A fact of business today is that customers – both consumers and other businesses – and employees expect to transact digitally. To remain competitive, companies find themselves increasing their efforts to digitally transform their businesses.
Successfully implementing this transformation requires careful planning to ensure regulatory compliance, a smooth integration with existing business technology and a positive customer experience.
This is our eleventh bulletin for 2019, again aiming to help companies identify important and significant news and legal developments impacting digital offerings. Each issue will feature in-depth insight on a timely and important current topic.
In this issue, we provide an analysis of the requirements and expectations financial institutions and tech vendors face when striving to safeguard customer information. In addition, we will cover recently enacted federal and state laws, federal and state regulatory activities, fresh judicial precedent and other important news.
For related information regarding blockchain and digital assets, please see our monthly bulletin Blockchain and Digital Assets News and Trends.
Financial institutions and technology vendors: requirements and expectations when safeguarding customer information
By Margo H.K. Tank, R. David Whitaker, Andrew W. Grant and Liz Caires
The Interagency Guidelines Establishing Information Security Standards, promulgated pursuant to the Gramm-Leach-Bliley Act, establish standards for safeguarding customer information. Those guidelines set expectations for managing technology service provider relationships through contractual terms and ongoing monitoring. Financial institutions must account for these requirements in contracts with technology service providers. Earlier this year, the FDIC issued new letter guidance on requirements for agreements between financial institutions and technology service providers. The guidance, in titled Financial Institution Letter 19-2019 (FIL-19-2019), was prompted by significant gaps in contract terms that FDIC examiners were encountering, on a regular basis, related to business continuity and data breach. Even though it is addressed to financial institutions, the letter actually contains valuable advice for any business contracting with a technology vendor, and it alerts vendors to what their financial institution customers will be asking of them. This guidance will be even more significant when the California Consumer Privacy Act comes into effect in January 2020. Learn more.
- CFPB considers amending Regulation Z to address intersection of E-SIGN as it relates to credit cards: In the Consumer Financial Protection Bureau’s (CFPB) Fall Rulemaking Agenda, the CFPB stated that it has received feedback that the intersection of certain requirements of Regulation Z and ESIGN are too restrictive for consumers applying for credit card accounts via electronic channels and for consumers willing, or preferring, to receive account information only electronically. Therefore, the CFPB is considering a rulemaking to address a range of issues at the intersection of ESIGN and Regulation Z with regard to credit cards. The CFPB also noted that similar concerns have been raised with respect to other types of consumer financial products and services including checking accounts. The CFPB anticipates that what it learns in considering these issues in the credit card context may assist the CFPB in assessing whether there are similar concerns with other financial products and services that may be appropriate to address in future rulemakings.
Virtual currency and blockchain
- FinCEN reiterates that stablecoin transactions are covered by definition of “money transmission services”: On November 15, 2019, the director of FinCEN, Kenneth Blanco, gave a talk in which he discussed the applicability of money transmission services requirements to stablecoins and anonymity-enhanced cryptocurrencies (AECs). Mr. Blanco stated that “we can say with complete clarity that for AML/CFT purposes, it should be understood that transactions in stablecoins, like any other value that substitutes for currency, are covered by our definition of ‘money transmission services.’ …To that point, administrators of stablecoins have to register as MSBs with FinCEN.” He further stated that “FinCEN’s technology neutral approach also means that other types of activity in convertible virtual currency are already covered by our money transmitter requirements. As our May 2019 guidance highlights [covered here], this includes AECs…In practice, this means that whether you are a money transmitter offering bitcoin, ether, or AECs — your obligations under the BSA are the same.”
- Treasury Department announces blockchain project. The Bureau of the Fiscal Service of the Treasury Department announced on October 17 that the Office of Financial Innovation and Transformation (FIT) is partnering with the Bureau’s Payment Management division and the National Science Foundation on a blockchain project proof of concept which tokenizes (digitally represents) and transfers payment authorizations within a simulated letter of credit system. This proof of concept will be the first time FIT will apply blockchain technology to a financial use case.
