The Consumer Finance Observer

A periodic update on legal developments in consumer finance

Winter 2021 Edition

IN THIS ISSUE:

- California Passes Proposition 24: California Privacy Rights Act to Become Law
- Class Actions Seek to Test the Limits of the CCPA’s Private Right of Action
- California Legislature Passes New Consumer Financial Protection Law
- Is Betting on an Athlete’s Heart Rate During a Game Coming to Broadcasting?
- Colorado Consumers Receive Additional Protections after Attorney General Settles Lawsuits
- Three Takeaways from LendIt 2020
- SEC and CFTC Actions Against App Developer for Unregistered Security-Based Swaps Highlight Risks for FinTech Companies
- Funds Travel Rule Compliance Obstacles Facing Crypto Firms
- EDPB Provides Guidance on Personal Data Transfers Following Schrems II

California Passes Proposition 24: California Privacy Rights Act to Become Law

By: David P. Saunders, Kate T. Spelman, and Effiong K. Dampha

Privacy was on the ballot this past November, at least in California. And it appears that enough people voted in favor of Proposition 24, the California Privacy Rights Act (CPRA), for it to become law. Although the CPRA technically becomes effective five days after the California Secretary of State certifies the voting results, the bulk of the law – which is an overhaul of the California Consumer Privacy Act (CCPA) – will not come into force until January 1, 2023. Businesses have some time to prepare for the most significant changes, which we have written about previously. Those changes include handling a new category of “sensitive personal information,” the expansion of the existing CCPA private right of action, and mandatory changes to company privacy policies. So what happens to the CCPA, and what do businesses have to prepare for? The answer is not much in the short term.

Until the CPRA becomes fully effective in 2023, the CCPA remains in full effect. That means businesses should keep up with their CCPA compliance, including being attentive to new California Attorney General regulations. The following CPRA provisions – which largely do not impact businesses directly – will become effective once the California Secretary of State certifies the voting results.

- An extension of the carve out for business contact and employee personal information that is collected by businesses covered by the CCPA. In the existing CCPA, these carve outs were set to expire on January 1, 2021. The carve outs will now be extended to January 1, 2023.
- A Consumer Privacy Fund will be created – with appropriations to be made by the legislature – with the purpose of “offsetting the costs” of state courts and the California Attorney General enforcing the CCPA (and later the CPRA). The fund will also be used “to promote and protect consumer privacy, educate children in the area of online privacy, and fund cooperative programs with international law enforcement organizations” in connection with addressing consumer data breaches.
- The California Attorney General will be charged with developing a laundry list of new regulations, which will put meat on the bones of many of the new CPRA rules.
- A new state agency, the California Privacy Protection Agency, will be created, funded, and begin operations.

Because of the phased effective dates for CPRA’s provisions, businesses have time to revise their policies and prepare for the full weight of the CPRA. Of course, that does not account for whatever CPRA regulations the California Attorney General publishes, which we expect to be previewed perhaps as early as late 2021.

Class Actions Seek to Test the Limits of the CCPA’s Private Right of Action

By: Kate T. Spelman, Vivian L. Bickford, and Effiong K. Dampha

The California Consumer Privacy Act (CCPA) took effect January 1, 2020. As has been well documented, the statute provides consumers with certain rights regarding their personal information, including the right to know whether businesses are collecting such information and how it is being used, the right to request deletion of such information, and the right to opt out of the sale of such information to third parties.

The CCPA also includes what was supposed to be a limited private right of action that permits consumers to recover up to $750 in statutory damages per incident when certain types of personal information are exposed in connection with a data breach. Perhaps unsurprisingly, this private right of action has already spawned dozens of class actions in California state and federal courts. These suits shed light on the various ways plaintiffs are testing the boundaries of the CCPA and its private right of action. Several categories of boundary-testing CCPA lawsuits are discussed below.

CCPA LAWSUITS PREMISED ON VIOLATIONS OF THE STATUTORY NOTICE AND OPT-OUT PROVISIONS

As mentioned above, the CCPA provides consumers with certain rights to know and control how their data is being collected and used. However, the CCPA’s private right of action applies only to the “unauthorized access and exfiltration, theft, or disclosure” of personal information resulting from a business’s failure to “implement and maintain reasonable security procedures and practices.” Importantly, CCPA claims “based on violations of any other section of this title” are not permitted. Despite this express limitation, a number of plaintiffs have asserted CCPA claims based on alleged failures to comply with the CCPA’s disclosure, deletion, and opt-out requirements. While these alleged failures may constitute technical violations of the CCPA, under a plain reading of the statute, they do not give rise to a private right of action. Nonetheless, plaintiffs have not been deterred from bringing suit.

For example, in L.P. v. Shutterfly, which was filed in the Northern District of California on July 23, several minor plaintiffs and their legal guardians assert a CCPA claim based on Shutterfly’s alleged collection and use of minors’ personal biometric information without notice and an opportunity for deletion in violation of Section 1798.100(b) of the CCPA. The complaint also seeks to hold Shutterfly liable for selling minors’ personal biometric information without requiring opt-in or parental consent, and attempts to equate this conduct to “a data breach” under CCPA Section 1798.150. If adjudged viable, this claim would render meaningless the prohibition against CCPA claims based on violations of the disclosure and opt-out provisions of the statute. Shutterfly has not yet responded to the complaint.

Similarly, in McCoy v. Alphabet, which was filed in the Northern District of California on August 5, the plaintiffs allege that Google violated Section 1798.100(b) of the CCPA by failing to disclose that it collects plaintiffs’ “sensitive personal data from non-Google apps, including the duration of time spent on non-Google apps and the frequency that non-Google apps are opened.” Google’s pending motion to dismiss argues that the plaintiffs’ CCPA claim should be dismissed because it is premised on statutory violations to which the private right of action does not apply.

