
InfoBytes Blog

Financial Services Law Insights and Observations


  • CISA releases new cybersecurity performance goals

    Privacy, Cyber Risk & Data Security

    Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released a new report outlining baseline cross-sector cybersecurity performance goals (CPGs) for all critical infrastructure sectors. The report follows a July 2021 national security memorandum issued by President Biden, which required CISA to coordinate with the National Institute of Standards and Technology (NIST) and the interagency community to create fundamental cybersecurity practices for critical infrastructure, primarily to help small- and medium-sized organizations improve their cybersecurity efforts. The CPGs were informed by existing cybersecurity frameworks and guidance, as well as real-world threats and adversary tactics, techniques, and procedures observed by the agency and its partners. CISA noted in the report that the CPGs are not comprehensive but instead “represent a minimum baseline of cybersecurity practices with known risk-reduction value broadly applicable across all sectors, and will be followed by sector-specific goals that dive deeper into the unique constraints, threats, and maturity of each sector where applicable.” Organizations may choose to voluntarily adopt the CPGs in conjunction with broader frameworks like the NIST Cybersecurity Framework. “The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques,” CISA said in its announcement.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance Federal Issues CISA NIST Biden Critical Infrastructure

  • District Court preliminarily approves data breach settlement

    Courts

    On October 24, the U.S. District Court for the District of Colorado granted preliminary approval of a class action settlement resolving claims that a defendant failed to safeguard personally identifiable information (PII) during a data breach. According to the plaintiffs’ unopposed motion for preliminary approval of class action settlement and supporting memorandum, in December 2021, the defendant determined that an unauthorized third party gained access to and gathered data from its computer network in June 2021. The plaintiffs further alleged that, “if [the defendant] ‘properly monitor[ed] … [its] computer network and systems that housed the … [PII],’ [the defendant] ‘would have discovered the intrusion sooner.’” Furthermore, the plaintiffs alleged that the defendant failed to provide “timely and adequate notice” to the plaintiff class, and filed claims for negligence, breach of implied contract, and invasion of privacy by intrusion. The settlement also includes a provision for the defendant to pay directly for credit monitoring and identity theft protection services, not limited by the $475,000 cap, along with about $51,000 for settlement administration costs. The plaintiffs would also be able to seek up to $210,000 for attorney fees and costs, and a total $5,000 for service awards to the named plaintiffs.

    Courts Privacy, Cyber Risk & Data Security Data Breach Class Action Settlement

  • District Court enters $228 million judgment in BIPA class action

    Courts

    On October 12, the U.S. District Court for the Northern District of Illinois entered a judgment for $228 million after a jury found that a defendant railway company committed 45,600 reckless or intentional violations of the Illinois Biometric Information Privacy Act (BIPA). The jury’s judgment, which does not include pre-judgment interest, was entered against the defendant in the amount of $228 million (BIPA provides for statutory damages of $5,000 for every willful or reckless violation and $1,000 for every negligent violation). Class members consisting of more than 44,000 truck drivers alleged in their second amended complaint that the defendant violated BIPA when it collected, captured, and stored their biometric identifiers and biometric information without obtaining their informed written consent or providing written disclosures explaining the purpose and duration of such use. The defendant countered that it should not be held liable for biometric data collection conducted on its behalf by a third-party contractor because BIPA does not impose liability for the acts of a third party. The court disagreed, ruling, among other things, that BIPA’s language “makes clear that [the defendant] need not have ‘collected’ the data itself to be liable,” and that there is evidence that the defendant “ultimately called the shots on whether and how biometric information is collected.” 

