DOJ’s FCPA Corporate Enforcement Policy Creates Greater Certainty for Companies

The Foreign Corrupt Practices Act of 1977 (FCPA) makes it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business. On November 29, 2017, Deputy Attorney General Rod Rosenstein announced the addition of an FCPA Corporate Enforcement Policy to the U.S. Attorneys’ Manual, providing guidance to companies seeking cooperation credit for voluntarily self-disclosing FCPA-related misconduct, fully cooperating with the government’s investigation, and remediating. Notably, the policy creates a presumption that a self-disclosing company that is not a repeat offender will receive a declination from the Department of Justice (DOJ) “absent aggravating circumstances.” Although, as an internal operating policy, it creates no private rights and is not enforceable in court, the policy promotes consistency and predictability in DOJ’s treatment of corporate FCPA offenders.

This new policy largely mirrors the Pilot Program announced by DOJ on April 5, 2016. By making the Pilot Program permanent and incorporating it into the U.S. Attorney’s Manual, and by modifying it to give even greater certainty to companies self-disclosing misconduct, DOJ has demonstrated its belief that incentivizing voluntary disclosure works. Indeed, Deputy Attorney General Rosenstein noted that during the period the Pilot Program was in effect, DOJ received 30 voluntary disclosures, compared to 18 during the previous 18-month period. Also, of the 17 criminal FCPA resolutions entered by DOJ during the Pilot Program, only two involved defendants who had voluntarily disclosed. Both of those were resolved through non-prosecution agreements that did not impose a compliance monitor. Over that same time period, seven additional matters came to the Department’s attention through voluntary disclosures and were resolved under the Pilot Program through declinations with payment of disgorgement. The new policy broadens and cements the incentives for companies to come forward of their own accord to report findings or suspicions of misconduct.

Most notably, while the Pilot Program provided for the possibility of a declination when a company voluntarily self-discloses misconduct, fully cooperates, and timely and appropriately remediates, the new policy creates a presumption that the company will receive a declination, unless there are aggravating circumstances related to the seriousness of the offense or if the disclosing company is a repeat offender. Even if aggravating circumstances exist, where the company is not a recidivist, DOJ will recommend a 50 percent reduction off the low end of the Sentencing Guidelines range. These modifications to the Pilot Program provide much greater certainty for a company considering making a voluntary disclosure.

Voluntary self-disclosure is evaluated by “assessment of the circumstances of the disclosure.” First, a company must make the disclosure prior to an imminent threat of disclosure or government investigation. Second, the company must demonstrate timeliness of the disclosure and show that it was made “within a reasonably prompt time after becoming aware of the offense.” And, third, the company must disclose all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law.

The DOJ determines whether a company has fully cooperated based upon its Principles of Federal Prosecution of Business Organizations, as well as five other independent factors. These factors are timely disclosure of all relevant facts; proactive rather than reactive disclosure; preservation and collection of relevant documents; de-confliction of investigative steps; and making officers and employees available for interview by the department.

Finally, remediation credit is available when a company has performed a root cause analysis; implemented a compliance and ethics program; disciplined responsible employees; implemented an appropriate document retention policy; and taken any other steps to reduce future risks, accept responsibility, and demonstrate recognition of the seriousness of the misconduct. Although the 2016 Pilot Program indicated that remediation was “difficult to ascertain and highly case specific,” the new policy articulates additional factors to consider when evaluating remediation, such as the requirement of conducting a root cause analysis of the conduct.

It is worth noting that this policy applies only to FCPA matters and has no direct application to voluntary disclosures of wrongdoing in other contexts.

Parallel Universe or Coincidence: The CFPB’s New Data Consumer Protection Principles’ Relationship to GDPR

Parallel Universe or Coincidence: The CFPB’s New Data Consumer Protection Principles’ Relationship to GDPROn October 18, 2017, the Consumer Financial Protection Bureau (CFPB) outlined nine non-binding Consumer Protection Principles (the Principles) for the access and sharing of consumer information between third-party companies. The Principles focus on the consumer experience, specifically consumers’ enhanced control over their financial lives.

