Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
Regulatory Announcement
FTC Amends Safeguards Rule to Include Breach Reporting Requirement for Non-Bank Financial Institutions. On October 27, the FTC announced that it is amending its Gramm-Leach-Bliley Act (GLBA) Safeguards Rule to require covered “financial institutions” to notify the FTC of certain data breaches involving the information of at least 500 consumers within 30 days of the discovery of the event. The Safeguards Rule applies to certain covered non-bank financial institutions, which includes, for example, mortgage brokers, motor vehicle dealers, and many financial technology companies. The Safeguards Rule currently requires these entities to develop, implement, and maintain a comprehensive information security program to safeguard customer information. While the amendment does not require covered companies to issue separate breach notifications to consumers, the FTC has stated that it intends to publish notification reports in a publicly available database. The amendment will take effect 180 days after publication in the Federal Register.
CFPB Releases Report Finding That Credit Card Companies Charged $130 Billion in Interest and Fees in 2022. On October 25, the CFPB released its biennial report to Congress on the consumer credit card market pursuant to the Credit Card Accountability Responsibility and Disclosure Act (CARD Act). The CARD Act requires the CFPB to regularly review developments in the credit card market. The report specifically found that credit card companies charged $105 billion in interest and $25 billion in fees in 2022. The report also found that total outstanding credit card debt exceeded $1 trillion for the first time since the CFPB began collecting the data.
FTC Submits Two Reports to Congress on Efforts to Combat Cross-Border Fraud Through the U.S. SAFE WEB Act. On October 20, the FTC submitted two reports to Congress detailing the agency’s efforts to fight cross-border fraud through the Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers Beyond Borders Act (U.S. SAFE WEB Act) and work to address ransomware and other cyber incidents originating outside of the United States. The U.S. SAFE WEB Act, which was enacted by Congress in 2006, provides a framework for information sharing and investigative collaboration between the FTC and its international counterparts in an effort to combat cross-border fraud schemes. The first report provides an update on the FTC’s efforts to implement the U.S. SAFE WEB Act, and the second report discusses FTC efforts to work with China, Russia, North Korea, and Iran to combat ransomware and other types of cyber attacks.
FTC Releases Annual Report to Congress on Efforts to Protect Older Adults. On October 18, the FTC issued its annual report to Congress on the agency’s efforts to protect older Americans. The report found that older adults reported losing more than $1.6 billion to fraud in 2022. Additionally, the report found that older adults had significantly higher losses due to investment scams, business impersonation scams, and government impersonation scams than they did in 2021. The report also discusses actions the FTC has taken to address fraud impacting older consumers, including the FTC’s 2022 NPRM aimed at curbing business and government impersonation fraud; enforcement actions that had a particular impact on older Americans; and the FTC’s outreach and education efforts, such as the Pass it On Campaign, which focuses on providing fraud prevention resources to older adults.
Recent Enforcement Actions
FTC Settles Allegations of Deceptive Advertising Against For-Profit College. On October 18, the FTC filed a complaint and stipulated order in the U.S. District Court for the District of New Jersey against Sollers College and its parent company, Sollers Inc., for alleged violations of the FTC Act. The FTC alleges that Sollers College falsely advertised partnerships with prominent employers and high job placement rates, while encouraging students to pay for a Sollers College education through income-sharing agreements which it sold to third parties. Sollers College agreed to pay $3.4 million in monetary relief in addition to agreeing to stop collecting on existing income-sharing agreements, re-purchasing income-sharing agreements from third parties, and notifying credit agencies and consumers of the debt forgiveness. Sollers College also settled similar allegations with the State of New Jersey.
FTC and the State of Wisconsin Settle with Auto Dealers for Allegedly Discriminatory Fees. On October 24, the FTC and Wisconsin Attorney General filed a complaint in the U.S. District Court for the Western District of Wisconsin against Rhinelander Auto Center, Rhinelander Motor Company, its current and former owners, and its general manager. The FTC and Wisconsin Attorney General allege that the defendants charged consumers for add-on products and services without their consent and applied higher interest rates to American Indian consumers compared to non-Latino white consumers. The Rhinelander Auto Center and Rhinelander Motor Company have agreed to wind down the business and pay $100,000 in monetary relief. The individual defendants have also settled with the FTC and State of Wisconsin, agreeing to establish a comprehensive fair lending program for affected consumers and pay $1 million.
CFPB Settles with Financial Services Provider for Allegedly Failing to Provide EFTA-Compliant Remittance Services. On October 17, the CFPB filed a consent order against a fintech company, for alleged violations of the Electronic Transfer Fund Act (EFTA). The CFPB alleges that the company failed to disclose the accurate timing of remittances and fees charged for transactions, did not have processes in place to track and remedy errors in remittance transfers, and did not provide receipts to consumers in a timely fashion. The company has agreed to refund fees to affected consumers and pay a $1.5 million penalty to the CFPB.
