InfoBytes
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Credit Cards 2016: Consumer Protection in Focus
The past year has seen heightened CFPB interest in the following areas: (i) deferred interest and rewards, (ii) limited English proficiency consumers, and (iii) the recent revisions to the Military Lending Act (MLA). Pursuing simplicity in the design of product features and closely following limited English proficiency issues will help credit issuers mitigate their regulatory risk. Also on the horizon in 2016 is the effective date of the MLA revisions, which were announced in July 2015.Deferred Interest and Rewards
The Bureau has been focused on the marketing and design of deferred interest products and issued a strong admonition in September 2014 relating to the potential for consumer surprise. However, there has been relatively little enforcement activity in this regard. Instead, enforcement generally has focused on technical violations of law. For example, an August 2015 consent order arose out of point-of-sale disclosures as opposed to the product features themselves. Some deferred interest issues, such as “old fashioned mistakes,” (e.g., “if paid in full” is dropped from the marketing copy) may represent low-hanging fruit for the CFPB and should be addressed to mitigate enforcement risk. The Bureau has also expressed concern about technical issues that may complicate deferred interest for consumers, such as expiration of the promotional period prior to the payment due date.
The Bureau has suggested that consumers base their choice of credit card more on the nature and richness of the rewards than on the interest rate. Accordingly, the Bureau has expressed concern about various aspects of rewards programs, including the expiration of points and complexity surrounding how they are earned and redeemed. While simplicity may reduce regulatory risk, it undoubtedly makes rewards programs more expensive for issuers, and makes it more difficult for consumers to distinguish among them.
Limited English Proficiency
In September 2015, the CFPB issued an enforcement action related to mortgages, which required the respondent to spend $1M on targeted advertising and an outreach campaign in Spanish and English over the five-year term of the order. The CFPB recently created several Spanish language documents: a glossary of basic financial terms as well as two documents titled “Your Money, Your Goals,” and “The Newcomer’s Guide to Managing Money.”
Notwithstanding these efforts, it is worth noting that the CFPB has not translated any of the credit card model forms into Spanish. Determining the appropriate extent of Spanish-language marketing—and fulfillment, if any—is a difficult calculation, and the Bureau has provided no firm guidance. Still, while the industry awaits further developments in 2016, it is advisable to make specific efforts to engage Spanish-speaking communities.
Military Lending Act
The recently revised MLA will also impact the credit card industry in 2016. Under the new regulations, most credit card products will be subject to the MLA, including its 36 percent interest rate limitation. Creditors will need to determine who is a covered borrower, but the revised regulations also provided two safe harbors for a creditor to make such a determination. The revised regulations take effect on October 3, 2016, except for most credit cards, as to which the compliance date is October 3, 2017. BuckleySandler addressed this new rulemaking in an MLA Spotlight Series (see Part 1, Part 2, Part 3).
OCC Releases Semiannual Risk Perspective Report
On December 16, the OCC released its Semiannual Risk Perspective report to provide an overview of supervisory concerns for the federal banking system, including operational and compliance risks. According to the report, which covers data through June 30, 2015, risks relating to strategic, compliance, and interest rates remain unchanged, but risks connected to underwriting and cybersecurity continue to grow. Notable findings in the report reveal that (i) the low interest rate environment has led banks to reevaluate risk tolerance and extend their reach for yield; and (ii) banks are responding to competitive pressures and growth objectives by adopting a more relaxed approach toward credit underwriting standards and practices, particularly in high-growth loan segments, such as indirect auto, commercial and industrial, and multifamily.
The report emphasizes cyber threats and Bank Secrecy Act (BSA) and anti-money laundering (ALM) risks as growing concerns, commenting that “[c]yber attacks against cybersecurity products and services further increase risk to banks because of the release or sale of malware and zero-day vulnerabilities,” and “BSA/AML risks remain high, as technological developments that benefit customers through enhanced products and greater access to financial services may be vulnerable to criminals who exploit such innovations.”
