The DMA requires that companies provide consumers with options on how their personal data is used in order to ensure fair business practices within the tech sector. Under the DMA, app developers distributing their apps via Apple’s App Store should be able to inform customers, free of charge, of alternative offers outside the App Store, steer them to those offers and allow them to make purchases. However, the EU found that Apple imposed numerous restrictions that effectively restricted consumers from doing so. The EU found that consumers could not fully benefit from alternative and cheaper offers as Apple prevents app developers from directly informing consumers of such offers. Apple did not adequately show that these restrictions are objectively necessary and thus were in violation of the DMA’s anti-steering obligation.

Meta “Consent or Pay” Advertising Model Illegal

In regard to Meta, the EU found that the social media platform giant violated the DMA by not allowing its users to exercise their right to freely consent to the combination of their personal data. Under the DMA, companies such as Meta are required to seek users’ consent for combining their personal data between services. Those users who do not consent must have access to a less personalized but equivalent alternative.

“In November 2023, Meta introduced a binary “Consent or Pay” advertising model. Under this model, EU users of Facebook and Instagram had a choice between consenting to personal data combination for personalized advertising or paying a monthly subscription for an ad-free service,” according to the EU. “However, according to the EU, this model is not compliant with the DMA “as it did not give users the required specific choice to opt for a service that uses less of their personal data but is otherwise equivalent to the ‘personalised ads’ service.”

Ultimately, the “Consent or Pay” model which provided users of Facebook and Instagram with an option to either consent to their personal data being used for advertisements or paying a subscription for an ad-free service was in violation of the DMA. However, since Meta did not provide an option to opt-in into a service that used less of their personal service, the EU found such a model noncompliant.

According to the EU, Meta introduced another version of the free personalized ads model, offering a new option that allegedly uses less personal data to display advertisements. The EU is currently analyzing the model to assess whether it is compliant with the DMA.

“Apple and Meta have fallen short of compliance with the DMA by implementing measures that reinforce the dependence of business users and consumers on their platforms,” Teresa Ribera, an executive vice president at the European Commission, said. “We have taken firm but balanced enforcement action against both companies, based on clear and predictable rules.”

Both companies are expected to appeal the decisions however, each are required to comply with the decision within 60 days or else will be subject to additional fines.  

The post EU Hits Apple and Meta with Fines for Digital Markets Act Violations appeared first on Compliance Chief 360.

The task force’s focus will be to assist the SEC in defining clear rules and boundaries for regulatory oversight and develop practical and achievable ways for companies, securities, or financial products to comply with SEC registration requirements. It will also create guidelines for companies to provide necessary and meaningful disclosures to investors without being overly burdensome or impractical.

The SEC perceives such the task force as way to both ensure that the agency itself performs better and to provide more clarity when it comes to crypto regulation. According to the SEC the task force will collaborate with agency staff and the public to “set the SEC on a sensible regulatory path that respects the bounds of the law.”

While under the leadership of former Chair Gary Gensler, the SEC faced much criticism on its approach to crypto regulation. Until the launch of this task force, the SEC primarily relied on enforcement actions that would have a retroactive regulatory effect on crypto rather than proposing clearcut rules.

“To date, the SEC has relied primarily on enforcement actions to regulate crypto retroactively and reactively, often adopting novel and untested legal interpretations along the way,” according to a SEC press release. “Clarity regarding who must register, and practical solutions for those seeking to register, have been elusive. The result has been confusion about what is legal, which creates an environment hostile to innovation and conducive to fraud. The SEC can do better.”