- Board of Governors of the Federal Reserve System addresses stablecoins in most recent Financial Stability Report: On November 15, 2019, the Board of Governors of the Federal Reserve System (FRB) published its Financial Stability Report, which contained a section titled “Global Stablecoins and Financial Stability.” In that section, the FRB stated that the “possibility for a stablecoin payment network to quickly achieve global scale introduces important challenges and risks related to financial stability, monetary policy, safeguards against money laundering and terrorist financing, and consumer and investor protection.”
- FATF clarifies stablecoin guidance. On October 18, the US Treasury Department announced that the Financial Action Task Force (FATF) concluded its 31st plenary meeting with a public statement that clarified guidance on stablecoins and adopted changes regarding virtual assets, among other reports related to anti-money laundering/countering the financing of terrorism (AML/CFT).
- US financial regulators join the Global Financial Innovation Network. On October 24, the SEC, CFTC, OCC and FDIC issued a joint press release announcing that they have signed onto the Global Financial Innovation Network (GFIN). The GFIN is an international alliance of government regulators which was formally launched in January 2019 to create a “global sandbox” for financial innovation.
- FCC seeks comment on whether companies can clarify scope of informational text opt-out requests via confirmation text: On November 7, 2019, the FCC published a Public Notice stating that it was seeking comment on a petition for a declaratory ruling regarding whether “the sender of a lawful informational text message transmitted through an automatic telephone dialing system (‘ATDS’) [who] receives a valid opt-out request from the recipient in response to that message, and that informational message was part of a program in which the recipient had previously enrolled that transmits several categories of informational messages, then, pursuant to the Commission’s ruling in Soundbite, the sender may clarify in an opt-out confirmation message to the recipient the scope of the recipient’s opt-out request without violating the Telephone Consumer Protection Act (‘TCPA’) or related Commission rules.”
- California DBO issues guidance on applicability of Money Transmission Act to cryptocurrencies: The California Department of Business Oversight issued several opinion letters finding that certain entities are not required at this time to obtain a license under the state’s Money Transmission Act (Fin. Code § 200 et. seq.) based on the business activities described as to be provided:
- Online cryptocurrency exchange platform, using with custodial digital wallets and custodial accounts for US$ held by federally insured financial institutions, allowing customers to trade with other customers for digital currency or US$ (September 30, 2019)
- Online platform allowing customers to purchase, exchange, and sell cryptocurrency in exchange for fiat or other cryptocurrency using a SEC licensed broker-dealer as facilitator (October 1, 2019)
- Online platform enabling nonprofits to receive cryptocurrency as donations. (October 4, 2019)
- Mobile payments application and merchant payment network platform allowing consumers to use cryptocurrencies to pay for goods and services (October 4, 2019)
- Online platform allowing customers to trade fiat-to-crypto, crypto-to-fiat, and crypto-to-crypto, acting solely as intermediary (October 4, 2019)
The Department also issued an October 1, 2019 opinion letter finding that the operation of Bitcoin payment kiosks which only allow customers to purchase Bitcoin using fiat currency (and customers could not sell their Bitcoin for fiat) does not meet the definition of “receiving money for transmission” under the California Money Transmission Act, Fin. Code § 2003, subd. (u).
- NYDFS grants trust charter to digital assets company: On November 19, 2019, the New York Department of Financial Services (NYDFS) announced that it had granted a charter under New York Banking Law to Fidelity Digital Asset Services, LLC (FDAS), to operate as a limited liability trust company. NYDFS has authorized FDAS to provide a virtual currency custody and execution platform, on which institutional investors and individuals can securely store, purchase, sell, and transfer Bitcoin. Including the charter granted to FDAS, to date NYDFS has approved 23 charters or licenses for companies engaged in virtual currency business activities.
