InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC releases July enforcement actions, including breaches of fiduciary duty and FDPA violations
On August 25, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in July. The 10 orders include “two orders that combined a prohibition order and order to pay CMP; one combined personal consent order and order to pay CMP; four prohibition orders; one order modifying a prohibition order; one order of termination of deposit insurance; and one order to pay CMP for pattern or practice violations of the Flood Disaster Protection Act.” The FDIC assessed a civil money penalty against a North Dakota-based bank for alleged violations of the Flood Disaster Protection Act and the National Flood Insurance Act including providing or extending loans secured by a building or mobile home situated in or intended for placement within an area with a recognized risk of flooding, without promptly notifying the borrower and/or the servicer about the availability of flood insurance for the asset.
Warren urges Fed to finalize capital requirements for large banks
On August 29, Senator Elizabeth Warren (D-MA) sent a letter to the Fed regarding its recent notice of proposed rulemaking, urging them to “finalize the rules as quickly as possible.” In July, the Fed announced amendments to the regulatory capital requirements for large banking organizations that would implement the final components of the Basel III agreement (previously covered by InfoBytes here). Warren noted that she is concerned about the Fed’s intent to seek potential modifications as it could result in weakening the proposed rule. Warren also warned that big bank lobbyists has been “engaging in a full-court press to fend off higher capital requirements” before the release of the proposed rule, and that big banks lobbying expenditures were up 20 percent compared to the same period of time in the previous year, indicating a “clear effort to fend off stronger rules” following recent bank failures. The senator finally noted that the capital bank requirements are a threat to bank’s “massive payouts for executives and shareholders.”
DOJ, Oklahoma bank agree to consent order over redlining
On August 28, the DOJ announced a settlement agreement to resolve allegations of redlining by an Oklahoma-based bank. According to the complaint, defendant allegedly engaged in redlining by refraining from providing home loans and other mortgage-related services, and also engaged in biased behavior, to deter individuals residing in or seeking credit within predominantly Black and Hispanic neighborhoods in Tulsa from pursuing mortgage opportunities. According to the proposed consent order, without admitting or denying the allegations, defendant agreed to (i) invest $1.15 million to increase credit opportunities in neighborhoods of color; (ii) invest at least $950,000 in a loan subsidy fund for predominantly Black and Hispanic neighborhoods in Tulsa; (iii) invest $100,000 for advertising, outreach and consumer education; (iv) invest $100,000 for community partnerships to improve access to residential mortgage credit services; (v) “open a new community-oriented loan production office in the historically Black area of Tulsa”; and (vi) assign at least two mortgage loan officers to solicit mortgage applications in predominantly Black and Hispanic neighborhoods in Tulsa, among other things.
The DOJ press release makes reference to the 1921 Tulsa Race Massacre. The bank's press release announcing the settlement responded by stating that “[a]s Oklahomans, we carry a profound sense of sorrow for the tragic events of the Tulsa Race Massacre over a century ago. It is with deep concern that we note the Justice Department’s decision to reference this distressing historical event in its complaint against our bank, established a mere 25 years ago.”
Fed issues enforcement action against state bank and its holding company
On August 17, the Fed announced an enforcement action against a state bank and its holding company for failing to comply with conditions imposed during the approval process for the bank to become a member of the Federal Reserve System and subsequent application for acquisition. Namely, the order provides that, among other conditions and limitations, the bank was required to provide advance notice of any change in its business plan, and was found to have changed the business plan without the requisite prior written approval. As part of the order, the bank will wind down its operations as part of a purchase agreement where it will sell its assets to a third-party bank and it will ensure the conservation of capital, preservation of cash assets, and will limit its business activities to only those necessary to consummate the purchase agreement.
SEC charges fintech investment adviser for misleading advertising
On August 21, the SEC announced charges against a New York-based fintech investment adviser for using hypothetical performance metrics in misleading advertisements, compliance failures that led to misleading disclosures, and failure to adopt policies concerning crypto asset trading by employees, among other things. These charges mark the first violation of the SEC’s amended marketing rule.
According to the order, the fintech investment adviser made misleading statements on its website by failing to include material information, and without having adopted and implemented required policies and procedures under the SEC’s marketing rule. The SEC also found that the company made conflicting disclosures regarding crypto assets custody and failed to adopt policies related to employee personal trading in crypto assets.
The company consented to the order finding that it violated the Advisers Act and without admitting or denying the SEC’s findings, entered into a cease-and-desist order, a censure, and agreed to pay $192,454 in disgorgement, prejudgment interest and an $850,000 civil penalty that will be distributed to affected clients.