The CFPB envisions a marketplace in which consumers are in the proverbial drivers’ seat with regard to the use of their financial data. To that end, the CFPB announced the Principles in an attempt “to reiterate the importance of consumer interests to all stakeholders in the developing market for services based on the consumer-authorized use of financial data.” The Principles provide general guidance for the following:

  1. Access
  2. Data Scope and Usability
  3. Control and Informed Consent
  4. Authorizing Payments
  5. Security
  6. Access Transparency
  7. Accuracy
  8. Ability to Dispute and Resolve Unauthorized Access
  9. Efficient and Effective Accountability

Shifting the balance of power to consumers

Although each Principle sets forth a unique protection for consumers, when read as a whole, the Principles make it apparent that the CFPB seeks to shift the balance of power into consumers’ hands. For example, a boilerplate notice regarding data access and data sharing may no longer suffice in light of the Control and Informed Consent Principle. This Principle provides that “authorized terms of access, storage, use, and disposal are fully and effectively disclosed to the consumer, understood by the consumer, not overly broad, and consistent with the consumer’s reasonable expectations in light of the product(s) or service(s) selected by the consumer.”

As if to clarify any possible confusion, the CFPB specifies that consumers are not to be “coerced into granting third-party access.” Continuing on this theme of consumer control, the CFPB also pushes for “separate and distinct consumer authorizations” for payment authorization. Put simply, consumer authorization of data access does not equal consumer authorization for the initiation of payments.

Emphasizing security of data and credentials

Of particular importance in the aftermath of the Equifax security breach is the CFPB’s emphasis on the security of consumer data and access credentials. Although the CFPB does not specify a security standard, it nonetheless provides that “all parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes.”

Such practices are not meant to be static, as the CFPB envisions adaptable security practices in response to new and emerging threats. To that end, the Principles could be read as an impetus to encourage cooperation among market participants with regard to data/security standards. Data aggregators are in the best position to determine the scope of these evolving threats and determine criteria to protect consumer interests with minimal CFPB involvement.

Similarities to EU’s GDPR

Keen observers of the data privacy arena may note some resemblance to the rights enshrined in the European Union’s (EU) General Data Protection Regulation (GDPR), specifically the right to data portability. As envisioned, the GDPR’s right to data portability would allow a data subject to request a copy of all his or her electronically stored personal data and/or have the right to transmit that data to another data controller without hindrance.

The GDPR, like the CFPB’s Principles, allow the data owner, or consumer, to remain in control of his or her data. Unlike the GDPR, which will become an enforceable regulation on May 25, 2018, the Principles are, for the time being, aspirational tenets by which the CFPB seeks to enable consumer-friendly innovation in financial services. Under the Principles, financial institutions and third-party service providers will need to coordinate closely, which may require a heavy investment if they choose to fully implement the Principles.

The watchdog role

Even though the Principles do not alter, interpret, or otherwise provide guidance on applicable statutes and regulations, they provide a practicable, if generalized, framework with respect to data security, privacy, and unauthorized access. Through the Principles, the CFPB is further staking out its role as watchdog in the growing aggregation services market.

Exactly how bold the CPFB will be in enforcing consumer rights in this area remains unknown. What is known is that the CFPB will be embedding regulators with the three major credit reporting agencies in the wake of the Equifax data breach, indicating the CFPB’s heightened involvement in the day-to-day security operations of these companies.

What the future may hold

Looking ahead, the CFPB could further clarify existing regulations or take more drastic measures such as engaging in rulemaking under Section 1033 of the Dodd-Frank Act. The CFPB could also use its powers under the Unfair, Deceptive or Abusive Acts or Practices (UDAAP) regulation to bring enforcement actions against companies that refuse to follow the Principles.

On the other hand, in the wake of CFPB Director Richard Cordray’s resignation, the CFPB could simply withdraw its oversight from this area, as a future director may look to reorient the CFPB’s mission. Until such time as the CFPB signals its intent with regard to data-sharing requirements, data aggregators and any financial service entity that collects consumer data should heed the Principles and ensure consumer protections for safe access to and controlled use of consumer financial data.

As data privacy threats continue to loom, so too will the increase in regulation and oversight. General data privacy principles continue to serve as the building blocks for many of the international standards in data privacy. As technology continues to shrink global differences, U.S. companies can expect general and globally accepted data privacy principles to cross borders and influence data privacy laws stateside.

