Legislative & Regulatory Update 2 nd Quarter 2013

Transcription

1 Legislative & Regulatory Update 2 nd Quarter 2013 FEDERAL LEGISLATIVE AND REGULATORY ACTIONS Consumer Protection Consumer Financial Protection Bureau : CFPB releases procedural rule on notifying nonbanks of supervision The rule states that CFPB will issue a Notice of Reasonable Cause if it has information about a nonbank entity engaging in conduct that poses risks to consumers. The regulation lays out what the CFPB requires in the notice and the company s response, as well as procedures and timelines that CFPB will use to make a decision on supervision. In addition, the final rule creates a mechanism for nonbanks to file a petition to terminate the CFPB s supervisory authority after two years. Failure to respond to a Notice may result in a default determination that the nonbank entity poses risks to consumers through its products and services, followed by an order subjecting the company to routine CFPB supervision : CFPB releases bulletin on Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation CFPB Bulletin states that the Bureau considers many factors in the exercise of its enforcement discretion. These include, for example: (1) the nature, extent, and severity of the violations identified; (2) the actual or potential harm from those violations; (3) whether there is a history of past violations; and (4) a party s effectiveness in addressing violations. This guidance is being provided to inform those subject to the Bureau s enforcement authority that in addition to these and other factors, there are activities they can engage in both before and after the conduct in question has occurred that the Bureau may favorably consider in exercising its enforcement discretion. Specifically, a party may proactively self-police for potential violations, promptly self-report to the Bureau when it identifies potential violations, quickly and completely remediate the harm resulting from violations, and affirmatively cooperate with any Bureau investigation above and beyond what is required. If a party meaningfully engages in these activities, which this bulletin refers to collectively as responsible conduct, it may favorably affect the ultimate resolution of a Bureau enforcement investigation : CFPB expands complaint database CFPB announced it is expanding its public Consumer Complaint Database to include complaints about credit reporting and money transfers. Simultaneously, the CFPB announced that complaints in its public database are searchable by state. The CFPB uses complaints it receives to prioritize and prepare for investigations and examinations. The public database now contains complaints about credit cards, mortgages, student loans, bank accounts and services, other consumer loans, credit reporting, and money transfers. Debt collection complaints are due to be added to the database in the near future. The CFPB does not verify the facts alleged in a complaint before making it public (but confirms that the consumer has a commercial relationship with the company). Cybersecurity : Senate Commerce panel unveils draft cybersecurity bill The Senate Commerce, Science and Transportation Committee announced a draft bill aimed at improving the nation's defenses against hackers. The draft, backed by Committee Chairman Rockefeller (D-WV) and ranking member Sen. Thune (R-SD), is an attempt to forge a compromise on cybersecurity 1

2 after repeated attempts to pass legislation failed last year. The draft bill would task the National Institute of Standards and Technology (NIST) with developing voluntary cybersecurity standards and best practices for critical infrastructure, such as banks and power plants. The legislation also aims to improve cybersecurity research, education and public awareness : Sen. Rockefeller sees "real opportunity" of passing cybersecurity bill Senate Commerce Chairman Senator Rockefeller (D-WV) expressed optimism that can pass a cybersecurity bill this session. "For the first time, I think we see a real opportunity of getting a bipartisan cybersecurity bill," Rockefeller said at a confirmation hearing for Commerce Secretary nominee Penny Pritzker. "It will be a miracle if we do it, but as I say, it's the greatest national threat." Rockefeller said he came to this conclusion after having a "very, very good talk with the chairman of the appropriate committee handling cybersecurity in the House," though he did not reveal the name of the lawmaker he spoke with : House Energy and Commerce hearing entitled: Cyber Threats and Security Solutions The hearing focused on steps the federal government and the private sector are taking to bolster the security of our nation s critical infrastructure and mitigate exposure to cyber attacks. Members discussed the president s Executive Order to improve critical infrastructure cybersecurity, including the latest on the order s implementation and the administration s development of a voluntary cybersecurity framework. The committee also examined security solutions to better protect against cyber threats, including enhanced information sharing, public-private partnerships, and greater industry collaboration : House Subcommittee on Communications and Technology hearing entitled: Cybersecurity: An Examination of the Communications Supply Chain The hearing examined how to secure the communications network supply chain, focusing on potential vulnerabilities and the wide-ranging impacts on national security and the economy. Mark Goldstein, Director of Physical Infrastructure Issues at the Government Accountability Office, discussed the magnitude of U.S. communications and technology networks and the vital role these networks play in the safe and secure operation of the country. Government, industry, and the public rely on communications networks to such a great degree that federal policy has included them in a category of national assets deemed critical infrastructure, making their protection a national priority. Many other critical infrastructure sectors such as banking and finance, energy, transportation systems, and water also rely on communications networks to sustain their operation. he stated. Dean Garfield, President and CEO of the Information Technology Industry Council, urged the government to tread lightly, as communications and technology companies have best innovated and responded to threats without government involvement. the communications industry has been consistently cited as one of the leading sectors in cybersecurity. We encourage to continue this light-touch approach when looking at the communications supply chain and enable industry to respond to evolving threats with innovation, flexibility, and the most updated and appropriate global standards and best practices : S.884, the Deter Cyber Theft Act, introduced by Sen. Levin (D-MI) This bill would require the Director of National Intelligence (DNI) to annually report to specified congressional committees on foreign countries that engage in economic and industrial espionage in cyberspace with respect to U.S. trade secrets or proprietary information. It would require each report to identify countries that engage in such espionage as well as countries that engage in the most egregious forms of such espionage. Also, it would direct the President to exclude from entry into the United States any article produced or exported by an entity identified within any such report, as long as the President determines that such exclusion is warranted for the enforcement of intellectual property rights or to protect the integrity of the Department of Defense (DOD) supply chain. 2

