
  • Pennsylvania amends the Breach of Personal Information Notification Act

    State Issues

    On June 28, Pennsylvania enacted SB 824 (the “Act”), amending a previous bill from 2005 entitled the Breach of Personal Information Notification Act, which addresses the security of computerized data, mandates notification for consumers if their personal information may have been exposed due to a security breach, and imposes penalties. The Act enhances requirements for notifying individuals of security breaches, outlines obligations for notifying consumer reporting agencies, and provides for credit reporting and monitoring services in the event of data breaches.

    The Act specifically requires an entity to provide a notice to the attorney general (AG), along with the affected individuals, if a security breach affects more than 500 individuals in the state. The notification to the AG must include, when known, the name and location of the organization, the date of the security breach, a summary of the incident, and an estimate of the total number of individuals affected by the breach, both within the state and overall. However, entities that are already subject to the requirements of 40 PA.C.S. CH. 45, which pertains to insurance data security, are exempt from these notification obligations.

    Further, under the Act, entities are required to notify affected individuals of a data breach and are responsible for covering costs related to providing credit reporting and monitoring services to those individuals. Specifically, the entity must provide access to an independent credit report from a consumer reporting agency free of charge, unless the individual is already entitled to receive a free credit report under federal law. Additionally, the entity must provide free access to credit monitoring services for 12 months following the notification of the breach.

    The Act also specifies that an entity must satisfy these requirements if it determines that a security breach has occurred and there is a reasonable belief that personal information, including an individual's name, in combination with their Social Security number, bank account number, or driver's license/state ID number, has been accessed.

    State Issues Pennsylvania Privacy, Cyber Risk & Data Security State Legislation State Attorney General

  • SAVE Plan partially blocked by 2 federal judges


    Recently, two district court judges partially blocked President Biden’s student debt relief program, known as the Saving on a Valuable Education (SAVE) plan. The judges from Missouri and Kansas ruled that the program lacks clear authorization from Congress as required under the Higher Education Act. Judge John Ross of Missouri issued a preliminary injunction to prevent the Department of Education from forgiving loans under the program. Similarly, Judge Daniel Crabtree of Kansas prohibited the plan from fully launching on July 1. The judges’ decisions came after state attorneys general filed lawsuits, arguing that the SAVE Plan presents a “major question” of economic and political significance, which demands explicit congressional approval. Despite the government’s claim that the Higher Education Act authorizes the plan, both judges found the arguments insufficiently persuasive to demonstrate clear congressional authorization.

    Courts Federal Issues Biden SAVE Plan Congress Student Loans Higher Education Act

  • 7th Circuit reverses district court, holds ECOA prohibits discouragement of prospective applicants for credit


    On July 11, the U.S. Court of Appeals for the Seventh Circuit reversed a district court’s decision to dismiss the CFPB’s claims that a Chicago-based nonbank mortgage company and its owner violated ECOA by engaging in discriminatory marketing. As previously covered by an Orrick Insight, the CFPB initiated a redlining enforcement action against the company in 2020, alleging defendants discouraged African Americans from applying for mortgage loans from the company and redlined African American neighborhoods in Chicago. Last year, the U.S. District Court for the Northern District of Illinois dismissed the CFPB’s action (covered by InfoBytes here). On appeal, the CFPB argued that its interpretation of ECOA is supported by the historical context of Regulation B and has not been contested by Congress (covered by InfoBytes here).

    The 7th Circuit noted that Congress intended to allow for penalties in cases where prospective applicants are discouraged. Therefore, the court stated that Regulation B's rule against deterring prospective applicants aligns with both the text and the intent of the ECOA. In determining whether Regulation B’s prohibition on the discouragement of prospective applicants is consistent with ECOA, the court reasoned that it “cannot constrain artificially the ECOA to a single provision” and rather, must review it as a whole. Applying this standard, the court held that ECOA prohibits “not only outright discrimination against applicants for credit, but also the discouragement of prospective applicants for credit.” In remanding the case, the 7th Circuit left it to the district court to determine whether the defendants’ alleged conduct was prohibited discouragement under ECOA, and to address defendants’ argument that their allegedly unlawful conduct is protected by the First Amendment’s guarantee of free speech.