CCPA LAWSUITS STRETCHING THE DEFINITION OF ‘PERSONAL INFORMATION’

The CCPA contains a broad definition of “personal information” subject to its notice and opt-out requirements. The CCPA’s private right of action, on the other hand, only covers data breaches involving the more narrow definition of “personal information” in California Civil Code § 1798.81.5(d)(1)(A). Under that statute, “personal information” must include a consumer’s first name or first initial and last name “in combination with” unencrypted sensitive information such as the consumer’s Social Security number, driver’s license number, financial information, medical information, health insurance information, or unique biometric data. However, several CCPA class actions seek recovery for the allegedly unauthorized disclosure of information that does not appear to meet this statutory definition.

Atkinson v. Minted, filed in the Northern District of California on June 11, provides an example of one such lawsuit. There, the plaintiffs filed a class action against the online marketplace Minted following notice of a data breach that allegedly resulted in the disclosure of consumer names, email addresses, passwords, and, where available, telephone numbers and addresses. There is no allegation, however, that the breach resulted in the exposure of consumers’ names in conjunction with the type of sensitive information required by the relevant statutory provision on which the CCPA’s private right of action relies. No substantive motions have been filed to date, though Minted has indicated that it intends to file a motion to compel arbitration.

CCPA LAWSUITS SEEKING RECOVERY FOR NON-CALIFORNIA RESIDENTS

The CCPA applies only to “consumers” who are “California resident[s].” Yet, several pending CCPA class actions seek recovery for or on behalf of non-California residents. Fuentes v. Sunshine Behavioral Health Group LLC, filed in the Central District of California on March 10, is representative of these actions. There, a Pennsylvania resident filed a CCPA claim on behalf of a nationwide class of alleged victims of a California company’s data breach. The defendant filed a motion to compel arbitration or, in the alternative, to dismiss the complaint, in which it argued, among other things, that the CCPA claim must be dismissed because the non-resident plaintiff is not a “consumer” under the statute. The court has not yet ruled on the motion.

McCoy is also illustrative of this category of CCPA lawsuits. There, the lead plaintiff is a resident of New York, and Google therefore argued in its motion to dismiss that the plaintiff lacks statutory standing because he does not meet the definition of a “consumer” under the CCPA.

Companies doing business in California should expect to see these boundary-testing CCPA class actions continue until courts weigh in on this unsettled area of law. Until then, and in any event, businesses should take steps to implement adequate security procedures, and ensure that they are providing consumers with all information and disclosures required under the CCPA. Moreover, businesses should be cognizant of the additional protocols they may be required to implement in the event the CCPA is replaced by the California Privacy Rights Act scheduled to appear on the November ballot.

Reprinted with permission from the October 20, 2020 edition of The Recorder © [2020] ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved. The original article can be viewed here.

DEVELOPMENTS SINCE PUBLICATION

Shortly after publication of this article, Fuentes was voluntarily dismissed with prejudice. The court did not issue a ruling on the motion to compel arbitration or, in the alternative, to dismiss the complaint.

In addition, during the November election, Californians passed Proposition 24, enacting the California Privacy Rights Act (CPRA). Though the CPRA is effectively an overhaul of the CCPA, the CCPA will remain in full effect until the CPRA becomes effective on January 1, 2023. This gives businesses some time to prepare for the CPRA’s most significant changes, which include handling a new category of “sensitive personal information,” the expansion of the existing CCPA private right of action, and mandatory changes to company privacy policies.

California Legislature Passes New Consumer Financial Protection Law

By: Madeline Skitzki

On August 31, 2020, the California Legislature passed Assembly Bill 1864. In general, this bill (1) renamed the Department of Business Oversight as the Department of Financial Protection and Innovation and renamed the commissioner of the Department as the Commissioner of Financial Protection and Innovation, and (2) enacted the California Consumer Financial Protection Law (CCFPL) to, among other purposes, strengthen consumer protections by expanding the ability of the Department of Financial Protection and Innovation to improve accountability and transparency in the California financial system and promote nondiscriminatory access to responsible, affordable credit.

Under the bill, the Department of Financial Protection and Innovation is required to regulate the provision of various consumer financial products and services and exercise nonexclusive oversight and enforcement authority under California and federal (to the extent permissible) consumer financial laws. The Department is granted the power to bring administrative and civil actions, issue subpoenas, promulgate regulations, hold hearings, issue publications, conduct investigations, and implement outreach and education programs, and is required to promulgate certain rules and regulations regarding registration requirements. The bill also makes it unlawful for covered persons or service providers to engage in unlawful, unfair, deceptive, or abusive acts or practices with respect to consumer financial products or services or to provide consumers financial products or services that are not in conformity with any consumer financial law. It further requires covered persons and service providers to file certain documents under oath and imposes specific civil and monetary penalties, as well as injunctive relief, for violations of the CCFPL. With respect to funding, the bill requires the Commissioner to deposit all money collected or received under the CCFPL with the State Treasurer for the Financial Protection Fund, which is created under the bill for the administration of the CCFPL.

Is Betting on an Athlete’s Heart Rate During a Game Coming to Broadcasting?

By: David W. Sussman and Amy Egerton-Wiley

This article was originally published by The Hollywood Reporter and is available here.

It’s now possible to measure, in real time, biometric data like an athlete’s respiration, temperature, blood pressure, and more. Can sports content partners let people gamble on these metrics?