Texas Voters Relax Home Equity Lending Restrictions

Texas Voters Relax Home Equity Lending RestrictionsTexas has long had some of the tightest consumer protections in the home equity lending space. After years of lobbying by the industry, a constitutional amendment was submitted to voters on November 7, 2017, aimed at relaxing some of those restrictions. Early returns indicate that Texas voters have approved Proposition 2, which had a ballot title that read:

“The constitutional amendment to establish a lower amount for expenses that can be charged to a borrower and removing certain financing expense limitations for a home equity loan, establishing certain authorized lenders to make a home equity loan, changing certain options for the refinancing of home equity loans, changing the threshold for an advance of a home equity line of credit, and allowing home equity loans on agricultural homesteads.”

The most significant change in Proposition 2 is the downward revision allowing lenders to charge 2 percent fees instead of 3 percent. However, the amendment also allows lenders for the first time to exclude certain fees from this cap. Significantly, these fees include items such as appraisal costs, survey costs, title insurance premiums and title report costs.

Borrowers will now be able to pay for those expenses separately. The net result of this change is a likely increase in the ability to originate smaller home equity loans that were previously not economically viable as a result of the fee cap that included such expenses.

Another significant change is the new ability to refinance seasoned home equity loans to be non-home equity loans. The former prohibition on such refinancing generated a considerable amount of litigation, which this change is meant to avoid.

Proposition 2 also removes the ban on home equity lending to agricultural homesteads, representing a considerable expansion of the ability of farmers and ranchers to obtain home equity loans on a previously excluded class of property.

Notably, Proposition 2 does not involve reverse mortgages. Proposition 2 also does not remove the prohibition against borrowing more than 80 percent of a home’s appraised value, which is often cited as an important consumer protection.

Bottom line, this amendment will trim regulations and will expand the availability of home equity loans to Texans while preserving some of the key consumer protections.

Upending Trade Finance through Blockchain Technology

Upending Trade Finance through Blockchain TechnologyTrade finance, in both domestic and international financial transactions, is often utilized when one company seeks to import a shipment of goods from a supplier (or exporter). These transactions comprise an enormous amount of global trade. It is estimated that approximately 80 to 90 percent of world trade relies on trade finance. In fact, almost any time goods or services are bought or sold across any border, there is some form of trade finance involved.

Due to the cross-border nature of the transaction, payment and shipment do not occur simultaneously (or in the same day or even week). The importer needs to pay for the goods but wants to ensure that the goods will arrive as ordered. Meanwhile, the exporter is hesitant to ship the goods without being certain that payment will arrive for the goods. Because neither party wants to bear the risk, a trusted third party is used to bridge the payment/delivery gap.

In addition to the lag in payment and delivery, another downside to trade finance is the involvement of massive amounts of paperwork. One of the main difficulties is facilitating the flow of large volumes of documentation between the parties. With each step of the process, all the paperwork must be confirmed between various parties to ensure its accuracy. This structure of trade financing arrangements has been in place for hundreds of years with fairly little change in methodology.

Distributed Ledger Technology (DLT) or blockchain technology, however, is now providing a novel way to both reduce costs and increase efficiency by replacing the flow of paper for trade finance with digital data flows, as well as providing a streamline payment between the parties. DLT was born out of the operational platform behind bitcoin transactions. DLT is touted as an emerging technology that can provide a transparent way to digitally track the ownership of assets, expedite transactions, facilitate secure payment processing, and electronically initiate and enforce contracts. At a very high level, DLT creates a digital ledger of transactions that can be distributed through a network of computers, allowing details of the transaction, or the transaction’s database, to be accessed, viewed and potentially updated by a number of different parties. This differs from the traditional, centralized ledger system, where a single party is responsible for maintaining the details of the transaction.

DLT is made possible through the application of encryption and algorithms that allow new transactions to be aggregated, encoded, and appended to an existing chain of transactions. Put simply, any time a change to data or an asset is proposed, a unique digital fingerprint is created. That fingerprint is sent to another part of the network chain for validation, which is organized around the networks’ previously agreed-upon rules. These features enable network participants to validate the accuracy of new transactions and prevent the history of transactions from being modified.

Blockchain is seen as a way to streamline the trade finance process. Because a distributed ledger can be updated to reflect the most recent transaction, it removes the need for multiple copies of the same document stored on numerous databases among various entities. Instead of constantly reconciling documents and databases against each other, documents stored on the blockchain are already validated and verified.

The advantages of utilizing blockchain could accelerate transactions, increase transparency between the parties, and provide access to capital that would otherwise be unavailable in a slower-paced transaction.

