InfoBytes

Massachusetts AG Takes Action Against Debt Collection Law Firm

On December 21, Massachusetts AG Maura Healey filed a lawsuit against a Massachusetts-based debt collection law firm and its two owners for allegedly violating consumer protection laws by suing consumers for debts that were inaccurate or for debts they did not owe. The AG claims that, since 2011, the law firm: (i) pursued consumers who had exempt income, serving some of them with civil arrest warrants; (ii) demanded payments on old debts without having meaningful proof that the consumer owed the debt or that the debt amount was accurate; (iii) sued consumers without meaningful attorney involvement in the lawsuits; (iv) used sworn statements by debt buyers in collection lawsuits, even though it knew the affidavits were often generated without meaningful documentation or knowledge of the debt; (v) demanded payment of debts that may not have been within the statute of limitations for bringing a lawsuit; and (vi) continued to demand payments on alleged debts even after the cases were dismissed in court for lack of proof. The AG’s suit seeks injunctive relief, restitution to consumers, and civil penalties.

State Attorney General Debt Collection

Vendor Management in 2015 and Beyond

With evolving regulatory expectations and increased enforcement exposure, financial institutions are under more scrutiny than ever. Nowhere is this more evident than in the management and oversight of service providers. When service providers are part of an institution’s business practice, understanding the expectations of regulators, investors, and counterparties for compliance with consumer financial laws is critical.

CFPB Guidance

In 2012, the CFPB issued Bulletin 2012-03, which outlines the CFPB’s expectations regarding supervised institutions’ use of third party service providers. Banks and nonbanks alike are expected to maintain effective processes for managing the risks presented by service providers, including taking the following steps:

• Conducting thorough due diligence of the service provider to ensure that the service provider understands and is capable of complying with federal consumer financial law
• Reviewing the service provider’s policies, procedures, internal controls, and training materials
• Including clear expectations in written contracts
• Establishing internal controls and on-going monitoring procedures
• Taking immediate action to address compliance issues

Implementing consistent risk-based procedures for monitoring third party service provider relationships is an extremely important aspect of meeting the CFPB’s expectations and mitigating risk to the institution.

The Risk Management Lifecycle and Best Practices

The CFPB is but one of many agencies that have circulated vendor management guidance.  Other federal prudential regulators—most notably the Office of the Comptroller of the Currency—have developed regulatory guidance describing a “lifecycle” for oversight of third parties that supervised institutions are expected to follow.  The risk management lifecycle of a service provider relationship consists of:

• Planning/risk assessment
• Due diligence and service provider selection
• Contract negotiation and implementation
• Ongoing relationship monitoring
• Relationship termination/contingency plans

Supplemented by enhanced risk management processes, including meaningful involvement by the Board of Directors and extensive monitoring of performance and condition, the new framework for oversight of third parties can present both cost and operational challenges for all institutions.  Financial institutions would be prudent to implement the following best practices into their vendor management procedures, among others:

• Staffing sufficiently to ensure that service providers are properly monitored
• Incorporating Board and senior executive involvement throughout the process
• Documenting its efforts at every stage of the lifecycle

CFPB OCC Vendors Risk Management Valerie Hletko Jeffrey Naimon Chris Witeck Jon Langlois

Credit Cards 2016: Consumer Protection in Focus

The past year has seen heightened CFPB interest in the following areas: (i) deferred interest and rewards, (ii) limited English proficiency consumers, and (iii) the recent revisions to the Military Lending Act (MLA). Pursuing simplicity in the design of product features and closely following limited English proficiency issues will help credit issuers mitigate their regulatory risk. Also on the horizon in 2016 is the effective date of the MLA revisions, which were announced in July 2015.

Deferred Interest and Rewards

The Bureau has been focused on the marketing and design of deferred interest products and issued a strong admonition in September 2014 relating to the potential for consumer surprise.  However, there has been relatively little enforcement activity in this regard.  Instead, enforcement generally has focused on technical violations of law.  For example, an August 2015 consent order arose out of point-of-sale disclosures as opposed to the product features themselves. Some deferred interest issues, such as “old fashioned mistakes,” (e.g., “if paid in full” is dropped from the marketing copy) may represent low-hanging fruit for the CFPB and should be addressed to mitigate enforcement risk.  The Bureau has also expressed concern about technical issues that may complicate deferred interest for consumers, such as expiration of the promotional period prior to the payment due date.

The Bureau has suggested that consumers base their choice of credit card more on the nature and richness of the rewards than on the interest rate.  Accordingly, the Bureau has expressed concern about various aspects of rewards programs, including the expiration of points and complexity surrounding how they are earned and redeemed.  While simplicity may reduce regulatory risk, it undoubtedly makes rewards programs more expensive for issuers, and makes it more difficult for consumers to distinguish among them.

