On February 12, 2019, for the first time in its history, the Commodity Futures Trading Commission (“CFTC”) announced the release of 2019 examination priorities for each of its regulatory Divisions. CFTC Chairman J. Christopher Giancarlo stated that “[t]his first-ever publication of division examination priorities is in line with Project KISS and other agency initiatives to improve the relationship between the agency and the entities it regulates, while promoting a culture of compliance at our registrants.” Other regulatory agencies, such as the U.S. Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”), traditionally publish annual examination priorities. The CFTC 2019 examination priorities focus on ensuring that CFTC registrants have sufficient compliance mechanisms in place to effectively self-regulate in accordance with the CFTC’s regulatory priorities. Registrants should consider this announcement as signaling an increase in the CFTC’s attention to its supervisory efforts and as a potential precursor to increased enforcement activity.
On February 11, 2019, President Trump signed an Executive Order (“EO”), “Maintaining American Leadership in Artificial Intelligence,” that launches a coordinated federal government strategy for Artificial Intelligence (the “AI Initiative”). Among other things, the AI Initiative aims to solidify American leadership in AI by empowering federal agencies to drive breakthroughs in AI research and development (“R&D”) (including by making data computing resources available to the AI research community), to establish technological standards to support reliable and trustworthy systems that use AI, to provide guidance with respect to regulatory approaches, and to address issues related to the AI workforce. The Administration’s EO follows the national AI strategies of at least 18 other countries, and signals that investment in artificial intelligence will continue to escalate in the near future—as will deliberations with respect to how AI-based technologies should be governed.
On February 6, 2019, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) released its much-anticipated proposed amendments to the payday lending rule. The proposed revision is Kathy Kraninger’s first major regulatory initiative since becoming the director of the CFPB.
The Bureau issued two notices of proposed rulemaking that would (i) repeal the mandatory underwriting provisions in the payday lending rule and (ii) delay the compliance date for these provisions until November 19, 2020, which would allow the Bureau to consider comments and issue a final rule before the underwriting provisions take effect. The Bureau’s proposed revisions would not amend or delay the effective date of the payment provisions of the payday lending rule, although the preamble to one of the proposed rules makes clear that the Bureau may separately consider whether any revisions to the payment requirements are appropriate.
On January 28, 2019, Senator Mike Crapo (R.-Id.), Chair of the Senate Committee on Banking, Housing, and Urban Affairs, published a column signaling his support for data privacy and security legislation in the 116th Congress.
In his column, Senator Crapo emphasizes what he sees as the “incredibly positive” developments associated with the development of technology, including increasing consumer choice, inclusion, and economic prosperity. However, he also highlights the increasing prevalence of data breach incidents and the lack of transparency associated with “big data analytics, data aggregation, and other technologies that make use of consumer data.”
He concludes that “[i]n order to fully embrace the immense benefits that can result from technological innovation, we must ensure proper safeguards are in place and consumers are fully informed.” Because of this, “[d]ata privacy and data security legislation will remain a priority in the 116th Congress,” and the Senate Banking Committee in particular will explore solutions to “give consumers more control over and enhance the protection of consumer financial data.”
Senator Crapo’s column comes on the heels of several bills that have recently been introduced in the Senate to address data protection issues, from both Democrats and Republicans. In particular, Senator Marco Rubio (R.-Fla.) introduced a privacy bill in January, and Senators Amy Klobuchar (D.-Minn.) and John Kennedy (R.-La.) reintroduced their bipartisan bill in this Congress. Senators Brian Schatz (D.-Hawaii) and Ron Wyden (D.-Ore.) introduced proposals last session.
The outlines of a possible compromise are still coming into view, but a key issue in the debates over data protection legislation is likely to be whether the law would preempt California’s new California Consumer Privacy Act (“CCPA”). As we have previously discussed, amendments to the CCPA exempted broad categories of consumer financial data under an exemption for data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, making the CCPA much less onerous for financial services companies. However, the full breadth of that exemption has not yet been defined, and certain financial data will fall outside the exemption.
