InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Hsu discusses stablecoin standards
On April 27, acting Comptroller of the Currency Michael J. Hsu issued a statement regarding stablecoin standards after appearing before the Artificial Intelligence and the Economy: Charting a Path for Responsible and Inclusive AI symposium hosted by the U.S. Department of Commerce, National Institute of Standards and Technology, FinRegLab, and the Stanford Institute for Human-Centered Artificial Intelligence. According to Hsu, the internet has “technical foundations” that “provide for an open, royalty-free network.” He further noted that “[t]hose foundations did not emerge on their own. They were developed by standard setting bodies like IETF (Internet Engineering Task Force) and W3C (World Wide Web Consortium), which had representatives with differing perspectives, a shared public interest ethos, and a strong leader committed to the vision of an open and inclusive internet.” Hsu further stated that stablecoins do not have “shared standards and are not interoperable.” However, to make stablecoins “open and inclusive,” Hsu said that he believed that “a standard setting initiative similar to that undertaken by IETF and W3C needs to be established, with representatives not just from crypto/Web3 firms, but also from academia and government.” As previously covered by InfoBytes, Hsu discussed stablecoin policy considerations earlier this month in remarks before the Institute of International Economic Law at Georgetown University Law Center, calling for the establishment of an “intentional architecture” for stablecoins developed through principles of “[s]tability, interoperability and separability,” as well as “core values” of “privacy, security, and preventing illicit finance.”
OCC releases lineup of risk management workshops
On April 27, the OCC released its lineup of virtual workshops for board directors of national community banks and federal savings associations for the second half of 2022. Included as part of the workshops to be held later this year is a risk management series focusing on risk governance, credit risk, operational risk, and compliance risk. Another workshop will present guidance for directors and senior managers on building blocks for success. A schedule of the upcoming workshops and registration information is available here.
New York AG settles with student loan servicer for alleged PSLF and IDR failures
On April 27, the New York attorney general announced a settlement with a national student loan servicer, resolving allegations that it failed to properly manage student loans and administer the Public Service Loan Forgiveness (PSLF) program by inaccurately counting loan payments, improperly denying applications, and not processing applications in a timely manner. As previously covered by InfoBytes, the New York AG filed a complaint against the defendant in 2019 alleging violations of the CFPA and New York law, whereby the defendant, among other things, (i) failed to accurately count borrower’s PSLF-qualifying payments; (ii) failed to provide timely explanations to borrowers for PSLF payment count determinations; (iii) failed to process income driven repayment (IDR) plan paperwork accurately and timely; and (iv) lacked clear policies and procedures for addressing errors, resulting in inconsistent treatment of borrowers.
Under the terms of the settlement, the defendant is required to automatically review nearly 10,000 accounts of New York borrowers for various potential errors, including incorrect information provided about PSLF or IDR eligibility and inaccurate monthly payment charges, among other things. In addition, more than 300,000 current New York residents may be eligible to have their accounts reviewed at no cost to them. The defendant is required to send out notices to borrowers within 30 days. Borrower relief may include crediting of undercounted payments, refunds of overpayments, interest, monetary payments, and modifications to past payments to designate them as PSLF-qualifying. The defendant will implement enhanced quality assurance review procedures designed to identify errors.
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. Such characteristics of virtual currencies can create compliance challenges, but also can present new possibilities for new technology-driven control measures. In the guidance, NYDFS outlined expectations for New York State-regulated virtual currency companies, including: (i) establishing control measures that may leverage blockchain analytics; (ii) augmenting due diligence controls; (iii) conducting transaction monitoring of on-chain activity; and (iv) conducting sanctions screening of on-chain activity. NYDFS also emphasized "the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions."
As previously covered by InfoBytes, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance, which provided guidance for effectively managing cyber insurance risk. The framework is the first guidance released by a U.S. regulator on cyberinsurance. NYDFS noted it has “engaged with external stakeholders to inform this new guidance and continues to conduct significant outreach to state, federal and international regulators; industry; and other experts in the field to ensure New York maintains a robust regulatory regime and remains a destination for virtual currency companies to operate.”