- OCC and FDIC release proposed regulations to address Madden ruling in 2015: On November 18, 2019, the Office of the Comptroller of the Currency proposed a new rule that would “clarify that when a national bank or savings association sells, assigns, or otherwise transfers a loan, interest permissible prior to the transfer continues to be permissible following the transfer. This proposal will address confusion about the effect of a transfer on a loan’s valid interest rate, including confusion resulting from a recent decision from the US Court of Appeals for the Second Circuit (Madden v. Midland Funding, LLC).” On November 19, the Federal Deposit Insurance Corporation proposed a new rule to “clarify the Federal law governing interest rates state banks may charge their customers. The FDIC's proposal is intended to address marketplace uncertainty in the wake of a 2015 court ruling that called into question the enforceability of interest rate terms following the sale or assignment of a loan originated by a national bank to a third-party non-bank.”
- California DOJ updates regulations implementing the Electronic Recording Delivery Act: On October 7, 2019, the California Department of Justice finalized amendments to its regulations implementing the Electronic Recording Delivery Act of 2004, which permits electronic delivery, recording, and return of certain types of instruments through an electronic recording delivery system (ERDS). Of note, the DOJ updated the ERDS technology requirements as part of these amendments.
- Course of business sufficient to attribute electronic signatures to debtor: In In re: Kisha Yvonne Daniel, 2019 WL 5485218 (Bankrtcy Ct. M.D. Ala Oct. 24, 2019), the court held that the course of business between the debtor and the title pawn loan company was such that the debtor’s electronic signature could be attributed to the debtor under Alabama’s Uniform Electronic Transactions Act. The debtor stated that she did not dispute the original executed pawn ticket or its initial renewal but that she disputed the subsequent renewals that did not contain her handwritten signature. The pawn loan company used an electronic signature technology company to execute its electronic signatures in-store, but said it generally limits such use to those customers who are physically unable to sign; here, the debtor was physically able to sign. The court noted that while normally the record’s content would provide the necessary information for establishing attribution, any insufficiency can be cured by an established course of dealings between the parties. Here, the debtor did not dispute any pawn transaction renewals until the company moved for a determination that the bankruptcy stay be terminated. The court further noted that for about 18 months, the debtor made monthly payments on dates that coincided with dates on the disputed pawn tickets. The court concluded that the course of business between the debtor and the company was sufficient to attribute the electronic signatures on the disputed pawn transactions to the debtor.
- Parties enter into consent agreement that requires a business to meet WCAG 2.0 AA standards: In Picon v. McKenzie Fine Art, Inc., 2019 WL 5963519 (S.D.N.Y. Nov. 8, 2019), the court approved a consent decree between the two parties that required the defendant to, among other obligations, ensure that its websites substantially conform to the Web Content Accessibility Guidelines 2.0 Level A and AA Success Criteria (WCAG 2.0 AA) such that the websites will be accessible to persons with disabilities. The defendant, however, will not be responsible for ensuring that third-party content or plug-ins whose coding is not solely controlled by the defendant, but which are otherwise located on its websites or linked to from its websites, are accessible or otherwise conform to WCAG 2.0 AA.
- Claims of negligence and fraud in management of crypto exchange survive motion to dismiss. In Fabian v. LeMahieu et al, 2019 WL 4918431 (ND California Oct. 4, 2019), the court granted in part and denied in part the defendants’ motion to dismiss. The plaintiff’s complaint included federal law claims and multiple state law claims including negligence and fraud, in connection with the defendants’ promotion of a cryptocurrency referred to as Nano tokens or XRB. The defendants included Nano fka BaiBlocks fka Hieusys, LLC (Nano), along with certain founders and promoters of Nano (the Nano defendants) as well as B.G. Services SRL fka BitGrail SRL and its founder (BitGrail). The plaintiff’s claims of negligence, fraud, and negligent misrepresentation survived the defendants’ motion to dismiss based on the plaintiff’s well-pled factual allegations. The court found, in part, that the Nano defendants had a legal duty to exercise reasonable care with respect to the management of XRB and they had breached that duty. The plaintiff’s allegations are summarized as follows: The Nano defendants developed a cryptocurrency, XRB, which they offered, promoted and sold to the public. When popular cryptocurrency exchanges were unwilling to list XRB, the Nano defendants worked with BitGrail to create a BitGrail dedicated cryptocurrency exchange that primarily created and sustained a market for XRB. The Nano defendants used social media and other publicity to direct the public to buy, store, and trade XRB at the BitGrail Exchange, including by providing assurances that the exchange was secure and that transactions in XRB were instant, with no fees, and scalable. In late 2017, the BitGrail Exchange began having problems causing user verification issues, account balance miscalculations, and duplicate processing of one-time transactions. Despite the issues, the Nano defendants continued to represent the BitGrail Exchange as secure and reliable. In early 2018 over 15 million XRB with a value of approximately $170 million was “lost” due to “unauthorized transactions.” BitGrail then suspended all account activity on the BitGrail Exchange, making all withdrawals impossible and causing the plaintiff to lose his investment, which was, at that time, worth approximately $275,000.
