On March 30, the U.S. District Court for the District of Oregon granted a group of car dealerships’ (defendants) summary judgment motion in a putative class action involving claims that the dealerships violated Oregon’s Unlawful Trade Practices Act (UTPA) as well as the state’s financial elder-abuse law. The plaintiffs, who all purchased vehicles along with other goods or services from one or more of the defendants, asserted that the defendants allegedly failed to “appropriately disclose [their] specific fees associated with arrangement of financing or the profit margins related to the sale of third-party products and services.” By failing to comply with these disclosure requirements, the plaintiffs alleged, the defendants “wrongfully appropriated money from elderly persons.” Concerning the alleged violations of the UTPA, the defendants argued that the statute’s section titled “Undisclosed Fee Payments” only applies to referral fees greater than $100 paid to non-employee third parties, and not to other payments made by a dealership to a third party. The court agreed and stated that the defendants’ position was further supported by the state’s official commentary. With regard to the plaintiffs’ other claim concerning deficiencies in the disclosures, the court concluded that “strict recitation of the statute is not required to meet the clear and conspicuous standard,” and that the disclosures in question were clearly visible and easy to understand. Finally, the court granted summary dismissal of the plaintiffs’ claim of elder abuse because the claim was premised on the alleged violations of the UTPA, which were dismissed.
On February 15, HUD released Mortgagee Letter 2019-01, which provides guidance on the use of third-party verification (TPV) services for FHA-insured mortgages. Effective immediately, FHA now allows mortgagees to use TPV services for verification of a borrower’s employment, income, and asset information. The Letter provides specific requirements for each category of information but, in all circumstances, a borrower must authorize the mortgagee’s use of a TPV vendor for the verification (whether direct or electronic).
On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services institutions regulated by NYDFS are required to implement a cybersecurity program to protect consumer data. The last step in the implementation timeline requires covered entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such third parties. NYDFS also reminded regulated entities that the deadline to file their second certification of compliance via NYDFS’ cybersecurity portal is February 15.
Previous InfoBytes coverage of NYDFS’ cybersecurity regulation is available here.
7th Circuit affirms summary judgment for repossession company, holds property-retrieval fee is not subject to FDCPA
On October 31, the U.S. Court of Appeals for the 7th Circuit affirmed summary judgment for a third-party repossession company and an auto lender, holding that a fee that the repossession company required to process personal items left in a repossessed car did not constitute an impermissible demand for repayment under the FDCPA. According to the opinion, after a consumer fell behind on her auto payments, the third-party company repossessed her vehicle on behalf of the auto lender. The repossession company, according to the consumer, demanded a $100 payment in order to retrieve personal property she had left in the car. The consumer sued the company and the lender arguing that the retrieval fee was an impermissible debt collection in violation of the FDCPA. In response, the repossession company and the lender moved for summary judgment, arguing that the fee was an administrative handling fee that the lender had agreed to pay to the repossession company—not a fee assessed to the consumer. The lower court agreed.
On appeal, the 7th Circuit determined that the documentary evidence showed that the $100 fee was an administrative fee that the lender agreed to pay to the repossession company, stating “[t]here is no way on this record to view the handling fee as some sort of masked demand for principal payment to [the lender].” The appellate court concluded the consumer did not establish a genuine issue of fact as to whether the repossession company demanded the $100 payment on behalf of the lender and, therefore, affirmed summary judgment in favor of the repossession company and the lender.
On November 5, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement alerting financial institutions to the potential impact that the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) recent actions under its Cyber-Related Sanctions Program may have on financial institutions’ risk management programs. OFAC implemented the Cyber-Related Sanctions Program in response to Executive Order 13694 to address individuals and entities that threaten national security, foreign policy, and the economy of the U.S. by malicious cyber-enabled activities. FFIEC’s press release announcing the joint statement references OFAC’s June action against five Russian entities and three Russian individuals who, through “malign and destabilizing cyber activities,” provided material and technological support to Russia’s Federal Security Service (previously covered by InfoBytes here), noting that these entities may offer services to financial institutions operating in the U.S.
The joint statement reminds financial institutions to ensure that their compliance and risk management processes address possible interactions with an OFAC sanctioned entity. The statement notes that continued use of products or services from a sanctioned entity may cause the financial institution to violate the OFAC sanctions. Additionally, use of software or technical services from a sanctioned entity may increase a financial institution’s cybersecurity risk. The statement encourages financial institutions to take appropriate corrective action, as well as to ensure their third-party service providers comply with OFAC’s requirements.
The OCC also released Bulletin 2018-40, which corresponds with the FFIEC’s joint statement.
