CURRENT MONTH (November 2021)
Federal Agencies Issue Final Rule on Computer-Security Incident Notification Requirements for Banking Organizations
By Christopher Greenidge, McGlinchey Stafford, PLLC
On November 18, 2021, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, and the Federal Deposit Insurance Corporation (FDIC) announced the adoption of a final rule that requires a banking organization to notify its primary federal regulator of a significant computer-security incident within 36 hours after the organization determines that the incident has occurred.
The rule would also require a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
The rule applies to a range of banking organizations including but not limited to: (i) national banks; (ii) all U.S. bank holding companies and savings and loan holding companies; (iii) state member banks; (iv) the U.S. operations of foreign banking organizations; (v) all insured state nonmember banks; and (vi) insured state-licensed branches of foreign banks.
Under the rule, notification is required for incidents that would materially disrupt: (i) the ability of a banking organization to carry out banking operations in the ordinary course of business; (ii) any business line of a banking organization and would result in a material loss of revenue; or (iii) those operations of a banking organization in which the failure would pose a threat to the financial stability of the United States.
CFPB Director Chopra Discusses Stablecoin Report
On November 1, 2021, the President’s Working Group on Financial Markets, the OCC, and the FDIC issued a “Report on Stablecoins.” Consumer Financial Protection Bureau Director Rohit Chopra’s statement on the report linked the report to the Bureau’s recent orders to large technology companies, arguing that “established players with large user bases could accelerate the adoption of stablecoins as a payment device, and lead to an excessive concentration of market power.” Director Chopra noted that “the CFPB is actively monitoring and preparing for broader consumer adoption of cryptocurrencies,” and that their use “in connection with consumer deposits, stored value instruments, retail and other consumer payments mechanisms, and in consumer credit arrangements,” would trigger the application of various federal consumer financial protection laws, including the prohibition on unfair, deceptive, or abusive acts or practices.
CFPB and Other Regulators Roll Back Early COVID Relief for Mortgage Servicers
On November 10, 2021, the CFPB, Fed, FDIC, OCC, National Credit Union Administration (NCUA) and a number of state financial regulators released a joint statement regarding supervisory and enforcement expectations for mortgage servicers. The new joint statement withdraws the agencies’ April 2020 joint statement that the agencies would not take supervisory or enforcement action against mortgage servicers for failing to meet timing requirements under Regulation X so long as servicers made good faith efforts to provide required notices and disclosures to consumers. It also explains that “the temporary flexibility” under the prior statement “is no longer necessary because servicers have had sufficient time to adjust their operations.”
The new joint statement underscores the Bureau’s focus on the economic impacts of the COVID-19 pandemic on consumers, rather than on financial services providers. In the Bureau’s press release, Director Rohit Chopra stated, “Failures by mortgage servicers and regulators worsened the impact of the economic crisis a decade ago. Regulators have learned their lesson, and we will be scrutinizing servicers to ensure they are doing all they can to help homeowners and follow the law.” The new joint statement follows the March 2021 rescissions of other industry-focused relief issued in the early days of the pandemic.
CFPB Warns Name-Only Matching Processes for Consumer Reports Violate the FCRA
On November 4, 2021, the Bureau published an Advisory Opinion that the use of name-only matching methods to prepare consumer reports violates consumer reporting agencies’ duty to adopt reasonable procedures to assure maximum possible accuracy of those reports under the Fair Credit Reporting Act. The CFPB advises that name-only matching is prone to inaccuracies due to the prevalence of many first and last names, particularly among Hispanic, Asian, and Black consumers. The Advisory Opinion adds that inaccurate information in consumer reports can adversely impact individuals’ ability to obtain employment, credit, or housing, thereby hindering the pandemic recovery.
In a statement on the Advisory Opinion, Director Rohit Chopra explained that the Bureau would enforce the opinion’s interpretation of the FCRA by collaborating with FTC consumer-data investigations, seeking “substantial” consumer redress, referring discriminatory conduct to the Department of Justice, and continuing to monitor data monetization practices. Endorsing the CFPB’s view, Federal Trade Commission Chair Lina Khan said the Commission “stands ready to work with the CFPB to protect American families.”
CFPB Report Examines Trends in Consumer Credit Report Disputes
On November 2, 2021, the Bureau released a research report entitled “Disputes on Consumer Credit Reports.” Based on auto loan, student loan, general purpose credit card, and retail card account data from 2012 to 2019, the Bureau found disputes are more common among consumers who are younger, have lower credit scores, and live in majority Black or Hispanic census tracts.