The Task Force’s Specific Focuses

According to the SEC, the task force’s undertaking will “take time, patience, and much hard work. It will succeed only if the task force has input from a wide range of investors, industry participants, academics, and other interested parties.” Many crypto firms have already begun submitting proposals such as allowing traditional broker-dealers to operate in the cryptocurrency market. in its mission to create a regulatory framework

Although it has and continues to receive ideas from crypto firms, the task force will prioritize the following objectives  its mission to create a regulatory framework:

• Security Status: The task force is studying different types of crypto assets to determine how securities laws apply to them, as this affects many other regulatory questions.
• Defining Jurisdiction: The task force is identifying areas that may not fall under SEC oversight.
• Coin and Token Offerings: The task force is considering temporary rules to allow certain token offerings to operate without uncertainty, as long as the issuer provides regular, accurate disclosures and agrees to SEC oversight in fraud cases. This would offer clarity until permanent rules or legislation are established.
• Registered Offerings: The task force will explore ways to improve existing registration options, to make it easier for token issuers to comply with SEC rules.
• Special Purpose Broker-Dealer: The task force is looking at revising the special-purpose broker-dealer framework, including allowing firms to hold both securities and non-securities crypto assets, and identifying other registration challenges.
• Custody Solutions for Investment Advisors: The task force will work with investment advisers to provide an appropriate regulatory framework within which advisers can safely, legally, and practically custody client assets themselves or with a third-party.
• Crypto Lending and Staking: The task force aims to clarify whether crypto lending and staking programs are subject to securities laws and, if so, how they can be structured to comply with regulations.
• Crypto Exchange-Traded Products (“ETPs”): The task force will help the SEC clarify its decision-making process for approving or rejecting new crypto ETPs. It will also consider updates to existing ETPs, like allowing staking or different ways of handling fund shares, but custody and other issues must be addressed first.
• Clearing Agencies and Transfer Agents: The task force will explore how blockchain and crypto assets fit within clearing and transfer rules, including their role in modernizing traditional financial markets.
• Cross-Border Sandbox: Since many crypto projects operate globally, the task force is considering ways to support limited, temporary international regulatory experiments, with the possibility of long-term solutions.

Although the task force initially said that it is open to ideas from industry participants and academics, it also welcomes public input. Anyone who would like to submit a comment to the task force can do so at Crypto@sec.gov.  

The post SEC Launches Cyrpto Task Force appeared first on Compliance Chief 360.

In the FTC’s complaint, the agency alleged that H&R Block unfairly required costumers seeking to downgrade to a cheaper H&R Block product to contact customer service, unfairly deleted users’ previously entered data and made deceptive claims about “free” tax filing.

The settlement requires H&R Block to make it easier for consumers to downgrade products and by eliminating its practice of completely deleting consumers’ previously entered data upon downgrade.

By February 15, 2025, H&R is required to allow consumers to downgrade products using a chatbot or other automatic means, instead of requiring them to call customer service or chat with a live customer service agent.

In addition to the $7 million payment, the settlement requires H&R Block, by the 2026 tax filing season, to stop completely deleting consumers’ previously entered information. Specifically, when H&R Block customers downgrades back to the product they upgraded from, the company must ensure that they return to the same point in filing where they were when they upgraded, which will save costumers significant time and effort.

H&R Block must also provide an easily noticeable and always available way for consumers to downgrade without having to call customer service or chat with a live customer service agent.

The settlement also requires H&R Block to disclose in its “free” advertising either the percentage of taxpayers who are eligible to use any “free” products or that the majority of taxpayers do not qualify.  

The post FTC Cracks Down on H&R Block Over Unfair Consumer Practices appeared first on Compliance Chief 360.

ith the rise of AI and regulatory uncertainty, Chief Audit Executives (CAEs) are expected to face mounting pressure from the Board to address emerging risks and strengthen mitigation efforts. According to Gartner, a technological research and consulting firm, as AI has emerged as both a valuable business asset and a potential threat, CAEs are pressured by the board to provide assurance over risk management.

“2025 brings more high-profile risks and opportunities that are driving growing board focus on risk management, so CAEs need to be sure they are effective in helping the audit committee (AC) discharge its risk oversight responsibilities,” said Margaret Porter, Chief of Research in the Gartner Assurance Practice.

