Consumer Financial Services Law

Industry Groups Respond on Consumer Access to Financial Records

Financial industry groups responded to the Consumer Financial Protection Bureau's (CFPB) request for information on consumer access to their financial records.

What happened

Last November, the Bureau announced its intent to take a closer look at "the challenges consumers face in accessing, using, and securely sharing their financial records," asking for information about how much choice consumers are being given about the use of their records, how secure it is for them to share their records, and to what extent consumers have control over their records, releasing a Request for Information (RFI).

Industry groups have responded. The American Bankers Association (ABA) noted the timeliness of the CFPB's RFI, given that technology "has facilitated the creation of an unprecedented amount of consumer financial data." While the ABA "fully supports the customer's ability to access and share their financial data in a secure, transparent manner that gives them control," the group identified regulatory gaps and suggested steps to facilitate consumer access.

Three core principles should set the framework for how consumer data is treated, the ABA wrote: security (bank-level protection should be consistent for all consumer financial information, whether the data is at a bank or a third party); transparency (consumers should know how their data is being used); and control (consumers should have control over the access and use of their data, including what information is shared).

To effectuate these principles, the ABA recommended that the Bureau use existing regulatory authority and not promulgate new rules. For example, the CFPB should clarify that data aggregators are "financial institutions" subject to the requirements of the Gramm-Leach-Bliley Act (GLBA) and take steps to ensure such entities are subject to the same standards as depository institutions for safeguarding financial data and notifying customers about security breaches. Data aggregators should also be designated as "service providers" under the Electronic Funds Transfer Act (EFTA) and "larger participants" in the market for consumer financial data should be identified and subject to supervision by the CFPB, the ABA recommended.

In its comments, the Financial Services Roundtable (FSR) set forth "five core elements" that should be considered by the Bureau to determine its role in the evolving ecosystem. Security and privacy; data access and use transparency (with the group stating that customers should be required to provide express consent permitting a financial institution to share their account data with a third party); clarity of liability, particularly with regard to data aggregators under Regulation E; customer choice and control; and technology neutrality, the group explained.

The FSR also urged the CFPB to exercise "caution in pursuing any rulemakings that would certainly hamper these consumer-focused agreements, and likely stifle innovation."

While the Independent Community Bankers of America (ICBA) threw its support behind consumer access to financial information, the group expressed "profound concerns" that non-bank entities "do not take the same care in protecting consumer privacy and data that community banks do." Community banks are highly regulated but "protecting consumers' account data at banks is of limited value if it remains under protected or exposed by other users," the group told the Bureau.

"At a minimum, consumers must have the same GLBA-like privacy protections with permissioned third parties as they have with banks, including limitations on the use of consumer information and limitations on the disclosure of the consumer's information to third parties," ICBA wrote.

The group also shared its worries that the Bureau would develop rules dictating how community banks share information with third parties, with the banks shouldering both financial and reputational risks, emphasizing that community banks should not have to bear the cost and risk of ensuring safe third party access.

Finally, Financial Innovation Now (FIN), an alliance of technology leaders, weighed in, similarly taking the position that regulation by the CFPB is unnecessary. "We are concerned that regulation would run the risk of creating a framework that likely would restrict market developments or innovations and not easily adapt to the pace of technological innovation and consumer expectations," the group wrote.

Instead, FIN said that consumers' interest would most effectively be promoted by empowering them to permission access to financial account data "securely and easily, using whatever secure application or technology they wish," according to industry-developed standards that are regularly reviewed and updated and do not mandate a specific type of technology.

To read the ABA's comment, click here.

To read the FSR's comment, click here.

To read the ICBA comment, click here.

To read the FIN comment, click here.

Why it matters

Industry groups were united in their stance that no new regulation is required from the CFPB in order to ensure consumer access to financial records. While the comments provided different suggestions as to how the Bureau should address the safety and security of consumer financial data, the core principles of consumer choice and data security remained consistent for all the groups.

back to top

Home Depot Settles Data Breach Suit for $25M

As a result of a $25 million settlement reached with the remaining banks and credit unions, the litigation against Home Depot stemming from its 2014 data breach will finally end.

What happened

In September 2014, Home Depot announced that its payment data systems had been breached. An investigation revealed that hackers placed malware on the self-checkout kiosks in stores nationwide, allowing the theft of customers' personal financial information, including names, payment card numbers, expiration dates, and security codes. The stolen information—estimated in the range of 56 million credit and debit card numbers—was then sold over the Internet.

As a result, financial institutions cancelled accounts and reissued the compromised payment cards, reimbursed their customers for fraudulent transactions, and incurred other expenses. More than 25 class action lawsuits were filed against Home Depot by financial institutions alleging that the company's failure to institute adequate data security measures caused their losses.

The litigation was consolidated and after some motions and discovery, the parties managed to reach a deal.

