to a lobbying or trade association. Explaining that the Bureau has been devoting a lot of time to this space, Chopra said the agency is gathering insights into other countries’ experiences, such as the UK’s Open Banking Implementation Entity (which was established to provide critical services and infrastructure), as well as domestic developments. He stated the Bureau will develop rulemaking with a practical mindset of how requirements would be operationalized in the market.

    Federal Issues Agency Rule-Making & Guidance CFPB Standard Setting UK Buy Now Pay Later

  • CISA releases new cybersecurity performance goals

    Privacy, Cyber Risk & Data Security

    Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released a new report outlining baseline cross-sector cybersecurity performance goals (CPGs) for all critical infrastructure sectors. The report follows a July 2021 national security memorandum issued by President Biden, which required CISA to coordinate with the National Institute of Standards and Technology (NIST) and the interagency community to create fundamental cybersecurity practices for critical infrastructure, primarily to help small- and medium-sized organizations improve their cybersecurity efforts. The CPGs were informed by existing cybersecurity frameworks and guidance, as well as real-world threats and adversary tactics, techniques, and procedures observed by the agency and its partners. CISA noted in the report that the CPGs are not comprehensive but instead “represent a minimum baseline of cybersecurity practices with known risk-reduction value broadly applicable across all sectors, and will be followed by sector-specific goals that dive deeper into the unique constraints, threats, and maturity of each sector where applicable.” Organizations may choose to voluntarily adopt the CPGs in conjunction with broader frameworks like the NIST Cybersecurity Framework. “The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques,” CISA said in its announcement.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance Federal Issues CISA NIST Biden Critical Infrastructure

  • FDIC releases September enforcement actions

    On October 28, the FDIC released a list of administrative enforcement actions taken against banks and individuals in September. During the month, the FDIC made public 12 orders consisting of “two consent orders, five orders of prohibition, two orders to pay a civil money penalty, two orders of termination of insurance, and one section 19 order.” The FDIC also publicly released an order to pay a civil money penalty taken against an Illinois-based bank related to alleged violations of the Flood Disaster Protection Act and the National Flood Insurance Act for failure to follow lender placement flood insurance procedures in 13 instances. The order requires the payment of an $11,625 civil money penalty.

    Bank Regulatory Federal Issues FDIC Enforcement Flood Disaster Protection Act National Flood Insurance Act Mortgages

  • FFIEC updates 2018 Cybersecurity Resource Guide for Financial Institutions

    On October 27, the FDIC issued FIL-50-2022 related to recent updates made to the Federal Financial Institutions Examination Council’s (FFIEC) 2018 Cybersecurity Resource Guide for Financial Institutions. The FFIEC guide is designed to assist financial institutions in meeting their security control objectives and preparing to respond to cyber incidents. The FFIEC guide includes updates to certain references as well as new ransomware-specific resources to address the ongoing threat of ransomware incidents.

    Bank Regulatory Federal Issues Privacy, Cyber Risk & Data Security FDIC FFIEC

  • OCC to establish Office of Financial Technology

    On October 27, the OCC announced it intends to establish an Office of Financial Technology early next year that will build on and incorporate the agency’s Office of Innovation (established in 2016 and covered by InfoBytes here). Intended to strengthen the OCC’s expertise and ability to adapt to a rapidly evolving banking landscape, the Office of Financial Technology will provide strategic leadership, vision, and perspective for the agency’s financial technology activities and related supervision. The new office will be led by a chief financial technology officer who will be a deputy comptroller reporting to the senior deputy comptroller for bank supervision policy. “Financial technology is changing rapidly and bank-fintech partnerships are likely to continue growing in number and complexity. To ensure that the federal banking system is safe, sound, and fair today and well into the future, we need to have a deep understanding of financial technology and the financial technology landscape,” acting Comptroller of the Currency Michael J. Hsu said. “The establishment of this office will enable us to be more agile and to promote responsible innovation, consistent with our mission.”

    Bank Regulatory Federal Issues Fintech OCC Innovation Supervision

  • CFPB seeks additional public input on big tech payment platforms

    Federal Issues

    On October 31, the CFPB announced it will reopen the public comment period for 30 days on a 2021 notice and request for comment related to the Bureau’s inquiry into big tech payment platforms. In October 2021, the Bureau issued orders to six large U.S. technology companies seeking information and data on their payment system business practices to inform the agency as to how these companies use personal payments data and manage data access to users (covered by InfoBytes here). The Bureau is inviting additional comments to broaden its understanding of the risks consumers face and potential policy solutions on topics related to, among other things, “companies’ acceptable use policies and their use of fines, liquidated damages provisions, and other penalties.” A notice will be published in the Federal Register with additional details on the public comment period in the coming days.

    Federal Issues CFPB Payments Consumer Finance Privacy, Cyber Risk & Data Security Payment Systems