District Court dismisses state law claims concerning scanned email allegations
On April 26, the U.S District Court for the Northern District of California granted a defendant tech company’s motion for reconsideration to dismiss a plaintiffs’ Washington Privacy Act (WPA) claims that it shared customer data with third parties without first obtaining consent. According to the amended complaint, the defendant allegedly misrepresented its privacy and security practices in violation of federal and state law by, among other things, sharing customer data with unauthorized third parties (some of which suffered data breaches), using customer data to develop products and services to sell to other companies, and falsely promising it complied with privacy and confidentiality standards. Plaintiffs alleged the company scanned 400 billion customer emails to obtain insights for its API, which it then sold to others.
In its prior ruling, the court dismissed plaintiffs’ Wiretap Act and Stored Communications Act claims but allowed the WPA claims to proceed. The defendant then filed a motion for partial reconsideration, arguing that the WPA claim is also premised on the same scanned email theory as with the other two claims that were already dismissed. The court agreed that the plaintiffs failed to sufficiently allege that their emails were scanned and dismissed the WPA claims without leave to amend because the “interception or disclosure of a communication” was necessary “in order for the conduct to be actionable.”
California Court of Appeal: Including extraneous language in FCRA disclosure may constitute willful violation
On April 19, the California Court of Appeal for the Fourth Appellate District reversed a trial court’s summary judgment order and held that the inclusion of extraneous language in an employer’s FCRA disclosures to job applicants may constitute willful violation of the FCRA. The plaintiff filed a putative class action against the defendant employer, contending that it willfully violated the FCRA by providing job applicants with a disclosure that included extraneous language unrelated to the topic of consumer reports. The plaintiff alleged that the disclosure violated the FCRA’s requirement for providing a standalone disclosure informing the applicant that the employer may obtain the applicant’s consumer report when making a hiring decision upon applicant’s consent. The defendant filed a motion for summary judgment arguing that no reasonable jury could find that the plaintiff’s FCRA violation was willful, because the erroneous disclosure form was the result of a drafting mistake that took place when the defendant modified a sample disclosure provided by a consumer reporting agency to ensure compliance with the FCRA. The trial court granted the defendant’s motion, finding that any non-compliance resulted from a drafting was an inadvertent error.
On appeal, the Court of Appeal reversed and remanded with instructions that the trial court deny the motion for summary judgment. The appellate court found that “a reasonable jury could find that [the employer] acted willfully because it violated an unambiguous provision of the FCRA.” The Court of Appeal noted that that there’s evidence that at least one of the defendant’s employees was aware that the extraneous language would be included in the disclosure form. In addition, the continuous use of the allegedly problematic disclosure form for nearly two years could signify recklessness. The Court of Appeal reasoned further that the defendant’s “continued and prolonged use” of the “problematic” disclosure form “suggest[ed] that it had no proactive monitoring system in place to ensure its disclosure was FCRA-complaint.”
Nevada Supreme Court affirms ruling in default notice suit
On April 7, the Nevada Supreme Court denied a petition for rehearing and reaffirmed its prior conclusion that, under Nevada law, when a notice of rescission is recorded after a notice of default, the rescission cancels the acceleration triggered by the notice of default, and resets a statutory 10-year period for automatically clearing a lien on real property. NRS § 106.240 “provides a means by which liens on real property are automatically cleared from the public records after a certain period of time,” and specifically “provides that 10 years after the debt secured by the lien has become ‘wholly due’ and has remained unpaid, ‘it shall be conclusively presumed that the debt has been regularly satisfied and the lien discharged.’” The specific question before the Nevada Supreme Court was what effect a notice of rescission has on NRS § 106.240’s 10-year period when the notice is recorded after a notice of default. The Nevada Supreme Court upheld the lower court’s decision determining that “because a notice of rescission rescinds a previously recorded notice of default, the notice of rescission ‘effectively cancelled the acceleration’ triggered by the notice of default, such that NRS 106.240’s 10-year period was reset.”
District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed
On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this information in online teaser profile advertisements. Plaintiffs contended that the “teasers” violated their rights of publicity, and that memberships give users access to data including location history, family members, court records, employment information, and more. Plaintiffs further stated that “they ‘did not consent to the commercial use of their personal information and personas to promote subscriptions to a website with which they have no relationship.’” Defendant moved to dismiss on numerous grounds, including lack of standing.
