InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB Director speaks on new and proposed rules for data brokers
On April 2, the Director of the CFPB, Rohit Chopra, delivered a speech at the White House Office of Science and Technology Policy highlighting President Biden’s recent Executive Order (EO) to Protect Americans’ Sensitive Personal Data and how the CFPB will plan to develop rules to regulate “data brokers” under FCRA. As previously covered by InfoBytes, the EO ordered several agencies, including the CFPB, to better protect Americans’ data. Chopra highlighted how the EO not only covered data breaches but also regulated “data brokers” that ingest and sell data. According to the EO, “Commercial data brokers… can sell [data] to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments.”
Consistent with the EO, the CFPB will plan to propose rules this year that will regulate “data brokers,” as per its authority under FCRA. Specifically, the proposed rules would include data brokers within the definition of “consumer reporting agency”; further, a company’s sale of consumer payment or income data would be considered a “consumer report” subject to requirements, like accuracy, customer disputes, and other provisions prohibiting misuse of the data.
FinCEN seeks public comment for changing SSN requirements during customer identification
On March 29, FinCEN published a request for information (RFI) and comment in the Federal Register, in consultation with the OCC, FDIC, NCUA, and the Fed, to receive more information on the Customer Identification Program (CIP) Rule requirement. This announcement extended the comment period as the regulators explored how banks can better collect a customer’s social security number (SSN). Specifically, FinCEN sought information on the “potential risks and benefits” if banks were to be allowed to collect partial SSNs from customers, and then used a “reputable” third-party source to obtain the full SSN. FinCEN noted there has been “expressed interest” in permitting this practice. Written comments must be received on or before May 28.
Agencies extend applicability date of certain provisions of their Community Reinvestment Act final rule
On March 21, the FDIC, Fed, and OCC jointly issued an interim final rule to extend the applicability date of certain provisions of the Community Reinvestment Act (CRA) final rule and requested comments on the extension. As previously covered by InfoBytes, the final rule was intended to modernize how banks comply with the CRA, a law that encouraged banks to help meet the credit needs of low- and moderate-income communities.
Stated “[t]o promote clarity and consistency,” the agencies have postponed the applicability date of the facility-based assessment areas and public file provisions from April 1, 2024, to January 1, 2026. As a result, banks would not be required to modify their assessment areas or public files in response to the final rule until the new 2026 date. This extension would put these elements on the same timeline as other components of the 2023 CRA final rule that also would take effect on January 1, 2026, including the performance tests and geographic area provisions.
The agencies also made technical, non-substantive updates to the CRA final rule and related agency regulations that reference it. One of these technical adjustments specified that banks are not required to update their public CRA Notices until January 1, 2026. Public comments on the postponed implementation date must be received 45 days following the rule's publication in the Federal Register.
FHA implements changes to branch office registration requirements
On March 19, the FHA issued Mortgagee Letter 2024-04 to implement the provisions of a Final Rule, “Changes in Branch Office Registration Requirements.” The Final Rule will eliminate the requirement for mortgagees and lenders to register with HUD in each branch office from which they conduct FHA business, making branch registration optional and branch registration fees applicable only to branch offices that mortgagees or lenders choose to register with FHA. As previously covered by InfoBytes, FHA proposed the rule last March. Following public comments, HUD published the Final Rule without changes from the proposed rule, and the Final Rule became effective on March 4.
The Final Rule will exclude branch offices not registered with HUD from the HUD Lender List Search page. The Mortgagee Letter will summarize changes that will be incorporated into Handbook 4000.1 to implement the Final Rule, including updating the policy for registering branch offices, clarifying the “Area Approved for Business” for home offices and branch offices, updating the definitions for Branch Manager and Regional Manager, and clarifying the policy requirements that apply to registered branch offices. Although the Mortgagee Letter will go into effect immediately, it will not impact annual recertifications due to be completed by March 31; rather, the recertification fee “will be calculated based on the registered branches as of the last business day of the mortgagee’s certification period (fiscal year end).”
CFPB submits brief alleging “forum shopping,” banking groups defend their choice of venue
On March 12, the CFPB submitted a brief to the U.S. District Court for the Northern District of Texas in opposition to a motion for preliminary injunction filed by a group of industry associations, urging the court to block the implementation of a new rule that would limit the ability of large credit card issuers to charge late fees (covered by InfoBytes here).
