Regulation P UPDATE Dino Tsibouris Tsibouris & Associates, LLC
Regulation P CFPB amended Regulation P in October Allows limited web posting of annual privacy notices under certain conditions Applies to a financial institution (“FI”) that does not share in a way that gives rise to an opt out
Regulation P Gramm Leach Bliley §503 requires a FI to provide initial and annual notices describing their privacy policies Must describe whether and how the FI shares nonpublic personal information with third parties
Regulation P If FI wants to share nonpublic personal information with nonaffiliated third parties, must give opportunity to opt out of sharing Exceptions: Third-party service providers Joint marketing arrangements Account servicing Legal compliance
Regulation P - FCRA Similarly to GLBA, the FCRA places restrictions on an FI providing a consumer information containing customer credit information to others FCRA §603 - Sharing credit information with affiliates is not deemed a “consumer report” if: The consumer is notified; and given the option to opt out
Regulation P - FCRA FCRA § 624 (“Affiliate Marketing Rule”) – affiliate of FI may not receive transaction history from FI unless consumer is given notice and opportunity to opt out Optional; may be included in GLBA initial and annual notice May use alternative delivery if not only method Included in model notice - opt out must be indefinite Separate notice - limit to 5 years subject to renewal if disclosed
Regulation P Common practice to mail printed copies of their GLBA Section 503(c)(4) of GLBA and Reg. P require notices to include FCRA §603 notice and opt out Many currently provide electronically if the consumer consents and acknowledges receipt of the notice Referred to as the “standard delivery methods”
Regulation P You may reasonably expect that a customer will receive actual notice of your annual notice under 12 CFR if: The customer uses your Web site to access financial products and services electronically and agrees to receive notices at the Web site, and you post your current privacy notice conspicuously in a clear and conspicuous manner on the Web site.
Regulation P GLBA Section 503(a) “Annual Notice” baseline requirement: ‘as long as a “clear and conspicuous disclosure” is provided “in writing or in electronic form or other form permitted by the regulations.”’
Regulation P You may now post annual notice on website under the following conditions: No opt out rights triggered under GLBA or FCRA and FCRA opt-out notices have been provided already or independent of proposed GLBA web notice; Information practices have not changed since the last notice (initial, annual, or revised) The model form provided in Regulation P is used.
Regulation P Access requirements: The 3 C’s: Continuous, clear, and conspicuous posting on a page of the FI’s website No login or “agreement to any conditions” to access the notice Must provide in writing within ten days of telephone request
Regulation P Is this an agreement?
Regulation P Web page may only include annual privacy notice “Only content on the web page” Information such as navigational menus and links to other supplemental information (including privacy information) is not “content” and is permissible
Regulation P FIs who change their privacy policies should deliver revised notices using the standard delivery methods Subsequent notice would use alternative delivery Name changes for FI/affiliates are not a change in privacy practices; alternative delivery permitted Minimum “not less than annually” standard allows for midyear corrections/more frequent delivery
Regulation P May use alternative delivery if information in privacy notice has not changed since it was provided in the immediately previous notice (whether initial, annual, or revised). If methods of information disclosure or sharing are eliminated, alternative delivery is acceptable without a new standard notice (“no changes other than elimination”).
Regulation P “Notice of availability” Must annually state that the privacy notice is posted on the FI’s website and that it will be mailed if you call their number May combine the reminder with another mandatory disclosure or notice – statements, coupon books, but not ads or newsletters May use an existing “E-SIGNed” method of delivery if available
Regulation P Must meet all conditions for alternative delivery by the due date of the first annual privacy notice you intend to use it for Notice of availability Telephone number Access via website Use of Model Form
Do-Not-Track Features: Legal Developments Kelly Lipinski McGlinchey Stafford
Browser Supported Do-Not-Track Feature
Fair Debt Collection Practices Act Rulemaking Update David A. Head Weltman, Weinberg & Reis Co., L.P.A.
Fair Debt Collection Practices Act Enacted in 1977 Federal Trade Commission had enforcement powers over the FDCPA, but could not make rules Case law has interpreted the law inconsistently Dodd-Frank Act in 2010 empowered the Consumer Financial Protection Bureau to make rules and enforce the FDCPA
FDCPA Consumer protection act Debt collectors treat consumers fairly Prohibit certain methods of debt collection Addresses issue of proper and appropriate debt collection practices and techniques Debt collector defined as third party collecting on behalf of another A violation of the FDCPA does not erase a legitimate consumer debt that is owed
Advanced Notice of Proposed Rulemaking CFPB began debt collection rule-writing process November 2013 – CFPB issued the ANPR for debt collection practices February 2014 – ANPR comment period ended December 2014 – Pre-rule activities scheduled through December Unknown when Proposed Rule will be issued for additional comment
ANPR Areas of Interest Transfer and accessibility of information Ensure info is accurate when transferred Validation, dispute and verification Ensure consumer has clear understanding of rights Communications Technology update needed (telephone, mail, telegraph) Cell phone, , text, social media
ANPR Areas of Interest Unfair, Deceptive and Abusive Acts or Practices First party/creditor liability for debt collection CFPB Bulletin Prohibition of UDAAP in consumer debt collection Originating creditors included Enforcement Action against ITT Educational Services, Inc. and Corinthian Colleges allege UDAAP violations, including abusive collection practices
ANPR Areas of Interest Time-barred debt Amicus briefs in Buchanan v Northland Group, Inc. and Delgado v Capital Management Services “A debt collector’s communication need not contain overtly false statements to be misleading or deceptive; omissions may also deceive” Communication contained no threat of litigation, but CFPB/FTC argued that actual or threatened litigation is not necessary Offer of settlement can be misleading because it implies legal enforceability