Two independent recent developments in collegiate and professional sports are converging: the use of athletes’ biometric data and the proliferation of legalized sports betting. Through innovative technologies, the monitoring of players’ physiologic information during performance is growing rapidly. Simultaneously, 20 states have legalized sports wagering with more in the pipeline, ushering in a new era of fan engagement in sports events.

Since there is a good deal of attention on the planning to “re-open” sports, this article discusses potential implications of these developments, particularly for sports content partners and their inclusion of biometric data in their programming. Programmers will likely find the inclusion of this real-time information on an athlete’s physical condition an appealing “add-on” to its content as an innovative tool to capture viewer engagement. But it is not without risk.

To read the full Hollywood Reporter article, please click here.

Colorado Consumers Receive Additional Protections after Attorney General Settles Lawsuits

By: Alexander N. Ghantous

In August of 2020, the Colorado Attorney General’s Office settled two lawsuits concerning Colorado’s right to enforce its consumer loan interest rate limits.[1] The lawsuits involved Avant of Colorado, LLC (Avant) and Marlette Funding, LLC (Marlette), both of which are not banks.[2] However, partnerships with banks located outside of Colorado were established by the companies: Avant with WebBank, and Marlette with Cross River Bank.[3]

According to the Colorado Attorney General’s website, federal law permits “certain out-of-state banks” to offer loans at higher interest rates in Colorado than what is generally permitted in the state.[4] The Colorado Attorney General alleged that the partnerships in these matters were established to illegally offer loans at higher interest rates than what was allowed in Colorado.[5] While the lawsuits did result in a settlement, there was no admission of fault, liability, or wrongdoing.[6]

The settlement provides Colorado consumers with an extra layer of protection against predatory lending practices.[7] It ensures that “true bank loans” are being made by Cross River Bank, WebBank, and their non-bank company partners that include, but are not limited to, Marlette and Avant.[8] Included in those protections is a “Safe Harbor” provision, which was implemented to ensure compliance with the Colorado Uniform Consumer Credit Code.[9] The following criteria must be met to comply with the settlement’s “Safe Harbor” provision:

- Oversight Criteria: To satisfy the “Safe Harbor” provision’s “Oversight Criteria,” 14 terms must be met.[10] For example, the first term mandates that any loan that is “offered and originated” online by either WebBank or Cross River Bank in conjunction with Avant, Marlette, or any other FinTech company partner is “subject to oversight by the respective [b]ank’s prudential regulators, including the FDIC and the [b]ank’s state banking regulators.”[11]
- Disclosure and Funding Criteria: Three terms must be met to satisfy the “Safe Harbor” provision’s “Disclosure and Funding Criteria.”[12] For example, the first term requires that WebBank or Cross River Bank be identified as the lender on loan agreements.[13]
- Licensing Criteria: Five terms must be met to satisfy the “Safe Harbor” provision’s “Licensing Criteria,” including, but not limited to, licensing requirements when “supervised loans” are offered.[14]
- Consumer Terms Criteria: Two terms must be met to satisfy the “Safe Harbor” provision’s “Consumer Terms Criteria.”[15] For example, loans cannot have an interest rate that is higher than 36 percent.[16]
- Structural Criteria: To satisfy the “Safe Harbor” provision’s “Structural Criteria,” there must be compliance with a minimum of one of the options that follow: “the Uncommitted Forward Flow Option, the Maximum Committed Forward Flow Option, the Maximum Overall Transfer Option, or an Alternative Structure Option,” all of which are described within the settlement.[17]

Under the settlement agreement, WebBank, Cross River Bank, Avant, and Marlette are also jointly and severally liable for: (1) a payment of $1,050,000 to the State of Colorado; and (2) a $500,000 contribution to the Colorado MoneyWi$er program.[18]

The final, executed version of the settlement agreement is located here.

[1] COLORADO ATTORNEY GENERAL’S OFFICE, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020), coag.gov/press-releases/8-18-20/; Assurance of Discontinuance, coag.gov/app/uploads/2020/08/Avant-Marlette-Colorado-Fully-Executed-AOD.pdf
[2] COLORADO ATTORNEY GENERAL’S OFFICE, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020), coag.gov/press-releases/8-18-20/; Assurance of Discontinuance, pg. 1, coag.gov/app/uploads/2020/08/Avant-Marlette-Colorado-Fully-Executed-AOD.pdf
[3] COLORADO ATTORNEY GENERAL’S OFFICE, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020), coag.gov/press-releases/8-18-20/
[4] Id.
[5] Id.
[6] Assurance of Discontinuance, pg. 6, coag.gov/app/uploads/2020/08/Avant-Marlette-Colorado-Fully-Executed-AOD.pdf
[7] COLORADO ATTORNEY GENERAL’S OFFICE, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020), coag.gov/press-releases/8-18-20/
[8] Id.
[9] Assurance of Discontinuance, pgs. 6-14, coag.gov/app/uploads/2020/08/Avant-Marlette-Colorado-Fully-Executed-AOD.pdf
[10] Id. at 6-8
[11] Id. at 6, 2-3
[12] Id. at 8
[13] Id. at 8, 2-3
[14] Id. at 8-9
[15] Id. at 9
[16] COLORADO ATTORNEY GENERAL’S OFFICE, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020), coag.gov/press-releases/8-18-20/; Assurance of Discontinuance, pg. 9, coag.gov/app/uploads/2020/08/Avant-Marlette-Colorado-Fully-Executed-AOD.pdf
[17] Assurance of Discontinuance, pgs. 9-14, coag.gov/app/uploads/2020/08/Avant-Marlette-Colorado-Fully-Executed-AOD.pdf
[18] COLORADO ATTORNEY GENERAL’S OFFICE, Colorado Attorney General’s Office Settles Lawsuit Against Lenders for Exceeding State Interest Rate Limits on Consumer Loans, (Aug. 18, 2020), coag.gov/press-releases/8-18-20/; Assurance of Discontinuance, pgs. 14-15, coag.gov/app/uploads/2020/08/Avant-Marlette-Colorado-Fully-Executed-AOD.pdf

