InfoBytes Blog

Financial Services Law Insights and Observations

  • Special Alert: NYDFS accelerates Libor transition planning

    Federal Issues

    On December 23, 2019, the New York Department of Financial Services issued an “Industry Letter” requesting that each NYDFS-regulated institution submit the institution’s plan for addressing the transition away from Libor-based credit, derivative, and securities exposures. The NYDFS letter has spurred additional focus by financial institutions on the issue, and not only by those regulated by NYDFS. This Client Alert summarizes the current state of play in Libor transition, and outlines some key considerations for developing a Libor transition plan.

    * * *

    Click here to read the full special alert.

    If you have any Libor-related questions please contact a Buckley attorney with whom you have worked in the past.

    Federal Issues Special Alerts LIBOR NYDFS Risk Management SOFR

  • Fed provides FAQs for tailoring rules

    Agency Rule-Making & Guidance

    On January 13, the Federal Reserve Board (Fed) issued SR 20-2, “Frequently Asked Questions on the Tailoring Rules” (FAQs) applicable to bank holding companies, savings and loan companies, U.S. intermediate holding companies with $100 billion or more in total assets, and certain depository institutions. In October, as previously covered by InfoBytes, the Fed and the OCC released a jointly developed framework that set out four categories to be used to classify these banking entities for the purposes of determining regulatory capital and liquidity requirements based on risk. The FAQs provide guidance on the tailoring rules, including answers to questions about Liquidity Coverage Ratio (LCR) requirements, recognition of Accumulated Other Comprehensive Income, compliance requirements for foreign banking organizations with less than $100 billion in U.S. assets, and the interpretation of “quarterly” in relation to stress testing frequency.

    Agency Rule-Making & Guidance Federal Reserve Bank Holding Companies SIFIs Liquidity Standards Stress Test OCC Of Interest to Non-US Persons LCR Bank Compliance

  • Data breach settlement of $380.5 million approved in consumer reporting agency class action

    Privacy, Cyber Risk & Data Security

    On January 13, the U.S. District Court for the Northern District of Virginia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (company) to resolve allegations arising from a 2017 cyberattack causing a data breach of the company. After the company announced the breach, many consumers filed suit and were eventually joined into a proposed settlement class. As previously covered by InfoBytes, the plaintiffs alleged that the company (i) failed to provide appropriate security to protect stored personal consumer information; (ii) misled consumers regarding the effectiveness and capacity of its security; and (iii) failed to take proper action when vulnerabilities in their security system became known. The company and the plaintiffs later submitted a proposed settlement order to the court.

    According to the final order and judgment, the court certified the settlement class of the approximately 147 million affected consumers, finding the class was adequately represented, and approved the “distribution and allocation plan” as fair and reasonable. In the order granting final approval of the settlement the company agreed to, among other things, pay $380.5 million into a settlement fund and potentially up to $125 million more to cover “certain out-of-pocket losses,” $77.5 million for attorneys’ fees, and approximately $1.4 million for reimbursement of expenses. Class members are eligible for additional benefits including up to 10 years of credit monitoring and identity theft protection services or cash compensation if they already have those services, as well as identity restoration services for seven years. The company also agreed to spend at least $1 billion on data security and technology in the next five years.

    Privacy/Cyber Risk & Data Security Class Action Settlement Data Breach Consumer Data Class Certification Consumer Reporting Agency

  • NYDFS appoints Leandra English to executive team

    State Issues

    On January 14, NYDFS Superintendent Linda Lacewell announced that former Deputy Director of the CFPB, Leandra English, will serve as Special Policy Advisor to the Department. In her role, English will report directly to Lacewell and will manage and develop NYDFS’ policy initiatives involving consumers, financial services, and other issues. English will also be responsible for spearheading NYDFS’ policy development and analysis process, and assisting in the identification of common regulatory trends and risks across industries. 

    State Issues NYDFS State Regulators Consumer Protection Financial Services Authority

  • Basis for invalidating CFPB is “remarkably weak,” says court-appointed defender

    Courts

    On January 15, Paul Clement, the lawyer selected by the U.S. Supreme Court to defend the leadership structure of the CFPB, filed a brief in Seila Law LLC v. CFPB arguing that Seila Law’s constitutionality arguments are “remarkably weak” and that “a contested removal is the proper context to address a dispute over the President’s removal authority.” First, Clement stated that “there is no ‘removal clause’ in the Constitution,” and that because the “constitutional text is simply silent on the removal of executive officers” it does not mean there is a “promising basis for invalidating an Act of Congress.” Moreover, the Constitution leaves it to Congress to decide “all manner of questions about the organization and structure of executive-branch departments and officers,” Clement wrote. Second, Clement disagreed with the argument that Congress cannot impose modest restrictions on the President’s ability to remove executive officers, so long as the President is the one exercising the removal powers. Third, Clement noted that in the past, the Court has repeatedly upheld the ability to place permissible restrictions on a President’s removal authority.