In denying the motion to dismiss, the court ruled that plaintiffs have Article III standing to sue and that plaintiffs sufficiently pleaded a cognizable injury in “that their names, likenesses, and related information have commercial value and were being used for a commercial purpose.” The court also reviewed the adequacy of pleadings with respect to the alleged state violations and concluded, among other things, that the defendant’s teasers “are not subject to statutory exceptions for newsworthiness or public interest information.” As to the defendant’s alleged violations of California’s Unfair Competition Law (UCL), the court considered whether the California Consumer Privacy Act (CCPA) “immunizes [defendant’s] behavior from UCL liability.” According to the defendant, the CCPA generally obligates businesses to notify California residents when personal information is being used, it also “contains an express exemption for the use of publicly available data.” Because this conduct is allegedly permitted by the CCPA, the defendant argued, it cannot violate the UCL. The court disagreed, writing that “all that these provisions of the CCPA do are exempt publicly available data from special notification and disclosure rules that the statute itself imposes on companies that collect Californians’ data. . . . They do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.”
Illinois adopts rules implementing Predatory Loan Prevention Act
On April 22, the Illinois Department of Financial and Professional Regulation (IDFPR) published in the Illinois Register a notice of adopted rules to implement the Predatory Loan Prevention Act (PLPA or the Act). As previously covered by InfoBytes, the Act was signed into law in March 2021 to prohibit lenders from charging more than 36 percent APR on all non-commercial consumer loans under $40,000, including closed-end and open-end credit, retail installment sales contracts, and motor vehicle retail installment sales contracts. Violations of the Act constitute a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act and carry a potential fine up to $10,000. Additionally, any loan with an APR exceeding 36 percent will be considered null and void.
In general, the adopted rules require lenders to provide a disclosure to consumers about the 36 percent APR rate cap established by the PLPA, incorporate the APR calculation method required by the PLPA, and amend the rules for reporting of payday loans to the state database. The rules specify that words in the definitions are not defined to have the same meaning as in Regulation Z, including any interpretation by the CFPB. For purposes of calculating the PLPA ARP, the rules specify that the calculation excludes only certain specified bona fide fees, but includes finance charges, loan application fees, and fees imposed for participation in any plan or arrangement for a loan, “even if that charge would be excluded from the finance charge under Regulation Z.”
The IDFPR made several amendments related to rate cap disclosure notices. These specify that all loan applications must include a separate rate cap disclosure signed by the consumer (disclosures must be provided in English and in the language in which the loan was negotiated) that clearly and conspicuously states: “A lender shall not contract for or receive charges exceeding a 36% annual percentage rate on the unpaid balance of the amount financed for a loan, as calculated under the Illinois Predatory Loan Prevention Act (PLPA APR). Any loan with a PLPA APR over 36% is null and void, such that no person or entity shall have any right to collect, attempt to collect, receive, or retain any principal, fee, interest, or charges related to the loan. The annual percentage rate disclosed in any loan contract may be lower than the PLPA APR.”
The rules take effect August 1.
Florida court grants sovereign immunity to lender and company officials
On April 11, a Florida county court concluded that a defendant lender and certain company officials were entitled to sovereign immunity in a case concerning alleged usury claims. The plaintiff claimed the lender used its supposed federally-recognized tribal affiliation to escape state usury regulations. The court dismissed the complaint, however, finding that the lender is an “arm of the tribe” under a six-prong test established by the U.S. Court of Appeals for the Tenth Circuit in Breakthrough Management Group, Inc. v. Chukchansi Gold Casino & Resort. The test determines whether sovereign immunity should apply by examining, among other factors, an entity’s creation, the amount of control a tribe has over the entity, and the financial relationship between the tribe and the entity. According to the court, the defendant’s evidence suggests that the tribe created the defendant as a business entity “to generate and contribute revenues” to the tribe’s general fund. The court found that insufficient detail was presented to support the plaintiff’s assertion that the defendant pays a relatively small percentage of its gross revenues to the tribe. The court added that the plaintiff also failed to present evidence proving that large portions of the defendant’s revenue were distributed to non-tribal entities. In dismissing the case with prejudice, the court also dismissed claims against three individual defendants because they were entitled to sovereign immunity. The court concluded that the plaintiff’s allegations demonstrated that the individuals committed the alleged wrongs in their capacities as employees and officers and therefore the “real party in interest” is the lender.