InfoBytes
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
3rd Circuit finds appellant does not have FDCPA standing where only injury was confusion
On April 26, the U.S. Court of Appeals for the Third Circuit held that an appellant who sued a debt collector for allegedly violating the FDCPA did not have standing to bring her claim because she “failed to plead a concrete injury” under Article III. The appellant received a debt collection letter that failed to explicitly state if the money was owed to the original creditor or the current creditor and then filed a putative class action alleging a violation of the FDCPA. The appellant asserted that the uncertainty caused her confusion, but failed to allege that she suffered any other harm as a result of the confusion and uncertainty. Relying on precedent, the Third Circuit found that while an intangible harm such as confusion or uncertainty could qualify as a cognizable injury, it must still “bear a ‘close relationship’ to an injury ‘traditionally recognized as providing a basis for a lawsuit in American courts[.]’” Failing to do so, the court ruled that the appellant did not reach the threshold for establishing Article III injury. Therefore, the Third Circuit vacated the judgment of the district court (a dismissal for failure to state a claim) and remanded the case with instructions to dismiss the complaint.
FDIC closes Philadelphia-based bank and receives it for another bank
On April 26, the FDIC announced that the Pennsylvania Department of Banking and Securities had closed a Philadelphia-based bank and appointed the FDIC as receiver, noting that this is the first bank to “fail” this year and the first closure of a bank since November 2023. The FDIC reported that as of the end of January, the closed bank had $6 billion in total assets and $4 billion in total deposits. The FDIC entered into an agreement with a different bank from Lancaster, Pennsylvania whereby that bank will assume substantially all deposits and assets of the closed bank. All 32 branches of the failed bank became branches of the assuming bank, and customers of the failed bank became customers of the assuming bank. The FDIC estimated that the bank failure will cost the Deposit Insurance Fund $667 million.
HUD announces FFRMS final rule
Recently, HUD announced a final rule to implement the Federal Flood Risk Management Standard to “protect communities from flood risk, heavy storms, increased frequency of severe weather events and disasters, changes in development patterns, and erosion.” The final rule will enact the FFRMS as mandated by Executive Order 13690 by amending two HUD regulations: (i) Part 55, Floodplain Management and Protection of Wetlands; and (ii) Part 200, Minimum Property Standards. Among other things, the final rule will raise the elevations and flood proofing requirements of properties in flood-prone areas that use federal funds for new construction or are financed through HUD’s grant or subsidy programs. The revisions to Minimum Property Standards specifically target Federal Housing Administration-insured new constructions located within the 100-year floodplain. The final rule becomes effective on May 23.
FTC finalizes new rule on health data breach notification requirements
On April 26, the FTC released a final rule that will amend its Health Breach Notification Rule to require vendors of health apps and related entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify affected individuals, the FTC, and in some cases, the media of a health data breach. The NPRM was published in May 2023 (covered by InfoBytes here). The final rule will apply to breaches of unsecured personally identifiable health data and, among other things, clarify that a “breach of security” to include “an authorized acquisition of unsecured [personal health record] identifiable health information that occurs as a result of a data security breach or unauthorized disclosure.” Further, the final rule will define a “[personal health record’s] identifiable health information” to cover health diagnoses, medications, health information tracked on applications or websites, or emergent health data to adopt health apps and privacy and data security risks collected by these technologies.
Under the rule, the FTC will require each vendor who discovered it was the target of a security breach of personal health record identifiable health information to notify each U.S. resident whose information was compromised during the security breach, notify the FTC, and, in cases where 500 or more residents are confirmed or reasonably believed to have been affected by the breach, to notify “prominent media outlets” no later than 60 days after the discovery of the breach (with an exception for law enforcement concerns). The rule will go into effect 60 days after the date of publication in the Federal Register.