CFPB Reports on Credit Card Agreements and Warns Colleges of Potential CARD Act Violations
On December 16, the CFPB issued its annual report to Congress regarding credit card marketing agreements between colleges and issuing credit card organizations. Pursuant the Credit Card Accountability, Responsibility, and Disclosure (CARD) Act, credit card issuers must disclose the details of those agreements to the CFPB, and colleges and universities are required to publicly disclose their marketing agreements, either by posting the actual contracts to their websites or by posting the information needed to request a copy of the agreement and subsequently providing a copy to the requestor. According to the report, a review of 25 sample colleges with active credit card agreements determined that “most institutions of higher education [did] not make copies of [the] agreements available on their websites to students and other affected parties.” The CFPB further noted that “[w]ith only rare exceptions, [the] institutions also fail[ed] to provide alternative reasonable means of access to those agreements.” In light of its findings, the CFPB sent a letter to the 17 colleges that may not have adequately disclosed a credit card agreement. The letter explained that the school received the notice because its marketing agreement with a card issuer “could not be publicly obtained using reasonable procedures and in a reasonable timeframe.” While the CFPB’s letter stated that it had yet to determine if the schools’ inaction violated the CARD Act, it urged the recipient schools to “reconsider [their] approach to public disclosure.”
CFPB Takes Action Against "Buy-Here, Pay-Here" Auto Dealer and Affiliated Financing Company
On December 17, the CFPB announced a consent order against a Minnesota-based auto dealer and its affiliated financing company for alleged violations of the FCRA and the CFPA. The CFPB alleged that the auto dealer, acting through its financing company, (i) repeatedly furnished inaccurate consumer credit information for more than 84,000 customers from January 2009 through September 2013; and (ii) engaged in deceptive acts and practices by failing to report “good credit” to the credit reporting agencies (CRAs) for tens of thousands of consumers after making written representations that the it would report positive credit information to help consumers build and maintain good credit. Alleged FCRA violations include: (i) inaccurately reporting that vehicles were repossessed and borrowers owed balances after the vehicles were returned to the dealer in accordance with the company’s 72-hour return policy; (ii) inaccurately reporting that consumers had outstanding balances after issuing documentation that disputed accounts had been settled; and (iii) failing to establish and maintain reasonable written policies and procedures to ensure the accuracy and integrity of consumer information furnished to CRAs.
Under the terms of the consent order, the companies are required to pay a $6,465,000 civil money penalty. In addition, the companies must (i) establish and implement written consumer-information furnishing policies and procedures that comply with the Furnisher Rule; (ii) identify and correct inaccurate consumer-information that was furnished to the CRAs (iv) cease from making false representations that it will report “good credit” or other positive information to the CRAs; (v) provide affected consumers with free credit reports; and (vi) implement an effective audit program of its credit reporting practices.
CFPB Names Mary McLeod as New General Counsel
On December 17, the CFPB announced that Mary McLeod will join the Bureau in early 2016 as its General Counsel. McLeod will replace Meredith Fuchs, who announced her departure from the Bureau earlier this year and is currently serving as the CFPB’s General Counsel and Acting Deputy Director. McLeod first joined the State Department in 1977 and has headed the Office of the Legal Adviser of the State Department since January 2013.
Omnibus Spending Package Affects Cybersecurity Legislation
On December 15, Speaker Paul Ryan (R-WI) unveiled the omnibus spending bill, which includes the Cybersecurity Act of 2015 – legislation that would affect how businesses share information with each other and the government, and establish an information system for the government to share “cyber threat indicators and defensive measures in real time consistent with the protection of classified information” with federal and non-federal entities. The cybersecurity text included in the omnibus bill is a combination of three cybersecurity bills that were under legislative consideration this year, as follows: S. 754 - Cybersecurity Information Sharing Act of 2015; H.R. 1731 - National Cybersecurity Protection Advancement Act of 2015; and H.R. 1560 - Protecting Cyber Networks Act. Designating the Department of Homeland Security as the government’s proxy, the revised legislation provides entities with liability protections to voluntarily share with the government cybersecurity threat information. Specifically, regarding the sharing or receipt of cyber threat indicators, the legislation reads, “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure under section 104(c).” Although the legislation includes text mandating that entities “implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individuals,” critics from privacy and civil liberties organizations argue that the language is vague, offering citizens little protection while enhancing intelligence agencies’ capability to invade personal privacy.
