October 2023

On October 27, the Federal Trade Commission (FTC) announced a final rule amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act. The Safeguards Rule requires nonbanking financial institutions to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe. The amendment will require financial institutions to notify the FTC no later than 30 days after discovery of a security breach involving the information of 500 or more consumers. The amendment will go into effect 180 days after publication of the final rule in the Federal Register.

The Securities and Exchange Commission’s Division of Examinations has outlined its 2024 Examination Priorities, with a significant focus on cryptocurrency, emerging technology, and Anti-Money Laundering (AML) laws. This has important implications for financial services. Our Regulatory Oversight blog has the details; key highlights are below.

In a major victory for small business lenders, yesterday the U.S. District Court for the Southern District of Texas granted motions filed by three groups of trade association intervenors to extend the court’s existing injunction against the Consumer Financial Protection Bureau’s (CFPB or Bureau) enforcement of its final rule under § 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Final Rule) to cover all small business lenders nationwide. A discussion of the preliminary injunction issued by that Texas federal court on July 31 can be found here. The injunction in Texas Bankers Association v. CFPB will dissolve if the U.S. Supreme Court reverses the Fifth Circuit in Community Financial Services Association v. CFPB (CFSA case), which found the CFPB’s funding structure unconstitutional.

On October 24, the Federal Trade Commission (FTC) and the Wisconsin Department of Justice announced a settlement with Wisconsin auto dealer group Rhinelander Auto Center, Inc. (Rhinelander), its current and former owners, and general manager. The lawsuit was brought under the FTC Act, the Equal Credit Opportunity Act (ECOA), the Wisconsin Deceptive Trade Practices Act, and the Wisconsin Consumer Act.

A U.S. District Court in the Western District of Wisconsin recently denied both the defendant’s and the plaintiff’s summary judgment motions in a Fair Credit Reporting Act (FCRA) case, holding that the reasonableness of the defendant’s investigation of the plaintiff’s identity theft claim was a triable issue.

In this episode of The Consumer Finance Podcast, Troutman Pepper Partners Chris Willis and Matthew Orso discuss lessons learned from bank internal investigations. They explore the trigger points that give rise to these investigations, provide useful advice for banks regarding their investigations, discuss how to avoid common issues, and suggest remedial measures to prevent issues from repeating.

On October 24, the Federal Reserve Board (Fed), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) finally issued their long-awaited final rule modernizing how they assess lenders’ compliance under the Community Reinvestment Act (CRA). The CRA was enacted in 1977 to address systemic inequities in access to credit and encourages banks to meet the credit needs of the entire community, including low- and moderate-income (LMI) communities, consistent with safety and soundness principles. The last meaningful, comprehensive revision to the CRA regulations occurred in 1995.

On October 19, the Consumer Financial Protection Bureau (CFPB) issued its highly anticipated notice of proposed rulemaking under Section 1033 of the Consumer Financial Protection Act of 2010 (CFPA). The proposed Personal Financial Data Rights Rule would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ accounts, establish obligations for third parties accessing a consumer’s data, and provide basic standards for data access. Notably, the proposed rule only provides for narrow exceptions, such as community banks and credit unions that have no digital interface with their customers. The CFPB is currently accepting comments on the proposed rule until December 29, 2023.