Alston & Bird Consumer Finance Blog


FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the FTC approved an amendment to the Safeguards Rule (the “Amendment”) requiring that non-banking financial institutions notify the FTC in the event of a defined “Notification Event” where customer information of 500 or more individuals was subject to unauthorized acquisition.  The Amendment becomes effective 180 days after publication in the Federal Register.  Importantly, the amendment requires notification only to the Commission – which will post the information publicly – and not to the potentially impacted individuals.

Financial institutions subject to the Safeguards Rule are those not otherwise subject to enforcement by another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805 (“GLBA”). Financial institutions within the FTC’s jurisdiction under the Safeguards Rule include mortgage brokers, “payday” lenders, auto dealers, non-bank lenders, credit counselors and other financial advisors, and collection agencies, among others. The FTC made clear that one primary reason for adopting these new breach notification requirements is so the FTC could monitor emerging data security threats affecting non-banking financial institutions and facilitate prompt investigations following major security breaches – yet another clear indication the FTC intends to continue focusing on cybersecurity and breach notification procedures.

Notification to the FTC

Under the Amendment, notification to the FTC is required upon a “Notification Event,” which is defined as the acquisition of unencrypted customer information without authorization that involves at least 500 consumers. As a new twist, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has evidence that the unauthorized party only accessed, but did not acquire the information.  The presumption of unauthorized acquisition based on unauthorized access is consistent with the FTC’s Health Breach Notification Rule and HIPAA, but not state data breach notification laws or the GLBA’s Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”).

As mentioned above, individual notification requirements for non-banking financial institutions will continue to be governed by state data breach notification statutes and are not otherwise included in the Amendment. The inclusion of a federal regulatory notification requirement, and not an individual notification requirement, in the Amendment is a key departure from other federal financial regulators, as articulated in the Interagency Guidelines, which apply to banking financial institutions, and in the SEC’s proposed rules that would require individual and regulatory reporting by registered investment advisers and broker-dealers.

Expansive Definition of Triggering Customer Information

Again departing from pre-existing notification triggers of “sensitive customer information” in the Interagency Guidelines or “personal information” under state data breach reporting laws, the FTC’s rule requires notification to the Commission if “customer information” is subject to unauthorized acquisition. “Customer information” is defined as “non-public personal information,” (see 16 C.F.R. 314.2(d)) which is further defined to be “personally identifiable financial information” (see 16 C.F.R. 314.2(n)).

Under the FTC’s rule, “personally identifiable financial information” is broadly defined to be (i) information provided by a consumer to obtain a service or product from the reporting entity; (ii) information obtained about a consumer resulting from any transaction involving a financial product or service from the non-banking financial institution; or (iii) information the non-banking financial institution obtains about a consumer in connection with providing a financial product or service to the consumer. Unlike the Interagency Guidelines which defines “sensitive customer information” as a specific subset of data elements (“customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account”) (see 12 CFR Appendix F to Part 225 (III)(A)(1)), the FTC’s definition of “personally identifiable financial information” is much broader.

For example, “personally identifiable financial information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the fact that an individual has been one of your customers, and any information collected through a cookie. As a result of this broad definition, notification obligations may be triggered for a wider variety of data events, as compared to data breach notifications for banking financial institutions under the Interagency Guidelines or state data breach notification laws. As a result, non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements under the Amendment, as distinct from state law notification requirements.

No Risk of Harm Provision

Although the FTC considered whether to include a “risk of harm” standard for notifying the Commission, it ultimately decided against including one to avoid any ambiguity or the potential for non-banking financial institutions to underestimate the likelihood of misuse. However, numerous state data breach reporting statutes contain risk of harm provisions that excuse notice to individuals and/or state regulators where the unauthorized acquisition and/or access of personal information is unlikely to cause substantial harm (such as fraud or identity theft) to the individual. This divergence between FTC notifications and state law has set the stage for the possibility that a reporting non-banking financial institution could be required to report to the FTC, but not to potentially affected individuals and/or state attorneys general pursuant to state law.

Timing and Content for Notice to FTC

Non-banking financial institutions must notify the Commission as soon as possible, and no later than 30 days after discovery of the Notification Event. Discovery of the event is deemed to be the “first day on which such event is known…to any person other than the person committing the breach, who is [the reporting entity’s] employee, officer, or other agent.” The FTC’s timeline is similar to the timeline for notifying state Attorneys General under most state data breach notification laws (either explicitly or implicitly), but differs from the Interagency Guidelines, which require notification to the bank’s primary federal regulator as soon as possible.