    Courts State Issues Privacy, Cyber Risk & Data Security BIPA Illinois Class Action

  • District Court rules in favor of debt collectors in FDCPA, FCRA dispute

    Courts

    On October 7, the U.S. District Court for the Eastern District of Pennsylvania granted defendants’ motion for summary judgment in an FDCPA, FCRA action. According to the opinion, the plaintiff took out a $20,000 loan but never made any payments on the loan. The charged off loan was assigned to the defendant debt purchaser, and a written notice was sent to the plaintiff who requested validation of the debt. The defendant loan servicer provided the account information to the plaintiff and later began furnishing the information to the consumer reporting agencies (CRAs). The plaintiff sued alleging the defendants violated sections 1681s-2(a) and 1681s-2(b) of the FCRA, as well as multiple sections of the FDCPA. Under section 1681s-2(b), a furnisher who has been notified by a CRA of a consumer dispute is required to conduct a reasonable investigation and follow certain procedures. The court noted, however, that these obligations are only triggered if the furnisher received such notice. In this instance, there is no record showing that any CRA reported the plaintiff’s dispute to the defendants, the court said, adding that, moreover, section 1681s-2(a) does not include a private right of action. With respect to the plaintiff’s FDCPA claims, the court determined that, among other things, (i) the plaintiff failed to provide evidence supporting the majority of his claims; (ii) section 1692g does not require the defendants to verify the plaintiff’s account by providing documentation bearing his signature or providing the contractual agreement governing the debt (in this instance, the defendant loan servicer met the minimal requirements by providing an account summary report); and (iii) that nothing in section 1692g requires a debt collector to respond to a dispute within 30 days—this timeframe only applies to when a debtor must dispute a debt, not to the debt collector’s period to provide verification, the court wrote.

    Courts Debt Collection FDCPA FCRA Consumer Finance Consumer Reporting Agency

  • Seven largest U.S. banks answer committee questions on overdraft fees and P2P fraud

    Federal Issues

    On September 22, the Senate Banking Committee held a hearing entitled “Annual Oversight of the Nation’s Largest Banks” where chief executive officers from the seven largest U.S. retail banks testified on bank activities related to topics including peer-to-peer (P2P) payment networks; mortgage practices; overdraft fees; forced arbitration; and environmental, social, and governance agendas. Among other things, senators pushed the CEOs to take more aggressive action to eliminate overdraft fees and compensate P2P payment fraud victims.

    • Overdraft fees. Democratic senators stressed that charges still fall too heavily on low-income and minority customers, with Senator Bob Menendez (D-NJ) saying that there is “no reasonable explanation to continue to charge overdraft fees on working families.” The CEOs discussed their respective efforts to relax overdraft policies to reduce fees, with one CEO noting that “there are a lot of occasions where if [overdraft protection] is not used, [customers] would be charged a higher fee on the other side.” These fees, he noted, “can often reduce the cost on the other side and stop them from going to payday lenders.” Another CEO added that he believes “giving people a choice and letting them opt in or out is the proper thing to do.” One bank CEO noted that his bank offers two accounts with no fees and provides customers the opportunity to choose in the moment if they want to return or pay for an item.
    • P2P platforms. Senators Sherrod Brown (D-OH) and Elizabeth Warren (D-MA) asked the CEOs if they would give customers their money back if they are defrauded on a certain P2P platform and complain to the bank. The CEOs emphasized that their banks currently reimburse customers for fraud and “unauthorized transactions” and are taking measures to reduce the incidence of fraud, including educating consumers on how to detect scams. “There’s a tremendous amount that we can do as owners of the network to drive down the ability for thieves to take advantage of the network,” one CEO said when asked if banks believe it is their responsibility to make a consumer whole again. “That is what we're working on. That’s what we have to do.” Another CEO pointed out that other P2P platforms have “15 times the number of disputes” coming into the bank than the highlighted platform. One CEO also stressed that banks need to work through partnerships with law enforcement and regulatory agencies “to actually catch the criminals who are perpetuating this fraud against our customers.”

    The previous day, the same CEOs discussed similar topics during the House Financial Services Committee’s hearing entitled “Holding Megabanks Accountable: Oversight of America’s Largest Consumer Facing Banks.” Several proposed bills containing provisions that would impact the banks if enacted were also discussed, including those that would (i) improve dispute procedures and disclosures related to reinvestigations of consumer reports (see H.R. 4120); (ii) amend and modernize bank merger laws (see H.R. 5419); and (iii) amend Community Reinvestment Act provisions to improve the assessment process for financial institutions (see H.R. 8833).