Because of these advantages, DLT is disrupting a centuries old process. Companies have already begun investing in, developing test programs, and, in some cases, are now utilizing blockchain in trade finance and receivables finance. Just last year, a Fintech company established The Fluent Trade Asset Marketplace, which is a blockchain-based open financial network and payment platform. The advantages to this type of blockchain-based network is that it provides global access to banks and capital providers while streamlining and automating the lending process and reducing costs. The allure of blockchain is spreading. Recently, Bank of Montreal (BMO), CaixaBank, Commerzbank and Erste Group have joined an initiative launched by UBS and IBM to launch a new trade finance platform built on blockchain, dubbed “Batavia.” Batavia is constructed on the Hyperledger Fabric Blockchain Framework, which powers the IBM Blockchain networks. Batavia is targeted for pilot transactions with customers on the network in early 2018.

Blockchain is poised to be an innovative and exciting platform for many different types of commercial loan transactions and highlights the growing importance of efficiency and transparency in the financial services industry. As this technology develops, businesses should be apprised of these new platforms and the expansion of global innovations in the financial services sector, as well as the legal and regulatory requirements that flow from the use of these novel and revolutionary technologies.

Client Alert: CFPB’s New Small-Dollar Short-Term Lending Rule

By now you’ve likely heard that the Consumer Financial Protection Bureau (CFPB) has released a final small-dollar lending rule concerning Payday, Vehicle Title, and Certain High-Cost Installment Loans (the “Final Rule”). The hallmark of the Final Rule is the requirement that lenders make a reasonable determination that a borrower has the ability to repay a loan while also meeting basic living expenses, prior to issuing a consumer loan with a repayment term of 45 days or less and longer term consumer loans with a balloon payment. The rule however, is much more complex than that simple proposition. Like the mortgage origination and servicing rules previously issued by the CFPB, the Final Rule also establishes new consumer disclosures, prohibits certain payment withdrawal methods related to collection, sets forth record retention standards, and creates a national reporting system. In no uncertain terms, the Final Rule will dramatically change the paradigm for most small dollar lenders.

For a detailed analysis of the Final Rule, readers can download a PDF copy of Bradley’s whitepaper “A Deeper Dive: The CFPB Small-Dollar Short-Term Lending Rule.”

Would the 7th Circuit Have Changed Its FCA Standard but for Peer Pressure?

Would the 7th Circuit Have Changed Its FCA Standard but for Peer Pressure?The Seventh Circuit finally abandoned its “but-for” causation standard for False Claims Act (FCA) damages. The decision comes 25 years after the Seventh Circuit first adopted its controversial standard requiring only a showing that an injury would not have occurred if not for the conduct. The Seventh Circuit has long been the lone outlier among circuits which have weighed the question, the consensus being that the government is required to demonstrate a “proximate cause” nexus between defendants’ conduct and requested damages—specifically, showing proof that the conduct was a material element and substantial factor in bringing about the injury and that the injury is of the type a reasonable person would see as a likely result of the conduct. Although the Seventh Circuit declined to acknowledge any direct impact by the Supreme Court’s recent FCA ruling in Universal Health Services, Inc. v. United States ex rel. Escobar on the circuit’s decision to overrule its precedent, the decision is nonetheless “cause” for optimism that FCA defendants will now be able to lower the severity of damages assessed for relatively minor misstatements.

In United States v. Luce, the government pursued FCA and Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) causes of action against the owner and president of a now-defunct mortgage company for submitting false certification forms to the Department of Housing and Urban Development (HUD) between 2005 and 2008. To continue to benefit from Fair Housing Act (FHA) protection, mortgagees must certify that their officers are not currently involved in criminal proceedings. Although the owner of the mortgage company was indicted for fraud in April 2005, the company failed to notify HUD until February 2008 and failed to amend its certifications until August 2008, after the owner pleaded guilty to lesser charges. The government sought damages to compensate for losses associated with 237 FHA-covered loans originated during the three-year period, which ultimately went into default. Applying Escobar, the district court found the false certifications material to the government’s decision to allow the company’s participation in the program, and adjudicated the mortgage company owner liable for FCA and FIRREA violations. The Seventh Circuit affirmed the district court’s materiality and liability determinations.

