In This Issue:
- Kristen Larson Joins Ballard Spahr’s Consumer Financial Services Group
- Podcast: The Third Circuit’s Decision in Bibbs v. Trans Union: What it Means for Fair Credit Reporting Act Litigation
- Podcast: A Look at Recent Federal Trade Commission and Consumer Financial Protection Bureau Privacy and Data Security Initiatives
- OCC Keeps Focus on Bank/Fintech Partnerships
- CPRA’s Employee and B2B Exemptions Appear Destined to Sunset
- Bill to Extend the California Debt Collection Licensing Act’s Grace Period Provisions Sent to Governor
- GAO Report: DOJ Cannot Provide Meaningful Feedback on SAR Use
- Looking Ahead
Kristen Larson Joins Ballard Spahr’s Consumer Financial Services Group
I am pleased to share with our blog readers that Kristen Larson, an attorney with almost two decades of in-house experience advising midsized and large national banks on financial services matters, has joined Ballard Spahr’s Consumer Financial Services Group. She is resident in the firm’s Minneapolis office.
Kristen’s practice involves consumer, small business, and treasury management products and services; digital banking; emerging payments; servicing; innovative technology; information security; operations; marketing; and complex service contracts. She has experience with the Consumer Financial Protection Act, National Bank Act, Federal Deposit Insurance Act, Federal Reserve Act, Truth in Savings Act, Truth in Lending Act, and other federal and state consumer protection laws.
Kristen is the 11th attorney to join our Consumer Financial Services Group in the past six months. She will be a regular contributor to our blog.
Podcast: The Third Circuit’s Decision in Bibbs v. Trans Union: What it Means for Fair Credit Reporting Act Litigation
In Bibbs v. Trans Union, the Third Circuit ruled that in determining whether a credit report is inaccurate or misleading under the FCRA’s “maximum possible accuracy” requirement, a district court should apply a “reasonable reader” standard. After reviewing the background of Bibbs, we discuss the analysis that Bibbs requires a district court to perform in determining whether a credit report is inaccurate or misleading, how Bibbs broadly undercuts the claims of plaintiff’s lawyers in FCRA cases alleging pay status information is misleading, Bibbs’ implications for data furnishers that follow Metro 2 guidelines or other industry standards, and Bibbs’ impact on defendants’ litigation strategy and the threat of plaintiffs’ attorney fees.
Dan McKenna, Co-Chair of Ballard Spahr’s Consumer Financial Services Group, hosts the conversation, joined by Abigail Pressler, Of Counsel in the Group.
- Dan McKenna & Abigail S. Pressler
Podcast: A Look at Recent Federal Trade Commission and Consumer Financial Protection Bureau Privacy and Data Security Initiatives
Our discussion examines the FTC’s Advance Notice of Proposed Rulemaking relating to what it describes as “commercial surveillance” and the CFPB’s circular confirming that covered persons and service providers may violate the Consumer Financial Protection Act’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. We consider the ANPR’s scope, its areas of focus, and potential federal and state obstacles to the FTC’s initiative. After providing an overview of the CFPB’s circular, we look at the data security measures highlighted by the CFPB, the CFPB’s authority to address data security, precedents to which companies can look in assessing the adequacy of their data security measures and potential exposure, and steps to mitigate risk.
Alan Kaplinsky, Ballard Spahr Senior Counsel, hosts the conversation, joined by Greg Szewczyk, Co-Leader of the firm’s Privacy and Data Security Group, and Tim Dickens, an associate in the firm’s Litigation Department focusing on privacy and data security.
OCC Keeps Focus on Bank/Fintech Partnerships
Since the beginning of Michael Hsu’s tenure as Acting Comptroller of the Currency, bank/fintech partnerships have been a focus of OCC concern. Although bank lending partnerships with fintechs continue to receive OCC attention, recent remarks by OCC officials indicate that OCC scrutiny is now also directed at partnerships outside of the lending arena.
In remarks to The Clearing House and Bank Policy Institute Annual Conference, Acting Comptroller Hsu discussed the growth “of banking-as-a-service (BaaS),” meaning arrangements in which a nonbank offers banking services to its customers as a way of adding value to its products and services. He observed that “[d]igitalization has put a premium on online and mobile engagement, customer acquisitions, customization, big data, fraud detection, artificial intelligence, machine learning, and cloud management” and that “these activities require expertise and economies of scale that most banks do not have.” Noting that BaaS is not an issue limited to large banks, he commented that banks and fintechs, “in an effort to provide a ‘seamless’ customer experience, are teaming up in ways that make it more difficult for customers, and regulators, and the industry to distinguish between where the bank stops and the tech firm starts.”