    During the hearing (see committee memorandum here), committee members questioned the CEOs on a broad range of topics related to consumer protection compliance, enforcement, diversity initiatives, capital standards, emerging technologies and cybersecurity, merchant category codes for firearm purchases, and banking deserts. The CEOs addressed ways their banks have engaged in “responsible growth” and spoke on measures they have taken to bolster customer relations, including modifying overdraft practices. They also noted they are working on improving data protection and cybersecurity. In discussing P2P digital payment services, one CEO emphasized that “scams are growing daily” and regulators and legislators need to respond. He added that “[i]t’s not enough that we apportion blame after the fact. We need to stop fraud and scams before they occur. Secure [P2P] networks, real-time payments, and potentially FedNow allow for direct authentication with a host bank. They also allow members of the network to identify [] and police against scam accounts. This is not the case with nonbank networks. These networks are not held to the same security standards as banks.” He stated that banks “have zero visibility into where the money went, zero capability to recover the money, and zero capability to close the bad account.”

    Federal Issues House Financial Services Committee Senate Banking Committee Consumer Finance Overdraft Peer-to-Peer

  • District Court rules in favor of FHFA on shareholders’ net worth sweep claims

    Courts

    On September 23, the U.S. District Court for the District of Columbia partially granted FHFA’s motion for summary judgment resolving claims brought by Fannie Mae and Freddie Mac (GSEs) shareholders in a lawsuit alleging the government exceeded its authority when it adjusted its Senior Preferred Stock Purchase Agreements (PSPAs) to allow net worth sweeps. The plaintiff shareholders claimed that FHFA acted outside its statutory authority when it adopted a third amendment to the PSPAs, which replaced a fixed-rate dividend formula with a variable one calculated on a quarterly basis (known as the “net worth sweep”). These sweeps, the plaintiffs contended, harmed their future dividend prospects. FHFA disagreed, arguing that the U.S. Supreme Court had already held in Collins v. Yellen (covered by InfoBytes here) that “the Third Amendment [to the PSPAs] was both authorized and a reasonable exercise of FHFA’s broad statutory power” and that “it is time to end this case.” With respect to the plaintiffs’ “remaining claim for breach of the implied covenant of good faith and fair dealing arising under Delaware and Virginia law,” the agency contended that the “Supreme Court unanimously held in Collins that FHFA—exercising its ‘expansive authority in its role as a conservator’—‘reasonably viewed [the Third Amendment] as more certain to ensure market stability’ than ‘the shareholders’ suggested strategy.’ … This holding alone forecloses Plaintiffs’ implied covenant claim.”

    Following several years of litigation, the court granted FHFA’s motion for summary judgment “insofar as no genuine dispute remains on the fact of harm on the theory that plaintiffs were denied dividends that they otherwise were reasonably certain to receive, and insofar as plaintiffs’ proposed alternative remedy of rescission and restitution is barred as a matter of law.” However, the court denied the motion “insofar as a genuine dispute of material fact remains on the fact of harm on the theory that plaintiffs’ shares lost much of their value, and in all other respects.” A memorandum opinion was filed under seal as it referenced documents filed under seal by the parties.