The notification must be submitted electronically on a form located on the FTC’s website (https://www.ftc.gov), and include the following information, which will be available to the public: (i) the name and contact information of the reporting financial institution; (ii) a description of the types of information involved in the Notification Event; (iii) the date or date range of the Notification Event (if available); (iv) the number of consumers affected or potentially affected; (v) a general description of the Notification Event; and (vi) whether a law enforcement official (including the official’s contact information) has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security. Making this type of information regarding a data security incident available to the public is not part of any current U.S. regulatory notification structure.

Law Enforcement Delays Public Disclosure by FTC, Not FTC Reporting

A law enforcement delay may preclude public posting of the Notification Event by the FTC for up to 30 days but does not excuse timely notification to the FTC.  A law enforcement official may seek another 60 days’ extension, which the Commission may grant if it determines that public disclosure of the Notification Event “continues to impede a criminal investigation or cause damage to national security.”

As Economic Winds Blow, So Do Whistleblowers: How to Protect Your Company Through Turbulent Times

A&B Abstract:

As recently reported by the Financial Times, banks are preparing for the “deepest job cuts since the financial crisis,” with firings to be “super brutal.” Already, nonbank lenders and service providers have been suffering with several rounds of layoffs and, potentially, more to come. Former employees, particularly disgruntled ones, may have information they want to share with the government.  An Insider article highlighted that remote work has resulted in a surge of whistleblower complaints.  If true, even current employees, including those whose complaints or grievances fall on deaf ears, also could be potential whistleblowers.

Alston & Bird Partners Nanci Weissgold, Joey Burby, and Cara Peterman (ably assisted by, and a special thanks to, Charlotte Bohn, Andrew Brown, and Melissa Malpass) addressed today’s challenging economic conditions, and how companies can protect themselves during an expected surge in whistleblowing by disgruntled current and former employees. The webinar slides address:

  • What you need to know about government whistleblower reward programs and laws with whistleblower incentives and protections, including the False Claims Act, FIRREA, and the SEC’s Whistleblower program.
  • Recent trends, developments, major settlements, and awards in whistleblower-related settlements and litigation.
  • Best practices for companies when responding to, de-escalating, and defending against whistleblower complaints.

Best Practices for Responding to Whistleblower Complaints

#1: Keep complaints internal. It is critical to have procedures in place for employees (as well as contractors and other agents) to report compliance concerns internally.

  • Establish a compliance hotline or other means of anonymous
  • Have an anti-retaliation policy to protect employees who make a report.
  • Promote these policies and procedures, and train employees on them.

This is a required element of an effective compliance program under DOJ and SEC guidance and factors into their charging decisions; it is also considered under the U.S. Sentencing Guidelines in determining corporate penalties.

Additionally, internal complaints allow companies to investigate and remediate (if necessary) and to consider whether/how to self-disclose. The 2023 revisions to DOJ’s Corporate Enforcement Policy strongly encourage self-disclosure, offering significant incentives to companies who do.

#2: Maintain a strong Compliance Management System (CMS). A strong CMS is one that establishes compliance responsibilities, communicates those responsibilities to employees, ensures the responsibilities are carried out and met, takes corrective action, and updates tools, systems, and processes as needed.

Scaled to the size of the company’s operations, a CMS requires:

  • A strong board of directors and management oversight – “tone at the top.”
  • Comprehensive written policies and procedures to demonstrate an understanding of all applicable laws and regulations.
  • Training on all applicable laws to ensure that employees can perform their functions.
  • Monitoring and testing based on an assessment of risk carried out through three lines of defense:
    (1) functions that own and manage risk; (2) functions that oversee risk; and (3) functions that provide independent assurance.
  • Timely corrective action that remediates past issues and prevents reoccurrence prospectively.
  • Consumer complaint response, root cause analysis, and enterprise-wide action.

#3: Time is of the essence. Whether you learn of a whistleblower complaint internally, or via contact from a government agency, you should initiate an internal investigation into the subject matter of the complaint immediately. DOJ takes the immediacy of self-disclosure into account in determining whether to file charges. If there is ongoing problematic conduct, you want to stop it and cut off potential liability.

  • What the investigation will involve, and how it will be conducted, will vary depending on the seriousness of the complaint and how credible it appears.
  • Inside or outside counsel should generally conduct the investigation to ensure communications and work product are protected by the attorney-client privilege.
  • Some basic steps are common to almost every internal investigation:
    • Ensure that all potentially relevant documents (including emails and IMs) are preserved.
    • Collect and review relevant documents.
    • Interview involved employees (using an Upjohn warning).

Takeaway

Given that a surge in whistleblower complaints is likely, financial institutions should ensure that they are adequately prepared to address them.

