
InfoBytes Blog

Financial Services Law Insights and Observations


  • Ed. Dept. discharges additional $238 million

    Federal Issues

    On April 28, the Department of Education announced it will deliver relief to tens of thousands of borrowers harmed by “pervasive and widespread misconduct” at a beauty school. According to the Department, the students attended the beauty school between 2009 and 2016, during which it “engaged in pervasive and widespread misconduct that negatively affected all borrowers who enrolled.” The 28,000 borrowers will receive loan discharges totaling approximately $238 million, which will provide relief to borrowers who enrolled at the beauty school during this period, including those who have not yet applied for a borrower defense discharge. According to Secretary of Education Miguel Cardona, the Department will “continue to strengthen oversight and enforcement for colleges and career schools that engaged in misconduct and uphold the Biden-Harris Administration’s commitment to helping students who have been harmed.” The Office of Federal Student Aid also announced it is hiring four employees for its enforcement unit.

    Federal Issues Department of Education Student Lending Consumer Finance Discharge

  • 4th Circuit will not revive investors’ data breach case

    Privacy, Cyber Risk & Data Security

    On April 21, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s dismissal of a securities suit against a hotel corporation (defendant) alleging that they misled the plaintiffs regarding data vulnerabilities connected to a major breach of customers’ personal information. According to the opinion, two years after merging with another hospitality corporation, the defendant “learned that malware had impacted approximately 500 million guest records in the [hospitality corporation’s] guest reservation database.” An investor filed a putative class action against the defendant and nine of its officers and directors, alleging that its failure to disclose severe vulnerabilities in the hospitality corporation’s IT systems rendered 73 different public statements false or misleading in violation of Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act) and SEC Rule 10b-5. The district court granted the defendant’s motion to dismiss with prejudice and concluded that the plaintiffs “‘failed to adequately allege a false or misleading statement or omission, a strong inference of scienter, and loss causation,’ which doomed the claim under Section 10(b) and Rule 10b-5 as well as the secondary liability claim [under Section 20(a) of the Exchange Act].” The investor appealed, dropping its challenge to 55 of the statements but maintaining its challenge to the other 18.

    On appeal, the 4th Circuit agreed with the district court that the defendant’s statements about the importance of cybersecurity were not misleading with respect to the quality of its cybersecurity efforts. The appellate court found that “[t]he ‘basic problem’ with the complaint on this point is that ‘the facts it alleges do not contradict [the defendant’s] public disclosures,’” and that reiterating the “basic truth” that data integrity is important does not mislead investors or create a false impression. The appellate court also noted that the complaint “concedes that [the defendant] devoted resources and took steps to strengthen the security of hospitality corporation’s systems,” and that the company included “such sweeping caveats that no reasonable investor could have been misled by them.” The appellate court concluded that the defendant “certainly could have provided more information to the public about its experience with or vulnerability to cyberattacks, but the federal securities laws did not require it to do so.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Appellate Fourth Circuit SEC Securities Exchange Act

  • Chopra testifies at congressional hearings

    Federal Issues

    On April 26, CFPB Director Rohit Chopra testified at a hearing held by the Senate Banking Committee on the CFPB’s most recent semi-annual report to Congress (covered by InfoBytes here). Chopra’s opening remarks focused on key efforts the agency is taking to meet objectives established by Congress, including (i) shifting enforcement resources away from investigating small firms and focusing instead on repeat offenders and large players engaged in large-scale harm; (ii) increasing transparency through the issuance of guidance documents, such as advisory opinions, compliance bulletins, policy statements, and other publications to help entities comply with federal consumer financial laws; (iii) rethinking its approach to regulations, including its work to develop several rules authorized in the CFPA, and placing “a higher premium on simplicity and ‘bright lines’ whenever possible”; (iv) engaging with the business community and meeting with state-based associations to speak directly with community banks and credit unions and engaging with a broad range of other businesses and associations that may be affected by the laws the Bureau administers; (v) promoting greater competition by “lowering barriers to entry and increasing the pool of firms competing for customers based on quality, price, and service”; and (vi) researching issues related to big tech’s influence on consumer payments.