    Clement further contended, among other things, that the dispute in Seila is “not just unripe, but entirely theoretical.” He referenced the Bureau’s brief filed last September (covered by InfoBytes here), in which the CFPB argued that the for-cause restriction on the President’s authority to remove the Bureau’s single director violates the Constitution’s separation of powers, and noted that “[w]hatever was true when this suit was first filed, the theory of the unitary executive appears alive and well in the Director’s office.” Rather, Clement stated, the Court should wait for an instance where a CFPB director has been fired for something short of the “inefficiency, neglect of duty, or malfeasance in office” threshold that Congress set for dismissing a CFPB director in Dodd-Frank before ruling on the question. Clement also emphasized that “text, first principles and precedent” all “strongly support” upholding the U.S. Court of Appeals for the Ninth Circuit’s decision from last May, which deemed the CFPB to be constitutionally structured and upheld a district court’s ruling enforcing Seila Law’s compliance with a 2017 civil investigative demand.

    As previously covered by InfoBytes, the 9th Circuit held that the for-cause removal restriction of the CFPB’s single director is constitutionally permissible based on existing Supreme Court precedent. The panel agreed with the conclusion reached by the U.S. Court of Appeals for the D.C. Circuit majority in the 2018 en banc decision in PHH v. CFPB (covered by a Buckley Special Alert) stating, “if an agency’s leadership is protected by a for-cause removal restriction, the President can arguably exert more effective control over the agency if it is headed by a single individual rather than a multi-member body.”

    The parties in Seila filed briefs last December. While both parties are in agreement on the CFPB’s single-director leadership structure, they differ on how the matter should be resolved. Seila Law argued that the Court should invalidate all of Title X of Dodd-Frank, whereas the Bureau contended that the for-cause removal provision should be severed from the rest of the law in accordance with Dodd-Frank’s express severability clause. Oral arguments are scheduled for March 3. (Previous InfoBytes coverage here.)

    Courts U.S. Supreme Court CFPB Single-Director Structure Seila Law Constitution

  • FDIC extends deadline for comments on innovation pilot programs

    Agency Rule-Making & Guidance

    On January 14, the FDIC again published a notice and request for comments in the Federal Register on innovation pilot programs. The FDIC first solicited comments on innovation pilot programs in November, with comments due by January 6. As no comments were submitted, the agency is once again requesting comments on the programs, which, as previously covered by InfoBytes, it hopes will spur collaboration “with innovators in the financial, non-financial, and technology sectors to, among other things, identify, develop, and promote technology-driven innovations among community and other banks in a manner that ensures the safety and soundness of FDIC-supervised and insured institutions.”

    Comments must be received by February 13.

    Agency Rule-Making & Guidance Fintech Community Banks Supervision FDIC

  • Securities class action against bank pared down

    Courts

    On January 12, the U.S. District Court for the Northern District of California dismissed one of plaintiffs’ causes of action and concluded that only two of the 67 public statements the plaintiffs identified in support of their securities fraud causes of action against a large bank and its former CEO (defendants) related to the defendants’ “collateral protection insurance (CPI) … practices for auto loan customers” were actionable. The plaintiffs alleged that while, in July 2016, the defendants learned of irregularities with respect to the CPI and, by September 2016, discontinued the program, the defendants did not disclose information on the CPI program’s issues until July 2017, after which time, the defendants’ stock price dropped. The plaintiffs then filed suit based on 67 public statements made by the defendants prior to that time, which the plaintiffs alleged the defendants knew were “false or misleading” and resulted in the bank’s stockholders losing money.

    Upon review, the court found that 65 of the 67 public statements on which the plaintiffs’ causes of action were based were not actionable. The two statements that the court found may support the plaintiffs’ causes of action were those made by the defendants when they were specifically asked whether they knew about “potential misconduct outside of the already disclosed improper retail banking sales practices” and, each time, “failed to disclose the CPI issue….” With respect to the two statements, the court found that the plaintiffs had “met [their] burden under the PSLRA (Private Securities Litigation Reform Act)” to show a “strong inference that the defendant acted with the required state of mind,” and that the plaintiffs “adequately pleaded loss causation.” According to the opinion, the defendants did not challenge the plaintiffs’ contentions about the two alleged misstatements’ connection to the purchase or sale of the defendants’ securities, or that the plaintiffs relied on the misstatements or omissions and experienced economic losses as a result.