Department of Commerce announces new actions related to Executive Order on AI
On April 29, the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce released several announcements regarding the progress on President Biden's Executive Order on AI (covered by InfoBytes here). NIST released four draft publications aimed at enhancing AI systems' safety, security, and trustworthiness.
The four draft publications include: (i) NIST AI 600-1 that offers a Generative AI Profile to help organizations identify and manage risks associated with generative AI; (ii) NIST SP 800-218A t expand on the Secure Software Development Framework (SSDF) and address concerns about malicious training data affecting AI systems, as well as provide potential risks and strategies for handling training data, including recommendations for analyzing data for signs of poisoning, bias, homogeneity, and tampering; (iii) NIST AI 100-4 that proposes technical methods to improve the transparency of AI-created or “synthetic” content; and (iv) NIST AI 100-5 which will outline a plan to encourage the global development of AI-related technical standards and seek feedback on areas for AI standardization, including methods for tracking the origin of digital content and shared practices for AI system testing and evaluation. Additionally, NIST is launching challenges to create methods for distinguishing between human and AI-generated content. Public comments on these initial drafts will be due by June 2.
Biden announces student debt cancellation for borrowers who attended “predatory” institutions
On May 1, the Biden Administration announced the approval of $6.1 billion in student debt cancellation for 317,000 borrowers who attended a system of art schools, which the Administration accused of engaging in deceptive practices and leaving students with significant debt and poor job prospects.
The U.S. Department of Education found the system of art schools and its parent company guilty of significant misrepresentations about the educational value and career prospects following graduation in website, print material, and through misleading information from school personnel to prospective students. The school advertised an employment rate of 82 percent within six months of graduation within the field of study; however, a review of the school's records by the Department of Education alleged that graduates were inaccurately counted as employed in their study fields, inflating the figures by as much as 25 percent. Additionally, the school advertised inflated average salaries based on the same incorrect data, with testimonies indicating that school officials fabricated graduates’ earnings. All campuses of the school system closed under separate ownership in September 2023.
Bank granted MTD in credit card sign-up bonus class action
On April 15, the U.S. District Court for the Northern District of California entered an order granting a defendant bank’s motion to dismiss a plaintiff’s claims relating to alleged false advertising in connection with a credit card, with leave to amend. Plaintiff alleged that after responding to a social media advertisement for a credit card in December 2022, promising a $200 cash sign-up bonus for spending $500 within the first three billing cycles, he applied for and was approved for the card. However, the terms of the agreement he entered into with defendant did not mention the sign-up bonus, and he never received it. Consequently, plaintiff sued for "Breach of Contract Including Breach of the Covenant of Good Faith and Fair Dealing," asserting that defendant’s actions are part of a broader marketing strategy to entice customers to apply for defendant’s credit cards. Defendant filed a motion to dismiss the case based on two arguments: (i) plaintiff lacks the necessary Article III standing; and (ii) plaintiff failed to state a claim upon which relief can be granted.
The court sided with the defendant on both arguments determining that (i) the plaintiff failed to establish the “traceability” element of standing because it is not clear when the advertisement was seen or what it specifically promised; and (ii) the contract did not include a promise for a sign-up bonus, such that no breach of contract had occurred.
The court provided plaintiff with leave to amend within 45 days from entry of the order.
Court of Chancery throws out suit against bank for alleged fraud
On April 16, in the Court of Chancery of the State of Delaware, a judge threw out a case with prejudice where a shareholder (the plaintiff) sued a bank but ultimately failed to show a “substantial likelihood of liability.” The plaintiff alleged that the bank, along with its board, violated the EFTA and Regulation E by failing to resolve unauthorized electronic transfer claims and provisionally credit the consumer’s accounts within 10 business days, by failing to resolve unauthorized electronic transfer claims within 45 days, and by failing to reimburse victims of unauthorized electronic fund transfers after 45 days. To bolster the plaintiff’s claims, the plaintiff cited a 2022 U.S. Senate Committee on Banking, Housing, and Urban Affairs (Committee) investigation into the same alleged unauthorized electronic transfers and related reports, including one produced by Senator Elizabeth Warren (D-MA). However, the court found the reports at issue failed to demonstrate a violation of federal regulations. Accordingly, the court denied the plaintiff’s motion for leave to file a supplemental brief and granted the bank’s motion to dismiss.
