Among the more than 20 bills that the House Financial Services Committee is scheduled to mark up this Wednesday, October 11, is a bill to provide a “Madden fix” as well as several others relevant to consumer financial services providers.

These bills are the following:

  • H.R. 3299, “Protecting Consumers’ Access to Credit Act of 2017.”  In Madden, the Second Circuit ruled that a nonbank that purchases loans from a national bank could not charge the same rate of interest on the loan that Section 85 of the National Bank Act allows the national bank to charge.  The bill would add the following language to Section 85 of the National Bank Act: “A loan that is valid when made as to its maximum rate of interest in accordance with this section shall remain valid with respect to such rate regardless of whether the loan is subsequently sold, assigned, or otherwise transferred to a third party, and may be enforced by such third party notwithstanding any State law to the contrary.”
    This language is identical to language in a bill introduced in July 2017 by Democratic Senator Mark Warner as well as language in the Financial CHOICE Act and the Appropriations Bill that is also intended to override Madden.  Like those bills, H.R. 3299 would add the same language (with the word “section” changed to “subsection” when appropriate) to the provisions in the Home Owners’ Loan Act, the Federal Credit Union Act, and the Federal Deposit Insurance Act that provide rate exportation authority to, respectively, federal savings associations, federal credit unions, and state-chartered banks.  In the view of Isaac Boltansky of Compass Point, the bill is likely to be enacted in this Congress.
  • H.R. 2706, “Financial Institution Consumer Protection Act of 2017.”  This bill is intended to prevent a recurrence of “Operation Chokepoint,” the federal enforcement initiative involving various agencies, including the DOJ, the FDIC, and the Fed.  Initiated in 2012, Operation Chokepoint targeted banks serving online payday lenders and other companies that have raised regulatory or “reputational” concerns.  The bill includes provisions that (1) prohibit a federal banking agency from (i) requesting or ordering a depository institution to terminate a specific customer account or group of customer accounts, or (ii) attempting to otherwise restrict or discourage a depository institution from entering into or maintaining a banking relationship with a specific customer or group of customers, unless the agency has a material reason for doing so and such reason is not based solely on reputation risk, and (2) require a federal banking agency that requests or orders termination of a specific customer account or group of customer accounts to provide written notice to the institution and customer(s) that includes the agency’s justification for the termination.  (In August 2017, the DOJ sent a letter to the chairman of the House Judiciary Committee in which it confirmed the termination of Operation Chokepoint.  Acting Comptroller Noreika, in remarks last month in which he also voiced support for “Madden fix” legislation, indicated that the OCC had denounced Operation Choke Point.)
  • H.R. 3072, “Bureau of Consumer Financial Protection Examination and Reporting Threshold Act of 2017.”  The bill would raise the asset threshold for banks subject to CFPB supervision from total assets of more than $10 billion to total assets of more than $50 billion.
  • H.R. 1116, “Taking Account of Institutions with Low Operation Risk Act of 2017.”  The bill includes a requirement that for any “regulatory action,” the CFPB and the federal banking agencies must consider the risk profile and business models of each type of institution or class of institutions that would be subject to the regulatory action and tailor the action in a manner that limits the regulatory compliance and other burdens based on the risk profile and business model of the institution or class of institutions involved.  The bill also includes a look-back provision that would require the agencies to apply the bill’s requirements to all regulations adopted within the last seven years and revise any regulations accordingly within three years.  A “regulatory action” would be defined as “any proposed, interim, or final rule or regulation, guidance, or published interpretation.”
  • H.R. 2954, “Home Mortgage Disclosure Adjustment Act.”  The bill would amend the Home Mortgage Disclosure Act to create exemptions from HMDA’s data collection and disclosure requirements for depository institutions (1) with respect to closed-end mortgage loans, if the institution originated fewer than 1,000 such loans in each of the two preceding years, and (2) with respect to open-end lines of credit, if the institution originated fewer than 2,000 such lines of credit in each of the two preceding years.  (An amendment in the nature of a substitute would lower these thresholds to fewer than 500 closed-end mortgage loans and fewer than 500 open-end lines of credit.)
  • H.R. 1699, “Preserving Access to Manufactured Housing Act of 2017.”  The bill would amend the Truth in Lending Act and the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (SAFE Act) to generally exempt a retailer of manufactured housing from TILA’s “mortgage originator” definition and the SAFE Act’s “loan originator” definition.  It would also increase TILA’s “high-cost mortgage” triggers for manufactured housing financing.
  • H.R. 2396, “Privacy Notification Technical Clarification Act.”  This bill would amend the Gramm-Leach-Bliley Act’s requirements for providing an annual privacy notice.  (An amendment in the nature of a substitute is expected to be offered.)

