Consumer services

Troutman Pepper Consumer Financial Services COVID-19 Weekly Bulletin – November 2021 # 4 | Man’s pepper with trout

Like most industries today, consumer finance service companies are significantly affected by the novel coronavirus (COVID-19). Troutman Pepper has developed a COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading healthcare organizations, and tools businesses can use for free.

To help you stay on top of relevant activities, below is a breakdown of some of the biggest COVID-19 related events at the federal and state levels that have impacted the consumer finance services industry. last week :

Federal activities

State activities

Privacy and cybersecurity activities

Federal activities:

  • On November 16, the Consumer Financial Protection Bureau (CFPB) issued a request for information (RFI) to solicit comments on the rules for implementing the Home Mortgage Disclosure Act (HMDA). CFPB plans to review recent rule changes and assess their effectiveness in strengthening CFPB’s ability to maintain a fair, competitive and non-discriminatory mortgage market. For more information, click here.
  • On November 19, the CFPB issued advice to staff, reminding them to report suspicious communications and activities of former CFPB employees to agency officials. This will allow the CFPB to detect the activities of former employees and other government agencies that may violate existing laws and regulations regarding ethics and the disclosure of confidential information. For example, the guidelines require current employees to file reports with agency ethics officials if they learn that a former employee may be illegally providing “behind-the-scenes” assistance to a party under attack. ‘an investigation by the CFPB. For more information, click on here.

State activities:

  • On November 17, the California Department of Financial Protection and Innovation (DFPI) issued a revised notice of changes to the Second Text of the proposed regulations under the Debt Collection Licensing Act. The DFPI issued a regulatory notice to “Adopt the Debt Collection Licensing Act Debt Collection License Application Form and Debt Collection Licensing Act”, and the revised notice extended the comment period until ‘to December 2. For more information, click here.
  • On November 17, California Attorney General Letitia James warned of “marketing plans to trick consumers into recurring payments.” The warning advised New Yorkers to “take caution when presented with deceptive marketing offers that may unintentionally result in recurring charges,” particularly when the marketing “contains a condition that a seller interprets silence in ‘a consumer or his inability to take positive action to reject a good or service or to cancel the contract as a continued acceptance or acceptance of the offer. “Attorney General James said:” While consumers continue to suffer the financial damage from COVID-19, the last thing businesses should do is make it harder for consumers to terminate a service. ”For more information, click here.
  • On November 15, Virginia Attorney General Mark Herring wrote to the Federal Communications Commission (FCC) to “support its efforts to reduce illegal callers’ access to legitimate phone numbers.” In a corresponding press release, Attorney General Herring said, “Earlier this year, telephone companies were required to implement STIR / SHAKEN – caller ID authentication technology to fight Against identity theft by ensuring that phone calls come from verified phone numbers. Because technology prevents robocallers from spoofing phone numbers, fraudulent robocalls have fallen 29% since June as the phone industry continues to implement STIR / SHAKEN. For more information, click here.

Privacy and cybersecurity activities:

  • On November 18, the Federal Trade Commission (FTC) announced an analysis that showed COVID-19-related fraud had flourished on social media platforms. Since the start of the pandemic, the FTC has sent “over 400 letters to businesses asking them to stop making false promises that various pills, potions and treatments could prevent, treat or cure COVID-19.” About half of the companies that received letters made problematic statements on one or more of the top four social media platforms. The FTC has cited the design and high profits of these platforms as potential reasons for the increase in problematic claims. The full scan can be found here. The FTC also published several questions users can ask before taking COVID-19 advice found on social media: (1) Who is the message from? ; (2) what do they want me to do? ; and (3) what evidence supports the message? The full announcement can be found here.
  • On November 18, US representatives Anna G. Eshoo (CA-18) and Zoe Lofgren (CA-19) reintroduced the Online Privacy Act, which would create rights over user data, impose limitations and obligations on businesses who collect and use user data, and create a digital privacy agency to enforce privacy laws. Eshoo and Lofgen previously introduced the Online Privacy Protection Act on November 5, 2019. In view of the increase in digital work and online activities, the bill aims to “protect individuals, encourage ‘innovation and restore confidence in technology companies’. The press release can be found here.
  • On November 18, the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve System Board of Governors (Council), and the Office of the Comptroller of the Currency (OCC) “issued a joint final rule to establish an incident of IT security. notification obligations for banking organizations and their banking service providers. The letter applies to all institutions supervised by the FDIC. Among other provisions, the rule: (1) will require banking organizations to notify the FDIC as soon as possible and no later than 36 hours after the banking organization determines that a computer security incident that reaches the level of a notification incident has occurred; and (2) require a banking service provider to notify at least one bank-designated point of contact in each affected customer banking organization as soon as possible when the banking service provider determines that it has experienced a banking incident. computer security that has materially disrupted or degraded covered services for four hours or more. For more information click here.
  • On November 18, the Brennan Center released a report assessing privacy and fairness issues around digital vaccine credentials. The report highlights various privacy concerns, including concerns about individual freedom and the potential to track their movements based on where they use their credentials. The report also emphasizes fairness issues and the importance of continued use of analog cards for communities that might not have smartphones capable of supporting digital credentials. The report recommends the implementation of a national privacy standard to govern vaccine identification information that includes clear limits on data collection, retention and sharing. The full report can be found here. For those interested in learning more about the implications of vaccine credential privacy, check out Troutman Pepper’s Law360 article by clicking here.
  • On November 15, President Biden signed the Infrastructure Investment and Jobs Act. This $ 1.2 trillion bill was passed by both houses with bipartisan support and includes $ 1 billion in cybersecurity funding for state and local governments. This funding will be distributed over the next four years, starting in 2022. About 80% of this funding will go to local governments, which cyber attacks have increasingly targeted during the pandemic. The infrastructure bill also includes $ 100 million for a “Cyber ​​Response and Stimulus Fund,” which the Homeland Security Secretary can use to support “federal and non-federal entities” affected by a cyber attack. The full version of the Infrastructure and Employment Act is available here.
  • During the pandemic, the government in Washington, DC contracted with a data broker to obtain location data for COVID-19 research purposes. On November 10, a report from the Electronic Frontier Foundation (EFF) securities, revealing the nature and extent of the data shared under this contract. Through public record requests, the EFF found that device IDs, time stamps and GPS data for hundreds of thousands of devices were collected between April and September of last year. This data was uploaded to a data repository shared by many DC government organizations, some of which were not engaged in research related to COVID-19. The DC government ultimately concluded that there was no use for this data; however, according to the report, it has not yet been deleted. While there is no evidence that this data has been misused, this report illustrates the potential risks associated with large-scale data collection and sharing. A copy of the EFF report is available here.