On the issue of FCA damages, the district court found that “but-for” causation was still the law of the land in the Seventh Circuit and declined to hold that Escobar altered the jurisdiction’s precedent. Having long taken the approach that the government’s loss need not be directly attributed to a false statement, the Seventh Circuit uncomfortably grappled with the ghosts of precedent. Although the court emphasized that “nothing in [Escobar] directly addresses the question of FCA causation or the circuit split,” the Seventh Circuit conceded that Escobar “does give us pause.” Rather than acknowledging Escobar as overruling Seventh Circuit precedent, the circuit purported to voluntarily engage in a “careful reevaluation” of the issue based on the common-law meaning of fraud, FCA text, and the decisions of other circuits.  Ultimately, the court determined that its “but-for” precedent simply cannot “live in peace” with the opinions of the Third, Fifth, Tenth, and D.C. Circuits adopting a proximate cause standard. The court accordingly remanded the matter to the district court to weigh the evidence and assess damages anew.

Regardless of why the Seventh Circuit decided to revisit causation, the impact is clear—proximate cause is the reigning standard for FCA causation and defendants may be cautiously optimistic that the risk of “but-for” FCA causation has abated.

CFPB’s Effort to Axe Class Waivers Gets Axed by the Senate

CFPB’s Effort to Axe Class Waivers Gets Axed by the SenateBy the hair of its chinny chin chin, the Senate voted on Tuesday to nullify the CFPB’s previously announced final rule that would have prohibited banks, credit card companies, and other financial service entities from utilizing arbitration agreements to block or limit class action suits by consumers.

The vote took place pursuant to the Congressional Review Act, 5 U.S.C. § 801 et seq., which allows Congress to invalidate regulations promulgated by executive agencies within 60 legislative days of publication by a simple majority vote in both the House and Senate. After a long, heart-felt debate on the Senate floor, all Democrats and two Republicans (Sens. Lindsey Graham of South Carolina and John Kennedy of Louisiana) voted against nullification, but the resulting 50-50 tie was broken by Vice President Mike Pence.

The House had already voted overwhelmingly in favor of nullifying the rule in July. The only remaining piece of the puzzle for complete nullification is the blessing of President Trump. Given the Trump administration’s views on regulation and the president’s continued praise for those opposing this rule, the likelihood of the president disapproving this nullification appears extremely small.

Under the Congressional Review Act, the nullification not only kills this version of the rule, but also prohibits the issuance of “a new rule that is substantially the same … unless the reissued or new rule is specifically authorized by a law enacted after the date of the joint resolution disapproving the original rule.” As such, there is little chance that any type of rule limiting arbitration clauses will be issued in the foreseeable future.

Arbitration clauses with class waivers have been an effective tool for avoiding class litigation thanks to cases such as AT&T v. Concepcion, which held that the Federal Arbitration Act generally preempted state rules that classified arbitration clauses with class waivers in consumer contracts as unconscionable (563 U.S. 333, 340 (2011)). Thanks to the Senate’s vote on Tuesday, companies can continue relying on these types of holdings, utilizing arbitration clauses, and limiting a consumer’s ability to join or initiate a class action lawsuit.

The Senate’s vote also avoids potential constitutional challenges to the CFPB’s rule. As such arbitration agreements are made generally enforceable under the Federal Arbitration Act, the CFPB’s rule prohibiting a certain class of such agreements could be challenged as a revision to the FAA that only Congress could accomplish through the normal legislative process — and therefore could not delegate to the CFPB to decide. In addition, the CFPB’s structure has been challenged as unconstitutional in a case pending before the D.C. Circuit en banc, and the U.S. Chamber of Commerce had just filed suit to enjoin the rule as being inconsistent with the limitations imposed by the Dodd-Frank Act.

While the full extent of political backlash to Congress’ action remains to be seen, several groups and individuals immediately spoke out on each side of this Congressional decision. CFPB Director Richard Cordray stated minutes after the vote, “Wall Street won and ordinary people lost.” Similarly, Sen. Elizabeth Warren (D-Mass.) turned her attention directly toward President Trump, asking him to follow through on his promises of standing up to Wall Street. Conversely, Keith A. Noreika, Acting Comptroller of the Currency, released a statement praising the Senate for the vote, stating that the rule would have increased the cost of credit for hardworking Americans and had a detrimental impact on small community banks. In the coming days, there will undoubtedly be vigorous rhetoric on both sides of this decision, but the fact remains that the rule has likely been stopped in its tracks.

*Republished with permission. This blog post was originally published on Bradley’s Declassified: The Latest from the Class Action Battlefront blog.