The FTC has announced that it will host a workshop on December 12, 2017 in Washington, D.C. to examine consumer injury in the context of privacy and data security.

In the workshop, the FTC plans to examine questions about the injury consumers suffer when information about them is exposed or misused such as “how to best characterize these injuries, how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the tradeoffs involved in collecting, using, or providing information while also potentially increasing their exposure to injuries.”

The types of consumer harm that flow from data security and privacy breaches have significant implications both for government enforcement and private actions.  With regard to government enforcement actions, in remarks given in February 2017 soon after her appointment by President Trump as Acting FTC Chairman, Maureen Ohlhausen observed that a focus on consumer injury is important both in deciding what cases to bring and in determining what remedy to seek.  She stated that the FTC can best use its limited resources “by focusing on practices that are actually harming or likely to harm consumers” and used recent privacy and data security actions as examples of situations where the FTC “strayed from a focus on actual harm.”  She also criticized the FTC’s pursuit of disgorgement that was “disproportionate to any consumer harm” and stated that she intended to “work to ensure that our enforcement actions target behaviors causing concrete consumer harm, and that remedies are tied to consumer harm.”

With regard to private actions, the issue of what types of consumer injury will satisfy Article III standing under the U.S. Supreme Court’s Spokeo decision continues to be litigated.  In Spokeo, the Supreme Court held that a plaintiff alleging a violation of the Fair Credit Reporting Act does not have Article III standing to sue for statutory damages in federal court unless the plaintiff can show that he or she suffered “concrete,” “real” harm as a result of the violation.

In advance of the workshop, the FTC is seeking comment by October 27 on the issues to be covered by the workshop, including the following questions:

  • What are the qualitatively different types of injuries from privacy and data security incidents?  What are some real life examples of these types of informational injury to consumers and to businesses?
  • What frameworks might we use to assess these different injuries?  How do we quantify injuries?  How might frameworks treat past, current, and potential future outcomes in quantifying injury?  How might frameworks differ for different types of injury?
  • How do businesses evaluate the benefits, costs, and risks of collecting and using information in light of potential injuries?  How do they make tradeoffs? How do they assess the risks of different kinds of data breach?  What market and legal incentives do they face, and how do these incentives affect their decisions?
  • How do consumers perceive and evaluate the benefits, costs, and risks of sharing information in light of potential injuries?  What obstacles do they face in conducting such an evaluation?  How do they evaluate tradeoffs?

The Federal Trade Commission (“FTC”) released an updated version of its guidance on complying with the Children’s Online Privacy Protection Act (“COPPA”) on June 21, 2017. Companies that collect personal information from children under 13 years of age need to comply with COPPA. To help companies with COPPA compliance, the FTC’s guidance presents a six-step plan:

  • Step 1: Determine whether your company is a website or online service that collects personal information from kids under 13;
  • Step 2: Post a privacy policy that complies with COPPA;
  • Step 3: Notify parents directly before collecting personal information from their kids;
  • Step 4: Get parents’ verifiable consent before collecting personal information from their kids;
  • Step 5: Honor parents’ ongoing rights with respect to personal information collected from their kids; and
  • Step 6: Implement reasonable procedures to protect the security of kids’ personal information.

The updated guidance makes two important changes. First, the FTC clarifies that “website or online service” includes Internet of Things devices as well as connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.

Second, the updated guidance provides two additional methods by which businesses can obtain verifiable consent from parents to collect personal information from children:

  • Parents can answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or
  • Parents can provide a picture of a driver’s license or other photo ID which is then compared to a second photo submitted by the parent using facial recognition technology.

Last week, the Federal Trade Commission (FTC) Bureau of Consumer Protection’s Acting Director, Thomas Pahl, posted on the FTC’s Business Blog about the FTC’s role as the federal agency with the “broadest jurisdiction” to pursue privacy and data security issues. Pahl noted that for over twenty years the FTC has used its authority, “thoughtfully and forcefully to protect consumers even as new products and services emerge and evolve.”  Pahl emphasized that the FTC is “the enforcement leader in the privacy and security arena” and that the FTC will continue to “focus the national conversation on keeping consumer privacy and data security front and center as new technologies emerge.”

