InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
U.S. Supreme Court rules CFPB funding structure is constitutional
On May 16, the U.S. Supreme Court ruled 7-2 that the funding structure of the CFPB was consistent with the Constitution’s appropriations clause, reversing a decision of the U.S. Court of Appeals for the Fifth Circuit that had called the Bureau’s ability to continue operating without Congressional action into question. The Supreme Court recognized that the CFPB’s funding structure was unique: Congress authorized the Bureau to draw from the Federal Reserve System instead of appropriating funds through the annual appropriations process. However, the Supreme Court found that this unique feature did have constitutional significance. The only question presented was whether the Bureau’s funding mechanism was an “Appropriatio[n] made by Law.” The Supreme Court found that the answer was yes.
Specifically, The Supreme Court held that Congress’s statutory authorization to allow the Federal Reserve System to fund the CFPB satisfied the appropriations clause since “appropriations need only identify a source of public funds and authorize the expenditure of those funds for designated purposes to satisfy the Appropriations Clause,” and both criteria were met. The Supreme Court found the trade associations’ arguments as to why the Bureau’s funding mechanism violated the appropriations clause were unpersuasive.
The CFPB’s constitutionality was challenged following the Bureau’s promulgation of a 2017 regulation on payday lending. In response to a challenge to that regulation, the District Court for the Western District of Texas granted summary judgment to the CFPB; however, the U.S. Court of Appeals for the Fifth Circuit agreed with the trade associations’ arguments and reversed the lower court’s decision, holding that the CFPB’s funding mechanism violated the appropriations clause. The Supreme Court has now reversed this decision and remanded the case back to the court of appeals.
CFPB’s credit card late fee rule stayed
On May 10, the U.S. District Court for the Northern District of Texas entered an opinion and order granting the plaintiffs, comprising several trade organization, its motion for preliminary injunction and placed a stay on the CFPB’s credit card late fee rule. As previously covered by InfoBytes, a suit was filed against the CFPB by multiple trade organizations to challenge the Bureau’s final rule to amend Regulation Z and limit most credit card late fees to $8.
The court decided not to address the plaintiffs’ arguments regarding the CARD Act, TILA, and APA violations due to the Court of Appeals for the Fifth Circuit opinion that the CFPB's funding structure was unconstitutional; therefore, any regulations promulgated by the CFPB would be unconstitutional. For that reason, due to the CFPB’s unconstitutional structure found by the 5th Circuit, the District Court decided that all factors weighed in favor of issuing a preliminary injunction and thus staying the final rule.
HUD and mortgage lender reach agreement on Montana fair lending complaint
On May 13, HUD announced an agreement with a mortgage lender to resolve allegations of Fair Housing Act violations. According to the redacted agreement, a complaint was filed with HUD last August accusing the mortgage company of engaging in housing discrimination based on race, in violation of the Fair Housing Act. The complainants claim they faced discriminatory housing terms, were denied housing, and were subject to racially discriminatory notices and advertisements. The mortgage company denied all allegations of discrimination, asserted its commitment to fair housing and equal opportunity, and agreed to a Conciliation Agreement to resolve the matter without admitting any wrongdoing or liability.
The mortgage company agreed to a $65,000 settlement and will commit to upholding its fair lending policies, ensuring applicants on Native American reservations are able to obtain residential mortgage loans without fear of discrimination based on race, color or national origin. Respondent will also contribute at least $30,000 towards initiatives designed to enhance housing conditions, financial literacy, and homeownership education for Native Americans near reservations. During the three-year term of the agreement, HUD may review compliance and conduct fair housing tests, among other oversight methods. The terms of the agreement also required the mortgage company to submit a training curriculum on its fair lending training courses for new employees and perform annual trainings with current employees; additionally, the mortgage company must submit an annual report on the mortgage company’s progress and performance in complying with the public interest provisions of the agreement. The agreement has been approved by the regional director of the Office of Fair Housing and Equal Opportunity.
CFPB to extend 1071 rule compliance deadlines
On May 17, the CFPB announced it is extending the compliance deadlines for the small business lending rule (Section 1071 of Dodd-Frank, the “1071 rule”), which will require financial institutions to collect and report data on lending to small businesses to the Bureau (covered by InfoBytes here). Following challenges to the 1071 rule in the U.S. District Court in Texas, the rule was stayed pending the Supreme Court’s decision in CFPB v. CFSA (covered by InfoBytes here). Considering the Supreme Court’s recent decision that the Bureau’s funding is constitutional and the district court’s order requiring the CFPB to extend the rule’s compliance deadlines to compensate for the period stayed, the Bureau will issue an interim final rule to extend compliance deadlines as follows:
- Tier 1 institutions (highest volume lenders): The new compliance date is July 18, 2025, and the first filing deadline is June 1, 2026.
- Tier 2 institutions (moderate volume lenders): The new compliance date is January 16, 2026, and the first filing deadline is June 1, 2027.
- Tier 3 institutions (lowest volume lenders): The new compliance date is October 18, 2026, and the first filing deadline is June 1, 2027.
