InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC releases March CRA evaluations for 19 banks
On April 1, the OCC released its Community Reinvestment Act (CRA) performance evaluations for last March. The OCC evaluated 19 national banks, federal savings associations, and insured federal branches of foreign banks with a rubric that included four possible ratings: Outstanding, Satisfactory, Needs to Improve, and Substantial Noncompliance. Of the 19 evaluations reported by the OCC, two Midwest banks received the lowest rating, which was “Needs to Improve.” Most entities were rated “Satisfactory,” and four entities were rated “Outstanding.” A full list of the bank evaluations is available here. In an OCC FAQ regarding the implementation of the CRA, the OCC detailed how it evaluated and rated financial institutions by reviewing both the institution itself (such as its capacity, constraints, business strategies, competitors, and peers) and the community the institution serves (such as its demographics, economic data, and its lending, investment, and service opportunities).
FDIC’s Consumer Compliance report outlines most frequently cited violations and observations
On March 28, the FDIC released its March 2024 version of the Consumer Compliance Supervisory Highlights from the previous year, a report that enhanced transparency regarding the FDIC’s consumer compliance supervisory activities. The FDIC reported 16 formal enforcement actions and another 16 informal enforcement actions to address consumer compliance examination findings. The report highlighted how the FDIC conducted almost 900 consumer compliance examinations. The top five most frequently cited violations of moderate severity (levels two and three out of five of supervisory concern), which represented 74 percent of the total violations, included, in order from most frequently cited to least: TILA, and its implementing regulation, Regulation Z; the Flood Disaster Protection Act (FDPA) and its implementing regulation, Part 339; EFTA, and its implementing regulation, Regulation E; TISA, and its implementing regulation, Regulation DD; and Section 5 of the FTC Act. The report noted how Section 5 of the FTC Act dropped from the second most frequently cited to the fifth.
The FDIC’s report outlined the most significant consumer compliance examination observations including the misuse of the FDIC’s logo, advertising of credit builder products, electronic fund transfer (EFT) error resolutions by third parties, mortgage broker relationships, and fair lending compliance. On the misuse of the FDIC’s logo, the FDIC found “a number of third parties” misrepresented the FDIC’s deposit insurance in violation of Section 18(a)(4) of the FDI Act. On substantiating claims in the advertising of credit builder products, the FDIC found that institutions collaborated with fintech companies on credit builder products and falsely advertised “these products would improve” one’s credit score, in violation of Section 5 of the FTC Act. On EFTs handled by third parties, the FDIC identified an issue with a security program in validating customer transactions in violation of Regulation E of EFTA. On payments for mortgage brokerage services, the FDIC found RESPA Section 8 violations involving mortgage broker relationships. On oversight of third parties, the FDIC identified issues with an institution that partnered with third-party lenders to offer unsecured consumer loans, finding the institution violated Section 39 of the FDI Act. Last and on fair lending, the FDIC found that most of the DOJ’s referral matters pertinent to discrimination related to redlining, automobile financing, and credit underwriting.
FDIC issues February enforcement action against New York bank for lack of effective third-party oversight
On March 29, the FDIC released its list of February 2024 enforcement actions, which included a consent order against a New York digital bank in which the FDIC alleged a lack of sufficient oversight of the bank’s third-party relationships. According to the consent order, the bank allegedly engaged in unsafe and unsound banking practices due to a lack of internal controls appropriate to the bank’s size and risk of its third-party relationships, and weaknesses in board oversight of asset growth and management, among other issues. The FDIC further alleged that the bank violated several laws including BSA, EFTA, and TISA.
The FDIC ordered the bank’s board to increase its oversight of the bank’s management and the bank’s financial condition commensurate with the size of the bank and the risk of its third-party relationships. Further, the FDIC ordered the board to correct or eliminate any unsafe banking practices or violations of the law. On data and systems, the FDIC ordered the bank to conduct a data and systems review and develop a written action plan to address any deficiencies or weaknesses. Notably for the bank’s third-party relationships, the FDIC ordered that the bank’s procedures, data, and systems include “clear lines of authority” responsible for monitoring bank procedures and effective risk assessments. Finally, among other things, the FDIC ordered the bank to implement look-back reviews and have its board review the bank’s program to ensure compliance with consumer-related laws.
FinCEN seeks public comment for changing SSN requirements during customer identification
On March 29, FinCEN published a request for information (RFI) and comment in the Federal Register, in consultation with the OCC, FDIC, NCUA, and the Fed, to receive more information on the Customer Identification Program (CIP) Rule requirement. This announcement extended the comment period as the regulators explored how banks can better collect a customer’s social security number (SSN). Specifically, FinCEN sought information on the “potential risks and benefits” if banks were to be allowed to collect partial SSNs from customers, and then used a “reputable” third-party source to obtain the full SSN. FinCEN noted there has been “expressed interest” in permitting this practice. Written comments must be received on or before May 28.
