July 2019 Vendor Management News


Keep up-to-date on the latest vendor management news. We'll help you out! Read the articles below that we recommend checking out.

Recently Added Articles as of August 1

Technically, it's a new month but the below articles obviously still cover these last few days of July. Capital One is the biggest story of the week, but we’re sure there's lots more to come.

CFPB’s debt collection call frequency limits: Let’s start August off a little differently with a podcast hosted by Ballard Spahr. In this podcast the call frequency limits that are addressed in the CFPB’s proposed debt collection rules are discussed. In addition, they share their recommendations to prepare for these changes.

Credit repair companies file motion to dismiss deceptive marketing allegations: A group of companies being sued by the CFPB have filed a motion to dismiss the lawsuit against them that states they violated the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA). Some of their reasoning includes that the defendants feel the CFPB is relying on “alleged” misrepresentations by third parties. They also said that they should not be held indirectly liable for third party actions as it can’t be proved that they, the third parties, represented them, the companies, as their agents. Oh, and they say it should be dismissed because the CFPB is “unconstitutionally structured.” Hmm, interested to see how this one pans out.

100 million impacted by Capital One breach: A former Amazon systems engineer who worked for Capital One is responsible for the recent Capital One breach and has been arrested. The breach that impacted 100 million is anticipated to cost the company between $100 million and $150 million.

Credit card interest-reduction telemarketing scheme is no more: The FTC and state of Ohio requested a federal court in Texas put a stop to two schemes that brought in millions of dollars from consumers. The companies involved, who have halted operations, are Madera Merchant Services and B&P Enterprises and Educare Centre Services and Prolink.

Bank of America and First Data no longer partners: After the closing of Fiserv’s acquisition of First Data, Bank of America and First Data announced they’re calling it quits. Although they will no longer pursue new merchant services strategies together, there are contracts that extend out to 2023.

Recently Added Articles as of July 25

This week’s news features the Equifax settlement, New York acting “non-New York like”, anti-money laundering considerations and the FTC and state attorneys general jumping into enforcement matters.

FTC and states work to enforce deceptive advertising claims: Sounds like many tend to lean towards the Federal Trade Commission (FTC) for guidance when evaluating advertising and marketing regulatory expectations. However, it’s not just the FTC taking action. Many state attorneys general are also watching for deceptive advertising and marketing practices. So, what does this article want you to think about? First, remember that state attorneys general have a consumer protection mandate like the FTC’s. Second, they are just as effective as the FTC at addressing consumer issues and can impose significant financial penalties, too.

Honeywell under foreign bribery investigations: U.S. and Brazilian authorities are investigating Honeywell International. The focus is on the company’s compliance with the Foreign Corrupt Practices Act, as well as laws that are similar in Brazil. Honeywell is cooperating but feels this will not have a material impact on their financial condition.

US Fintech Task Force in full effect: The House Financial Services Committee created the Fintech Task Force this past June. They recently had their first hearing which was to address the first issue, covering topics like cash flow data and overall fintech regulation from many agencies and including insight from U.S. and U.K. regulators.

Anti-money laundering is back in the spotlight: Anti-money laundering is complex. Multinational institutions with a U.S. branch, even a U.S. branch that doesn’t service the activities, can still be examined and penalized by a U.S. regulator. This article provides examples, like the UniCredit settlement. Their branch was U.S. licensed but did not clear U.S. dollars. However, they were still investigated and agreed to a $13.1 billion settlement with U.S. regulators regarding certain conduct and transactions.

NY proposed data privacy law is a no-go: The anticipated NY data privacy law, which would be more stringent than the California Consumer Privacy Act, did not pass. Much of this is due to uncertainty around how it would impact small and mid-sized organizations as well as how prescriptive it was going to be. For once, New York doesn’t lead the way in restrictions.

Equifax agrees to $575 million settlement: It could go as high as $700 million when all is said and done, but Equifax has agreed to pay $575 million in a global data breach settlement. This is regarding the 2017 data breach that affected around 147 million people. Big news since this breach has been the talk of the industry since it happened.

Consumer finance bills passed in NY: Two new consumer finance bills have been passed by the New York Assembly and Senate. The first bill amends New York’s plain language requirement to extend its application to consumer contracts amounting up to $250,000, instead of $100,000. The second bill would prohibit use of social media to determine a member’s creditworthiness.

Consumer privacy is taken very seriously: The FTC fines Facebook $5 billion for consumer privacy violations. This is huge and a sign that U.S. privacy violations will be taken very seriously.

Recently Added Articles as of July 18

Lots of big headlines this week, but mainly pertaining to Facebook as they’ve received a substantial fine and their cryptocurrency is under fire. Also, in the news for the first time, the CFPB allows us a peek at how they define abusive by defending its use in a new enforcement action.

