Alston & Bird Consumer Finance Blog

Don’t Miss the Small Stuff, Lenders: New Mexico Issues Regulatory Guidance for Completing the “Freedom to Choose” Insurance Company Form

A&B Abstract:

Under New Mexico’s Insurance Code, it has been a long-standing requirement that lenders may not condition a loan of money on the procurement of insurance from any particular insurer, agent, solicitor, or broker. The lender is required to inform the borrower of their rights “regarding the placement of insurance on a form prescribed by the superintendent,” and the borrower must “signify that he has been so informed.” The form of the required “Freedom to Choose” notice is prescribed by regulation under the Insurance Code as follows:

FREEDOM TO CHOOSE INSURANCE COMPANY AND INSURANCE PROFESSIONAL

The undersigned person hereby acknowledges that I have been informed by (individual’s name) on behalf of (name of lender) that, although I may be required by the seller or lender to purchase insurance to cover the property that is being used as security for the loan, I may purchase that insurance from the insurance company or agent of my choice, and cannot be required by the seller or lender, as a condition of the sale or loan, to purchase or renew any policy of insurance covering the property through any particular insurance company, agent, solicitor, or broker. I hereby acknowledge receipt of a true copy of this notice on the _____day of_____________, _____.

__________________________________

(Signature of Purchaser or Borrower)

The New Mexico Financial Institutions Division (FID) issued regulatory guidance (the “Guidance”) this month because some lenders have not been completing the form correctly. The Guidance clarifies that the “Freedom to Choose” notice requires the name of the individual providing the notice, and the FID treats the practice of entering only the company name in the blank reserved for the individual’s name as a violation of the Insurance Code.

Takeaway:

Lenders take note, as this is an easy violation to avoid. To that end, now is a good time to review your New Mexico policies, procedures, and QC reviews to ensure compliance with this requirement. Please don’t hesitate to reach out with any questions on when the form is required and how to ensure it is completed correctly. While the FID’s Guidance does not speak to penalties, it is worth noting that the Superintendent of the New Mexico Regulation and Licensing Department has authority to impose monetary penalties for violations of this provision, including a fine not to exceed $500 per violation. The statute also authorizes administrative penalties and civil actions.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation

On November 1, 2023, the New York Department of Financial Services (NYDFS) published the finalized Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500), which includes a number of significant and, for many covered entities, onerous changes to its original regulation. The finalized Second Amendment is much like the June 2023 proposed draft (which made certain revisions to the November 2022 draft). Covered entities should take note of these now-final changes that will require covered entities to review and revamp major components of their cybersecurity programs, policies, procedures, and controls to ensure they are in compliance. This is particularly important as the NYDFS continues to take on an active enforcement role following cyber events, marking itself as a leading cyber regulator in the United States.

Covered entities must notify the NYDFS of certain cybersecurity incidents, including providing notice within: (1) 72 hours after determining a cybersecurity event resulting in the “deployment of ransomware within a material part of the covered entity’s information system” occurred; and (2) 24 hours of making an extortion payment in connection with a cybersecurity event.

Covered entities must implement additional cybersecurity controls, including expanding their use of multifactor authentication and maintaining a comprehensive asset inventory. Covered entities are also required to maintain additional (or more prescriptive) cybersecurity policies and procedures, including ensuring that their incident response plans address specific delineated issues (outlined in the Second Amendment) and maintaining business continuity and disaster recovery plan requirements (both of which must be tested annually).

The most senior levels of the covered entity (senior governing body) must have sufficient knowledge to oversee the cybersecurity program. Additionally, the highest-ranking executive and the CISO are required to sign the covered entity’s annual certification of material compliance.

A material failure (which could be a single act) to comply with any portion of the Cybersecurity Regulation for a 24-hour period is considered a violation.

The Second Amendment became effective on November 1, 2023, and covered entities generally have 180 days to come into compliance with the new requirements. There are certain requirements, however, that will be phased in over the next two years. We have outlined the material changes and the effective dates below.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation Chart

The NYDFS is providing a number of resources for covered entities, including a helpful visual overview of the implementation timeline for covered entities, Class A companies, and small businesses (NYDFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19(a), (c), and (d)). The NYDFS is also hosting a series of webinars to provide an overview of the Second Amendment; individuals can register for the webinars on the NYDFS’s website.


FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the FTC approved an amendment to the Safeguards Rule (the “Amendment”) requiring that non-banking financial institutions notify the FTC in the event of a defined “Notification Event” in which customer information of 500 or more individuals was subject to unauthorized acquisition. The Amendment becomes effective 180 days after publication in the Federal Register. Importantly, the Amendment requires notification only to the Commission, which will post the information publicly, and not to the potentially impacted individuals.

