The Final Prepaid Rule: Version 3.0; Refresher on the EU's GDPR
Since 1982, no less than seven different cuts of Ridley Scott's science fiction masterpiece Blade Runner have been shown to theater audiences. The initial workprint version didn't test well, so the studio re-cut it, adding a rightfully maligned voice-over and a preposterous "happy ending." Both the director and generations of film snobs-to-come found it insufferable. A version with extended, more violent fight scenes was released for international audiences, and a version with toned down violence and nudity was produced for television broadcast. In the early 90's, positive responses to an unauthorized release of the original workprint prompted the 1992 release of a director's cut version, but Ridley Scott still didn't feel he had sufficient time or control to finish it the way he wanted. In 2007, Scott was able to make the version he wanted -- the "Final Cut" -- which was released with the 25th Anniversary Edition blu-ray. Blade Runner is one of my favorite movies, and it proves that, sometimes to get something right you need a quarter of a century and at least seven iterations.
Which is to say, the CFPB is still working on the Prepaids Rule.
The initial proposed rule was released on December 23, 2014, with corrections to the proposal following on February 5, 2015. The rule went final for the first time on November 22, 2016, with an effective date of October 1, 2017. Less than four months later, on March 15, 2017, the Bureau issued another proposal, recognizing some issues with implementation of the final rule, seeking more time for additional adjustments and suggesting that the effective date be delayed six months. That proposal went final on April 25, 2017, with a new effective date of April 1, 2018. However, the Bureau believed further adjustments were still necessary, and on June 29, 2017, another proposal was issued, delaying the implementation date further and proposing changes to the regulation. While it has not yet been published in the Federal Register, the Bureau has released the third Final Rule on prepaids, and the new effective date is April 1, 2019.
With all this rule writing and rewriting, one of the more painful parts of this process has been identifying the regulatory language that would be current on the effective date. On that front, the CFPB has done us a solid: they finally released an unofficial, informal redline of the rule, allowing compliance personnel to read the rules as a whole. The redline is even bookmarked!
The FINAL Final Rule
The most recent final rule makes several changes to the rule, the most significant of which is the April 1, 2019 effective date. Other changes include:
- Revising the error resolution and limited liability provisions so that they only apply to prepaid accounts that are registered with the credit union and for which the identity of the account holder has been verified;
- Creating limited exceptions to the credit-related provisions to address situations where a credit card is linked to a digital wallet;
- Expanding situations where an account issuer can run a negative balance, if certain conditions are met;
- Making clarifications and minor adjustments to several provisions in Regulation E, including the definition of a prepaid account, unsolicited issuance of access devices, pre-acquisition disclosure requirements and submission of prepaid account agreements; and
- Technical corrections!
Refresher on the European Union's GDPR
The NAFCU Compliance Team has seen an uptick in questions about the scope of the European Union's General Data Protection Regulation (GDPR). Apparently some vendors are raising the red flag for their clients. NAFCU recently hosted a webcast (for purchase) on the GDPR which credit unions may find helpful. We also blogged about the GDPR in May of last year, and that might be worth revisiting: Privacy Laws from Across the Pond: Scoping Out the GDPR.
The GDPR's scope is drawn very broadly. It does not require the credit union to have a location in the EU or for the website user to be an EU citizen or resident for the rule to apply. Here is a section from that prior blog post:
"The Directive applied mostly to organizations that had an establishment or "means of processing" physically located within the EU. The GDPR, however, expands the application of EU privacy law to organizations not located in the EU, but doing certain business in the EU.
For entities that do not have an establishment in the EU, the GDPR applies to any organization that processes the personal data of natural persons in the EU under two circumstances: 1) when offering them goods or services, even if it's not in return for payment, or 2) in monitoring their behavior which takes place within the EU. See EU Regulation 2016/679, Ch. 1, Art. 3(2)."
The full post contains more detail, including the definitions that are necessary to really understand this scope. However, even if the credit union falls within the scope, there is still a question as to whether and when compliance with the rule may be appropriate for an individual credit union. It is not clear how the European Union would enforce the law against organizations without a presence in the EU, and neither the CFPB nor the NCUA has indicated an appetite to examine for it. Credit unions seeking a realistic assessment of the risk that GDPR noncompliance would pose should speak with an attorney experienced in international law. A proper assessment of that risk should help the credit union decide whether GDPR compliance is appropriate and necessary at this time.