Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On February 15, HUD released Mortgagee Letter 2019-01, which provides guidance on the use of third-party verification (TPV) services for FHA-insured mortgages. Effective immediately, FHA now allows mortgagees to use TPV services for verification of a borrower’s employment, income, and asset information. The Letter provides specific requirements for each category of information but, in all circumstances, a borrower must authorize the mortgagee’s use of a TPV vendor for the verification (whether direct or electronic).
On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services institutions regulated by NYDFS are required to implement a cybersecurity program to protect consumer data. The last step in the implementation timeline requires covered entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such third parties. NYDFS also reminded regulated entities that the deadline to file their second certification of compliance via NYDFS’ cybersecurity portal is February 15.
Previously InfoBytes coverage on NYDFS’ cybersecurity regulation are available here.
7th Circuit affirms summary judgment for repossession company, holds property-retrieval fee is not subject to FDCPA
On October 31, the U.S. Court of Appeals for the 7th Circuit affirmed summary judgment for a third-party repossession company and an auto lender, holding that a fee that the repossession company required to process personal items left in a repossessed car did not constitute an impermissible demand for repayment under the FDCPA. According to the opinion, after a consumer fell behind on her auto payments, the third-party company repossessed her vehicle on behalf of the auto lender. The repossession company, according to the consumer, demanded a $100 payment in order to retrieve personal property she had left in the car. The consumer sued the company and the lender arguing that the retrieval fee was an impermissible debt collection in violation of the FDCPA. In response, the repossession company and the lender moved for summary judgment, arguing that the fee was an administrative handling fee that the lender had agreed to pay to the repossession company—not a fee assessed to the consumer. The lower court agreed.
On appeal, the 7th Circuit determined that the documentary evidence showed that the $100 fee was an administrative fee that the lender agreed to pay to the repossession company, stating “[t]here is no way on this record to view the handling fee as some sort of masked demand for principal payment to [the lender].” The appellate court concluded the consumer did not establish a genuine issue of fact as to whether the repossession company demanded the $100 payment on behalf of the lender and, therefore, affirmed summary judgment in favor of the repossession company and the lender.
On November 5, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement alerting financial institutions to the potential impact that the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) recent actions under its Cyber-Related Sanctions Program may have on financial institutions’ risk management programs. OFAC implemented the Cyber-Related Sanctions Program in response to Executive Order 13694 to address individuals and entities that threaten national security, foreign policy, and the economy of the U.S. by malicious cyber-enabled activities. FFIEC’s press release announcing the joint statement references OFAC’s June action against five Russian entities and three Russian individuals who, through “malign and destabilizing cyber activities,” provided material and technological support to Russia’s Federal Security Service (previously covered by InfoBytes here), noting that these entities may offer services to financial institutions operating in the U.S.
The joint statement reminds financial institutions to ensure that their compliance and risk management processes address possible interactions with an OFAC sanctioned entity. The statement notes that continued use of products or services from a sanctioned entity may cause the financial institution to violate the OFAC sanctions. Additionally, use of software or technical services from a sanctioned entity may increase a financial institution’s cybersecurity risk. The statement encourages financial institutions to take appropriate corrective action, as well as to ensure their third-party service providers comply with OFAC’s requirements.
The OCC also released Bulletin 2018-40, which corresponds with the FFIEC’s joint statement.
On October 29, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), fining a broker-dealer $2.75 million for identified deficiencies in its anti-money laundering (AML) program. According to FINRA, design flaws in the firm’s AML program allegedly resulted in the firm’s failure to properly investigate (i) certain third-party attempts to gain unauthorized access to its electronic systems, and (ii) other potential illegal activity, which should have led to the filing of Suspicious Activity Reports (SARs). FINRA notes that this failure primarily stemmed from the firm's use of an inaccurate “fraud case chart,” which provided guidance to employees about investigating and reporting requirements related to suspicious activity where third parties use “electronic means to attempt to compromise a customer's email or brokerage account.” Consequently, FINRA alleges that the firm failed to file more than 400 SARs and did not investigate certain cyber-related events. Among other things, FINRA also asserts that the firm failed to file or amend forms U4 or U5, which are used to report certain customer complaints, due to an overly restrictive interpretation of a requirement that complaints contain a claim for compensatory damages exceeding $5,000.