CFPB, FTC submit amicus brief in FCRA case
On March 29, the CFPB and the FTC filed an amicus brief in the U.S. Court of Appeals for the Eleventh Circuit, arguing that the FCRA mandated consumer reporting agencies (CRAs) when a consumer challenged the “completeness or accuracy of any item or information” in their file, must perform a “reasonable reinvestigation.”
In the underlying case, a consumer claimed she identified multiple inaccuracies in her credit report held by the defendant CRA, including issues with her name, address, and Social Security number. She allegedly contacted the defendant three times to dispute these errors, but the defendant directed her to resolve the issues with the misinformation sources and did not conduct its own reinvestigation as the consumer believed was required by the FCRA.
The consumer then filed a lawsuit against the defendant CRA for not performing the reinvestigation. The district court acknowledged that the defendant should have completed the reinvestigation under the FCRA but nonetheless concluded that the defendant did not violate the statute because it did not reasonably interpret that the FCRA did not require a reinvestigation.
The case will now be under the appeal process and the CFPB and FTC have submitted a joint amicus brief arguing that the FCRA required a CRA to reinvestigate a consumer’s dispute about personal identifying information, and that the district court correctly determined that a reinvestigation was required. The brief also argued that the district nonetheless erred in concluding that the defendant did not negligently or willfully violate the FCRA because the defendant’s interpretation of the FCRA was not “objectively reasonable.”
FTC to hold an informal hearing on its proposed “junk fee” rules
On March 27, the FTC published a notice in the Federal Register informing the public of its decision to hold an informal hearing on its proposed rule prohibiting “junk fees.” As previously covered by InfoBytes, the FTC released a notice of proposed rulemaking (“NPRM”) titled “Rule on Unfair or Deceptive Fees” and extended the comment period last October. In the NPRM, the FTC presented the opportunity for any party to present their positions orally. The FTC announced that 17 commenters requested to partake in the informal hearing by presenting oral statements and an administrative law judge for the FTC will serve as the presiding officer. The informal hearing will be presented virtually on April 24 at 10:00 a.m. Eastern time. The hearing will be presented live to the public on the FTC’s website, and a recording will be placed in the rulemaking record.
State AGs sue to block Biden's SAVE Plan for student loan forgiveness
On April 1, 10 state attorneys general filed a lawsuit in the U.S. District Court for the District of Kansas against President Biden, the Secretary of Education, and the Department of Education seeking to block the enactment of the SAVE Plan. As previously covered by InfoBytes, the SAVE Plan was an income-driven repayment plan, intended to calculate payments based on a borrower’s income and family size, rather than the loan balance, and forgave balances after several years since repayment. According to the complaint, the government released a rule for the new SAVE Plan intended to eliminate at least $156 billion in student debt as the second step in a three-part loan forgiveness initiative. The first step involved an attempt to cancel $430 billion in student loans under the HEROES Act, which the U.S. Supreme Court ruled unconstitutional in Biden v. Nebraska.
The SAVE Plan assumed $430 billion in loans would be forgiven beforehand, but after the Supreme Court's decision, the defendants allegedly did not revise the cost estimate in anticipation of overturning the case. This oversight led to a significant underestimation of the SAVE Plan's true cost; plaintiffs alleged.
Plaintiffs further claimed that the SAVE Plan was written before the Supreme Court's ruling in Biden v. Nebraska and thus included outdated statements of confidence in the defendants' authority to pursue debt relief. The rule would take effect on July 1, but defendants allegedly have already started forgiving loans for some individuals before this date. The complaint alleged that on February 21, the Department of Education forgave the debt of 153,000 borrowers, which the state attorneys general claimed violated Biden v. Nebraska.
Plaintiffs brought claims under the Administrative Procedure Act, contending that the Department of Education exceeded its authority under the Higher Education Act of 1965 by issuing the rule and that the rule would be arbitrary and capricious since defendants failed to account for the full cost of the rule.
New Hampshire enacts SB 255, a comprehensive consumer privacy bill
Recently, the Governor of New Hampshire signed SB 255 (the “Act”) making New Hampshire the 14th state to enact a comprehensive consumer privacy bill. The Act will apply to entities that engage in commercial activities within New Hampshire or target New Hampshire consumers for their products or services and that during a one-year period either: (i) control or process data of 35,000 New Hampshire consumers (except solely for purposes of completing a payment transaction); or (ii) control or process data of 10,000 New Hampshire consumers and derive more than 25 percent of their revenue from selling the data. Exemptions include entities or data subject to the Gramm-Leach-Bliley Act’s Title V, non-profit organizations, and higher education institutions. The legislation will also exempt specific types of data, such as health information that is protected under HIPAA or data subject to the FCRA. The definition of consumer is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data.
The Act will define new terms, such as "sensitive data” which could mean “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status.” “Sensitive data” also includes genetic or biometric information, data on children, and precise location details. New Hampshire will now mandate that companies obtain explicit consent from consumers before processing sensitive data.
The Act also granted consumers the following rights: the right to know, the right to correct, the right to delete, the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance, and the right to data portability. Consumers will also be protected against discrimination for exercising any of the above rights.