Limited English Proficiency

In September 2015, the CFPB issued an enforcement action related to mortgages, which required the respondent to spend $1M on targeted advertising and an outreach campaign in Spanish and English over the five-year term of the order. The CFPB recently created several Spanish language documents: a glossary of basic financial terms as well as two documents titled “Your Money, Your Goals,” and “The Newcomer’s Guide to Managing Money.”

Notwithstanding these efforts, it is worth noting that the CFPB has not translated any of the credit card model forms into Spanish.  Determining the appropriate extent of Spanish-language marketing—and fulfillment, if any—is a difficult calculation, and the Bureau has provided no firm guidance.  Still, while the industry awaits further developments in 2016, it is advisable to make specific efforts to engage Spanish-speaking communities.

Military Lending Act

The recently revised MLA will also impact the credit card industry in 2016. Under the new regulations, most credit card products will be subject to the MLA, including its 36 percent interest rate limitation.  Creditors will need to determine who is a covered borrower, but the revised regulations also provided two safe harbors for a creditor to make such a determination. The revised regulations take effect on October 3, 2016, except for most credit cards, as to which the compliance date is October 3, 2017. BuckleySandler addressed this new rulemaking in an MLA Spotlight Series (see Part 1, Part 2, Part 3).

Credit Cards Manley Williams Valerie Hletko

OCC Releases Semiannual Risk Perspective Report

On December 16, the OCC released its Semiannual Risk Perspective report to provide an overview of supervisory concerns for the federal banking system, including operational and compliance risks. According to the report, which covers data through June 30, 2015, risks relating to strategic, compliance, and interest rates remain unchanged, but risks connected to underwriting and cybersecurity continue to grow. Notable findings in the report reveal that (i) the low interest rate environment has led banks to reevaluate risk tolerance and extend their reach for yield; and (ii) banks are responding to competitive pressures and growth objectives by adopting a more relaxed approach toward credit underwriting standards and practices, particularly in high-growth loan segments, such as indirect auto, commercial and industrial, and multifamily.

The report emphasizes cyber threats and Bank Secrecy Act (BSA) and anti-money laundering (ALM) risks as growing concerns, commenting that “[c]yber attacks against cybersecurity products and services further increase risk to banks because of the release or sale of malware and zero-day vulnerabilities,” and “BSA/AML risks remain high, as technological developments that benefit customers through enhanced products and greater access to financial services may be vulnerable to criminals who exploit such innovations.”

OCC Anti-Money Laundering Bank Secrecy Act Risk Management Privacy/Cyber Risk & Data Security

CFPB Reports on Credit Card Agreements and Warns Colleges of Potential CARD Act Violations

On December 16, the CFPB issued its annual report to Congress regarding credit card marketing agreements between colleges and issuing credit card organizations. Pursuant the Credit Card Accountability, Responsibility, and Disclosure (CARD) Act, credit card issuers must disclose the details of those agreements to the CFPB, and colleges and universities are required to publicly disclose their marketing agreements, either by posting the actual contracts to their websites or by posting the information needed to request a copy of the agreement and subsequently providing a copy to the requestor. According to the report, a review of 25 sample colleges with active credit card agreements determined that “most institutions of higher education [did] not make copies of [the] agreements available on their websites to students and other affected parties.” The CFPB further noted that “[w]ith only rare exceptions, [the] institutions also fail[ed] to provide alternative reasonable means of access to those agreements.” In light of its findings, the CFPB sent a letter to the 17 colleges that may not have adequately disclosed a credit card agreement. The letter explained that the school received the notice because its marketing agreement with a card issuer “could not be publicly obtained using reasonable procedures and in a reasonable timeframe.” While the CFPB’s letter stated that it had yet to determine if the schools’ inaction violated the CARD Act, it urged the recipient schools to “reconsider [their] approach to public disclosure.”

CFPB CARD Act

CFPB Takes Action Against "Buy-Here, Pay-Here" Auto Dealer and Affiliated Financing Company

On December 17, the CFPB announced a consent order against a Minnesota-based auto dealer and its affiliated financing company for alleged violations of the FCRA and the CFPA. The CFPB alleged that the auto dealer, acting through its financing company, (i) repeatedly furnished inaccurate consumer credit information for more than 84,000 customers from January 2009 through September 2013; and (ii) engaged in deceptive acts and practices by failing to report “good credit” to the credit reporting agencies (CRAs) for tens of thousands of consumers after making written representations that the it would report positive credit information to help consumers build and maintain good credit. Alleged FCRA violations include: (i) inaccurately reporting that vehicles were repossessed and borrowers owed balances after the vehicles were returned to the dealer in accordance with the company’s 72-hour return policy; (ii) inaccurately reporting that consumers had outstanding balances after issuing documentation that disputed accounts had been settled; and (iii) failing to establish and maintain reasonable written policies and procedures to ensure the accuracy and integrity of consumer information furnished to CRAs.

