Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • OCC allows institutions affected by Vermont flooding to temporarily close

    Federal Issues

    On July 11, the OCC issued a proclamation permitting OCC-regulated institutions to close offices, at their discretion, affected by severe flooding in Vermont “for as long as deemed necessary for bank operation or public safety.” In issuing the proclamation, the OCC noted that only bank offices directly affected by potentially unsafe conditions should close, and that institutions should make every effort to reopen as quickly as possible to address customers’ banking needs. The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions.

    Find continuing InfoBytes coverage on disaster relief here.

    Federal Issues OCC Disaster Relief Vermont Consumer Finance

  • FHA updates HECM procedures for mortgagee default

    Agency Rule-Making & Guidance

    On July 11, FHA announced modifications to certain FHA home equity conversion mortgage requirements in Mortgagee Letter (ML) 2023-15, entitled “Modifications to FHA Home Equity Conversion Mortgage (HECM) Requirements Related to Secretary Payment of Borrower Disbursements Due to Mortgagee Default.”  The letter updates FHA’s investigation requirements regarding situations where a mortgage lender is unable or unwilling to fulfill a borrower’s payment obligations required under an HECM. Mortgagees that fail to make a necessary payment to a borrower must now furnish specific information to FHA. The modifications provide additional sources where FHA can receive notice of a mortgagee’s anticipated or actual default on borrower payments and are designed to improve FHA’s ability to make prompt payments in the event of mortgagee default to ensure HECM borrowers timely receive scheduled or requested funds. ML 2023-15 is effective immediately.

    Agency Rule-Making & Guidance Federal Issues FHA Mortgages HUD HECM

  • CFPB holds hearing on medical billing and collections

    Federal Issues

    On July 11, CFPB Director Rohit Chopra delivered prepared remarks at a public hearing on medical billing and collections. Chopra commented on the prevalence of medical debt in the country, which affects over 100 million Americans, while $433.2 billion of the national GDP is sourced from consumers’ out-of-pocket expenses. Specifically, the CFPB hearing addressed the effects of medical payment products, including special-purpose credit cards and installment loans used to cover the cost of medical treatment, which Chopra claimed can leave patients “worse off.” The Bureau highlighted the predatory nature of such medical credit cards, which typically have a higher interest rate than other cards and are often presented to consumers by their providers. According to Chopra, the Bureau recently launched a public inquiry (covered by InfoBytes here) to answer questions related to these products.

    During the expert panel discussion, multiple panelists raised issues regarding the federal requirements for hospital financial assistance programs that exist in exchange for tax benefits. Panelists criticized the complicated processes patients must follow for such programs and compared it to the simple and fast online application process for medical credit cards. Panelists also highlighted the need to include stronger, clearer federal requirements for hospital financial assistance programs, such as setting standards on income and setting minimums or floors, so consumers can access such services more easily. Panelists commonly noted that state requirements for hospital financial assistance programs are more robust than the federal requirements. In response to Chopra’s question on what the panelists wish to see from the Bureau regarding regulation, one panelist asked for a ban on deferred interest, noting the “special regulatory authority” the Bureau has. Another panelist requested that the agency ban medical credit cards from being offered in a medical setting, citing her communication with clients who claim they feel “pressured” to sign the paperwork in that setting. Additionally, another panelist requested that the Bureau prohibit the reporting of medical debt on credit reports—mentioning Colorado’s headway in being the first state to ban such reporting and noting the Bureau’s potential to ban it at a federal level. The panelists each applauded the agency’s efforts to bolster regulations on medical payment products.

    Federal Issues Agency Rule-Making & Guidance CFPB DHHS Department of Treasury Credit Cards Consumer Finance Medical Debt Installment Loans

  • European Commission approves transatlantic data-transfer framework

    Privacy, Cyber Risk & Data Security

    On July 10, the European Commission adopted an adequacy decision as part of the EU-U.S. Data Privacy Framework, concluding that the U.S. “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to U.S. companies under the new framework.” In the announcement, European Commission President Ursula von der Leyen stated that the “new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.” She explained that with the new adequacy decision, personal data can now be transferred securely from the EU to U.S. companies participating in the framework without having to implement additional data protection safeguards. The framework will be administered by the Department of Commerce. Compliance by U.S. companies with their obligations under the framework will be enforced by the FTC.

