
InfoBytes Blog

Financial Services Law Insights and Observations


  • FCC fines companies $20M for insufficient consumer data security measures

    Federal Issues

    On July 28, the FCC announced a proposed fine of $20 million for two affiliated mobile carrier companies over alleged violations of FCC rules. The Commission alleged that the companies failed to protect the privacy and security of subscribers’ personal data by violating three provisions of section 64.2010 of FCC rules, which requires carriers to authenticate customers’ identity before providing online access to their network information. The alleged violations included relying on readily available information to control access to the network information and failing to establish “reasonable” data security standards. FCC Chairwoman Jessica Rosenworcel cited such failures to protect consumers’ privacy to underpin the importance of the FCC’s newly established Privacy and Data Protection Task Force (covered by InfoBytes here). The proposed sanctions are not final, and the companies will have an opportunity to respond.

    Federal Issues Privacy, Cyber Risk & Data Security FCC Enforcement Consumer Protection

  • CSBS announces Nonbank Model Data Security Law

    Privacy, Cyber Risk & Data Security

    The Conference of State Bank Supervisors (CSBS) recently released a comprehensive framework for safeguarding sensitive information held at nonbank financial institutions. CSBS’s Nonbank Model Data Security Law is largely based on the FTC’s updated Safeguards Rule, which added specific criteria for financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, to undertake when conducting risk assessments and implementing information security programs. (Covered by InfoBytes here.) Adopting the Nonbank Model Data Security Law allows for a streamlined and efficient approach to data security regulations for nonbank financial institutions, CSBS explained, adding that by leveraging the existing Safeguards Rule’s applicability to state covered nonbanks, the model law imposes minimal additional compliance burdens and ensures smoother implementation for financial institutions. States can also choose an alternative approach by requiring nonbank financial institutions to conform to the Safeguards Rule, CSBS said.

    The Nonbank Model Data Security Law outlines numerous provisions, which are intended to protect customer information, mitigate cyber threats, and foster a secure financial ecosystem. These include standards for safeguarding customer information, required elements that must be included in a nonbank financial institution’s information security program, and an optional section that requires entities to notify the commissioner in the wake of a security event. CSBS noted that because “the proposed rule on notification requirements for the FTC Safeguards Rule is still pending, the model law allows each state to establish their own customer threshold number, providing flexibility in determining the extent of impact that triggers the notification obligation.” CSBS also provided a list of resources for adopting the Nonbank Model Data Security Law.

    Privacy, Cyber Risk & Data Security State Issues CSBS Nonbank FTC Safeguard Rule Compliance

  • California AG warns against unlawful employer-driven debt arrangements

    State Issues

    On July 25, California Attorney General Rob Bonta issued a Legal Alert to remind all employers of state-law restrictions on employer-driven debt. Bonta highlighted concerns about employers engaging in exploitative practices that lead to employees accumulating debts as a result of their employment. (Also covered by InfoBytes here.) Such practices may include employers withholding wages, failing to reimburse necessary expenses, or charging fees that are unlawful under California labor laws.

    The alert outlines that employer-driven debt arrangements may violate California Labor Code section 2802, “which mandates that employers ‘indemnify employees for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties.’” Regarding job training, the alert mentions that California law forbids employers from making workers repay training costs, except in two cases: (i) when the training is necessary for legally practicing the profession, and (ii) when the worker voluntarily undertakes the training, not due to employer mandate. The alert warns companies that engage in exploitative practices that the protections established in the Labor Code cannot be waived by contract. The alert also states that such practices risk violating the state’s Rosenthal Fair Debt Collection Practices Act, which “prohibits an employer or its agent from engaging in unfair or deceptive acts or practices when attempting to collect on employer-driven debt.” Finally, the alert notes that if an employer takes advantage of a worker’s lack of information or knowledge about the risks or costs of the debt, they may violate the California Consumer Financial Protection Law.

    State Issues State Attorney General California Consumer Finance Employer-Driven Debt Products

  • Supreme Court of New York: FDCPA does not require collectors to explain how debt is acquired

    Courts

    On July 19, the Supreme Court of the State of New York filed an order granting defendants’ motion for summary judgment, ruling that the FDCPA does not require debt collectors to provide debtors with proof of how they came to acquire the debt from the original creditor. One of the defendants purchased plaintiff’s defaulted credit card debt, which was placed with the second defendant for collection. The second defendant sent plaintiff a collection letter that identified the original creditor, along with the last four digits of the account number and identified the current creditor by name. Plaintiff sued, alleging violations of several sections of the FDCPA, claiming the letter was “false, deceptive, and misleading” because he never entered into a transaction with the current creditor and that the defendants reported the alleged debt to the credit reporting agencies. Plaintiff also maintained that prior to filing the lawsuit, he sought to validate the alleged debt but that neither defendant provided information sufficient to establish the current creditor’s ownership of the debt. Defendants filed for summary judgment seeking dismissal of plaintiff’s claims. In granting the motion, the court held that nothing in the FDCPA requires debt collectors “to educate the debtor ‘with proof, or at least a narrative, as to how it came to acquire the debt from [the] original creditor,’” and that the statute does not require plaintiffs to be notified when their debt is sold.