Pahl’s blog posting supports recent statements by FTC Acting Chairman Maureen Ohlhausen, who recently testified before Congress that, “the FTC is committed to protecting consumer privacy and promoting data security in the private sector.”

Companies should not expect the FTC to reduce its enforcement activities relating to privacy and data security issues, but companies can expect the FTC to shift away from bringing cases based on novel legal theories.  Ohlhausen is committed to re-focusing the FTC’s efforts on “bread-and-butter” enforcement.  Ohlhausen has spoken openly in opposition to recent enforcement actions brought under the Obama Administration that were based on speculative injury or subjective types of harm rather than concrete consumer injury.

Furthermore, companies should expect further guidance from the FTC relating to privacy and data security expectations to help reduce unnecessary regulatory burdens and provide additional transparency to businesses on how they can remain compliant and avoid engaging in unfair or deceptive acts or practices.  Under Ohlhausen’s leadership, companies should be watching closely for FTC guidance laying out what they should do to protect consumer privacy and ensure proper data security, rather than just waiting to find out what they should not do from FTC enforcement actions.

On September 15th, the FTC will hold a workshop to examine the testing and evaluation of disclosures that companies make to consumers about advertising claims, privacy practices, and other information.  The FTC’s workshop will explore how to test the effectiveness of these disclosures to ensure consumers notice them, understand them, and can use them in their decision-making.  Companies should incorporate the principles articulated during the workshop by federal regulators such as the FTC and the CFPB into the development of their own consumer disclosures, especially relating to e-commerce and mobile initiatives.

The “Putting Disclosures to the Test” workshop will explore ways to improve the evaluation and testing of consumer disclosures by industry, academics, and the FTC related to:

  • Disclosures in advertising designed to prevent ads from being deceptive;
  • Privacy-related disclosures, including privacy policies and other mechanisms to inform consumers that they are being tracked; and
  • Disclosures in specific industries designed to prevent deceptive claims.

Among the participants at the workshop will be Heidi Johnson, a research analyst from the CFPB Office of Research, who will present a case study entitled, “Disclosure Research in the Lab and Online.” The CFPB’s Decision Making and Behavioral Studies team is engaged in a strategic initiative to invest in research that explores the factors that influence a disclosure’s efficacy, how to use different methodologies to study disclosure, and the market effects of disclosure. Ms. Johnson’s work as a part of this team has included consumer research on overdraft and other financial products.

On July 1st, the CFPB proposed to amend Regulation P under the Gramm-Leach-Bliley Act (GLBA) to implement the statutory changes made by the Fixing America’s Surface Transportation Act (see prior post) that provided financial institutions that meet certain conditions with an exemption from the GLBA requirement to deliver annual privacy notices to customers.  The proposed changes would also establish timing requirements to begin re-delivering the annual privacy notices if a financial institution no longer qualifies for the exception.  Companies considering making changes to their privacy policies or practices should carefully assess the impact of the proposed rules.

The proposed rules would provide that a financial institution is not required to deliver a GLBA annual privacy notice if the financial institution:

  • Provides nonpublic personal information to nonaffiliated third parties only under one of the GLBA exceptions to the notice and opt-out requirements (§ 1016.13, § 1016.14, or § 1016.15); and
  • Has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent privacy notice provided to the customer.

The proposed rule would not affect the collection or use of consumers’ nonpublic personal information by financial institutions.  Nor does the new exception affect the requirement to deliver an initial privacy notice, so all consumers will continue to receive such initial notices describing the privacy policies of any financial institutions with which they do business.  Furthermore, financial institutions that choose to take advantage of the annual notice exception must still provide any opt-out disclosures required under the Fair Credit Reporting Act, which can generally be provided in the initial notice.

The CFPB is also proposing to remove its 2014 rule (as described in our prior post) that established an alternative delivery method for GLBA annual privacy notices. Because financial institutions that meet the conditions in Regulation P to use the alternative delivery method also would meet the conditions for the new statutory exemption, the CFPB has concluded that the alternative delivery method is no longer necessary as the CFPB believes that a financial institution that has both options available to it would choose not to send the annual privacy notice at all, rather than to deliver it pursuant to the alternative delivery method.  However, the CFPB notes that financial institutions that qualify for the new exemption may still choose to post privacy notices on their websites or deliver privacy notices to consumers who request them.