Pursuant to the settlement, Home Depot promised to pay $25 million into a non-reversionary fund to be distributed to class members, which included banks and credit unions in the United States that issued any payment card identified as having been at risk as a result of the data breach and that did not release their claims. Class members that file a valid claim will receive a "fixed payment award" estimated to be $2 per compromised card, without having to prove their losses and regardless of the amount of compensation they already have received from another source.

Those class members that submit proof of their losses and the compensation they already received, if any, are eligible for an additional "documented damages award" from the fund of up to 60 percent of their uncompensated losses from the data breach.

Home Depot previously obtained releases from some MasterCard and Visa issuers, paying out $14.5 million in premiums on top of more than $140 million in payments to the larger issuers under the card brand recovery processes.

A separate $2.25 million will be provided by Home Depot to sponsored entities whose claims were released by their sponsor in connection with MasterCard's Account Data Compromise program. Eligible entities will be entitled to $2 per compromised card.

In addition to the monetary payment, Home Depot agreed to implement new data security measures. For a period of at least two years, the company will "design and implement reasonable safeguards to manage the risks identified through its data security risk assessments," tracking and managing its assessments utilizing a risk exception process involving Home Depot leadership and reviewed on a periodic basis.

The company will implement an appropriate industry recognized security control framework and develop and use reasonable steps to select and retain information technology vendors capable of maintaining appropriate security, conducting assessments to ensure that vendors with access to payment card information comply with Home Depot's security practices.

Home Depot also accepted responsibility for the costs of settlement administration and class counsel fees separate from the settlement fund.

Arguing in support of granting preliminary approval of the deal, the plaintiffs said the terms were within reason and compared favorably with settlements in similar data breach cases.

To read the memorandum of law in support of the plaintiffs' unopposed motion for preliminary approval of class action settlement in In re: The Home Depot, Inc., Customer Data Security Breach Litigation, click here.

U.S. District Court Judge Thomas W. Thrash granted preliminary approval to the deal. A final hearing on the settlement is set for September.

Why it matters

Aside from the settlement confirming a consistent level of potential financial recoveries for banks refusing to accept the amounts recoverable through the Card Networks, the obligation to implement new security measures—while not unexpected after a breach—also establishes a precedent as to commitments that may be expected of merchants in future cases.

back to top

Mortgage Lender Hit With Record HMDA Penalty

In the Consumer Financial Protection Bureau's (CFPB) largest Home Mortgage Disclosure Act (HMDA) penalty to date, the Bureau hit a major mortgage servicer with a $1.75 million penalty for allegedly failing to report accurate data about mortgage transactions over a two-year period.

What happened

The mortgage servicer—a nonbank mortgage lender—has almost 3 million customers in the mortgage servicing and origination markets. It earns its fees through servicing, origination, and other real estate-based services.

According to the CFPB allegations, the company "consistently" failed to report accurate data about mortgage transactions from 2012 to 2014, in alleged violation of the HMDA. The 1975 statute requires that mortgage lenders collect and report data about their mortgage lending not only to the appropriate federal agencies but also make it available to the public.

During its supervision process, however, the Bureau claims it found that the servicer's compliance systems were flawed and generated mortgage lending data with "significant, preventable errors." Because the company failed to consistently define data among its various lines of business, it produced discrepancies, the CFPB alleges.

These problems occurred after a history of HMDA non-compliance, the Bureau claimed. The same servicer reached a settlement with the Massachusetts Division of Banks in 2011 to address HMDA compliance deficiencies (a deal that included a $25,000 payment). Despite this, the CFPB claims that samples showed "substantial" error rates in three consecutive reporting years after that settlement, the Bureau alleged: 13 percent in 2012, 33 percent in 2013, and 21 percent in 2014.

To settle the CFPB's charges, the servicer agreed to a consent order requiring the company to pay a $1.75 million penalty—the largest the Bureau has ordered to date for violations of the HMDA—and change its practices.

Although the CFPB acknowledges that the company has already taken steps to further its compliance and increase accuracy since the Bureau's examination, the CFPB has nonetheless directed the servicer to develop and implement an effective HMDA compliance management system, undertaking any necessary improvement to prevent future violations. In addition, the servicer was directed to review, correct, and make available the corrected HMDA data for the applicable time period between 2012 and 2014.

To access the consent order, click here.

Why it matters

Once again, the CFPB is using enforcement actions as a substitute for legitimate rulemaking. Here, in a warning to others that may have more significant operations, the CFPB reached its record-setting HMDA civil penalty based on the servicer's market size, the alleged substantial magnitude of its errors," and the company's alleged history of previous violations, the CFPB said. Despite little evidence that the servicer was a true recidivist, director Cordray insisted that "[f]inancial institutions that violate the law repeatedly and substantially are not making serious enough efforts to report accurate information." The action "send[s] a strong reminder that HMDA serves important purposes for many stakeholders in the mortgage market, and those required to report this information must make more careful efforts to follow the law."

back to top



pursuant to New York DR 2-101(f)

© 2020 Manatt, Phelps & Phillips, LLP.

All rights reserved