    Courts State Issues FDCPA Debt Collection Consumer Finance New York

  • DOE recognizes states’ role in investigating student loan servicers

    Agency Rule-Making & Guidance

    On July 24, the Department of Education (DOE) issued a final interpretation to clarify that the Higher Education Act (HEA) preempts state laws and other applicable federal laws “only in limited and discrete respects.” Specifically, the final interpretation revises and clarifies the DOE’s position on the legality of state laws and regulations regarding certain aspects of federal student loan servicing, including preventing unfair or deceptive practices, correcting misapplied payments, or addressing servicers’ refusals to communicate with borrowers.

    The final interpretation supersedes a 2021 DOE interpretation (covered by InfoBytes here), as well as prior statements and interpretations issued by the agency, which addressed state regulation of the servicing of student loans under the William D. Ford Federal Direct Loan Program and the Federal Family Education Loan Program. Following a review of public comments, the DOE modified its interpretation to more clearly describe the standard for conflict preemption, explaining that recent court rulings on the issue of conflict preemption have consistently found that the HEA does not prioritize maintaining uniformity in federal student loan servicing, and that as a result, the courts have upheld the authority of individual states to address fraud and affirmative misrepresentations in the federal student aid program without being hindered by federal preemption. Additionally, the DOE noted that courts have consistently applied conflict preemption to state laws that require licensing of the DOE’s student loan servicers, particularly in limited circumstances where the licensing requirement aims to disqualify a federal contractor from operating within the state. The final interpretation states that it is firmly established that states cannot hinder the federal government's ability to choose its contractors by imposing such licensing requirements, noting that two courts recently concluded that such preemption also applies to a state’s refusal to license federal student loan servicers.

    The final interpretation is effective immediately.

    Agency Rule-Making & Guidance State Issues Department of Education Student Lending Student Loan Servicer Higher Education Act Preemption

  • SEC proposes rules for addressing conflicts of interest raised by predictive data analytics

    Agency Rule-Making & Guidance

    On July 26, the SEC issued proposed rules under the Securities Exchange Act of 1924 and the Investment Advisers Act of 1940 to address certain conflicts of interest associated with the use of predictive data analytics, including artificial intelligence (AI) and similar technologies, “that optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes.” The SEC explained that broker-dealers and investment advisors (collectively, “firms”) are increasingly using AI to improve efficiency and returns but cautioned that, due to the scalability of these technologies and the potential for firms to quickly reach a large audience, any resulting conflicts of interest could result in harm to investors that is more pronounced and on a broader scale than previously possible.

    Based on existing legal standards, the proposed rules generally would require a firm to identify and eliminate, or neutralize, the effects of conflicts of interest that result in the firm’s (or associated persons’) interests being placed ahead of investors’ interests. Firms, however, would be permitted to employ tools that they believe would address such risks and that are specific to the particular technology being used. Firms that use covered technology for investor interactions would also be required to have written policies and procedures in place to ensure compliance with the proposed rules, the SEC said. These policies and procedures must include a process for evaluating the use of covered technology in investor interactions and addressing any conflicts of interest that may arise. Firms must also maintain books and records related to these requirements. Comments on the proposed rules are due 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Federal Issues Securities SEC Third-Party Risk Management Artificial Intelligence Securities Exchange Act Investment Advisers Act

  • SEC adopts breach-reporting rules, establishes requirements for cybersecurity risk management

    Agency Rule-Making & Guidance

    On July 26, a divided SEC adopted a final rule outlining disclosure requirements for publicly traded companies in the event of a material cybersecurity incident. The final rule (proposed last year and covered by InfoBytes here) also requires companies to periodically disclose their cybersecurity risk management processes and establishes requirements for how cybersecurity disclosures must be presented. The final rule requires that material cybersecurity incidents be disclosed within four days from the time a company determines the incident was material (a disclosure may be delayed should the U.S. attorney general notify the SEC in writing that immediate disclosure poses a substantial risk to national security or public safety). Companies must also identify material aspects of the incident’s nature, scope, and timing, as well as its impact or reasonably likely impact on the company, and are required to describe their board’s and management’s oversight of risks from cybersecurity threats and previous cybersecurity incidents. These disclosures will be required in a company’s annual report. The final rule will also mandate foreign private issuers to provide comparable disclosures on forms related to material cybersecurity incidents and risk management, strategy, and governance.