NIST updates its Cybersecurity Framework
The National Institute of Standards and Technology (NIST) recently unveiled a proposed update to its Cybersecurity Framework, which was originally developed to provide information security guidelines for “critical infrastructure” like banking and energy industries. (Covered by InfoBytes here). The update includes a new, sixth pillar called “govern” that provides categories to facilitate executive oversight; manage enterprise risk (including supply chain risk); and effective alignment of enterprise resources, strategies, and risk, emphasizing that “cybersecurity is a major source of enterprise risk and a consideration for senior leadership.” This pillar will also guide organizations’ leadership in making internal decisions to support its cybersecurity strategy. The framework draft also updated its implementation guidance, especially for creating profiles that tailor guidance for certain situations. Additionally, NIST included implementation examples that are particularly beneficial for smaller firms. The framework’s lead developer, Cherilyn Pascoe, mentioned the framework has proven useful across many different sectors like small businesses and foreign governments, therefore it was updated to be a useful tool to sectors, regardless of type or size, outside of those designated as critical. A major goal of the updated version of the framework is to show organizations how to leverage existing technology frameworks, standards, and guidelines to implement NIST’s framework. Furthermore, the framework title changed from “Framework for Improving Critical Infrastructure Cybersecurity” to “The Cybersecurity Framework” to reflect its expanded inclusivity and wide adoption.
Public comments must be received by November 4.
DFPI finalizes small business UDAAP and data reporting rule
DFPI recently approved the final regulation for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. After considering comments and releasing three rounds of modifications to Sections 1060, 1061, and 1062, the final regulation will, among other things, bring protections to small businesses seeking loans, by (i) defining and prohibiting unfair, deceptive, and abusive acts and practices in the offering or provision of commercial financing to small businesses, nonprofits, and family farms; and (ii) establishing data collection and reporting requirements.
Previous InfoBytes coverage on the (i) initial modifications to the CCFPL proposed regulation can be found here; (ii) the second round of CCFPL modifications proposal is found here; and (iii) the third iteration of the modified CCFPL proposal is located here.
This DFPI regulation was notably finalized on the heels of the CFPB’s finalized Section 1071 rule on small business lending data, which similarly will require financial institutions to collect and provide the Bureau data on lending to small businesses (covered by InfoBytes here)
Sections 1060, 1061, and 1062 will be effective on October 1.
District Court denied motion to dismiss CFPA and FDCPA claims against debt buyers
On August 22, the U.S. District Court for the Western District of New York refused to dismiss CFPA and FDCPA claims brought by the CFPB that alleged violations related to misrepresentations made to debtors by debt collectors. The CFPB’s complaint alleged that defendants purchased defaulted consumer debt and then placed it for collection with, or sold it to, a network of debt collectors who consistently violated consumer protection laws by making false statements to debtors. These false statements included informing consumers that (i) they would be sued for failing to pay the debts; (ii) that their credit score would be impacted by paying or not paying the debt; and (iii) that they could face criminal charges for failing to pay the debt. The complaint additionally alleged that defendants were aware of the allegedly unlawful acts by the debt collectors they used through monitoring of the debt collectors and consumer complaints made to defendants.
The CFPB’s complaint alleged violations against a variety of corporate entities responsible for the alleged debt collection practices, as well as individual executives at those entities. Defendants moved to dismiss the complaint on several grounds. The defendants argued that they are not “covered persons” under the CFPA, because they do not actually collect debts themselves. The district court held that the defendants were “covered persons” under the CFPA since they were engaged in the collection of consumer debt, writing that it would “strain ordinary understanding to say that a company is not engaged in collecting debt when it purchases defaulted debt, places that debt with other companies for collection, and then receives some of the money recovered by those debt collectors.” Similarly, the defendants argued that they are not “debt collectors” under the FDCPA. The court also rejected this argument, reasoning that defendants’ principal purpose was debt collection making them a “debt collector” for FDCPA purposes, because they purchased portfolios of debts and derived most of their revenue from collecting those debts.
The district court also rejected defendants’ arguments that they could not be held vicariously liable for the conduct of the third-party debt collectors under the CFPA or FDCPA, reasoning that parties can be found vicariously liable for the acts of their agents under both statutes. The court held that because the CFPB’s complaint alleged that the defendants exercised authority over the debt collectors, vicarious liability for the violations by the debt collectors was appropriate.
