InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CSBS and FHFA sign agreement to enhance information sharing on nonbank mortgage companies
On April 10, the Conference of State Bank Supervisors (CSBS) and the FHFA announced they have signed a memorandum of understanding (MOU) to enhance information sharing on nonbank mortgage companies. The MOU reportedly aimed to improve the ability to coordinate on market developments, identify and mitigate risks, and ultimately, further protect consumers, taxpayers, and the nation’s housing finance system. CSBS Board Chair, Lise Kruse, emphasized the value of collaboration between state and federal regulators to support a stable mortgage marketplace, given the distinct authority each supervisory agency maintained over the nonbank mortgage industry. According to the CSBS, state financial regulators primarily oversee nonbank mortgage companies, while the FHFA regulated significant entities like Fannie Mae and Freddie Mac, which served as important counterparties to the nonbank mortgage industry. According to FHFA Director, Sandra L. Thompson, the new information sharing protocols will enable both state and federal regulators to supervise the mortgage industry more effectively, leading to improved outcomes for all stakeholders.
Kentucky enacts bills: on mortgage liens and unlawful trade practices
On April 9, Kentucky enacted HB 488 (the “Bill”) which will establish when a county clerk admits any amendment, renewal, modification, or extension of a recorded mortgage to record. The Bill will also establish when a county clerk admits affidavits of amendment prepared and executed by an attorney to record. Additionally, the Bill will establish recording requirements and a section to establish when a promise, acknowledgment, or payment of money operates as an extension of a lien in a recorded mortgage or deed. Finally, the Bill establishes recording requirements for extensions on a lien in a recorded mortgage or deed.
On April 4, Kentucky also enacted HB 88 (the “Act”) which will amend provisions related to unlawful trade practices, prohibiting (i) entities that are not banks or trust companies from implying that they are engaged in banking or trust activities, and (ii) entities to use in their marketing materials the name, trademark, logo or symbol of any financial institution or similarly resembling any financial institution, with exceptions for permitted use or disclosure of non-consent.
The Act will also state that residential real property service agreements cannot give rise to rights or obligations lasting longer than two years after their effective date. Additionally, barring exceptions, service agreements cannot (i) be enforceable on future owners of interests in the residential real property or otherwise purport to remain attached to the property; (ii) create or impose a lien, encumbrance, or other real property interest on the residential real property; or (iii) require or permit recording of the agreement or any notice or memorandum of the agreement, among other things.
Ginnie Mae now requires issuers to disclose cybersecurity incidents within 48 hours
On March 4, the President of Ginnie Mae released All Participants Memorandum (APM) 24-02, which set forth a new requirement applicable to all issuers, including issuers that subservice loans for others. The memo mandated that all approved issuers must notify Ginnie Mae of any significant cybersecurity incident within 48 hours of detection. Ginnie Mae defined a “Cyber Incident” as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constituted a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the Issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.” If a Cyber Incident has occurred, issuers must it report to Ginnie Mae via a specified email address and must include (i) the date and time of the incident, (ii) a summary of the incident, and (iii) points of contact responsible for coordinating any follow-up questions regarding the incident. These requirements are also now reflected in Chapter 03, Part 18 of the Mortgage-Backed Securities Guide, 5500.3, REV-1.
District Court partially dismisses TCPA claims
On December 12, the U.S. District Court for the Northern District of Illinois partially granted a culinary school’s motion to dismiss claims concerning unwanted calls to enroll in cooking classes. According to the memorandum opinion and order, the plaintiff filed suit after the culinary school called her over 30 times, even though she had requested the school to place her on a do-not-call list. The plaintiff claimed the school violated the Telephone Consumer Protection Act (TCPA) by making unwanted calls and leaving prerecorded messages on her cell phone.
According to the court, any calls made to a cell phone cannot violate § 227(b)(1)(B) because the court reasoned that “a cellular phone and a residential phone are not the same thing,” and that § 227(b)(1)(B) of the TCPA expressly covers “residential telephone line[s],” but not cellular telephone services. Regarding the plaintiff’s claim under § 227(b)(1)(A) of the TCPA, although the school argued there was not enough proof that the calls were prerecorded, including because some of the calls came from different states, the court disagreed and provided examples of why the calls could have been prerecorded. The court consequently denied the school’s motion to dismiss the plaintiff’s § 227(b)(1)(A) claim.
President Biden issues Executive Order targeting AI safety
On October 30, President Biden issued an Executive Order (EO) outlining how the federal government can promote artifical intelligence (AI) safety and security to protect US citizens’ rights by: (i) directing AI developers to share critical information and test results with the U.S. government; (ii) developing standards for safe and secure AI systems; (iii) protecting citizens from AI-enabled fraud; (iv) establishing a cybersecurity program; and (v) creating a National Security Memorandum developed by the National Security Council to address AI security.
