Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.
To help you keep abreast of relevant activities, below is a breakdown of some of the biggest COVID-19-driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:
Privacy and Cybersecurity Activities
- On November 16, the Consumer Financial Protection Bureau (CFPB) issued a request for information (RFI) to seek input on rules implementing the Home Mortgage Disclosure Act (HMDA). The CFPB plans to review recent changes to the rules and evaluate their effectiveness to strengthen the CFPB’s ability to maintain a fair, competitive, and nondiscriminatory mortgage market. For more information, click here.
- On November 19, the CFPB issued guidance to staff, reminding them to report suspicious communications and activity by former CFPB employees to agency officials. This will allow the CFPB to detect activity by former employees and other government agencies potentially violating existing ethics and confidential information disclosure laws and regulations. For example, the guidance directs current employees to file reports with agency ethics officials if they learn a former employee may be illegally providing “behind the scenes” assistance to a party under investigation by the CFPB. For more information, click here.
- On November 17, California’s Department of Financial Protection and Innovation (DFPI) issued a revised notice of second text modifications of proposed regulations under the Debt Collection Licensing Act. The DFPI published a notice of rulemaking to “adopt the license application form and procedures for applying for a debt collection license under the Debt Collection Licensing Act,” and the revised notice extended the comment period until December 2. For more information, click here.
- On November 17, New York Attorney General Letitia James issued a warning against “marketing schemes aimed at trapping consumers into recurring payments.” The warning advised New Yorkers to “take precaution when presented with deceptive marketing offers that may unwittingly result in recurring charges,” particularly where the marketing “contains a term or condition under which a seller interprets a consumer’s silence or failure to take affirmative action to reject a good or service or to cancel the agreement as acceptance or continuing acceptance of the offer.” Attorney General James stated, “As consumers continue to suffer the financial harms of COVID-19, the last thing companies should be doing is making it harder for consumers to end a service.” For more information, click here.
- On November 15, Virginia Attorney General Mark Herring wrote to the Federal Communications Commission (FCC) in “support of its efforts to reduce illegal robocallers’ access to legitimate phone numbers.” In a corresponding press release, Attorney General Herring said, “Earlier this year, phone companies were required to implement STIR/SHAKEN — caller ID authentication technology to combat spoofing by ensuring that telephone calls originate from verified phone numbers. Because the technology prevents robocallers from spoofing phone numbers, scam robocalls have dropped by 29 percent since June as the phone industry continues to put STIR/SHAKEN into effect.” For more information, click here.
Privacy and Cybersecurity Activities:
- On November 18, the Federal Trade Commission (FTC) announced an analysis that showed COVID-19 fraud has thrived on social media platforms. Since the beginning of the pandemic, the FTC has sent “more than 400 letters to companies demanding that they cease making false promises that various pills, potions, and treatments could prevent, treat, or cure COVID-19.” About half of the companies that received letters made problematic claims on one or more of the four most prominent social media platforms. The FTC cited the design and high profits of these platforms as potential reasons for the rise in problematic claims. The complete analysis can be found here. The FTC also published several questions that users can ask before following COVID-19 advice found on social media: (1) who is the message from?; (2) what do they want me to do?; and (3) what evidence supports the message? The full announcement can be found here.
- On November 18, U.S. Representatives Anna G. Eshoo (CA-18) and Zoe Lofgren (CA-19) reintroduced the Online Privacy Act, which would create user data rights, place limitations and obligations on companies that collect and use user data, and create a digital privacy agency to enforce privacy laws. Eshoo and Lofgren had previously introduced the Online Privacy Act on November 5, 2019. Given the rise in digital work and online activities, the bill seeks to “protect individuals, encourage innovation, and restore trust in technology companies.” The press release can be found here.
- On November 18, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) “issued a joint final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers.” The letter applies to all FDIC-supervised institutions. Among other provisions, the rule will: (1) require banking organizations to notify the FDIC as soon as possible and no later than 36 hours after the banking organization determines that a computer-security incident that rises to the level of a notification incident has occurred; and (2) require a bank service provider to notify at least one bank-designated point of contact at each affected customer banking organization as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded covered services for four or more hours. For more information, click here.
- On November 18, the Brennan Center published a report, evaluating the privacy and equity concerns around digital vaccine credentials. The report highlights various privacy concerns, including concerns around individual freedom and the potential to have one’s movements tracked based on where they use their credentials. The report also emphasizes equity concerns and the importance of continued use of analog cards for those communities that might not have smartphones capable of supporting digital credentials. The report recommends implementing a national privacy standard to govern vaccine credentials that include clear limits on data collection, retention, and sharing. The full report can be found here. For those interested in learning more about the privacy implications of vaccine credentials, check out Troutman Pepper’s Law360 article by clicking here.
- On November 15, President Biden signed the Infrastructure Investment and Jobs Act. This $1.2 trillion bill passed both chambers with bipartisan support and includes $1 billion in cybersecurity funding for state and local governments. This funding will be distributed over the course of the next four years, starting in 2022. About 80% of these funds will go to local governments, which cyberattacks have increasingly targeted during the pandemic. The infrastructure bill also includes $100 million for a “Cyber Response and Recovery Fund,” which the secretary of homeland security can use to support “federal and nonfederal entities” impacted by a cyberattack. The full version of the Infrastructure Investment and Jobs Act is available here.
- During the pandemic, Washington, DC’s government entered into a contract with a data broker to obtain location data for COVID-19 research purposes. On November 10, an Electronic Frontier Foundation (EFF) report made headlines, revealing the broad nature and scope of the data shared under this contract. Through public records requests, the EFF found that device identifiers, timestamps, and GPS data for hundreds of thousands of devices were collected between April and September of last year. This data was uploaded to a data repository shared by numerous D.C. government organizations, some of which were not engaged in COVID-19-related research. The D.C. government ultimately concluded there was no use for this data; however, according to the report, it has not yet been deleted. While there is no evidence that this data was misused, this report illustrates the potential risks associated with broad data collection and sharing. A copy of the EFF’s report is available here.