On October 29, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), fining a broker-dealer $2.75 million for identified deficiencies in its anti-money laundering (AML) program. According to FINRA, design flaws in the firm’s AML program allegedly resulted in the firm’s failure to properly investigate (i) certain third-party attempts to gain unauthorized access to its electronic systems, and (ii) other potential illegal activity, which should have led to the filing of Suspicious Activity Reports (SARs). FINRA notes that this failure primarily stemmed from the firm's use of an inaccurate “fraud case chart,” which provided guidance to employees about investigating and reporting requirements related to suspicious activity where third parties use “electronic means to attempt to compromise a customer's email or brokerage account.” Consequently, FINRA alleges that the firm failed to file more than 400 SARs and did not investigate certain cyber-related events. Among other things, FINRA also asserts that the firm failed to file or amend forms U4 or U5, which are used to report certain customer complaints, due to an overly restrictive interpretation of a requirement that complaints contain a claim for compensatory damages exceeding $5,000.
The firm neither admitted nor denied the findings set forth in the AWC agreement, but agreed to address identified deficiencies in its programs.
On October 26, the FTC announced its final approval of an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices. Specifically, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases was secure, but, according to the FTC, the company failed to implement reasonable measures to prevent unauthorized access to consumer and driver data maintained by the ride-sharing company’s third-party cloud service provider. In April, the FTC announced it would be expanding the original settlement from August 2017 (previously covered by InfoBytes here), which covered a 2014 data breach, because it was discovered that the company had failed for more than a year to disclose a subsequent data breach that occurred in 2016, despite the ongoing FTC investigation of the 2014 data breach.
The expanded final settlement subjects the company to civil penalties if it fails to notify the FTC of future incidents involving unauthorized access to data. The settlement also, among other things, requires the company to implement a comprehensive privacy program, including biennial third-party privacy assessments for 20 years.
CFPB announces settlement with companies that allegedly delayed transfer of consumer payments to debt buyers
On October 4, the CFPB announced a settlement with a group of Minnesota-based companies that allegedly violated the Consumer Financial Protection Act when consumers made payments on debts that the companies had already sold to third parties, and the companies improperly delayed the forwarding of some of those payments to debt buyers. According to the consent order, the companies—whose business includes purchasing, servicing, and collecting consumer loans and furnishing consumer-report information on them—partnered with third-party banks to sell merchandise on closed-end or open-end revolving credit. Within a few days, the banks originated the loans and sold the receivables to the companies. The companies subsequently serviced the debts and sold the receivables to a third party. For defaulted accounts, the companies charged off the accounts and sold them to third-party debt buyers. According to the Bureau, the companies allegedly failed to notify consumers when their accounts were sold, failed to inform them who now owned the debt, and continued to accept direct payments from consumers. The Bureau contends that between 2013 and 2016, the companies delayed forwarding direct payments for more than 31 days in 18,000 instances, and in 3,500 of those instances, the companies did not forward the payments for more than a year. Moreover, the Bureau asserts that these delays led to misleading collection efforts, including collection activity on accounts consumers had completely paid off. The order requires the companies to pay a civil money penalty of $200,000 and improve their policies and procedures to prevent further violations.
On September 28, FHFA released Advisory Bulletin AB 2018-08, which provides guidance to Fannie Mae and Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (regulated entities) on the evaluation and management of risks associated with third-party provider relationships. (FHFA defines a third-party provider relationship as a “business arrangement between a regulated entity and another entity that provides a product or service.”)
The bulletin sets forth the structure and describes the features of the third-party provider risk management programs that FHFA expects regulated entities to establish. With respect to governance, the bulletin recommends such programs address: (i) the responsibilities of the board and senior management; (ii) policies, procedures, and internal standards; and (iii) the implementation of a reporting system to ensure management and the board are adequately informed. The bulletin also specifies that an effective program include policies and procedures that cover each of the following phases of a third-party provider relationship life cycle: (i) Risk Assessment; (ii) Due Diligence in Third-Party Provider Selection; (iii) Contract Negotiation; (iv) Ongoing Monitoring; and (v) Termination. The bulletin suggests that regulated entities should ensure that their third-party risk management corresponds with the level of risk and complexity of their third-party relationships and notes that not every aspect of the bulletin may apply to every relationship.
On August 23, the New York Department of Financial Services (NYDFS) released updated guidance reminding institutions engaged in indirect auto lending through third parties that they must comply with the state’s Fair Lending Law, despite the May repeal of the CFPB’s Bulletin 2013-02 on indirect auto lending and compliance with the Equal Credit Opportunity Act (ECOA). (The repeal was previously covered by InfoBytes here.) The updated guidance “consolidates, streamlines and reinforces previous guidance issued by [NYDFS]’s predecessor, the New York State Banking Department,” which applies to supervised financial institutions and their subsidiaries and affiliates (lenders). The guidance provides a list of actions lenders should take to develop a fair lending compliance program for indirect auto lending, including (i) submitting all loan applications that are rejected or withdrawn to an automatic review by a higher-level supervisor; (ii) implementing a fair lending training program for both new hires and current employees; (iii) obtaining written agreements from all dealers certifying that the dealer acknowledges its responsibility to comply with fair lending laws and the policies and procedures contained in the fair lending plan; and (iv) extending fair lending plan principles to refinancing and collection practices.