    As previously covered by InfoBytes, Presidents von der Leyen and Biden announced in March 2022 that they had reached an agreement in principle on a new transatlantic data flows framework to foster cross-border transfers of personal data from the EU to the U.S. Under the framework, the U.S. agreed to implement reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement followed negotiations that began after the Court of Justice of the EU issued an opinion in the Schrems II case in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.

    The DOJ released a statement welcoming the European Commission’s adoption of the adequacy decision and expressing its eagerness to collaborate with the Commission, along with representatives from European data protection authorities, to ensure the ongoing implementation of data privacy safeguards.

    Privacy, Cyber Risk & Data Security Federal Issues Of Interest to Non-US Persons EU Consumer Protection Biden EU-US Data Privacy Framework Department of Commerce FTC

  • Senators demand that CFPB address voice-cloning risks

    Privacy, Cyber Risk & Data Security

    On July 6, four Democrats on the Senate Banking Committee sent a letter to CFPB Director Rohit Chopra, in which they expressed their concerns about the emergence of voice cloning technology. The senators observed that “voice cloning, the process of reproducing an individual’s voice with high accuracy using AI and machine learning techniques, has seen remarkable advancements in recent years, and is increasingly being used in malicious ways.” The letter noted the “particularly alarming” use of voice cloning in financial scams, in which scammers use the technology to convincingly impersonate family, friends, and even financial advisors or bank employees. Many times, the letter mentioned, scammers target consumers “who often have no reimbursement recourse from banks and peer-to-peer payment apps.” The senators also highlighted the threat that this technology poses to financial institutions that utilize voice authentication services. The senators urged Chopra and the Bureau to review the risks posed by voice cloning technology and implement measures to effectively address the emerging threat to unsuspecting consumers.

    Privacy, Cyber Risk & Data Security Federal Issues CFPB Senate Banking Committee Artificial Intelligence Consumer Protection

  • Hawaii amends money transmitter provisions

    On July 3, the Hawaii governor signed HB 1027 (the “Act”) into law, amending several provisions relating to the Money Transmitters Modernization Act. The Act adds and amends several definitions. Changes include defining “money,” “receiving money or monetary value for transmission,” and “tangible net worth.” The definition of “money transmission” has also been amended to clarify its connection to business done in Hawaii, and “stored value” has been amended to mean monetary value “that represents a claim against the issuer evidenced by an electronic or digital record and that is intended and accepted for use as a means of redemption for money or monetary value, or payment for goods or services.” Stored value does not include “a payment instrument or closed loop stored value, or stored value not sold to the public but issued and distributed as part of a loyalty, rewards, or promotional program.”

    Among the various exemptions, the Act also provides for an exemption for an agent of the payee to collect and process a payment from a payor to the payee for goods or services, other than money transmission services, provided certain criteria is met. Additional exemptions include certain persons acting as intermediaries, persons expressly appointed as third-party service providers to an exempt entity, and registered futures commission merchants and securities broker-dealers, among others. Anyone claiming to be exempt from licensing may be required to provide information and documentation demonstrating their qualification for the claimed exemption.

    The amendments outline numerous licensing application and renewal procedures, including largely adopting the net worth, surety bond, and permissible investment requirements set forth in the Money Transmission Modernization Act. Several other states have also recently enacted provisions relating to the licensing and regulation of money transmitters (see InfoBytes coverage here and here).

    The Act took effect July 1.

    Licensing State Issues Digital Assets Fintech State Legislation Hawaii Money Service / Money Transmitters

  • States endorse CFPB’s policy statement on abusive conduct

    State Issues

    On July 6, the California attorney announced that he had joined a coalition of state attorneys general in submitting a comment letter endorsing the CFPB’s recently issued policy statement on abusive conduct in consumer financial markets. The multi-state coalition comprises Arizona, California, Colorado, Connecticut, the District of Columbia, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, and Wisconsin. In April, the Bureau issued a policy statement containing an “analytical framework” for identifying abusive conduct prohibited under the Consumer Financial Protection Act, in which it broadly defined abusive conduct as anything that obscures, withholds, de-emphasizes, renders confusing, or hides information about the key features of a product or service. (Covered by InfoBytes here.)

    In their letter, the state attorneys general emphasized the importance of preventing abusive conduct in consumer financial markets and highlighted the partnership between states and the Bureau in achieving this goal. The states also commended the Bureau for providing a clear, analytical framework for what constitutes abusive acts or practices and expressed appreciation for the agency’s use of real enforcement actions as examples of illegal abusive conduct. The multi-state coalition applauded the flexibility and guidance provided by the policy statement and complimented the Bureau for acknowledging the realities of modern consumer markets by clarifying that both acts and omissions can hinder consumers’ understanding of terms and conditions, including the use of fine print or complex language that limits comprehension.