Mr. Hsu expressed significant concern about the safety and soundness implications of these developments. He discussed the supervisory concerns raised in bank technology examinations, stating that a majority are related to “fundamental elements of risk management, e.g. board oversight, governance, and internal controls” and that common issues involve insufficient information security controls, change management issues particularly with emerging products and services, and IT operational resilience. Mr. Hsu also raised concerns about unknown risks or “nasty surprises” arising out of bank-fintech arrangements. He indicated that to mitigate this risk, the OCC is currently working on a process to subdivide bank-fintech arrangements into cohorts with similar safety and soundness risk profiles and attributes. This approach is expected to enable a clearer focus by the OCC on risks and risk management expectations.
According to a Law360 report, another OCC official who spoke at the Annual Conference also expressed concerns about bank/fintech partnerships. Kevin Greenfield, OCC Deputy Comptroller for Operational Risk, is reported to have warned banks that they can be liable for customer harm arising out of fintech partnerships, such as violations of consumer protection laws and unfair and deceptive practices. He advised banks to closely monitor risk and compliance in these partnerships. With regard to lending partnerships, Mr. Greenfield is quoted as having stated that a bank’s responsibility for compliance with consumer protection laws “doesn’t go away if [customers] click on a fintech app or if they walk into the bank branch to get that loan” and that “[i]f it’s [the bank’s] charter that’s providing that loan, [the bank needs to] understand what the risks are and how that’s operating, because, ultimately, it’s going to get traced back to [the bank] that provided the credit.”
We find it noteworthy that neither Mr. Hsu nor Mr. Greenfield mentioned concerns about a bank using its charter to avoid state interest rate limits applicable to a nonbank partner.
- Ronald K. Vaske & Mindy Harris
CPRA’s Employee and B2B Exemptions Appear Destined to Sunset
The August 31 closing of the California legislative session likely marked the end of hopes for an extension of the limited exemptions for employee and business-to-business (B2B) data that have existed for the California Consumer Privacy Act (CCPA) since its inception. As a result, when the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, employee and B2B data will be treated the same as consumer data.
Specifically, with the expiration of these exemptions, covered businesses will be obligated to provide their California employees, contractors, job applicants, and business contacts with the full array of disclosures and rights available to California consumers under the CPRA. Extending CPRA rights to employees in particular is likely to pose a significant policy and operational lift for many businesses.
For example, in addition to the disclosures already required under the CCPA, employers will now have to provide employees with the rights of access, correction, portability, and deletion of their personal information. Given the nature of the information that businesses may hold about their employees—including internal performance reviews, work evaluations, and human resources or disciplinary reports—effectuating these rights may be logistically difficult in a way that standard consumer requests are not. Businesses will have to review the scope of these rights carefully to identify what information may be subject to employee review and what information may fall under an exemption.
The sunsetting of these exemptions is likely to have a particularly large impact on businesses without direct-to-consumer sales and companies in federally regulated industries (such as financial institutions), as those types of businesses often had relatively little data subject to the CCPA.
With only four months until 2023, businesses have already been focusing significant efforts on complying with the CPRA and the four other privacy laws going into effect next year. The lapsing of the CPRA’s B2B and employee exemptions will make these months feel even shorter.
- Gregory P. Szewczyk, Timothy Dickens, & Kelsey Fayer
Bill to Extend the California Debt Collection Licensing Act’s Grace Period Provisions Sent to Governor
On August 31, 2022, the California Senate voted to approve House Assembly Bill 156, and sent the bill to Governor Newsom for consideration and potential signature. If it becomes law, the bill would amend the existing California Debt Collection Act (the DCLA) in three ways.
First, the bill would amend provisions of Cal. Fin. Code § 100000.5(a) to “allow any debt collector that submits an application [for a license] before January 1, 2023, to operate pending the approval or denial of the application.” The existing grace period provided by the DCLA had previously only covered applications that were submitted prior to January 1, 2022.