President Biden also called on Congress to act by passing “bipartisan data privacy legislation” that (i) prioritizes federal support for privacy preservation; (ii) strengthens privacy technologies; (iii) evaluates agencies’ information collection processes for AI risks; and (iv) develops guidelines for federal agencies to evaluate privacy-preserving techniques. The EO additionally encourages agencies to use existing authorities to protect consumers and promote equity. As previously covered by InfoBytes, the FCC recently proposed to use AI to block unwanted robocalls and texts). The order further outlines how the U.S. can continue acting as a leader in AI innovation by catalyzing AI research, promoting a fair and competitive AI ecosystem, and expanding the highly skilled workforce by streamlining visa review.
Challenge to HUD fair housing rule denied
On September 19, the U.S. District Court for the District of Columbia denied a motion for summary judgment from the National Association of Mutual Insurance Companies arguing that the Department of Housing and Urban Development’s disparate-impact rule conflicts with the limits of the Fair Housing Act as interpreted at the Supreme Court. The rule, promulgated in 2013 and reinstated under the Biden administration, a policy is unlawful if it has a “discriminatory effect” on a protected class and was not necessary to achieve a “substantial, legitimate, nondiscriminatory” interest or if there is a less discriminatory alternative. Judge Richard J. Leon held that the rule does not exceed limitations on disparate-impact liability under the FHA placed by the Supreme Court in Texas Department of Housing & Community Affairs v. Inclusive Communities Project, Inc., 576 U.S. 519 (2015) where those limitations avoid potential constitutional issues and prevent the Act from forcing housing authorities to reorder their legitimate priorities.
District Court: Plaintiff failed to prove damages in RESPA suit
The U.S. District Court for the Northern District of Texas recently granted summary judgment in favor of a defendant mortgage servicer related to alleged RESPA violations. Plaintiff obtained a refinanced loan that was serviced by the defendant. Plaintiff later sued the defendant after becoming frustrated by receiving repeated calls suggesting he refinance the loan. Once litigation commenced, the defendant began sending the monthly mortgage statements to plaintiff’s counsel. In 2021, plaintiff sent a request for information to the defendant seeking a range of monthly billing statements, which the defendant allegedly only partially provided. Plaintiff’s attorney further claimed to have received an escrow review statement from the defendant referencing an escrow surplus check that the plaintiff also claimed not to have received. The plaintiff claimed violation of RESPA by pointing to the defendant’s alleged failure to adequately respond to his requests for statements or to provide the surplus check. The defendant moved for summary judgment, arguing that neither the facts nor the law supported the plaintiff’s claims.
The plaintiff eventually conceded that there is no private right of action under RESPA’s escrow payment regulation and withdrew the claim. The court also took issue with his claim that the defendant failed to adequately respond to his request for information. Even if the defendant failed to adequately respond, the plaintiff could not plead or prove actual damages, the court said. “Neither party disputes that RESPA requires plaintiffs to plead and prove actual damages from an alleged violation,” the court wrote. “Instead, they focus their arguments on the sufficiency of the alleged damages. [Defendant] alleges that [plaintiff] provides no evidence to demonstrate how he suffered damages from the fact that it provided only three of the fourteen requested monthly statements.” Plaintiff tried to argue he was owed monetary damages due to being deprived of the escrow surplus funds and by being unfairly assessed convenience fees when making payments through the defendant’s online portal. He further claimed he suffered medical and mental anguish. However, the court concluded that evidence presented by the defendant refuted these claims (the convenience fee claim, the court said, could not be connected to the RESPA claim) and said plaintiff also failed to support his claims of medical and mental anguish. Further, plaintiff failed to present evidence supporting his claim for statutory damages, the court said, finding no genuine dispute of material fact in the record.
District Court denies servicer’s claims that it never received QWR
The U.S. District Court for the Eastern District of Missouri recently considered whether a mortgage servicer received a borrower’s qualified written request (QWR) relating to a missed mortgage payment. The borrower sent a money order to cover two monthly mortgage payments, but the payments were not properly credited to her account. The borrower made several attempts to contact the mortgage servicer about the improperly credited payment. After receiving a formal notice of default, the borrower sent a “Request for Information and Notice of Error” (NOE) to the servicer explaining the situation and asking that her account be updated to reflect that all payments had been made and requesting the removal of late fees and charges. She also asked that her loan be removed from default status and sent letters to the credit reporting agencies formally disputing the delinquent payment reports. According to the court’s opinion, the borrower claimed that the servicer violated RESPA by failing to respond and violated the FCRA by failing to conduct a reasonable investigation into her credit disputes and verifying inaccurately furnished information.