3 : H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), passed by House of Representatives CISPA was approved by the full House after the addition of several privacy-protecting amendments. The bill would provide companies liability protection for sharing cyberthreat information with the federal government. Also, it calls on the director of national intelligence to establish procedures allowing elements of the intelligence community to share cyberthreat information with certified U.S. companies. CISPA aims to encourage industry and the government to share information about malicious source code and other cyber threats with each other in real time so firms can thwart cyberattacks. Executive : NIST Releases Draft Outline of Cybersecurity Framework for Critical Infrastructure As part of its efforts to develop a voluntary framework to improve cybersecurity in the nation's critical infrastructure, the National Institute of Standards and Technology (NIST) has posted a draft outline of the document to invite public review and gather comments. The Executive Order calling for NIST to develop the framework directs the agency to collaborate with the public and private sectors : White House threatens veto against CISPA due to privacy concerns The White House threatened to veto H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), citing concerns it lacks vital privacy protections. Among the list of privacy concerns were that the bill does not include a measure that would require companies to take "reasonable steps to remove irrelevant personal information" from cyber threat data prior to sharing it with the government and other peers in the private sector. "Citizens have a right to know that corporations will be held accountable and not granted immunity for failing to safeguard personal information adequately," according to the administration's statement. "Moreover, the administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information." : ETA submits comments to NIST on cybersecurity framework The National Institute of Standards and Technology (NIST) is conducting a comprehensive review to develop a framework to reduce cyber risks to critical infrastructure. The Framework will consist of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. ETA ACTION: ETA filed comments as part of this review suggesting three existing frameworks for NIST to follow -- Special Publication , the ISO series, and PCI-DSS. Fraud Consumer Financial Protection Bureau : CFPB Files Complaint against Debt-Relief Company; First Time Reliance on Abusive Acts and Practices Prohibition The Bureau filed a complaint in federal district court against American Debt Settlement Solutions, Inc. ( ADSS ), a Florida debt-relief company, and its owner. The complaint alleges that ADSS and its owner violated the Federal Trade Commission s Telemarketing Sales Rule, as well as certain UDAAP provisions of the Dodd-Frank Act. The complaint is significant because it alleges, in part, that ADSS engaged in abusive practices, as defined in the Dodd-Frank Act. This action is the first that relies on this prohibition on abusive acts or practices. Federal Trade Commission : FTC Expands Case and Names Payment Processing Company for Assisting, Facilitating Telemarketing Fraud 3

