
InfoBytes Blog

Financial Services Law Insights and Observations


  • EU-U.S. release statement on Joint Financial Regulatory Forum

    Federal Issues

    On July 20, participants in the U.S.-EU Joint Financial Regulatory Forum, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, issued a joint statement regarding the ongoing dialogue that took place from June 27-28, noting that the matters discussed during the forum focused on six themes: “(1) market developments and financial stability risks; (2) regulatory developments in banking and insurance; (3) anti-money laundering and countering the financing of terrorism (AML/CFT); (4) sustainable finance and climate-related financial risks; (5) regulatory and supervisory cooperation in capital markets; and (6) operational resilience and digital finance.”

    Participants acknowledged that the financial sector in both the EU and the U.S. is exposed to risk due to ongoing inflationary pressures, uncertainties in the global economic outlook, and geopolitical tensions as a result of Russia’s war on Ukraine. During discussions, participants emphasized the significance of strong bank prudential standards, effective resolution frameworks, and robust supervision practices. They also stressed the importance of international cooperation and continued dialogue to monitor vulnerabilities and strengthen the resilience of the financial system. Participants took note of recent developments relating to, among other things, recent bank failures, digital finance, the crypto-asset market, and the potential adoption of central bank digital currencies.

    Federal Issues Bank Regulatory Financial Crimes Digital Assets Of Interest to Non-US Persons EU Department of Treasury Federal Reserve CFTC FDIC SEC OCC Anti-Money Laundering Combating the Financing of Terrorism

  • Illinois Supreme Court declines to reconsider BIPA accrual ruling

    Privacy, Cyber Risk & Data Security

    On July 18, the Illinois Supreme Court declined to reconsider its February ruling, which held that under the state’s Biometric Information Privacy Act (BIPA or the Act), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Three justices, however, dissented from the denial of rehearing, writing that the ruling leaves “a staggering degree of uncertainty” by offering courts and defendants little guidance on how to determine damages. The putative class action stemmed from allegations that the defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting plaintiff’s biometric data and disclosing the data to a third-party vendor without first obtaining her consent. While the defendant challenged the timeliness of the action, the plaintiff asserted that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.”

    In February, a split Illinois Supreme Court held that claims accrue under BIPA each time biometric identifiers or biometric information (such as fingerprints) are scanned or transmitted, rather than simply the first time. (Covered by InfoBytes here.) The dissenting judges wrote that they would have granted rehearing because the majority’s determination that BIPA claims accrue with every transmission “subvert[s] the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois, and consequently raises significant constitutional due process concerns.” The dissenting judges further maintained that the majority’s February decision is confusing and lacks guidance for courts when determining damages awards. While the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” it also said that it continues “to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature,” and that it “respectfully suggest[s] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”

     

    Privacy, Cyber Risk & Data Security Courts State Issues Illinois BIPA Enforcement Consumer Protection Class Action

  • California probes employers’ CCPA compliance

    Privacy, Cyber Risk & Data Security

    On July 14, the California attorney general announced it recently sent inquiries to several large employers as part of an investigation into companies’ compliance with their legal obligations under the California Consumer Protection Act (CCPA). The investigation centers on how companies handle the personal information of employees and job applicants. As previously covered by InfoBytes, temporary exemptions related to human resource and business-to-business data provided by the CCPA and the California Privacy Rights Act expired on January 1 of this year. Amendments were introduced last legislative session that would have extended the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role . . . [in] that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” However, the amendments were not adopted, and the exemptions expired.

    The AG said they are sending the inquiry letters “to learn how employers are complying with their legal obligations.” Covered businesses subject to the CCPA are required to comply with the statute’s privacy protections as they relate to employee data, including providing notice of privacy practices and honoring consumer requests to exercise their rights to access, delete, and opt out of the sale and sharing of their personal information.