Three Takeaways from LendIt 2020

By: Michael W. Ross

I recently attended LendIt’s 2020 conference, the largest FinTech conference of the year. Kudos to everyone at LendIt for successfully transitioning the conference to a remote platform – it was a great few days of speakers and topics including really slick tools for engagement and networking. In this post, I’m sharing rough notes on my top three takeaways from the sessions I attended. This is by no means a comprehensive recap, and, if you attended, I’d love to hear from you about what you thought.

ARTIFICIAL INTELLIGENCE.

First, artificial intelligence and machine learning are on everyone’s mind these days. From regulators to service providers to financial institutions, speakers honed in on the use of AI for everything from underwriting, to risk analysis, to loan servicing, to many other things. Everyone is talking about the risks and rewards of using these new tools, including how to hone their models and how much to involve a human touch. As I listened, the relevance of our prior writing and talks on the potential for enforcement activity in the area of AI was top of mind – it has stayed quite relevant. Check it out!

SERVING THE UNDERSERVED.

Relatedly, almost everyone seems to be talking about how technology is helping improve access to credit and banking services to those previously cut out – not only the use of AI, but also the overall digitization of banking, payments, and credit. Thought leaders are focused on looking beyond the ordinary credit file; on the use of mobile services to reach new consumers; and on the growth of non-traditional payment platforms. Stay tuned for developments in this area, including the broadening of the “payments” world to include non-financial institutions.

PARTNERSHIPS.

Last, partnerships are all the rage. Financial institutions are buying startups, in addition to investing in technology themselves; smaller banks, community banks, and others are partnering to keep up with the latest tech trends; and regulators are focused on the third-party risk issues that partnerships raise, and also on allowing third parties to keep smaller banks competitive through partnerships. This area is not limited to true lender issues – especially keep an eye on the FDIC’s request for information on standard-setting for third-party service providers.

Again, these are just some blog thoughts from one attendee – please get in touch with your reactions and thoughts!

SEC and CFTC Actions Against Cryptocurrency App Developer for Unregistered Security-Based Swaps Highlight Risks for FinTech Companies

By: Charles D. Riely and Michael F. Linden

A recent enforcement action by the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) in the FinTech space serves as a cautionary tale for innovators who fail to heed traditional regulations. On July 13, 2020, the SEC and CFTC each filed settled enforcement actions against California-based cryptocurrency app developer Abra and its related company, Plutus Technologies Philippines Corporation. Abra’s bold idea was to provide its global users with a way to invest in blue-chip American securities, all funded via Bitcoin. In executing this idea, Abra took pains to focus its products outside of the and hoped to avoid the ambit of US securities laws. As further detailed below, however, the SEC and CFTC both found that Abra’s new product violated US laws. This post details Abra’s product, why the regulators came to the view that the new idea ran afoul of long-established provisions under federal securities and commodities laws, and the key takeaways from the regulators’ actions.

ABRA’S PRODUCT

In 2018, Abra began offering users synthetic exposure, via Bitcoin, to dozens of different fiat currencies and a variety of digital currencies, like and . Users could fund their accounts with a credit card or bank account, and Abra would convert those funds into Bitcoin. When a user wanted exposure to a new currency, the user would choose the amount of Bitcoin he or she wanted to invest, Abra would create a “smart contract” on the blockchain memorializing the terms of the contract, and the value of the contract would move up or down in direct relation to the price of the reference currency.

In February 2019, Abra announced that it planned to expand its business to provide synthetic exposure to US stocks and ETF shares, rather than just currencies. Abra advertised that users could enter into smart contracts to invest in their chosen stocks and ETFs. For example, Abra said in a blog post that:

[I]f you want to invest $1,000 in Apple shares you will place $1,000 worth of bitcoin into a contract. As the price of Apple goes up or down versus the dollar, bitcoin will be added to or subtracted from your contract. When you settle the contract – or sell the Apple investment – the value of the Apple shares will be reflected in bitcoin in your wallet which can easily be converted back to dollars, or any other asset for that matter.

Abra said it planned to hedge the smart contracts by purchasing – in the US securities markets – the actual securities referenced in a given contract.

THE SECURITIES AND COMMODITIES LAW VIOLATIONS

The SEC’s cease-and-desist order found that the contracts Abra offered were swaps because they tracked the value of the underlying securities without also conveying any ownership in those securities. Abra did not set any asset requirements to enter into these swaps, nor did it make any effort to confirm the identity or financial resources of its customers, including whether those customers were “eligible contract participants,” as defined by the securities laws. More than 20,000 people joined the waitlist to buy swaps from Abra. After being contacted by the SEC and CFTC in February 2019, Abra shut down the swaps project before it went live and removed mention of it from its website.

In May 2019, however, Abra rebooted the project, this time limiting offers to non-US persons and making Plutus, Abra’s related Filipino company, the counterparty to the swaps, apparently under the belief that doing so would avoid exposure to US securities laws. While the app was run via Asian servers and Abra’s website was coded to show the swap opportunity only to users outside the United States, California continued to be Abra’s brain center. Employees in California designed the details of the contracts – including prices – sought out investors, marketed the swaps, and hedged the contracts by actually purchasing the underlying securities. Though Plutus was the legal party to the swaps, Abra lent it the hedging money.

