InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Massachusetts reaches settlement with mortgage servicer over foreclosure practices
On August 17, the Massachusetts attorney general announced that a national mortgage servicer must pay $3.2 million to resolve allegations that its mortgage servicing, debt collection, and foreclosure practices were unfair and deceptive. According to the assurance of discontinuance, the servicer allegedly violated Massachusetts’ Act Preventing Unlawful and Unnecessary Foreclosures by not providing notice and opportunity for borrowers to apply and be reviewed for loan modifications. Among other things, the servicer also allegedly placed debt collection calls exceeding the number of calls permitted by state law, did not inform borrowers of their right to request verification of the amount of their debt, unfairly charged foreclosure-related fees prior to obtaining authority to foreclose, and failed to send required debt validation notices. While the servicer denied the allegations, it agreed to pay borrowers $2.7 million in the form of principal forgiveness on eligible loans as well as a $500,000 fine. The servicer also agreed to “make significant changes” to its business practices.
DFPI orders crypto lender to cease offering unqualified securities
On August 8, the California Department of Financial Protection and Innovation (DFPI) issued a desist and refrain order to a now-bankrupt cryptocurrency lender and its CEO after determining that the company allegedly made material misrepresentations and omissions in the offering of crypto interest accounts, particularly with respect to understating the risks of depositing digital assets with the company. According to DFPI, since June 2018, the company funded part of its lending operations and proprietary trading through the sale of unqualified securities in the form of digital asset interest-earning accounts known as “Earn Rewards” accounts. DFPI found that the company allegedly offered these accounts to consumers without first qualifying them as securities in compliance with California’s Corporate Securities Law. Additionally, DFPI contended that the company failed to fully disclose material aspects of its business and Earn Rewards accounts, and claimed that the CEO failed to disclose material aspects of the company’s business, made materially misleading statements, or omitted material facts necessary to ensure the statements were not misleading. In June, the company suspended the fulfillment of customer withdrawals from its crypto interest accounts and filed for Chapter 11 bankruptcy reorganization on July 13.
DFPI ordered the company and CEO to desist and refrain from further offers and sale of securities in California, including but not limited to the Earn Rewards accounts, unless such sale has been qualified under California law or unless the security or transaction is exempt from qualification. The company and CEO were also both ordered to desist and refrain from offering securities in California by means of untrue statements of material fact or omissions of material fact.
D.C. reaches $2.54 million settlement with online delivery company
On August 17, the Superior Court of the District of Columbia issued a consent order and judgment against an online delivery company resolving claims that it charged consumers millions of dollars in deceptive service fees. According to a press release issued by the D.C. AG, from 2016 until 2018, the company allegedly misled consumers into believing that service fees charged on their orders were tips that went to delivery workers. Instead, these fees went to the company to subsidize operating expenses. Without admitting any wrongdoing, the company agreed to pay $1.8 million to the district to go towards restitution and cover litigation costs. The company also agreed it will not seek refunds of $739,057 in previously disputed sales tax payments and will collect and remit sales tax on the total amount of the sales price it charges consumers going forward. Additionally, the company will cease making any misrepresentations about the nature of fees on consumer orders.
States sue installment lender for hidden add-on products
On August 16, a multistate lawsuit led by the Pennsylvania attorney general was filed against a subprime installment lender for allegedly charging consumers for hidden add-on products without their consent. According to the Pennsylvania AG’s press release, consumers believed they had entered into agreements to borrow and repay, over time, a fixed loan amount when allegedly the lender “added hundreds to thousands of dollars to the total amount a consumer owed.” Among other things, the complaint claimed the lender’s alleged “aggressive, high-pressure sales tactics” were “dictated by a profit-driven model,” and that its loans and aggressive sales tactics targeted the most vulnerable borrowers (often subprime and deep subprime borrowers that already carry significant credit card, installment loan, and/or student loan debt) by offering them “small dollar personal loans with high interest costs.” Additionally, the complaint contended that the lender’s corporate policies and practices resulted in employees charging consumers for add-on products they did not know about and did not consent to buy, and that employees were encouraged to perpetrate the unlawful conduct by being rewarded for maximizing add-on charges. The complaint seeks restitution, repayment of unlawfully obtained profits, civil penalties, rescission or reformation of all contracts or loan agreements between the lender and affected consumers, and injunctive relief.