Most of the time CAEs only get less than 30 minutes with audit committees and are therefore forced to maximize their limited time. During these meetings, CAEs should prioritize highlighting risk trends, root causes, and systemic governance issues. Meanwhile, they can hand out supplemental materials in order to provide an understanding of the background information.

AI Risks

According to Gartner, AI risks can take on many forms, including behavioral risks, transparency risks, and security and data risks:

• Behavioral risks are related to the ways algorithms and IT systems can misbehave in their performance, such as by creating inaccurate or biased results, providing outdated information or not complying with scoping requirements.
• Transparency risks are related to model explainability and disclosure of AI involvement.
• Security and data risks are related to the ways in which accidental or intentional leakage or misuse of personal or confidential information can impact the enterprise.

“While most audit leaders accept it is important to cover key AI risks in the next 12 months, less than a quarter feel confident in their ability to do so,” said Porter. “To increase their confidence in providing assurance over complex AI risks, audit should collaborate with assurance partners to assess and prioritize AI risk coverage needs.”

To better support the organization in managing and assessing AI risks, Gartner experts recommend internal audit work with legal, compliance, and risk teams to:

• Get organized for AI accountability and define enterprise practices
• Discover and inventory all AI used in the organization
• Revisit and implement AI data classification, protection and access management
• Implement technical controls to support and enforce policies
• Conduct ongoing governance, monitoring, validation, testing and compliance throughout the whole process.  

The post CAEs to Face Rising Pressure with the Emergence of AI appeared first on Compliance Chief 360.

According to the SEC’s order, in September 2022, an unknown third-party hijacked a pre-existing email chain between what was then American Stock Transfer and a U.S.-based public-issuer client. The hacker, pretending to be an employee at the issuer, then instructed American Stock Transfer to issue millions of new shares of the issuer, liquidate those shares, and send the proceeds to an overseas bank. As a result,  American Stock Transfer followed these instructions and transferred approximately $4.78 million to bank accounts located in Hong Kong, of which American Stock Transfer was able to recover approximately $1 million.

In addition, the SEC found, around April 2023, in an unrelated incident, someone used stolen Social Security numbers of certain American Stock Transfer accountholders to create fake accounts that were automatically linked by American Stock Transfer to real client accounts based solely on the matching Social Security numbers, even though the names and other personal information associated with the fraudulent accounts did not match those of the legitimate accounts. This allowed the thief to liquidate securities held in the legitimate accounts and transfer a total of approximately $1.9 million in proceeds to external bank accounts, of which American Stock Transfer was able to recover approximately $1.6 million.

“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique Winkler, Director of the SEC’s San Francisco Regional Office. “As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”

In finding that Equiniti failed to assure that: (i) all securities in its custody or possession related to its transfer agent activities were held in safekeeping and were handled in a manner reasonably free from risk of theft, loss or destruction and (ii) all funds in it possession were protected against misuse, the SEC concluded that that the transfer agent violatedSection 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12. In addition to the civil penalty referenced above, Equiniti agreed to a cease-and-desist order and censure.  

The post Equiniti Trust Penalized by SEC for Failing to Protect Client Assets from Cyber Theft appeared first on Compliance Chief 360.

The SEC announced that the firms admitted their failures, acknowledged that their conduct violated numerous recordkeeping provisions of the federal securities laws, agreed to pay combined $392.75 million in fines, and have begun implementing improvements to their compliance policies and procedures to address these violations. The charged firms included well known banks such as RBC Capital Markets, BNY Mellon, TD Securities, Edward D. Jones, and many more.

These charges represent the government’s ongoing mission of suppressing off-channel communications between broker-dealers and investment advisors. “As today’s enforcement actions against more than two dozen firms reflect, we remain committed to ensuring compliance with the books and records requirements of the federal securities laws, which are essential to investor protection and well-functioning markets,” said Gurbir Grewal, Director of the SEC’s Division of Enforcement. “Among this group of firms, there are several that differentiated themselves by self-reporting prior to the staff’s investigation, demonstrating once again the real benefits of proactive cooperation.”

