InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
2nd Circuit: CFPB funding is constitutional
On March 23, the U.S. Court of Appeals for the Second Circuit held that the CFPB’s funding structure is constitutional—splitting from the U.S. Court of Appeals for the Fifth Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, which concluded that Congress violated the Constitution’s Appropriations Clause when it created what that Court described as a “perpetual self-directed, double-insulated funding structure.” The U.S. Supreme Court is scheduled to review the 5th Circuit’s decision next term (covered by InfoBytes here).
Meanwhile, the 2nd Circuit concluded that it “cannot find any support” for the 5th Circuit’s determination in Supreme Court precedent, the text of the Constitution text, or in the history of the Appropriations Clause. “Because the CFPB’s funding structure was authorized by Congress and bound by specific statutory provisions, we find that the CFPB’s funding structure does not offend the Appropriations Clause,” the 2nd Circuit wrote. As such, the appellate court affirmed a 2020 district court order requiring the defendant debt collection law office to comply with a civil investigative demand issued by the Bureau in June 2017. As previously covered by InfoBytes, the CID requested information from the defendant as part of a Bureau investigation into whether debt collectors, furnishers, or other persons associated with the collection of debt and furnishing of information have engaged or are engaging in unfair, deceptive, or abusive acts or practices in violation of the CFPA, FDCPA, and FCRA. The defendant objected on several grounds, including that the CID was void ab initio under Seila Law LLC v. CFPB (the defendant contended that “the CFPB Director was shielded from presidential oversight by an unconstitutional removal provision at the time the CID was issued”), and that the Bureau is unconstitutionally funded. As noted in the opinion, the Bureau ratified the CID and the enforcement action against the defendant following the Supreme Court’s decision in Seila Law, and the district court ultimately granted the Bureau’s petition to enforce the CID.
On review, the 2nd Circuit affirmed the district court’s order, concluding that the CID was not void ab initio because “there is no dispute that the CFPB Director who issued the CID was properly appointed.” The appellate court pointed to the majority opinion in the Supreme Court’s decision in Collins v. Yellen (covered by InfoBytes here), which held that “‘an unconstitutional removal restriction does not invalidate agency action so long as the agency head was properly appointed[,]’” and therefore the Bureau’s actions are not void and do not need to be ratified, unless a plaintiff can show that “the agency action would not have been taken but for the President’s inability to remove the agency head.” The panel further noted that “[s]ince the CID was issued, there have been three different CFPB Directors appointed by two different presidents, each of whom has been subject to at-will removal at some point in their tenure. There is nothing to suggest that the Director’s removal protection affected the issuance of the CID or the investigation into [the defendant].” The 2nd Circuit further concluded that “the CFPB’s funding structure is not constitutionally infirm under either the Appropriations Clause or the nondelegation doctrine, and that the CID served on [the defendant] is not an unduly burdensome administrative subpoena.”
North Dakota amends mortgage licensing requirements
On March 13, the North Dakota governor signed SB 2090, which, among other things, revises licensing requirements for residential mortgage lenders. The act provides that “a person other than a residential mortgage lender licensed and authorized under this chapter may not engage in residential mortgage lending in the state without a residential mortgage lender license issued by the commissioner. A person engages in residential mortgage lending if the borrower resides in North Dakota.” The act outlines provisions related to application for licensure; licensing fees; surety bond and minimum net worth requirements; license renewal, expiration, revocation, suspension, and surrender; recordkeeping requirements; prohibited acts and practices; prohibitions on advance fees; and permitted maximum charges for loans and installment payments. Provisions relating to orders, injunctions, investigations, subpoenas, examinations, and penalties are also discussed. The act also provides a comprehensive list of exemptions.
The act stipulates that lenders in possession of a valid state money broker’s license as of August 1, are not required to obtain a residential mortgage lenders license until December 31. All other provisions of this chapter are applicable to residential mortgage lenders as of August 1.
CSBS seeks comments on uniform mortgage licensing standards
On March 16, the Conference of State Bank Supervisors (CSBS), on behalf of the NMLS Policy Committee, issued a request for public comments on proposed uniform state licensing standards for mortgage companies. The Proposal: Mortgage Business-Specific Requirements would create a national standard for mortgage industry licensing to help improve uniformity within the state system and streamline the licensing process for mortgagees seeking licensure in multiple states.
The proposal is broken down into eight components:
- Contacts. All licensees will be required to provide contacts within the company for accounting, legal, licensing, data breach/cybersecurity, exam billing, exam delivery, and mortgage call reports, in addition to a primary company contact and a primary consumer complaint contact. If a licensee chooses to list a third-party contact, “the company will be deemed to have expressly authorized a state agency to contact the third party without further approval from the company” and “the company is ultimately responsible for the area of responsibility.”
- Periodic reporting. All licensees will be required to complete periodic reports covering mortgage call reports, audited financial statements, and reportable incidents.
- Data requirements. All licensees will be required to “provide numbers for any approvals or designations the company holds[,]” as well as business bank account information for accounts held in the name of the applicant and used for mortgage activities.