New York Amends Disclosure Requirements for Telemarketers

A&B Abstract:

New York Governor Kathy Hochul signed legislation in December designed to limit unwanted telemarketing calls by providing consumers the option to be added to a company’s do-not-call list at the outset of a call. The new law takes effect March 6, 2023.

Updated Requirements for New York Telemarketers:

The new legislation (S.8450-B/A.8319-C) amends New York General Business Law § 399-z as it relates to telemarketers.  New York currently regulates telemarketers, defined generally as entities that engage in solicitation by telephone call or electronic messaging text to a customer located in New York or that control or supervise such entities.  The law requires certain disclosures to be made at the time of the call.

The law is amended by the legislation to require telemarketers to give customers the option to be added to the company’s do-not-call list at the beginning of telemarketing sales calls, right after providing the telemarketer’s name and solicitor’s name. Currently, the law requires telemarketers to inform customers that they may request to be added to the company’s do-not-call list, but it does not specify when this disclosure must be made.

Takeaway:

Telemarketers doing business in New York should update their procedures and scripts to comply with this new requirement by March 6, 2023, as each violation of this rule can incur a fine of up to $11,000.

State Community Reinvestment Acts Reaching Beyond Banks

A&B Abstract:

When Congress passed the federal Community Reinvestment Act (“CRA”) in 1977 to address redlining, it imposed affirmative requirements on insured depository institutions to serve the credit needs of the communities where they receive deposits. At that time, banks were extending the vast majority of mortgages nationally. However, non-banks have become the dominant mortgage lenders, by some estimates accounting for more than two thirds of residential mortgage loans in 2021.

Indeed, the non-bank mortgage market share has been increasing steadily since 2007, when non-banks were originating approximately 20 percent of mortgage loans. That year, Massachusetts became the first state to extend the scope of its state CRA to non-bank mortgage lenders, notwithstanding the proviso of the federal statute that tied credit obligations to depository activities. Historically, deposits were gathered primarily from areas surrounding bank branches, and thus a bank’s CRA performance responsibilities were likewise focused on those same areas. But today, both lending and depository activities can be conducted nationally. In recognition of the more attenuated connection between bank branches and the credit needs of the communities they serve, Massachusetts became the first state to impose CRA responsibilities on non-bank lenders.

The Various State CRAs

In March 2021, Illinois passed its CRA which also applies beyond banks to non-bank mortgage lenders, followed shortly by New York in November 2021.  (Note that this expansion has not taken mortgage servicers into the fold, as CRA is more focused on an institution’s loan originations and purchases than its loan servicing.)  Relatedly, other state CRA statutes apply to credit unions and banks, though not to other financial institutions.  Below is a brief update on where various state CRAs currently stand:

  • Connecticut. Connecticut’s CRA initially applied only to banks but was amended in 2001 to cover state credit unions as well.  It does not cover any other financial institutions, however.  Its provisions are similar to the federal CRA.
  • District of Columbia. The District of Columbia’s CRA applies to deposit-receiving institutions, which includes federal, state, or District-chartered banks, savings institutions, and credit unions.  It is also similar to the federal CRA.
  • Illinois. The Illinois CRA applies to financial institutions, which includes state banks, credit unions, and non-bank mortgage entities that are licensed under the state’s Residential Mortgage Lending Act that lent or originated 50 or more residential mortgage loans in the previous calendar year.  Following the expansion of its CRA (205 ILCS 735) last year, Illinois solicited comments and facilitated roundtables to assist the Department of Financial and Professional Regulation in developing rulemaking for non-bank entities. In particular, the Department’s August 31, 2021 Advance Notice of Proposed Rulemaking sought comment on whether the assessment areas of these non-bank entities should include the entire state of Illinois.  Importantly, the Department has referenced the potential suitability of either the federal CRA rules or Massachusetts’ CRA rules as a model for Illinois.  No proposed rule has been published as of the date of this writing.
  • Massachusetts. Despite mortgage lender concerns raised today regarding the feasibility and inapplicability of different elements of the general CRA examination framework, Massachusetts has imposed meaningful CRA requirements on non-bank lenders for more than a decade.  Indeed, Massachusetts has succeeded in implementing and conducting separate CRA examination processes for banks and non-banks. Yet despite this distinction, Massachusetts CRA exams for mortgage companies remain rigorous.
  • New York. In November last year, New York Governor Kathy Hochul signed legislation (S.5246-A/A.6247-A) to expand the scope of the state’s CRA to cover non-bank mortgage lenders. Specifically, the legislation creates a new section, 28-bb of the New York Banking Law, that requires non-depository lenders to “meet the credit needs of local communities.” Further, section 28-bb provides for an assessment of lender performance by the Superintendent that considers the activities conducted by the lender to ascertain the credit needs of its community, along with the extent of the lender’s marketing, special programs, and participation in community outreach, educational programs, and subsidized housing programs. This assessment also may consider the geographic distribution of the lender’s loan applications and originations; the lender’s record of office locations and service offerings; and any evidence of discriminatory conduct, including any practices intended to discourage prospective loan applicants.  The provisions of section 28-bb will go into effect on November 1, 2022.