Under the terms of the consent order, the companies are required to pay a $6,465,000 civil money penalty. In addition, the companies must (i) establish and implement written consumer-information furnishing policies and procedures that comply with the Furnisher Rule; (ii) identify and correct inaccurate consumer-information that was furnished to the CRAs (iv) cease from making false representations that it will report “good credit” or other positive information to the CRAs; (v) provide affected consumers with free credit reports; and (vi) implement an effective audit program of its credit reporting practices.

CFPB Dodd-Frank FCRA Auto Finance Credit Scores

CFPB Names Mary McLeod as New General Counsel

On December 17, the CFPB announced that Mary McLeod will join the Bureau in early 2016 as its General Counsel. McLeod will replace Meredith Fuchs, who announced her departure from the Bureau earlier this year and is currently serving as the CFPB’s General Counsel and Acting Deputy Director. McLeod first joined the State Department in 1977 and has headed the Office of the Legal Adviser of the State Department since January 2013.

CFPB

Omnibus Spending Package Affects Cybersecurity Legislation

On December 15, Speaker Paul Ryan (R-WI) unveiled the omnibus spending bill, which includes the Cybersecurity Act of 2015 – legislation that would affect how businesses share information with each other and the government, and establish an information system for the government to share “cyber threat indicators and defensive measures in real time consistent with the protection of classified information” with federal and non-federal entities. The cybersecurity text included in the omnibus bill is a combination of three cybersecurity bills that were under legislative consideration this year, as follows: S. 754 - Cybersecurity Information Sharing Act of 2015; H.R. 1731 - National Cybersecurity Protection Advancement Act of 2015; and H.R. 1560 - Protecting Cyber Networks Act. Designating the Department of Homeland Security as the government’s proxy, the revised legislation provides entities with liability protections to voluntarily share with the government cybersecurity threat information. Specifically, regarding the sharing or receipt of cyber threat indicators, the legislation reads, “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure under section 104(c).” Although the legislation includes text mandating that entities “implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individuals,” critics from privacy and civil liberties organizations argue that the language is vague, offering citizens little protection while enhancing intelligence agencies’ capability to invade personal privacy.

The House is scheduled to vote on the legislation Friday, December 18, with the Senate – should the legislation pass the House – acting shortly thereafter.

U.S. Senate U.S. House Privacy/Cyber Risk & Data Security

Reorganization of the United States Code Affects SCRA Classification

Effective December 1, the Servicemembers Civil Relief Act (SCRA) was recodified at 50 U.S.C. §§ 3901 – 4043 from its former location at 50 U.S.C. app. §§ 501 – 597b. Recent structural changes to the U.S. Code eliminated the Appendix to Title 50, with several provisions transferring into the body of Title 50. Historically, the 1940 edition of the U.S. Code established the Appendix to Title 50 for emergency-related or temporary executive branch documents and law. However, because of the enduring nature of several laws contained in the Appendix, the Office of the Law Revision Counsel concluded that it would “improve the organizational structure” of the U.S. Code to move these sections into Title 50. Importantly, the law was not amended, so there are no substantive changes to the SCRA from this recodification. To assist clients in tracking these changes, BuckleySandler attorneys have prepared this chart mapping the old sections of the SCRA with their new locations in Title 50.

SCRA

FDIC Announces Final Rule Amending the Filing Requirements and Procedures for Changes in Control

On December 16, the FDIC issued Financial Institution Letter FIL-60-2015 announcing the final rule amending filing requirements and processing procedures for notices filed under the Change in Bank Control Act. The final rule applies to all FDIC-supervised institutions, including those with assets under $1 billion. Some of the changes brought by the rule, effective January 1, 2016, include (i) consolidating and conforming the change-in-control regulation of state savings associations and rescinding prior regulation and guidance transferred from the Office of Thrift Supervision; (ii) adopting presumptions of acting in concert with the other federal banking agencies;  (iii) defining terms that were previously undefined, such as “voting securities”; (iii) establishing reporting requirements for stock loans held by foreign banks and their affiliates, and for a CEO and bank director following a change of control; and (iv) subject to waiver, requiring a person who was approved to and has acquired control of a covered institution to file a second notice if that person's ownership, control, or power to vote will increase to 25% or more of any class of voting securities.

FDIC Directors & Officers Agency Rule-Making & Guidance