Top Story Technology Related

The NCUA has reported that the president has designated NCUA Vice Chairman Kyle S. Hauptman as the thirteenth Chairman of the NCUA Board.

Mr. Hauptman listed his priorities as chairman in the NCUA's press release. Among them were—

• "Codifying our procedures to protect Americans from regulation-by-enforcement. For example, no enforcement action should ever set — even clarify — policy. In America and other free societies, the sequence is: set speed limits, then give speeding tickets (no one has any obligation to be aware of someone else’s ticket)."
• Re-assessing NCUA policies that may, even inadvertently, dissuade credit unions from serving low-income areas. This includes language around overdraft policies, particularly for credit unions located in states with especially punitive government late fees/penalties.
• Right-sizing credit unions’ obligations where possible under the Bank Secrecy Act, including NCUA’s regulations surrounding Suspicious Activity Reports.”

Last week, the CFPB released a Compendium of Recent CFPB Guidance, including CFPB Circulars, Bulletins, Advisory Opinions, and Interpretive Rules issued from November 2021 through December 2024. The Compendium comprises 42 documents issued by the Bureau during that period for a total of 363 pages in a PDF format.

The CFPB has posted a Bureau Blog entry, "Holding Government Contractors Accountable for Wrongdoing," to announce that Argus Information and Advisory Services, a subsidiary of TransUnion, has agreed in writing that it will not seek any government contract with the Consumer Financial Protection Bureau for three years.

In March 2024, the Department of Justice took action against Argus to resolve claims that the company violated the False Claims Act and the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA), in connection with its access to and use of credit card data obtained pursuant to contracts with various federal regulators. The Department of Justice alleged that Argus ingested information in violation of its federal government contracts and improperly monetized it in its commercial business. Argus paid $37 million to resolve these allegations.

The CFPB was one of many federal financial regulators with a contractual arrangement with Argus. The CFPB notified the TransUnion affiliate that it was considering additional actions, and Argus has now committed to the CFPB that it will not seek any contracts for three years.

The CFPB has issued released Issue 38 (Winter 2025) of its Supervisory Highlights series, an "Advanced Technologies Special Edition" that focuses on select examinations of institutions that use credit scoring models, including models built with advanced technology commonly marketed as AI/ML technology, when making credit decisions.

The FDI has issued a public service announcement alert [I-011625-PSA] to warn the public that scammers exploit mass casualty events and disasters, such as the New Year's Day terrorist attack in New Orleans and the ongoing wildfires in Los Angeles, to commit fraud by soliciting fake charitable donations to support victims or their families.

Scammers take advantage of catastrophic incidents — such as mass casualty events, terrorist attacks, war, natural disasters, or pandemics — to pose as charitable entities providing humanitarian aid or developing fundraising efforts, including monetary and cryptocurrency donations. Charitable fraud schemes associated with natural disasters are a common occurrence online as well as through in-person collection drives.

The Federal Trade Commission has announced it has finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.

The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized.

The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services to obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13. It also provides other important rights for parents, including the right to require operators to delete personal information collected from their children, and imposes independent obligations on covered operators, for example with respect to data minimization and data retention.

The FTC's final rule makes several changes to the COPPA rule, including:

• Requiring opt-in consent for targeted advertising and other disclosures to third parties
• Limits on data retention
• Increasing Safe Harbor programs' transparency
• Amendments to several definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers

The final rule will become effective 60 days of its publication in the Federal Register. Compliance will be mandatory one year after publication.

The CFPB on Thursday announced it has ordered Block, Inc., the operator of the peer-to-peer payments app Cash App, to refund and pay other redress to consumers up to $120 million and pay a penalty of $55 million into the CFPB’s victims relief fund. The Bureau found that Block employed weak security protocols for Cash App and put its users at risk. While Block is required by law to investigate and resolve disputes about unauthorized transactions, the company’s investigations were woefully incomplete. Block directed users — who had suffered financial losses as a result of fraud — to ask their bank to attempt to reverse transactions, which Block would subsequently deny. Block also deployed a range of tactics to suppress Cash App users from seeking help, reducing its own costs.

Specifically, the CFPB found that Block:

• Failed to provide effective customer service for Cash App, including by failing to provide live telephone agents, which prevented consumers from being able to have their financial issues addressed in a proper and timely fashion and resulted in fake customer service lines through which consumers’ information would be stolen, in a manner that was unfair in violation of the Consumer Financial Protection Act of 2010 (CFPA).
• Failed to take timely, appropriate, and effective measures to prevent, detect, limit, and address fraud on the Cash App platform in a manner that was unfair in violation of the CFPA.
• Used the card network chargeback process as a substitute for fulfilling its obligations under the Electronic Fund Transfer Act (EFTA) and Regulation E to investigate and resolve disputes about unauthorized transactions in a timely manner in violation of the CFPA’s prohibition on unfair practices.
• Engaged in deception by misrepresenting that it protected consumers from unauthorized transfers and had a telephone line to report such unauthorized transfers.
• Failed to comply in multiple ways with the requirements of EFTA and Regulation E, including regarding error resolution.

The Federal Trade Commission has reported it will require web hosting company GoDaddy Inc and GoDaddy.com, LLC to implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers’ websites.

The FTC alleges in its complaint that, since 2018, GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services. GoDaddy’s unreasonable security practices include failing to: inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments, according to the complaint. The Commission says that GoDaddy’s data-security failures resulted in several major security breaches between 2019 and 2022 in which bad actors gained unauthorized access to customers’ websites and data.

In its proposed settlement order, the FTC will:

The Pennsylvania Department of Banking and Securities (DOBS) yesterday announced that it has joined 47 other state financial regulatory agencies in coordinated action against Block, Inc., owner of the CashApp mobile payment service, for violations of the Bank Secrecy Act (BSA) and anti-money laundering (AML) laws which are designed to protect the financial system from illicit activity. The enforcement action includes a multistate settlement in which Block has agreed to pay an $80 million penalty, with approximately $1.6 million allocated to each of the 48 participating state regulators. State regulators found that Block failed to meet certain requirements, which created the potential for its services to be exploited for money laundering, terrorism financing, and other illegal activities.

As part of the settlement, Block will hire an independent consultant to assess the effectiveness of its BSA/AML program and provide a report to the states within nine months. Block will then have 12 months to correct any deficiencies identified in the review. The enforcement effort, led by state regulators in Arkansas, California, Massachusetts, Florida, Maine, Texas, and Washington, was coordinated with Block’s cooperation throughout the process.

The Consumer Financial Protection Bureau on Friday announced it is seeking public input on strengthening privacy protections and preventing harmful surveillance in digital payments, particularly those offered through large technology platforms. The agency is requesting comment on implementing existing financial privacy law and how to address intrusive data collection and personalized pricing. Comments will be accepted through April 11, 2025.

Additionally, the CFPB requested comments by March 31, 2025, on a proposed interpretive rule outlining how the Electronic Fund Transfer Act, which provides consumers with protections against errors and fraud, applies to new types of digital payment mechanisms, such as those currently offered through large technology companies and video gaming platforms, as well as stablecoins and other digital currencies that are not widely used today in consumer transactions. The Bureau also posted a Blog article requesting emailed comments by March 31, 2025, from electronic gamers and the general public on their experiences with video game currencies.

PUBLICATION UPDATES:

• The proposed Regulation E interpretive rule was published at 90 FR 3723 in the 1/15/2025 Federal Register.
• The request for information regarding collection, use, and monetization of consumer payment and other personal financial data was published at 90 FR 3804 on 1/15/2025.