Explainer Things: Episode 9

Tyler Engar, Eric Goldberg, Christy Hawkins, William Heller, Thomas Kearney, Lenora Lynham, Aliza Pescovitz Malouf, Nora Rigby, Chelsea D.B. Valente
Akerman LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Akerman LLP

Fall is finally in the air as temperatures drop (in some parts of the country, at least) and football season is in full swing. We’ve previously avoided writing about football because our Explainer Things cast can’t agree on which team to support. Until now, that is. With Taylor Swift’s appearances in Kansas City and New Jersey to root for her “maybe” new boyfriend Travis Kelce, we all became Chiefs fans real quick. The love of Tay-Tay is once again bringing people together.

Taylor and Travis aren’t the only news that blew up our phones this September—CFPB has been on a news-making streak, too. This episode includes blurbs on the agency’s “Issue Spotlight” on contactless payments and proposed changes to credit-reporting rules. But we did not have space to cover other big CFPB news: one court holding the agency exceeded its authority in deeming discrimination is an abusive practice in connection with non-lending products; another court halting implementation of the new small business lending rule pending the Supreme Court’s decision on the agency’s constitutionality; and a statement from the agency indicating it could be reviving its efforts to restrict arbitration clauses in consumer contracts. Oh yeah, and the Supreme Court oral arguments are next week to decide whether its funding structure is constitutional!

Keep reading for blurbs relevant to payments, crypto, fintech, cards, and more, with our quick analysis (aka Akerman’s Take) on why that news matters to you.

The Explainer Things team will be at Money 20/20 this month in Las Vegas. Please reach out if you will be there. We’d love to see you and get your take on all things fintech and Taylor Swift.

  • CFPB’s New Credit Reporting Rules Are Major League…And a Major Question?
  • Maryland and Connecticut Added to List of Dutton Schemes to Wrangle EWA Providers
  • CFPB Wants to Sing “Bye, Bye, Bye” to Big Tech Dominating the Tap-to-Pay Market
  • Party Like It’s 1999 (Or Any Time Before April 1, 2021)—TCPA Filings Are Up
  • Ocean’s Eleven Comes to Life as Ransomware Hackers Attack Vegas Casinos
  • Hey Crypto—“Life Ain’t About How Hard You Can Hit, It’s About How Hard You Can Get Hit and Keep Moving Forward” –Rocky Balboa

CFPB’s New Credit Reporting Rules Are Major League…And a Major Question?

Last week CFPB released an overview of rulemaking proposals that would significantly change the rules implementing the Fair Credit Reporting Act. FCRA provides consumer protections in the credit reporting industry, including by limiting the purposes for which credit bureaus (CRAs) can share information about consumers. It also places obligations on companies providing information to CRAs (furnishers). The proposals being considered involve four changes that would drastically alter the status quo for how consumer information is shared by CRAs.

First, CFPB would expand the statute’s coverage to ensure data brokers collecting and selling certain consumer information comply with the FCRA—many data brokers are not currently covered by the statute. Second, CFPB would limit several of the “permissible purposes” for which a CRA may share consumer information. For example, the statute currently permits a CRA to disclose information in accordance with the written consent of the consumer. CFPB is considering clarifying how that consent must be obtained, limiting the scope of such authorizations, including limits on the number of purposes or entities that can be covered by a single written consent. Third, the agency wants to make it easier for consumers to dispute inaccuracies or problems on their credit reports by expanding the types of information consumers can dispute. Lastly, the agency is considering prohibiting CRAs from including medical debt information on credit reports. It is also considering several smaller changes as well.

For the next step in the rulemaking process, CFPB will collect input on the potential rules changes from small businesses that would be impacted. Then it must propose a formal notice of proposed rulemaking, consider public comments on that proposal, and issue a final rule before any changes become effective. If the rulemaking goes forward, changes to the credit reporting rules likely will not take effect until at least 2026.


Taylor Swift may not be watching baseball, but CFPB’s potential changes to FCRA rules are major league. So Major League, Ricky “Wild Thing” Vaughn might even hear about them. The potential change generating the most headlines is excluding medical debt from credit reports, probably because that is easiest for consumers to appreciate. But in our view, the change that could make the biggest impact is the one that makes all data aggregators CRAs covered by the statute. Many of the fintechs we know and love depend on data aggregators to obtain bank account and other consumer financial information to facilitate transactions. Some of those data aggregators may not currently follow FCRA requirements because they do not believe they are CRAs. If those data aggregators become CRAs, they could be severely restricted in what kinds of information they can share with fintechs and for what purpose. This could throw a big wrench in the works for fintechs and the consumers who use them.

