InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB proposal targets late fees on cards
On February 1, the CFPB issued a notice of proposed rulemaking (NPRM) to amend Regulation Z, which implements TILA, and its commentary to better ensure that late fees charged on credit card accounts are “reasonable and proportional” to the late payment as required under the statute, the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act). The NPRM would (i) adjust the safe harbor dollar amount for late fees to $8 for any missed payment—issuers are currently able to charge late fees of up to $41—and eliminate a higher safe harbor dollar amount for late fees for subsequent violations of the same type (a company would be able to charge above the immunity provision provided it could prove the higher fee is necessary to cover the incurred collection costs); (ii) eliminate the automatic annual inflation adjustment for the immunity provision amount (the Bureau would instead monitor market conditions and make adjustments as necessary); and (iii) cap late fees at 25 percent of the consumer’s required minimum payment (issuers are currently able to potentially charge a late fee that is 100 percent of the cardholder’s minimum payment owed).
The NPRM also seeks feedback on other possible changes to the CARD Act regulations, including “whether the proposed changes should apply to all credit card penalty fees, whether the immunity provision should be eliminated altogether, whether consumers should be granted a 15-day courtesy period, after the due date, before late fees can be assessed, and whether issuers should be required to offer autopay in order to make use of the immunity provision.” Comments on the NPRM are due by April 3, or 30 days after publication in the Federal Register, whichever is later.
According to the CFPB, the Federal Reserve Board “created the immunity provisions to allow credit card companies to avoid scrutiny of whether their late fees met the reasonable and proportional standard.” As a result, the CFPB stated that immunity provisions have risen (due to inflation) to $30 for an initial late payment and $41 for subsequent late payments, resulting in consumers being charged approximately $12 billion in late fees in 2020. Based on CFPB estimates, the NPRM could reduce late fees by as much as $9 billion per year. CFPB Director Rohit Chopra issued a statement commenting that the current immunity provisions are not what Congress intended when it passed the CARD Act.
The Bureau also released an unofficial, informal redline of the NPRM to help stakeholders review the proposed changes, as well as a report titled Credit Card Late Fees: Revenue and Collection Costs at Large Bank Holding Companies, which documents findings on the relationship between late fee revenue and pre-charge-off collection costs for certain large credit card issuers. According to the report, “revenue from late fees has consistently far exceeded pre-charge-off collection costs over the last several years.”
The NPRM follows several actions initiated by the Bureau last year, including a request for comments on junk fees, a research report analyzing credit card late fees, and an advance notice of proposed rulemaking that solicited information from credit card issuers, consumer groups, and the public regarding credit card late fees and late payments, and card issuers’ revenue and expenses (previously covered by InfoBytes here and here).
Senators exploring bank’s dealings with collapsed crypto exchange
On January 30, Senators Elizabeth Warren (D-MA), John Kennedy (R-LA), and Roger Marshall (R-KS) sent a follow-up letter to a California-based bank asking for additional responses to questions related to the bank’s relationship with several cryptocurrency firms founded by the CEO of a now-collapsed crypto exchange. As previously covered by InfoBytes, the senators pressed the CEO for an explanation for why the bank failed to monitor for and report suspicious transactions to the Financial Crimes Enforcement Network, and asked for information about how deposits it was holding on behalf of the collapsed exchange and related firm were being handled. The senators stressed that the bank has a legal responsibility under the Bank Secrecy Act to maintain an effective anti-money laundering program that may have flagged suspicious activity.
In the letter, the senators accused the bank of evading their previous questions in its December response, writing that while the bank’s answers confirm the extent of its failure to monitor and report suspicious financial activity, it failed “to provide key information needed by Congress to understand why and how these failures occurred.” The bank’s “repeated reference to ‘confidential supervisory information’” as a justification for its refusal to provide the requested information “is simply not an acceptable rationale,” the senators said. They also noted that the bank’s recent advance from the Federal Home Loan Bank of San Francisco—intended “to ‘stave off a further run on deposits’”—has introduced additional crypto market risks into the traditional banking system, especially should the bank fail. The bank was asked to explain how it plans to use the $4.3 billion it received.