    In his opening statement, Senate Banking Committee Chair Sherrod Brown (D-OH) praised Chopra’s recent efforts related to “junk fees” such as overdraft fees and non-sufficient fund fees, discrimination and bias in the appraisal process, reporting of medical collection debt by the credit reporting agencies, examination authority over non-banks and fintech companies, and crack-down on repeat offenders. However, Ranking Member Patrick Toomey (R-PA) criticized Chopra’s actions and alleged “overreach.” Among other things, Toomey characterized the Bureau’s attempts “to supervise for disparate impact not only in lending, but in all consumer financial services and products” as “unauthorized stealth rulemaking” that “will create tremendous uncertainty among regulated entities.” Toomey also took issue with recent changes to the Bureau’s rules of adjudication, claiming it will “make it easier to engage in regulation by enforcement.”

    During the hearing, committee members discussed topics related to collecting small business lending data, rural banking access, student loan servicing, and whether the Bureau should be subject to the congressional appropriations process. Republican committee members raised concerns over several issues, including significant revisions recently made to the Bureau’s unfair, deceptive, or abusive acts or practices (UDAAP) examination manual that state that any type of discrimination in connection with a consumer financial product or service could be an “unfair” practice (i.e., the CFPB can now bring “unfair” discrimination claims related to non-credit financial products). (Covered by a Buckley Special Alert.) Senator Thom Tillis (R-NC) characterized the new policy as a “wholesale rewrite” of the examination manual that will improperly expand the reach of disparate impact liability and challenged the lack of notice-and-comment for the changes to the UDAAP manual. 

    Conversely, Democratic committee members praised Chopra’s actions and encouraged him to continue pressuring banks to cut excessive overdraft fees and other “junk fees,” as well as strengthen enforcement against repeat offenders. Senator Elizabeth Warren (D-MA) stressed that imposing fines that are less than the profits made from the misconduct will not be enough to persuade large banks to follow the law and asked Chopra to think about other steps regulators might consider to hold large repeat offenders accountable. She referenced her bill, the Corporate Executive Accountability Act, which is designed to hold big bank executives personally liable for the bank’s repeat violations of the law.

    Chopra reiterated the Bureau’s priorities in his April 27 testimony before the House Financial Services Committee. At the hearing, House committee members questioned Chopra on the Bureau’s plans to collect data on small business loans pursuant to Section 1071 of the Dodd-Frank Act, crack down on “junk fees,” and address fair lending concerns with automated valuation models and fraud in payment networks. During the hearing, Chopra told committee members that the Bureau plans to revisit and update older regulations such as the CARD Act to lower credit card fees. “We want to make sure that credit cards are a competitive market . . . [so] I am asking the staff to look at whether we should reopen the Card Act rules that were promulgated by the Federal Reserve Board over 10 years ago . . . to be able to look at some of these older rules we inherited, to determine whether there needs to be any changes,” Chopra said, adding that “late fees are an area that I expect to be one of the questions we solicit input on.”

    Federal Issues CFPB Senate Banking Committee House Financial Services Committee Consumer Finance Dodd-Frank CFPA Credit Cards Overdraft Fees Repeat Offender

  • Hsu discusses stablecoin standards

    On April 27, acting Comptroller of the Currency Michael J. Hsu issued a statement regarding stablecoin standards after appearing before the Artificial Intelligence and the Economy: Charting a Path for Responsible and Inclusive AI symposium hosted by the U.S. Department of Commerce, National Institute of Standards and Technology, FinRegLab, and the Stanford Institute for Human-Centered Artificial Intelligence. According to Hsu, the internet has “technical foundations” that “provide for an open, royalty-free network.” He further noted that “[t]hose foundations did not emerge on their own. They were developed by standard setting bodies like IETF (Internet Engineering Task Force) and W3C (World Wide Web Consortium), which had representatives with differing perspectives, a shared public interest ethos, and a strong leader committed to the vision of an open and inclusive internet.” Hsu further stated that stablecoins do not have “shared standards and are not interoperable.” However, to make stablecoins “open and inclusive,” Hsu said that he believed that “a standard setting initiative similar to that undertaken by IETF and W3C needs to be established, with representatives not just from crypto/Web3 firms, but also from academia and government.” As previously covered by InfoBytes, Hsu discussed stablecoin policy considerations earlier this month in remarks before the Institute of International Economic Law at Georgetown University Law Center, calling for the establishment of an “intentional architecture” for stablecoins developed through principles of “[s]tability, interoperability and separability,” as well as “core values” of “privacy, security, and preventing illicit finance.”