    Privacy, Cyber Risk & Data Security State Issues California State Attorney General CCPA Consumer Protection

  • CFPB, EU start talks on AI, digital finance

    Federal Issues

    On July 17, CFPB Director Rohit Chopra and Commissioner for Justice and Consumer Protection of the European Commission Didier Reynders issued a joint statement announcing the start of new dialogue on consumer financial protection with a primary focus on digital developments in the financial sector and ways to improve policy and regulatory cooperation.

    Chopra and Reynders stressed that there are significant implications for both businesses and households from the digitalization of the financial services sector, including impacts on pricing, customer service, competition, and privacy. They noted that financial institutions are increasingly deploying automated decision-making processes, leveraging artificial intelligence technologies, and developing and introducing new financial products and services, such as Buy Now, Pay Later. Chopra and Reynders also commented that digital payments are becoming “increasingly offered and controlled by Big Tech.” They warned these developments, if not properly regulated, “could increase consumers’ exposure to fraud and manipulation, limit their product options over time, threaten their control over their own data, and force them to accept more expensive personalized pricing for the same products and services compared to other consumers.” Chopra and Reynders also cautioned that policymakers must do more to keep pace with evolving markets and ensure consumer protection.

    The dialogue will address topics relating to:

    • The deployment of automated decision-making and data processing and implications for consumers;
    • Risks associated with emerging credit options, including the potential risks of over-consumption and over-indebtedness for consumers who use these products;
    • Measures for exploring ways to assist over-indebted consumers in managing and repaying their debt sustainably;
    • Digital transformation and access to fair financial services, including to unbanked and underbanked consumers, as well as those who prioritize protecting their personal data; and
    • Competition, privacy, security, and financial stability implications associated with big tech companies that offer financial services.

    Chopra and Reynders will meet informally at least once per year to share insights and experiences on consumer financial issues. According to the statement, the dialogue will also involve staff discussions, bilateral meetings with subject matter experts, and roundtables with stakeholders. The cooperation and exchanges within the informal dialogue are expected “to occur in parallel with other forms of cooperation and exchanges between the European Union and the United States on various digital and financial services policies and regulations,” the joint statement said.

    Federal Issues Fintech CFPB Of Interest to Non-US Persons EU Artificial Intelligence Consumer Finance Buy Now Pay Later

  • OCC allows institutions affected by Vermont flooding to temporarily close

    Federal Issues

    On July 11, the OCC issued a proclamation permitting OCC-regulated institutions to close offices, at their discretion, affected by severe flooding in Vermont “for as long as deemed necessary for bank operation or public safety.” In issuing the proclamation, the OCC noted that only bank offices directly affected by potentially unsafe conditions should close, and that institutions should make every effort to reopen as quickly as possible to address customers’ banking needs. The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions.

    Find continuing InfoBytes coverage on disaster relief here.

    Federal Issues OCC Disaster Relief Vermont Consumer Finance

  • Agencies put out policy on CRE workouts

    On June 29, the FDIC, OCC, Federal Reserve Board, and NCUA, in consultation with state bank and credit union regulators, jointly issued a final policy statement addressing prudential commercial real estate loan accommodations and workouts for borrowers experiencing financial difficulty. The policy statement applies to all supervised financial institutions and supersedes previous guidance issued in 2009. Building on existing supervisory guidance, the policy statement advises financial institutions “to work prudently and constructively with creditworthy borrowers during times of financial stress.” The policy statement (i) updates interagency supervisory guidance on commercial real estate loan workouts; (ii) adds a new section on short-term loan accommodations (for purposes of the policy statement, “an accommodation includes any agreement to defer one or more payments, make a partial payment, forbear any delinquent amounts, modify a loan or contract, or provide other assistance or relief to a borrower who is experiencing a financial challenge”); (iii) addresses relevant accounting standard changes on estimating loan losses; and (iv) provides updated examples on how to classify and account for loans modified or affected by loan accommodations or loan workout activity. The policy statement takes effect upon publication in the Federal Register.