The Act contained controller responsibilities, including:
- Limiting the collection of personal data to what is adequate, relevant and reasonably necessary;
- not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes that were disclosed to the consumer, unless the controller obtains the consumer's consent;
- Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
- Not processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
- Providing an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, ceasing to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
- Not processing the personal data of a consumer for purposes of targeted advertising, or selling the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.
The controller also must provide a privacy notice meeting the standards set forth by the Secretary of State. Controllers must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.
The attorney general has exclusive authority to enforce the Act. Between January 1, 2025, and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure but is not required to provide such an opportunity. The Act does not include a private right of action. The Act will take effect on January 1, 2025.
CFPB sends letters of support for New York’s pending unfair and abusive conduct prohibition
On March 19, the CFPB published a blog post providing input on New York State’s proposed prohibition on unfair and abusive acts, urging passage of A 7138 and S 795, companion bills that are titled the “Consumer and Small business Protection Act” (the “Acts”). The blog post followed the CFPB’s delivery of letters in support of the Act to Governor Hochul, state senators, and state assembly members.
The Acts would expand Section 349 of New York’s general business law to prohibit unfair or abusive acts or practices, in addition to the existing prohibition on deceptive acts or practices. The Acts would also give the New York attorney general authority to bring an action for unfair, unlawful, deceptive, or abusive acts or practices, “regardless of whether or not the underlying violation is directed at individuals or businesses, is consumer-oriented, or involves the offering of goods, services, or property for personal, family or household purposes,” and would give “any person who has been injured by reason of any violation of this section” authority to bring “an action to recover one thousand dollars and his or her actual damages, if any, or both such actions, … regardless of whether or not the underlying violation is consumer-oriented, has a public impact or involves the offering of goods, services or property for personal, family or household purposes.”
The Acts defined an act or practice as unfair “when it causes or is likely to cause substantial injury, the injury is not reasonably avoidable, and the injury is not outweighed by countervailing benefits.” They provided that an “act or practice is deceptive when the act or practice misleads or is likely to mislead a person and the person’s interpretation is reasonable under the circumstances,” and that an act or practice is abusive when “it materially interferes with the ability of a person to understand a term or condition of a product or service,” or “takes unreasonable advantage of: (A) a person’s lack of understanding of the material risks, costs, or conditions of a product or service; (B) a person’s inability to protect his or her interests in selecting or using a product or service; or (C) a person’s reasonable reliance on a person covered by this section to act in his or her interests.” The Bureau’s letters to the state governor and legislature noted that the “reasonable reliance” component of the Acts is “critical,” and like the federal prohibition that “recognizes that people often reasonably expect that certain businesses will help them make difficult financial decisions, and there is potential for betrayal or exploitation of that trust.” The CFPB also mentioned that it has brought numerous actions based on that particular component.
The Acts provided that “standing to bring an action under this section, including but not limited to organizational standing and third-party standing, shall be liberally construed and shall be available to the fullest extent otherwise permitted by law.” Further, “[a]ny individual or non-profit organization entitled to bring an action” under the Acts “may, if the prohibited act or practice has caused damage to others similarly situated, bring an action on behalf of himself or herself and such others to recover actual, statutory and/or punitive damages or obtain other relief as provided for in” the Acts. A nonprofit also may bring an action on behalf of itself, its members, or members of the public that have been injured by a violation of the Acts. Nonprofits may seek the same remedies and damages as individuals.
Wisconsin enacts SB 628 to protect vulnerable adults
On March 22, the Governor of Wisconsin signed SB 628 (the “Act”), which “allows financial service providers to refuse or delay financial transactions when financial exploitation of a vulnerable adult is suspected.”
The Act would authorize financial service providers to refuse or postpone financial transactions on accounts held by or benefiting a vulnerable adult—a term defined as “an adult at risk or an individual who is at least 65 years of age”—if there is a reasonable suspicion of financial exploitation. The Act would not mandate covered financial service providers, which included financial institutions, mortgage bankers, brokers, and loan originators, among others, to take such action. Additionally, financial service providers were allowed, but not obligated, to act on information from elder-adult-at-risk agencies, adult-at-risk agencies, or law enforcement regarding potential financial exploitation. The Act mandated that financial service providers give notice when transactions are refused or delayed and defined the time limits for such actions. It also permitted financial service providers to refuse to accept a power of attorney if financial exploitation is suspected. Moreover, the Act outlined a procedure for financial service providers to compile a list of contacts that a vulnerable adult authorizes, which can be used if exploitation is suspected, and authorized the financial service provider to share its suspicions with designated individuals, including those on the list. Financial service providers acting in good faith would be granted immunity from any criminal, civil, or administrative liability for actions such as (i) refusing or not refusing a financial transaction; (ii) refusing to accept or accepting a power of attorney; (iii) contacting or not contacting a person to convey suspicion of financial exploitation; and (iv) any action based on a reasonable determination related to these measures. The Act went into effect on March 23.