InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Utah enshrines two acts to create cybersecurity notification guidelines
On March 19, Utah enacted SB 98 which amended the state’s online data security and privacy requirements. SB 98 will include new protocols that individuals and governmental entities must follow under its data breach reporting requirements. SB 98 will require individuals and governmental entities to provide specific information about the breach, including, among other things: (i) when the data breach occurred; (ii) when the data breach was discovered; (iii) the total number of individuals affected by the breach, with a separate count for Utah residents; (iv) the type of personal data involved; (v) a brief description of the data breach; and only for government entities (vi) the path of means by which access was granted to the system if known; (vii) the individual or entity who perpetrated the breach if known; and (viii) the actions taken by the governmental entity to mitigate the effects of the breach. Additionally, the Cyber Center will be tasked with assisting the governmental entity in responding to breaches. This assistance may include: (a) conducting or participating in an internal investigation; (b) assisting law enforcement with their investigation if necessary; (c) determining the scope of the data breach; (d) helping the entity to restore the integrity of the compromised system; and (e) providing any other necessary support in response to the breach.
On that same day, the governor also signed into law HB 491 which enacted the Government Data Privacy Act. Similarly, the bill will describe the duties of state government agencies related to personal data privacy, including breach notification requirements, limits on data collection and use, and the ability to correct and access personal data. On structure, the bill created the Utah Privacy Governing Board to recommend changes in the state privacy policy, established the Office of Data Privacy to coordinate implementation of privacy protections, and named the Personal Privacy Oversight Commission to the Utah Privacy Commission and amended the commission’s duties. Both SB 98 and HB 491 will go into effect on May 1.
5th Circuit reverses judgment in FDCPA case
Recently, the U.S. Court of Appeals for the Fifth Circuit ordered an FDCPA case to be reversed and remanded after the U.S. District Court for the Eastern District of Louisiana granted a motion for summary judgment. The plaintiffs filed a putative class action alleging that the defendant law firm violated the FDCPA for misrepresenting judicial enforceability of a debt in their dunning letters. The case concerned Congress’s “Road Home” grant program, which was created to provide grants to repair and rebuild homes in the aftermath of Hurricanes Katrina and Rita. All Road Home grant recipients were required to disclose repair benefits previously received. The named plaintiffs in this case applied for and received Road Home grants but failed to disclose repair benefits previously received from FEMA or a privacy insurance carrier. In March 2008, the State’s contractor, ICF, noticed the potential double payments to the two named plaintiffs and placed an internal flag on their accounts in the Road Home database. After a decade, the defendant law firm was engaged to help recover these double payments. The defendants sent a dunning letter demanding repayment in 90 days or the defendants “may proceed with further action against you, including legal action.” The dunning letter further stated that “you may be responsible for legal interest from judicial demand, court costs, and attorneys fees if it is necessary to bring legal action against you.” The plaintiffs filed suit under Section 1692e of the FDCPA and, in an amended complaint, alleged the defendants collected or attempted to collect time-barred debts, failed to itemize the alleged debts, and threatened to assess attorneys’ fees without determining if that right existed. The district court granted summary judgment to the defendants.
The 5th Circuit reversed on appeal. Concerning the first allegation of collecting or attempting to collect a time-barred debt, the court reasoned that while it does not violate the FDCPA to collect on a time-barred debt, a debt-collector “can run afoul of the FDCPA by threatening judicial action while completely failing to mention that a limitations period might affect judicial enforceability.” Further, the appellate court found the dunning letters were “untimely even under the most liberal, 10-year time window” as the plaintiffs breached their agreements when they closed on their Road Home grants or when the State of Louisiana was provided actual notice of the alleged duplicative payments, both of which occurred more than 10 years before the dunning letters were received. The court also found that the defendants mischaracterized one plaintiff’s debt as the dunning letter said the amount owed was for insurance proceeds when it included a 30 percent penalty for lack of flood insurance. Finally, the court explained that because there was no lawful basis to recover attorneys fees, the defendants violated the FDCPA.
OCC’s Hsu discusses bank fairness and effective compliance risk management
On March 25, the Acting Comptroller of the Currency, Michael J. Hsu, released a transcript of a speech on fairness and effective compliance risk management in banking, delivered at a banking association meeting. The speech focused on how bank fairness can be used as a “guide and input to effective compliance risk management,” and how Hsu believed banks could develop more fairness in banking. Hsu noted that deploying more resources and adopting modern technologies will be only part of the challenge in improving a bank’s compliance risk programs; the other part of the challenge is “adapting and anticipating” where compliance risks could arise.