Financial institutions subject to the Safeguards Rule are those not otherwise subject to enforcement by another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805 (“GLBA”). Financial institutions within the FTC’s jurisdiction under the Safeguards Rule include mortgage brokers, “payday” lenders, auto dealers, non-bank lenders, credit counselors and other financial advisors, and collection agencies, among others. The FTC made clear that one primary reason for adopting these new breach notification requirements is so the FTC can monitor emerging data security threats affecting non-banking financial institutions and facilitate prompt investigations following major security breaches, yet another clear indication that the FTC intends to continue focusing on cybersecurity and breach notification procedures.

Notification to the FTC

Under the Amendment, notification to the FTC is required upon a “Notification Event,” which is defined as the acquisition of unencrypted customer information without authorization that involves at least 500 consumers. As a new twist, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has evidence that the unauthorized party only accessed, but did not acquire, the information. This presumption of unauthorized acquisition based on unauthorized access is consistent with the FTC’s Health Breach Notification Rule and HIPAA, but not with state data breach notification laws or the GLBA’s Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”).

As mentioned above, individual notification requirements for non-banking financial institutions will continue to be governed by state data breach notification statutes and are not otherwise addressed in the Amendment. The inclusion of a federal regulatory notification requirement, but not an individual notification requirement, in the Amendment is a key departure from other federal financial regulators, as articulated in the Interagency Guidelines (which apply to banking financial institutions) and in the SEC’s proposed rules that would require individual and regulatory reporting by registered investment advisers and broker-dealers.

Expansive Definition of Triggering Customer Information

Again departing from pre-existing notification triggers of “sensitive customer information” in the Interagency Guidelines or “personal information” under state data breach reporting laws, the FTC’s rule requires notification to the Commission if “customer information” is subject to unauthorized acquisition. “Customer information” is defined as “non-public personal information,” (see 16 C.F.R. 314.2(d)) which is further defined to be “personally identifiable financial information” (see 16 C.F.R. 314.2(n)).

Under the FTC’s rule, “personally identifiable financial information” is broadly defined to be (i) information provided by a consumer to obtain a service or product from the reporting entity; (ii) information obtained about a consumer resulting from any transaction involving a financial product or service from the non-banking financial institution; or (iii) information the non-banking financial institution obtains about a consumer in connection with providing a financial product or service to the consumer. Unlike the Interagency Guidelines, which define “sensitive customer information” as a specific subset of data elements (“customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account”) (see 12 CFR Appendix F to Part 225 (III)(A)(1)), the FTC’s definition of “personally identifiable financial information” is much broader.

For example, “personally identifiable financial information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the fact that an individual has been one of your customers, and any information collected through a cookie. Because of this broad definition, notification obligations may be triggered by a wider variety of data events than would trigger data breach notifications for banking financial institutions under the Interagency Guidelines or under state data breach notification laws. As a result, non-banking financial institutions should consider reviewing and revising their incident response procedures so that they are prepared to conduct a separate analysis of FTC notification requirements under the Amendment, as distinct from state law notification requirements.

No Risk of Harm Provision

Although the FTC considered whether to include a “risk of harm” standard for notifying the Commission, it ultimately decided against including one, to avoid any ambiguity or the potential for non-banking financial institutions to underestimate the likelihood of misuse. However, numerous state data breach reporting statutes contain risk of harm provisions that excuse notice to individuals and/or state regulators where the unauthorized acquisition and/or access of personal information is unlikely to cause substantial harm (such as fraud or identity theft) to the individual. This divergence between FTC notification and state law sets the stage for the possibility that a reporting non-banking financial institution could be required to report to the FTC, but not to potentially affected individuals and/or state attorneys general pursuant to state law.

Timing and Content for Notice to FTC

Non-banking financial institutions must notify the Commission as soon as possible, and no later than 30 days after discovery of the Notification Event. Discovery of the event is deemed to be the “first day on which such event is known…to any person other than the person committing the breach, who is [the reporting entity’s] employee, officer, or other agent.” The FTC’s timeline is similar to the timeline for notifying state attorneys general under most state data breach notification laws (either explicitly or implicitly), but it is a key difference from the Interagency Guidelines, which require notification to the bank’s primary federal regulator as soon as possible.

The notification must be submitted electronically on a form located on the FTC’s website (https://www.ftc.gov), and must include the following information, which will be available to the public: (i) the name and contact information of the reporting financial institution; (ii) a description of the types of information involved in the Notification Event; (iii) the date or date range of the Notification Event (if available); (iv) the number of consumers affected or potentially affected; (v) a general description of the Notification Event; and (vi) whether a law enforcement official (including the official’s contact information) has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security. Making this type of information regarding a data security incident available to the public is not part of any current U.S. regulatory notification structure.

Law Enforcement Delays Public Disclosure by FTC, Not FTC Reporting

A law enforcement delay may preclude public posting of the Notification Event by the FTC for up to 30 days, but it does not excuse timely notification to the FTC. A law enforcement official may seek a further 60-day extension, which the Commission may grant if it determines that public disclosure of the Notification Event “continues to impede a criminal investigation or cause damage to national security.”