Abra and Plutus ultimately sold more than 10,000 swaps, including a small number to customers in the United States, despite efforts to avoid doing so. The SEC’s order found that Abra and Plutus violated Section 5(e) of the Securities Act of 1933 – which prohibits offers to sell security-based swaps to any person who is not an eligible contract participant without an effective registration statement – when they marketed and sold swaps to thousands of unidentified customers without a registration statement in place. For similar reasons, the order found that Abra and Plutus also violated Section 6(1) of the Securities Exchange Act of 1934, which prohibits effecting security-based swaps with a person who is not an eligible contract participant, unless the transaction is effected on a national securities exchange.

The CFTC order similarly found that from December 2017 to October 2019, Abra entered into thousands of digital-asset and foreign currency-based smart contracts via its app. Those contracts, according to the CFTC, constituted swaps under the Commodity Exchange Act (CEA). Because Abra offered these swaps to persons who were not eligible contract participants, and did so outside of a board-of-trade-designated contract market, the swaps violated Section 2(e) of the CEA. Further, in soliciting and processing the swaps, Abra violated Section 4(d)(a)(1) of the CEA by operating as a futures commission merchant without registering with the CFTC.

KEY TAKEAWAYS

In bringing the action, the SEC and CFTC also emphasized the messages they hoped the filing of the action would send: namely that it was important that FinTechs comply with the relevant laws as they seek to bring innovative products to the market. In filing the action, the SEC emphasized that parties could not avoid the reach of the securities laws easily when key parts of their operations occurred in the United States. In the press release announcing the action, Dan Michael, the head of the Complex Financial Instrument, said, “businesses that structure and effect security-based swaps may not evade the federal securities laws merely by transacting primarily with non-US retail investors and setting up a foreign entity to act as a counterparty, while conducting crucial parts of their business in the United States.” For its part, in its press release, the CFTC emphasized that it would continue to focus on ensuring responsible development of digital products. As stated by the CFTC’s Enforcement Director, “Rooting out misconduct is essential to furthering the responsible development of these innovative financial products.”

Funds Travel Rule Compliance Obstacles Facing Crypto Firms By: E.K. McWilliams and Wade A. Thomson

Long considered a potential game-changing maverick for global business and crime, cryptocurrency is facing in the United States and globally so-called funds travel rules – a potential yoke in the form of compliance requirements.

In a speech before the Chainalysis Blockchain Symposium in November 2019 and a speech before the Consensus Blockchain Conference in mid-May 2020, Financial Crimes Enforcement Network Director Kenneth A. Blanco made clear that cryptocurrency exchangers are expected to comply with FinCEN’s funds travel rule, which requires banks and money services businesses, including crypto exchangers, to share the names, addresses, and account numbers of both the originators and beneficiaries tied to payments of $3,000 or more with the next financial institution or money services businesses in line to handle the funds.

Despite Blanco’s express statements that FinCEN expects that crypto exchangers “will comply, period,” most cryptocurrency firms remain out of compliance with the rule. In fact, crypto industry publications widely report that crypto firms are scrambling to develop software and other solutions to meet the rule’s requirements.

But what explains the delay? The obstacles standing between crypto exchanges and compliance with the funds travel rule, and the potential impacts of not complying, are explored in this article for attorneys and compliance professionals.

RELEVANT CRYPTOCURRENCY FUNDAMENTALS

To understand obstacles to compliance with the Funds Travel Rule, it is necessary to understand two cryptocurrency basics. First and foremost, a blockchain is a running ledger in the cloud that records all transactions that have occurred across a network, allowing any number of computers to keep identical records.

There are over 860 blockchains currently in use, including those used by well-known crypto systems such as Bitcoin and Ethereum. While the underlying distributed ledger technology is a common feature of all blockchains, each blockchain has different features and functionality.

Second, of particular relevance to the rule, a key difference between cryptocurrency and fiat currency transactions is the nature of the information that is attached to funds transfers. One of the main characteristics of the traditional banking system is that identification of parties to a transaction is based on names.

That is, financial institutions must identify their customers in order to track fund transfers and meet legal requirements for reporting suspicious activities, conducting customer due diligence, and sharing customer information with recipient institutions.

In contrast, the virtual currency system identifies transactions not by a customer’s name, but rather by virtual wallet. Unlike a traditional bank account, the virtual wallet is not systematically linked to an individual, but rather is identified only by a string of letters and numbers. The owner generates a secret key, equivalent to a long alphanumeric pin number, which is unique to each virtual wallet and is necessary to complete a transaction.

Users can deposit cash into a virtual wallet or through a cryptocurrency ATM or by a simple electronic transfer from a bank account. Then users can send cryptocurrency to other users’ virtual wallets, convert to other forms of cryptocurrency, and so on.

THE FUNDS TRAVEL RULE

With these conceptual building blocks in place, it is now possible to understand the rule as applied to cryptocurrency exchangers. To begin, FinCEN, the enforcement arm of the US Department of the Treasury, first issued the rule, Title 31 of the Code of Federal Regulations, Section 103.33(g), in 1995 with wire transfers in fiat currency in mind.

For any transaction of cash totaling $3,000 or more, the rule requires banks and certain nonbank financial institutions such as casinos and money services businesses to verify their customers’ identities, identify the original parties and beneficiaries of transfers over a certain amount, and transmit that information to counterparties if they exist.

The rule also requires financial institutions to maintain records of the information that is passed on to the next financial institution. The rule was designed to help law enforcement agencies detect, investigate, and prosecute money laundering and other financial crimes by preserving an information trail about persons sending and receiving funds through funds transfer systems.

