InfoBytes Blog
Court rules on CFPB’s motions in case against lender regarding Military Lending Act violations
On November 7, the U.S. District Court for the Northern District of Texas entered an opinion and order in a case involving the CFPB and a consumer lender and its subsidiaries (the defendants) addressing two motions: the Bureau’s motion to strike and the defendant’s motion for partial summary judgment. In this case, the CFPB asserted the defendants made pawn loans to active duty servicemembers and their dependents that: (i) charged interest rates exceeding the Military Lending Act’s (MLA) 36 percent cap; (ii) required arbitration in violation of the MLA; and (iii) failed to provide mandatory disclosures. The CFPB claimed that between June 2017 and May 2021, the defendant issued more than 3,600 prohibited loans to covered borrowers in multiple states, including Arizona, Nevada, Utah and Washington. The CFPB also asserted the defendant’s conduct following its 2016 merger with another company constituted a breach of a 2013 administrative order.
The CFPB’s motion to strike sought to eliminate the defendant’s “bona-fide-error” defense, which the Bureau argued “is only available when a private party is the plaintiff.” The court granted this motion in part, agreeing with the CFPB that the bona-fide-error defense, which protects defendants from civil liability for unintentional violations of the MLA, did not apply in suits brought by federal agencies like the CFPB. The court reasoned that the MLA’s bona-fide-error defense is intended to protect against liability to individual borrowers — not federal agencies. Therefore, the court struck the defendant’s bona-fide-error defense from its answer.
The defendant’s motion for partial summary judgment sought to establish the applicability of the bona-fide-error defense and dismiss the first three counts of the CFPB’s complaint, arguing that the Bureau lacked jurisdiction over its claims. The court denied this motion, stating that the defendant failed to provide sufficient evidence to support its bona-fide-error defense and that “the CFPB did not make ‘judicial admissions’ that rob the Court of jurisdiction.” The court clarified that the CFPB is empowered to enforce the MLA under the CFPA and TILA.
Additionally, the court denied the CFPB’s motion to strike the defendant’s sixth and eighth affirmative defenses, which reserve rights to amend its answer. The court found that these defenses did not prejudice the Bureau in any way.
FDIC reports lowest unbanked rate since start of survey
On November 12, the FDIC released its biennial survey of unbanked and underbanked households revealing that the unbanked rate in the U.S. fell to a historic low of 4.2 percent in 2023. This rate decreased from 4.5 percent in 2021 and marked a significant drop from a high of 8.2 percent in 2011. First conducted in 2009, the survey noted about 5.6 million households were unbanked in 2023.
The survey also highlighted that households consisting of minority groups continued to have higher unbanked rates compared to their counterparts. For the first time, the 2023 survey included questions about the use of Buy Now, Pay Later (BNPL) services, revealing that 3.9 percent of households used BNPL in the past 12 months.
CFPB report examines state and federal consumer financial data privacy protections
On November 12, the CFPB released a report examining federal and state consumer financial data privacy protections. The report highlighted how several states have recently enacted new data privacy laws, most of which provided entity-level exemptions for financial institutions, as well as any data subject to the privacy provisions of the GLBA.
The CFPB critiqued the limitations of the GLBA and the FCRA, noting that these laws primarily focus on consumer disclosures and provide opt-out opportunities rather than requiring affirmative consent for data sharing, among other rights granted by some state privacy laws. It also addressed the increasing role of financial institutions in monetizing consumer data, and the GAO’s criticisms regarding financial institutions’ use of the model privacy policy form set forth under Regulation P to “mask just how much data they collect on consumers and all the ways they allow that information to be used, including by firms far removed from the products and services the financial institution provides.”
In assessing recently enacted state laws, which included 18 new statutes between January 2018 and July 2024, the Bureau compared the protections provided by each statute and the federal financial privacy laws. It noted how all 18 state laws included three rights modeled after the EU’s General Data Protection Regulation — right of access, right to delete, and right to data portability — while fewer set forth additional rights. It further described how the California Consumer Privacy Act was “the only one of the eighteen state laws to focus its GLBA exemption solely on the data governed by the GLBA.”