In considering both parties’ motions for summary judgment, the court granted the borrower’s motion on liability with respect to her RESPA claim and denied the servicer’s motion for summary judgment on the FCRA claims on the basis that the borrower provided evidence of actual damages resulting from the servicer’s alleged FCRA violation. The court explained that RESPA requires mortgage servicers to respond to a QWR within five days to acknowledge receipt, and again within 30 days by either correcting the account, providing a written explanation as to why it believes the account is correct, or providing the information requested by the borrower or an explanation of why the information requested is unavailable. Failure to do so entitles a borrower to any actual damages suffered as result of the failure. Claiming the NOE was a QWR, the borrower presented evidence, including a certified mail receipt allegedly showing the NOE was signed for by one of the servicer’s representatives. The servicer countered that because it had no record of the correspondence, its RESPA duties were not triggered. The servicer further argued that the NOE did not qualify as a QWR because it failed to provide sufficient information for it to investigate or respond to the request, and that even if it was a QWR, the borrower had failed to show actual damages.
The court disagreed, determining (i) that the servicer failed to prove it did not receive the NOE, and (ii) that the NOE constituted a QWR. “The information in the letter alone is sufficient to qualify as a QWR,” the court wrote. “The letter quite specifically states the error [the borrower] believed to have occurred…. This is not an ‘overbroad’ and generalized statement of ‘bad servicing.’ It identifies an error specifically contemplated by RESPA’s regulations.” The court further added that “RESPA does not require that a lender’s violations be the sole cause of a borrower’s emotional distress. It merely requires that damages be causally related to a violation of the statute.” However, the court noted that the borrower still needs to prove at trial the extent of damages caused by the servicer's alleged violation.
District Court dismisses FTC’s privacy claims in geolocation action
On May 4, the U.S. District Court for the District of Ohio issued two separate rulings in a pair of related disputes between the FTC and a data broker. The disputes center around accusations made by the FTC last August that the data broker violated Section 5 of the FTC Act by unfairly selling precise geolocation data from hundreds of millions of mobile devices which can be used to trace individuals’ movements to and from sensitive locations (covered by InfoBytes here). The FTC sought a permanent injunction to stop the data broker’s practices, as well as additional relief. The data broker, upon learning that the FTC planned to filed a lawsuit against it, filed a preemptive lawsuit challenging the agency’s authority.
The court first dismissed the data broker’s preemptive bid to block the FTC’s enforcement action, ruling that the data broker has not identified any “viable cause of action” to support its request for injunctive relief. The court explained that injunctive relief is a “drastic remedy” that is only available if no other legal remedy is available. However, the data broker possesses an “adequate remedy at law,” the court said, “because it can seek dismissal of, and otherwise directly defend against, the FTC’s enforcement action.”
With respect to the FTC’s action, the court granted the data broker’s motion to dismiss the FTC’s complaint, but gave the agency leave to amend. The court agreed with the data broker that the FTC’s complaint lacks sufficient allegations to support its unfairness claim under Section 5 of the FTC Act. While the court disagreed with the data broker’s assertion that it did not have “fair notice that its sale of geolocation data without restrictions near sensitive locations could violate Section 5(a) of the FTC Act” or that the FTC had to allege a predicate violation of law or policy to state a claim, the court determined that the FTC failed to adequately allege that the data broker’s practices created “a ‘significant risk’ of concrete harm.” Moreover, the court found that “the purported privacy intrusion is not severe enough to constitute ‘substantial injury’ under Section 5(n).” The court noted, however that some of the deficiencies may be cured through additional factual allegations in an amended complaint.
Kansas enacts financial institutions information security act
On April 20, the Kansas governor signed SB 44 to enact the Kansas financial institutions information security act. The Act establishes information security standards for covered entities, and applies to credit service organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions. A covered entity will be required to develop, implement, and maintain a cybersecurity system to protect consumer information, and must ensure its information security program is maintained as part of its books and records in compliance with established record retention requirements. Additionally, the state bank commissioner is granted the authority to adopt “all rules and regulations necessary to govern and administer the [Act’s] provisions.” The commissioner is also given an assortment of enforcement tools to administer the Act, including: conducting routine examinations; investigating a covered entity’s operations; issuing subpoenas; assessing fines and civil penalties not to exceed $5,000 per violation, as well as investigation and enforcement costs; censuring registered or licensed covered entities; entering into memorandums of understanding or consent orders; revoking, suspending, or refusing to renew the registration or license of covered entities; issuing cease-and-desist orders; filing for injunctions; or issuing emergency orders to prevent harm to consumers. The Act takes effect July 1.