Photo of Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group. A privacy and data security attorney, she also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and assessing breach response obligations following a breach.

We are pleased to share our annual review of regulatory and legal developments in the consumer financial services industry. With active federal and state legislatures, consumer financial services providers faced a challenging 2023. Courts across the country issued rulings that will have immediate and lasting impacts on the industry. Our team of more than 140 professionals has prepared this concise, yet thorough analysis of the most important issues and trends throughout our industry. We not only examined what happened in 2023, but also what to expect — and how to prepare — for the months ahead.

In this episode of The Consumer Finance Podcast, host Chris Willis is joined by Partners Kim Phan and Lori Sommerfield to discuss recent developments related to website accessibility under the Americans with Disabilities Act (ADA). They explore the Department of Justice’s proposed rule under Title II of the ADA, which seeks to improve state and local government website and mobile app access for individuals with disabilities, and the potential significance to the private sector. They also discuss the international World Wide Web Consortium’s latest version of its Web Content Accessibility Guidelines (WCAG), 2.2, and the first working draft of WCAG 3.0. Tune in to learn more about these important updates and how they may impact your organization.

Please join Troutman Pepper Partner Dave Gettings and colleagues Tim St. George and Cindy Hanson for a highly informative discussion on federal preemption as it relates to state laws and the Fair Credit Reporting Act (FCRA). This episode provides listeners with an overview of important state and local legislation governing background screening, along with discussions about how federal preemption might affect required compliance with these state and local laws. Topics include:

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued a report entitled Identity-Related Suspicious Activity: 2021 Threats and Trends highlighting threat patterns and trend information derived from financial institutions’ Bank Secrecy Act (BSA) filings for the calendar year 2021. Financial institutions are required to file suspicious activity reports no later than 30 calendar days after the initial detection of facts that could constitute suspicious activity.

On December 8, the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC) (collectively, the agencies) filed an amici curiae brief urging the U.S. Court of Appeals for the Fourth Circuit to reverse a district court’s decision finding that furnishers need not investigate indirect disputes involving purely legal questions under the Fair Credit Reporting Act (FCRA).

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Kim Phan, a partner in our firm’s Privacy + Cyber practice, to discuss the Securities and Exchange Commission’s new cyber risk management and incident disclosure rules for publicly traded companies. The rules, already in effect, detail the information a public company must report following a cybersecurity incident and the timeline for reporting. Chris and Kim also discuss the ongoing reporting obligations for a public company related to a cyber incident after the initial reporting phase, how the rules apply when cyber incidents involve a third party’s system, and whether the SEC has struck the right balance between informing investors and the possibility of educating hackers on a company’s cybersecurity defenses. They also address the rule’s new requirement for annual disclosures about a company’s cybersecurity risk management, strategy, and governance.

On December 13, New York Governor Kathy Hochul signed into law S4907A, which prohibits hospitals, medical providers, or ambulance services from providing negative information about medical debt to consumer reporting agencies (CRAs). The law also requires that these entities include a provision in their contracts with collection agencies prohibiting the reporting of any portion of a medical debt to a CRA. Any debt that is reported to a CRA will be deemed void. The law became effective immediately after it was signed.

In this special crossover episode with Regulatory Oversight podcast, Ashley Taylor is joined by Kim Phan and Kristen Eastman to discuss the Consumer Financial Protection Bureau’s (CFPB) proposed Rule 1033, also known as the Personal Financial Digital Rights rule. This rule, part of the Dodd-Frank Act, aims to restrict the sale or misuse of consumer data. It focuses on entities subject to the Truth in Lending Act (TILA) and Regulation Z, such as depository institutions, credit card companies, and payment processors. The rule requires these entities to make financial records available both to consumers and their authorized third parties.

Please join us for a special cross-over episode of FCRA Focus and The Consumer Finance Podcast, where Troutman Pepper Partners Chris Willis, Dave Gettings, Kim Phan, and Ron Raether look at the latest developments in the CFPB’s FCRA rulemaking process. Topics include: