InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Colorado finalizes privacy rules
On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by the attorney general’s office. (See redline version of the final rules showing changes made to address concerns raised through public comments here.) As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. In addition to promulgating rules to carry out the requirements of the CPA, the attorney general has authority to issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. Colorado is one of several states that have enacted comprehensive privacy laws that take effect in 2023, joining California, Connecticut, Utah, and Virginia. (Covered by InfoBytes here, here, here, and here.) The final rules will be published in the Colorado Register in March and will go into effect July 1.
Real estate brokerage firm settles claims of discriminatory practices
On March 15, the New York attorney general announced a settlement with a real estate brokerage firm to resolve claims that it allegedly discriminated against Black, Hispanic, and other homebuyers of color on Long Island. According to the announcement, the Office of the Attorney General commenced investigations into several brokerage firms, in which it found that agents employed by the brokerage firm at issue violated the Fair Housing Act and New York state law when they allegedly “subjected prospective homebuyers of color to different requirements than white homebuyers, directed homebuyers of color to homes in neighborhoods where residents predominantly belonged to communities of color, and otherwise engaged in biased behavior.” In certain instances, agents allegedly disparaged neighborhoods of color and “warned white potential homebuyers about the diverse racial makeup of the neighborhood but did not share the same comments with Black and Hispanic potential homebuyers.”
Under the terms of the assurance of discontinuance, the brokerage firm agreed to stop the alleged conduct, will offer comprehensive fair housing training to all agents, and will provide a discrimination complaint form on its website. The brokerage firm will also pay $20,000 in penalties and $10,000 to Suffolk County to promote enforcement and compliance with fair housing laws. This is the fourth action taken by the AG’s office against real estate brokerage firms in the state. As previously covered by InfoBytes, last August three Long Island real estate brokerage firms entered settlements to resolve claims of discriminatory practices.
9th Circuit: Law firm did not violate FCRA by accessing credit report
On March 17, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s grant of summary judgment in favor of a defendant law firm that allegedly accessed a plaintiff’s credit report to obtain her current address after it was hired to collect unpaid homeowner association (HOA) assessments. The plaintiff filed a class action lawsuit claiming, among other things, that the defendant violated the FCRA by accessing her credit report without her consent and that neither the HOA nor the defendant are creditors within the meaning of the FCRA. The district court disagreed, concluding that the HOA was in fact a creditor for purposes of the FCRA. “Under the [a]greement, the HOA determines the assessment amount for a full year and then makes it payable in installments over the course of the year. Thus, it regularly extends credit,” the district court wrote, explaining that because the HOA is a creditor, its attorneys, in collecting on the account, have the right to review a consumer’s credit report without consent. Moreover, the district court determined that the defendant had established the requisite “direct link” between the credit transaction and its request for the plaintiff’s credit report.
The 9th Circuit concluded that the “[d]efendant’s reading of the statute was not objectively unreasonable” because the plaintiff “had a grace period during which she could receive half a month’s services that she had not yet paid for,” which “could be considered an extension of credit.” While concurring with the panel, one of the judges commented, however, that “[i]t is hard to imagine that Congress intended FCRA, a statute that protects consumer privacy, to empower HOAs composed of neighboring homeowners to run their neighbors’ credit reports if homeowners fall two weeks behind in their payments.” The judge recommended that the appellate court “revisit the issue,” noting that it is unclear under current case law whether an HOA assessment qualifies as a “credit transaction” under the FCRA.
OCC releases enforcement actions
On March 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against a New York-based bank for allegedly engaging in unsafe or unsound practices related to its information technology security and controls, as well as its information technology risk governance and board of director/management oversight of its corporate risk governance processes. The OCC also found alleged deficiencies (including unsafe or unsound practices) in the bank’s Bank Secrecy Act (BSA)/anti-money laundering risk management controls in the following areas: “internal controls, BSA officer, customer identification program, customer due diligence, enhanced due diligence, [] beneficial ownership,” and suspicious activity monitoring and reporting. The order requires the bank to, among other things, maintain a compliance committee, develop a corporate governance program to ensure appropriate board oversight, establish a written strategic plan and conduct an internal audit to assess the sufficiency of the bank’s internal controls program, implement information technology governance and security programs, and adopt an automated clearing house risk management program. The bank is also required to appoint a BSA officer to ensure adherence to the bank’s BSA/AML internal controls, conduct a suspicious activity review lookback, implement a customer information program that is reasonably designed to identify and verify beneficial owners of legal entity customers, and develop and adopt a BSA/AML model risk management process.
CFPB updates card survey to improve comparison shopping
On March 21, the CFPB announced updates to its terms of credit card plans (TCCP) survey. The updates are intended to “create a neutral data source” to help consumers comparison shop for credit cards and “find the best interest rates and products,” the Bureau explained. Previously, credit card data was compiled and made publicly available from the largest 25 issuers, as well as from a sample of at least 125 other issuers (as required by the Fair Credit and Charge Chard Disclosure Act of 1988). The refreshed TCCP survey will now allow issuers to voluntarily submit information about their credit card products to enable smaller credit card issuers to reach comparison shoppers and compete with bigger players. The TCCP survey will also include additional questions about credit card annual percentage rates, and will require issuers to report the minimum and maximum APR offered if it varies by credit score. According to the Bureau, allowing consumers to see the median APR for their credit score range will help them better compare products and estimate the potential cost of borrowing before applying. Additionally, the top 25 credit card issuers will have to provide information on all their credit cards instead of just their most popular products. Other issuers will be permitted to voluntarily submit information on multiple products. Expanded information reporting requirements include providing details on whether a product is a secured card or if it requires a deposit to open an account, as well as information about promotional terms of balance transfers, introductory rates, and cash advances.
HUD restores 2013 discriminatory effects rule
On March 17, HUD announced the submission of a final rule—Reinstatement of HUD’s Discriminatory Effects Standard—which would rescind the agency’s 2020 regulation governing Fair Housing Act (FHA or the Act) disparate impact claims and reinstate the agency’s 2013 discriminatory effects rule. Explaining that “the 2013 rule is more consistent with how the [FHA] has been applied in the courts and in front of the agency for more than 50 years,” HUD emphasized that it also “more effectively implements the Act’s broad remedial purpose of eliminating unnecessary discriminatory practices from the housing market.”
As previously covered by InfoBytes, in 2021, HUD proposed rescinding the 2020 rule, which was intended to align the 2013 rule with the U.S. Supreme Court’s 2015 ruling in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc. The 2020 rule included, among other things, a modification of the three-step burden-shifting framework in its 2013 rule, several new elements that plaintiffs must show to establish that a policy or practice has a “discriminatory effect,” and specific defenses that defendants can assert to refute disparate impact claims. According to HUD’s recent announcement, the modifications contained within the 2020 rule complicated the discriminatory effects framework, created challenges for establishing whether a policy violates the FHA, and made it harder for entities regulated by the Act to assess whether their policies were lawful.
The final rule is effective 30 days after publication in the Federal Register. According to HUD, the 2020 rule never went into effect due to a preliminary injunction issued by the U.S. District Court for the District of Massachusetts, and the 2013 rule has been and currently is in effect. Regulated entities that have been complying with the 2013 rule will not need to change any practices currently in place to comply with the final rule, HUD said.
CFPB updates agency contact information
On March 20, the CFPB published a final rule in the Federal Register to make non-substantive technical corrections and updates to Bureau and other federal agency contact information found within Regulations B, E, F, J, V, X, Z and DD, including federal agency contact information that is required to be provided with ECOA adverse action notices and the FCRA Summary of Consumer Rights (available here). Additionally, the final rule “revises the chapter heading, makes various non-substantive changes to Regulations B and V, and provides a Bureau website address where the public may access certain APR tables referenced in Regulation Z.” The final rule is effective April 19, although the Bureau noted that the mandatory compliance date for the amendments to appendix A to Regulation B, appendix A to Regulation J, and appendix K to Regulation V is March 20, 2024.
FCC regulations target scam robotexts
On March 16, the FCC adopted its first regulations specifically targeting scam text messages sent to consumers. Recognizing that robotexts are generally covered under the TCPA’s limits against unwanted calls to mobile phones, the FCC stated that the new regulations will require mobile service providers to block certain robotexts that appear to be coming from phone numbers that are unlikely to transmit text messages, including invalid, unallocated, or unused numbers, as well as “numbers that the subscriber to the number has self-identified as never sending text messages, and numbers that government agencies and other well-known entities identify as not used for texting.” Mobile service providers will also be required “to establish a point of contact for text senders, or have providers require their aggregator partners or blocking contractors to establish such a point of contact, which senders can use to inquire about blocked texts.”
The FCC’s report and order also include a further notice of proposed rulemaking, which seeks to implement additional protections to further prevent illegal text messages. The proposal would “require terminating providers to block texts from a sender after they are on notice from the Commission that the sender is sending illegal texts, to extend the National Do-Not-Call Registry’s protections to text messages, and to ban the practice of marketers purporting to have written consent for numerous parties to contact a consumer, based on one consent.”
Comments are due 30 days after publication in the Federal Register.
FFIEC releases 2022 HMDA data
On March 20, the CFPB announced the release of the 2022 HMDA modified loan application register (LAR) data. The LAR data, available on the Federal Financial Institutions Examination Council’s HMDA platform, contains modified loan-level information on approximately 4,394 HMDA filers. The Bureau also announced plans to produce the 2022 HMDA data “in other forms to provide users insights into the data,” including through a nationwide loan-level dataset, which will provide all publicly available data from all HMDA reporters, as well as aggregate and disclosure reports with summary information by geography and lender, to allow users the ability to create custom datasets and reports. The Bureau also said it plans to publish a Data Point article highlighting key trends in the annual HMDA data.
Banking company pleads guilty to mortgage fraud
On March 15, a Michigan-headquartered bank holding company agreed to plead guilty to securities fraud for filing misleading statements related to its 2017 initial public offering (IPO) and its 2018 and 2019 annual filings. According to the DOJ’s announcement, the bank holding company and its wholly owned subsidiary were under investigation over allegations that loan officers were encouraged to increase the volume of residential mortgage loan originations in order to artificially inflate bank revenue leading up to and following the IPO. The DOJ explained that the bank filed false securities statements about its residential mortgage loan program in its IPO, as well as in subsequent annual filings that “contained materially false and misleading statements that touted the soundness of the [] loans.” These loans were actually “rife with fraud,” the DOJ said and cost non-insider victim-shareholders nearly $70 million. Senior management allegedly knew that loan officers were falsifying loan documents and concealing the fraudulent information from the bank’s underwriting and quality control departments, the DOJ maintained, noting that the actions caused the bank to originate loans and extend credit to borrowers who would have otherwise not qualified.
Under the terms of the plea agreement (which must be accepted by the court), the bank holding company will “be required to serve a term of probation through 2026, submit to enhanced reporting obligations to the department, and pay more than $27.2 million in restitution to its non-insider victim-shareholders.” The DOJ considered several factors when determining the criminal resolution, including the nature and seriousness of the offense and the pervasiveness of the misconduct at the most senior levels. The bank holding company received credit for its cooperation and for implementing extensive remedial measures, and has agreed to continue to fully cooperate with the DOJ in all matters relating to the covered conducts and other conduct under investigation. It is also required to self-report criminal violations and must continue to implement a compliance and ethics program to detect and deter future violations of U.S. securities law.
As previously covered by InfoBytes, the bank holding company’s subsidiary paid a $6 million civil money penalty to the OCC last September for alleged unsafe or unsound practices related to the residential mortgage loan program.