InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB’s credit card late fee rule stayed
On May 10, the U.S. District Court for the Northern District of Texas entered an opinion and order granting the plaintiffs, comprising several trade organization, its motion for preliminary injunction and placed a stay on the CFPB’s credit card late fee rule. As previously covered by InfoBytes, a suit was filed against the CFPB by multiple trade organizations to challenge the Bureau’s final rule to amend Regulation Z and limit most credit card late fees to $8.
The court decided not to address the plaintiffs’ arguments regarding the CARD Act, TILA, and APA violations due to the Court of Appeals for the Fifth Circuit opinion that the CFPB's funding structure was unconstitutional; therefore, any regulations promulgated by the CFPB would be unconstitutional. For that reason, due to the CFPB’s unconstitutional structure found by the 5th Circuit, the District Court decided that all factors weighed in favor of issuing a preliminary injunction and thus staying the final rule.
CFPB to extend 1071 rule compliance deadlines
On May 17, the CFPB announced it is extending the compliance deadlines for the small business lending rule (Section 1071 of Dodd-Frank, the “1071 rule”), which will require financial institutions to collect and report data on lending to small businesses to the Bureau (covered by InfoBytes here). Following challenges to the 1071 rule in the U.S. District Court in Texas, the rule was stayed pending the Supreme Court’s decision in CFPB v. CFSA (covered by InfoBytes here). Considering the Supreme Court’s recent decision that the Bureau’s funding is constitutional and the district court’s order requiring the CFPB to extend the rule’s compliance deadlines to compensate for the period stayed, the Bureau will issue an interim final rule to extend compliance deadlines as follows:
- Tier 1 institutions (highest volume lenders): The new compliance date is July 18, 2025, and the first filing deadline is June 1, 2026.
- Tier 2 institutions (moderate volume lenders): The new compliance date is January 16, 2026, and the first filing deadline is June 1, 2027.
- Tier 3 institutions (lowest volume lenders): The new compliance date is October 18, 2026, and the first filing deadline is June 1, 2027.
CFPB and Fed adjust dollar thresholds for Regulation CC
On May 13, the CFPB and the Fed announced inflation-adjusted changes to Regulation CC, which governed the availability of customer funds from bank deposits. The final rule altered the minimum amounts that must be made available for withdrawal by the next business day for certain types of check deposits and modified the funds from certain checks deposited into new accounts that are subject to next-day availability. Mandated by Dodd-Frank, these adjustments were based on the five-year change in the CPI for Urban Wage Earners and Clerical Workers from July 2018 to July 2023. The updated thresholds will go into effect on July 1, 2025.
FTC’s Safeguards Rule notification requirement under GLBA now in effect
On May 14, the FTC published a business blog post announcing the Safeguards Rule, an amendment to the GLBA, is in effect as of May 13. The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and aims to protect customers' private personal information through data breach reporting requirements.
Additional revisions to the Rule related to data breach reporting were announced in October 2023, with amendments requiring covered companies to notify the FTC within 30 days of a security breach impacting at least 500 consumers. For reporting, businesses must use a new online form provided by the FTC. The Rule complements existing business security measures and does not negate other state and federal legal obligations. Businesses can refer to FTC guidance for further details on the rule and compliance requirements.
House questions CFPB's rules on NSF fees and impact on small businesses
On May 9, the House Committee on Small Business expressed concerns in a letter addressed to CFPB Director, Rohit Chopra, on a proposed rule that would ban charging insufficient fund fees (NSF fees) on declined transactions (covered by InfoBytes here). The Committee argued this proposed rule could unduly complicate existing UDAAP regulations and impose additional burdens on small financial institutions.
The letter stated the CFPB did not convene a Small Business Advocacy Review (SBAR) panel and questioned the CFPB’s claims that the rule would not significantly affect a substantial number of small businesses. The Committee suggested that the CFPB’s analysis, which minimizes the impact of NSF fees on small institutions’ revenue, might be flawed and that the rule could have a significant economic impact in terms of reporting requirements and compliance, warranting a review by an SBAR panel. The Committee also challenges the CFPB’s assertion that NSF fees for certain transactions are inherently “abusive,” arguing that the CFPB is overstepping its authority by attempting to ban “business practices” altogether rather than limiting abusive practices. Finally, the Committee requests information from the CFPB on several fronts, including the number of small financial institutions affected by the rule, the compliance burden, the CFPB’s methodology for identifying UDAAP, and the CFPB's stance on disclosures compared to other financial regulations and the FTC's approach.
Agencies issue NPRM on incentive-based compensation
On May 6, the FDIC, OCC, NCUA and the FHFA issued a NPRM (proposed rule) on incentive-based compensation, pursuant to Dodd-Frank’s Section 956 (Section 956), which required federal regulators to prescribe regulations or guidelines regarding incentive-based compensation at covered financial institutions. Regulators first proposed a rule to implement Section 956 in 2011, and again in 2016. Now, regulators are reproposing the 2016 version without change, albeit with certain alternatives. The current proposal, however, will be published without involvement from the Fed or SEC.