As Economic Winds Blow, So Do Whistleblowers: How to Protect Your Company Through Turbulent Times

A&B Abstract:

As recently reported by the Financial Times, banks are preparing for the “deepest job cuts since the financial crisis,” with firings expected to be “super brutal.” Already, nonbank lenders and service providers have been suffering through several rounds of layoffs, with potentially more to come. Former employees, particularly disgruntled ones, may have information they want to share with the government. An Insider article highlighted that remote work has resulted in a surge of whistleblower complaints. If true, even current employees, including those whose complaints or grievances fall on deaf ears, could also be potential whistleblowers.

Alston & Bird Partners Nanci Weissgold, Joey Burby, and Cara Peterman (ably assisted by, and with special thanks to, Charlotte Bohn, Andrew Brown, and Melissa Malpass) addressed today’s challenging economic conditions and how companies can protect themselves during an expected surge in whistleblowing by disgruntled current and former employees. The webinar slides address:

  • What you need to know about government whistleblower reward programs and laws with whistleblower incentives and protections, including the False Claims Act, FIRREA, and the SEC’s Whistleblower program.
  • Recent trends, developments, major settlements, and awards in whistleblower-related settlements and litigation.
  • Best practices for companies when responding to, de-escalating, and defending against whistleblower complaints.

Best Practices for Responding to Whistleblower Complaints

#1: Keep complaints internal. It is critical to have procedures in place for employees (as well as contractors and other agents) to report compliance concerns internally.

  • Establish a compliance hotline or other means of anonymous reporting.
  • Have an anti-retaliation policy to protect employees who make a report.
  • Promote these policies and procedures, and train employees on them.

This is a required element of an effective compliance program under DOJ and SEC guidance and factors into their charging decisions; it is also considered under the U.S. Sentencing Guidelines in determining corporate penalties.

Additionally, internal complaints allow companies to investigate, remediate (if necessary), and consider whether and how to self-disclose. The 2023 revisions to DOJ’s Corporate Enforcement Policy strongly encourage self-disclosure, offering significant incentives to companies that do.

#2: Maintain a strong Compliance Management System (CMS). A strong CMS is one that establishes compliance responsibilities, communicates those responsibilities to employees, ensures the responsibilities are carried out and met, takes corrective action, and updates tools, systems, and processes as needed.

Scaled to the size of the company’s operations, a CMS requires:

  • A strong board of directors and management oversight – “tone at the top.”
  • Comprehensive written policies and procedures to demonstrate an understanding of all applicable laws and regulations.
  • Training on all applicable laws to ensure that employees can perform their functions.
  • Monitoring and testing based on an assessment of risk carried out through three lines of defense:
    (1) functions that own and manage risk; (2) functions that oversee risk; and (3) functions that provide independent assurance.
  • Timely corrective action that remediates past issues and prevents reoccurrence prospectively.
  • Consumer complaint response, root cause analysis, and enterprise-wide action.

#3: Time is of the essence. Whether you learn of a whistleblower complaint internally or via contact from a government agency, you should initiate an internal investigation into the subject matter of the complaint immediately. DOJ takes the immediacy of self-disclosure into account in determining whether to file charges. If there is ongoing problematic conduct, you want to stop it and cut off potential liability.

  • What the investigation will involve, and how it will be conducted, will vary depending on the seriousness of the complaint and how credible it appears.
  • Inside or outside counsel should generally conduct the investigation to ensure communications and work product are protected by the attorney-client privilege.
  • Some basic steps are common to almost every internal investigation:
    • Ensure that all potentially relevant documents (including emails and IMs) are preserved.
    • Collect and review relevant documents.
    • Interview involved employees (giving Upjohn warnings).

Takeaway

Given that a surge in whistleblower complaints is likely, financial institutions should ensure that they are adequately prepared to address them.

New York Amends Disclosure Requirements for Telemarketers

A&B Abstract:

New York Governor Kathy Hochul signed legislation in December designed to limit unwanted telemarketing calls by giving consumers the option to be added to a company’s do-not-call list at the outset of a call. The new law takes effect March 6, 2023.

Updated Requirements for New York Telemarketers:

The new legislation (S.8450-B/A.8319-C) amends New York General Business Law § 399-z as it relates to telemarketers. New York currently regulates telemarketers, defined generally as entities that engage in solicitation by telephone call or electronic text message to a customer located in New York, or that control or supervise such entities. The law requires certain disclosures to be made at the time of the call.

The legislation amends the law to require telemarketers to give customers the option to be added to the company’s do-not-call list at the beginning of a telemarketing sales call, immediately after the telemarketer’s name and the solicitor’s name are provided. Currently, the law requires telemarketers to inform customers that they may request to be added to the company’s do-not-call list, but it does not specify when this disclosure must be made.

Takeaway:

Telemarketers doing business in New York should update their procedures and scripts to comply with this new requirement by March 6, 2023, as each violation of this rule can incur a fine of up to $11,000.