On August 19, the FTC approved final orders resolving allegations that two companies: (i) misrepresented the level of security of their mobile applications; and (ii) failed to secure the transmission of millions of consumers’ sensitive personal information. The FTC alleged that one company’s application assured consumers that their credit card information was stored and transmitted securely even though the company disabled a higher level of security validation, which allowed such credit card information to be intercepted. In addition, the company allegedly failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties. The FTC alleged that the second company also disabled enhanced security validation despite claiming that it followed industry-leading security precautions, which also left consumers’ information vulnerable to interception. The final settlement orders require both companies to establish comprehensive programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit the companies from misrepresenting the level of privacy or security of their products and services.
On August 21, the CFPB announced the companies that have been selected to participate in its residential mortgage eClosing pilot program. The program is intended to explore how the increased use of technology during the mortgage closing process may affect consumer understanding and engagement and save time and money for consumers, lenders, and other market participants. Specifically, the program seeks to aid the CFPB in better understanding the role that eClosings can play in addressing consumers’ “pain points” in the closing process, as identified by the CFPB in an April 2014 report. The three-month pilot program will begin later this year, and the participants include both technology vendors that provide eClosing solutions and creditors that have contracted to close loans using those solutions.
This week, the New York DFS announced the extension of the comment period on its proposal to create a regulatory licensing framework for virtual currency companies, including a so-called BitLicense. Given the “significant amount of public interest in and commentary on” the proposal, the DFS doubled the length of the comment period from 45 to 90 days. Comments are now due by October 21, 2014. Further information about the proposal and related issues is available here.
On August 12, the U.S. District Court for the Northern District of California dismissed for failure to state a claim a putative class action alleging that a digital wallet provider made unauthorized disclosures of user information to third-party mobile app developers. Svenson v. Google Inc., No. 13-cv-04080, 2014 WL 3962820 (N.D. Cal. Aug. 12, 2014). The named plaintiff claimed that when the digital wallet provider processed payments for apps purchased through an affiliated online store, it also provided certain customer/personally identifiable information to third-party app developers, including email address, account name, home city and state, zip code, and in some instances, telephone number. The plaintiff asserted theories of breach of contract and breach of the implied covenant of good faith and fair dealing, as well as violations of the Stored Communications Act and California’s Unfair Competition Law. The court held that the plaintiff’s breach of contract claim failed, reasoning in part that: (i) the plaintiff was not deprived of the “benefit of the bargain” given that the allegations involved free services and a $1.77 app; and (ii) there was no support for the theory that the economic value of the plaintiff’s information was diminished (because the plaintiff failed to allege that there was a market for the information). Similarly, the court held that the plaintiff’s Unfair Competition Law claims did not allege an economic injury, and that the breach of implied covenant claims were duplicative of the breach of contract claims. The court also dismissed the plaintiff’s Stored Communications Act claims.
On August 11, the Consumer Financial Protection Bureau (the CFPB or Bureau) issued a “consumer advisory” concerning virtual currency and also announced that it would begin accepting consumer complaints about virtual currency or virtual currency companies. These actions are the consumer agency’s first foray into virtual currencies, and they follow a recent GAO report that recommended the CFPB play a larger role in the development of federal virtual currency policy. Read more…
On July 17, the New York Department of Financial Services (NYDFS) proposed a rule intended to govern the virtual currency marketplace. The proposed rule is extremely broad and as currently drafted would appear to capture products provided by traditional brick and mortar banks and other regulated financial institutions. For example, as proposed, the rule could regulate:
- Reward programs, “thank you” offers, or digital coupons that offer cash back or statement credits;
- Generated numbers that access cash;
- Prepaid access and other cards that will allow customers to receive cash, including those customarily exempt such as government funded transfers;
- P2P transfers; and
- Wallet providers where the customer can access cash.
