Artificial intelligence continues to remain a focus in 2021, as we predicted at the start of the year. From the FTC, to the EU, to others, regulators of all kinds are paying attention to companies’ use of these tools. In the latest, five US federal agencies are seeking input on how financial institutions are using AI tools. Comments from stakeholders are due by June 1, 2021.
Continue Reading Federal Financial Agencies Seek Comments on Use of Artificial Intelligence

The FTC recently settled with Ascension Data & Analytics for failure to oversee service providers. Ascension provides services to mortgage companies within its corporate family of entities. According to the complaint, Ascension uses third parties to provide some of its services. One of those, OpticsML, had access to tax returns for approximately 60,000 customers. OpticsML stored the information on a cloud-based server which server was publicly accessible for a year. During that time the tax documents were accessed by unauthorized individuals. The originating IP addresses were in Russia and China.  Although the security incident was that of OpticsML, the FTC alleged that Ascension violated the Gramm-Leach-Bliley Act’s Safeguards Rule. Namely, the company failed to properly oversee its service providers and it failed to adequately assess risk. In particular, the FTC alleged that:
Continue Reading FTC Settles Over Alleged Failure to Manage Service Providers

Israel’s investment industry has been reported as growing, and not surprisingly it has received interest from the Israeli Securities Authority. Late last year the ISA surveyed several funds and found that they were not following the requirements of Israel’s privacy laws. This resulted in a recent letter sent by the ISA to fund managers, warning the managers to take steps to protect customer information. Israel, like most countries around the globe, has a privacy law and corresponding regulations. Unlike many other jurisdictions, though, its privacy law has been deemed “adequate” by the EU, and as such, compliance can be a fairly rigorous exercise.  Accompanying the ISA letter were “insights” on how to protect information, including things like software updates and user authentication. Included in the insights were recommendations that are not included in Israel’s privacy law or regulation. However, the insights do mirror requirements that exist under Israeli laws for banks and insurance companies.
Continue Reading Israel Expresses Concerns Over Investment Fund Security Measures

In a recent letter, the New York Department of Financial Services provided guidance for insurers who use third party data to help with their underwriting decisions. The letter was drafted in response to reports that insurers are getting information about potential insureds from many “unconventional” data sources, including those that contain predictive models and algorithms. These sources are used to supplement medical underwriting, and include information that isn’t necessarily related to a person’s medical condition, but might impact an insurer’s decision. While these sources could improve the market, according to NYDFS (e.g., by simplifying and expediting life insurance sales and making pricing more accurate) the sources themselves are not uniformly reliable. NYDFS had two specific concerns about these sources: first, that the algorithms they use may have a negative impact on consumers; and second, that these sources are often used without the consumers’ knowledge.
Continue Reading New York Department of Financial Services Releases Letter Regarding Third Party Data Sources