On May 13, NYDFS announced a settlement with an insurance company to resolve allegations that the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to implement multi-factor authentication or reasonably equivalent or more secure access controls. Under Part 500.12(b), covered entities are required to implement such protocols (see FAQs here). NYDFS’s investigation also revealed that the insurance company falsely certified its compliance with the cybersecurity regulation for 2018. Under the terms of the consent order, the company will pay a $1.8 million civil monetary penalty and will undertake improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the company’s “commendable” cooperation throughout the examination and investigation and stated that the company had demonstrated its commitment to remediation.
On April 27, the Oklahoma governor signed SB 261, which creates the Oklahoma Student Borrower’s Bill of Rights Act and outlines new provisions for student loan servicers. Among other things, the act prohibits student loan servicers from (i) directly or indirectly defrauding or misleading student loan borrowers; (ii) engaging in unfair or deceptive practices, such as “misrepresenting the amount, nature or terms of any fee or payment due or claimed to be due on a student education loan, the terms and conditions of the loan agreement or the borrower’s obligations under the loan”; (iii) obtaining property by fraud or misrepresentation; (iv) incorrectly applying or failing to apply a borrower’s loan payments to an outstanding balance; (v) providing inaccurate information to a credit bureau about a borrower; (vi) failing to report a borrower’s favorable and unfavorable payment history at least once a year except in the case of loan rehabilitation; (vii) refusing to communicate with a borrower’s authorized representative; (viii) making false statements or misrepresenting by omission any material facts in connection with a government investigation; (ix) failing to inform borrowers of their federal income repayment options prior to offering deferment or forbearance; and (x) failing to inform borrowers if their loan does not qualify for a loan forgiveness program. The act takes effect November 1.
On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, hackers installed malware into a software platform used by the government and financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs for many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous since “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”
The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.
On April 21, the governor of Oklahoma signed SB 796, which amends the loan finance charge limit for supervised lenders. Specifically, a loan finance charge “may not exceed the equivalent of the greater of either” 25 percent per year on an unpaid principal balance or: (i) 32 percent annually on unpaid principal of $7,000 or less; (ii) 23 percent annually on unpaid principal that is greater than $7,000 but does not exceed $11,000; and (iii) 20 percent annually on unpaid principal of more than $11,000. The act also allows lenders to charge a closing fee of up to $28.85. The act takes effect November 1.
The North Dakota governor also signed into law SB 2103 on April 16, which, when it takes effect on August 1, imposes limits on charges that licensed money brokers can assess, including a 36 percent annual interest rate limit on installment loans, and caps nonpayment or late payment fees at five percent for loans greater than $50,000. The act also includes additional restrictions for loans of less than $2,000, including that (i) the maximum term for an installment loan may not exceed 36 months and balloon payments are prohibited; (ii) existing loan balances may be refinanced into a new loan, provided it is less than $2,000 and “the combination of any refinance fees along with any fees collected as part of the original loans” do “not exceed one hundred dollars per calendar year”; and (iii) licensees may not contract for or receive charges exceeding $100 for a loan extension or payment deferment.
On April 26, the California Department of Financial Protection and Innovation (DFPI) announced a settlement with a San Francisco-based coding school, requiring removal of a bankruptcy dischargeability provision from the school’s student contracts and notification to students that this type of financing can be discharged in a bankruptcy filing. According to the consent order, a non-dischargeability provision used in the school’s installment agreements was “misleading because, contrary to the Bankruptcy Non-Dischargeability Provision, the Contract is not . . . subject to the limitations on dischargeability pursuant to . . . the United States Bankruptcy Code.” Therefore, the school violated the California Consumer Financial Protection Law, which prohibits companies from participating in practices that are unlawful, unfair, deceptive, or abusive. As part of the settlement, the school must (i) notify students that the bankruptcy dischargeability provision language is not accurate; (ii) retain a third party to review the terms of the school’s finance contract to certify that it follows the relevant regulations and laws; and (iii) go through a marketing compliance review to certify that the information is accurate and not misleading. According to DFPI Commissioner Manuel P. Alvarez, the consent order “helps ensure that future students can confidently enter into educational financing contracts without being subjected to false or misleading terms.”