Legislators will likely also debate whether a federal law should include rights to data access, data correction, data deletion, and data mobility (i.e., the right to transfer personal information to another business), and, if so, what forms those rights should take.
Senator Crapo’s column underscores both that data protection legislation will be a major focus of this Congress, and also the important implications such legislation could have for financial services companies, including banks, credit reporting agencies, and other nonbank financial institutions.
Innovation in financial services continues to move at a rapid pace. The significant increase in the number of fintech companies in recent years has highlighted a burgeoning market with significant economic potential, and a commercial need to create efficiencies and modernize the provision of financial products and services. Federal and state financial services regulators remain focused on fostering the growth of fintech companies, while simultaneously developing an appropriate regulatory framework for fintech activities that will ensure consumer protection.
We recently authored a chapter on fintech regulation in the United States as part of a global fintech guide published by Thomson Reuters. Each chapter provides an overview of the financial services and fintech sectors in that jurisdiction, including the regulatory environment for fintech in alternative finance, payments, securities, insurance, and blockchain activities; regulatory compliance issues; government initiatives; and the future of fintech.
Reproduced from Practical Law with the permission of the publishers. For further information, visit www.practicallaw.com.
On January 23, 2019, the CFPB announced a settlement with Mark Corbett following an investigation by the Bureau, the Arkansas Attorney General, and the South Carolina Department of Consumer Affairs into Mr. Corbett’s brokerage of contracts offering high-interest credit to veterans. As detailed in the consent order, Mr. Corbett facilitated high-interest contracts between veterans and investors marketed as purchases of the veterans’ future pension and disability payments. Pursuant to the contracts, veterans would receive a lump-sum payment from investors in an amount ranging from a few thousand to tens of thousands of dollars, and would then be obligated to repay the investors by assigning to the investors all or part of the veterans’ pension or disability payments. The repayment obligations typically lasted from five to ten years, and resulted in a repayment amount far greater than the initial lump-sum payment.
The Bureau found Mr. Corbett violated Sections 1031 and 1036 of the Consumer Financial Protection Act of 2010 (“CFPA”) by: (i) misrepresenting to consumers that the contracts were valid and enforceable when, in fact, the contracts were void because the veterans’ pension payments are unassignable under federal law; (ii) misrepresenting to consumers that the contracts involved a purchase of payments rather than high-interest credit; (iii) misrepresenting to consumers when they would receive funds under the contracts; and (iv) failing to disclose to consumers the applicable interest rate for the credit offered by the contracts.
The past few weeks have been chaotic for both Brexit negotiations and U.K. politics overall. On January 15, 2019, British Prime Minister Theresa May’s Brexit plan succumbed to historic defeat in Parliament. Brexit watchers expected a defeat but the record margin of 432 votes against, and 202 votes for, was still shocking. On January 16, 2019, the Prime Minister narrowly survived a vote of no-confidence in her government. On Monday, she submitted to Parliament a Plan B for Brexit with a vote on such plan scheduled for tomorrow, January 29th. Against this backdrop of upheaval and uncertainty, derivatives markets must still function and, over the past few months, the European Commission (the “EC” or the “Commission”) has taken steps to mitigate the negative impacts of a possible no-deal Brexit. Nevertheless, issues and market concerns remain.
No Deal Brexit and the Limits of EU Equivalence
If anything, recent activities in the U.K. have heightened expectations of a no-deal Brexit. For months now, investors and advisors, particularly those in the U.K., have been flagging concerns about the impact of Brexit on the derivatives industry, including fragmented markets and liquidity shortfalls.
Facing such risks to the multi-trillion-dollar derivatives market and attendant long-term impacts on its economy, the EC announced on December 12 that it would adopt an equivalence decision to address some, but not all, of the issues associated with a no-deal Brexit. The EC stated it will issue temporary licenses to clearinghouses, recognizing U.K. laws as “equivalent” to EU standards, to ensure that derivatives markets will continue to function with minimal disruption.