4 The Commission added eight new defendants to a case the agency brought last year, including a payment processor it alleges assisted in the fraud. The FTC filed an amended complaint against the defendants behind the firm Treasure Your Success (TYS), which allegedly made deceptive cardholder services robocalls, promising to lower consumers credit card rates in exchange for an upfront fee as high as $1, Among the additional defendants named in the complaint is a company called Newtek Merchant Solutions. According to the complaint, Newtek approved TYS for a merchant account without performing customary reviews and despite clear warning signs of fraud. The FTC also claims Newtek continued to process credit card transactions for TYS, despite knowing that it had high charge-back rates, had fraud alerts on its credit reports, and was on MasterCard s fraud monitoring program : FTC Sues Payment Processor for Assisting Credit Card Debt Relief Scam The FTC alleges the payment processor, Independent Resources Network Corp. (IRN), knew, or consciously avoided knowing, key facts about the illegal conduct of a telemarketing scam operated by Innovative Wealth Builders, Inc. (IWB), and chose to continue profiting from processing IWB s credit card transactions. Among the many indicators of illegal conduct that IRN allegedly ignored were IWB s alarmingly high chargebacks rates. According to the FTC s amended complaint, IWB s chargeback rate averaged above 20 percent for several years, and exceeded 40 percent in multiple months. Intellectual Property Executive : White House updates intellectual property strategy The Obama administration released a new strategy to protect ideas and prevent counterfeit goods from spreading online and across the border. The new version of the strategy outlines additional ways to coordinate enforcement, increase outreach and help the private sector collaborate on their own initiatives. The administration has "deliberately taken a non-regulatory approach" to protecting copyright owners of music, movies and other products, stated U.S. Intellectual Property Enforcement Coordinator Victoria Espinel. Internet Gaming : H.R.2666, the Internet Poker Freedom Act of 2013, introduced by Rep. Barton (R-TX) The legislation would require poker websites to be licensed, would require technology to block underage players and would require programs to discourage compulsive gamblers. The bill would still allow states to conduct their own regulation : H.R. 2282, the Internet Gambling Regulation, Enforcement, and Consumer Protection Act of 2013 introduced by Rep. King (R-NY) This bill would require the Treasury Department to create a federal licensing regime for internet gaming businesses and giving states the ability to opt out of it. This proposal would make it a crime to operate an internet gaming facility unless the entity first obtains a license, with exceptions for state-run lotteries, tribal gaming, casinos, and race tracks. The proposal would have no effect on existing federal and state restrictions on sports betting. Mobile Payments : S.1144, the Fair Telephone Billing Act of 2013, introduced by Sen. Rockefeller (D-WV) This bill seeks to prohibit unauthorized third-party charges on telephone bills. This problem, referred to as cramming, first appeared in the 1990s after telephone companies opened their billing platforms to an array of third-party vendors offering a variety of services. An investigation by the Senate Committee on 4

5 Commerce, Science, and Transportation confirmed that cramming is a problem of massive proportions and has affected millions of telephone users, costing them billions of dollars in unauthorized third-party charges over the past decade. The Committee reported that third-party billing through telephone numbers has largely failed to become a reliable method of payment that consumers and businesses can use to conduct legitimate commerce. Telephone companies regularly placed third-party charges on their customers' telephone bills without their customers' authorization. Many companies engaged in third-party billing were illegitimate and created solely to exploit the weaknesses in the third-party billing platforms established by telephone companies : H.R. 1913, the Application Privacy, Protection and Security Act of 2013, introduced by Rep. Johnson This bill would direct mobile device application developers, before the application collects personal data about the user, to notify the user and obtain the user s consent regarding the terms and conditions governing the collection, use, storage, and sharing of such personal data. The bill would also require developers to provide users with a method to withdraw consent and to request that the developer delete personal data or refrain from further data collection and sharing, and take measures to prevent unauthorized access to personal and de-identified data. Federal Communications Commission : FCC Votes to Apply Privacy Rules to Data Collected on Wireless Devices The FCC voted to require wireless carriers to adhere to the agency's Customer Proprietary Network Information rules, which historically have governed only how traditional telephone companies and providers of internet-based phone services treat their customers' personal data. Under a declaratory ruling adopted on a unanimous 3-0 vote, when a wireless carrier collects a customer's personal information, such as a number dialed, the length of a call, and the location of where a call is placed or received, that company may use or disclose it only as permitted by the commission's CPNI rules. The ruling also makes it clear that carriers must take reasonable precautions to prevent unauthorized disclosure of such information, including by third-party marketers. Also, when a wireless carrier collects such information about customers' use of their devices using pre-installed applications, the ruling requires them to protect that information. The ruling only applies to wireless carriers, not operating systems run by companies such as Google or Apple. Commissioner, Ajit Pai stated that there is no mobile device exception to either section 222 or our CPNI rules. If information is covered by the statutory definition of CPNI set forth in section 222(h)(1), then it is CPNI, regardless of whether it is located on a mobile device, Pai said. He also supported the ruling's limited scope, noting that it only applies to information that is both collected by or at the direction of the carrier and may be accessed or controlled by the carrier or its designee : FCC publishes Mobile Wallet Services Protection guide for consumers The FCC outlines safe practices for consumers to follow as they are increasingly using their smartphones, tablets and other mobile devices as "mobile wallets" to pay for goods and services, downloading software that allows them to complete both mobile and in-person transactions. As the use of mobile wallet services increases, consumers need to protect their smartphones, mobile wallet applications, associated data, and mobile wallet services from theft and cyber attacks. Privacy : Senate Commerce Committee holds hearing entitled: A Status Update on the Development of Voluntary Do-Not-Track Standards. 5

