Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.
To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:
Privacy and Cybersecurity Activities
- On December 9, the Federal Deposit Insurance Corp. (FDIC) rebuked a move by its Democratic members seeking public feedback on how the agency analyzes potential bank mergers. The FDIC stated that the board had not voted or approved the release and that it was not seeking comment or information. For more information, click here.
- On December 8, U.S. Senators John Thune and Ed Markey, authors of the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, introduced the Robocall Trace Back Enhancement Act, which would help bolster privately led efforts to trace the origins of illegal and bothersome robocalls. For more information, click here.
- On December 8, the Consumer Financial Protection Bureau (CFPB) issued a Supervisory Highlights report on legal violations identified by the CFPB’s examinations in the first half of 2021. The report also highlights prior CFPB supervisory findings that led to public enforcement actions in the first half of 2021. For more information, click here.
- On December 7, the CFPB finalized a rule facilitating the transition away from the LIBOR interest rate index for consumer financial products. The rule establishes requirements for how creditors must select replacement indices for existing LIBOR-linked consumer loans after April 1, 2022. No new financial contracts may reference LIBOR as the relevant index after the end of 2021. Starting in June 2023, LIBOR can no longer be used for existing financial contracts. The transition away from LIBOR was set into motion after a criminal rate-setting conspiracy implicated large international banks and undermined public confidence in the index. Approximately $1.4 trillion in consumer loans are estimated to be currently tied to LIBOR. For more information, click here.
- On December 7, the U.S. Department of Housing and Urban Development released guidance on the Fair Housing Act’s treatment of certain special purpose credit programs designed and implemented in compliance with the Equal Credit Opportunity Act and Regulation B. For more information, click here.
- On December 6, the Office of the Comptroller of the Currency warned of elevated operational risks stemming from increasingly “brazen” cyberattacks and ransomware schemes, urging banks to employ the latest fintech security measures and system backups to protect customer data. For more information, click here.
- On December 6, the Attorney General of Nebraska, Doug Peterson, announced the creation of a Consumer Affairs Response Team (CART) to residents of the state from frauds, scams, and deceptive business practices. For more information, click here.
- On December 6, the American Bankers Association, American Financial Services Association, California Financial Services Association, and Consumer Bankers Association filed a joint amicus brief with the California Supreme Court in Pulliam v. HNL Automotive Inc., a case with significant implications for the amount of money a plaintiff can recover when proceeding against a dealer/seller under the FTC Holder Rule. For more information, click here.
Privacy and Cybersecurity Activities:
- On December 9, the New York Department of Financial Services (NYDFS) released new guidance addressing the question of whether covered entities should implement a cyber assessment framework (e.g., the NIST Cybersecurity Framework, the FFIEC Cyber Assessment Tool, etc.) as part of their risk assessment process. These risk assessments are required under Sections 500.9 & 500.2(b) of the NYDFS Cybersecurity Regulation. In this brief guidance update, NYDFS states that they “do not require a specific standard or framework for use in the risk assessment process” and that entities should “implement a framework and methodology that best suits their risk and operation.” For more information click here.
- On December 9, the National Institute of Standards and Technology (NIST) released an updated version of their “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach” guidance (NIST Special Publication 800-160). This guidance is intended to help organizations “anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on systems.” In the accompanying press release, NIST notes that this latest version offers “significant new content and support tools for organizations to defend against cyber-attacks.” Prioritizing cyber-resilience has been especially important during the pandemic, as many businesses have been forced to implement and rely on new systems/software for remote working. For more information on this guidance, click here.
- On December 9, Senators Chris Coons (D-DE), Rob Portman (R-OH), and Amy Klobuchar (D-MN) announced the release of the Platform Accountability and Transparency Act (PATA). Under this bill, social media companies would be required to provide internal data about their platforms to university-affiliated researchers for National Science Foundation-approved research projects. It would also expand the Federal Trade Commission’s (FTC) authority to “require that platforms proactively make certain information available to researchers or the public on an ongoing basis, such as a comprehensive ad library with information about user targeting and engagement.” Further, under PATA, a new “Platform Accountability and Transparency Office” would be established within the FTC. This office would create privacy and cybersecurity safeguards for the use of data furnished under PATA. A full version of this legislation is available here.