InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court grants bank a MSJ in overdraft fee class action case
On April 16, the U.S. District Court for the Eastern District of Michigan entered an opinion and order granting defendant bank’s motion for summary judgment in an overdraft fee-related consumer class action. In this case, plaintiffs claimed that defendant breached its account agreements in connection with two related but distinct practices that the plaintiffs claimed were inconsistent with their account agreement. The first practice involved the assessment of overdraft fees on transactions that were initially authorized with a positive balance but settled at a time when the account had a negative balance, labeled Authorize Positive, Purportedly Settle Negative transactions (APPSN). The second practice imposed insufficient fund (NSF) fees each time the same item was re-presented by a merchant and declined by the bank due to a lack of funds. The complaint alleged a breach of contract and conversion against the bank based on these two fee practices.
In a previous order in 2021, the court denied defendant’s motion to dismiss as to plaintiff’s breach of contract claim but granted dismissal as to plaintiff’s conversion claim. In denying the motion to dismiss the breach of contract of claim, the court determined the account agreement was ambiguous as to the overdraft fees since it was unclear whether defendant would assess overdraft fees at the time of a debit's authorization or at the time of its settlement. The court held that the account agreement was similarly ambiguous as to the NSF fees, since the agreement’s language lent itself to multiple reasonable interpretations of the meaning of “item.”
In the current opinion, the court held that the language of the updated disclosure guide provided to the plaintiff removed the perceived ambiguity in the contractual language, finding that plaintiff’s interpretation was “unreasonable because it contradict[ed] the language of the [a]greement as a whole, including the updated disclosure guide.” The court explained that the updated disclosures made it clear that customers could still incur an overdraft fee if their balance goes negative before a debit authorization hold would be lifted and the actual transaction settled, despite having a positive balance at the time the hold was placed. The court highlighted that the new disclosure guide included a practical example demonstrating the impact of a temporary debit authorization hold on an account’s available balance.
Further, the court noted that even if the agreement was ambiguous, plaintiff would still be unsuccessful in pursuing her breach of contract claim because it had been established that she did not actually read the specific contract terms in question. The court noted, under Michigan law, there cannot be a factual question as to the meaning of a contract where one party had not read the contract to form a different understanding of the contract. The court applied a similar analysis to dismiss the allegations relating to the NSF fees. Finally, the court held that plaintiff failed to demonstrate a genuine issue of material fact regarding her claim of breach of an implied covenant of good faith and fair dealing because the applicable fees were contemplated by the parties’ agreement.
Kansas enacts its Commercial Financing Disclosure Act
On April 12, Kansas enacted the Commercial Financing Disclosure Act in SB 345 (the “Act”) which will require the disclosure of certain commercial financing product transaction information, provide civil penalties for violations, and authorize enforcement by the attorney general. The Act will apply to any commercial loan, accounts receivable purchase transaction, and commercial open-end credit plan (when the transaction would be less than or equal to $500,000).
According to the Act, providers must disclose the total amount of funds furnished, and total amount dispersed, if that number is less than the amount furnished. Additionally, providers must disclose the total amount borrowers will owe the provider in that agreement, including the total cost to the borrower, as well as the manner, frequency, and amount of each payment. For each commercial financing agreement, only a single disclosure is necessary. If there are alterations to the financing arrangement, a new disclosure will not be mandated. Furthermore, providers will not be required to issue a new disclosure with every purchase of accounts receivables under the agreement. Moreover, brokers of such transactions are prohibited from collecting an advance fee from a business, making any false representations, or omitting any material facts during the sale of the services.
The Act will exempt certain depository institutions, commercial financing transactions secured by real property or a lease, and providers that made five or fewer commercial financing transactions in Kansas in one year, among other things.
Violations of the Act will be subject to a civil penalty of $500 per individual violation and the total penalty for multiple aggregated violations cannot exceed $20,000. If a person continues to violate the Act after receiving a written warning from the attorney general, the penalty will increase to $1,000 per violation. The maximum penalty for multiple aggregated violations in this scenario will be $50,000. The Act will not grant individuals the right to sue based on compliance or non-compliance with its provisions; there is no private right of action. Violations of the Act will not affect the enforceability or validity of the underlying agreement. The authority to enforce the Act will not be given exclusively to the attorney general.
District Court rules against CFPB on Prepaid Rule disclosure requirement
On March 28, the U.S. District Court for the District of Columbia (D.D.C.) ruled in favor of a fintech digital wallet provider by granting its motion for summary judgment, denying the CFPB’s cross-motion, and vacating the CFPB’s Prepaid Rule’s short-form disclosure requirements for digital wallets. The suit focused on the applicability of the Prepaid Rule’s short-form disclosure requirements to digital wallet products. The plaintiff sued the CFPB, arguing the CFPB’s Prepaid Rule was arbitrary and capricious because, unlike for general-purpose reloadable (GPR) products, the CFPB failed to provide a “well-founded, non-speculative reason for subjecting digital wallets” to the Prepaid Rule’s short-form disclosure regime.