The senators further commented that additional findings have revealed that neither the Federal Reserve nor the bank’s independent auditors were able to identify the “extraordinary gaps” in the bank’s due diligence process. The senators asked the bank to provide responses to questions related to its risk management policies, as well as how many safety and soundness exams were conducted, and whether any of the bank’s executives were “held accountable” for the failures related to the collapsed exchange, among other things.
Biden administration presents roadmap for mitigating crypto risks
On January 27, the Biden administration presented a roadmap for mitigating cryptocurrency risks to ensure that cryptocurrencies do not undermine financial stability, investors are protected, and bad actors are held accountable. At President Biden’s direction, the administration previously laid out a comprehensive framework for developing digital assets in a safe, responsible way that also identifies clear risks. (Covered by InfoBytes here.) The administration identified clear risks taken by some crypto entities, such as ignoring applicable financial regulations and basic risk controls, misleading consumers, having conflicts of interest, failing to provide adequate disclosures, or committing fraud. The roadmap also outlined actions taken by the federal banking agencies, including a recently issued joint interagency statement that highlighted key risks banks should consider when choosing to engage in crypto-related services and a notice of proposed rulemaking issued by the FDIC warning companies against making false or misleading claims about digital assets being insured by the agency (covered by InfoBytes here and here). The administration also noted that agencies across the government are developing public-awareness programs to help consumers understand the risks associated with digital assets.
The administration stressed, however, that further action is needed. Priorities for digital asset research and development will be unveiled in the coming months, the administration said, adding that Congress should also step up efforts in this space. This includes expanding regulators’ powers to prevent misuses of customers’ assets, “strengthen[ing] transparency and disclosure requirements for cryptocurrency companies so that investors can make more informed decisions about financial and environmental risks,” “strengthen[ing] penalties for violating illicit-finance rules and subject cryptocurrency intermediaries to bans against tipping off criminals,” and limiting crypto risks to the financial system by following steps outlined in a recent Financial Stability Oversight Council report (covered by InfoBytes here), the administration said.
FHA expands Covid-19 loss mitigation options
On February 13, HUD issued Mortgagee Letter 2023-03, which makes technical corrections to Mortgagee Letter 2023-02 issued in January that expanded and enhanced loss mitigation options for borrowers struggling to make payments on FHA-insured mortgages. The enhancements extend FHA’s Covid-19 loss mitigation options to all eligible borrowers, including non-occupant borrowers, who fall behind on mortgage payments, regardless of the cause of delinquency. Mortgage servicers must use FHA’s Covid-19 recovery loss mitigation “waterfall” of options to assess all borrowers who are in default (or at risk of imminent default). The enhancements also raise the maximum partial claim amount from 25 percent of the mortgage’s unpaid principal balance to the maximum 30 percent allowed by statute to help increase home retention. Mortgage servicers can also offer loss mitigation options to borrowers who qualified for or used homeowner assistance funds who may no longer technically be delinquent but require further assistance to avoid redefault. Additionally, the enhancements provide incentive payments to mortgage servicers when Covid-19 recovery options are successfully completed.
The availability of FHA’s Covid-19 loss mitigation options are extended for 18 months beyond the April 30 mandatory effective date for servicers to remove “uncertainties associated with the timing of the end of the National Emergency,” HUD explained, adding that “FHA is temporarily suspending the use of its FHA-Home Affordable Modification (FHA-HAMP) options concurrent with [Mortgagee Letter 2023-02]” in order to simplify loss mitigation options. Mortgage servicers may begin offering these options to borrowers immediately.