Online contract formation
- Court finds defendant entered into commercial contract that was executed both electronically and on paper: In Universal Steel Buildings Corp. v. Reagan, 2019 WL 5859814 (Sup. Ct. Pa. Nov. 8, 2019), the court was not persuaded by the defendant’s argument that because the transaction was conducted in part electronically and in part non-electronically, the parties needed a separate and express agreement to proceed electronically under the Pennsylvania Electronic Transactions Act (PETA). The court noted that the defendant misunderstood that section of PETA. Specifically, the court noted two points. First, this was a commercial transaction and not a consumer transaction. Second, the statutory provision states that in the case of a nonelectronic consumer contract, that contract may not contain a provision authorizing the conducting of a transaction by electronic means unless the consumer agrees to such a provision in a separate and express acknowledgement; but here, the defendant electronically executed the contract while it was countersigned and returned by mail by the other party.
- Court upholds insurance arbitration agreement: In Simon et al. v. Blue Cross of California, 2019 WL 5677552 (unpublished Nov. 1, 2019), on appeal, the California Court of Appeal upheld the ruling of the lower court compelling arbitration of plaintiffs’ claims. The appellate court held that the declaration in support of Blue Cross’s motion to compel arbitration sufficiently described the online enrollment process on the Covered California health exchange, and the plaintiffs’ agreement to Blue Cross’s arbitration provision. The motion included a screenshot of the enrollment electronic signature page which bore a text box above the signature field, and the text box displayed the beginning of the binding arbitration agreement with arrows to scroll through it. The plaintiffs were required to check a box to signify that they had “Read and Agree[d] to the Binding Arbitration Agreement.” Additionally the declaration attached “electronic signature reports” for each plaintiff which listed “created by username,” “esignature name entered,” “esignature date,” and “agreed to binding arbitration” (which indicated “yes” as the checkbox was clicked by each plaintiff).
- The plaintiffs had further alleged that Blue Cross failed to submit the “actual signed [arbitration] agreements,” but the appellate court disagreed. The court held that Blue Cross’s burden was to provide merely “a copy or recitation of its terms,” citing Condee v. Longwood Management Corp. (2001) 88 Cal.app.4th 215 (holding that “unless there is a dispute over authenticity, it is sufficient for a party moving to compel arbitration to recite the terms of the governing provision”). Blue Cross submitted the coverage document that included the arbitration agreement as well as evidence that each plaintiff (or each plaintiff’s agent) agreed to be bound by it. The court determined such evidence was sufficient as there was no actual dispute as to whether plaintiffs or their agents executed the agreement.
M. Tank and D. Whitaker, Law of Electronic Signatures, 2019 Edition
M. Tank, D. Whitaker, and A. Grant, "Remote Online Notarization is Here to Stay," ABA Banking Law Committee Journal – Summer 2019
M. Tank and D. Whitaker, "So you want to go digital…", Intellectual Property and Technology News (North America), Issue 41, Q1 2019
M. Tank and D Whitaker, "Trends in electronic signatures: strategies for addressing risk using biometric data," a white paper for Wacom