    Bank Regulatory Federal Issues Federal Reserve OCC FDIC NCUA Real Estate Commercial Lending

  • FFIEC releases 2022 HMDA data

    Federal Issues

    On June 29, the Federal Financial Institutions Examinations Council (FFIEC) released the 2022 HMDA data on mortgage lending transactions at 4,460 covered institutions (an increase from the 4,338 reporting institutions in 2021). Available data products include: (i) the Snapshot National Loan-Level Dataset, which contains national HMDA datasets as of May 1; (ii) the HMDA Dynamic National Loan-Level Dataset, which is updated on a weekly basis to reflect late submissions and resubmissions; (iii) the Aggregate and Disclosure Reports, which provide summaries on individual institutions and geographies; (iv) the HMDA Data Browser where users can customize tables and download datasets for further analysis; and (v) the Loan/Application Register for filers of 2022 HMDA data.

    The 2022 data includes information on 14.3 million home loan applications, of which 11.5 million were closed-end and 2.5 million were open-end. The Snapshot revealed that an additional 287,000 records were from financial institutions making use of the Economic Growth, Regulatory Relief, and Consumer Protection Act’s partial exemptions that did not designate closed-end or open-end status. Observations from the data relative to the prior year include: (i) the percentage of mortgages originated by non-depository, independent mortgage companies decreased, accounting for “60.2 percent of first lien, one- to four-family, site-built, owner-occupied home-purchase loans, down from 63.9 percent in 2021”; (ii) the percentage of closed-end home purchase loans for first lien, one- to four-family, site-built, owner-occupied properties made to Black or African American borrowers increased from 7.9 percent in 2021 to 8.1 percent in 2022, while the share of these loans made to Hispanic-White borrowers decreased slightly from 9.2 percent to 9.1 percent and the share made to Asian borrowers increased from 7.1 percent to 7.6 percent; and (iii) “Black or African American and Hispanic-White applicants experienced denial rates for first lien, one- to four-family, site-built, owner-occupied conventional, closed-end home purchase loans of 16.4 percent and 11.1 percent respectively, while the denial rates for Asian and non-Hispanic-White applicants were 9.2 percent and 5.8 percent respectively.”

    Federal Issues Bank Regulatory FFIEC HMDA Mortgages Consumer Finance EGRRCPA

  • NYDFS publishes new proposal on cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On June 28, NYDFS published an updated proposed second amendment to the state’s cybersecurity regulation (23 NYCRR 500) reflecting revisions made by the department in response to comments received on proposed expanded amendments published last November. (Covered by InfoBytes here.) NYDFS’ cybersecurity regulation, effective in March 2017, imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. (Covered by InfoBytes here.) Proposed changes include:

    • New and amended definitions. The proposed second amendment defines “Chief Information Security Officer or CISO” to mean “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program.” Certain references to a CISO’s responsibilities have been moved and slightly modified throughout. The amendments also clarify that affiliates should only include “those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity” for the purposes of calculating the number of employees and gross annual revenue for consideration as a “Class A Company.” The definition of a “privileged account” has also been modified to remove a condition that an authorized user account or service account be able to affect a material change to the technical or business operations of the covered entity. Risk assessments also no longer include a requirement that a covered entity “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” Additionally, “senior governing body” now specifies that for “any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”
    • Notice of a cybersecurity event. Under 23 NYCRR 500, entities are required to notify NYDFS within 72 hours after a determination has been made that a cybersecurity event has occurred at a covered entity, its affiliates, or a third-party service provider. The amendments remove a 90-day period for covered entities to provide the superintendent with requested information, and instead provide that “[e]ach covered entity shall promptly provide any information requested regarding such event. Covered entities shall have a continuing obligation to update and supplement the information provided.” Covered entities will be required to maintain for examination, and now inspection by the department upon request, all records, schedules, and supporting data and documentation.
    • Exemptions. The proposed second amendment now offers that “[a]n employee, agent, wholly-owned subsidiary, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, wholly-owned subsidiary, representative or designee is covered by the cybersecurity program of the covered entity.”
    • Additional modifications. Other slight modifications have been made throughout that include removing a requirement that covered entities “document material issues found during testing and report them to its senior governing body and senior management,” and deleting a requirement that Class A companies use external experts to conduct risk assessments at least once every three years. The proposed second amendment makes changes to third-party service provider policy requirements and multi-factor authentication provisions and replaces a reference to a covered entity’s board of directors or equivalent with the “senior governing body.” Language defining these responsibilities has been slightly modified. Additionally, incident response plans must also now include a root cause analysis describing “how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” Furthermore, when assessing penalties, the superintendent may now also consider “the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST.”