On January 17, 2019, the Payment Card Industry Security Standards Council (the “Council”), a payment industry association, released a new framework for PCI software security – the PCI Software Security Framework – to assist companies in designing and maintaining secure software for processing payment transactions. The framework includes two standards: the PCI Secure Software Standard and the PCI Secure Software Lifecycle Standard. Both Standards are aimed at staying ahead of rapid developments in payment applications.
The Framework as a whole introduces objective-based security practices that can support existing ways to demonstrate strong application security and a variety of newer payment platforms and development practices. Troy Leach, the Council’s chief technology officer, underscored the Framework’s importance and said that it “provides assurance to users of the software that as development practices evolve, the payment applications they rely upon will remain independently evaluated for security vulnerabilities.” Later this year, the Council will introduce a tool for businesses to validate their payment systems against the Framework.
The PCI Secure Software Standard includes security requirements and assessment procedures to ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. The Standard identifies key security principles such as sensitive data protection, access control, and attack detection. The Secure Software Standard is intended for payment software that is sold, distributed, or licensed to third parties for the purpose of supporting or facilitating payment transactions. However, the Council also encourages organizations that develop payment techniques in-house to utilize these same practices.
The Secure Software Lifecycle Standard outlines requirements and procedures for software vendors to validate their processes for properly managing the security of payment software throughout its lifecycle. Key aspects of the Standard include addressing “governance, threat identification, vulnerability detection and mitigation, security testing, change management, secure software updates and stakeholder communications.” Both Standards were developed with input from industry participants, including software vendors, assessors and other payment security experts.
The new guidelines replace the Council’s existing Payment Application Data Security Standard (“PA-DSS”). PA-DSS focused on software development and lifecycle management principles for security in traditional payment software. The new guidelines are an advancement beyond the PA-DSS to address overall software security resiliency. The PA-DSS will be retired in 2022, and payment applications will be assessed under the PCI Software Security Framework at that time. There will be a transition period for current investments in PA-DSS until its expiration in 2022.
New York has enacted the Digital Currency Study Bill, which will establish a digital currency task force and provide the governor and the state legislature information “on the effects of the widespread use of cryptocurrencies and other forms of digital currencies and their ancillary systems in the state.” The task force will conduct an extensive review of the blockchain industry in New York (with an emphasis on cryptocurrency exchanges), while analyzing the laws and regulations of other states, the federal government, as well as foreign countries. In particular, the task force will provide legislative and regulatory recommendations to “increase transparency and security, enhance consumer protections, and to address the long term impact related to the use of cryptocurrency.” The task force will submit their findings by December 15, 2020.
This legislation is the latest step by New York to understand and regulate cryptocurrency as well as the blockchain industry. Clyde Vanel, the primary sponsor for this bill and the Chair of the Subcommittee on Internet and New Technologies of the New York Assembly, stated that “the task force of experts will help us strike the balance between having a robust blockchain industry and cryptocurrency economic environment while at the same time protecting New York investors and consumers.”
New York is not the first state to establish such a task force. In September 2018, the California state legislature passed a bill that will establish a working group to discuss the potential applications of blockchain technology and how such technology will affect businesses, the government, and other social purpose organizations. The bill also, for the first time in California, defines blockchain technology as “a mathematically secured, chronological, and decentralized ledger or database.”
On January 9, 2019, a divided three-judge panel of the Ninth Circuit held that the Federal National Mortgage Association, or Fannie Mae, is not a “consumer reporting agency” within the meaning of the Fair Credit Reporting Act (the “FCRA”). The case, Zabriskie v. Federal National Mortgage Association, was brought by prospective borrowers who were unable to refinance their current mortgage loans due to allegedly erroneous information in their credit histories, as reported by Fannie Mae software that is commonly used by mortgage lenders.