The CFPB’s Prepaid Rule mandated that pre-acquisition fee disclosures, which were intended to apply to GPR cards, be required for digital wallets––i.e., digital wallet providers would be required to provide consumers with a pre-acquisition fee disclosure in a formatted “short form.” While the judge agreed that this makes sense as applied to GPR products, digital wallet products were fundamentally different from GPRs and were not primarily “used to access funds or to function as a substitute checking account.” While the CFPB’s Advanced Notice of Proposed Rulemaking, did not initially include digital wallets, in the final Prepaid Rule, the CFPB included digital wallets for three reasons: (1) the CFPB reasoned that the Prepaid Rule should apply to digital wallets since digital wallets can carry funds (just like GPRs), and the fee structure “may not hold true in the future”; (2) the CFPB argued that the Prepaid Rule filled a regulatory gap for digital wallets; and (3) the CFPB claimed it “cast a wide net” on purpose to avoid a “patchwork regime.”
In response, the plaintiff argued that the disclosure requirement was arbitrary and capricious due to the Bureau having no rational justification for including digital wallets in the Prepaid Rule. Further, it was arbitrary and capricious because the CFPB did not comply with its role under Dodd-Frank by assessing the costs and benefits of the Rule. Finally, the plaintiff argued that the short-form disclosure regime violated the First Amendment.
While declining to rule on First Amendment issues, the court held that the CFPB lacked a “rational justification” for subjecting digital wallets to the Prepaid Rule’s short-form disclosure requirement, agreeing that the CFPB’s requirement was arbitrary and capricious, and that it had no basis for including digital wallets because they were materially different products. The judge also found the CFPB’s cost-benefit analysis (as mandated by Dodd-Frank) was deficient, as the “general” cost-benefit analysis did not fit for digital wallets.
District Court severs NJFCRA requirement that agencies must provide credit disclosures in 10 languages
On March 27, the U.S. District Court for the District of New Jersey granted in part and denied in part both the Attorney General for the State of New Jersey’s (AG) motion for summary judgment and a plaintiff international trade association’s motion for summary judgment. In particular, the court held that the New Jersey Fair Credit Reporting Act’s (NJFCRA) 2019 amendment requiring national consumer reporting agencies (NCRAs) to provide consumer reports in a language other than English (if requested) was not preempted by the federal Fair Credit Reporting Act. However, the court stopped short of requiring NCRAs to provide the disclosures in “at least ten languages” in addition to Spanish on First Amendment grounds, explaining that the requirement imposed under the NJFCRA only required a rational basis and while a rational basis existed for Spanish (due to, among other things, the high percentage of Spanish speaking constituents in New Jersey), it did not exist for the additional languages given the relatively lower prevalence of those other languages. Accordingly, the court severed the provision that mandated that credit file disclosures be provided in at least 10 languages.
Indiana enacts SB 220 on cyber incident notification guidelines
On March 11, the Governor of Indiana signed SB 220 (the “Act”) which will add cyber incident notification guidelines for financial institutions. The Act defined the term "corporation" as the following entities organized in Indiana, including a (i) bank; (ii) trust company; (iii) corporate fiduciary; (iv) savings bank; (v) savings association; (vi) industrial loan and investment company with federal deposit insurance; (vii) credit union; and (viii) bank of discount and deposit.
According to the Act, a corporation will be required to inform the director of the department about a reportable cyber incident or notification incident following the same protocol mandated by the corporation's federal regulatory body or deposit insurance provider. If a corporation does not have a federal regulatory body or deposit insurance provider, it must report the cyber incident to the director of the department using the procedures outlined in U.S.C. 12 CFR 748.1(c), which despite typically applying to federally insured credit unions, will also apply to corporations. The Act will go into effect on July 1.
Indiana enacts HB 1284 regarding change in terms for deposit accounts
On March 12, the Governor of Indiana signed HB 1284 which codified a new chapter regarding a contract for a deposit account between a depository institution and a consumer may be changed occasionally, subject to the terms of the deposit account agreement. The bill will provide that after continued use of the deposit account by the consumer after a modification to the agreement has been disclosed through written notice by the depository institution, then it will be considered clear or “prima facie” evidence that the consumer will accept the new terms. The depository institution must provide written notice of the changes at least 30 days before the effective date of any change to the deposit account agreement. The bill will go into effect on July 1.