- Document requirements. Required documentation includes financial statements; policies and certifications; current Bank Secrecy Act/anti-money laundering and Gramm-Leach Bliley Privacy Act policies; current disaster recovery or business continuity plans; a current consumer grievance/complaint policy (as well as the required certification); and documents used in the regular course of business such as operating agreements, consumer complaint notices, customer agreements, and third-party contracts.
- Required functionality. All licensees must abide by a three-party electronic surety bond agreement in order to guarantee “the surety’s performance or monetary compensation to the obligee should there be a failure by the principal to perform specified acts within a stated time period.” The surety bond will be electronically managed by NMLS.
- Location reporting. All licenses will be required to provide locations where licensed activity will be performed, where records will be stored, or where support staff for licensed activities will be located. Licensees must also provide the primary location for accounting services, regardless of whether they are provided in house or by a third-party accounting firm, cloud storage services (including services used to collect data from customers), and the primary location for legal services, regardless of whether they are provided in house or by a third-party law firm.
- Company operated work locations’ information. The proposal outlines information required for each company operated work location, including business activities, licensing authorities, addresses, books and records information, and “doing business as” names.
- Key individual requirements. Licensees will be required to identify key individuals in the areas of management, ownership, functional risk areas, and industry specific roles. The proposal explains that the key individual inquiry focuses on key risk and functional areas (operations, finance, compliance, and information security), rather than titles. Key individuals for mortgages must also submit credit reports and complete an FBI criminal background check. Key individuals who have lived outside the United States at any time in the past 10 years must also provide an investigative background report.
Comments on the proposal are due May 15.
North Dakota passes law on money transmitter licensure
On March 15, the North Dakota governor signed SB 2119, which revises provisions related to money transmitters. The act, among other things, provides that a “person may not engage in the business of money transmission or advertise, solicit, or hold itself out as providing money transmission unless the person is licensed under this chapter.” The provision does not apply to a “person that is an authorized delegate of a person licensed under this chapter acting within the scope of authority conferred by a written contract with the licensee” or to exempt persons provided the person “does not engage in money transmission outside the scope of the exemption.” The act outlines provisions related to consistent state licensure, application for licensure, information requirements for certain individuals, reporting and recordkeeping requirements (including those related to anti-money laundering), and bond requirements. Provisions relating to examinations, investigations, and licensee supervision, as well as unauthorized activities are also discussed. The act also provides a comprehensive list of exemptions.
The act is effective August 1. For current licensees, the provisions take effect upon license renewal but no later than December 31.
DFPI clarifies licensing provisions for several state laws
The California Department of Financial Protection and Innovation (DFPI) recently filed a notice of proposed rulemaking with the Office of Administrative Law, seeking to add several sections to Title 10, Chapter 3 of the California Code of Regulations relating to the California Consumer Financial Protection Law (CCFPL), the California Financing Law (CFL), the California Deferred Deposit Transaction Law (CDDTL), and the California Student Loan Servicing Act (SLSA). (See also DFPI initial state of reasons here.) Among other things, the proposed regulations provide specific registration requirements for covered persons under the CCFPL and outline requirements for exemption from registration under the CCFPL for licensees under the CFL, CDDTL, and SLSA.
According to DFPI’s notice, the CCFPL grants the Department authority to require covered persons engaged in the business of offering and providing a consumer financial product or service to be registered but does not specify requirements for registration. The proposed regulations clarify these requirements, which include establishing an application process, outlining fees, and specifying persons and conditions for exemption. The proposed regulations also establish annual reporting requirements for filing reports with DFPI. The Department explained that “[e]xisting law exempts from CCFPL registration certain licensees who provide consumer financial products or services ‘within the scope of’ their licenses issued under other Department laws.” The proposed regulations clarify the meaning of “within the scope of” and specify that licensees under the CFL and the CDDTL are exempt from registering under the CCFPL. “[E]xempt licensees who provide products or services that would otherwise be subject to registration under the CCFPL [are required] to submit supplemental information on these activities in their annual reports required under their license,” DFPI explained.
With respect to the SLSA, DFPI noted that “[a]lthough an SLSA license does not confer upon a licensee the authority to originate financing within the scope of their license, the regulations exempt SLSA licensees from registration requirements for education financing when they meet specified requirements.”
The proposed regulations also clarify the applicability of the CFL to certain activities, by, among other things, providing that “an advance of funds to be repaid from a consumer’s future earned or unearned pay is a loan subject to the CFL” and that “providers of income-based advances and education financing who are registered under the CCFPL and whose charges do not exceed the charges permitted under the CFL” are exempt from licensure under the CFL. The proposed regulations also clarify provisions relating to collecting loan payments, monthly subscription fees, and loan contracts.
Comments on the proposed regulations are due May 17.
