Top Story Technology Related

The Federal Trade Commission has announced it has finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.

The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized.

The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services to obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13. It also provides other important rights for parents, including the right to require operators to delete personal information collected from their children, and imposes independent obligations on covered operators, for example with respect to data minimization and data retention.

The FTC's final rule makes several changes to the COPPA rule, including:

• Requiring opt-in consent for targeted advertising and other disclosures to third parties
• Limits on data retention
• Increasing Safe Harbor programs' transparency
• Amendments to several definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers

The final rule will become effective 60 days of its publication in the Federal Register. Compliance will be mandatory one year after publication.

The CFPB on Thursday announced it has ordered Block, Inc., the operator of the peer-to-peer payments app Cash App, to refund and pay other redress to consumers up to $120 million and pay a penalty of $55 million into the CFPB’s victims relief fund. The Bureau found that Block employed weak security protocols for Cash App and put its users at risk. While Block is required by law to investigate and resolve disputes about unauthorized transactions, the company’s investigations were woefully incomplete. Block directed users — who had suffered financial losses as a result of fraud — to ask their bank to attempt to reverse transactions, which Block would subsequently deny. Block also deployed a range of tactics to suppress Cash App users from seeking help, reducing its own costs.

Specifically, the CFPB found that Block:

• Failed to provide effective customer service for Cash App, including by failing to provide live telephone agents, which prevented consumers from being able to have their financial issues addressed in a proper and timely fashion and resulted in fake customer service lines through which consumers’ information would be stolen, in a manner that was unfair in violation of the Consumer Financial Protection Act of 2010 (CFPA).
• Failed to take timely, appropriate, and effective measures to prevent, detect, limit, and address fraud on the Cash App platform in a manner that was unfair in violation of the CFPA.
• Used the card network chargeback process as a substitute for fulfilling its obligations under the Electronic Fund Transfer Act (EFTA) and Regulation E to investigate and resolve disputes about unauthorized transactions in a timely manner in violation of the CFPA’s prohibition on unfair practices.
• Engaged in deception by misrepresenting that it protected consumers from unauthorized transfers and had a telephone line to report such unauthorized transfers.
• Failed to comply in multiple ways with the requirements of EFTA and Regulation E, including regarding error resolution.

The Federal Trade Commission has reported it will require web hosting company GoDaddy Inc and GoDaddy.com, LLC to implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers’ websites.

The FTC alleges in its complaint that, since 2018, GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services. GoDaddy’s unreasonable security practices include failing to: inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments, according to the complaint. The Commission says that GoDaddy’s data-security failures resulted in several major security breaches between 2019 and 2022 in which bad actors gained unauthorized access to customers’ websites and data.

In its proposed settlement order, the FTC will:

The Pennsylvania Department of Banking and Securities (DOBS) yesterday announced that it has joined 47 other state financial regulatory agencies in coordinated action against Block, Inc., owner of the CashApp mobile payment service, for violations of the Bank Secrecy Act (BSA) and anti-money laundering (AML) laws which are designed to protect the financial system from illicit activity. The enforcement action includes a multistate settlement in which Block has agreed to pay an $80 million penalty, with approximately $1.6 million allocated to each of the 48 participating state regulators. State regulators found that Block failed to meet certain requirements, which created the potential for its services to be exploited for money laundering, terrorism financing, and other illegal activities.

As part of the settlement, Block will hire an independent consultant to assess the effectiveness of its BSA/AML program and provide a report to the states within nine months. Block will then have 12 months to correct any deficiencies identified in the review. The enforcement effort, led by state regulators in Arkansas, California, Massachusetts, Florida, Maine, Texas, and Washington, was coordinated with Block’s cooperation throughout the process.

The Consumer Financial Protection Bureau on Friday announced it is seeking public input on strengthening privacy protections and preventing harmful surveillance in digital payments, particularly those offered through large technology platforms. The agency is requesting comment on implementing existing financial privacy law and how to address intrusive data collection and personalized pricing. Comments will be accepted through April 11, 2025.

Additionally, the CFPB requested comments by March 31, 2025, on a proposed interpretive rule outlining how the Electronic Fund Transfer Act, which provides consumers with protections against errors and fraud, applies to new types of digital payment mechanisms, such as those currently offered through large technology companies and video gaming platforms, as well as stablecoins and other digital currencies that are not widely used today in consumer transactions. The Bureau also posted a Blog article requesting emailed comments by March 31, 2025, from electronic gamers and the general public on their experiences with video game currencies.

PUBLICATION UPDATES:

• The proposed Regulation E interpretive rule was published at 90 FR 3723 in the 1/15/2025 Federal Register.
• The request for information regarding collection, use, and monetization of consumer payment and other personal financial data was published at 90 FR 3804 on 1/15/2025.