Ginnie Mae now requires issuers to disclose cybersecurity incidents within 48 hours
On March 4, the President of Ginnie Mae released All Participants Memorandum (APM) 24-02, which set forth a new requirement applicable to all issuers, including issuers that subservice loans for others. The memo mandated that all approved issuers must notify Ginnie Mae of any significant cybersecurity incident within 48 hours of detection. Ginnie Mae defined a “Cyber Incident” as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constituted a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the Issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.” If a Cyber Incident has occurred, issuers must it report to Ginnie Mae via a specified email address and must include (i) the date and time of the incident, (ii) a summary of the incident, and (iii) points of contact responsible for coordinating any follow-up questions regarding the incident. These requirements are also now reflected in Chapter 03, Part 18 of the Mortgage-Backed Securities Guide, 5500.3, REV-1.
DFPI fines online platform for omitting convenience fee disclosures
On January 9, DFPI issued a consent order against an online platform (respondent) that enables merchants to provide installment contracts to customers. The consent order resolved alleged violations of the California Consumer Financial Protection Law (CCFPL) arising from the convenience fees assessed by a third-party service provider when consumers opt to pay their installments online or by phone. According to the consent order, since 2021 respondent guaranteed that consumers entering into contracts on its platform had a fee-free payment method. However, for a time respondent failed to disclose potential optional convenience fees in the initial contract. Although the third-party servicer disclosed the convenience fees to consumers, DFPI took issue with the respondent’s failure to disclose these fees before transferring consumers to the third-party servicer to enter into the contracts. In other words, consumers only became aware of both the existence and amounts of these fees after entering into contractual obligations. DFPI accused respondent of deceiving consumers by failing to disclose this information first.
Under the terms of the consent order, respondent must pay a $50,000 penalty and must disclose information about the potential convenience fees that may be assessed by a servicer.
District Court dismisses FDCPA suit; clarifies debt collector communication on identity theft
On December 5, the U.S. District Court of New Jersey dismissed an FDCPA suit brought against a debt collector. According to the opinion, plaintiff originally filed suit because they received a letter from defendant regarding an outstanding cell phone bill. The letter provided instructions on what to do if the recipient suspected identity theft. Additionally, the letter contained a summary of plaintiff’s account and a QR code that linked to defendant’s website for online payment. Plaintiff contended that the dual approach of offering assistance while simultaneously pursuing collection of a debt was false and misleading. A District Court judge, however, disagreed and dismissed the case, at which point the plaintiff filed an amended complaint.
The amended complaint alleges that the debt collector breached the FDCPA by using false, deceptive or misleading representations regarding the rights of the plaintiff and the obligations of the debt collector with respect to communications concerning identity theft. Specifically, plaintiff argued defendant was in violation of § 1681m(g) of the FDCPA, which obligates a debt collector to take certain steps upon being notified of identity theft, but the court disagreed, finding that the collector’s specific steps taken were in accordance with the Act.
The court emphasized that plaintiff did not introduce any new factual claims in the amended complaint, and merely clarified how the facts already outlined in the initial complaint breached the FDCPA. The judge ruled that the letter not only allows plaintiff to inform defendant about potential identity theft, but also may serve to bring potential identity theft to plaintiff’s attention. The ruling stated that there is no obligation to extensively explain recommended procedures in the case of an identity theft occurrence, and only an “idiosyncratic reading” of the letter would lead to the conclusion that the letter misrepresents defendant’s obligations.
CFPB orders bank to pay $6.2 million; alleges overdraft fees violate CFPA, EFTA
On December 7, the CFPB announced a consent order against a Virginia-based bank, alleging it engaged in deceptive acts and practices and failed to comply with Regulation E. According to the CFPB, the bank did not comply with Regulation E because it did not provide appropriate written disclosures before enrolling customers in its overdraft service and imposing overdraft fees. The CFPB alleged that under the bank’s procedures, branch employees would provide oral disclosures and obtain oral consent but did not provide customers with the required written consent form under Regulation E until the end of the account-opening process. According to the CFPB, while the bank changed its practices partway through the period covered by the consent order, the disclosures it provided were still inadequate. The bank allegedly “requested that new customers orally specify their enrollment decision before providing them with adequate written notice describing the [opt-in] service,” which thereby allegedly breached the Electronic Fund Transfer Act.
The CFPB also alleged the bank committed deceptive actions or practices when marketing opt-in overdraft services to consumers via telephone. Specifically, the CFPB alleged that the bank did not provide its customer service representatives with a script, which resulted in representatives failing to clearly differentiate between transactions covered by the bank’s standard versus its opt-in overdraft protection service. The CFPB asserted that these statements qualified as “representations and omissions of key information were likely to mislead consumers,” and that as a result, the Bank did not comply with the CFPA and Regulation E.
The consent order imposes a $1.2 million civil money penalty and requires the bank to refund at least $5 million to affected consumers. The consent order also requires the bank to obtain a new overdraft enrollment decision from affected consumers before charging overdraft fees. Moreover, the bank must also create and implement a comprehensive compliance plan to ensure its overdraft program complies with all applicable laws. Finally, the consent order requires the bank to monitor compliance, maintain records, and inform the CFPB of any changes or developments that could impact its compliance responsibilities in the consent order.