Worth noting also is that while these state CRAs are generally aligned with the federal CRA requirements, the regulations implementing the federal CRA are expected to change.  The Federal Reserve Board, FDIC, and OCC are currently working on promulgating a modernized interagency CRA framework.  Once the federal CRA regulations change, the state CRAs may follow or risk subjecting their banks and any other covered financial institutions to the burden of complying with two different regulatory regimes.

Takeaway:

Much like in Massachusetts, non-bank lenders originating a significant number of loans in Illinois and New York should be developing a CRA compliance strategy that makes sense for their size and business model to comply with the state CRAs.  That said, all non-bank lenders would do well to contemplate whether Massachusetts, Illinois, and New York are a harbinger of what is to come.  Finally, state CRA covered financial institutions in Connecticut, the District of Columbia, Illinois, Massachusetts, and New York should be planning for potential compliance framework shifts once the federal CRA regulations are revised.

New CFPB Chief Rohit Chopra Confirmed by Senate and Takes Immediate Action Against Big Tech Firms

A&B Abstract:

On September 30, 2021, the Senate confirmed Rohit Chopra to serve as director of the Consumer Financial Protection Bureau (CFPB) in a 50-48 vote along party lines. He had been serving as a member of the Federal Trade Commission (FTC) where he had been a vocal critic of big tech companies and advocated for increased restitution for consumers. He previously served as the CFPB’s private education loan ombudsman under former CFPB Director Richard Cordray. Prior to that, he had worked closely with Sen. Elizabeth Warren on the CFPB’s establishment. Consistent with his past practices, Chopra’s CFPB has now ordered six Big Tech companies to turn over information regarding their payment platforms.

Expectations for Chopra’s CFPB

President-elect Biden announced Chopra as his choice to lead the CFPB before Inauguration Day, and the Biden Administration subsequently referred his nomination to the Senate in February. Chopra succeeds Kathy Kraninger, who became Director in December 2018 after having served as a senior official at the Office of Management and Budget. She led the CFPB for two years before the incoming Biden Administration demanded her resignation on January 20. It is expected that Chopra will aggressively lead the CFPB and unleash an industry crackdown. The October 21, 2021 order issued to Big Tech regarding payment products appears to be the first step in that plan. Additionally, credit reporting companies, small-dollar lenders, debt collectors, fintech companies, the student loan industry, and mortgage servicers are among the financial institutions expected to face scrutiny from Chopra’s CFPB. Prior to the Big Tech inquiry, the CFPB, under interim leadership, had already taken initial steps to implement pandemic-era regulations and to advance the Biden administration’s priorities. It is also expected that the enforcement practices under former Director Cordray will be revived under a Chopra-led CFPB.

After his confirmation, Chopra stated an intent to focus on safeguarding household financial stability, echoing prior statements regarding his commitment to ensuring those under foreclosure or eviction protections during the pandemic are able to regain housing security. He has also declared an intent to closely scrutinize the ways that banks use online advertising, as well as take a hard look at data-collection practices at banks. In his remarks related to the market-monitoring order issued to Big Tech, Chopra was critical of the way companies may collect data and his concern that it may be used to “profit from behavioral targeting, particularly around advertising and e-commerce.”

Just one week later, Chopra delivered remarks in his first congressional hearing as Consumer Financial Protection Bureau director. In his prepared statements before both the House Committee on Financial Services and the Senate Committee on Banking, Housing, and Urban Affairs, he cited mortgage and rent payments, small business continuity, auto debt, and upcoming CARES Act forbearance expirations as problems he plans to address. He also stated an intent to closely monitor the mortgage market and scrutinize foreclosure activity. And, echoing his action from a week earlier, Chopra reiterated an intent to closely look at Big Tech and emerging payment processing trends. Chopra also noted a lack of competition in the mortgage refinance market and stated an intent to promote competition within the market.

Although appointed to a five-year term, the CFPB director serves at the pleasure of the president after a landmark decision last year from the Supreme Court.

Takeaway

Industry participants, including credit reporting companies, small-dollar lenders, debt collectors, fintech companies, the student loan industry, and mortgage lenders and servicers can anticipate additional scrutiny in the coming months and years from the CFPB. As Chopra gets settled into his new role, we will be keenly watching where he turns his attention to next.