California requires consumer credit contract notices to be provided in multiple languages
On August 15, the California governor signed SB 633, which expands the obligation of creditors who obtain more than one person’s signature on a consumer credit contract when providing cosigners a notice regarding their obligation if the borrower does not pay the debt. Under existing law, these notices had to be provided in English and in Spanish. A creditor who provides a consumer a contract in a foreign language will now have to provide the cosigner notice in the language in which the contract is written. In addition to expanding the languages the notice must be provided in, the required cosigner notice must be provided even if the individuals are married to each other. SB 633 also requires the California Department of Financial Protection and Innovation to provide translations of these notices on its website by January 1, 2023, along with any translations of languages later added to state law. Additionally, notice must be provided only on a separate sheet preceding the contract.
Maryland Court of Appeals says law firm collecting HOA debt is not engaged in the business of making loans
On August 11, a split Maryland Court of Appeals held that “a law firm that engages in debt collection activities on behalf of a client, including the preparation of a promissory note containing a confessed judgment clause and the filing of a confessed judgment complaint to collect a consumer debt, is not subject to the Maryland Consumer Loan Law [(MCLL)].” A putative class action challenging the law firm’s debt collection practices was filed in Maryland state court in 2018. According to the opinion, several homeowners associations and condominium regimes (collectively, “HOAs”) retained the law firm to help them draft and negotiate promissory notes memorializing repayment terms of delinquent assessments. These promissory notes, the opinion said, included confessed judgment clauses that were later used against homeowners who defaulted on their obligations. The suit was removed to federal court and was later stayed while the Maryland Court of Appeals weighed in on whether the law firm was subject to the MCLL. Loans made under the MCLL by an unlicensed entity render the loans void and unenforceable, the opinion said.
Class members claimed that the law firm is in the business of making loans and that the promissory notes are subject to the MCLL and “constitute ‘loans’ because they are an extension of credit enabling the homeowners to pay delinquent debt to the HOAs.” Because neither the law firm nor the HOAs are licensed to make loans the promissory notes are void and unenforceable, class members argued. The law firm countered that it (and the HOAs) are not obligated to be licensed because they are not lenders that “engage in the business of making loans” as provided in the MCLL.
On appeal, the majority concluded that there is no evidence that the state legislature intended to require HOAs to be licensed “in order to exercise their statutory right to collect delinquent assessments or charges, including entering into payment plans for the repayment of past-due assessments.” Moreover, in order to qualify for a license, an applicant “must demonstrate, among other things, that its ‘business will promote the convenience and advantage of the community in which the place of business will be located[]’”—criteria that does not apply to an HOA or a law firm, the opinion stated. Additionally, applying class members’ interpretation would lead to “illogical and unreasonable results that are inconsistent with common sense,” the opinion read, adding that “[t]o hold that the MCLL covers all transactions involving any small loan or extension of credit—without regard to whether the lender is ‘in the business of making loans’—would cast a broad net over businesses that are not currently licensed under the MCLL.”
The dissenting judge countered that the law firm should be subject to the MCC because to determine otherwise would allow law firms to engage in the business of making loans in the form of new extensions of credit with confessed judgment clauses and would “create a gap in the Maryland Consumer Loan Law that the General Assembly did not intend.”
DFPI enters into settlement with unlicensed point-of-sale lender
On August 3, the California Department of Financial Protection and Innovation (DFPI) announced a settlement with a Florida-based point-of-sale lender for allegedly engaging in the business of finance lending in California without obtaining a license. According to the settlement, after conducting an inquiry, DFPI determined that the company violated California Financial Code section 22100(a) “by making loans through the operation of buy now, pay later’ point-of-sale products” without obtaining a proper license. The company voluntarily agreed to the consent order, and, among other things: (i) agreed to desist and refrain from engaging in the business of a finance lender or broker in California unless/until it obtains a California Financing Law (CFL) license authorizing the company to conduct business as a finance lender or broker; (ii) must pay an administrative penalty of $2,500; and (iii) refund fees totaling $13,065. The company also agreed that it will only make loans, deferred payment products, and extensions of credit to California residents under the authority of a CFL license and in compliance with the statute.