Second, an amendment to Cal. Fin. Code § 100000.5(b) would provide the California Department of Financial Protection & Innovation (the DFPI) the authority to issue conditional licenses to applicants (valid for a period up to 90 days) pending the receipt and review of fingerprint images and related information. As the legislative counsel’s digest accompanying the bill’s text states: “[t]he DCLA requires the Department of Justice to transmit fingerprint images and related information received from the DFPI to the Federal Bureau of Investigation for the purpose of obtaining a federal criminal history records check and requires the Department of Justice to review the information returned from the Federal Bureau of Investigation and compile and disseminate a response to the commissioner.” The ability to issue conditional licenses during this time would provide the DFPI with flexibility during this portion of the application process.
Third, the bill would amend sections of Cal. Fin. Code § 100013 to provide the DFPI with discretion as to whether or not to deem an application abandoned in a situation where an applicant fails to submit responsive information within 60 days from a written request for information by the DFPI. Currently, the DCLA mandates that any such application be abandoned.
There is no express timeline for the Governor to sign House Assembly Bill 156 into law. All new applications for a license under the DCLA or for branch registrations are handled via the Nationwide Multistate Licensing System and Registry.
- Lisa Lanham & John Georgievski
GAO Report: DOJ Cannot Provide Meaningful Feedback on SAR Use
How effective is the current framework for filing Suspicious Activity Reports, or SARs? The AML Act mandates that federal law enforcement agencies provide statistics to help Congress, regulators, and financial institutions answer this question. Specifically, it requires the Department of Justice (DOJ) to annually produce a report to the Secretary of the Treasury containing statistics, metrics and other information on the use of Bank Secrecy Act (BSA) reports. It further requires the Financial Crimes Enforcement Network (FinCEN), to the extent possible, to periodically disclose to financial institutions summary information on SARs that proved useful to law enforcement; it also requires FinCEN to review SARs and publish information on threat patterns and trends.
Yet, on August 25, 2022, the United States Government Accountability Office (GAO) published a report, Action Needed to Improve DOJ Statistics on Use of Reports on Suspicious Financial Transactions, describing how the DOJ has not fulfilled that statutory mandate. The GAO’s report sets forth two recommendations: (1) the DOJ should include data on the use of BSA reports in its ongoing agency-wide efforts to improve data collection; and (2) the DOJ should involve its Chief Information Officer and Statistical Official in the design of its annual BSA statistical report.
Arguably, the most eye-catching observation of the report is that FinCEN itself “cannot currently provide comprehensive feedback on the impact of BSA reports [to the DOJ] because agencies do not provide FinCEN with comprehensive data on their use of those reports or the effect they had.” Accordingly, and despite ongoing calls for FinCEN to provide meaningful feedback (now, a statutory requirement under the AML Act), FinCEN “cannot connect their data on report searches to the impact of those reports on case outcomes.”
A few statistics provide helpful background. The GAO reports that in fiscal year 2020, FinCEN received 2.4 million SARs. The cost of generating those SARs is high. Financial institutions spend, roughly, between 1 percent and 2 percent of their operating costs on BSA compliance.
In light of that ocean of data and mounting compliance costs, some have questioned the utility of the current SAR reporting regime in the absence of meaningful feedback from law enforcement to financial institutions. Indeed, the GAO conducted its analysis in part because the current reporting regime imposes “significant compliance burden[s]” on financial institutions, and limited public information regarding law enforcement’s use of the reports makes it difficult to assess their relative utility.
To help answer that question, the AML Act contains provisions requiring feedback, both from industry and from law enforcement. FinCEN garners industry feedback through myriad sources. As the report notes, feedback was solicited from industry groups through the Bank Secrecy Act Advisory Group; the FinCEN Exchange; and FinCEN’s publications, law enforcement liaisons, and speeches. To be clear, each of these groups is a vehicle for information and feedback. Their usefulness is limited to the value of the information they provide. And a key source of that information is the DOJ’s reports on how SARs and other activity reports are useful to its mission.
Accordingly, the AML Act requires the DOJ to provide feedback to the Secretary of the Treasury on its use of BSA reports in the form of specific statistics. This feedback must include data on: (1) the frequency with which reports contain actionable information that leads to law enforcement action; (2) the time between when SARs are filed and when law enforcement takes action; (3) an analysis of the transactions underlying SARs; (4) the number of entities and individuals identified by the SARs; and (5) the extent to which SARs were related to law enforcement actions such as arrests, indictments, and convictions.