    The proposed second amendment is subject to a 45-day comment period expiring August 14.

    Privacy, Cyber Risk & Data Security State Issues NYDFS 23 NYCRR Part 500 State Regulators

  • 4th Circuit upholds sanctions against debt relief operation

    Courts

    On June 23, the U.S. Court of Appeals for the Fourth Circuit upheld a default judgment entered against a debt relief operation and related individuals accused of violating the TCPA and the West Virginia Consumer Credit and Protection Act (WVCCPA). Plaintiff-appellee alleged she received multiple telemarketing phone calls regarding debt relief offered through lower interest rates on credit cards from the defendants (including the appellants). During discovery, defendants allegedly engaged in “evasive discovery tactics” and “relentless sandbagging,” which resulted in a magistrate judge entering multiple orders to compel. Defendants allegedly continued to call the plaintiff-appellee for more than a year after she filed her initial complaint. Additional defendants (including some of the appellants) were added via amended complaints as she discovered defendants had allegedly “formed a vast and complex web of corporate entities.”

    The district court eventually sanctioned the appellants and struck their defenses for, among other things, engaging in a “pattern of concealing discoverable material” and failing to obey court orders. Appellants filed a motion for reconsideration, claiming the sanctions were too harsh and came as a surprise, the discovery abuses were “inadvertent,” and the plaintiff-appellee had not been prejudiced. Plaintiff-appellee then filed a renewed motion for sanctions outlining continued violations by appellants. Eventually, the district court entered a default judgment against the appellants for failing “to respond fulsomely and accurately to discovery requests and to comply with court orders pertaining to those requests.” The sanctions imposed an $828,801.36 judgment plus costs.

    On appeal, the 4th Circuit concluded the district court did not abuse its discretion in finding appellants acted in bad faith and entering default judgment against them. The appellate court explained that there are certain circumstances, including this action, “where the entry of default judgment against a defendant for systemic discovery violations is the natural next step in the litigation, even without an explicit prior warning from the district court.” The appellate court further concluded the record contradicted each of the appellants’ arguments and held appellants “had fair ‘indication that sanctions might be imposed against [them]’ for their continued discovery and scheduling order violations.” With respect to appellants’ arguments that the district court awarded damages for the same purported calls pursuant to both the TCPA and the WVCCPA, the 4th Circuit found that penalties under these statutes are not exclusive and that they separately penalize different violative conduct. “[D]amages under the WVCCPA may be awarded in addition to those under the TCPA for a single communication that violates both statutes,” the appellate court wrote, adding that a plaintiff can also “recover separate penalties under separate sections of the TCPA even if the violations occurred in the same telephone call.”

    Courts State Issues Appellate Fourth Circuit West Virginia TCPA Debt Relief Consumer Finance

  • OCC updates asset management handbook

    On June 22, the OCC issued version 1.0 of the Asset Management booklet of the Comptroller’s Handbook. The booklet rescinds the booklet of the same title, issued in December 2000. Among other things, the booklet: (i) clarifies OCC expectations for fiduciary audit requirements; (ii) provides for consistency in the OCC’s examination of bank fiduciary audit activities; (iii) adds language from 12 CFR 150 applying to federal savings associations; and (iv) defines a robust, well documented risk assessment to support the development of a meaningful audit plan and support fiduciary activities.

    Bank Regulatory Federal Issues Comptroller's Handbook