When announcing the report, Director Rohit Chopra emphasized its implications for racial equity and argued that its analysis supports the Bureau’s ongoing scrutiny of inaccuracies in consumer data. The report itself concludes that its findings “raise further questions” as to whether the correlations resulted from furnishers’ dispute policies or reflected exogenous differences among consumers and credit types.
FTC Updates the Safeguards Rule
On October 27, 2021, the FTC announced updates to the Safeguards Rule that are designed to “strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information.” The rule, which applies to non-bank financial institutions, requires a comprehensive security system to protect customer information. The updates to the Safeguards Rule include requirements to:
- Limit access to consumer data.
- Use encryption to secure consumer data.
- Describe information sharing practices, including the safeguards used to “access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information.”
- Designate a qualified individual to oversee the information security program and report to the board of directors or senior officer in charge of information security.
These requirements will take effect over the course of the next year. A dissent by the two Republican Commissioners called the new rules premature and counterproductive.
The FTC is also requesting comments on whether it should make additional changes to the Safeguards Rule to require non-banking financial institutions to report data breaches. Comments on this supplemental notice of proposed rulemaking are due 60 days after publication in the Federal Register.
Fifth Circuit Stays OSHA Vaccine Rule, Citing “Grave Statutory and Constitutional Issues”
By Andrew Albritton, McGlinchey Stafford, PLLC
On Saturday, November 6, 2021, the United States Court of Appeals for the Fifth Circuit released an emergency motion to stay enforcement of the Emergency Temporary Standard (“Mandate” or “ETS”) issued by the Occupational Safety and Health Administration (OSHA) the day before. The ETS, under OSHA’s authority to regulate workplace safety, required certain employers (with more than 100 employees) to implement protective measures against COVID-19, namely that employees either be fully vaccinated or undergo weekly COVID-19 testing. It does not require that employers force their employees to be vaccinated.
Petitioners include the States of Louisiana, Texas, and Mississippi, sixteen corporate entities operating as supermarkets across those states, and six other individually-named corporations. They argue that the Mandate is in excess of OSHA’s administrative authority under its controlling statute and Congress’ authority under constitutional law. The Petitioners also argue that the ETS effectively mandates vaccinations because of the “steep costs” of requiring weekly COVID-19 testing and masking in the workplace.
In its response, the Government asserted that the emergency relief sought was inappropriate because the ETS would not go into effect for another two months, and the petitioners’ alleged injuries were outweighed by the benefits of the measure. It also argued that OSHA was within its rights to implement the standard to address the “grave danger” presented by COVID-19. The deadline to file responsive briefs was Tuesday, November 9.
In the per curiam decision, the Court cited “grave statutory and constitutional issues” as their reasoning for staying enforcement of the ETS temporarily. This temporary stay will remain in place until a final decision is issued, which may either come in the form of a permanent injunction or dismissal of the petition. Based on the timing of the pleadings, a decision will likely come quickly.
The challenge is one of several among the federal circuit courts, as similar petitions have been filed in the Sixth, Seventh, Eighth, Eleventh, and District of Columbia Circuits. If no permanent injunction is issued, the ETS is set to go into effect on January 4, 2022.
OSHA Vaccine Rule Cases Consolidated, Transferred to Sixth Circuit for Review
By Andrew Albritton, McGlinchey Stafford, PLLC
The challenge to OSHA’s COVID-19 Vaccination and Testing Emergency Temporary Standard (ETS) that was pending before the U.S. Court of Appeals for the Fifth Circuit has been transferred. The Judicial Panel on Multidistrict Litigation issued a ruling on November 16, 2021, consolidating all challenges to the ETS to the Sixth Circuit in Ohio. This includes 34 total petitions that had been filed in 12 of the 13 circuit courts (except the Federal Circuit in Washington). The Sixth Circuit was randomly selected by a lottery conducted by the Panel as the sole jurisdiction for those petitions to be reviewed.
The Court has not yet scheduled oral arguments or assigned judges who will hear the cases, though at least one challenger has filed for en banc consideration by the Court—meaning the entire bench of 16 judges would hear the cases. It is not immediately clear whether the transfer of the cases will override the injunction issued by the Fifth Circuit. Still, because the ETS is not scheduled to go into effect until January 4, 2022, there is no change to existing policy at this time.