District Court denies certification and defendants’ motion for summary judgment in FDCPA class action
On January 26, the U.S. District Court for the Western District of Washington denied a plaintiff’s motion for class certification and denied motions for summary judgment from defendants in an FDCPA case stemming from a consent order between one of the defendants and the CFPB. As previously covered by InfoBytes, in September 2017, the CFPB announced it had filed a complaint in the U.S. District Court for the District of Delaware against a collection of 15 Delaware statutory trusts and their debt collector for, among other things, allegedly filing lawsuits against consumers for private student loan debt that they could not prove was owed or that was outside the applicable statute of limitations. According to the consent judgment, the trusts were required to pay at least $3.5 million in restitution to more than 2,000 consumers who made payments resulting from the improper collection suits, to pay $7.8 million in disgorgement to the Treasury Department, and to pay an additional $7.8 million civil money penalty to the CFPB. In addition, the trusts were required to: (i) hire an independent auditor, subject to the Bureau’s approval, to audit all 800,000 student loans in the portfolio to determine if collection efforts must be stopped on additional accounts; (ii) cease collection attempts on loans that lack proper documentation or that are time-barred; and (iii) ensure false or misleading documents are not filed and that documents requiring notarization are handled properly. A separate consent order issued against the debt collector orders the company to pay a $2.5 million civil money penalty to the CFPB.
According to the district court’s order, the plaintiffs, who were sued by the defendants for failing to pay their student loans, alleged that the defendants filed fraudulent, deceptive, and misleading affidavits in order to obtain default judgments. The plaintiffs sought to include a class of those residing in Washington for which the defendants sought to collect a debt allegedly owned by one of the trusts. The district court, however, was “unconvinced” that any of the questions would generate common answers on a class-wide basis. For example, the question of whether the defendants’ employees filed false or misleading affidavits “cannot be resolved in one stroke,” the district court said, because the plaintiffs “cannot show by a preponderance of the evidence that the documents Defendants used in every debt collection action suffered from the same alleged deficiencies.” With respect to the defendants’ summary judgment motion, the district court determined there were genuine issues of material fact regarding the alleged violations of the FDCPA and state law in Washington. The district court denied the defendants’ motion for summary judgment, noting noted that “[a]ttempts to collect debts with false affidavits and without the necessary documentation to prove the claims is unfair or unconscionable and involves false, deceptive, and/or misleading representations in violation of the FDCPA.”
FTC finalizes data-security order with ed tech provider
On January 27, the FTC finalized an order with an education technology (ed tech) provider which claimed that the provider’s lax data security practices led to the exposure of millions of users and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. As previously covered by InfoBytes, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Claiming violations of Section 5(a) of the FTC Act, the FTC alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.
Under the terms of the final decision and order, the company (who neither admitted nor denied any of the allegations) is required to take several measures to address the alleged conduct, including: (i) implementing a data retention and deletion process, which will allow users to request access to and deletion of their data; (ii) providing multi-factor authentication methods for users to secure their accounts; (iii) providing notice to affected individuals; (iv) implementing a comprehensive information security program; and (v) obtaining initial and biennial third-party information security assessments. The company must also submit covered incident reports to the FTC and is prohibited from making any misrepresentations relating to how it collects, maintains, uses, deletes, permits, or denies access to individuals’ covered information.
NCUA will maintain loan interest rate ceiling at 18%
On January 27, the NCUA board unanimously voted to maintain the current temporary 18 percent interest rate ceiling for loans made by federal credit unions (FCUs) for another 18 months. The extension starts after the current period ends March 10. According to the announcement, the National Association of Federally-Insured Credit Unions (NAFCU) urged the NCUA to immediately raise the interest rate ceiling to 21 percent in order to help mitigate interest rate-related risks facing FCUs. Recognizing that the NAFCU “has consistently advocated for a floating permissible interest rate ceiling to address constraints of the 15 percent ceiling set by the FCU Act,” NCUA Chairman Todd Harper said the agency is conducting an analysis of a floating interest rate ceiling that should be completed by the April board meeting.
FDIC issues December enforcement actions
On January 27, the FDIC released a list of administrative enforcement actions taken against banks and individuals in December. The FDIC made public nine orders, including “one order to pay civil money penalty, two consent orders, one combined personal consent order and order to pay, two Section 19 orders, four prohibition orders, and seven orders of termination of insurance.”