Maryland enacts child consumer protection laws
On May 9, the Governor of Maryland approved SB 571 (the “Act) to provide consumer online protections for children. The Act will afford protections from online products aimed at children or that are likely accessed by children. Specifically, the Act will require companies that provide online products “reasonably likely to be access[ed] by children” to prepare a data protection impact assessment (DPIA) for the online product. The DPIA will identify the purpose of the online product, how the product uses children’s data, determine if the product would be in children’s best interests, and include a description of the compliance steps the company will have taken to comply with the duty to act in a manner consistent with the best interests of children, among other requirements. The Act outlined several violations, including against processing data not in children’s best interests, profiling children, processing geolocation, using of dark patterns, or monitoring of children’s activities without first notifying the parent/guardian. The Act will go into effect on October 1.
Maryland enshrines its consumer online data privacy act
On May 9, the Governor of Maryland approved SB 541 (the “Act”) which enacted the Maryland Online Data Privacy Act of 2024, setting forth new provisions for businesses and data processors under the state’s UDAP commercial code. The Act will prevent persons or processors from providing access to consumer health data unless contractually required, or from using a geofence within a certain distance from health or mental health facilities. The Act will enable consumers to exercise certain rights with respect to their data, including confirming use, accessing data, correcting inaccuracies, requiring deletion of data (unless protected by law), and opting out of targeted advertising or sales of one’s personal data. Consumers will also be able to designate an agent to opt-out on their behalf.
The Act will prohibit controllers from selling sensitive data and from collecting, processing, or sharing sensitive consumer data unless “the collection or processing is strictly necessary to… maintain a specific product,” among others. The Act will enable controllers to limit collection to what would be “reasonabl[y] necessary” and establish data security practices. Controllers will also be forced to provide consumers with a privacy notice that will outline their use of the data and a consumer’s rights, as well as establish a secure method for a consumer to exercise such rights. The Act will not apply to financial institutions or to consumer credit data that is protected under the FCRA. The Act will go into effect on October 1, 2025.
NIST issues updated security requirements and assessment procedures for protecting controlled unclassified information
On May 14, the National Institute of Standards and Technology (NIST) released “Revision 3” to Special Publication 800-171 (Protecting Controlled Unclassified Information on Nonfederal Systems and Organizations) and 800-171A (Assessing Security Requirements for Controlled Unclassified Information) for federal contractors and other entities that do business with the federal government and handle controlled unclassified information. The revisions were intended to create better alignment with the controls set forth in Special Publication 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations), realign controls based on new tailoring criteria, and to directly tie specific controls to the handling of controlled unclassified information. The revisions further implemented the framework set forth in Executive Order 13556 – Controlled Unclassified Information, and give the private sector more clarity by tailoring the moderate baseline for controls in Special Publication 800-53 Rev. 5 to withdraw the requirements that are, among other things, primarily the responsibility of the federal government, not directly related to the protection of controlled unclassified information, or are adequately addressed through other related controls. The updates will also allow for more specific tailoring of organizational controls to security standards, increasing flexibility. Finally, the assessment procedures in Special Publication 800-171A for determining whether a contractor or other entity would be compliant with Special Publication 800-171 was updated to align with the new revisions in Special Publication 800-171. These updates will come at a time when the Department of Defense will continue to implement the Cybersecurity Maturity Model Capability, covered by InfoBytes here.
Maryland enacts new powers for regulators to examine third parties
On May 9, the Governor of Maryland approved HB 250 (the “Act”) which will authorize the Commissioner of Financial Regulation to examine third parties that service entities under the supervision of the state’s Office of Financial Regulation (OFR). Such licensed entities include both depository and non-depository financial institutions. Currently, the OFR lacks the authority to examine third parties until the Act goes into effect. The Act will define third-party service providers as a “person who performs activities relating to financial services on behalf of a regulated entity for that regulated entity’s customers,” and include data processing centers, activities that support financial services, and internet-related services. On enforcement, the Act will authorize the OFR to enforce the law against any third party that refuses to submit to an examination, refuses to pay a fee, or engages in “unsafe or unsound” behaviors as determined by the OFR. The Act will outline several authorities of the OFR, including notifying the licensed person, which information the OFR can access, and levying fees. Following a notice and hearing, the Commissioner may issue a cease-and-desist order, suspend or revoke a violator’s license, or issue a penalty of up to $10,000 for the first violation and up to $25,000 for each subsequent violation. The Act takes effect on October 1.
Connecticut becomes latest state to ban medical debts in credit reporting
On May 9, the Governor of Connecticut approved SB 395 (the “Act”) banning health care providers from reporting medical debt to credit rating agencies. Further, the Act will prohibit hospitals and collection agents from reporting a patient to a credit rating agency, as well as initiating an action to foreclose a lien where the lien was filed to secure payment for health care (retroactive from October 1, 2022), and from garnishing wages for health care collections (also retroactive from October 1, 2022). The Act will go into effect on July 1. The CFPB wrote in favor of this bill’s enactment after the CFPB promulgated its NPRM to prohibit creditors from using medical bills in underwriting decisions, as covered by InfoBytes here.
NYDFS releases its Cybersecurity Program Template
On May 13, NYDFS issued a guidance letter informing licensed entities about its Cybersecurity Program Template. NYDFS created the Template to help individual licensees and individually owned businesses licensed by NYDFS to develop a cybersecurity program as required by its cybersecurity regulation (23 NYCRR Part 500). The Template was prepared based on the version of the NYDFS Cybersecurity Regulation in effect as of November 1, 2023 (covered by InfoBytes here). The template does not need to be submitted to NYDFS or any other state agencies for approval.