    Courts Securities Class Action Class Certification Auto Leases Insurance

  • After settlement, six remain in FTC robocalling suit

    Federal Issues

    On January 10, the FTC announced that it entered into two settlement agreements: one with a call center and two individuals, and one with an additional individual (together, “the settling defendants”) that it claims made illegal robocalls to consumers as part of a cruise line’s telemarketing operation allegedly aimed at marketing free cruise packages to consumers. According to the two settlements (see here and here), the settling defendants “participated in unfair acts or practices in violation of . . . the FTC Act, and the FTC’s Telemarketing Sales Rule [(TSR)]” by “(a) placing telemarketing calls to consumers that delivered prerecorded messages; (b) placing telemarketing calls to consumers whose telephone numbers were on the National Do Not Call Registry; and (c) transmitting inaccurate caller ID numbers and names with their telemarketing calls.” The defendants are permanently banned from making telemarketing robocalls, and have been levied judgments totaling $7.8 million, all but $2,500 of which has been suspended due to the defendants’ inability to pay.

    Also on January 10, the FTC filed a complaint in the U.S. District Court for the Middle District of Florida against the remaining six defendants allegedly involved in the telemarketing operation, for violations of the FTC Act and TSR based on the same actions alleged against the settling defendants.

    Federal Issues Robocalls FTC Telemarketing Sales Rule FTC Act Settlement Enforcement

  • OFAC sanctions entities for aiding North Korea’s exportation of workers

    Financial Crimes

    On January 14, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced it was imposing sanctions on a North Korean trading corporation and a China-based North Korean lodging facility for facilitating North Korea’s practice of sending laborers abroad. According to OFAC, North Korea’s continued practice of exporting North Koreans as illicit laborers is an ongoing attempt to undermine and evade United Nations Security Council Resolutions. The designated companies’ exportation of workers on behalf of the country, OFAC stated, has generated revenue for the North Korean government or the Workers’ Party of Korea. As a result of the sanctions, “all property and interests in property of these targets that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.” OFAC noted that its regulations “generally prohibit” U.S. persons from participating in transactions with the designated persons, and warned foreign financial institutions that if they knowingly facilitate significant transactions for any of the designated individuals, they may be subject to U.S. secondary sanctions.

    Financial Crimes Department of Treasury Of Interest to Non-US Persons OFAC Executive Order Sanctions Venezuela China

  • Washington state introduces comprehensive privacy bill

    Privacy, Cyber Risk & Data Security

    On January 13, Washington state lawmakers announced two bills designed to strengthen consumer access and control over personal data and regulate the use of facial recognition technology. Highlights of SB 6281, the Washington Privacy Act, include the following:

    • Applicability. SB 6281 will apply to legal entities that conduct business or produce products or services that are targeted to Washington consumers that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 50 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers. Exempt from SB 6281, among others, are state and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records.
    • Consumer rights. Consumers will be able to exercise the following concerning their personal data: access; correction; deletion; data portability; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
    • Controller responsibilities. Controllers required to comply with SB 6281 will be responsible for (i) transparency; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data, and conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.”
    • State attorney general. SB 6281 does not create a private right of action for individuals to sue if there is an alleged violation. However, the AG will be permitted to bring actions and impose penalties of no more than $7,500 per violation. The AG will also be required to submit a report evaluating the liability and enforcement provisions of SB 6281 by 2022 along with any recommendations for change.
    • Information sharing. SB 6281 will allow the state governor to enter into agreements with British Columbia, California, and Oregon, which will allow personal data to be shared for joint research initiatives.
    • Facial Recognition. SB 6281 will establish limits on the commercial use of facial recognition services. Among other things, the bill will require third-party testing on all services prior to deployment for accuracy and unfair performance, conspicuous notice when a service is deployed in a public space, and will require companies to receive consumer consent prior to enrolling an image in a service used in a public space.

    The second bill, SB 6280, will more specifically govern the use of facial recognition services by state and local government agencies, and, among other things, outlines provisions for the use of facial recognition services when identifying victims of crime, stipulates restrictions concerning ongoing surveillance, and requires agencies to produce an annual report containing a compliance assessment.

    As previously covered by InfoBytes, last year, New York introduced proposed legislation (see S 5642) that seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state. Provisions included in the measures introduced by New York and Washington state differ from those contained in the California Consumer Privacy Act (CCPA), which took effect January 1. (Previous InfoBytes coverage on the CCPA is available here.)

    Privacy/Cyber Risk & Data Security Privacy Rule State Issues State Legislation Consumer Protection State Attorney General Opt-In
