Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and ground-breaking technologies.
FFIEC Issues Guidance for Financial Institutions on Consumer, Employee, and Third-Party Access to Digital Banking and Information Services. On August 11, the Federal Financial Institutions Examination Council (FFIEC) issued guidance that provides financial institutions with examples of risk management principles and practices for access and authentication. Specifically, the guidance, among other things, supports a financial institution’s adoption of layered security, highlights the weaknesses of single-factor authentication and includes examples of authentication controls, and provides a list of government and industry resources and references to assist financial institutions. The guidance also notes the need for strong risk management controls for third parties, such as data aggregators and consumer-permissioned entities, to access business and consumer financial information.
FTC Asks Federal Reserve Board to Modify EFTA Rules to Expand Requirements Related to Debit Card Networks. On August 12, the FTC submitted a comment on the Board of Governors of the Federal Reserve System’s (Federal Reserve Board) proposed rulemaking on Regulation II. The proposed rulemaking would clarify that Regulation II applies to both transactions in which a credit card is present, and transactions in which it is not, such as pay-by-phone or other electronic payment options. Regulation II implemented changes made to the Electronic Fund Transfer Act (EFTA) under the Dodd-Frank Wall Street Reform Act of 2010. Specifically, those changes required debit card issuers to enable at least two unaffiliated debit card networks to permit merchants an option for routing electronic debit card transactions. The FTC’s comments also asked the Federal Reserve Board to prevent debit card networks from paying incentives to debit card issuers for routing electronic transactions in a manner favorable to the particular debit card network.
CFPB Issues Interpretive Rule on Mortgage and Disclosure Timing Requirements for the Juneteenth Federal Holiday. On August 5, the CFPB released an Interpretive Rule to assist the mortgage industry in determining whether to treat June 19, 2021 as a federal holiday or a business day for compliance purposes with time-sensitive borrower protections. Regulation Z of the CFPB’s mortgage rules establishes timing requirements, calculated in business days, for when borrowers must receive certain disclosures and when borrowers have the right to cancel some mortgages. For recission of certain mortgages, whether June 19, 2021 counts as a federal holiday or a business day depends on when the relevant time period for the mortgage began. Specifically, if the period began on or before June 17, 2021, then June 19 was a business day. If the period began after June 17, 2021, then June 19, 2021 was a federal holiday.
FTC Removes Company from List of Approved Children’s Privacy Self-Regulatory Platforms. On August 4, the FTC announced that it is removing Aristotle International, Inc. (Aristotle) from the list of self-regulatory companies that monitor for Children’s Online Privacy Protection Act (COPPA) compliance. Aristotle was one of the first seven pre-approved COPPA Safe Harbor organizations and is the first to be removed from the list. The COPPA Rule requires that commercial website and online service operators directing content towards children under the age of 13, or general-audience websites knowingly collecting information about children under the age of 13, notify parents about their information practices and obtain verifiable consent before collecting or disclosing personal information from children under age 13. Earlier this year, the FTC warned Aristotle that the agency was concerned that Aristotle may not have sufficiently monitored its member companies to ensure that they were complying with the applicable guidelines.
FTC Adjusts Merger Review Process Amidst Filing Increases. On August 3, FTC Bureau of Competition Director Holly Vedova announced that “for deals that we cannot fully investigate within the requisite timelines [under the Hart-Scott-Rodino Act], we have begun to send standard form letters alerting companies that the FTC’s investigation remains open and reminding companies that the agency may subsequently determine that the deal was unlawful. Companies that choose to proceed with transactions that have not been fully investigated are doing so at their own risk.” The Hart-Scott-Rodino Act requires that companies engaging in transactions that meet a certain threshold provide the FTC and U.S. Department of Justice with advance notice. After the merging parties submit a notice, the agencies generally have certain deadlines to pursue an investigation. When sent, the standard form letters remind companies that the FTC may still determine that their deal is unlawful and take further action at a later date even if the standard statutory time period for review has passed.
Significant Enforcement Actions
FTC Files Complaint Against Fuel Card Provider for Charging Allegedly Fabricated Fees to Small Businesses. On August 11, the FTC filed an administrative complaint against FleetCor for allegedly charging small businesses millions in fabricated fees associated with fuel cards. The FTC alleges that FleetCor falsely told its business customers that they would receive protection from unauthorized charges and have no set-up, transaction, or membership fees, in violation of Section 5 of the FTC Act. The FTC previously filed suit against FleetCor in December 2019 based on similar allegations. However, following the Supreme Court’s AMG decision, holding that the agency could not obtain consumer redress under Section 13(b) of the FTC Act, the FTC has filed the current complaint pursuant to its administrative process.
Upcoming Comment Deadlines and Events
Federal Reserve Board, FDIC, and OCC Seek Comment on Third Party Risk Management Principles. Comments are due September 17 on proposed interagency guidance issued by the Board of Governors of the Federal Reserve (the Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC). The proposed interagency guidance is focused on risk management practices for banking organizations to consider when developing risk management strategies for third party relationships. The Board, FDIC, and OCC intend for the proposed interagency guidance to take “into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” If adopted, the proposed guidance would replace each agency’s existing guidance and would be directed to all banking organizations regulated by the agencies.