FinCEN has issued guidance making clear that crypto exchangers must comply with the rule. In 2011, FinCEN issued a final rule amending definitions and other Bank Secrecy Act regulations relating to money services businesses to provide that money transmission covers the acceptance and transmission of value that substitutes for currency.

Cryptocurrency is this type of substitute and is covered by that regulation. In March 2013, FinCEN issued guidance further clarifying this point and providing that the BSA’s anti-money laundering, AML, provisions apply to all transactions involving money transmission – including virtual currency. Specifically, FinCEN specified that those who are engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency meet the regulatory definition of a money transmitter.

Thus, as money transmitters, virtual currency exchangers must comply with the BSA by registering with FinCEN, having a risk-based know-your-customer and anti-money laundering program designed to prevent the exchanger from being used to facilitate money laundering and terrorist finance, and filing suspicious activity reports with FinCEN.

Finally, in clarifying guidance issued in May 2019, FinCEN expressly stated that as money transmitters, cryptocurrency exchangers must also comply with the rule. This means that crypto exchangers who are originating transfers must submit to the beneficiary exchanger – that is, whatever entity acts as the custodian of a customer’s wallet – the customer’s name, address, and other information required by the rule.

OBSTACLES TO COMPLIANCE

FinCEN has made explicit that it expects crypto exchangers to comply with BSA/AML requirements, including the rule. For instance, in his November 2019 speech, Blanco stated that the rule applies unequivocally to the cryptocurrency sector, emphasizing: “In fact, to date, it is the most commonly cited violation by the IRS against [money services businesses] engaged in” cryptocurrency transmission.

Despite FinCEN’s clear expectations and several enforcement actions by the US Department of Justice against crypto exchangers who flout BSA/AML obligations, many cryptocurrency exchanges are not yet compliant with the rule. In fact, crypto industry groups debate whether and how they will comply with this rule. What’s standing in the way of compliance?

Here is where these crypto concepts come into play. The inherently pseudonymous nature of transactions on the blockchain, as well as the decentralized nature of cryptocurrencies, are an obstacle to compliance.

Most cryptocurrency exchanges do not currently have the infrastructure in place to obtain, hold, and transmit identifying information of both parties of a transaction, much less to do so in compliance with existing privacy laws such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act.

Equally as significant, unlike the fiat banking system, cryptocurrency firms are decentralized: There are many different cryptocurrencies, created and administered by different players operating out of various jurisdictions. Further complicating matters is the fact that there are numerous technologies and channels for crypto transactions, including virtual wallets, peer-to-peer exchanges, cryptocurrency ATMs, decentralized applications, initial coin offerings, internet casinos, and multisignature wallets.

Historically, there has been little coordination between these different cryptocurrency systems. As a result, there is no global consensus as to the technology on which information sharing would be run, funded, and regulated. On top of that, the crypto ecosystem includes crypto mixers whose function is to mask the source of crypto funds. These anonymous exchanges and their enthusiasts point to the fact that the original concept behind was to exchange tokens without any need for third-party oversight, and object to measures that would diminish privacy and sovereignty in the crypto space.

While there are competing visions for how crypto exchanges will implement the technology needed to comply with the rule, all proposals seek to address two primary issues.

First, there needs to be some means of identifying crypto exchangers. This could be similar to the bank identifier code used by SWIFT or the international bank account number system.

Second, there must be a means for crypto exchanges to transmit customer data to one another, and that solution must be interoperable, such that data can be transmitted across all exchanges.

Various working groups and crypto-sleuthing firms are working on a technical solution to address these issues, with some proposing a centralized global registry of virtual currency exchange addresses and others proposing solutions anchored on blockchain or distributed ledger technology. While crypto firms race for a solution, there are some signs of an emerging consensus over a common universal language for the transfer of data.

In May, a working group convened by international industry associations representing virtual currency exchangers released a messaging standard that creates a universal common language for exchanges to use when collecting and transmitting customer data, and opines that these harmonizing conventions will facilitate the exchange of data across borders. This type of system, assuming buy-in from users, will make compliance much easier for all covered entities.

CONCLUSION

The rule will bolster AML efforts by augmenting the audit trail when virtual assets are transferred between crypto exchanges. This will mean that financial authorities such as FinCEN are better able to detect and prevent money laundering activities involving crypto.

Indeed, FinCEN’s rule, combined with the Financial Action Task Force’s version of the rule, which applies to crypto exchanges both within and outside the United States, may help to eliminate the number of exchanges, particularly anonymizing crypto mixers and tumblers, through which criminals can move funds.

The stakes are high: FinCEN has made clear that it expects crypto exchanges to immediately comply with the rule, and the obstacles to compliance have provided even small-scale exchanges with no respite from federal criminal enforcement actions for failing to comply with the BSA’s AML requirements.

This article was originally published by Law360. The original article can be viewed here.

DEVELOPMENTS SINCE PUBLICATION:

On December 18, 2020, FinCEN issued a notice of proposed rulemaking regarding a proposal to impose on banks and MSBs new reporting, recordkeeping, and customer identification verification requirements in relation to certain transactions involving cryptocurrency if the counterparty to the transaction is an unhosted wallet—that is (and to oversimplify), if the wallet does not have an account with a financial institution regulated under the BSA or certain foreign financial institutions not located in certain high-risk jurisdictions. If adopted, the proposed rule will impose new burdens on MSBs, including determining whether a counterparty is indeed an unhosted wallet, submitting currency transaction reports and verifying the identity of customers when MSB has a “reasonable basis” to believe that the counterparty to the transaction is an unhosted wallet and the transaction is greater than $10,000, and keeping records and verifying the customer’s identity when a transaction with an unhosted wallet is greater than $3,000. MSBs will also have to check the “prevailing exchange rate” for the relevant cryptocurrency at the time of the transaction to determine whether a transaction is covered by the recordkeeping and reporting thresholds, and will have to provide all counterparty names and addresses on CTRs. The comment period for the proposed Rule has already closed, but it remains to be seen whether FinCEN will promulgate a final rule before the conclusion of the Trump administration.