On April 28, the Maryland commissioner of financial regulation issued guidance that extends the “re-start date” for the ability to initiate residential foreclosures to July 1, 2021 (prior guidance has been discussed here and here). The guidance is issued pursuant to the Maryland governor’s executive order 20-12-17-02, which amended and restated previous executive orders covered here and here.
On April 21, California’s Department of Financial Protection and Innovation (DFPI) hosted its first “Economic Equity Conference” presenting its Survey of Diversity in State Banking. The conference was designed to provide state financial leaders with strategies to enhance their “diversity, equity, and inclusion initiatives and consider their role in helping to close the racial wealth gap.” The conference featured the release of findings from a banking survey distributed to every state-chartered bank and credit union in October 2020. Some key takeaways of the report include:
- Responding financial institutions reported collecting employee and board member data on the following: (i) “60 percent collect ethnic and/or gender data;” (ii) “roughly 40 percent inquire about veteran/disability status”; (iii) “about 15 percent ask about ‘other’ categories, including marital status and age”; and (iv) “only 3 percent collect data on sexual orientation.”
- About half of responding financial institutions require diversity education or training for employees, but only 23 percent require diversity training for board members.
- Around 40 percent of financial institutions have “board-approved diversity, equity, and inclusion goals, with purposeful recruiting being the most common.”
- About 33 percent of responding institutions “track diversity, equity, and inclusion efforts, with reliance on self-assessment tools being the most common.”
- More than 75 percent of survey respondents “would like the DFPI to support diversity, equity, and inclusion efforts by providing education and training to licensees.”
On April 13, the Minnesota attorney general announced a settlement with a California-based student loan debt relief company that allegedly: (i) collected illegal fees from customers; (ii) misrepresented its services to cease operations in Minnesota by not providing full refunds to its Minnesota consumers; and (iii) violated Minnesota’s Debt Services Settlement Act, Prevention of Consumer Fraud Act, and Uniform Deceptive Trade Practices Act. The AG alleged that the company “falsely promised consumers student-loan forgiveness, when only the federal government can forgive federal student loans.” Under the terms of the settlement, the company is required to pay the AG $18,190.50, which will be used to provide full restitution to consumers. The settlement also requires the company to cease operations in Minnesota until it becomes registered as a debt-settlement service provider.
On April 20, the governor of Colorado issued an executive order providing additional protections for tenants at risk of eviction due to the impact of Covid-19. The order suspends portions of the Colorado statutes that require landlords to provide tenants with 10 days’ notice of default on rent payments during which the tenant may cure the default. The order instead requires landlords to provide 30 days’ notice of any default for nonpayment of rent on or after March 10, 2020. During this 30-day period, landlords are prohibited from initiating an action for forcible entry and tenants have the opportunity to cure any default.
On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report that it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A September 2019 examination revealed that the cyber breaches involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also alleged that the broker failed to implement multi-factor authentication as required by 23 NYCRR Part 500. Under the terms of the consent order, the broker will pay a $3 million civil monetary penalty and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the broker’s “commendable” cooperation throughout the examination and investigation and stated that the broker had demonstrated its commitment to remediation.
- Jonice Gray Tucker to discuss “How the new administration sets the tone for 2021” at the American Conference Institute Legal, Regulatory and Compliance Forum on Fintech & Emerging Payment Systems
- Sherry-Maria Safchuk to discuss UDAAP in consumer finance at an American Bar Association webinar
- Jeffrey P. Naimon to discuss “What to expect: The new administration and regulatory changes” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Steven R. vonBerg to discuss “LO comp challenges” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss “Major litigation” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss “The False Claims Act today” at the Federal Bar Association Qui Tam Section Roundtable