Maine enacts new money transmission law in line with the Money Transmission Modernization Act
On April 22, the Governor of Maine signed into law LD 2112 (the “Act”) which will codify a new law titled the “Maine Money Transmission Modernization Act.” The Act will amend and repeal many parts of the state’s money transmission laws and brought the law more in alignment with the Money Transmission Modernization Act, the model law drafted with a goal of creating a single set of nationwide standards and requirements. The stated purpose of the Act will be to coordinate with states to reduce the regulatory burden, protect the public from financial crimes, and standardize licensing activities allowed and exempted by Maine.
Among many other new provisions, the Act will require any person which engages in the business of money transmission or advertises, solicits, or holds itself out as providing money transmission to obtain a license. The Act will define “money transmission” as “(i) [s]elling or issuing payment instruments to a person located in [Maine]; (ii) [s]elling or issuing stored value to a person located in [Maine]; or (iii) [r]eceiving money for transmission from a person located in [Maine].” However, the Act will exempt, an agent of the payee to collect and process a payment from a payor to the payee for goods or services, other than money transmission services, provided certain criteria are met. Additionally, the Act will exempt certain persons acting as intermediaries, persons expressly appointed as third-party service providers to an exempt entity, payroll processors, registered futures commission merchants and securities broker-dealers, among others. Anyone claiming to be exempt from licensing may be required to provide information and documentation demonstrating their qualification for the claimed exemption.
The Act also will include a section on virtual currency, which will be defined as “a digital representation of value that: (i) [i]s used as a medium of exchange, unit of account or store of value, and (ii) [i]s not money, whether or not denominated in money.” The Act will specify that “virtual currency business activity” will include, among other activities, exchanging, transferring, storing, or engaging in virtual currency administration, whereas “virtual currency administration” will be defined as issuing virtual currency with the authority to redeem the currency for money, bank credit or other virtual currency.
The Act will require certain reporting, including about the licensee’s condition, financial information, money transmission transactions from every jurisdiction, among other types of information. The amendments will also outline numerous licensing application and renewal procedures including net worth, surety bond, and permissible investment requirements. Maine will now join several other states that adopted the model law. The Act takes effect on July 16 of this year.
Oklahoma amends SAFE Act licensing provisions
On April 29, Oklahoma enacted SB 1492 (the “Act”) which will amend the Oklahoma Secure and Fair Enforcement for Mortgage Licensing Act by, among others, expanding the definition of “mortgage broker” to include servicing a residential mortgage, defining “servicing” to include holding servicing rights, as well as significantly adjusting fees and annual assessments for licensees. With respect to mortgage servicing, the law will define servicing as “the administration of a resident mortgage loan following the closing of such loan” and further will state that an entity will be servicing if it “either holds the servicing rights, or engages in any activities determined to be servicing, including: (a) collection of monthly mortgage payments; (b) the administration of escrow accounts; (c) the processing of borrower inquiries and requests; and (d) default management.” The definition of “mortgage lender” already included an entity that “makes a residential mortgage loan or services a residential mortgage loan” and will be approved by HUD, Fannie Mae, Freddie Mac, or Ginnie Mae. The Act will add a new section allowing licensees to permit its employees and independent contractors to work at “remote locations,” subject to certain conditions on policies and procedures on customer contact and data, maintenance of physical records, and prohibitions on in-person customer interactions, among other things. Finally, the Act will establish new fees and formulas for annual assessments for licensees, including assessments based on loan volumes range for loan originated and loans serviced during the assessment period. The Act will go into effect on November 1.