Each of the SEC’s investigations uncovered longstanding use of unapproved off-channel communications at these firms. As described in the SEC’s orders, the firms admitted that their employees sent and received off-channel communications that were records required to be maintained under the securities laws. The failure to maintain and preserve required records deprives the SEC of these communications in its investigations. The failures involved personnel at multiple levels of authority, including supervisors and senior managers.

The firms were each charged with violating certain recordkeeping provisions of the Securities Exchange Act, the Investment Advisers Act, or both. The firms were also each charged with failing to reasonably supervise their personnel with a view to preventing and detecting those violations.

CFTC Fines Banks for Failing to Uphold Recordkeeping Requirements

The CFTC fined multiple banks for similar recordkeeping violations. The Commission discovered that multiple financial institutions did not stop their employees from communicating through off-channel platforms such as IMessage or WhatsApp. The CFTC additionally found that the firms did not preserve the communications which added onto its violations

According to the CFTC, some firms, such as Truist Bank self-reported their violations which was heavily accounted for when determining their respective penalties. “In responding to an industry-wide and consequential problem, Truist set itself apart from the more than 20 other registrants the CFTC brought actions against for use of unapproved communications methods. How? Truist made the decision to self-report to the Division of Enforcement it had serious recordkeeping and supervisory failures. It is the only registrant to do so,” said Director of Enforcement Ian McGinley.

“Truist’s decision to self-report, cooperate, remediate, and be held accountable allowed it to benefit in the form of a substantially reduced penalty,” Director McGinley added. “At the same time, the CFTC’s message remains clear—recordkeeping and supervision requirements are fundamental, and registrants that fail to comply with these core obligations do so at their own peril.”

These charges once again display the government’s mission in combatting off-channel communications among broker-dealers and investment advisors. This is not the first time that they have gone after broker-dealers and investment advisors for their use of off-channel communications as a means to do business. In August 2023, the SEC and CFTC collected $555 million in penalties for recordkeeping failures and in 2022 the agencies collected $1.8 billion for similar conduct.  

Jacob Horowitz is a contributing editor at Compliance Chief 360° 

The post SEC and CFTC Fine Firms $474 million for Recordkeeping violations appeared first on Compliance Chief 360.

The complaint alleges that TikTok and ByteDance failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.

“TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina Khan. “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.”

“The Justice Department is committed to upholding parents’ ability to protect their children’s privacy,” said Principal Deputy Assistant Attorney General Brian Boynton. “This action is necessary to prevent the defendants, who are repeat offenders and operate on a massive scale, from collecting and using young children’s private information without any parental consent or control.”

ByteDance and its related companies allegedly were aware of the need to comply with the COPPA Rule and the 2019 consent order and knew about TikTok’s compliance failures that put children’s data and privacy at risk. Instead of complying, ByteDance and TikTok spent years knowingly allowing millions of children under 13 on their platform designated for users 13 years and older in violation of COPPA, according to the complaint.

As of 2020, TikTok had a policy of maintaining accounts of children that it knew were under 13 unless the child made an explicit admission of age and other rigid conditions were met, according to the complaint. TikTok employees allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child.

The company allegedly continued to collect personal data from these underage users, including data that enabled TikTok to target advertising to them—without notifying their parents and obtaining their consent as required by the COPPA Rule. Even after it reportedly changed its policy not to require an explicit admission of age, TikTok still continued to unlawfully maintain and use personal information of children, according to the complaint.

TikTok’s practices prompted its own employees to raise concerns. As alleged, after failing to delete numerous underage child accounts, one compliance employee noted, “We can get in trouble … because of COPPA.”

TikTok Allowed Children to Bypass the Age Requirement

In addition, the complaint alleges that TikTok built back doors into its platform that allowed children to bypass the age gate aimed at screening children under 13. TikTok allegedly allowed children to create accounts without having to provide their age or obtain parental consent to use TikTok by using credentials from third-party services like Google and Instagram. TikTok classified such accounts as “age unknown” accounts, which grew to millions of accounts, according to the complaint.