    Of note, while the parties’ briefing before the 7th Circuit addressed the then-effective Chevron doctrine, the 7th Circuit noted that its decision treated the ECOA issue as “a question of statutory interpretation subject to our de novo review” and took into account the recent Supreme Court ruling in Loper Bright Enterprises v. Raimondo, No. 22-451, 603 U.S. ___ (2024) overturning Chevron (covered by InfoBytes here).

    Courts Federal Issues CFPB Consumer Finance Redlining Chevron Seventh Circuit ECOA First Amendment Regulation B

  • OCC releases June CRA evaluations for 21 institutions

    Recently, the OCC released its Community Reinvestment Act (CRA) performance evaluations for June. The OCC evaluated 21 entities, including national banks, federal savings associations, and insured federal branches of foreign banks. The assessment framework has four possible ratings: Outstanding, Satisfactory, Needs to Improve, and Substantial Noncompliance. Of the 21 evaluations reported by the OCC, 14 entities were rated “Satisfactory,” six entities were rated “Outstanding,” and one was rated “Needs to Improve.” A full list of the bank evaluations is available here. In the CRA FAQ, the OCC details how it evaluates and rates financial institutions based on two categories: first, the institution, examining factors such as capacity, constraints, business strategies, competitors, and peers, and second, the community it serves, analyzing its demographic particulars, economic data, and the availability of lending, investment, and service opportunities.

    Bank Regulatory OCC CRA FAQs

  • FDIC issues May 2024 enforcement actions

    Recently, the FDIC released a list of administrative enforcement actions taken against banks and individuals in May 2024. During that month, the FDIC made public 15 orders consisting of: a combined personal consent order and order to pay a civil money penalty (CMP); “one combined order of prohibition from further participation, and compromise and waiver of order to pay a CMP; seven consent orders; three CMP orders; two orders terminating consent orders; and one order terminating deposit insurance.”

    Included was a consent order with an Oklahoma-based bank alleging the bank engaged in “unsafe or unsound banking practices and violations of law or regulation.” Under the order, the bank must allow its board to participate more in the bank’s affairs, notify the FDIC if any directors or executives resign, and create a business plan and a capital plan, among others. Also included was a consent order with an Arkansas-based bank, alleging the bank engaged in “violations of law or regulation” relating to RESPA, as implemented by Regulation X; HMDA, as implemented by Regulation C; Section 5 of the FTC Act; and the FCRA and Section 1022.54 of Regulation V. The FDIC ordered the bank to pay a civil money penalty of $1.5 million. The banks neither admitted nor denied the allegations.

    Bank Regulatory FDIC Enforcement Bank Compliance RESPA FCRA

  • CFPB addresses its commitment to ensuring a fair mortgage market

    Federal Issues

    Recently, the CFPB released a blog post to remind mortgage lenders of its commitment to maintaining a fair, competitive, and nondiscriminatory market. The CFPB’s research found a small group of lenders and loan originators allegedly failed to report HMDA data, particularly demographic information, for an abnormally large percentage of their total loan originations, which could be an indicator that this group was misreporting data. The Bureau’s analysis found thousands of loan officers who reported a lack of demographic information for 95 percent or more of their mortgage applications, raising concerns about potential discrimination. The CFPB noted its work against two major lenders for failing to report accurate data under HMDA. In one action, against a large mortgage lender (as covered by InfoBytes here), the CFPB alleged the lender submitted false mortgage lending information and imposed a $3.95 million civil penalty. The CFPB separately ordered another bank to pay a $12 million penalty for allegedly failing to collect accurate demographic information from mortgage applicants and reporting that applicants had chosen not to respond.

    HMDA requires lenders to collect and report certain applicant data, including demographic information. If an applicant declines to provide this information in person, the lender must attempt to collect it through either visual observation or surname. Failure to comply with these requirements constitutes a violation of HMDA and Regulation C.

    The CFPB has intensified its efforts to address HMDA compliance through enforcement actions and supervisory examinations. The agency emphasized its commitment to holding companies accountable for non-compliance and encourages employees who suspect violations to report them.

    Federal Issues Mortgages CFPB Competition HMDA

  • CFPB reports on borrowers’ issues with their mortgage servicers

    Federal Issues

    Recently, the CFPB released a report examining the experiences of mortgage borrowers who struggled to make payments during the Covid-19 pandemic. For the report, the CFPB used a dataset from the 2020 American Survey of Mortgage Borrowers, derived from the National Mortgage Database. The report found that the most common challenges borrowers faced included (i) thinking they did not qualify for assistance programs; (ii) not knowing how to apply for them; and (iii) experiencing “too much trouble” with the application process. The CFPB also found many borrowers felt uncomfortable talking to their mortgage servicer and noted data and evidence that borrowers with limited English proficiency were more likely to face challenges.