Federal Reserve chairman unsure about Facebook’s cryptocurrency: The Federal Reserve’s chairman has a lot of hesitancy regarding Facebook’s cryptocurrency and how prepared the company truly is to launch Libra. He shared there is a lot more that goes into it such as proving you’ve addressed money laundering, data protection, consumer privacy issues, etc. and it doesn’t seem like he thinks that Facebook is quite there yet.

Facebook receives $5 billion FTC fine: Facebook received a $5 billion FTC fine to settle the Cambridge Analytica breach – yes that’s billion with a “b”. However, their negative presence in the media over the last year hasn’t hurt their growth. According to Facebook, in Q1 their total revenue was up 26 percent making it $15.1 billion. They’re steadily growing in user and advertisement revenue. Some find it shocking that consumers keep using the platform given the misuse of data, but they do, therefore advertisers are still utilizing Facebook too.

Keep Big Tech Out of Finance Act: More news that is related to a big-name technology company. Can you guess who? Yep, Facebook. At the same time the Facebook Libra hearings are in motion a new draft discussion bill is announced – “Keep Big Tech Out of Finance Act.” The goal of this bill is to prevent big technology companies with revenues of $25 billion plus from becoming financial institutions. Are they trying to protect the little guys or afraid of a monopoly?

Understanding Facebook’s cryptocurrency: Need to brush up on Facebook’s Libra cryptocurrency? What it is, when it will be launched, how it may impact you? Check out this article released by CU Management. Sounds like many are hoping that credit unions will see the urgency to strengthen their own digital transformation and innovation.

$25 million CFPB settlement helps define abusive: According to the CFPB, a debt-relief company acted “abusively” in the way they communicated with consumers and their telemarketing practices. With this, we learn one way to define abusive is if there is “unreasonable advantage of consumers’ lack of understanding.” The CFPB providing reasoning behind “abusive” in an enforcement action is a nice step in the right direction.

Bills passed will amend FCRA: The House Financial Services Committee recently passed four bills that will amend the Fair Credit Reporting Act (FCRA). These amendments include shortening the time information can remain on a credit report, increasing the amount of information that must be provided to a consumer on their credit report and more.

Recently Added Articles as of July 11

Whoa! The news sure did pick up after the holiday week. Top headlines include a major GDPR fine against Marriott, CFPB director blazing her own trail, banks against regulatory rollbacks specific to the overdraft rule, a reminder on the importance of oversight and NAFCU arguing for information sharing as it pertains to anti-money laundering.

Credit union data exposed by employee: A credit union’s employee recently exposed 2.9 million members’ data. The employee had ill intentions. The incident reminds organizations why it’s important to ramp up cybersecurity monitoring. A threat can evolve from anywhere – not just third parties – even internally.

States moving forward with fintech sandboxes: Fintech sandboxes are still under review at the federal level. However, many states are moving forward with them. Utah is the most recent state to announce a program that allows organizations to test financial products with consumers without any possibility of violating state licensing or consumer protection laws.

Boards trying to understand their role in oversight: Many banking boards are looking to further clarify their responsibility in oversight and guidance when a product or service is outsourced, particularly to a fintech. There are a few key takeaways here. They’re always responsible for ensuring the bank’s strategic direction is matched, confirming a proper risk management program is in place to control and mitigate risks, verifying contract negotiation occurred and is documented and reviewing ongoing reports pertaining to monitoring. Remember, you can’t outsource the oversight!

CCPA compliance strategies: January 1, 2020 is rapidly approaching. Why is this important? The California Consumer Privacy Act (CCPA) will be enforced. Laurie Fischer, who is managing director at HBR Consulting, spoke on some of the biggest challenges she foresees as well as success strategies. What’s some of her biggest advice? Start mapping your organization’s data by identifying the scope of consumer data, identifying how it’s collected, where it’s shared, etc. Check out the Q&A for more insight.

FDIC publishes 2018 supervisory highlights: FDIC released their first consumer compliance supervisory highlights. This may mean that they will have increased focus on consumer compliance moving forward. Some of the items they address in the highlights include overdraft programs, prohibited kickbacks, Regulation E mistakes and lines of credit procedures. Looks like mortgage servicing is getting some attention.

CFPB director Kraninger’s creating her own path: They’re calling it an “independent path.” CFPB director, Kathy Kraninger, continues to move along her own path. Some of the most recent developments include a large settlement with a student lending provider as they previously engaged in unfair acts and practices that violated the Consumer Financial Protection Act (CFPA). There’s some discussion around payday lending compliance changes. Oh, and no one can forget the recent symposium. The abusive controversy is featured in this analysis, too.