TikTok also allegedly made it difficult for parents to request that their child’s accounts be deleted. When parents managed to navigate the multiple steps required to submit a deletion request, TikTok often failed to comply with those requests. TikTok also imposed unnecessary and duplicative hurdles for parents seeking to have their children’s data deleted. That practice allegedly continued even after the executive responsible for child safety issues told TikTok’s then-CEO, “we already have all the info that’s needed” to delete a child’s data when a parent requests it, yet TikTok would not delete it unless the parent fills out a second, duplicative form. If the parent did not do that, the executive allegedly added, “then we have actual knowledge of underage user[s] and took no action!”

Additionally, the complaint alleges that TikTok failed to:

• Notify parents about all of the personal data they were collecting from children;
• Obtain parental consent for the collection and use of that data;
• Limit the collection, use, and disclosure of children’s personal information; and
• Delete children’s personal information when requested by parents or when it was no longer needed.

The complaint asks the court to impose civil penalties against ByteDance and TikTok and to enter a permanent injunction against them to prevent future violations of COPPA.  

The post FTC Investigation Triggers Lawsuit Against TikTok for Children’s Privacy Violations appeared first on Compliance Chief 360.

In his final ruling, Judge Amit Mehta held that as a result of suppressing competition by paying billions of dollars to operators of web browsers and phone manufacturers to be their default search engine, Google has become a monopolist and “it has acted as one to maintain its monopoly.”

Judge Mehta emphasized that Google’s illegal practices has resulted in anticompetitive behavior. The tech giant’s exclusive deals with Apple and other large mobile companies that resulted in the preloading of Google’s search engine as the exclusive and default engine displays the company’s illegal practices. These contracts drove Google’s online advertising business as it transformed its search engine into the most convenient platform to access.

“This victory against Google is an historic win for the American people,” said Attorney General Merrick Garland. “No company — no matter how large or influential — is above the law. The Justice Department will continue to vigorously enforce our antitrust laws.” “This landmark decision holds Google accountable. It paves the path for innovation for generations to come and protects access to information for all Americans,” said Assistant Attorney General Kanter. “This victory is a reflection on the tireless efforts of the dedicated public servants at the Antitrust Division and our state law enforcement partners whose work made today’s decision possible.”

In response to the final ruling as well as Attorney Garland’s statement Google’s head of global affairs Kent Walker released his own statement that that displays the company’s dissatisfaction with the ruling. “This decision recognizes that Google offers the best search engine but concludes that we shouldn’t be allowed to make it easily available,” he said in a written statement that quoted complimentary passages from Mehta’s decision. “As this process continues, we will remain focused on making products that people find helpful and easy to use.”

What Does This Mean For the Future of Tech

Since Judge Mehta has yet to impose any penalties since Google has yet to appeal, the implication of this ruling is not completely clear. According to many, the most likely penalty imposed on Google will be a court order to terminate its existing contracts with Apple and other mobile companies. Ultimately, this case paves the way for AI-powered search engines to enter the industry and take control of what Google has to relinquish.

This case also teaches a valuable lesson to big tech companies to be cautious when drafting a contract that entails a sense of exclusivity. “If you’ve got a dominant product, you’ve got to be very careful to make sure that your licensing and contract agreements are open, because making them exclusive can be dangerous,” said University of Pennsylvania Carey Law School antitrust scholar, Herbet Hovenkamp. No longer can companies form contracts that aim to transform a product into a default platform for all users.

Although this decision will play a significant role in Google’s future business practices, it will have an even larger role for the tech industry as a whole. For now on, companies will have to be very careful when engaging in business agreements with third parties to use its products or else they will face a similar result to Google. This case is only the start of big tech antitrust lawsuits as companies such as Apple, Amazon and Meta face their own respective antitrust allegations.  