FTC Settles with Product Manufacturer for Allegedly False Advertising. On October 24, the FTC filed a stipulated order in the U.S. District Court for the Eastern District of New York against Gary Kong, Timothy Wetzel, and the two companies they operate, K W Technology Inc. and K W Technology NV Inc. The FTC’s complaint alleges that the defendants advertised The 1 Virus Buster Card, worn around consumers’ necks, as having the ability to kill 99.9 percent of harmful bacteria within a three foot radius of the person despite the defendants’ lack of supporting scientific evidence. Kong and the two companies agreed to settle for $150,000 in addition to injunctive relief. The case against Wetzel is ongoing.
Upcoming Comment Deadlines and Events
DOJ and FTC Announce Additional Workshops on Draft Merger Guidelines. The U.S. Department of Justice (DOJ) (collectively, the Agencies) will hold workshops on the Agencies’ draft update of the merger guidelines (Draft Guidelines) on October 5 at the Harvard Kennedy School and on November 3 at the University of Chicago Law School.
FTC Seeks Research Presentations for PrivacyCon 2024. Research presentations for the FTC’s annual PrivacyCon event are due December 6 and may be submitted here. The FTC announced that PrivacyCon 2024 will be particularly focused on: automated systems and AI; health-related “surveillance;” children’s and teen’s privacy; deepfakes and voice clones; worker “surveillance;” and advertising practices. PrivacyCon 2024 will take place virtually on March 6, 2024, and the agenda will be posted here prior to the event. Members of the public wishing to attend the event may visit the FTC’s website at www.ftc.gov to access the live webcast.
CFPB Releases NPRM to Implement Rules Under Section 1033 of the CFPA. Comments are due December 29 on the CFPB’s Notice of Proposed Rulemaking (NPRM) to implement rules under Section 1033 of the Consumer Financial Protection Act (CFPA). Section 1033 of the CFPA requires consumer financial services providers to make information in the possession of the provider available to consumers when the information concerns the financial product or service that the consumer obtained from the provider. If adopted, the rules proposed in the NPRM would require both depository and non-depository financial institutions to make available to both consumers and authorized third parties certain data related to consumers’ financial transactions and financial accounts; establish privacy obligations for third parties accessing consumers’ data; provide standards for third-party data access; and promote industry standards for such access. The NPRM proposes to use the definitions for “financial institution” under Regulation E and “card issuer” under Regulation Z. This would effectively open both banks and nonbanks that offer a variety of services – from deposit accounts to digital wallets – to Section 1033’s consumer data sharing requirements.
More Analysis from Wiley
AI Use is Promising Yet Risky for Government Subpoenas and CIDs
DOJ Must Help In Fighting Illegal Robocalls, Lawyers Say
CFPB Poised to Significantly Expand the Reach of the Fair Credit Reporting Act
FTC and HHS Caution Hospitals and Telehealth Providers on Tracking Tech
Podcast: The “Wild West” of AI Use In Campaigns
California Eyes New Privacy, Cyber, and AI Obligations
Cracks in the State Privacy Law Foundation: State Privacy Law Challenges See Success in District and State Courts
GAO Calls for Better Info-Sharing by ONCD and CISA After Cyberattacks; May be Inconsistent with New Mandates
DHS Calls for Critical Harmonization of Cyber Incident Reporting
Podcast: How to Fix the Cyber Incident Reporting Mess--DHS Weighs In
Biden Administration Looks at Harmonizing Cyber Regulations Amidst Flurry of New Activity
Coming Soon: New Cyber Labeling Program for IoT Devices
Podcast: The FTC Safeguards Rule: A Deep Dive into the Revisions Effective June 9, 2023
Webinar: How to Keep Up with the Influx of New State Privacy Laws and Regulations
Podcast: What could AI regulation in the US look like?
The FTC Is Targeting Crypto Too - With a Significant New Enforcement Action
California privacy law changes draw in more businesses
U.S. Fulfills Its Commitments to Implement the EU-U.S. Data Privacy Framework
Companies May Begin Submitting EU-U.S. Data Privacy Framework Certifications
European Commission Adopts EU-U.S. Data Privacy Framework Adequacy Decision
California AG Initiates CCPA Investigations, Despite Setback in Court
DOD Devotes Resources to Responsible Adoption of Generative AI
A New White House Project on Responsible AI Sends a Message to the Private Sector, Including Contractors
Podcast: AI: The Next Big Thing in Government Contracting
FCC Launches Privacy and Data Protection Task Force
Initial Takeaways on the FCC’s New Privacy and Data Protection Task Force
FTC Issues Policy Statement on Biometric Information, Signaling a New Enforcement Priority
FTC Joins the Cloud Security Discussion
5 Takeaways From Recent CFPB, FTC Equal Credit Push
Podcast: AI Risk Management: A Discussion with NIST’s Elham Tabassi on the NIST AI Risk Management Framework
Generative AI Policies: Five Key Considerations for Companies to Weigh Before Using Generative AI Tools
Federal Legislators Are Taking AI Implementation and Oversight Seriously
NIST Announces Generative AI Working Group
Webinar: Staying Ahead of State Privacy Laws: Tips and Best Practices for Building Compliant Strategies for Five Key States
U.S. State Privacy Law Guide
Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.
[View source.]