    Courts FHFA Net Worth Sweep Fannie Mae Freddie Mac U.S. Supreme Court

  • District Court criticizes CFPB’s cost-benefit analysis in HMDA change

    Courts

    On September 23, the U.S. District Court for the District of Columbia granted partial summary judgment to a group of consumer fair housing associations (collectively, “plaintiffs”) that challenged changes made in 2020 that permanently raised coverage thresholds for collecting and reporting data about closed-end mortgage loans and open-end lines of credit under HMDA. As previously covered by InfoBytes, the 2020 Rule, which amended Regulation C, permanently increased the reporting threshold from the origination of at least 25 closed-end mortgage loans in each of the two preceding calendar years to 100, and permanently increased the threshold for collecting and reporting data about open-end lines of credit from the origination of 100 lines of credit in each of the two preceding calendar years to 200. The plaintiffs sued the CFPB in 2020, arguing, among other things, that the final rule “exempts about 40 percent of depository institutions that were previously required to report” and undermines HMDA’s purpose by allowing potential violations of fair lending laws to go undetected. (Covered by InfoBytes here.) The plaintiffs also claimed that the agency’s cost-benefit analysis underlying the 2020 Rule was “flawed because the Bureau exaggerated the ‘benefits’ of increasing the loan-volume reporting thresholds by failing to adequately account for comments suggesting that the savings would be much smaller than estimated, and by relying on overinflated estimates of cost savings to newly-exempted lending institutions with smaller loan volumes.” The plaintiffs asked that the 2020 Rule be vacated and set aside on the grounds that the Bureau acted outside of its statutory authority in issuing the 2020 Rule and violated the Administrative Procedure Act. The Bureau countered that issuing the 2020 Rule was within its scope of authority because HMDA’s text “does not unambiguously foreclose” the agency’s interpretation of the statute.

    The court first determined that promulgation of the 2020 Rule did not exceed the Bureau’s statutory authority because “HMDA grants broad discretion ‘in the judgment of the’ agency to create ‘exceptions’ to the statutory reporting requirements…” “[E]ven a regulation relieving roughly forty percent of institutions from data collection and reporting requirements is an exception to the ‘rule’ of disclosure, which continues to apply to the majority of institutions,” the court wrote, adding that the 2020 Rule preserves the reporting requirements, “as compared to the 2015 Rule, for most institutions, the vast majority of loans, and the vast majority of communities.”

    However, the court agreed with the plaintiffs that the cost-benefit analysis for the 2020 Rule’s increased reporting threshold for closed-end mortgage loans was arbitrary and capricious. The court expressed criticism of the cost-benefit analysis used by the Bureau to justify setting the minimum number of closed-end loans in each of the two preceding calendar years at 100, and found that the Bureau failed to adequately explain or support its rationales for revising and adopting the closed-end reporting thresholds under the 2020 Rule. The Bureau “conceded the new rule would cause identifiable harms to the public, but effectively threw up its proverbial hands, citing an inability to incorporate these harms into its analysis as quantifiable ‘costs,’ and moved on to the next topic of discussion,” the court said.

    The Bureau “exaggerated the savings to ‘covered persons’ under the new rule, and did not engage appropriately with the nonquantifiable ‘harms’ of the 2020 Rule, and the disparate impact of those harms on the traditionally underserved populations HMDA is intended to protect, even as it conceded the revised threshold would certainly result in some harm to consumers,” the court said, questioning the Bureau’s analysis of disparate impacts on rural and low-to-moderate-income communities. The court determined that the plaintiffs identified several flaws in the Bureau’s cost-benefit analysis supporting the increased closed-end mortgage loan threshold, thus rendering this aspect of the 2020 Rule “arbitrary, capricious and requiring vacatur.” The court asked the Bureau for a “more reasoned explanation as to whether and how the cost-benefit analysis accounted for the ongoing need to collect data on home mortgages pursuant to other statutory requirements and underwriting purposes, and why, when a lender must collect and report multiple data points for each mortgage and loan application, the marginal cost of collecting the additional, HMDA-specific data points is so significant that the increased reporting threshold of the 2020 Rule renders unique cost savings.”