Jacob Horowitz is a contributing editor at Compliance Chief 360° 

The post Google Loses Antitrust Case For Having Dominant Search Engine appeared first on Compliance Chief 360.

The lawsuit accused Meta of using its users biometric data that is contained in photos and videos on Facebook without receiving permission to do so. As a result of this activity Facebook exploited the personal information of users and non-users alike to grow its empire and reap historic windfall profits.

“Companies that operate in Texas must be held accountable for their actions, particularly when it puts the privacy of Texans at risk. We’re grateful to have had the opportunity to work with the Office of the Attorney General, and we appreciate how the court handled this lawsuit,” attorneys Sam Baxter and Jennifer Truelove said in a written statement.

Texas Alleged that Meta Violated its Data Privacy Laws

AG Paxton alleged Meta of violating Texas’s Capture or Use of Biometric Identifier Act and the Deceptive Trade Practices Act (CUBI). The claimed violation rose out of Meta’s “Tag Suggestions” feature on Facebook that consisted of an automated photo tagging feature when users upload photos or videos. Facebook introduced the facial recognition technology in 2010 which provided users with an easier way of tagging their friends. In 2021, the company announced that it would cease to use the technology after settling a case in which it was sued for violating Illinois’ ​​biometric privacy law.

“It was the first time the State of Texas sought to enforce its biometric-privacy law since enactment, requiring our team to develop novel litigation approaches and analyze important questions of first impression,” Zina Bash, representative attorney for Texas, said in a written statement. “And it was the first time a single state has ever achieved a settlement of this magnitude — which is even more rewarding because of the record time in which we obtained it. When we filed the case in 2022, we knew the state wanted to move quickly, and our team was relentless in litigating the case.”

In February 2022, Paxton filed a lawsuit in Texas state court against Facebook’s parent company, accusing it of violating the CUBI act by failing to obtain consent from Facebook users before collecting their data. The state also claimed that Meta unlawfully disclosed this data to third parties and failed to delete the data within the time frame specified by CUBI.

A Meta spokesperson said the company was “pleased to resolve this matter and look forward to exploring future opportunities to deepen our business investments in Texas, including potentially developing data centers.”  

Jacob Horowitz is a contributing editor at Compliance Chief 360° 

The post Meta Reaches Historic Settlement Over Biometric Data Violations appeared first on Compliance Chief 360.

Green Dot violated consumer law in its marketing, selling, and servicing of prepaid debit card products, and its offering of tax return preparation payment services. For example, Green Dot failed to adequately disclose the tax refund processing fee for tax preparation services offered on a third party’s website.

The firm also blocked access to accounts of legitimate customers receiving unemployment benefits and lacked reasonable policies and procedures to help those customers cure those blocks. In addition, Green Dot did not maintain effective consumer compliance risk management and anti-money laundering programs.

In response to the Fed’s announcement, Green Dot CEO George Gresham asserted that the company would strive to correct any and all deficiencies within Green Dot’s compliance program. “We have taken and will continue taking meaningful steps to correct and remediate those issues, including significant updates to our processes, our product packaging and marketing, our management team and our compliance programs,” Gresham said. “We are committed to cooperating and partnering closely with our regulators to ensure all concerns noted in the consent order are addressed and complied with and that our customers are well-served and protected on an ongoing basis.

Fed Orders Green Dot to Improve Compliance and Address Complaints

The Board is requiring the firm to take several steps to improve these programs. Green Dot is now required to hire an independent third-party to strengthen its consumer compliance risk management program and address the root causes of consumer complaints.

The firm also must develop an effective anti-money laundering program and hire an independent third-party to conduct a review of certain transaction activities to determine whether any suspicious activity conducted through the bank was properly identified and reported.

In his response, Gresham concluded by stating that the bank “remains optimistic about our financial and regulatory positions as well as our future growth potential and opportunity as we serve and empower customers directly and through our partners.”  

The post Federal Reserve Fines Green Dot for Consumer Compliance Violations appeared first on Compliance Chief 360.