Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.

To subscribe to this newsletter, click here.

Regulatory Announcements

CFPB Proposes to Define and Supervise Larger Participants in Market for General-Use Digital Consumer Payment Apps. On November 7, the CFPB released a Notice of Proposed Rulemaking (NPRM) proposing to define larger participants in the market for “general-use digital consumer payment applications.” The Consumer Financial Protection Act (CFPA) authorizes the CFPB to define larger participants in markets for consumer financial products or services, and to supervise larger nonbank-covered entities subject to the law to assess compliance with federal consumer financial laws, obtain information about such entities’ activities and compliance systems and procedures, and detect and assess risks to consumers and consumer financial markets.

The NPRM defines the general-use digital consumer payment app market to include “providers of funds transfer and wallet functionalities through digital applications for consumers’ general use in making payments to other persons for personal, family, or household purposes.” The NPRM notes that this definition includes “‘digital wallets,’ ‘payment apps,’ ‘funds transfer apps,’ ‘person-to-person payment apps,’ ‘P2P apps,’ and the like.” Additionally, the NPRM proposes a test to determine whether a nonbank entity is a larger participant in the general-use digital consumer payment app market – (1) the entity must provide general-use digital consumer payment apps with an annual volume of at least five million consumer payment transactions; and (2) the entity must not be a small business concern based on the Small Business Administration’s applicable size standard. If adopted, the proposals in the NPRM would permit entities to dispute whether they qualify as a larger participant in the general-use digital payment app market. Comments on the NPRM are due 30 days after the item is published in the Federal Register.

FTC to Hold Open Commission Meeting on November 16. On November 9, the FTC announced that it will hold a virtual Open Commission Meeting on November 16 at 11 a.m. ET. The Open Commission Meeting has two agenda items: (1) a Voice Cloning Challenge announcement; and (2) a presentation on public comments regarding the business practices of cloud computing providers. According to the agenda, the Voice Cloning Challenge will “encourage the development of multidisciplinary solutions – from products to procedures – aimed at protecting consumers from artificial intelligence [(‘AI’)]-enabled voice cloning harms, such as fraud and the broader misuse of biometric data and creative content.” The cloud computing presentation “will present findings from and ongoing areas of inquiry following the Commission’s Request for Information and public panel discussion on cloud computing.” Additionally, it will “address a number of issues raised in the RFI and panel discussion, including competition, security, and generative AI.” As we discussed previously, the Cloud Computing RFI sought comment regarding the business practices of cloud computing providers. The RFI outlines questions on both competition and data security issues in the cloud computing industry. Comments on the RFI were due May 22, 2023.

FTC Submits Comment to U.S. Copyright Office About AI-Related Consumer Protection and Competition Issues. On November 7, the FTC filed a comment in response to a notice of inquiry and request for comments on copyright policy issues raised by AI. In its comment, the FTC states that AI tools and products raise concerns “about potential harm to consumers, workers, and small businesses.” The FTC further notes that it is actively exploring risks with AI use, including “violations of consumers’ privacy, automation of discrimination and bias, and turbocharging of deceptive practices, imposter schemes, and other types of scams.” The FTC also asserts that it will “[v]igorously” enforce laws “over which the FTC has enforcement authority in AI-related
markets. . . .”

FTC Annual Do Not Call Registry Data Book Shows a Drop in Consumer Complaints. On November 3, the FTC released the National Do Not Call Registry Data Book for Fiscal Year 2023, which shows that consumer complaints regarding robocalls and unwanted live telemarketing calls have dropped to a five-year low. The Data Book shows that complaints regarding imposter calls topped the list, with 175,000 received during FY 2023. However, the total number of complaints is down more than 900,000 from FY 2022.

Recent Enforcement Actions

FTC Obtains Injunction Against Operator of Small Business Financing Company for Alleged Unlawful Debt Collection Practices. On October 30, the U.S. District Court for the Southern District of New York issued a permanent injunction against Jonathan Braun, who controlled small-business funding company RCG Advances, after partially granting the FTC’s motion for summary judgment on September 27, finding Braun violated the FTC Act and Gramm-Leach-Bliley Act (GLBA). In 2020, the FTC alleged that Braun had misled consumers by misrepresenting the terms of cash advances and using unfair collection practices. The permanent injunction bans Braun from engaging in debt collection or cash advance practices. The trial will proceed in January 2024 to determine monetary damages and civil penalties under the section of the GLBA that the FTC is pursuing.

FTC and Florida Attorney General Settle With Chargeback Mitigation Company for Allegedly Harming Consumers’ Dispute of Credit Card Charges. On November 7, the FTC and Florida Attorney General filed a stipulated order in the U.S. District Court for the Middle District of Florida against Chargebacks911 and its owners for alleged violations of the FTC Act and Florida Unfair and Deceptive Practices Act. The FTC and Florida Attorney General filed their complaint in April 2023, alleging that Chargebacks911 prevented consumers from successfully disputing credit card charges by overlooking suspicious activity from merchants from whom consumers were challenging charges. The complaint also alleges that Chargebacks911 passed fraudulent screenshots from the merchants to the credit card companies to confirm that the consumer agreed to the purchase. The defendants agreed to pay $600,000, in addition to injunctive relief.

CFPB Settles with National Bank for Allegedly Over-Scrutinizing Credit Card Applications. On November 8, the CFPB filed a consent order and stipulation against Citibank, for alleged violations of the Equal Credit Opportunity Act (ECOA). The CFPB alleges that the company applied more stringent credit criteria to certain applicants and provided false reasons for denying credit applications. The company has agreed to pay $25.9 million.