California Privacy Protection Agency opposes federal privacy bill
On August 15, the California Privacy Protection Agency (CPPA) sent a letter to House Speaker Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) opposing H.R.8152, the American Data Privacy and Protection Act (ADPPA). The CPPA expressed concerns that the proposed legislation “could nearly eliminate” the agency’s ability to fulfill its responsibility to protect Californians’ privacy rights and claimed that the bill’s provisions are “substantively weaker” than the California Privacy Rights Act. “ADPPA represents a false choice, that the strong rights of Californians and others must be taken away to provide privacy rights federally,” the CPPA stressed in its letter. “Americans deserve, and the Agency could support, a framework that offers both: a floor of federal protections that preserves the ability of the states to continue to improve protections in response to future threats to consumer privacy.”
Last month the U.S. House Committee on Energy and Commerce voted 53-2 to send the ADPPA to the House floor with amendments that would enable the California agency to enforce the federal law (covered by InfoBytes here). However, the CPPA noted that “the language in the bill still raises significant uncertainties for the Agency were it to seek to enforce the federal measure.” Additionally, the bill, which has been revised from its initial draft (covered by a Buckley Special Alert), would preempt the current patchwork of five state privacy laws—which “would be an anomaly,” the CPPA said, given that current federal privacy laws such as the Health Information Portability and Accountability Act, the Gramm Leach Bliley Act, and the FCRA all contain language allowing states to adopt stronger protections. Pointing out that the bill’s “preemption language is especially concerning given the rate at which technology continues to advance and evolve,” the CPPA stressed the importance of states being able to build on their existing laws and allowing voters to seek out additional protections.
States stress importance of CRA modernization
On August 5, a coalition of 15 state attorneys general submitted a comment letter in support of the joint notice of proposed rulemaking (NPRM) issued by the FDIC, OCC, and Federal Reserve Board (collectively, “agencies”) regarding modernizing the Community Reinvestment Act (CRA). As previously covered by InfoBytes, the NPRM, among other things, would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. According to the letter, the NPRM is “a marked improvement over prior proposals that some of the agencies set out in the last several years.” The AGs noted that the final rule “must ensure that all members of our communities are fully served by financial institutions” and urged the agencies to continue to strengthen it. The AGs further encouraged the agencies to focus on: (i) ensuring the NPRM “vindicates CRA’s core purpose to address racial inequalities”; (ii) increasing the regulatory bar so “that banks are taking meaningful action to meet low- and moderate income (LMI) community needs; and (iii) “[l]everaging incentives to encourage affordable housing development for LMI communities without displacement.” Additionally, the AGs suggested that the NPRM “should be modified to ensure that this once-in-a-generation modernization effort gives the regulators the tools they need to carry out CRA’s imperative—that financial institutions be required to address the needs of our most vulnerable communities—in our States and across the Nation.” The AGs also noted that some states “expressed concern that the widening racial wealth gap stemming from historical redlining would be exacerbated by an uneven pandemic recovery.” Specifically, the letter stated that “two-and-a-half years into the COVID-19 crisis, the States face an affordable and accessible housing crisis, increased homelessness and housing insecurity, and historic levels of inflation that disproportionally threaten low-income communities and communities of color.” The AGs stated that CRA regulatory reform “can be a key element of addressing these problems.”
New York proposes new cybersecurity reporting requirements for financial institutions
Recently, NYDFS released proposed second amendments to New York’s Cybersecurity Regulation (23 NYCRR Part 500), which would, if adopted, require a financial institution’s senior officer or board of directors to approve the entity’s cybersecurity policy. Entities would also be required to disclose whether their directors have expertise in overseeing security risks or whether they rely on third-party cyber consultants. Among other things, the proposed amendments would require cybersecurity executives to provide directors timely alerts of significant cyber issues or events and provide annual reports to the board on cyber risks and defenses as well as on plans for remediating identified inadequacies. Additional requirements include: (i) multi-factor authentication for all privileged accounts (except for service accounts), as well as for “remote access to the network and enterprise and third-party applications from which nonpublic information is accessible”; (ii) limitations on asset and data retention management; (iii) training and monitoring of email to prevent unauthorized access; and (iv) incident response, business continuity, and disaster recovery plans.
The proposed amendments also contain provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the entity’s information system. Entities would also be directed to alert the Department within 24 hours of making a ransom payment to a hacker—similar to a ransomware payment disclosure mandate included within the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” covering critical infrastructure (covered by InfoBytes here). Within 30 days, entities would also be required to explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations including federal sanctions implications.
Comments on the proposed amendments are due August 18.
See continuing InfoBytes coverage on 23 NYCRR Part 500 here.