The CFPB has announced its recognition of Financial Data Exchange, Inc. (FDX) as a standard-setting body under the CFPB’s Personal Financial Data Rights rule. The order of recognition is the first to be issued under the rule. The Personal Financial Data Rights rule, which was released in October 2024, requires financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free. The CFPB established a formal application process outlining the qualifications to become a recognized industry standard setting body, which can issue standards that companies can use to help them comply with the CFPB’s rule.

The CFPB's order of recognition, valid for five years, includes conditions, such as:

• A ban on "pay-to-play" and other conflicts of interest
• Mandatory reporting on market adoption
• Transparency and availability of standards

The CFPB also issued updated procedures for how companies can request special regulatory treatment, such as a no-action letter. The procedures seek to increase transparency and reduce favoritism for individual companies.

• Updated Policy Statement on No-Action Letters
• Updated Policy Statement on Compliance Assistance Sandbox Approvals

The Federal Trade Commission has reported it will require software provider accessiBe to pay $1 million to settle allegations that it misrepresented the ability of its AI-powered web accessibility tool to make any website compliant with the Web Content Accessibility Guidelines (WCAG) for people with disabilities.

New York-based accessiBe Inc. and accessiBe Ltd. (accessiBe) market and sell a web accessibility software plug-in called accessWidget that the company has said can make any website compliant with WCAG, a comprehensive set of technical criteria used to assess website accessibility. The company made the claims on its website, on social media, and in articles on third-party websites formatted to look like impartial and objective reviews.

According to the FTC's complaint, despite the company’s claims, accessWidget did not make all user websites WCAG-compliant and these claims were therefore false, misleading, or unsubstantiated, in violation of the FTC Act. In addition, the complaint alleges that accessiBe deceptively formatted third-party articles and reviews to appear as if they were independent opinions by impartial authors and failed to disclose the company’s material connections to the supposedly objective reviewers.

• Proposed consent order
• Request for public comment on proposed consent order (published today)

The Treasury Department on Tuesday reported OFAC sanctions actions.

• A Russian judge was sanctioned for her role in the arbitrary detention of Moscow city councilor and human rights defender Alexei Gorinov. The judge was designated under the authority of Executive Order 13818, which builds upon and implements the Global Magnitsky Human Rights Accountability Act and targets perpetrators of serious human rights abuse and corruption.
• OFAC also designated a subordinate organization of Iran’s Islamic Revolutionary Guard Corps (IRGC), and a Moscow-based affiliate organization of the Russian Main Intelligence Directorate (GRU) and its director under the authority of Executive Order 13848 (U.S. election interference). As affiliates of the IRGC and GRU, these actors aimed to stoke socio-political tensions and influence the U.S. electorate during the 2024 U.S. election.

For the names and identification information of the designated parties, see Tuesday's BankersOnline OFAC Update.

The Department of the Treasury has released a report following its 2024 Request for Information (RFI) on the Uses, Opportunities, and Risks of Artificial Intelligence (AI) in Financial Services, which summarizes key themes from respondent feedback and recommends several next steps.

The report highlights increasing AI use throughout the financial sector and underscores the potential for AI – including Generative AI – to broaden opportunities while amplifying certain risks, such as risks related to data privacy, bias, and third-party providers. The report builds on Treasury’s work on AI-related cybersecurity risks in the financial sector, including its March 2024 report.

The CFPB has announced it has brought suit against the operator of Zelle and three of the country's largest banks for failing to protect consumers from widespread fraud on America’s most widely available peer-to-peer payment network.

In its Complaint filed with the U.S. District Court for the District of Arizona, the CFPB alleges that Early Warning Services, LLC, which operates Zelle, along with three of its owner banks—Bank of America, JPMorgan Chase, and Wells Fargo—rushed the network to market to compete against growing payment apps such as Venmo and CashApp, without implementing effective consumer safeguards. Customers of the three banks named in today’s lawsuit have lost more than $870 million over the network’s seven-year existence due to these failures. The CFPB’s lawsuit describes how hundreds of thousands of consumers filed fraud complaints and were largely denied assistance, with some being told to contact the fraudsters directly to recover their money. Bank of America, JPMorgan Chase, and Wells Fargo also allegedly failed to properly investigate complaints or provide consumers with legally required reimbursement for fraud and errors. The CFPB is seeking to stop the alleged unlawful practices, secure redress and penalties, and obtain other relief.

Early Warning Services, LLC is a financial technology and consumer reporting company based in Scottsdale, Arizona. Early Warning Services designed and operates the Zelle network. It is co-owned by seven of the largest banks in the United States: Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo.

Zelle allows near-instant electronic money transfers through linked email addresses or U.S.-based mobile phone numbers, known as “tokens.” Users can create multiple tokens across different banks and quickly reassign them between institutions, a feature that the CFPB alleges has left consumers vulnerable to fraud schemes. The CFPB alleges that Bank of America, JPMorgan Chase, Wells Fargo, and Early Warning Services violated federal law through critical failures including leaving the door open to scammers, allowing repeat offenders to hop between banks, ignoring red flags that could prevent fraud, and abandoning consumers after fraud occurred.

• Press Call Remarks of CFPB Director Rohit Chopra