EDPB Provides Guidance on Personal Data Transfers Following Schrems II By: Kelly Hagedorn, David P. Saunders, and Matthew Worby

Earlier this year, in Schrems II, the Court of Justice of the EU (CJEU) invalidated the EU-US Privacy Shield.[19] That judgment also cast doubt over the validity of standard contractual clauses (SCCs) as a means by which to transfer personal data outside of the EU, in particular to the United States. Unsurprisingly, this has caused concern within organizations who rely on such transfers as part of their business model.

Data protection requirements, imposed by the GDPR, travel with any personal data whenever it is transmitted outside of the EU. Problems arise when an organization needs to transfer personal data to a jurisdiction where local laws might undermine these protections. Without some way to manage this potential conflict, it was unclear if organizations’ personal data transfers outside of the EU would be able to continue.

Unfortunately, the CJEU provided no practical guidance for organizations as to how to make international personal data transfers compliant with its ruling and did not provide any safe harbor period before its ruling took effect. However, two key efforts have been made to assist organizations meet their post-Schrems II GDPR requirements:

i. recommendations have been issued by the European Data Protection Board (EDPB);[20] and

ii. a revised set of SCCs has been published by the European Commission for consultation.

RECOMMENDATIONS ISSUED BY THE EDPB

The EDPB published a practical roadmap for organizations seeking to transfer personal data internationally in a compliant manner in the wake of Schrems II. This roadmap sets out six recommended steps:

1. MAP ALL TRANSFERS OF PERSONAL DATA

As a first step, organizations should identify and catalog all of their international personal data transfers. The EDPB used this opportunity to remind organizations that remote access to personal data, or the cloud storage of personal data, may constitute transfers to be included in this exercise.

2. VERIFY THAT THIS PERSONAL DATA IS BEING TRANSFERRED IN A COMPLIANT MANNER

Once the data flows have been cataloged, the tool (for example, SCCs) that each transfer relies upon must be identified.

An international transfer of personal data should not proceed without an appropriate transfer tool in place. The transfer tools available are (i) an adequacy decision in respect of the recipient country made under Article 45 of the GDPR, (ii) one of the mechanisms provided for under Article 46 of the GDPR, including SCCs and Binding Corporate Rules, or (iii) one of the derogations provided for in Article 49 of the GDPR (such as public interest).

3. ASSESS IF THERE IS ANY LAW OR PRACTICE IN THE RECEIVING COUNTRY THAT WOULD LIMIT THE EFFECTIVENESS OF THE SAFEGUARDS CREATED BY THE TRANSFER MECHANISM IN USE

The third step requires organizations to assess each transfer tool, and identify – on a practical level – if each tool being relied upon protects personal data to the level required by the GDPR.[21]

Of principal concern, per the EDPB, is the existence of “anything in the law or practice of the [receiving country] that may impinge on the effectiveness of the appropriate safeguards” being relied upon. Schrems II highlighted the difficulties posed by the United States’ mass surveillance programs in this regard. If a transfer tool is unable to provide an adequate level of protection, despite otherwise being valid, it should not be used alone as a means of transferring personal data outside of the EU.

[19] Case C-311/18, available here.

[20] The EDPB is the body within the EU tasked with ensuring that data protection rules are applied consistently within the bloc.

[21] It should be noted that, where the transfer of personal data relies on an adequacy decision, no further steps need to be taken in this regard, apart from ensuring on a periodic basis that this decision is still in force. This is because, unlike other transfer mechanisms, an EU adequacy decision in effect states that there are no laws or practices that would undermine data protection rights in that jurisdiction.

Where an assessment is required, the EDPB recommends that this should be based on an objective review of the receiving country’s legislation or, if this is not possible, “other relevant and objective factors.” This assessment should not take into account any subjective factors, such as the type of data being transferred. If the receiving country’s laws do not allow for personal data to be protected, then further action, as detailed in step 4 below, will be required.

It is possible that a country’s legislation empowers national security agencies to access personal data. If this is the case, the assessment should consider (i) the extent to which these powers are limited to what is necessary or proportionate in a democratic society, or (ii) if they breach EU standards.[22] Any such assessment will be a complex undertaking. Helpfully, however, the EDPB does provide practical and positive recommendations in this regard. In particular, the EDPB notes that:

i. it is possible to conclude following an assessment that any potential interference permitted by a country’s laws will be limited to a similar degree to that level of potential interference allowed under the GDPR; and

ii. the existence of a comprehensive data protection law, or an independent data protection authority, can indicate that a country’s potential interference with personal data protections can be considered proportionate.

This is a pragmatic approach from the EDPB and seems to be designed to empower organizations to make positive decisions as to the ability to transfer personal data internationally, where appropriate.

In any event, the assessment should be clearly documented and undertaken carefully. The EDPB notes that organizations will be held accountable for the decisions made based on the assessment.

4. IDENTIFY AND ADOPT ANY ADDITIONAL MEASURES AS NECESSARY TO BRING THE LEVEL OF PROTECTION FOR THIS DATA TO THE LEVEL REQUIRED BY THE GDPR

It is possible that a company concludes that the transfer tool they intend to rely on, by itself, will not provide the required level of protection for personal data. This may be the case with transfers to the United States in light of Schrems II. The EDPB has however provided companies with suggestions as to how supplementary measures can be used to continue data transfers even if the tool for transfer alone is insufficient.

