Photo of Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

On January 8, the Consumer Financial Protection Bureau (CFPB) officially recognized Financial Data Exchange, Inc. (FDX) as the first standard-setting body under the Personal Financial Data Rights promulgated rule under Section 1033 of the Dodd-Frank Act. This rule, released in October 2024, requires depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ accounts, establish obligations for third parties accessing a consumer’s data, and provide basic standards for data access.

On January 3, the Federal Trade Commission (FTC) issued a press release announcing that accessiBe Inc. and accessiBe Ltd. (collectively, accessiBe) agreed to pay $1 million to settle allegations of deceptive advertising practices in violation of the FTC Act. Specifically, the FTC’s complaint alleged that accessiBe misrepresented the artificial intelligence (AI) capabilities of its website accessibility tool, accessWidget, to make websites compliant with the Web Content Accessibility Guidelines (WCAG). The FTC further alleged that accessiBe paid for reviews on third-party websites that were formatted to appear as the opinions of impartial authors and publications and failed to disclose material connections to such online reviewers.

In this episode, Brooke Conkle and Chris Capurso, attorneys in the firm’s Consumer Financial Services Practice Group, are joined by Kim Phan, a partner in the firm’s Privacy and Cyber Practice Group. They delve into the latest trends in privacy and their significant impact on the auto finance industry. The discussion covers the evolving landscape of data security, the implications of connected cars and the Internet of Things, and the challenges and opportunities presented by AI. Kim also shares insights on how recent legislative changes and the new administration may shape the future of privacy regulations. Tune in for a comprehensive analysis of these critical issues and their potential ramifications for the auto finance sector.

On December 9, the Consumer Financial Protection Bureau (CFPB or Bureau) announced the launch of a rulemaking process addressing credit reporting on survivors of domestic violence, elder abuse, and other forms of financial abuse.

On December 3, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a proposed rule for public comment aimed at amending Regulation V, which implements the Fair Credit Reporting Act (FCRA). The proposed rule seeks to redefine (and, in some cases, rewrite) key terms and provisions within the FCRA, particularly focusing on the activities of purported “data brokers.”

In this episode of FCRA Focus, hosts Kim Phan and Dave Gettings welcome Mark Furletti, co-leader of Troutman Pepper’s Consumer Financial Services Regulatory practice. Mark shares his extensive knowledge on the Fair Credit Reporting Act (FCRA) and provides practical advice on how companies, especially fintechs, can operate without becoming a consumer reporting agency (CRA) under the FCRA. The discussion delves into the intricate definitions within the FCRA, common pitfalls, and best practices. Tune in to learn how to navigate the regulatory landscape and mitigate risks associated with consumer report information. Don’t miss this insightful conversation packed with tips and real-world examples.

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Partner Kim Phan to discuss the latest cybersecurity guidance from the New York Department of Financial Services (NYDFS) concerning artificial intelligence (AI). Released on October 16, this guidance addresses the growing cybersecurity threats posed by AI and provides insights on how financial institutions can mitigate these risks. Kim and Chris delve into the specifics of the guidance, including the expectations for risk assessments, the importance of monitoring AI usage, and practical steps for enhancing cybersecurity measures. They also highlight the dual perspective of AI risks from both external threat actors and internal vulnerabilities, and discuss the potential benefits of integrating AI into cybersecurity strategies. Tune in to gain a comprehensive understanding of how to navigate these new guidelines and stay ahead in the evolving landscape of cybersecurity.

On October 16, the New York State Department of Financial Services (NY DFS) issued an industry letter to entities regulated by NY DFS (covered entities) providing guidance addressing the cybersecurity risks associated with the use of artificial intelligence (AI). The guidance purportedly aims to assist covered entities in understanding and assessing cybersecurity risks associated with threats arising from the use of AI by cybercriminals and the controls that may be used to mitigate those risks. The NY DFS emphasizes that this new guidance does not impose any new requirements on covered entities, but rather it provides an outline for meeting existing compliance obligations under the NY DFS Cybersecurity Regulation, 23 NYCRR Part 500, in light of the advancements in AI technology.

Yesterday, the Consumer Financial Protection Bureau (CFPB or Bureau) issued its final rule on personal financial data rights, purportedly aimed at enhancing consumer control over their financial data and promoting competition in the financial services industry. According to the Bureau’s press release, “[t]he rule requires financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free… help[ing] lower prices on loans and improve customer service across payments, credit, and banking markets.” Later that same day, a complaint was filed challenging the Bureau’s authority.

On September 24, the Consumer Financial Protection Bureau (CFPB or Bureau) announced a significant development in its efforts to implement open banking rules in the United States. The Bureau has initiated a public comment process for the first application from an organization seeking recognition as an open banking standard-setter.