    Bank Regulatory Federal Issues OCC Digital Assets Cryptocurrency Stablecoins Risk Management Fintech

  • OCC releases lineup of risk management workshops

    On April 27, the OCC released its lineup of virtual workshops for board directors of national community banks and federal savings associations for the second half of 2022. Included as part of the workshops to be held later this year is a risk management series focusing on risk governance, credit risk, operational risk, and compliance risk. Another workshop will present guidance for directors and senior managers on building blocks for success. A schedule of the upcoming workshops and registration information is available here.

    Bank Regulatory Federal Issues OCC Risk Management Bank Compliance

  • New York AG settles with student loan servicer for alleged PSLF and IDR failures

    State Issues

    On April 27, the New York attorney general announced a settlement with a national student loan servicer, resolving allegations that it failed to properly manage student loans and administer the Public Service Loan Forgiveness (PSLF) program by inaccurately counting loan payments, improperly denying applications, and not processing applications in a timely manner. As previously covered by InfoBytes, the New York AG filed a complaint against the defendant in 2019 alleging violations of the CFPA and New York law, whereby the defendant, among other things, (i) failed to accurately count borrowers’ PSLF-qualifying payments; (ii) failed to provide timely explanations to borrowers for PSLF payment count determinations; (iii) failed to process income driven repayment (IDR) plan paperwork accurately and timely; and (iv) lacked clear policies and procedures for addressing errors, resulting in inconsistent treatment of borrowers.

    Under the terms of the settlement, the defendant is required to automatically review nearly 10,000 accounts of New York borrowers for various potential errors, including incorrect information provided about PSLF or IDR eligibility and inaccurate monthly payment charges, among other things. In addition, more than 300,000 current New York residents may be eligible to have their accounts reviewed at no cost to them. The defendant is required to send out notices to borrowers within 30 days. Borrower relief may include crediting of undercounted payments, refunds of overpayments, interest, monetary payments, and modifications to past payments to designate them as PSLF-qualifying. The defendant will implement enhanced quality assurance review procedures designed to identify errors.

    State Issues State Attorney General New York CFPA Student Lending Student Loan Servicer

  • NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance

    State Issues

    On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. Such characteristics of virtual currencies can create compliance challenges, but also can present new possibilities for new technology-driven control measures. In the guidance, NYDFS outlined expectations for New York State-regulated virtual currency companies, including: (i) establishing control measures that may leverage blockchain analytics; (ii) augmenting due diligence controls; (iii) conducting transaction monitoring of on-chain activity; and (iv) conducting sanctions screening of on-chain activity. NYDFS also emphasized "the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions."

    As previously covered by InfoBytes, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance, which provided guidance for effectively managing cyber insurance risk. The framework is the first guidance released by a U.S. regulator on cyberinsurance. NYDFS noted it has “engaged with external stakeholders to inform this new guidance and continues to conduct significant outreach to state, federal and international regulators; industry; and other experts in the field to ensure New York maintains a robust regulatory regime and remains a destination for virtual currency companies to operate.”