    The final rule is effective 30 days following publication of the adopting release in the Federal Register. The SEC noted that incident-specific disclosures will be required in Forms 8-K and 6-K beginning either 90 days after the final rule’s publication in the Federal Register or on December 18, whichever is later, though smaller reporting companies are provided an extra 180 days before they must begin providing such disclosures. Annual disclosures on cyber risk management, strategy, and governance will be required in Form 10-K and Form 20-F reports starting with annual reports for fiscal years ending on or after December 15. In terms of structured data requirements, all companies must tag disclosures in the required format beginning one year after initial compliance with the related disclosure requirement.

    SEC Chair Gary Gensler commented that, in response to public comments received on the proposed rule, the final rule “streamlines required disclosures for both periodic and incident reporting” and requires companies “to disclose only an incident’s material impacts, nature, scope, and timing, whereas the proposal would have required additional details, not explicitly limited by materiality.”

    In voting against the final rule, Commissioner Hester M. Peirce raised concerns that the final rule’s compliance timelines are overly aggressive even for large companies and that the short incident disclosure period could potentially mislead otherwise uninformed investors and “lead to disclosures that are ‘tentative and unclear, resulting in false positives and mispricing in the market.’” The final rule allows a company to update its incident disclosure in subsequent reports with new information that was unavailable at first, which could impact investors who may suffer a loss due to the mispricing of the company’s securities following the initial reporting, Peirce said. She also criticized the exemption for risks to national security or public safety as being overly narrow. Commissioner Mark Uyeda also opposed the adoption, writing that “[n]o other Form 8-K event requires such broad forward-looking disclosure that needs to be constantly assessed for a potential amendment.” Uyeda also questioned whether “[p]remature public disclosure of a cybersecurity incident at one company could result in uncertainty of vulnerabilities at other companies, especially if it involves a commonly used technology provider, [thus] resulting in widespread panic in the market and financial contagion.”

    Agency Rule-Making & Guidance Federal Issues Securities Privacy, Cyber Risk & Data Security SEC Data Breach Risk Management

  • CFPB examines relationship between cashflow and serious delinquency

    Federal Issues

    On July 26, the CFPB posted a blog entry explaining that cashflow data could be more telling in determining a person’s ability to repay their loans than credit reports, which are typically calculated through a variety of credit products such as mortgages, credit cards, auto loans, and student loans. The Bureau referenced its July 2020 Making Ends Meet Survey (covered by InfoBytes here), which was sampled off the Consumer Credit Panel, in order to “show that three self-reported proxies for cashflow appear predictive of serious delinquency, even when analyzing people with similar traditional credit scores.” The proxies include high accumulated savings, regularly saving and no overdrafts, and paying bills on time. While accounting for deficiencies such as sample size, the Bureau’s analysis showed that individuals with self-reported positive cash flow perform notably better than those with less positive cash flow, even with similar credit scores. Other findings include that individuals with higher credit scores are more likely to report (i) relatively high accumulated savings, which the Bureau defined as at least $3,000 across their checking and savings accounts; (ii) positive savings and no overdrafts; and (iii) no issues paying rent, mortgage, utilities, and regular household expenses. All three findings are also indicative of a reduced likelihood of serious delinquency, the Bureau found. According to the blog entry, the analysis “suggests that cashflow data may help lenders better identify borrowers with low likelihood of serious delinquency, even if these borrowers’ credit scores may have otherwise prevented them from receiving credit.”

    Federal Issues CFPB Credit Scores Credit Report Consumer Finance

  • CFPB issues Summer ’23 supervisory highlights

    Federal Issues

    On July 26, the CFPB released its Summer 2023 issue of Supervisory Highlights, which covers enforcement actions in areas such as auto origination, auto servicing, consumer reporting, debt collection, deposits, fair lending, information technology, mortgage origination, mortgage servicing, payday lending and remittances from June 2022 through March 2023. The Bureau noted significant findings regarding unfair, deceptive, and abusive acts or practices and findings across many consumer financial products, as well as new examinations on nonbanks.