The GAO Report
According to the GAO, that mandate has gone unfulfilled. Reportedly, the DOJ could not generate the prescribed statistics using its current database, and instead only provided “qualitative descriptors” on how investigators used SAR reports.
Part of the problem may be that how DOJ uses SARs is not easily reducible into a set of statistics. For instance, consider the following iterative process described by DOJ: in a single investigation, officials may review 100 SARs; some of those SARs provide leads to further evidence, and some may prove useful only after investigators uncover additional facts. That kind of incremental case building does not easily lend itself to quantifying the amount of time between a SAR filing and a law enforcement action. And the value of SARs to an investigation, just like any other form of evidence, is going to vary substantially between cases.
Relatedly, the AML Act requires the DOJ to provide statistics on when it “uses” SARs. But it is not clear what counts as a “use.” Directly relying on SARs to build an ongoing investigation may be a clear-cut “use,” but what about reviewing a SAR and referring it to another agency? The DOJ reported a range of “uses” of SARs, so imprecision in this definition could render imprecise quantitative data. The DOJ noted that legal prohibitions on the disclosure of SARs prevent prosecutors from citing such evidence in court filings or other easily accessible records; similarly, the confidential nature of grand jury investigations also imposes barriers to easily tracking and reporting SAR “use” statistics. Finally, the DOJ raised an argument which beleaguered compliance officers at financial institutions subject to the BSA may find ironic: the DOJ would have to dedicate “substantial resources” to identify BSA reports used by investigators, and the cost of such tracking and reporting would be “prohibitive” under the DOJ’s current data systems. Stated otherwise, compliance with a mandated recordkeeping and reporting regime turns out to be costly and difficult. A fair reading of the GAO report is that the DOJ simply declined to do it.
These shortcomings reportedly hobble FinCEN’s feedback programs. FinCEN informed the GAO that DOJ agencies conducted more than 500,000 searches of SARs through its database in 2020. Further, and although there was some confusion regarding whether the DOJ had reached out to IRS Criminal Investigation (CI) to try to obtain data, IRS CI reported to the GAO that it initiated 13 percent of its investigations based on information in BSA reports. Nonetheless, and as the GAO writes: “FinCEN cannot currently provide comprehensive feedback on the impact of BSA reports because agencies [such as the DOJ] do not provide FinCEN with comprehensive data on their use of those reports or the effect they had.” This is because the other government agencies collect data on the impact that BSA reports have had on case outcomes “inconsistently or not at all.”
The DOJ’s challenges in collecting and reporting accurate statistics are not insurmountable. The GAO report offered two recommendations to facilitate data collection and analysis at DOJ. First, the GAO report noted that DOJ is currently improving its general data collection and infrastructure. To date, those improvements have not included changes to how BSA reports are collected and analyzed, so the GAO recommends that the DOJ Chief Data Officer, Evaluation Officer, and Statistical Officer incorporate BSA report data into their improvement efforts.
Second, the GAO recommended that the DOJ include all relevant agencies and available data in its statistical report. Specifically, two agencies, IRS CI and the Secret Service, reportedly were not consulted when the DOJ created its report, nor did the report’s authors “prepare evaluation design, planning, or methodological documents detailing an approach for report development.”
These recommendations are discouraging indicators of the DOJ’s willingness to engage in the feedback process. Difficult as it may be to reduce SARs’ utility to a set of statistics, those quantifiable metrics could yield long-term improvements in the quality, efficiency, and cost of the current reporting regime. Moreover, the AML Act requires the government to provide feedback.
Looking Ahead
MBA's Regulatory Compliance Conference
Washington, DC | September 18-20, 2022
Key Updates Track: CFPB Updates
Speaker: Michael Gordon
Purchase Market Compliance Consideration Track: How To Do LO Comp Right—and Be Competitive
Speaker: Richard Andreano
State of the States Track: State Licensing and NMLS Challenges
Speaker: Stacey L. Valerio
State of the States: Key State Trends for Compliance Professionals
Speaker: John D. Socknat
Savannah, Georgia | September 26-27, 2022
Redlining. Think Again! CFPB Is Changing What It Means and You Need to Be Ready & the Continued Focus on Fair Lending, Fair Servicing, and Related Matters
Speaker: Richard Andreano
Copyright © 2023 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.