After the Waters Recede: The Mortgage Servicer’s Role in Navigating Insurance Claims, Part III

In the first part of the series “The Mortgage Servicer’s Role in Navigating Insurance Claims,” we covered assessing property damage and applying insurance proceeds in compliance with the terms of the standard mortgage agreement. In part two, we discussed protecting the mortgagee’s rights under a homeowner property policy. In this final installment, we discuss maximizing coverage under a homeowner property policy.

Part III: Challenging the Denial

After the Waters Recede: The Mortgage Servicer’s Role in Navigating Insurance Claims, Part III Property damages losses attributable to Hurricane Harvey are expected to exceed $25 billion, but only a small portion of these losses will be covered by flood insurance through the National Flood Insurance Program. The standard homeowner policy excludes flood damage, but there are certain water damage losses that may be covered by a standard homeowner policy. Servicers should carefully evaluate property damage and policy language to maximize recovery under a standard homeowner policy.

Across most of the United States, a standard homeowner property policy will cover damage caused by windstorms, such as a tropical storm, hurricane, or tornado. Storms that create excessive winds can cause roof damage or cause trees and other debris to damage the exterior of property, including torn shingles or broken windows. This exterior damage can allow water to enter the property and cause further damage. Rain entering a home as a result of wind damage is not the same as flood damage, and such wind-related water damage should be covered by a standard homeowner policy.

The question that servicers will encounter in Harvey and other storm-related claims is what happens when property is damaged by both rain and flooding. Specifically, what water damage was caused by flood and what water damage was caused by wind-related rain? Insurance coverage in light of these competing causes is complicated by the anti-concurrent causation clause in most homeowner policies. Under this clause, a loss that is caused by a combination of covered causes and excluded causes will not be covered. In many jurisdictions, these clauses are enforceable. In other jurisdictions, however, such clauses are unenforceable by statute or in violation of public policy. Even in those jurisdictions that permit such clauses, if specific damage can be separated by causation, coverage may be available under a standard homeowner policy.

As noted in the second part of this series, a standard mortgage clause creates a separate insurance policy between the insurer and the mortgagee. In addition to the protections provided to the mortgagee previously discussed, the mortgagee provision should give servicers standing to make a property claim under the homeowner policy or to challenge the denial of such a claim. Servicers of loans secured by property that has sustained damage should take the following steps to maximize coverage or challenge the denial of a claim under a property policy:

  1. Describe the property damage carefully: When submitting an insurance claim or challenging a denial, describe property damage as “water damage” rather than damage cause by “flooding.”
  2. Identify evidence that could support a wind damage claim: Such evidence could include blown off shingles, downed trees, shattered windows, or breached doorways.
  3. Contact coverage counsel: Coverage counsel can help evaluate whether to file a claim or challenge the denial of a property claim based on the facts of the damage, the policy language, and the law of the jurisdiction.

Webinar – After the Waters Recede: The Mortgage Servicer’s Role in Navigating Insurance Claims

Register

October 25, 2017
11:30 AM – 12:30 PM CST

Following the recent hurricanes that have damaged many homes beyond repair, borrowers may seek to apply any available insurance proceeds to satisfy the outstanding balance on their loans rather than repair the property. In this webinar, we will discuss precautions servicers should take to ensure they comply with the terms of mortgage agreements and applicable law to protect against potential liability.

In the Wake of Equifax: What Auto Dealers Need to Know About Data Privacy

In the Wake of Equifax: What Auto Dealers Need to Know About Data PrivacyFollowing the recent Equifax data breach wherein millions of consumers’ private information may have been compromised, it is increasingly clear that consumer-interfacing businesses need to, and in some cases are required to, take steps to protect their consumers’ private information. Although not traditionally considered “financial institutions,” auto dealers that engage in financial activities—those that extend credit to someone to purchase a car, arrange financing or leasing, or give financial advice—must comply with the consumer privacy requirements of the Gramm-Leach-Bliley Act (GLBA) and related rules under the Federal Trade Commission (FTC), as well as certain state data privacy laws. Enacted in 1999 and enforced by the FTC, the GLBA requires financial institutions to explain their information-sharing practices to their customers and to safeguard private personal data. Specifically, the FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule), requires auto dealers that qualify as financial institutions to notify consumers and customers about the information they collect, who they share it with, and how they protect it.

When does the Privacy Rule apply and what information is covered under it?