You may have noticed the repeated use of the word “major” to describe what CFPB is considering. That’s because we cannot help but wonder whether CFPB might be running afoul of the major questions doctrine with these significant changes. That doctrine holds that statutes must not be interpreted as delegating power to an agency to decide major questions through rulemaking unless the text clearly grants such power. In other words, it is not at all clear that CFPB has the authority to change defined terms in the like “credit reporting agency.” We predict Major League litigation if the agency movies forward with this rule.

Maryland and Connecticut Added to List of Dutton Schemes to Wrangle EWA Providers

Two states moved forward with earned wage access (EWA) guidance. Maryland’s Office of Financial Regulation issued new guidance in August clarifying when EWA products are considered loans in Maryland. In determining whether an EWA product is a loan, Maryland says it depends. The guidance explains that advances provided directly by an employer to an employee are not a loan under Maryland law, but advances provided by a third-party vendor may be a loan—a determination requiring a case-by-case analysis. According to the guidance, Maryland will consider the provider’s risk of loss, level of contact with the employee, and economic benefit from the transaction in evaluating whether the transaction is a loan.

Connecticut’s Department of Banking also issued new guidance in September, clarifying Connecticut’s Small Loan Lending Act covers EWA products following earlier changes to the law. In determining whether an EWA product is a small loan such that an EWA provider needs a license, Connecticut will look to the statutory definition of “small loan.” A “small loan” is, in part, a “loan or advance of money on a consumer’s future potential source of money.” The new guidance clarifies that Connecticut views EWA products as an “advance of money” and could be a “small loan.” (Separately, Connecticut’s guidance also clarifies its true lender position. It explains that persons who service loans originated by an exempt entity, such as a bank, are no longer themselves exempt from licensure.)

Following the initial guidance, Connecticut issued supplemental guidance stating it was engaging with several EWA providers to determine whether their products involved “small loans” given the recent guidance. The later guidance also announced that Connecticut is allowing EWA providers to continue operations without penalty as long as they file an application for a small loan company license by January 1, 2024. After that date, the Commissioner of Banking suggests it will take enforcement action against EWA providers engaged in unlicensed activity.


Let’s take this one Yellowstone style. Imagine the EWA providers are Paradise Valley Development and the great states of Maryland and Connecticut are curveballs thrown by John and Beth Dutton to rein in the company and its plans. As Paradise Valley Development is working to make Bozeman more accessible by building an airstrip and housing, John and Beth are working hard to stop that progress, lobbing curveball after curveball. Translation: Maryland and Connecticut have joined a handful of other states in attempting to wrangle EWA products.

Both states’ regulators have issued guidance interpreting their state laws without an underlying instruction to do so from their respective legislatures. (The Connecticut Legislature’s recent changes to the Small Loans Act are not relevant to the recent EWA guidance.) This regulatory approach by Connecticut and Maryland is different from the new statutes passed in Nevada and Missouri (see Explainer Things: Episode 7). As these pronouncements are guidance, rather than law, they may not be each state’s final word. At the very least, EWA providers should take note of these latest pronouncements and be wary of others. And if John or Beth Dutton throw another curveball at Paradise Valley’s development plans, we will alert our readers.

CFPB Wants to Sing “Bye, Bye, Bye” to Big Tech Dominating the Tap-to-Pay Market

CFPB published an Issue Spotlight focusing on point-of-sale (POS) purchases, mobile device operating systems in the payments arena, and the “Big Tech” companies dominating this market. CFPB found the market for “tap-to-pay” or “contactless” mobile payment has grown considerably, with a total of $300 billion in transactions and an estimated 150 percent growth by 2028. CFPB found Apple and Google are controlling the market, given that their operating systems hold nearly 100 percent of the smartphone market.

Point-of-sale payments through mobile devices use near field communication (NFC) technology to allow for the “tap-to-pay” functionality. According to CFPB, Apple is imposing “private” regulations restricting consumer choice and innovation because its operating system does not allow other financial service providers to access the NFC technology on its devices. PayPal, Venmo, and CashApp are prime examples of financial service providers that would be top competitors if they could access the NFC technology. On top of holding the key to the technology, Apple also imposes fees on card issuers. The card issuer has to pay a transaction fee every time its card is used via Apple Pay. Google does not currently restrict access to NFC capabilities but it could, especially given its dominant position in the market.