If left unaddressed, these apparent unintended consequences could create a confusing regulatory environment for certain bank and card products. It is also noteworthy that the rule does not provide any customary exclusions for chartered entities, raising substantial preemption questions. Read more…
BuckleySandler Webinar Recap: Top 10 Things You Need to Know About the New York BitLicense Proposed Rule
On August 6, BuckleySandler hosted a webinar, Top 10 Things You Need to Know about the New York BitLicense Proposed Rule. Michael Zeldin, Special Counsel at BuckleySandler, moderated the panel, which featured presentations by Partner Margo H. K. Tank and Counsel Amy Davine Kim of BuckleySandler’s Digital Commerce and Payments Group.
Overall, our presenters agreed that the regulatory framework proposed by the New York Department of Financial Services (DFS) would establish a different and more difficult standard for the virtual currency industry than for the traditional money transmitter industry. The rigorous data security, consumer protection, and anti-money laundering provisions may unintentionally operate as a high barrier to entry into the virtual currency industry while favoring established companies with experience and resources to handle these issues. Our presenters also offered specific areas of improvement and clarification for organizations to take into account when drafting comments on the proposal.
The following provides a more detailed summary of the discussion: Read more…
On August 1, the FTC released a staff report on the agency’s review of shopping apps—those used for comparison shopping, to collect and redeem deals and discounts, and to complete in-store purchases. The FTC staff examined information available to consumers before they download the software onto their mobile devices—specifically, information describing how apps that enable consumers to make purchases dealt with fraudulent or unauthorized transactions, billing errors, or other payment-related disputes. The staff also assessed information on how the apps handled consumer data. The FTC staff determined that the apps studied “often failed to provide pre-download information on issues that are important to consumers.” For example, according to the report, few of the in-store purchase apps provided any information prior to download explaining consumers’ liability or describing the app’s process for handling payment-related disputes. In addition, according to the FTC, most linked privacy policies “used vague language that reserved broad rights to collect, use, and share consumer data, making it difficult for readers to understand how the apps actually used consumer data or to compare the apps’ data practices.” The FTC staff recommends that companies that provide mobile shopping apps to consumers: (i) disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions; (ii) clearly describe how they collect, use, and share consumer data; and (iii) ensure that their strong data security promises translate into strong data security practices. The report also includes recommended practices for consumers.
On August 1, the U.S. Senate passed by unanimous consent H.R. 4386, which will permit FinCEN, in fulfilling its responsibility to supervise registered money services businesses (MSBs), to rely on state agency examinations of MSBs. The bill also covers other non-bank financial institutions such as gaming establishments and jewel merchants. The bill passed the House by voice vote in May. The President, who sought this authority for FinCEN in budget requests, is expected to sign the bill.
On August 6, in remarks at a financial technology conference, the UK’s Chancellor of the Exchequer, George Osborne, outlined the UK government’s plans for the UK to become a world leader in financial innovation and financial technology. Mr. Osborne noted the UK’s science and technology resources and its history of leading the way in financial innovation. He called for new means of banking and payments for consumers and businesses that go beyond just viewing statements online and that “bypass traditional banks altogether, and lend money directly – through peer-to-peer platforms.” Mr. Osborne believes that “with the right backing from government,” London can become “the Fin Tech capital of the world.” To that end, he detailed the government’s plans to support financial innovation, including by: (i) establishing an appropriate tax regime for the industry; (ii) committing funds for government investment programs; (iii) establishing a favorable regulatory regime; (iv) creating a new partnership between Innovate Finance and the British Business Bank to champion financial innovation and technology; and (v) launching a “major program of work exploring the potential of virtual currencies and digital money.” For example, as part of the regulatory changes, Mr. Osborne described several pieces of legislation, including those that will: (i) require the large UK banks to “pass on information on small businesses they reject for loans, so that FinTech Companies and alternative lenders can step in and offer finance instead”; and (ii) allow consumers to use their smart phones to pay in checks.