While speaking on the challenges of bank consumer compliance, Hsu discussed rapid changes in product offerings, such as the growth of credit cards, BNPL products, and Earned Wage Access. Hsu discussed how the increase in the digitalization of banking has aligned with third-party arrangements, fraud, and cyber risks in finance. On fairness, Hsu discussed the increased prevalence of overdraft charges and how a “well developed sense of fairness” can guide banks in connection with such areas. Hsu stated that fairness is not unidimensional, and when a bank develops an internal sense of fairness, it should be aware of how multiple notions of fairness interact. For example, he noted that “disparate treatment and disparate impact” provide the foundations for fair lending laws, and to comply with fair lending laws, a bank must mitigate both disparities.
FDIC opens comment period on proposed Statement of Policy regarding bank merger transactions, highlights “added scrutiny” for $100+ billion mergers
On March 21, the FDIC issued a request for comment on its proposed Statement of Policy (SOP) on bank merger transactions, which will aim to update, strengthen, and clarify the FDIC’s approach to bank merger evaluation. The proposed SOP does note that transactions in excess of $100 billion are more likely to present financial stability concerns and will be “subject to added scrutiny.” The new SOP will replace the FDIC’s current SOP on its responsibilities under the Bank Merger Act (BMA) or Section 18(c) of the FDI Act. Both the heads of the CFPB and OCC issued statements on this review, with the Acting Comptroller of the Currency offering his explicit support.
Broadly speaking, the proposed SOP aims to make the process more principles based, communicate the FDIC’s expectations in its evaluation of merger applications, and describe which merger transactions are under the FDIC’s domain. The proposed SOP will include separate discussions for each statutory factor as set forth in the BMA, including the effects on competition, financial resources, future prospects, CRA, financial and banking stability risk, and AML considerations. Further, this will not be an exhaustive list, as the FDIC will claim jurisdiction over any other elements that could present a risk to financial stability. Of note, the proposed SOP will not include any “bright lines or specific metrics” on what transaction would be considered anti-competitive, as the FDIC wishes to maintain its flexibility to appropriately evaluate the circumstances of each merger application.
This new comment period will begin after the FDIC reviewed 33 comment letters received during the previous comment period, about three-fourths of which were in favor of at least some changes to the FDIC’s merger review process. Six commenters were against such changes and two commenters were neither in favor of nor against the changes. The comments against argued that the current framework was “sound,” and any revisions could harm the sector by making the bank merger process more difficult and disproportionally impacting community, mid-size, and regional banks. Comments must be received by 60 days from the date of the SOP’s publication in the Federal Register.
OCC releases Q4 report on first-lien mortgage performance
On March 19, the OCC released a report on the performance of first-lien mortgages in the federal banking system during the fourth quarter of 2023. According to the report, 97.2 percent of mortgages included in the report were current and performing at the end of the quarter, which is a slight improvement from the fourth quarter of 2022, but also a minor decline from the third quarter of 2023. The report also shows
- a rise in the percentage of seriously delinquent mortgages compared to the previous quarter (1.2 percent in the fourth quarter compared to 1.1 percent in the third quarter), but this percentage has trended down since the fourth quarter of 2021 (when it was 2.3 percent);
- a decline in new foreclosures, with 8,320 new foreclosures in the fourth quarter of 2023, compared to 8,965 new foreclosures the previous quarter and a high of 19,524 new foreclosures in the first quarter of 2022;
- finalization of 7,382 loan modifications, which was less than the 7,436 modifications completed in the prior quarter. Eighty-seven percent of the modifications were “combination modifications,” which are modifications that incorporate more than one type of modification action to improve the loan’s affordability, such as an interest rate reduction and a loan term extension.
First-lien mortgages account for 22.2 percent of the total outstanding residential mortgage debt in the country, representing approximately 11.7 million loans with a combined principal balance of $2.9 trillion.
Agencies extend applicability date of certain provisions of their Community Reinvestment Act final rule
On March 21, the FDIC, Fed, and OCC jointly issued an interim final rule to extend the applicability date of certain provisions of the Community Reinvestment Act (CRA) final rule and requested comments on the extension. As previously covered by InfoBytes, the final rule was intended to modernize how banks comply with the CRA, a law that encouraged banks to help meet the credit needs of low- and moderate-income communities.
Stated “[t]o promote clarity and consistency,” the agencies have postponed the applicability date of the facility-based assessment areas and public file provisions from April 1, 2024, to January 1, 2026. As a result, banks would not be required to modify their assessment areas or public files in response to the final rule until the new 2026 date. This extension would put these elements on the same timeline as other components of the 2023 CRA final rule that also would take effect on January 1, 2026, including the performance tests and geographic area provisions.
The agencies also made technical, non-substantive updates to the CRA final rule and related agency regulations that reference it. One of these technical adjustments specified that banks are not required to update their public CRA Notices until January 1, 2026. Public comments on the postponed implementation date must be received 45 days following the rule's publication in the Federal Register.