The firm neither admitted nor denied the findings set forth in the AWC agreement, but agreed to address identified deficiencies in its programs.
On October 26, the FTC announced its final approval of an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices. Specifically, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases were secure, but, according to the FTC, the company failed to implement reasonable measures to prevent unauthorized access to consumers and driver data maintained by the ride-sharing company’s third-party cloud service provider. In April, the FTC announced it would be expanding the original settlement from August 2017 (previously covered by InfoBytes here), which covered a 2014 data breach, because it was discovered the company failed to disclose a subsequent data breach that occurred in 2016 for more than a year, despite the on-going FTC investigation of the 2014 data breach.
The expanded final settlement subjects the company to civil penalties if it fails to notify the FTC of future incidents involving unauthorized access to data. The settlement also, among other things, requires the company to implement a comprehensive privacy program, including biennial third-party privacy assessments for 20 years.
CFPB announces settlement with companies that allegedly delayed transfer of consumer payments to debt buyers
On October 4, the CFPB announced a settlement with a group of Minnesota-based companies that allegedly violated the Consumer Financial Protection Act when consumers made payments on debts that the companies had already sold to third parties, and the companies improperly delayed the forwarding of some of those payments to debt buyers. According to the consent order, the companies—whose practices include the purchasing, servicing, collection, and furnishing consumer-report information on consumer loans—partnered with third-party banks to sell merchandise on closed-end or open-end revolving credit. Within a few days, banks originated the loans and sold the receivables to the companies. The companies subsequently serviced the debts and sold the receivables to a third party. For defaulted accounts, the companies charged off the accounts and sold them to third-party debt buyers. According to the Bureau, the companies allegedly failed to notify consumers when their accounts were sold, failed to inform them who now owned the debt, and continued to accept direct pays from consumers. The Bureau contends that between 2013 and 2016, the companies delayed forwarding direct pays for more than 31 days in 18,000 instances, and in 3,500 of those instances, the companies did not forward the payments for more than a year. Moreover, the Bureau asserts that these delays led to misleading collection efforts, including collection activity on accounts consumers had completely paid off. The order requires the companies to pay a civil money penalty of $200,000, and improve their policies and procedures to prevent further violations.
On September 28, FHFA released Advisory Bulletin AB 2018-08, which provides guidance to Fannie Mae and Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (regulated entities) on the evaluation and management of risks associated with third-party provider relationships. (FHFA defines a third-party provider relationship as a “business arrangement between a regulated entity and another entity that provides a product or service.”)
The bulletin sets forth the structure and describes the features of the third-party provider risk management programs that FHFA expects regulated entities to establish. With respect to governance, the bulletin recommends such programs address: (i) the responsibilities of the board and senior management; (ii) policies, procedures, and internal standards; and (iii) the implementation of a reporting system to ensure management and the board are adequately informed. The bulletin also specifies that an effective program include policies and procedures that cover each of the following phases of a third-party provider relationship life cycle: (i) Risk Assessment; (ii) Due Diligence in Third-Party Provider Selection; (iii) Contract Negotiation; (iv) Ongoing Monitoring; and (v) Termination. The bulletin suggests that regulated entities should ensure that their third-party risk management corresponds with the level of risk and complexity of their third-party relationships and notes that not every aspect of the bulletin may apply to every relationship.