OFAC continues to sanction Iran’s UAV procurement network
On March 21, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions in coordination with the FBI against four entities and three individuals in Iran and Turkey accused of supporting Iran’s unmanned aerial vehicle (UAV) procurement efforts. The sanctions, taken pursuant to Executive Order (E.O.) 13382, follow the recent designation of a China-based network, as well as several prior OFAC actions targeting Iran’s UAV manufacturers and their executives (covered by InfoBytes here). According to OFAC, the procurement network operates on behalf of Iran’s Ministry of Defense and Armed Forces Logistic, which was sanctioned by OFAC in 2007 “for having engaged, or attempted to engage, in activities or transactions that have materially contributed to, or pose a risk of materially contributing to, the proliferation of weapons of mass destruction or their means of delivery.”
As a result of the sanctions, all property interests belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property interests of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today pursuant to E.O. 13382 could be subject to U.S. sanctions.”
Colorado finalizes privacy rules
On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by the attorney general’s office. (See redline version of the final rules showing changes made to address concerns raised through public comments here.) As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. In addition to promulgating rules to carry out the requirements of the CPA, the attorney general has authority to issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. Colorado is one of several states that have enacted comprehensive privacy laws that take effect in 2023, joining California, Connecticut, Utah, and Virginia. (Covered by InfoBytes here, here, here, and here.) The final rules will be published in the Colorado Register in March and will go into effect July 1.
Real estate brokerage firm settles claims of discriminatory practices
On March 15, the New York attorney general announced a settlement with a real estate brokerage firm to resolve claims that it allegedly discriminated against Black, Hispanic, and other homebuyers of color on Long Island. According to the announcement, the Office of the Attorney General commenced investigations into several brokerage firms, in which it found that agents employed by the brokerage firm at issue violated the Fair Housing Act and New York state law when they allegedly “subjected prospective homebuyers of color to different requirements than white homebuyers, directed homebuyers of color to homes in neighborhoods where residents predominantly belonged to communities of color, and otherwise engaged in biased behavior.” In certain instances, agents allegedly disparaged neighborhoods of color and “warned white potential homebuyers about the diverse racial makeup of the neighborhood but did not share the same comments with Black and Hispanic potential homebuyers.”
Under the terms of the assurance of discontinuance, the brokerage firm agreed to stop the alleged conduct, will offer comprehensive fair housing training to all agents, and will provide a discrimination complaint form on its website. The brokerage firm will also pay $20,000 in penalties and $10,000 to Suffolk County to promote enforcement and compliance with fair housing laws. This is the fourth action taken by the AG’s office against real estate brokerage firms in the state. As previously covered by InfoBytes, last August three Long Island real estate brokerage firms entered settlements to resolve claims of discriminatory practices.
9th Circuit: Law firm did not violate FCRA by accessing credit report
On March 17, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s grant of summary judgment in favor of a defendant law firm that allegedly accessed a plaintiff’s credit report to obtain her current address after it was hired to collect unpaid homeowner association (HOA) assessments. The plaintiff filed a class action lawsuit claiming, among other things, that the defendant violated the FCRA by accessing her credit report without her consent and that neither the HOA nor the defendant are creditors within the meaning of the FCRA. The district court disagreed, concluding that the HOA was in fact a creditor for purposes of the FCRA. “Under the [a]greement, the HOA determines the assessment amount for a full year and then makes it payable in installments over the course of the year. Thus, it regularly extends credit,” the district court wrote, explaining that because the HOA is a creditor, its attorneys, in collecting on the account, have the right to review a consumer’s credit report without consent. Moreover, the district court determined that the defendant had established the requisite “direct link” between the credit transaction and its request for the plaintiff’s credit report.
The 9th Circuit concluded that the “[d]efendant’s reading of the statute was not objectively unreasonable” because the plaintiff “had a grace period during which she could receive half a month’s services that she had not yet paid for,” which “could be considered an extension of credit.” While concurring with the panel, one of the judges commented, however, that “[i]t is hard to imagine that Congress intended FCRA, a statute that protects consumer privacy, to empower HOAs composed of neighboring homeowners to run their neighbors’ credit reports if homeowners fall two weeks behind in their payments.” The judge recommended that the appellate court “revisit the issue,” noting that it is unclear under current case law whether an HOA assessment qualifies as a “credit transaction” under the FCRA.
OCC releases enforcement actions
On March 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against a New York-based bank for allegedly engaging in unsafe or unsound practices related to its information technology security and controls, as well as its information technology risk governance and board of director/management oversight of its corporate risk governance processes. The OCC also found alleged deficiencies (including unsafe or unsound practices) in the bank’s Bank Secrecy Act (BSA)/anti-money laundering risk management controls in the following areas: “internal controls, BSA officer, customer identification program, customer due diligence, enhanced due diligence, [] beneficial ownership,” and suspicious activity monitoring and reporting. The order requires the bank to, among other things, maintain a compliance committee, develop a corporate governance program to ensure appropriate board oversight, establish a written strategic plan and conduct an internal audit to assess the sufficiency of the bank’s internal controls program, implement information technology governance and security programs, and adopt an automated clearing house risk management program. The bank is also required to appoint a BSA officer to ensure adherence to the bank’s BSA/AML internal controls, conduct a suspicious activity review lookback, implement a customer information program that is reasonably designed to identify and verify beneficial owners of legal entity customers, and develop and adopt a BSA/AML model risk management process.