While a positive step forward in regulatory reform, the CFPB could have done this years ago during its 2014 rulemaking process.  However, an act of Congress was required to push the CFPB into making this common-sense change.

An amendment creating an exception to the annual privacy notice delivery requirement for financial institutions has been signed into law by President Obama as part of the “Fixing America’s Surface Transportation Act” (FAST Act).

Section 75001 of the FAST Act, signed into law on December 4, 2015, amends Section 503 of the Gramm-Leach-Bliley Act (GLBA) to add an exception to the annual notice delivery requirement for any financial institution that (1) only shares nonpublic personal information (NPI) as permitted by the GLBA without providing consumers with notice and opt-out rights, and (2) has not changed its policies and practices with regard to disclosing NPI since its most recent disclosure sent to consumers.

Since the CFPB (as well as other federal agencies including the FTC) have issued GLBA regulations, those regulations will need to be amended to reflect the exception created by the FAST Act.  Nevertheless, the exception created by the amendment is effective immediately.

For more on the amendment, see our legal alert.

A new lawsuit filed by the CFPB in a California federal district court alleges that the defendants, a company and its individual owner, are engaged in a nationwide student financial aid scam.  In addition to injunctive relief, the complaint seeks redress for harmed consumers and civil money penalties.

According to the CFPB’s complaint, the defendants contacted students and their families using letters and envelopes with images intended to create the false impression that the defendants were affiliated with the federal government or a college.  The letters were accompanied by a form to be completed by the student or the student’s family to apply for financial aid and returned to the defendants with a processing fee.  (The CFPB claims that the form looked visually similar to the Department of Education’s Free Application for Federal Student Aid and used similar terms.)

The defendants allegedly promised to use the information provided on the form to conduct extensive searches to match students with financial aid opportunities.  The CFPB claims that, in exchange for sending the form and fee, consumers received “absolutely nothing” or received only “a generic booklet that is not tailored to the consumers’ circumstances.”  It also claims that the defendants created an artificial sense of urgency by telling consumers that they would lose their opportunity to receive student financial aid unless they returned the form and paid the fee by a specified deadline.

The CFPB alleges that the defendants’ conduct violated the CFPA’s UDAAP prohibition.  It also alleges that by accepting a fee from a consumer, the defendants established a customer relationship that triggered the obligation to send an initial privacy notice under Regulation P but failed to provide such notice.


The Office of the Inspector General (OIG) has released the “2015 list of major management challenges” faced by the CFPB that the OIG believes will hamper the CFPB’s ability to accomplish the CFPB’s strategic objectives.  Like the 2014 list, one of the challenges identified by the OIG is the need to ensure that the CFPB has an effective information security program.  Due to the advanced persistent threats faced by the federal government, the OIG concluded that the CFPB needs to strengthen its defenses against attacks from outside governments, organized groups, and other threats.  The OIG identified four high-priority security risk areas for CFPB improvement:

  • Continuous monitoring to assess security controls and system configurations
  • Configuration management of CFPB systems
  • Role-based security training for individuals with significant security responsibilities
  • Incident response and reporting

The OIG applauded the CFPB’s efforts to build out its Cybersecurity Program Management Office, but the OIG recommended that the CFPB should continue improving its information security program, overseeing the security of contractor-operated information systems, transitioning IT resources from the Treasury Department, and ensuring that personally identifiable information (PII) is properly protected, including the PII that the CFPB receives from consumer complaints about credit card accounts, mortgage loans, and other consumer financial products and services.

The FTC recently proposed amendments to its Gramm-Leach-Bliley Act (GLBA) rules requiring motor vehicle dealers to send their customers an annual privacy notice.  The amendments would allow motor vehicle dealers to notify their customers that a privacy policy is available on their website, subject to certain conditions.  Comments on the proposal are due on or before August 31, 2015.

While Dodd-Frank transferred primary jurisdiction over the GLBA to the CFPB, the FTC retained authority over motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both.  The FTC’s proposal closely reflects the final rule issued last year by the CFPB for financial institutions subject to the CFPB’s GLBA rulemaking authority.

For more on the FTC’s proposal, see our legal alert.