    Courts HMDA Mortgages CFPB Fair Lending Administrative Procedure Act Regulation C

  • District Court grants partial summary judgment to debt collector in credit reporting and debt collection action

    Courts

    On September 21, the U.S. District Court for the District of Maryland partially granted a defendant debt collector’s motion for summary judgment in a credit reporting and debt collection action. The plaintiff disputed debt related to two electric bills for two different residences that were eventually combined into one account. After the plaintiff informed the electric company that she would not be paying the bill, the debt was eventually referred for collection to the defendant. The plaintiff disputed the debt, and the defendant conducted an investigation. The plaintiff continued to contend that the defendant was certifying the debt without proof and claimed the defendant’s agents called her a liar and incorrectly asserted that she had not made payments. The defendant argued that it was entitled to summary judgment on the plaintiff’s FCRA and FDCPA claims, contending, among other things, that FCRA 1681e(b) “expressly applies to [credit reporting agencies] and not to furnishers.”

    The court first reviewed the plaintiff’s FCRA claims as to whether the defendant conducted a reasonable investigation. The court stated that the plaintiff bore the burden to establish whether the defendant failed to conduct a reasonable investigation, and noted that because she failed to provide certain evidence to the defendant “there is no genuine dispute that the investigation conducted by [defendant] was not unreasonable” or that the defendant reported accurate information to the CRAs about the debt. With respect to some of the FDCPA claims, the court denied the defendant summary judgment on the basis that the plaintiff created a genuine dispute about whether the defendant violated § 1692d (the provision prohibiting a debt collector from engaging in harassment or abuse). According to the opinion, evidence suggests that the defendant’s agents incorrectly informed the plaintiff that she had never made a payment on one of the accounts, called her a liar when she protested this information, and used a “demeaning tone” in their communications. “[A] reasonable jury could conclude that the language would have the natural consequence of abusing a consumer relatively more susceptible to harassment, oppression, or abuse,” the court wrote.

    Additionally, the court ruled on Maryland state law claims introduced in the plaintiff’s opposition to summary judgment. The court ruled against her Maryland Consumer Debt Collection Act claim regarding the alleged use of abusive language, writing that the agents were not “grossly abusive” and that the plaintiff failed to generate a genuine dispute on this issue. Nor did the plaintiff show a genuine dispute as to whether the debt was inaccurate or that the defendant knew the debt was invalid. The court also entered summary judgment in favor of the defendant on the plaintiff’s Maryland Consumer Protection Act and Maryland Collection Agency Licensing Act claims.

    Courts FCRA FDCPA Consumer Finance State Issues Maryland Debt Collection Credit Report

  • Treasury applauds deferral of Ukrainian debt payments through 2023

    Financial Crimes

    On September 14, U.S. Treasury Secretary Janet Yellen announced that the Group of Creditors of Ukraine, which includes the U.S., concluded a Memorandum of Understanding to implement Ukraine’s request for a coordinated suspension of debt service through the end of 2023. According to Yellen, easing liquidity pressures will allow the Ukrainian government to direct additional spending towards its domestic needs and the welfare of its people. Yellen urged other official bilateral creditors, including private creditors, to support Ukraine as it defends itself from Russia’s invasion. The Group of Creditors of Ukraine issued a statement applauding measures taken by the Ukrainian government to address the economic and financial consequences of the war, and welcoming the conclusion of an agreement with bondholders and warrantholders to defer debt payments for two years.

    Financial Crimes Department of Treasury Of Interest to Non-US Persons Ukraine Ukraine Invasion

  • District Court grants final approval in BIPA class action

    Courts

    On September 1, the U.S. District Court for the Northern District of Illinois granted final approval of a $6.8 million class action settlement in a biometric privacy data suit. According to the plaintiff’s memorandum of law in support of her unopposed motion for final approval of the settlement, the plaintiff alleged that the defendant violated Illinois law by collecting fingerprint scan data from Illinois users of vending machine systems without written notice and consent. According to the settlement, class members include all individuals who scanned their finger(s) in one or more of defendants’ vending systems in Illinois between August 23, 2014 and November 2021, which totals approximately 63,450 individuals. Each class member will receive approximately $413, and the settlement includes roughly $2.2 million in attorney fees for class counsel.

    Courts Privacy, Cyber Risk & Data Security State Issues Illinois BIPA Class Action Settlement
