Photo of David Stein

David Stein

Subscribe to David Stein's Posts

David Stein advises clients on credit reporting, financial privacy, financial technology, payments, retail financial services, and fair lending issues. He assists a broad range of financial services firms, consumer reporting agencies, financial technology companies, and their vendors with regulatory, compliance, supervision, enforcement, and transactional matters.

Mr. Stein has significant experience advising clients on compliance with the FCRA, GLBA, ECOA, EFTA, E-Sign Act, TILA, TISA, FDCPA, Dodd-Frank Wall Street Reform and Consumer Protection Act, and FTC Act, as well as state financial privacy laws. Mr. Stein is a member of the firm’s fintech and artificial intelligence initiatives and works with clients on issues related to cutting edge technologies, such as blockchain, virtual currencies, big data and data analytics, artificial intelligence, online lending, and payments technology.

Mr. Stein previously served in senior regulatory, policy-making, and management positions at the Consumer Financial Protection Bureau (CFPB) and the Federal Reserve Board (FRB). He played a significant role in developing regulations and policy on credit reporting, financial privacy, retail payments systems, consumer credit, fair lending, overdraft services, debit interchange, unfair or deceptive acts or practices, and mortgage origination and servicing. Mr. Stein draws upon his government experience in representing clients before the CFPB, the FRB, and other regulatory agencies and leverages his insights into the regulatory process to provide clients with practical, actionable advice.

Contact: Read more about David SteinEmail

On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”).  Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.

In addition, the FTC is proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.”  Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.

Proposed Revisions to the Safeguards Rule’s Information Security Program Requirements

The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction.  The Rule, which first went into effect in 2003, requires financial institutions to develop, implement, and maintain a comprehensive information security program.  As currently drafted, the Safeguards Rule has few prescriptive requirements, but instead generally directs financial institutions to take reasonable steps to protect customer information.

The FTC’s proposed revisions would add substantially more detail to these requirements.  Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposed changes is “to better protect consumers and provide more certainty for business.”  The new requirements are primarily based on the cybersecurity regulations issued by New York Department of Financial Services (“NYSDFS”), and the insurance data security model law issued by the National Association of Insurance Commissioners.
Continue Reading FTC Proposes to Add Detailed Cybersecurity Requirements to the GLBA Safeguards Rule

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with online payment systems operator Dwolla, Inc., based on allegations that Dwolla deceived consumers about its data security practices and the safety of its online payment system. The CFPB brought this action under its authority in Sections 1031(a) and 1036(a)(1)