The district court further held that the complaint adequately alleged violations of the CFPA by the individual defendants. The court held that the individual defendants enabled violations of the CFPA, relying on the fact that the individual defendants had both knowledge of the violations and the ability to control the violations, by either providing instructions to the debt collectors or by refusing to place debts with those collectors. Further, the court held that the individual defendants could be liable for “substantially assisting” violations of the CFPA, because the complaint alleged that the individual defendants recklessly disregarded unlawful behavior by the debt collectors and continued to place or sell debts to those collectors.
Finally, defendants also argued that both the CFPA and the FDCPA claims are time barred by the statute of limitations. The court rejected the defendants’ argument that the CFPB’s FDCPA claims were barred by the FDCPA’s one-year statute of limitations, holding that this provision applies only to private plaintiffs. The court held that FDCPA claims brought by the CFPB are subject to the CPFA’s statute of limitations, which bars claims brought more than three years after the CFPB’s discovery of the violations. The court further rejected the defendants’ argument that the claims were barred by this three-year statute of limitations, holding that it is unclear from the complaint when the CFPB became aware of facts constituting the violation and that the receipt of a consumer complaint by the CFPB will not necessarily constitute the date that the CFPB discovered or should have discovered the facts constituting the violation.
CFPB contests motions for preliminary injunctions to block enforcement of Small Business Lending Rule
On August 22, the CFPB filed an opposition to a motion made by a group of intervenors seeking to expand the scope of a preliminary injunction issued by the U.S. District Court for the Southern District of Texas, which enjoined the CFPB from implementing its Small Business Lending Rule. As previously covered by InfoBytes, the original plaintiffs in the litigation, a Texas banking association and a Texas bank, challenged the legality of the CFPB’s Small Business Lending Rule. After the American Bankers Association joined the case, the plaintiffs sought, and the court granted, a preliminary injunction enjoining implementation and enforcement of the rule against plaintiffs and their members. The intervenors, who consist of both banking and credit union trade associations, as well as individual banks and credit unions, seek a nationwide injunction that would apply beyond the parties to the case, or at least to the intervenors and their members. The CFPB’s opposition to this request for an expanded preliminary injunction argues that the intervenors fail to show that they would suffer immediate harm from enforcement of the Small Business Lending Rule.
In a related matter, on August 21, a group of Kentucky banks and a Kentucky banking association filed a motion for a preliminary injunction in the U.S. District Court for the Eastern District of Kentucky against the CFPB, seeking a preliminary injunction enjoining the CFPB from enforcing the Small Business Lending Rule against the plaintiffs and their members. Referencing the parallel Texas litigation, the Kentucky plaintiffs allege that they are entitled to an order enjoining enforcement of the Small Business Lending Rule against them for the same reasons that the Texas district court enjoined enforcement of the rule.
The most recent litigation activity follows a request from a group of trade associations to the CFPB to take administrative action to address the disparity in compliance dates that results from the district court’s injunction, a disparity that the trade associations argue is both unfair and disruptive to the market’s compliance efforts. The CFPB declined this request.
Both of these challenges to the Small Business Lending Rule point to a recent decision issued by the U.S. Court of Appeals for the Fifth Circuit in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where the court found that the CFPB’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here), as justification for why the final rule should ultimately be set aside.
7th Circuit affirms dismissal of proposed Driver’s Privacy Protection Act class action
On August 22, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a proposed class action alleging that defendant insurance companies leaked the plaintiffs’ drivers license numbers, holding that the plaintiffs lacked standing to sue the insurance companies. In a split decision, the majority opinion held that plaintiffs failed to establish standing to bring a lawsuit under the Driver’s Privacy Protection Act (DPPA) based on the unauthorized disclosure of their driver’s license numbers through a form on defendant’s website. The majority held that plaintiffs failed to allege a concrete injury, writing that allegations that plaintiffs are worried about future identity theft stemming from the disclosure are insufficient for standing, focusing on legitimate reasons why driver’s license numbers are commonly exposed to third-parties. The majority further held that plaintiffs failed to allege that false unemployment benefit applications submitted in their name were traceable to the disclosure of their driver’s license number, dooming their standing claim. In a dissent, Judge Kenneth Ripple disagreed with the majority’s conclusion that plaintiffs failed to make sufficient allegations to justify standing, reasoning that the DPPA contemplates a private right of action for the types of harms suffered by the plaintiffs and that plaintiffs adequately alleged that they suffered harm from false unemployment benefit applications submitted as a result of the driver’s license number leak.