The New York Department of Financial Services riveted the attention of the virtual currency world (and just about everyone else involved with digital financial services), with its July 17 proposal to issue licenses for Virtual Currency Business Activities. The so-called BitLicense proposal features broad coverage; open ended capital and bonding requirements; personal investigation of founders, investors and even employees; and prior regulatory approval of new products and activities.
These and other aspects of BitLicensing beg the question: will licensing protect the public and investors? Or just drive Bitcoin participants out? (If they leave, they may find roadblocks elsewhere; days before New York’s announcement, France’s Ministry for the Economy and Finance, for example, proposed regulating Bitcoin.) Opportunistic locales for virtual currency operators are already being identified, such as the Isle of Man, a self-governing British Crown Dependency, whose Financial Supervision Commission says it is “not the appropriate time” to introduce a regulatory regime, while warning there is no consumer protection in the digital currency market. Think about this: Tiny Delaware is a corporate legal haven, Switzerland created an international bank haven, and a virtual currency haven may be next. Regulatory exercises like New York’s could advance that option. Read more…
On July 18, FinCEN published SAR Stats—formerly called By the Numbers—an annual compilation of numerical data gathered from the Suspicious Activity Reports (SARs) filed by financial institutions using FinCEN’s new unified SAR form and e-filing process. Among other things, the new form and process were designed to allow FinCEN to collect more detailed information on types of suspicious activity. As such, FinCEN describes the data presented in this first SAR Stats issue as “a new baseline for financial sector reporting on suspicious activity.” The primary purpose of the report is to provide a statistical overview of suspicious activity developments, including by presenting SAR data arranged by filing industry type for the more than 1.3 million unique SARs filed between March 1, 2012 and December 31, 2013. In addition, the redesigned annual publication includes a new SAR Narrative Spotlight, which focuses on “perceived key emerging activity trends derived from analysis of SAR narratives.” The inaugural Spotlight examines the emerging trend of Bitcoin related activities within SAR narrative data. It states that FinCEN is observing a rise in the number of SARs flagging virtual currencies as a component of suspicious activity, and provides for potential SAR filers an explanation of virtual currencies and the importance of SAR data in assessing virtual currency transactions.
On July 17, the New York DFS announced a proposal to establish a licensing regime for virtual currency businesses, the first by any state. In January, the DFS held a two-day hearing on developing a regulatory framework for virtual currency firms, and subsequently sought applications for virtual currency exchanges pending completion of the regulations. The proposed regulations define virtual currency as “any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.” This would include digital units of exchange that: (i) have a centralized repository or administrator; (ii) are decentralized and have no centralized repository or administrator; or (iii) may be created or obtained by computing or manufacturing effort. It would exclude digital units that are used solely within online gaming platforms or that are used exclusively as part of a customer affinity or rewards program.
Under the proposal, the state would require companies engaged in the following activities to obtain a so-called BitLicense: (i) receiving or transmitting virtual currency on behalf of consumers; (ii) securing, storing, or maintaining custody or control of such virtual currency on the behalf of customers; (iii) performing retail conversion services; (iv) buying and selling virtual currency as a customer business (as distinct from personal use); or (v) controlling, administering, or issuing a virtual currency. To obtain a license, a business would be required to, among other things: (i) hold virtual currency of the same type and amount as any virtual currency owed or obligated to a third party; (ii) provide transaction receipts with certain required information; (iii) comply with AML rules; (iv) maintain a cyber security program; and (v) establish business continuity and disaster recovery policies. Licensed entities would be subject to DFS supervision, with examinations taking place no less than once every two calendar years. The proposal will be published in the New York State Register’s July 23, 2014 edition, which begins a 45-day public comment period.
On June 28, California Governor Jerry Brown signed AB 129, which repeals a state ban on the issuance or circulation of anything but lawful money of the United States. As described in a legislative staff analysis of the bill, the repeal is designed to ensure that forms of alternative currency such as digital currency, points, coupons, or other objects of monetary value do not violate the law when those methods are used for the purchase of goods and services or the transmission of payments in California.