    The report also found that over half of distressed borrowers discussed their repayment difficulties with their servicer, and those who discussed these difficulties were more likely to receive offers for assistance (such as repayment plans or loan modifications). The most common topics discussed with servicers were forbearances, loan modifications, repayment plans, refinancing options and available government programs. Most borrowers who received a forbearance reported being satisfied with the process, but more than a third were unclear about what would happen at the end of the forbearance period and how to repay forborne payments. Some borrowers were also confused at the outset about how deferred payments would work after entering a loan forbearance.

    Federal Issues Mortgages Mortgage Servicing Covid-19

  • FTC orders end to software provider’s sale of web browsing data

    Federal Issues

    Recently, the FTC finalized an order banning a software provider from engaging in the sale, disclosure, or licensing of web browsing data for advertising. The order resolves the FTC’s accusations that the company monetized user data despite promises of protecting users from online tracking. The firm is also required to pay $16.5 million, intended to compensate consumers.

    In its complaint, the FTC claimed that the company, through an overseas subsidiary, inappropriately harvested users’ browsing data via browser add-ons and antivirus products, retained this information indefinitely, and sold it without proper notification or consent. The provider was accused of misleading consumers by offering privacy protection against third-party tracking while simultaneously selling their identifiable online activity data to a large number of third parties.

    The order requires the company to (i) erase all collected browsing data and any derived products or algorithms; (ii) secure explicit consent prior to selling or licensing any browsing data from certain products; (iii) inform consumers who had their data sold without consent about the enforcement action; and (iv) establish a privacy program to correct and prevent similar issues in the future.

    Federal Issues Privacy, Cyber Risk & Data Security FTC Enforcement

  • FCC’s Rosenworcel responds to congressmen on FCC’s efforts to combat scam texts

    Federal Issues

    Recently, the Chairwoman of the FCC, Jessica Rosenworcel, responded via letter to members of Congress on the FCC’s efforts to curtail scam text messages. These scam texts had often masqueraded as having been sent by financial institutions and exploited consumers through misleading text messages. The FCC labeled these messages as abusive and unlawful under Section 222 of the Communications Act, which requires telecommunications carriers to ensure consumer network information is secured.

    In the letters, Rosenworcel noted the FCC’s authority under the TCPA and TRACED Act (two amendments to the Communications Act) to protect consumers from “unlawful text messages and the scams that they can often spread.” Rosenworcel listed some rulemaking actions the FCC has taken to protect against these scams: in March 2023, the FCC adopted an order to block texts from invalid numbers; and in December 2023, the FCC adopted an order requiring all carriers to block texts from numbers that the agency deemed as a source of illegal texts.

    The chairwoman responded to Rep. Debbie Dingell (D-MI), Rep. Andrew Garbarino (R-NY), Rep. Josh Gottheimer (D-NJ), and Rep. Jay Obernolte (R-CA) with four copies of the same letter.

    Federal Issues FCC TCPA Federal Communications Act TRACED Act

  • CFPB publishes its 2023 fair lending annual report to Congress

    Federal Issues

    On June 26, the CFPB published its Fair Lending Annual Report to Congress for 2023, outlining the agency's actions against discrimination and promoting fair access to credit. Among additional interagency actions, the CFPB noted that it enforced fair lending laws by taking action against a bank for allegedly discriminating against Armenian Americans applying for credit cards (covered by InfoBytes here) and suing a Texas-based developer for allegedly targeting Latino borrowers with predatory loan products. The CFPB also addressed how some institutions may not have reported demographic data as required by HMDA, resulting in additional recent enforcement actions for inaccurate data reporting. The Bureau highlighted further efforts to combat appraisal bias, including working through the FFIEC Appraisal Subcommittee, filing court briefs, proposing guidance on valuation reconsiderations, and rulemaking on automated valuation models. The report satisfies CFPB's obligation to report to Congress on ECOA enforcement actions and on HMDA data utility, in consultation with HUD, which reports annually on the utility of HMDA reporting requirements.

    Federal Issues CFPB Fair Lending Consumer Finance Congress Enforcement