The CFPB defended the rule by stating that it has considered all relevant factors and that the rule aimed to prevent credit card issuers from charging excessive late fees. The CFPB also argued that the case is not properly situated, as the plaintiffs lack a significant connection to the district in which they filed the lawsuit and do not have the standing to sue on behalf of others, stating “it seems not one large card issuer wants its name on the marquee… [t]he rule applies to only the largest card issuers—approximately 30–35 total entities nationwide. Plaintiffs have not identified a single one that is based in this District.” The CFPB suggested that plaintiffs have engaged in “forum shopping”—i.e., choosing this court because they believe it will be more favorable to their case, despite a lack of substantial connection to the district. The brief stated that the plaintiffs are unlikely to succeed on the merits of their claims under the Administrative Procedure Act because they failed to establish proper venue and associational standing. Additionally, the CFPB argued that an injunction was not warranted because the rule was designed to protect consumers and that preventing its implementation would be against the public interest.
On March 13, plaintiffs submitted a brief defending its motion for preliminary injunction and their choice of venue in Texas as part of an ongoing suit against the CFPB. The brief stated that according to law, the venue was appropriate if one plaintiff resided in the district, which applied to one of the Texas-based chamber plaintiffs, and if a significant portion of the related events occurred in the district, which is true as the rule impacted the local area. That plaintiff argued they have standing to sue because the issues are relevant to its “mission of cultivating a ‘thriving business climate in the Fort Worth region’” and its trade members included credit card issuers affected by the rule. Despite the CFPB’s counterarguments that the plaintiff lacked standing and that a transactional venue was not applicable, the plaintiff asserted it represented members that would be directly impacted by the rule, fulfilling the requirements for standing. Additionally, plaintiff contended that the rule's effects within the district justify the court's jurisdiction over the case.
White House targets “junk fees” in higher education with several new initiatives
On March 15, the White House issued a fact sheet on proposed measures aimed at curbing or eliminating alleged “junk fees” in higher education, citing that it found college students incurred “billions in fees” when having to pay for services they may not want. The first action the Biden Administration highlighted was a FY 2025 budget proposal that would eliminate student loan origination fees. The White House found that seven million student loan borrowers pay origination fees somewhere between one and four percent of their student loans. The second item the Biden Administration sought to end was college banking “junk fees,” citing a recent report by the CFPB on this issue (covered by InfoBytes here). To address this issue, the Dept. of Education has proposed a rule on college banking products that cannot include harmful fees. Third, the White House supports another proposed rulemaking from the Dept. of Education that would end automatic billing on tuition for textbooks, allowing students to shop around for better prices. Last, the Dept. of Education is considering a rulemaking that would stop colleges from pocketing leftover meal plan “dollars,” and instead will return the balance to students. The Biden Administration noted these were just a few items meant to help student initiatives, including increasing the transparency of college costs and preventing schools from withholding transcripts. These rules will go into effect on July 1.
Chopra discusses open banking and standard-setting
On March 13, the Director of the CFPB, Rohit Chopra, delivered prepared remarks at the Financial Data Exchange Global Summit and discussed advancing the U.S. towards open banking. Chopra outlined the current efforts and considerations surrounding the development of industry standards that would help transition consumers with switching financial products. The CFPB had been finalizing rules on Section 1033 of the CFPA which would grant consumers the right to access their financial data and would aim to protect sensitive personal financial information while promoting open banking (covered by InfoBytes here).
Chopra highlighted the importance of creating industry standards for data sharing and communication protocols, drawing parallels with existing standards in electronics and financial services. While the CFPB's proposal acknowledged the role of standards, Chopra noted that it intentionally avoided being overly “prescriptive” to avoid stifling innovation, among other things.
The speech also addressed the potential for anticompetitive behavior in the standard-setting process. Chopra noted historical instances of anticompetitive behavior, a concern that the CFPB had been monitoring closely. The Bureau will be working with the DOJ to prevent such practices.
The Bureau sought to codify what standard-setting organizations must demonstrate to be recognized under the proposed rule, then invite those organizations to begin the process of receiving formal recognition from the CFPB. Based on the comments received on the proposed rule, Chopra expects that by this fall, the final rule will “identify the areas where standards are relevant to the requirements of the final rule.” Chopra also noted the CFPB considered whether standard-setting organizations should be balanced so no entity or group of entities can “dominate[] decision making.” He noted that the Bureau will investigate the makeup of entities’ standard-setting/modification groups and funding structure, warning if an entity’s composition or funding suggests favoritism, then “that will be a problem.” Chopra noted that if the CFPB cannot identify standard-setting organizations, it is prepared to implement more detailed guidance.