The CFPB suggested that state policymakers reassess the tradeoffs associated with exempting GLBA-covered financial institutions from new data privacy laws.
OIG releases 2024 audit of the Fed’s information security program
On October 31, OIG for the Fed and the CFPB released its 2024 Audit of the Board’s Information Security Program. The audit found that the Board’s information security program continues to operate at a level-4 (managed and measurable) maturity. Since the 2023 Federal Information Security Modernization Act (FISMA) audit report, the Fed has made improvements, such as updating personnel security processes to ensure position risk designations are clearly documented and used. However, the audit identified areas where the program’s maturity has decreased, including the need for a supply chain risk management strategy, a review and escalation process for data loss prevention alerts, consistent documentation of systems, vulnerability scanning on mobile devices, annual testing of the incident notification and breach response plan, role-based privacy training, targeted phishing exercises, and ensuring timely incident reporting by cloud service providers.
The report included nine recommendations regarding the Board’s information security program in risk management, supply chain risk management, data protection and privacy, and security training. The Fed concurred with the recommendations and plans to address them with action plans and milestones. Additionally, 14 recommendations from prior FISMA audit reports remain open, and the audit warned that failure to address these could lead to a decline in the program’s maturity rating in 2025.
Senate Democrats take issue with student loan servicer’s terms of use
On November 3, Sens. Elizabeth Warren (D-MA), Richard Blumenthal (D-CT), Chris Van Hollen (D-MD), and Tammy Duckworth (D-IL) penned a letter to the CEO of a student loan servicer expressing concerns about the terms of use on its website. The servicer attempted to impose the terms of service on all users of the website, including individuals that merely browse the website and borrowers that use the website to make payments and view important information about balances, among other features, without obtaining the affirmative consent of the users. However, the senators argued that the terms of use unfairly restricted borrowers’ legal rights and absolved the servicer of liability for potential misconduct, often without the borrowers’ full knowledge. The senators asserted that the terms may be unlawful under the CFPA’s prohibition of UDAAP, as well as other consumer financial laws, as they exploited borrowers’ lack of alternatives and included potentially unenforceable contractual provisions.
The letter concluded with several questions for the servicer, seeking clarification on the enforcement of the terms, the rationale behind specific clauses, and the implications for borrowers who rely on the website to manage their loans. The senators requested responses by November 17.
OIG satisfied with CFPB information security program, provides recommendations
On October 31, OIG for the Fed and the CFPB published its 2024 Audit of the CFPB’s Information Security Program, reporting that the CFPB’s information security program operates effectively at a level-4 (managed and measurable) maturity. While the report noted the CFPB has taken steps to improve its security program since the last review, it included eight recommendations:
- Complete the finalization of an agencywide data classification policy that accounts for the sensitivity of the data maintained by the CFPB.
- Ensure that data classification and sensitivity labels are incorporated into the CFPB’s data loss prevention program.
- Strengthen flaw remediation processes by developing and implementing a process to clearly map identified vulnerabilities to system IP addresses, host names, and remediation owners within the CFPB’s configuration management database.
- Ensure that adequate resources are allocated to reinvestigate CFPB systems users.
- Develop and maintain a ransomware strategy and specific procedures that provide a formal, focused and coordinated approach to respond to ransomware attacks.
- Ensure that testing of mission-essential functions identified in the CFPB’s continuity of operations plan is periodically performed.
- Renew the authorization to use for the CFPB’s governance, risk and compliance tool.
- Implement a process that ensures the cyber risk information in the CFPB’s governance, risk and compliance tool is accurate and maintained.
The CFPB concurred with the recommendations and outlined plans to implement them. OIG will continue to monitor the CFPB’s progress in addressing the recommendations, as well as three unresolved findings from prior audits.
