Top Story Technology Related

The CFPB yesterday announced action against Apple, Inc. ("Apple") and Goldman Sachs Bank USA ("Goldman Sachs") for customer service breakdowns and misrepresentations that impacted hundreds of thousands of Apple Card users. The CFPB found that:

• Apple failed to send tens of thousands of consumer disputes of Apple Card transactions to Goldman Sachs, and when Apple did send disputes to Goldman Sachs, the bank did not follow numerous federal requirements for investigating the disputes
• Apple and Goldman launched Apple Card despite third-party warnings to Goldman that the Apple Card disputes system was not ready due to technological issues
• These failures meant that consumers faced long waits to get money back for disputed charges, and some had incorrect negative information added to their credit reports

The CFPB is ordering Goldman Sachs to pay at least $19.8 million in redress and a $45 million civil money penalty, and Apple to pay a $25 million civil money penalty. The CFPB is also banning Goldman Sachs from launching a new credit card unless it can provide a credible plan that the product will actually comply with the law.

The CFPB also found that Apple and Goldman Sachs misled consumers about interest-free payment plans for Apple devices. Many customers thought they would automatically get interest-free monthly payments when buying Apple devices with their Apple Card. Instead, they were charged interest. In some cases, Apple did not even show the interest-free payment option on its website on certain browsers. Goldman Sachs also misled consumers about the application of some refunds, which led to consumers paying additional interest charges.

Goldman Sachs Group, Inc. (NYSE: GS), is one of the largest financial institutions in the world. It operates Goldman Sachs Bank USA, headquartered in New York City. Goldman Sachs primarily focuses on investment banking and investment management, not consumer finance. Apple Card was Goldman Sachs’s first significant experiment in credit card lending.

• Consent order against Goldman Sachs Bank USA
• Consent order against Apple, Inc.

The Securities and Exchange Commission has announced charges against four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC also charged Unisys with disclosure controls and procedures violations. The companies agreed to pay the following civil penalties to settle the SEC’s charges:

• Unisys — $4 million
• Avaya — $1 million
• Check Point — $995,000
• Mimecast — $990,000

The charges against the four companies result from an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity. According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.

• The financial stability implications of tokenization
• The status report on the G20 Crypto-Asset Policy Implementation Roadmap
• A consultation on a common Format for Incident Reporting Exchange (FIRE)
• G20 Roadmap for Enhancing Cross-border Payments: Consolidated progress report for 2024

This morning, the CFPB announced it has finalized a rule designed to give consumers greater rights, privacy, and security over their personal financial data. The rule will require financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free.

The Bureau said that consumers will be able to more easily switch to providers with superior rates and services, and, by fueling competition and consumer choice, the rule will help lower prices on loans and improve customer service across payments, credit, and banking markets. The rule also establishes strong privacy protections, requiring that personal financial data can only be used for the purposes requested by the consumer. It ensures that third parties cannot use consumer data for other purposes that benefit the third party, but that consumers do not want. It also helps move the industry away from “screen scraping,” a still common but risky practice that typically involves consumers providing their account passwords to third parties who use them to access data indiscriminately through online banking portals.

Compliance with the rule, which amends 12 CFR Part 1033, will be implemented in phases, with larger providers subject to the rule sooner than smaller ones. Financial firms will be required to comply based on their size; the largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030. Certain small banks and credit unions are not subject to this rule.

• Executive Summary of Rule
• Published 11/18/2024 at 89 FR 90838, with an effective date of 1/17/2024.
• Compliance dates: Data providers must comply with the requirements in 12 CFR part 1033, subparts B and C beginning April 1, 2026; April 1, 2027; April 1, 2028; April 1, 2029; or April 1, 2030, based on the criteria set forth in § 1033.121(c).

The OCC has reported it has finalized revisions to its recovery planning guidelines for certain large insured national banks, federal savings associations, and federal branches (banks).

The revisions to the recovery planning guidelines are part of the OCC’s effort to ensure that large banks are adequately prepared for and have developed plans to respond to the financial effects of severe stress, particularly in light of the contagion effects and systemic risks they may pose.

The revisions:

• Expand the recovery planning guidelines to apply to banks with at least $100 billion in assets
• Incorporate a testing standard for recovery plans
• Clarify the role of non-financial risk (including operational and strategic risk) in recovery planning
• Provide covered banks with time frames in which to comply with the recovery planning guidelines, including development of a testing framework and conducting testing

The revisions, published in today's Federal Register at 89 FR 84255, are effective on January 1, 2025, with staggered compliance dates. They will apply to insured national banks, insured Federal savings associations, and insured Federal branches of foreign banks with average total consolidated assets of $100 billion or more.

The Financial Stability Board has published reports detailing work to enhance cross-border payments.

• a consolidated progress report for 2024 reporting on a broad range of actions being progressed as part of the G20 Roadmap for Enhancing Cross-Border Payments
• a progress report on the implementation of the Legal Entity Identifier (LEI)
• an annual progress report on meeting the improved user experience targets for cross-border payments

• Press release

The FDIC has announced it is extending the compliance date for amendments to part 328 subpart A of its regulations to modernize the rules governing use of the official FDIC sign and insured depository institutions’ advertising statements from January 1, 2025, to May 1, 2025. This extension will provide additional opportunity for IDIs to establish processes and systems, and make technological updates, necessary to implement the new regulatory requirements under subpart A. The compliance date for amendments to part 328, subpart B, relating to misrepresentations of deposit insurance, remains January 1, 2025.

The Federal Trade Commission is today announcing a final "click-to-cancel" rule that will require sellers to make it as easy for consumers to cancel their enrollment as it was to sign up. Most of the final rule’s provisions will go into effect 180 days after it is published in the Federal Register.

The Commission’s updated rule will apply to almost all negative option programs in any media. The rule also will prohibit sellers from misrepresenting any material facts while using negative option marketing; require sellers to provide important information before obtaining consumers’ billing information and charging them; and require sellers to get consumers’ informed consent to the negative option features before charging them.

PUBLICATION AND EFFECTIVE DATE:
Published 11/15/2024 at 89 FR 90476, effective 1/14/2025. Regulated entities have until 5/14/2025, to comply with §§ 425.4 through 425.6.

The OCC has announced it is soliciting academic research papers on the use of artificial intelligence in banking and finance for submission by December 15, 2024.

The OCC will invite authors of selected papers to present to OCC staff and invited academic and government researchers at OCC Headquarters in Washington, D.C., on June 6, 2025. Authors of selected papers will be notified by April 1, 2025, and will have the option of presenting their papers virtually.

The Federal Reserve Board has released two enforcement actions.