These supplementary measures are categorized as being of a technical, contractual, or organizational nature. All three, when used in combination, are likely to be most effective in ensuring compliance with the GDPR.

The technical measures suggested by the EDPB include:

• “State-of-the-art” encryption;

• pseudonymisation, where the personal data being transferred is altered such that an individual can no longer be identified without further information; and

• split processing, where the personal data is segmented and provided to separate parties, such that no one party can identify an individual from the data it receives.

The contractual measures listed by the EDPB include imposing obligations on recipients of the personal data to implement appropriate technical measures, or a requirement for relevant legislative developments within the recipient country to be brought to the attention of the data exporter by the recipient.

Organizational measures relate to internal policies or methods, intended to improve a company’s awareness of the risks present in transferring personal data outside of the EU.

It is important to note that these supplementary measures must be capable of ensuring, in conjunction with a transfer tool, that the level of data protection provided will meet the level required by the GDPR. If this is not the case then the transfer should not proceed.

[22] Greater guidance is available from the EDPB, available here. Broadly, EU standards are as follows:

• Processing should be based on clear, precise, and accessible rules.

• Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.

• An independent oversight mechanism should exist.

• Effective remedies need to be available to the individual.

5. TAKE FORMAL PROCEDURAL STEPS IF REQUIRED

Where supplementary measures are identified and implemented, certain formalities may need to be completed. These should be completed prior to any international transfer of personal data.[23]

6. PERIODICALLY RE-EVALUATE THE LEVEL OF PROTECTION THESE TRANSFERS ENJOY

Finally, once this process has been concluded, organizations should ensure that they monitor any developments in countries where personal data has been transferred. In the event there are any developments, these six steps should then be re-visited to ensure continued compliance with the GDPR.

DRAFT SCCS PUBLISHED BY THE EUROPEAN COMMISSION

Seemingly drafted with the EDPB guidance in mind, the European Commission has proposed a new set of SCCs. This document, currently published in draft form, was open for consultation until December 10, 2020. It is currently unclear when the final version of the revised SCCs will be published.

Importantly, and not entirely in response to Schrems II or the EDPB guidance, these draft SCCs represent a clear attempt by the European Commission to provide as practical a set of SCCs as possible. For example, the draft SCCs:

i. cater for international data transfers from a data processor to another data processor, a long overdue development;

ii. set out a new modular approach, allowing for parties to use one single template document to govern transfers from (i) controller-to-controller, (ii) controller-to-processor, (iii) processor-to-processor, and (iv) processor-to-controller; and

iii. reference the need for parties, using whichever module, to assess what constitutes an “appropriate level of security” for a transfer, account for the risks involved in a transfer, and then undertake due consideration of the technical measures that would be appropriate to safeguard a transfer.

In perhaps one of the more significant concessions to businesses put into some difficulty by Schrems II, the European Commission’s draft measures currently provide for a year’s grace period to implement these new clauses. This would give organizations time to transition from the previous form of SCCs (subject to implementing any required supplementary measures in the meantime) to the new version, whenever these are finalized.

CONCLUSION

In the face of the uncertainty that Schrems II created, it is to be welcomed that the EDPB and European Commission have sought to provide practical guidance to organizations.

This uncertainty has been compounded by the end of the Brexit transition period on December 31, 2020, following which personal data transfers from the EU to the UK will need to rely on an effective and reliable transfer tool. The finalization of the new SCCs will allow for greater stability in that regard. It is a fact that many businesses rely on international personal data transfers for various reasons, and a recognition that these should be facilitated as far as possible is a positive step.

Organizations now face the task of implementing the EDPB’s recommendations, which is where their utility and practicality will really be tested.

[23] Such formalities include, for example, where parties seek to deviate from the SCCs, or the technical measures that are required in some way contradict the SCCs. In such an instance prior approval from the appropriate Data Protection Authority would be required before any international transfer of personal data occurs.

Contributors

KELLY HAGEDORN, Partner, London | +44 330 060 5401

CHARLES D. RIELY, Partner, New York | +1 212 891-1686

MICHAEL W. ROSS, Partner, New York | +1 212 891-1669

DAVID P. SAUNDERS, Partner, Chicago | +1 312 923-8388

KATE T. SPELMAN, Partner, Los Angeles | +1 213 239-2246

WADE A. THOMSON, Partner, London | +44 330 060 5410

DAVID W. SUSSMAN, Special Counsel, New York | +1 212 891-1607

VIVIAN L. BICKFORD, Associate, Los Angeles | +1 213 239-2249

EFFIONG K. DAMPHA, Associate, Los Angeles | +1 213 239-2247

MICHAEL F. LINDEN, Associate, Chicago | +1 312 840-7409

E.K. MCWILLIAMS, Associate, Chicago | +1 312-840-7295

MADELINE SKITZKI, Associate, Los Angeles | +1 213 239-2284

MATTHEW WORBY, Associate, London | +44 776 943 1677

ALEXANDER N. GHANTOUS, Staff Attorney, Chicago | +1 312 840-7227

© 2021 Jenner & Block LLP. Attorney Advertising. Jenner & Block is an Illinois Limited Liability Partnership including professional corporations. This publication is not intended to provide legal advice but to provide information on legal matters and firm news of interest to our clients and colleagues. Readers should seek specific legal advice before taking any action with respect to matters mentioned in this publication. The attorney responsible for this publication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome.