On April 10, 2018, the Federal Financial Institutions Examination Council (the “FFIEC”), an interagency body composed of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency and the State Liaison Committee, issued guidance to assist financial institutions in analyzing the use of cyber insurance in an effective risk management program (the “Guidance”).
On July 10, 2017, the Consumer Financial Protection Bureau (the “CFPB”) finalized its proposed arbitration rule that will prohibit providers of certain consumer financial products and services from requiring a consumer to utilize mandatory pre-dispute arbitration in lieu of a consumer filing or participating in a class action (“Arbitration Rule”). In other words, no longer may covered entities require a consumer to use arbitration in lieu of class action participation. This Arbitration Rule will likely have far ranging consequences for covered providers, including mandatory updates to consumer agreements, likely increases to legal and compliance costs and increased operational risks in new consumer products.
Congress directed the CFPB to study pre-dispute arbitration agreements in the Dodd-Frank Wall Street Reform and Consumer Protection Act (“the Dodd-Frank Act”). The Dodd-Frank Act also authorized the CFPB, after completing the study, to issue regulations restricting or prohibiting the use of arbitration agreements if the CFPB found that such rules would be in the public interest and for the protection of consumers. In 2015, the CFPB published and delivered to Congress a study of arbitration. On May 24, 2016, the CFPB proposed the Arbitration Rule with a request for comment. Since May 2016 the CFPB has been silent, leading many in the financial services industry to believe that, with the change in administration, the CFPB had abandoned the Arbitration Rule. In finalizing the Arbitration Rule, the CFPB has answered the industry’s long outstanding question. Would the CFPB be more moderate in its approach in issuing regulation that drastically impacts financial services providers? The industry has its answer. The CFPB has answered in the negative.
Over the last several years, financial technology (“FinTech”) companies have captured the attention of the marketplace with innovative financial products and processes. Now FinTech companies are capturing the attention of the Consumer Financial Protection Bureau (“CFPB”). Two recent actions by the CFPB within the last fourteen days make clear that FinTech companies can expect some of the same regulatory burdens as faced by Federal Deposit Insurance Corporation (“FDIC”) insured banks. In the first action, the CFPB assessed a civil money penalty against a FinTech company for data security deficiencies, the first-ever such action brought by the CFPB. In the second action, the CFPB announced to the public that it would begin accepting consumer complaints regarding online marketplace lenders.
Data Security Protections
On March 2, 2016, the CFPB and Dwolla, Inc., an Iowa-based online peer-to-peer payment system provider (“Dwolla”), entered into a Consent Order that imposed the CFPB’s first-ever civil money penalty for data security violations under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”).
In the Consent Order, the CFPB alleged that Dwolla made misrepresentations relating to Dwolla’s data security practices that otherwise constituted deceptive acts and practices likely to cause substantial consumer harm, in violation of the Dodd-Frank Act. Specifically, the CFPB alleged that between 2010 and 2014, Dwolla advertised falsely on its website that all its payment transactions were “safe and secure,” and that its data security processes and protections “met or exceeded” industry standards. The CFPB claimed that Dwolla failed to employ reasonable and appropriate measures to protect sensitive consumer data from unauthorized access by failing to:
- adopt and implement data security policies and procedures reasonable and appropriate for the organization;
- use appropriate measures to identify reasonably foreseeable security risks;
- ensure that employees who had access to consumer information receive adequate training and guidance about security risks;
- use encryption technologies to properly safeguard sensitive consumer information (at rest and in transit); and
- practice secure software development, particularly with regard to consumer-facing applications developed at an affiliated website.