Section 956 defined “covered financial institutions” as institutions with at least $1 billion in assets and include the following: depository institutions or depository institution holding companies, registered broker-dealers, credit unions, investment advisers, Fannie Mae, and Freddie Mac (or any other financial institution that federal regulators determined should be treated as a covered financial institution). Dodd-Frank required regulators to prohibit incentive-based compensation arrangements that encouraged “inappropriate risks.” The proposed rule included prohibitions intended to make these compensation arrangements more sensitive to risk, such as a ban on incentive-based compensation arrangements that do not include risk adjustment of awards, deferral of payments, or forfeiture and clawback provisions. In addition, the proposed rule set forth recordkeeping and disclosure requirements to help federal regulators monitor potential issues.
The agencies will review both new comments and those received in 2016 for the prior proposed rule. The agencies invited those who previously submitted comments and resubmit their comments to explain how their viewpoint may have changed from their prior comments. The agencies also requested comments on the compliance date and disclosures, like the recordkeeping and clawback requirements. Comments will be due no later than 60 days following publication in the Federal Register.
House passes resolution to nullify SEC’s rule on crypto accounting guidance
On May 8, the U.S. House of Representatives passed H. J. Res. 109, the first step in an attempt to nullify the SEC’s Staff Accounting Bulletin No. 121 (SAB 121) under the Congressional Review Act. SAB 121 describes how the SEC expects entities to account for and disclose their custodial obligations to “safeguard crypto-assets held for their platform users,” and has been in effect since April 11, 2022. As previously covered by InfoBytes, in October 2023, the GAO found SAB 121 was a rule, not guidance, making SAB 121 subject to the Congressional Review Act.
HUD announces FFRMS final rule
Recently, HUD announced a final rule to implement the Federal Flood Risk Management Standard to “protect communities from flood risk, heavy storms, increased frequency of severe weather events and disasters, changes in development patterns, and erosion.” The final rule will enact the FFRMS as mandated by Executive Order 13690 by amending two HUD regulations: (i) Part 55, Floodplain Management and Protection of Wetlands; and (ii) Part 200, Minimum Property Standards. Among other things, the final rule will raise the elevations and flood proofing requirements of properties in flood-prone areas that use federal funds for new construction or are financed through HUD’s grant or subsidy programs. The revisions to Minimum Property Standards specifically target Federal Housing Administration-insured new constructions located within the 100-year floodplain. The final rule becomes effective on May 23.
FTC finalizes new rule on health data breach notification requirements
On April 26, the FTC released a final rule that will amend its Health Breach Notification Rule to require vendors of health apps and related entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify affected individuals, the FTC, and in some cases, the media of a health data breach. The NPRM was published in May 2023 (covered by InfoBytes here). The final rule will apply to breaches of unsecured personally identifiable health data and, among other things, clarify that a “breach of security” to include “an authorized acquisition of unsecured [personal health record] identifiable health information that occurs as a result of a data security breach or unauthorized disclosure.” Further, the final rule will define a “[personal health record’s] identifiable health information” to cover health diagnoses, medications, health information tracked on applications or websites, or emergent health data to adopt health apps and privacy and data security risks collected by these technologies.
Under the rule, the FTC will require each vendor who discovered it was the target of a security breach of personal health record identifiable health information to notify each U.S. resident whose information was compromised during the security breach, notify the FTC, and, in cases where 500 or more residents are confirmed or reasonably believed to have been affected by the breach, to notify “prominent media outlets” no later than 60 days after the discovery of the breach (with an exception for law enforcement concerns). The rule will go into effect 60 days after the date of publication in the Federal Register.
DFPI annual report highlights consumer protection efforts and upcoming regulations
On April 25, the California DFPI released its Annual Report of Activity under the California Consumer Financial Protection Law (CCFPL), highlighting investigations, public actions, and consumer outreach efforts under the CCFPL. According to the report, the DFPI (i) experienced a 70 percent increase in CCFPL complaints, which predominantly involved crypto assets and debt collectors; (ii) opened 734 CCFPL-related investigations and issued 181 public CCFPL actions; (iii) launched the Crypto Scam Tracker and a new consumer complaints portal; and (iv) advanced two rules, including unlawful, unfair, deceptive, or abusive acts and practices (UUDAAP) protections for small businesses and new registration requirements (pending final approval by the Office of Administrative Law) for earned wage access, debt settlement services, debt relief services, and private postsecondary education financing products.
The report emphasized that the new regulations specified that optional payments, such as tips, collected by California Financing Law (CFL)-licensed lenders would be considered charges under the law. According to the DFPI, these updates will reinforce the CFL by blocking potential loopholes and ensuring compliance among CFL-licensed lenders. Once these regulations would be approved, DFPI will oversee these financial service providers. Upon adoption, DFPI says it will be a pioneer in defining “earned wage access” as loans and regulating income advance services and the treatment of tips as charges, all through regulatory measures rather than statutory enactment.