The Privacy Rule only applies when a dealer collects private personal information in relation to the financing or leasing of a vehicle, if it intends to disclose that personal information to nonaffiliated third parties (ex. third-party lenders). The rule does not require that the person have filled out a formal application, and does not apply if that person pays with cash or uses their own lender. Thus, the most likely situation in which an auto dealer will need to give a privacy notice to a “consumer” is if it runs that person’s credit, submits their private information to third-party lenders, or assigns a retail installment contract to a third-party. A consumer, who is not yet a customer, can be given a “short form” notice that must explain that a full notice is available upon request, how to get it, and how to opt-out. A consumer will become a customer once they enter into a contract with the dealer to purchase or lease a vehicle, and will be entitled to a full privacy notice among other requirements. The full privacy notice must be a “clear and conspicuous” written notice describing the dealer’s privacy policies and practices, including how the dealer collects, discloses, and protects consumers’ private personal information.

The specific information that the Privacy Rule protects is a consumer’s “nonpublic personal information” (NPI), which includes any “personally identifiable financial information” that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available.” Typical examples of NPI include, but are not limited to, name, address, Social Security number, and income. Information that is legally “publicly available” is not considered to be NPI, such as a telephone number in a public phonebook.

Should auto dealers be concerned?

Although the Privacy Rule has been around for almost two decades, the FTC has for the most part focused its regulatory oversight on other financial service providers. However, in 2012 the FTC brought its first action alleging violations of the GLBA against a Georgia auto dealer, providing guidance on what the FTC considers best practices under the Privacy Rule. In that action, the FTC alleged that the dealer “had failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information for 95,000 consumers was made available on a [peer-to-peer] network. The information included names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers.” The FTC also alleged that the dealership “failed to prevent, detect and investigate unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information.” It also failed to provide annual privacy notices to its customers and a mechanism by which customers could opt out of information sharing in violation of the Privacy Rule. Ultimately, the dealership settled with the FTC and was required to “establish and maintain a comprehensive information security program, and undergo data security audits by independent auditors every other year for 20 years.”

As this case illustrates, and with the proliferation of online consumer data and increasingly public large scale breaches, the auto industry is a ripe area for regulators to turn their attention towards next. This is particularly true as regulators begin to focus on what companies can do to prevent or safeguard consumer information in the event of a data breach, such as what occurred at Equifax.

Note: This article does not discuss an auto dealer’s obligations under the FTC’s Safeguards Rule, the Fair Credit Reporting Act, or other federal and state laws.

Foreign No More: Transferring Data on Demand U.S. Companies and GDPR Data Portability

Foreign No More: Transferring Data on Demand U.S. Companies and GDPR Data PortabilityMuch has been written about the consternation and concern of businesses around the world regarding the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. The GDPR applies to companies operating within the EU that control or process data. Notably, it also applies to companies outside the EU that offer goods or services to EU residents.

Despite all the press surrounding the GDPR, new light is beginning to shine on the innovative aspects of the regulation, notably on Article 20, which creates a new right to data portability. Data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Under Article 20, a data subject may request a copy of all his or her electronically stored personal data and/or have the right to transmit that data to another data controller without hindrance. The days of data silo and vendor lock-in could be numbered as the GDPR allows for movement of personal data in a structured, commonly used, and machine-readable format.

Currently, a consumer must submit new and complete information packets to each data controller with whom the consumer seeks to transact business. As a result, many consumers spend unnecessary time and resources re-entering personal data they have previously provided to other controllers. In this walled-off environment, consumers may be less likely to transact business with new controllers, artificially suppressing consumer choice in the process. Innovation and growth similarly suffer because smaller and/or newer data controllers may find it difficult to compete with established competitors. The GDPR has the potential to level this playing field because consumers could avoid the hassle of re-entering all their data or losing any data if they switch to a new controller.

This new right to data portability is not without complications. Even though the GDPR may allow for and foster the growth of data portability in the aggregate, it may not streamline every case because of system incompatibility within and among businesses. Further complicating the picture is the variance between established systems and newer software. The sooner industry players develop the means to respond to data portability requests and transfer information in a commonly used and machine-readable format, the quicker the benefits will accrue to consumers and businesses alike.

In particular, U.S. companies, which may be lagging behind European companies in preparation for the GDPR’s implementation in approximately six months, should conduct a legal analysis to determine if they are subject to the GDPR’s requirements, research suitable technology, and implement appropriate measures to ensure compliance.

LexBlog