FTC charges debt collection company and owner for alleged $7.6M debt collection scam
On November 4, the FTC took action against a debt collection business and its owner for allegedly deceiving consumers into paying over $7.6 million in fake debts. According to the FTC’s complaint, the defendants contacted consumers under a number of false names, threatening them with arrest, lawsuits, and wage garnishment if they failed to pay up. The defendants’ actions were alleged to have violated Section 5 of the FTC Act for unfair and deceptive practices, the FDCPA and Regulation F for abusive collection practices, and Section 521 of the GLBA for obtaining consumer information through false or fraudulent means. Following the grant of an ex parte restraining order against the defendant, the matter remains pending in the U.S. District Court for the Northern District of Georgia.
GOP members of Financial Services Committee pen letter on bank-fintech partnerships
On October 30, Republican congressmembers serving on the U.S. House Committee on Financial Services responded to a joint Request for Information (RFI) issued by the OCC, the Fed and the FDIC. The RFI solicited input on bank-fintech partnerships, including effective risk management practices and whether enhancements to existing supervisory guidance may be helpful in addressing risks associated with bank-fintech partnerships (as covered by InfoBytes here).
In their response, the congressmembers highlighted several benefits of bank-fintech partnerships, including offering low-cost and more accessible financial products, providing tailored financial applications, fostering competition, and increasing deposit bases for smaller community banks. They urged regulators to recognize the diversity of bank-fintech relationships and to draft regulations that address these specific relationships rather than adopting a “one-size-fits-all” approach. The congressmen also recommended that regulators collaborate closely with state authorities, who often charter and supervise fintech partner banks, and gain insights into their approaches to safety, soundness and consumer protection, “including through the creation of regulatory sandboxes at both the state and federal levels.”
The comment period for the RFI concluded recently on October 30.
Biden-Harris Administration provides update on AI accomplishments
On October 30, the White House issued a fact sheet detailing the Biden-Harris Administration’s AI accomplishments one year after signing an Executive Order (EO) on AI. As previously covered by InfoBytes, the EO outlined how the federal government could, among other things, promote AI safety and protect U.S. citizens’ rights by developing standards for safe and secure AI systems.
In the fact sheet, the White House highlighted the Administration’s actions in several categories, including managing risks to safety and security from AI; protecting civil rights as AI is used in the workplace (like healthcare, education and the housing sector); and promoting AI innovation in the private sector. As an example, HUD provided guidance on AI’s nondiscriminatory use in the housing sector, affirming that existing prohibitions against discrimination applied to AI’s use for tenant screening and housing advertisements. The fact sheet emphasized that federal agencies completed over 100 actions in response to the EO.
CFPB proposes final judgment addressing discriminatory practices in mortgage lending
On November 1, the CFPB filed a proposed stipulated final judgment and order against a nonbank retail-mortgage creditor and broker based in Chicago, which, if approved by the court, would prohibit the defendant from engaging in any acts or practices that violate the ECOA in connection with offering or providing mortgage loans. It would also require the defendant to maintain a compliance management system, provide ongoing education and training for employees, and pay a $105,000 civil money penalty. In addition, the Bureau filed a stipulation of dismissal of its claim against the defendant’s cofounder, who was added in 2020 to an amended complaint in which the CFPB alleged he was the fraudulent transferee of more than $2.4 million from the defendant.
As previously covered by InfoBytes, the CFPB initiated its action against the defendant on July 15, 2020, in the U.S. District Court for the Northern District of Illinois, alleging that the defendant violated the ECOA, Regulation B and the CFPA. The complaint focused on numerous racially disparaging comments allegedly made by the defendant owner and employees on the company’s broadcasts. Allegedly, for years, the defendant received almost no mortgage applications for properties in majority-Black neighborhoods in the Chicago-Naperville-Elgin metropolitan statistical area and few applications from Black applicants.
Defendants filed a motion to dismiss the amended complaint on February 8, 2021, which the court granted on February 3, 2023. The Bureau appealed the dismissal of the case, and on July 11 the Seventh Circuit held that the ECOA prohibits not only outright discrimination against applicants for credit but also the discouragement of prospective applicants for credit. In reversing the district court’s decision, the Seventh Circuit remanded the case for further proceedings.