    • Auto Origination: The CFPB examined auto finance origination practices of several institutions and found deceptive marketing of auto loans. For example, loan advertisements showcased cars larger and newer than the products for which actual loan offers were available, which misled consumers.
    • Auto Servicing: The Bureau’s examiners identified unfair and abusive practices at auto servicers related to charging interest on inflated loan balances resulting from fraudulent inclusion of non-existent options. It also found that servicers collected interest on the artificially inflated amounts without refunding consumers for the excess interest paid. Examiners further reported that auto servicers engaged in unfair and abusive practices by canceling automatic payments without sufficient notice, leading to missed payments and late fee assessments. Additionally, some servicers allegedly engaged in cross-collateralization, requiring consumers to pay other unrelated debts to redeem their repossessed vehicles.
    • Consumer Reporting: The Bureau’s examiners found that consumer reporting companies failed to maintain proper procedures to limit furnishing reports to individuals with permissible purposes. They also found that furnishers violated regulations by not reviewing and updating policies, neglecting reasonable investigations of direct disputes, and failing to notify consumers of frivolous disputes or provide accurate address disclosures for consumer notices.
    • Debt Collection: The CFPB's examinations of debt collectors (large depository institutions, nonbanks that are larger participants in the consumer debt collection market, and nonbanks that are service providers to certain covered persons) uncovered violations of the FDCPA and CFPA, such as unlawful attempts to collect medical debt and deceptive representations about interest payments.
    • Deposits: The CFPB's examinations of financial institutions revealed unfair acts or practices related to the assessment of both nonsufficient funds and line of credit transfer fees on the same transaction. The Bureau reported that this practice resulted in double fees being charged for denied transactions.
    • Fair Lending: Recent examinations through the CFPB's fair lending supervision program found violations of ECOA and Regulation B, including pricing discrimination in granting pricing exceptions based on competitive offers and discriminatory lending restrictions related to criminal history and public assistance income.
    • Information Technology: Bureau examiners found that certain institutions engaged in unfair acts by lacking adequate information technology security controls, leading to cyberattacks and fraudulent withdrawals from thousands of consumer accounts, causing substantial harm to consumers.
    • Mortgage Origination: Examiners found that certain institutions violated Regulation Z by differentiating loan originator compensation based on product types and failing to accurately reflect the terms of the legal obligation on loan disclosures.
    • Mortgage Servicing: Examiners identified UDAAP and regulatory violations at mortgage servicers, including violations related to loss mitigation timing, misrepresenting loss mitigation application response times, continuity of contact procedures, Spanish-language acknowledgment notices, and failure to provide critical loss mitigation information. Additionally, some servicers reportedly failed to credit payments sent to prior servicers after a transfer and did not maintain policies to identify missing information after a transfer.
    • Payday Lending: The CFPB identified unfair, deceptive, and abusive acts or practices, including unreasonable limitations on collection communications, false collection threats, unauthorized wage deductions, misrepresentations regarding debt payment impact, and failure to comply with the Military Lending Act. The report also highlighted that lenders reportedly failed to retain evidence of compliance with disclosure requirements under Regulation Z. In response, the Bureau directed lenders to cease deceptive practices, revise contract language, and update compliance procedures to ensure regulatory compliance.
    • Remittances: The CFPB evaluated both depository and non-depository institutions for compliance with the EFTA and its Regulation E, including the Remittance Rule. Examiners found that some institutions failed to develop written policies and procedures to ensure compliance with the Remittance Rule's error resolution requirements, using inadequate substitutes or policies without proper implementation.

    Federal Issues CFPB Consumer Finance Consumer Protection Auto Lending Examination Mortgages Mortgage Servicing Mortgage Origination Supervision Nonbank UDAAP FDCPA CFPA ECOA Regulation Z Payday Lending EFTA Unfair Deceptive Abusive

  • CFPB, FTC to conduct inquiry into high housing costs for renters

    Federal Issues

    On July 25, CFPB Director Rohit Chopra shared prepared remarks for the Community Table on a White House Blueprint for a Renters Bill of Rights to address high housing costs for renters. Chopra raised concerns about corporate investors imposing high rents and charging renters with what the director described as “junk fees and other aggressive tactics.” He mentioned that corporate investor owners, including private equity firms, are more likely to evict tenants, even when controlling for other factors, and that corporate investor ownership of rental units has risen to over 45 percent. Chopra also emphasized the growing use of artificial intelligence and social scoring in the rental process, stating that such changes can lead to rent hikes and denials of housing due to an algorithm's definition of "high-quality tenants." The remarks suggested that tenants are not being given appropriate opportunity to correct inaccurate information in their background checks, despite the legal requirement for companies to inform consumers when using such information for adverse rental decisions. The speech also stressed the CFPB's commitment to identifying inaccurate AI and illegal practices that lead to misleading data and clarified that name-only matching, a common but illegal practice in screening, can result in inaccurate information, disproportionately affecting individuals with common last names. To address these issues, Chopra announced a joint inquiry with the FTC, to collect feedback from the public about their experiences with tenant screening.

    Federal Issues CFPB FTC Consumer Finance Artificial Intelligence Landlords