ANPR Areas of Interest Litigation practices Venue and pleading requirements/documentation State and local debt collection exemptions Recordkeeping, monitoring and compliance Federal registration
Higher Ed Privacy Federal Trade Commission enforces GLBA Stated that a college or university that fits within the definition of a “financial institution” is compliant with GLBA’s Privacy Rule if it complies with the Federal Educational Rights and Privacy Act (FERPA) (20 USC 1232g/ 34 CFR Part 99) 16 CFR 313.1
Higher Ed Privacy FERPA (20 USC 1232g/ 34 CFR Part 99) requires you to protect “personally identifiable information” Broader than “nonpublic personal information” as defined in GLBA Includes records maintained by your agents and contractors
Higher Ed Privacy “Personally identifiable information” includes, but is not limited to: Names of student, parents, family members Their addresses Personal identifiers Other direct identifiers (D.O.B., birthplace, mother’s maiden name) Linkable information (alone or in combination with other information that could identify the student)
Higher Ed Privacy “Parent” means the student’s parent but includes: A natural parent Guardian Individual acting as a parent in the absence of a parent or guardian
Higher Ed Privacy Annual notice of rights to parents of students or eligible students in attendance Notification of policy using means reasonably likely to inform
Higher Ed INFOSecurity FTC Safeguards Rule to protect nonpublic personal information does not exempt institutions of higher education You must comply FTC – Very limited enforcement power over nonprofits (subject to exceptions on a case by case basis) State AG
Higher Ed Security Risk assessments Comprehensive program to address risks Policies Training Adequate resources Event response Updating
Higher Ed Pressure Points If you aren’t compliant with FERPA, did you just violate GLBA also? Are the school’s joint ventures or spinoffs no longer nonprofit or independent of the school? Do you update your comprehensive programs? What about your credit union?
Higher Ed Pressure Points EPIC – ED does not adequately investigate FERPA complaints California Student Online Personal Information Protection Act (No K-12 student profiling allowed, EPIC Student Privacy Bill of Rights) Debt collector practices/Quality control reports (EPIC settlement, 2013)
Higher Ed Pressure Points Markey/Hatch proposed “Protecting Student Privacy Act” Safeguards for private companies holding student data Prohibits using data for marketing Parents can access/correct data at the company Transparency/limitations
Credit Reporting Update Kelly Lipinski McGlinchey Stafford
Credit Reporting & disputes Fair Credit Reporting Act Credit reporting agencies must notify furnisher if a consumer disputes information provided by the furnisher. Furnisher must investigate the dispute using “all relevant information”: Information on hand. Information provided by the CRA. Information provided by the consumer.
Credit Reporting & disputes CFPB Expectations for FCRA Compliance: System that can receive information from CRAs; Investigate “all relevant information”; Report the results of the investigation. If dispute is valid, furnisher must provide corrected information to every nationwide CRA to which it reported. Not only the CRA that initiated the investigation. If FCRA process isn’t written down, it doesn’t exist.
Credit Reporting & disputes Vendor management issue: Verification versus dispute. Understand what matters are handled as “verification” requests instead of “disputes”. Uniform policy of deleting trade line upon receipt of a dispute is insufficient and does not comply with FCRA. Investigation may reveal systemic problems.
Student LINES of credit Use of open end credit for private student loans is increasing A line of credit is established based on credit criteria Borrow up to the credit limit Draw period Repayment period Popular with credit unions and startups
Student LINES of credit Truth-in-Lending open end disclosures apply Private student loan disclosures under TILA §140 do not apply to open-end credit
Student LINES of credit 12 CFR (a)(2) - Open-end credit means consumer credit extended by a creditor under a plan in which: The creditor reasonably contemplates repeated transactions; The creditor may impose a finance charge from time to time on an outstanding unpaid balance; and The amount of credit that may be extended to the consumer during the term of the plan (up to any limit set by the creditor) is generally made available to the extent that any outstanding balance is repaid.
Student LINES of credit Truth in Lending Act amendments first required that the creditor have reasonably contemplated repeat sales Senate report discusses “spurious open end credit,” which occurs when “a merchant styles what is likely to be a one-time credit extension in the form of a purchase on an open end (revolving charge) plan”
Student LINES of credit Staff Commentary - 2(a)(20) Open-end credit. 3. Repeated transactions. Under this criterion, the creditor must reasonably contemplate repeated transactions. This means that the credit plan must be usable from time to time and the creditor must legitimately expect that there will be repeat business rather than a one-time credit extension. The creditor must expect repeated dealings with consumers under the credit plan as a whole and need not believe a consumer will reuse a particular feature of the plan.
Student LINES of credit Staff Commentary - 2(a)(20) Open-end credit. …The determination of whether a creditor can reasonably contemplate repeated transactions requires an objective analysis. Information that much of the creditor's customer base with accounts under the plan make repeated transactions over some period of time is relevant to the determination, particularly when the plan is opened primarily for the financing of infrequently purchased products or services.
Student LINES of credit The Benions argue that “likely” means more than 50 percent probable, that a probability of more than 50 percent is equivalent to a frequency of more than 50 percent, and hence that the issuer of a private label credit card violates the Act unless more than 50 percent of the purchases made with the card are repeat purchases - and anyway that big-ticket items are not eligible for credit card credit. Benion v. Bank One, 1998 (7th Cir.) (Claim rejected)
Student LINES of credit Line may be underwritten at opening May evaluate creditworthiness of borrowers periodically or on ad hoc basis (soft pulls) Must not perform underwriting because a person requested an advance Must have policies, procedures, and training Risk: converting the advance to a closed-end loan subject to closed-end disclosure requirements