CFPB believes Apple’s “private” regulations impact this market by reducing consumer choice, inhibiting innovation, and affecting the potential for open banking. CFPB believes it must focus on threats to competition in this area, so that Apple, Google, and other large technology firms will not hinder smaller firms in entering the contactless payment space.


Apple and Google were probably not as excited about this Issue Spotlight as millennials were seeing *NSYNC reunite at the MTV Video Music Awards in September. Why would they be? These companies are at the forefront of a market with an estimated $300 billion in tap-to-pay transactions so far and CFPB looks to pave the way for competitors. Perhaps Director Rohit Chopra enjoys the occasional *NSYNC tune, but we know CFPB isn’t a fan of companies proclaiming “It’s gonna be me/You’ve got no choice, babe.” It sounds like CFPB wants to attach some strings to Apple, forcing them to let banks and other payment apps from access tap-to-pay functionality. Some might question the agency’s authority to do this; it mentions only its pending rulemaking on personal financial data rights—a rulemaking required by the Dodd-Frank Act. In any event, this Issue Spotlight may be CFPB’s way of saying ”[Regulation] I Promise You” for the POS payments market.

Party Like It’s 1999 (Or Any Time Before April 1, 2021)–TCPA Filings Are Up

Remember last edition when we told you that, after a dip in TCPA filings following the Supreme Court’s April 1, 2021, ruling in Facebook v. Duguid, the TCPA world is heating up? Consider this a friendly “we told you so.” According to the August report from WebRecon, TCPA filings are up 13.2 percent from last year. In contrast, other consumer filings WebRecon tracks (CFPB, FDCPA, and FCRA) are all down from the prior year. WebRecon recorded 158 TCPA filings in August and 150 in July. In just the first eight months of this year, there were 1,169 TCPA filings, compared with the 1,033 filed in the same period last year. A staggering 92 (or 58.2 percent) of TCPA filings in August were class action lawsuits. These numbers are starting to inch back up towards pre-Duguid numbers. For context, in March 2021, the month before the Supreme Court issued Duguid, there were 199 TCPA filings and 160 the month before. (As a reminder, in Duguid, the Supreme Court held that to constitute an automatic telephone dialing system under the TCPA, a device must be able to randomly or sequentially generate numbers (i.e. systems that merely dial numbers from a set list—like most of today’s dialing equipment—doesn’t make the cut).)


With numbers like these we cannot stress enough the importance of reviewing your TCPA compliance. Dust off those old policies and procedures, review your consent language, and check your vendor contracts. And, while you’re at it, you might want to ensure those policies also comply with state telemarketing laws, because telemarketing compliance is not going anywhere any time soon, folks.

Ocean’s Eleven Comes to Life as Ransomware Hackers Attack Vegas Casinos

In a recent wave of ransomware cyberattacks, MGM Resorts and Caesars Entertainment casinos across the country were targeted, causing problems with slot machines, hotel check-ins, keycard access, and cashing out winnings. In a regulatory filing with the SEC, Caesars stated that many of its loyalty program members’ personal data was stolen. The hack was possibly the result of a hacker posing as an employee identified on LinkedIn and soliciting credentials from the helpdesk.

The entertainment industry is not the only high-profile target of ransomware attacks. Earlier this year, the City of Dallas suffered a ransomware breach where 27,000 employees, retirees, and their dependents had personal and medical information exposed. In 2021, the Colonial Pipeline fell victim to a ransomware attack that impacted computerized equipment managing the pipeline. The company halted its operations for six days, resulting in a severe drop in gas and oil supply. Also in 2021, CNA Financial experienced a ransomware attack after an employee downloaded a fake browser update from a legitimate website. Using the employee’s credentials, the hacker encrypted around 15,000 systems and was paid $40 million in ransom.


Hackers routinely use “social engineering,” which is calling or emailing company employees and attempting to manipulate them into divulging confidential or internal information that is then used for fraudulent purposes. Imagine George Clooney as Danny Ocean sweet-talking an employee into spilling a password and you get the idea. Social engineering can happen to any company, no matter how sophisticated or tough the IT security. It exploits the human element of the company, and that can be from the call center level to top management.

Companies wishing to thwart these smooth operators should have a serious chat with their board. Have in-house counsel, IT, and the board discussed plans to prevent and deal with ransomware attacks and social engineering? If something falls through the cracks, what is the plan of attack? Do you have an instant response plan, and, if so, have you tested that plan? What is the plan if the hacker organization is blacklisted with OFAC and paying them could cause even more problems? The best-situated companies proactively think about and resolve these questions ahead of time. Don’t wait until that Brad Pitt look-a-like smooth operator “melts all your memories and change into gold, his eyes are like angels but his heart is cold.”

Hey Crypto—“Life Ain’t About How Hard You Can Hit, It’s About How Hard You Can Get Hit and Keep Moving Forward” –Rocky Balboa

You may recall last year when Grayscale Investments applied to the SEC to create a spot bitcoin exchange-traded fund (ETF), only to have its application rejected. Unlike other spot bitcoin ETF applicants, Grayscale didn’t just walk away. It appealed SEC’s decision, arguing, in a nutshell, what’s good enough for bitcoin futures ETF (i.e., SEC approved) ought to be good enough for a spot bitcoin ETF—the only real difference being asset delivery timing; spot now, futures later. In August, a three-judge panel on the D.C. Circuit Court of Appeals agreed with Grayscale that the SEC’s denial was wrong, holding:

It is a fundamental principle of administrative law that agencies must treat like cases alike. The Securities and Exchange Commission recently approved the trading of two bitcoin futures funds on national exchanges but denied approval of Grayscale’s bitcoin fund…Grayscale maintains its proposed bitcoin exchange-traded product is materially similar to the bitcoin futures exchange-traded products and should have been approved to trade on NYSE Arca. We agree. The denial of Grayscale’s proposal was arbitrary and capricious.…

The Grayscale SEC loss comes on the heels of another major legal loss for the SEC earlier this summer when a federal district court ruled that certain “retail” public exchange sales of XPR (Ripple Labs, Inc.’s token) did not violate federal securities law.


Who do the SEC and crypto remind you of? Kendall Roy and Rocky Balboa, right? Yeah, same here, and in that order. Both are surrounded by people lobbying for this position or that, telling them about the odds of success if they go in one direction or another. And all the while they do what they’re gonna do—they are driven characters. In Kendall’s case, the drive comes from hubris. For Rocky, from a desire to transform and persevere.

Kendall contrives and schemes to outplay his opponents. He hopes to catch them off guard and exploit any weakness. He’ll take all advantages, to hell with the consequences. Yet his plans to dominate all seem to end the same way: the rug pulled out from under him. Kendall can be summed up in one short scene from season 4: when he screams in his sister’s face, “I’m the eldest boy.” As if to say, “I win because I am the SEC…er…Kendall Roy.”

Rocky, on the other hand, doesn’t scheme and contrive. He plans and prepares. He’s not looking to exploit his opponents’ weaknesses because he capitalizes on his own strengths. He doesn’t trample relationships to his advantage. His greatest opponent, Apollo Creed, became his best friend—from whom he learns to be a better boxer. Rocky cannot be summed up in one line; he can’t even be summed up in multiple sequels. But, one quote speaks volumes. As crypto…er…Rocky Balboa and Adrian discuss the likelihood of defeat to Ivan Drago, Rocky tells her:

No, maybe I can’t win, maybe the only thing I can do is just take everything he’s got. But to beat me, he’s gonna have to kill me, and to kill me, he’s gonna have to have the heart to stand in front of me, and to do that, he’s gotta be willing to die himself and I don’t know if he’s ready to do that.

In the end, how’d it go for Kendall? Well, we’re not spoilers, but we weren’t surprised. Succession ended. We’ve seen the last of Kendall. As for Rocky, sure, maybe he lost to Apollo in the first movie, but that was one battle. Ultimately he beat Apollo and Clubber Lang and Ivan Drago (ugh, and Tommy Gunn). What is more, we haven’t see the last of Rocky! And we are betting that crypto’s story has even more sequels.

Explainer Things is brought to you by the Consumer Financial Services, Data & Technology Practice Group (CFS+) at Akerman LLP.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP | Attorney Advertising

Written by:

Akerman LLP
Akerman LLP
Contact
more
less

Akerman LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide