 |
|
 |
|
Extreme Makeover: Payments Edition?
The CFPB's General Counsel, Seth Frotman, spoke to the Innovative Payments Association at its conference this month highlighting three "areas of concern" the agency has about the rapidly changing payments industry. The CFPB is concerned with data harvesting and privacy, specifically with companies using payment data to do individualized marketing or selling payment data to third parties to do so. The agency is also focused on applying Regulation E's compulsory use restrictions to platforms' payment of "gig" workers who may be required to receive their payments via a particular financial institution or payment app. And the agency is concerned that consumers are putting themselves at risk by leaving large amounts of funds on uninsured prepaid cards or peer-to-peer payment apps rather than in traditional deposit accounts insured up to FDIC or NCUA limits.
You may be wondering what the CFPB's authority is over data harvesting since there is no federal statute or regulation that prohibits the practice. Frotman laid out his view that CFPB could use its UDAAP authority to pursue harmful practices relating to data use. One such consumer financial product or service specified in the Dodd-Frank Act is "providing payments or other financial data processing products or services." Taken together, the agency believes the collection of large amounts of data from processing payments is "in connection with" processing payments and therefore it has authority to prevent unfair or deceptive practices related to data harvesting.
In the early 2000s, ABC launched a long-running reality show called Extreme Makeover: Home Edition where a team of contractors would "renovate" a family's home over the course of a few short weeks. The "renovation" was often so total that the new home bore no resemblance to the original one. Likewise, the CFPB appears to be giving an extreme makeover to the authorities that govern it. The CFPB is undeterred by the fact that there is no federal statute that prohibits data harvesting or monetization; instead, it appears to want to renovate its existing UDAAP authority into a law that prohibits data harvesting. It's not hard to find deception when a company tells consumers it doesn't sell their data and then actually does so; but the CFPB seems to be suggesting that selling consumer data is inherently unfair or deceptive even if fully disclosed. This speech and other recent pronouncements by the CFPB against "big tech" seem to portend enforcement actions involving data harvesting in the near future. If your company collects consumer data for marketing purposes or sells consumer data to third parties, we recommend examining what you tell consumers about the practice.
Florida to Telemarketers: Call Me!
On July 1, 2021, Florida amended the Florida Telephone Solicitation Act (FTSA), making it extremely challenging for companies making or sending telemarketing calls or text messages. In the wake of those amendments, hundreds of class actions were filed alleging violations of FTSA, many of which were filed as putative class actions and related to the sending of text messages. In response to this wave of litigation, on May 3, 2023, the Florida legislature passed sweeping amendments to FTSA, including: (1) narrowing the scope of equipment regulated by FTSA; (2) clarifying that FTSA applies only to unsolicited telemarketing calls/texts; and (3) requiring consumers to text "STOP" in response texts and waiting 15 days for the texter to comply before filing a lawsuit. The full amended text of FTSA is available here. The governor signed the bill into law on May 25 and the changes went into effect immediately. These amendments, including the notice provision, apply to any class actions pending, but not yet certified, on or before May 25, 2023. We know FTSA (and its federal analog, the Telephone Consumer Protection Act) is a hot button issue, so we released a more detailed discussion of the amendments earlier this month, available here.
Florida legislators, clearly Blondie superfans, might be commended for making life a little easier for companies targeting Florida consumers via call and text (except for Disney, which is in for a wild ride). In the words of Florida's own Rock and Roll superstar, Debbie Harry, "call me (call me) on the line, call me, call me any, anytime." Although, with the pre-suit "STOP" requirement, it's looking like the best way to get in touch with those consumers is by text message—alas Ms. Harry can be forgiven for failing to predict texting would replace phone calls. Now if only those states that have passed copycat statutes would adopt Florida's recent amendments, we'd be golden—we're looking at you Oklahoma. Does Oklahoma's native son, Garth Brooks, have any phone call songs?
Big Brother is Watching: Leading Fintech Partner Bank Agrees to Substantial FDIC Oversight
In late April 2023, the FDIC released a consent order with Cross River Bank (CRB), a partner bank for many leading fintechs. In the consent order, the FDIC contends (CRB did not admit liability) CRB engaged in "unsafe or unsound banking practices related to its compliance with applicable fair-lending laws and regulations by failing to establish and maintain internal controls, information systems, and prudent credit underwriting practices" in accordance with FDIC guidance on safety and soundness, ECOA / Reg B, and TILA / Reg Z.
The FDIC contends CRB's partnerships present "operational complexity, considering the number of credit products offered and number of third parties involved." As a result, the consent order imposes a number of substantive requirements on CRB related to its CMS. CRB must increase board oversight generally and in compliance with underwriting and fair-lending laws in particular. CRB must also identify its current fintech partners for the FDIC's review and submit new partnerships to the FDIC for potential objection. Such submissions must be accompanied by substantial backup material including details on the prospective company's products and agreements and a report to the CRB board explaining why the partner satisfies CRB's due diligence requirements. This will significantly slow CRB's onboarding of new customers, in part because the FDIC has 45 days to respond to a submission.
CRB must also engage in several fair-lending analyses for the FDIC's review. These obligations – of which they are many – form the bulk of the consent order. Together they are intended to substantially tighten CRB's fair-lending compliance and oversight of fair-lending issues present in its partners' lending products.
It should not be a surprise that regulators are watching bank/fintech partnerships like hawks. Remember Blue Ridge Bank last year? Expect more regulatory orders about banks' oversight of fintech partners—CRB is one of several banks with many partnerships. For all providers, this order underscores the importance that your Board be on top of compliance management. If you can't demonstrate it in Board minutes or otherwise, you're probably falling short. For non-banks, expect more questions from your partner banks about your own compliance operations so that the bank can answer the inevitable questions from its regulators.
Big picture, this order aligns statements from CFPB Director Chopra that regulators want to establish greater oversight over fintech partnerships. It's possible it will lead to a slowing of the roll-out of new products by existing and new partners.
Texas Has Entered the Data Privacy Rodeo
Texas is poised to join the ever-growing group of states with comprehensive privacy laws and regulations. The Texas Senate passed HB 4 , adding the Texas Data Privacy and Security Act (TDPSA) to the alphabet soup of state privacy laws. It has now been sent for the Governor’s signature, and will become law absent a veto. The TDPSA is similar to the laws in Virginia, Colorado, and Connecticut, but has some important differences.
Here are a few of the key points:
- Broadly applicable: The reach of the TDPSA is broader than other state laws, as it applies to all businesses that conduct business in Texas or produce goods or services consumed in Texas, and either process or sell personal data. Processing is defined as any operation or set of operations, whether by manual or automated means, on personal data or sets of personal data. The law does have a carve-out for small businesses (as defined by the United States Small Business Administration) that is narrower than the revenue thresholds in some of the other state privacy laws.
- Data protection assessments required: While some of the state privacy laws have taken more of a business friendly approach, Texas opted to require businesses to conduct data protection assessments for activities that are considered high risk (including targeted advertising, selling personal data, profiling that creates risks to consumers, processing sensitive data, and any other activities that create a “heightened risk of harm” to consumers). Data Protection Assessments require a business to weigh the risks and benefits of the data processing activities they want to undertake, and factor in protections that can help mitigate identified risks.
- Extra rules for sensitive data: The TDPSA has specific rules applicable to businesses processing sensitive data (defined as (A) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status; (B) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (C) personal data collected from a known child, or (D) precise geolocation data).
- Notice: If a business sells sensitive data, it has to include this notice on its website: "NOTICE: This website may sell your sensitive personal data."
- Consent: Consent is required before a business can process or sell the person’s sensitive data.
This bill will impact businesses that haven’t been subject to any of the other privacy laws (and presumably hoped it would stay that way); the broad applicability is going to catch folks off guard. Some requirements will take time to tackle and require significant resources to implement and maintain. The requirement for consent when processing sensitive data is huge, particularly in light of the types of data that are considered “sensitive” under the law. Businesses that collect information for DE&I initiatives will need to take a close look at what’s required, as will businesses using biometrics (e.g., finger scans to sign into an account or similar) or precise geolocation (tracking in apps or websites). Looking at this sooner rather than later will be important, considering some of the technical and resource challenges companies are likely to face.