CFPB submits brief alleging “forum shopping,” banking groups defend their choice of venue
On March 12, the CFPB submitted a brief to the U.S. District Court for the Northern District of Texas in opposition to a motion for preliminary injunction filed by a group of industry associations, urging the court to block the implementation of a new rule that would limit the ability of large credit card issuers to charge late fees (covered by InfoBytes here).
The CFPB defended the rule by stating that it has considered all relevant factors and that the rule aimed to prevent credit card issuers from charging excessive late fees. The CFPB also argued that the case is not properly situated, as the plaintiffs lack a significant connection to the district in which they filed the lawsuit and do not have the standing to sue on behalf of others, stating “it seems not one large card issuer wants its name on the marquee… [t]he rule applies to only the largest card issuers—approximately 30–35 total entities nationwide. Plaintiffs have not identified a single one that is based in this District.” The CFPB suggested that plaintiffs have engaged in “forum shopping”—i.e., choosing this court because they believe it will be more favorable to their case, despite a lack of substantial connection to the district. The brief stated that the plaintiffs are unlikely to succeed on the merits of their claims under the Administrative Procedure Act because they failed to establish proper venue and associational standing. Additionally, the CFPB argued that an injunction was not warranted because the rule was designed to protect consumers and that preventing its implementation would be against the public interest.
On March 13, plaintiffs submitted a brief defending its motion for preliminary injunction and their choice of venue in Texas as part of an ongoing suit against the CFPB. The brief stated that according to law, the venue was appropriate if one plaintiff resided in the district, which applied to one of the Texas-based chamber plaintiffs, and if a significant portion of the related events occurred in the district, which is true as the rule impacted the local area. That plaintiff argued they have standing to sue because the issues are relevant to its “mission of cultivating a ‘thriving business climate in the Fort Worth region’” and its trade members included credit card issuers affected by the rule. Despite the CFPB’s counterarguments that the plaintiff lacked standing and that a transactional venue was not applicable, the plaintiff asserted it represented members that would be directly impacted by the rule, fulfilling the requirements for standing. Additionally, plaintiff contended that the rule's effects within the district justify the court's jurisdiction over the case.
Senator Romney et al. pen letter confirming nonbank lending regulations, specifically on the ILC charter
On March 13, Senator Mitt Romney (R-UT) with 11 other senators penned a brief letter to the heads of the FDIC, OCC, and CFPB that supported the FDIC’s regulation of the industrial loan company (ILC) charter but expressed concerns about delay in processing ILC charter applications. According to the letter, ILCs provide “critical access to credit opportunities within the regulated banking sector.” The letter stated the senators “strongly oppose” regulatory actions against lawful ILC charter applications that may further delay FDIC review and decision-making.
Indiana enacts HB 1284 regarding change in terms for deposit accounts
On March 12, the Governor of Indiana signed HB 1284 which codified a new chapter regarding a contract for a deposit account between a depository institution and a consumer may be changed occasionally, subject to the terms of the deposit account agreement. The bill will provide that after continued use of the deposit account by the consumer after a modification to the agreement has been disclosed through written notice by the depository institution, then it will be considered clear or “prima facie” evidence that the consumer will accept the new terms. The depository institution must provide written notice of the changes at least 30 days before the effective date of any change to the deposit account agreement. The bill will go into effect on July 1.
Bank regulators respond to bankers’ motion to enjoin CRA final rule
On March 8, the Fed, OCC, and FDIC (the federal banking agencies, or “FBAs”) submitted a brief opposing the plaintiffs’ motion for a preliminary injunction to stop the CRA final rule from going into effect. As previously covered by InfoBytes, a group of trade, banking, and business associations filed a class-action complaint for injunctive relief against the bank regulators’ enforcement of the final rule to implement the CRA before it goes into effect on April 1. The FBAs assert that, in opposing the final rule, the plaintiffs are asking the court to “graft” two exclusions from the CRA’s purpose that are not actually in the statute: first, to exclude geographic areas where a bank conducts retail lending from the scope of the bank’s “entire community”; and second, to exclude a bank’s deposit activities from the assessment on whether a bank is meeting its entire community’s “credit needs.” The banking regulators also argued that the plaintiffs’ motion for preliminary relief should fail because the plaintiffs cannot show irreparable harm, in that they have failed to demonstrate that costs to comply with the CRA final rule, which would not apply until 2026 and 2027, were significant when considered in the context of the bank’s overall finances. Finally, the FBAs argued that the public interest and balance of equities favor allowing the final rule to proceed, as, among other factors, “the rule provides significant regulatory relief and lower compliance costs for smaller institutions by increasing the asset size thresholds that determine which performance tests apply to an institution.”