The House is scheduled to vote on the legislation Friday, December 18, with the Senate – should the legislation pass the House – acting shortly thereafter.
Reorganization of the United States Code Affects SCRA Classification
Effective December 1, the Servicemembers Civil Relief Act (SCRA) was recodified at 50 U.S.C. §§ 3901 – 4043 from its former location at 50 U.S.C. app. §§ 501 – 597b. Recent structural changes to the U.S. Code eliminated the Appendix to Title 50, with several provisions transferring into the body of Title 50. Historically, the 1940 edition of the U.S. Code established the Appendix to Title 50 for emergency-related or temporary executive branch documents and law. However, because of the enduring nature of several laws contained in the Appendix, the Office of the Law Revision Counsel concluded that it would “improve the organizational structure” of the U.S. Code to move these sections into Title 50. Importantly, the law was not amended, so there are no substantive changes to the SCRA from this recodification. To assist clients in tracking these changes, BuckleySandler attorneys have prepared this chart mapping the old sections of the SCRA with their new locations in Title 50.
FDIC Announces Final Rule Amending the Filing Requirements and Procedures for Changes in Control
On December 16, the FDIC issued Financial Institution Letter FIL-60-2015 announcing the final rule amending filing requirements and processing procedures for notices filed under the Change in Bank Control Act. The final rule applies to all FDIC-supervised institutions, including those with assets under $1 billion. Some of the changes brought by the rule, effective January 1, 2016, include (i) consolidating and conforming the change-in-control regulation of state savings associations and rescinding prior regulation and guidance transferred from the Office of Thrift Supervision; (ii) adopting presumptions of acting in concert with the other federal banking agencies; (iii) defining terms that were previously undefined, such as “voting securities”; (iii) establishing reporting requirements for stock loans held by foreign banks and their affiliates, and for a CEO and bank director following a change of control; and (iv) subject to waiver, requiring a person who was approved to and has acquired control of a covered institution to file a second notice if that person's ownership, control, or power to vote will increase to 25% or more of any class of voting securities.
FTC Announces Record Settlement with Identity Theft Protection Company over Alleged Failures to Adhere to a 2010 Court Order
On December 17, the FTC announced a $100 million settlement with an Arizona-based identity theft protection company for violating the terms of a prior federal court order. In 2010, the District Court of Arizona prohibited the company from engaging in deceptive advertising and required it to secure consumers’ personal information. According to the FTC’s contempt charges, the company violated the terms of the prior order primarily by (i) failing to establish and maintain an adequate information security program to protect consumers’ personal information, such as social security numbers, and credit card and bank account numbers; (ii) falsely advertising that it protected consumers’ sensitive data by using the same sophisticated protections that financial institutions use; (iii) falsely advertising that it would send consumers alerts “as soon as” it received any indication that the consumer was a victim of identity theft; and (iv) failing to sufficiently create and retain records regarding the sale or provision of products or services related to identity theft.
The settlement is the largest monetary award obtained by the FTC in an enforcement action. Of the $100 million, $68 million may be used to “redress fees paid to [the company] by class action consumers who were allegedly injured by the same behavior alleged by the FTC.” In addition to the monetary provisions, the company must adhere to the recordkeeping procedures outlined in the 2010 order for an additional 13 years.
FinCEN Settles with Card Club Gaming Establishment for BSA Violations
On December 17, FinCEN announced a $650,000 settlement with a “card club” gaming establishment in California for willfully violating the program and reporting requirements of the Bank Secrecy Act (BSA). The gaming establishment allegedly trained its staff using misleading and inaccurate AML policy, which either failed to provide instructions at all, or provided incorrect instructions regarding the establishment’s obligations and reporting requirements under the BSA. As an example, the establishment “encouraged employees to provide notice to patrons if they were about to conduct a cash transaction that would put them over the $10,000 threshold for the filing of a Currency Transaction Report, thereby possibly encouraging structured transactions.” In addition, since the establishment’s policy did not contain instructions regarding when an employee should file a Suspicious Activity Report (“SAR”), it failed to file SARs in 2009 and 2010. Card clubs are gaming facilities that generally host only games involving cards; like casinos, card clubs are defined as financial institutions under the BSA, rendering them subject to FinCEN’s rules and regulatory authority.
