Consumer Protection Act

New FCRA Summary of Rights

Effective September 21, 2018, section 605A(i) of the Fair Credit Reporting Act (FCRA), added by the Economic Growth, Regulatory Relief, and Consumer Protection Act, requires that a new notice be included whenever a consumer is required to receive a summary of rights under FCRA’s section 609. The notice explains consumer rights regarding the placement of fraud alerts and credit freezes with nationwide consumer reporting agencies (NCRAs). Although the new notice requirement is aimed at NCRAs and potentially other consumer reporting agencies, the Consumer Financial Protection Bureau published a revised “FCRA Summary of Rights” form on September 13, 2018 (which includes the new notice and updates certain contact information), and the conservative approach for employers is to use the new form as well.

The new version of the “FCRA Summary of Rights” form can be accessed HERE.

Financial regulators focus on vendor due diligence

In the wake of the economic crisis, financial institutions have faced a wave of new rules and regulations. From the Dodd-Frank Wall Street Reform and Consumer Protection Act to regulators stepping up their enforcement efforts, regulated entities must ensure compliance with a host of new requirements.

The rules and heightened oversight go beyond banks themselves, and are increasingly focused on their third-party vendors. In many cases, vendors are not allowed to work with regulated entities unless they can demonstrate their compliance with various data security and privacy requirements.

Last year, New York’s Department of Financial Services (the “DFS”) sent letters to banks nationwide expressing concern about the state of their cybersecurity practices with regard to third-parties. DFS Superintendent Benjamin Lawsky requested that recipients disclose “any policies and procedures governing relationships with third-party service providers” as well as “any due diligence processes used to evaluate” all types of providers, including accountants and law firms. “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky wrote.

In “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” the Securities and Exchange Commission (the “SEC”) and the Department of Justice (the “DOJ”) state that the agencies “assess whether the company has informed third-parties of its compliance program and commitment to ethical and lawful business practices, and where appropriate, whether it has sought assurance from third-parties, through certifications and otherwise, of reciprocal commitments.” To avoid regulatory action, the SEC and DOJ also suggest that regulated banks and financial institutions consider providing training to vendors.

The Office of the Comptroller of the Currency (the “OCC”) released new guidance in October 2013, advising banks to take a “life cycle” approach to managing third-party relationships (such as security providers, affiliates, consultants, joint ventures, and payment processors) from planning and due diligence to ongoing monitoring and termination.

When conducting due diligence – commensurate with the level of risk and complexity presented by the relationship – financial institutions should not rely on prior knowledge or experience of the third-party, the OCC said. Instead, they must conduct an “objective, in-depth assessment of the third-party’s ability to perform the activity in compliance with applicable laws and regulations and in a safe and sound manner” including a review of the third-party’s financial conditions (like any pending litigation or audited financial statements), reference checks, and evaluation of the entity’s legal and regulatory compliance.

Contracts should specify compliance with the regulations of relevant law, such as the Gramm-Leach-Bliley Act, the OCC added, and provide the financial institution with the power to conduct compliance reviews of the third-party.

Not to be outdone, the Consumer Financial Protection Bureau (the “CFPB”) followed up in January 2015 with the latest addition to its loosely-sewn patchwork of vendor management best practices and requirements. Compliance Bulletin 2015-01, among other directives, puts CFPB-supervised entities on notice that they may not invoke non-disclosure agreements to avoid complying with requests from the CFPB to produce a third-party’s confidential information.

For nonbanks and service providers still coming up-to-speed on the CFPB’s supervision and enforcement, confidentiality obligations, audit rights, vendor training responsibilities, and remedies for vendor breaches are among the more thorny agreement provisions that may need to be enhanced in light of developing trends.

Read OCC Bulletin 2013-29.

Read the SEC’s and DOJ’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act”.

Stricter Volcker Rule final; banking entities have until July 21, 2015 to conform

On December 10, 2013, five federal agencies approved the regulation known as the Volcker Rule, which introduces a variety of guidelines to limit risk-taking by banks with federally insured deposits. The Federal Reserve Board announced that banking entities covered by section 619 of the Dodd-Frank Wall Street Reform and Consumer Protection Act will be required to fully conform their activities and investments by July 21, 2015. The compliance requirements will vary based on the size of the entity and the scope of activities conducted.

The rule prohibits insured depository institutions and any company affiliated with an insured depository institution from engaging in short-term proprietary trading of certain securities, derivatives, and other financial instruments for the firm’s own account, subject to certain exemptions, including market making and risk-mitigating hedging. It also imposes limits on banking entities’ investments in, and other relationships with, hedge funds and private equity funds.

CFPB issues long-awaited rule on supervising non-banks that pose risks to consumers

On June 26, 2013, the Consumer Financial Protection Bureau (the “CFPB”) issued a final rule that establishes procedures to bring under its supervisory authority certain nonbanks whose activities pose risks to consumers. Non-banks subject to the rule are companies that offer or provide consumer financial products or services but do not have a bank, thrift, or credit union charter, and include a nonbank’s affiliate service providers. The final rule will be effective 30 days after its publication in the Federal Register.

Under the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), the CFPB is authorized to supervise any nonbank, regardless of its size, that the CFPB has reasonable cause to determine “is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.”

The CFPB has already finalized “larger participant” rules for the credit reporting and debt collection markets and has proposed such a rule for the federal and private student loan servicing market.

SEC’s proposed rule requires issuers and underwriters of asset-backed securities to make due diligence findings available to the public

The Securities and Exchange Commission (SEC) issued on October 13, 2010 a proposal to enhance disclosure to investors in the asset-backed securities market. The proposed rule requires issuers of asset-backed securities (ABS) to perform a review of the assets underlying the securities, and publicly disclose information relating to the review. The proposal also requires an issuer or underwriter of ABS to make publicly available the findings and conclusions of any third-party due diligence report.

The SEC’s proposed rule would enhance ABS disclosure in three ways:
  • Issuers of ABS that are registered with the SEC would be required to perform a review of the bundled assets that underlie the ABS.
  • Proposed amendments to Regulation AB would require an ABS issuer to disclose the nature, findings and conclusions of this review of assets.
  • Issuers or underwriters of both registered and unregistered ABS offerings would be required to disclose the findings and conclusions of any review performed by a third-party that was hired to conduct such a review.

In addition to this rule, the Commission last week proposed regulations that require issuers of ABS — and credit rating agencies that rate ABS — to provide investors with new disclosures about representations, warranties, and enforcement mechanisms. And, in April 2010, the Commission proposed rules that would revise the disclosure, reporting and offering process for ABS to better protect investors in the securitization market.

The Dodd-Frank Wall Street Reform and Consumer Protection Act requires the Commission to adopt rules regarding the review of assets, such as loans, underlying the securities no later than 180 days after enactment.
