As National Cybersecurity Awareness Month comes to a close, the federal financial regulators have been releasing guidance related to cybersecurity and financial technology (FinTech) issues faster than a teen can complain about slow Wi-Fi.

In the last 10 days, there have been a number of notable releases:

  • The Board of Governors of the Federal Reserve System (Federal Reserve Board), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) released a joint advance notice of proposed rulemaking titled Enhanced Cyber Risk Management Standards that would apply to large supervised financial institutions and their service providers.
  • The Federal Reserve Board’s Secure Payments Task Force identified its key priorities for addressing secure payments: payment identity management, information sharing to mitigate payments risk and fraud, and data protection. The task force has invited industry feedback on these priorities through November 8.

On October 5, the Consumer Financial Protection Bureau (CFPB) released its final rule (Final Rule) extending an array of new substantive restrictions, upfront and ongoing disclosure obligations, and government reporting requirements on prepaid cards and a range of electronic non-bank accounts, commonly referred to as “digital wallets.”

The Final Rule makes a number of changes to both Regulation E (which implements the Electronic Fund Transfer Act) and the credit card rules that are part of Regulation Z (which implements the Truth in Lending Act). The Final Rule takes effect on October 1, 2017, with certain provisions phased in over time, and the reporting requirement for issuers is delayed until October 1, 2018.

On July 6, North Carolina Governor Pat McCrory signed into law legislation to bring certain virtual currency businesses expressly within the existing money transfer business regulatory scheme by repealing and replacing the current law with a new article.

The new law explicitly captures virtual currency with new definitions. Under the prior law, virtual currency intermediaries were not expressly covered, although the broad definitions of “money transmission” and “monetary value” (“[a] medium of exchange, whether or not redeemable in money”) prior to the new law’s adoption likely captured virtual currency. Coinbase Inc. and Circle Internet Financial Inc. are already licensed as money transmitters. The new law provides greater legal certainty, however, by explicitly providing that money transmission “includes maintaining control of virtual currency on behalf of others.”

Are you a consumer financial services provider? Do you tell your customers that your data security practices are “best in class”? If so, it had better be true, or Richard Cordray and his colleagues at the Consumer Financial Protection Bureau (CFPB) may want to talk with you.

On March 2, the CFPB initiated and settled by consent an administrative action against an online consumer payments provider (Respondent) for what the CFPB charged were deceptive acts and practices arising out of representations that the Respondent made about its data security practices.

In the Consent Order, the CFPB charged that Respondent (which offers funds transfer services to consumers) made numerous representations about its data security practices that were not true, including statements that

  • its network and transactions were safe and secure,
  • its transactions were safer than credit cards,
  • its data security practices “exceeded industry standards,”
  • customer information was safely encrypted, and
  • its data security measures were Payment Card Industry (PCI) compliant.

On September 29, four senators and 39 representatives sent a letter to Consumer Financial Protection Bureau (CFPB) Director Richard Cordray expressing concern about the CFPB’s proposed rulemaking for prepaid accounts. (Read our LawFlash discussing the proposed rule.)

The letter specifically identifies four areas of concern:

  • The broad coverage of the proposed rule, which encompasses person-to-person transfers and other transactions where consumers might not necessarily expect protections similar to credit cards and other traditional financial products.
  • The requirement of multiple disclosures, and the lack of usefulness of the long-form disclosure.
  • The implementation deadline—requesting 24 months from the final rule’s publication date instead of the proposed nine-month implementation period.
  • The effect of the overdraft provisions and whether consumers would be better served by overdrafts that allow for “micro-credit” but are exempt from the requirements of Regulation Z.