Upcoming Comment Deadlines and Events

FTC Seeks Research Presentations for PrivacyCon 2024. Research presentations for the FTC’s annual PrivacyCon event are due December 6 and may be submitted here. The FTC announced that PrivacyCon 2024 will be particularly focused on: automated systems and AI; health-related “surveillance;” children’s and teen’s privacy; deepfakes and voice clones; worker “surveillance;” and advertising practices. PrivacyCon 2024 will take place virtually on March 6, 2024, and the agenda will be posted here prior to the event. Members of the public wishing to attend the event may visit the FTC’s website at www.ftc.gov to access the live webcast.

CFPB Releases NPRM to Implement Rules Under Section 1033 of the CFPA. Comments are due December 29 on the CFPB’s Notice of Proposed Rulemaking (NPRM) to implement rules under Section 1033 of the Consumer Financial Protection Act (CFPA). Section 1033 of the CFPA requires consumer financial services providers to make information in the possession of the provider available to consumers when the information concerns the financial product or service that the consumer obtained from the provider. If adopted, the rules proposed in the NPRM would require both depository and non-depository financial institutions to make available to both consumers and authorized third parties certain data related to consumers’ financial transactions and financial accounts; establish privacy obligations for third parties accessing consumers’ data; provide standards for third-party data access; and promote industry standards for such access. The NPRM proposes to use the definitions for “financial institution” under Regulation E and “card issuer” under Regulation Z. This would effectively open both banks and nonbanks that offer a variety of services – from deposit accounts to digital wallets – to Section 1033’s consumer data sharing requirements.

FTC Seeks Comment on “Junk Fees” and Proposes Fee Disclosure Requirements. Comments are due January 8, 2024 on the FTC’s Trade Regulation Rule on Unfair or Deceptive Fees NPRM. The NPRM broadly addresses two practices: (1) fee disclosures after a consumer sees an initial base price, and (2) “practices that misrepresent the nature and purpose of fees or charges.” The proposed rule would define both as unfair and deceptive practices, which would enable the FTC to seek civil penalties for violations. Among other things, the NPRM proposes to require businesses to disclose a “Total Price” in any offer, display, or advertisement that contains an amount a consumer must pay and do so more prominently than other pricing information. It also proposes a preemptive disclosure requirement which would require businesses to disclose, clearly and conspicuously and before the consumer consents to pay, the nature and purpose of any amount the consumer may pay that is excluded from the “Total Price,” including shipping charges, government charges, optional fees, voluntary gratuities, and invitations to tip.

FTC Amends Safeguards Rule to Include Breach Reporting Requirement for Non-Bank Financial Institutions. The FTC’s amendments to its Gramm-Leach-Bliley Act (GLBA) Safeguards Rule will take effect on May 13, 2024. The amendments will require covered “financial institutions” to notify the FTC of certain data breaches involving the information of at least 500 consumers within 30 days of the discovery of the event. The Safeguards Rule applies to certain covered non-bank financial institutions, which include, for example, mortgage brokers, motor vehicle dealers, and many financial technology companies. The Safeguards Rule currently requires these entities to develop, implement, and maintain a comprehensive information security program to safeguard customer information. While the amendments do not require covered companies to issue separate breach notifications to consumers, the FTC has stated that it intends to publish notification reports in a publicly available database.

More Analysis from Wiley

New AI Executive Order Outlines Sweeping Approach to AI

OMB Proposes Far-Reaching AI Risk Management Guidance Following AI Executive Order

New Executive Order Signals Companies Should Reassess AI Security

AI Use is Promising Yet Risky for Government Subpoenas and CIDs

DOJ Must Help In Fighting Illegal Robocalls, Lawyers Say

CFPB Poised to Significantly Expand the Reach of the Fair Credit Reporting Act

FTC and HHS Caution Hospitals and Telehealth Providers on Tracking Tech

Podcast: The “Wild West” of AI Use In Campaigns

California Eyes New Privacy, Cyber, and AI Obligations

Cracks in the State Privacy Law Foundation: State Privacy Law Challenges See Success in District and State Courts

Podcast: How to Fix the Cyber Incident Reporting Mess--DHS Weighs In

Biden Administration Looks at Harmonizing Cyber Regulations Amidst Flurry of New Activity

Coming Soon: New Cyber Labeling Program for IoT Devices

Podcast: The FTC Safeguards Rule: A Deep Dive into the Revisions Effective June 9, 2023

Webinar: How to Keep Up with the Influx of New State Privacy Laws and Regulations

Podcast: What could AI regulation in the US look like?

DOD Devotes Resources to Responsible Adoption of Generative AI

A New White House Project on Responsible AI Sends a Message to the Private Sector, Including Contractors

Podcast: AI: The Next Big Thing in Government Contracting

FTC Issues Policy Statement on Biometric Information, Signaling a New Enforcement Priority

FTC Joins the Cloud Security Discussion

Podcast: AI Risk Management: A Discussion with NIST’s Elham Tabassi on the NIST AI Risk Management Framework

Generative AI Policies: Five Key Considerations for Companies to Weigh Before Using Generative AI Tools

Federal Legislators Are Taking AI Implementation and Oversight Seriously

NIST Announces Generative AI Working Group

Webinar: Staying Ahead of State Privacy Laws: Tips and Best Practices for Building Compliant Strategies for Five Key States

U.S. State Privacy Law Guide

Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.

[View source.]