    State Issues Digital Assets Agency Rule-Making & Guidance NYDFS Privacy/Cyber Risk & Data Security State Regulators Bank Regulatory Fintech OFAC Sanctions Financial Crimes

  • District Court dismisses state law claims concerning scanned email allegations

    Privacy, Cyber Risk & Data Security

    On April 26, the U.S. District Court for the Northern District of California granted a defendant tech company’s motion for reconsideration to dismiss plaintiffs’ Washington Privacy Act (WPA) claims that it shared customer data with third parties without first obtaining consent. According to the amended complaint, the defendant allegedly misrepresented its privacy and security practices in violation of federal and state law by, among other things, sharing customer data with unauthorized third parties (some of which suffered data breaches), using customer data to develop products and services to sell to other companies, and falsely promising it complied with privacy and confidentiality standards. Plaintiffs alleged the company scanned 400 billion customer emails to obtain insights for its API, which it then sold to others.

    In its prior ruling, the court dismissed plaintiffs’ Wiretap Act and Stored Communications Act claims but allowed the WPA claims to proceed. The defendant then filed a motion for partial reconsideration, arguing that the WPA claim is also premised on the same scanned email theory as with the other two claims that were already dismissed. The court agreed that the plaintiffs failed to sufficiently allege that their emails were scanned and dismissed the WPA claims without leave to amend because the “interception or disclosure of a communication” was necessary “in order for the conduct to be actionable.”

    Privacy/Cyber Risk & Data Security Courts State Issues Washington Class Action Data Breach Wiretap Act

  • California Court of Appeal: Including extraneous language in FCRA disclosure may constitute willful violation

    Courts

    On April 19, the California Court of Appeal for the Fourth Appellate District reversed a trial court’s summary judgment order and held that the inclusion of extraneous language in an employer’s FCRA disclosures to job applicants may constitute a willful violation of the FCRA. The plaintiff filed a putative class action against the defendant employer, contending that it willfully violated the FCRA by providing job applicants with a disclosure that included extraneous language unrelated to the topic of consumer reports. The plaintiff alleged that the disclosure violated the FCRA’s requirement for providing a standalone disclosure informing the applicant that the employer may obtain the applicant’s consumer report when making a hiring decision upon the applicant’s consent. The defendant filed a motion for summary judgment arguing that no reasonable jury could find that the alleged FCRA violation was willful, because the erroneous disclosure form was the result of a drafting mistake that took place when the defendant modified a sample disclosure provided by a consumer reporting agency to ensure compliance with the FCRA. The trial court granted the defendant’s motion, finding that any non-compliance resulted from an inadvertent drafting error.

    On appeal, the Court of Appeal reversed and remanded with instructions that the trial court deny the motion for summary judgment. The appellate court found that “a reasonable jury could find that [the employer] acted willfully because it violated an unambiguous provision of the FCRA.” The Court of Appeal noted that there is evidence that at least one of the defendant’s employees was aware that the extraneous language would be included in the disclosure form. In addition, the continuous use of the allegedly problematic disclosure form for nearly two years could signify recklessness. The Court of Appeal reasoned further that the defendant’s “continued and prolonged use” of the “problematic” disclosure form “suggest[ed] that it had no proactive monitoring system in place to ensure its disclosure was FCRA-compliant.”

    Courts State Issues Appellate Class Action California FCRA Disclosures

  • Nevada Supreme Court affirms ruling in default notice suit

    Courts

    On April 7, the Nevada Supreme Court denied a petition for rehearing and reaffirmed its prior conclusion that, under Nevada law, when a notice of rescission is recorded after a notice of default, the rescission cancels the acceleration triggered by the notice of default, and resets a statutory 10-year period for automatically clearing a lien on real property. NRS § 106.240 “provides a means by which liens on real property are automatically cleared from the public records after a certain period of time,” and specifically “provides that 10 years after the debt secured by the lien has become ‘wholly due’ and has remained unpaid, ‘it shall be conclusively presumed that the debt has been regularly satisfied and the lien discharged.’” The specific question before the Nevada Supreme Court was what effect a notice of rescission has on NRS § 106.240’s 10-year period when the notice is recorded after a notice of default. The Nevada Supreme Court upheld the lower court’s decision determining that “because a notice of rescission rescinds a previously recorded notice of default, the notice of rescission ‘effectively cancelled the acceleration’ triggered by the notice of default, such that NRS 106.240’s 10-year period was reset.”

    Courts State Issues Nevada Mortgages Consumer Finance