Bank regulators respond to bankers’ motion to enjoin CRA final rule
On March 8, the Fed, OCC, and FDIC (the federal banking agencies, or “FBAs”) submitted a brief opposing the plaintiffs’ motion for a preliminary injunction to stop the CRA final rule from going into effect. As previously covered by InfoBytes, a group of trade, banking, and business associations filed a class-action complaint for injunctive relief against the bank regulators’ enforcement of the final rule to implement the CRA before it goes into effect on April 1. The FBAs assert that, in opposing the final rule, the plaintiffs are asking the court to “graft” two exclusions from the CRA’s purpose that are not actually in the statute: first, to exclude geographic areas where a bank conducts retail lending from the scope of the bank’s “entire community”; and second, to exclude a bank’s deposit activities from the assessment on whether a bank is meeting its entire community’s “credit needs.” The banking regulators also argued that the plaintiffs’ motion for preliminary relief should fail because the plaintiffs cannot show irreparable harm, in that they have failed to demonstrate that costs to comply with the CRA final rule, which would not apply until 2026 and 2027, were significant when considered in the context of the bank’s overall finances. Finally, the FBAs argued that the public interest and balance of equities favor allowing the final rule to proceed, as, among other factors, “the rule provides significant regulatory relief and lower compliance costs for smaller institutions by increasing the asset size thresholds that determine which performance tests apply to an institution.”
CPPA releases latest draft of automated decision-making technology regulation
The California Privacy Protection Agency (CPPA) released an updated draft of its proposed enforcement regulations for automated decisionmaking technology in connection with its March 8 board meeting. The draft regulations included new definitions, including “automated decisionmaking technology” which means “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking,” which expands its scope from its previous September update (covered by InfoBytes here).
Among other things, the draft regulations would require businesses that use automated decisionmaking technology to provide consumers with a “Pre-use Notice” to inform consumers on (i) the business’s use of the technology; (ii) their right to opt-out of the business’s use of the automated decisionmaking technology and how they can submit such a request (unless exempt); (iii) a description of their right to access information; and (iv) a description of how the automated decisionmaking technology works, including its intended content and recommendations and how the business plans to use the output. The draft regulations detailed further requirements for the opt-out process.
The draft regulations also included a new article, entitled “risk assessments,” which provided requirements as to when a business must conduct certain assessments and requirements that process personal information to train automated decisionmaking technology or artificial intelligence. Under the proposed regulations, every business which processes consumers’ personal information may present significant risk to consumers’ privacy and must conduct a risk assessment before initiating that processing. If a business previously conducted a risk assessment for a processing activity in compliance with the article and submitted an abridged risk assessment to the CPPA, and there were no changes, the business is not required to submit an updated risk assessment. The business must, however, submit a certification of compliance to the CPPA.
The CPPA has not yet started the formal rulemaking process for these regulations and the drafts are provided to facilitate board discussion and public participation, and are subject to change.
Business groups sue the CFPB over credit card late fee rule
On March 7, several business groups (plaintiffs) sued the CFPB rule in the U.S. District Court for the Northern District of Texas over its announced credit card late fee rule. As previously covered by InfoBytes, the Bureau’s new final rule limited most credit card late fees to $8, among other actions, and was met immediately with criticism from banks and legislators.
The plaintiffs’ complaint claimed the CFPB completed the rule hastily to implement a pledge made by President Biden around his State of the Union Address to reduce credit card late fees by 75 percent. The complaint further asserted the CFPB skipped necessary steps, made economic miscalculations, and otherwise breached the Administrative Procedure Act. As alleged, the Bureau likely understated “the volatility of card issuers’ cost-to-fee ratios pertaining to late fees” and improperly relied on data which does not allow for the recovery of a “reasonable and proportional” penalty fee. On the Bureau’s use of the Y-14M data, the complaint alleged the new rule ignored peer-reviewed studies and instead opted to base the rule on an internal study using confidential data that was not available for examination during the period allocated for public comment. The plaintiffs argued the final rule would incur “substantial compliance costs” by amending printed disclosures, using the cost-analysis provisions, and notifying consumers of changes in interest rates to recoup costs, among other problems. The complaint also cited TILA’s effective-date provisions and the Bureau’s embattled funding structure to support the argument that the final rule would cause irreparable harm.