6 The hearing examined what steps, if any, industry stakeholders have taken to fulfill their public commitment to honor Do-Not-Track requests from consumers. Senate Commerce Committee Chairman Rockefeller (D-WV) stated, I strongly believe that consumers should be able to manage whether online companies collect their personal information. At a White House event in early 2012, a coalition of Internet companies said they would work together to voluntarily implement a Do Not Track option for users. After more than a year of talks between advertisers, browser makers and other Internet companies, there is no agreement. "Industry made a public commitment to honor Do-Not-Track requests from consumers but has not yet followed through," Rockefeller said. "I plan to find out what is holding up the development of voluntary Do-Not-Track standards that should have been adopted at the end of last year : H.R. 1312, the Geolocational Privacy and Surveillance Act, introduced by Rep. Chaffetz This bill would establish a clear, uniform standard for government access to geolocation data. This would provide prosecutors and law enforcement officers clarity about how much evidence they need to remotely track individuals movements. It would also give private companies clarity about when they can respond to legitimate law enforcement requests, and what obligations they have to protect their customers information. The bill is modeled after federal wiretapping statutes and is based on the view that surreptitiously turning an individual s cell phone into a tracking device without their knowledge has a substantial privacy impact, just like tapping that person s phone or searching that person s house. The bill creates a process whereby government agencies can get a probable cause warrant to obtain geolocation information in the same way that they currently get warrants for wiretaps or other types of electronic surveillance. STATE LEGISLATION AND REGULATION Connecticut : S.B An Act Concerning Alternative Methods for the Collection and Remittal of Sales and Use Taxes, signed into law This bill is intended to enhance collection of the Sales and Use Tax, generating state and municipal revenue gain. The Commissioner of Revenue Services has until October 1, 2013, to study various collection methods and make recommendations on the implementation of alternative methods for collection and remittal of Sales and Use Tax. If those recommendations are approved by the Finance Committee, the bill would take effect January 1, A notable passage for payment processors: Nebraska The commissioner shall consider (1) the amount of sales and use taxes that are annually uncollected or consistently delinquent, (2) the availability and effectiveness of such alternative methods, including any electronic software available for purchase or license to assist in the collection and remittal of said taxes, (3) the advisability of requiring more frequent remittal of said taxes (4) the advisability of instituting a payment system whereby the state may receive payment of said taxes electronically on or about the date of the taxable transaction, from thirdparty processors of consumer credit or debit card payments or electronic funds transfers, (5) whether such methods should be required for all retailers, only for retailers consistently delinquent in remitting said taxes, only for retailers either above or below a specific dollar level of quarterly tax liability, or for some combination thereof, and (6) whether such methods are likely to reduce deficiencies and increase collections and remittals : Nebraska lawmakers to scrutinize credit, debit holds The Legislature's Banking, Commerce and Insurance Committee will conduct a study this summer of the regulations in place for the temporary extra charges that can be applied to credit and debit card 6

7 purchases when the total bill isn't immediately known. The practice is intended to protect merchants from fraud and loss. The committee's findings and recommendations are due before Dec. 31. Sen. John Harms introduced the legislative study after talking with a constituent who worked at a local grocery store. A young couple tried to buy diapers and baby food with a credit card, but was denied because a gas station had placed a $75 hold which pushed their credit to its limit. Groups that represent convenience stores and other businesses have argued that the hold amounts are out of their control, because they contract with credit card processing companies that set the terms of how the technology is used. New York : Information reporting bills pass both chambers A.B.7557 passed the State Assembly on June 12 and companion bill S passed the State Senate and was returned to the Assembly on June 18. The bills would amend state law with regard to information returns relating to payments made in settlement of payment card and third party network transactions. Current law prohibits the Department of Taxation and Finance from redisclosing any information it receives on such an information return. These bills would allow the Department of Taxation and Finance to disclose reporting information only to the Commissioner of Finance of the City of New York, in order to facilitate more accurate and efficient administration of New York City tax laws. 7