On August 23, the New York Department of Finance Services (NYDFS) released updated guidance reminding institutions engaged in indirect auto lending through third parties that they must comply with the state’s Fair Lending Law, despite the May repeal of the CFPB’s Bulletin 2013-02 on indirect auto lending and compliance with the Equal Credit Opportunity Act (ECOA). (The repeal was previously covered by InfoBytes here.) The updated guidance “consolidates, streamlines and reinforces previous guidance issued by [NYDFS]’s predecessor, the New York State Banking Department,” which applies to supervised financial institutions and their subsidiaries and affiliates (lenders). The guidance provides a list of actions lenders should take to develop a fair lending compliance program for indirect auto lending, including (i) submitting all applications for loans that are rejected or withdrawn to an automatic review by a higher-level supervisor; (ii) implementing a fair lending training program for both new hires and current employees; (iii) obtaining written agreements from all dealers that certify that the dealer acknowledges its responsibility to comply with fair lending laws and the policies and procedures contained in the fair lending plan; and (iv) extending fair lending plan principles to refinancing and collection practices.
Conference of State Bank Supervisors supports legislation to coordinate federal and state examinations of third-party service providers
On July 12, the Conference of State Bank Supervisors (CSBS) issued a statement to the Senate Banking Committee, offering support for legislation that would “enhance state and federal regulators’ ability to coordinate examinations of, and share information on, banks’ [third-party technology service providers (TSPs)] in an effective and efficient manner.” H.R. 3626, the Bank Service Company Examination Coordination Act, introduced by Representative Roger Williams, R-Texas, would amend the Bank Service Company Act to provide examination improvements for states by requiring federal banking agencies to (i) consult with the state banking agency in a reasonable and timely fashion, and (ii) take measures to avoid duplicating examination activities, reporting requirements, and requests for information. Currently, 38 states have the authority to examine TSPs, however, according to CSBS, amending the Bank Service Company Act would more appropriately define a state banking agency’s authority and role when it comes to examining potential risks associated with TSP partnerships. In its statement, CSBS also references a recent action taken by eight state regulators against a major credit reporting agency following its 2017 data breach that requires, among other things, a wide range of corrective actions, including improving oversight and ensuring sufficient controls are developed for critical vendors. (See previous InfoBytes coverage here.) The House Financial Services Committee advanced H.R. 3626 on June 24 on a unanimous vote.
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Spring Regulatory Compliance School
- Aaron C. Mahler to discuss "Regulation B/fair lending" at the National Association of Federally-Insured Credit Unions Spring Regulatory Compliance School
- Heidi M. Bauer and Dan Ladd to discuss "'So you want to form a joint venture' — Licensing strategies for successful JVs" at RESPRO26
- Tim Lange to discuss "Update from 2019 NMLS Conference" at the California Mortgage Bankers Association Mortgage Quality & Compliance Committee webinar
- Jonice Gray Tucker to discuss "Small business & regulation: How fair lending has evolved & where are we heading?" at CBA Live
- Jonice Gray Tucker to to discuss "DC policy: Everything but the kitchen sink" at CBA Live
- Jon David D. Langlois to discuss "Transaction management-issues surrounding purchase & sale agreements, post acquisition integration & trailing docs" at the Investment Management Network Residential Mortgage Servicing Rights Forum
- Daniel P. Stipano to discuss "Lessons learned from ABLV and other major cases involving inadequate compliance oversight" at the ACAMS International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "A year in the life of the CDD final rule: A first anniversary assessment" at the ACAMS International AML & Financial Crime Conference
- Moorari K. Shah to discuss "State regulatory and disclosures" at the Equipment Leasing and Finance Association Legal Forum
- Hank Asbill to discuss "Creative character evidence in criminal and civil trials" at the Litigation Counsel of America Spring Conference & Celebration of Fellows
- Brandy A. Hood to discuss "Flood NFIP in the age of extreme weather events" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "UDAAP compliance" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "State examination/enforcement trends" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Benjamin K. Olson to discuss "LO compensation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Major state law developments" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Leveraging big data responsibly" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program