NAFCU advocates for better anti-money laundering information sharing: NAFCU’s regulatory affairs counsel provides suggestions that should help with strengthening information sharing between government agencies, law enforcement and financial institutions through the FinCEN 314(a) program. She shares that while the program is beneficial, she feels credit unions don’t receive enough information from law enforcement to identify a potential threat. They need identifiers such as social security numbers, addresses and birth dates. Yes! This would be so helpful!

Investment firm merger of note: Sandler O’Neill Partners and Piper Jaffray Cos will merge in a $485 million deal. They’ll be known as Piper Sandler Cos.

NYDFS looks at Facebook advertising: NYDFS is investigating Facebook as the company may have used protected characteristics in advertisement conduct aimed at certain individuals. There is very clearly regulatory concern in the digital advertising space. Given the uncertainty of this area of law, and that investigations are beginning to emerge, it’ll be interesting to see the outcome.

Overdraft rule changes are being passed on: As the CFPB reviews the overdraft protection rule, many feel it does not need to be amended or rescinded. Many argue it should be left as is. It is working well and is doing what it was intended to do – increase informed consumer choice regarding overdraft services. Your thoughts? Do you think smaller institutions need some relief?

CFPB settles lawsuit with largest debt-settlement services provider: The CFPB and Freedom Debt Relief, LLC reach $25 million settlement. The debt-settlement services provider violated the Telemarketing Sales Rule and Consumer Financial Protection Act of 2010.

Marriott receives UK data fine: GDPR is in full force. Marriott receives $124 million fine for failure to protect consumer data. Marriott plans to appeal the fine.

British Airways fined for data breach: The UK fines British Airways $230 million due to a 2018 data breach. The Information Commissioner’s Office reports “poor security” in areas such as login, booking and payment.

Recently Added Articles as of July 4

To kick off the month, it’s clear the effort to define abusive leads the way in the industry. However, there’s also a major data breach. Cue the fireworks. The second half of 2019 is sure to have a lot of excitement in third party risk.

Bank agreed to $88 Million SEC Settlement: State Street Bank & Trust Company agreed to an $88 million settlement. The bank overcharged mutual funds and other registered investment company clients regarding expenses related to the bank’s custody of client assets.

FDIC announced plan to centralize supervision and resolutions of large and complex institutions: The FDIC announced its newest division, the Division of Complex Institution Supervision and Resolution (CISR). CISR will be created in an effort to centralize supervision and monitoring of large institutions, particularly banks with assets greater than $100 billion where the FDIC is not the prudential regulator.

CFPB symposium panelists discuss CFPB abusive authority: While it may not be the definition that we were all expecting, the CFPB symposium featured perspective and insight from two panels’ worth of industry experts. The first had a focus on academics in consumer protection laws and policy issues pertaining to the abusive standard. The second featured a legal perspective and dug further into how the “abusive” standard has been used over time in practice. We may not have a definition but at least it’s something, right?

New rulemaking impacting the Home Mortgage Disclosure Act (HMDA): The CFPB recently announced rulemaking activities affecting the HMDA. These include discretionary data-point requirements and proposed collection threshold requirements. Industry stakeholders now have more time to review and provide their thoughts on the changes. Will this impact you? Be sure to check out the extension deadlines.

New York seeks to surpass California in privacy protection: If passed, the New York Privacy Act (NYPA), Senate Bill S5642, will impose the most stringent requirements in the country related to a company’s collection, use, maintenance and disclosure of consumer information - even stricter than California’s Consumer Privacy Act (CCPA). In many ways the NYPA is like the CCPA; however, there are some key differentiators. NYPA will define a “data fiduciary” as any legal entity that “collects, sells or licenses personal information of consumers.” The NYPA will also create a data correction mechanism that requires correction of inaccurate personal data. Lastly, the NYPA will be privately actionable meaning a consumer could sue for actual damages and injunctive relief if injured by reason of a violation. Wow! Sounds like the rules will be firm and with big penalties if broken.

Data breach affects 2 billion user records: Need a reminder why cybersecurity/data protection is so important in third party risk management? It can happen anywhere, anytime! A smart home equipment manufacturer experienced a data breach that impacted 2 billion user logs leaving them vulnerable to hackers. The database included personally identifiable information of customers. The data vulnerability was exposed as part of a web-mapping project.

The FDIC updated 5 sections of its Compliance Exam Manual: Need hints for your next exam? We may have you covered. In June, the FDIC updated five sections of its Consumer Compliance Examination Manual. The sections include updates to examinations and third party risk, appeals, SOURCE violation codes, the Home Mortgage Disclosure Act and the Protecting Tenants at Foreclosure Act.