The actions included a civil money order against a Georgia-based bank related to violations of the Flood Disaster Protection Act. The FDIC determined that the bank had engaged in a pattern or practice of violations because it “made, increased, extended, or renewed loans secured by a building or mobile home located in a special flood hazard area or to be located in a special flood hazard area without providing timely notice to the borrower and/or the servicer as to whether flood insurance was available for the collateral.”
Additionally, the FDIC issued a consent order against a Texas-based bank alleging the bank engaged in “unsafe or unsound banking practices or violations of law or regulation relating to, among other things, weaknesses in board and management oversight of the information technology function.” The bank neither admitted nor denied the allegations but agreed, among other things, that it would develop a staffing analysis plan “to ensure sufficient resources are available with the knowledge [and] prerequisite skills commensurate with the risk profile and complexity of the Bank’s information technology [] function.”
Fed says limits on banking activities will apply regardless of insurance status
On January 27, the Federal Reserve Board issued a policy statement providing guidelines on how the agency evaluates requests from supervised uninsured and insured banks seeking to engage in novel activities, such as those involving crypto assets. Recognizing that in recent years the Fed has received numerous inquiries, notifications, and proposals from banks seeking to engage in new or unprecedented activities, the Fed clarified that when evaluating such inquiries, uninsured and insured banks supervised by the Fed would be subject to the same limitations that are currently imposed on OCC-supervised national banks, including crypto-asset-related activities. According to a board memo published the same day, the Fed said it “will presumptively exercise its authority to limit state member banks to engaging as principal in only those activities that are permissible for national banks—in each case, subject to the terms, conditions, and limitations placed on national banks with respect to the activity—unless those activities are permissible for state banks by federal law.” This “equal treatment” is intended to “promote a level playing field and limit regulatory arbitrage,” the Fed said.
The Fed reiterated that banks must be able to ensure that any activities they plan to engage in are permitted by law and conducted in a safe and sound manner. A bank should implement risk management processes, internal controls, and information systems that are “appropriate and adequate for the nature, scope, and risks of its activities,” the Fed noted. The Fed, however, explained that the policy statement does “not prohibit a state member bank, or prospective applicant, from providing safekeeping services, in a custodial capacity, for crypto-assets if conducted in a safe and sound manner and in compliance with consumer, anti-money laundering, and anti-terrorist financing laws.”
The policy statement was issued the same day the Fed denied a request from a Wyoming-based digital asset firm to become a member of the Federal Reserve System. The Fed explained that the firm—a special purpose depository institution chartered by the state of Wyoming that “proposed to engage in novel and untested crypto activities that include issuing a crypto asset on open, public and/or decentralized networks…“ presented significant safety and soundness risks.” Additionally, the Fed determined that the digital asset firm’s risk management framework failed to sufficiently address heighted risk concerns, including its ability to mitigate money laundering and terrorism financing risks.
DFPI announces $22.5 million multistate settlement with crypto platform
On January 26, the California Department of Financial Protection and Innovation (DFPI) announced that it entered into a $22.5 million settlement agreement with a Cayman Islands digital asset firm to resolve a securities enforcement action regarding its interest-bearing virtual currency account. As previously covered by InfoBytes, in September 2022, the New York attorney general sued the firm for allegedly offering unregistered securities and defrauding investors. A North American Securities Administrators Association working group—composed of the DFPI and state regulators from Washington, Kentucky, New York, Oklahoma, Indiana, Maryland, South Carolina, Vermont, and Wisconsin—collaborated in the investigation into the firm. The states alleged that the platform failed to register as a securities and commodities broker but told investors that it was fully in compliance. According to the New York AG’s complaint, the platform promoted and sold securities through an interest-bearing virtual currency account that promised high returns for participating investors. The New York AG said that a cease-and-desist letter was sent to the platform in October 2021, and that while the platform stated it was “working diligently to terminate all services” in the state, it continued to handle more than 5,000 accounts as of July. The complaint charges the platform with violating New York’s Martin Act and New York Executive Law § 63(12), and seeks restitution, disgorgement of profits, and a permanent injunction. The announcement also noted the SEC entered into a separate settlement with the firm for the same penalty amount, alleging that it to register the offer and sale of its retail crypto-asset lending product (covered by InfoBytes here).