    State Issues Federal Issues State Attorney General CFPB CFPA UDAAP Abusive Consumer Finance

  • 7th Circuit affirms dismissal of FCRA claims against subservicer

    Courts

    On July 5, the U.S. Court of Appeals for the Seventh Circuit affirmed summary judgment in favor of a defendant data furnisher in an FCRA case, holding that the plaintiff failed to establish that the defendant provided “patently incorrect or materially misleading information” to a credit reporting agency (CRA). Defendant was the subservicer for plaintiff’s mortgage and was responsible for accepting and tracking payments and providing payment data to the CRAs. After plaintiff failed to make her monthly payments, she resolved the delinquency through a short sale of her home. Several years later, plaintiff noticed that the closed mortgage account appeared on her credit reports as delinquent. She disputed the information to several CRAs. To confirm the accuracy of its records on plaintiff’s mortgage, one of the CRAs sent the defendant data furnisher four automated consumer dispute verification (ACDV) forms. In the ACDV responses, the defendant amended or verified several contested data points, including the pay rate and account history. The CRA reported this amended data to indicate on plaintiff’s credit report that she was currently delinquent on the mortgage with missed payments in the months following the short sale. After plaintiff applied for and was denied a new mortgage based on the credit report, plaintiff sued the defendant data furnisher for alleged violations of the FCRA, alleging that the defendant failed to conduct a reasonable investigation of the disputed data and provided false and misleading information to CRAs. The district court granted summary judgment in favor of the defendant, finding that plaintiff failed to make a threshold showing that the defendant’s data was incomplete or inaccurate.

    On appeal, the 7th Circuit disagreed with plaintiff that “completeness or accuracy” under the FCRA “must be judged based, not on the ACDV response the data furnisher provided, but on the credit report generated from it.” The court reasoned that the text of the statute “says nothing about a credit report, let alone a duty of a data furnisher with respect to credit reports produced using its amended data. To the contrary, the statute sets out the data furnisher’s duties to investigate disputes, correct incomplete or inaccurate information, and report results from an investigation” to the CRA. Holding that “context can play a large role in determining completeness or accuracy” in this situation, the appellate court agreed with the district court that the data provided by the defendant to the CRA was “not materially misleading” and that “no reasonable jury could find” that the data meant that plaintiff was currently delinquent on her debt, particularly because of strong “contextual evidence”—specifically, that the disputed data appeared directly beside a status code showing that the account was closed. The appeals court affirmed summary judgment for the data furnisher.

    Courts Appellate Seventh Circuit FCRA Consumer Finance Credit Furnishing Mortgages Credit Reporting Agency Credit Report

  • 1st Circuit confirms standing for data breach victims

    Courts

    On June 30, the U.S. Court of Appeals for the First Circuit overruled a district court’s dismissal of a putative class action against a home delivery pharmacy service for allegedly failing to prevent a 2021 data breach that exposed the personally identifiable information (PII) of over 75,000 patients. The class action complaint alleged state law claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, and sought damages and injunctive relief. The putative class was comprised of U.S. residents whose PII was compromised in the data breach. The two named plaintiffs were former or current patients whose PII were compromised in the data breach, and one of the two named plaintiffs had her stolen PII used to file a fraudulent tax return. The district court dismissed the lawsuit for lack of Article III standing.

    Affirming in part and reversing in part, the 1st Circuit held that the complaint “plausibly demonstrates” the plaintiffs’ standing to seek damages, applying the principles articulated by the Supreme Court in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here).

    First, the court concluded that, with respect to the named plaintiff whose PII was used to file a fraudulent tax return, the complaint’s “plausible allegations of actual misuse” of the stolen PII constituted a “concrete injury in fact” for purposes of Article III standing. According to the 1st Circuit, there existed “an “obvious temporal connection” between the timing of the data breach and the filed return, among other facts. The appellate court also found that the fraudulent tax return could make it probable that more of the named plaintiff’s information could be further misused—changing the risk of future misuse from speculative to “imminent and substantial.”

    Second, with respect to the named plaintiff for whom there was no allegation of actual misuse of PII, the court reasoned that “the complaint plausibly alleges a concrete injury in fact based on the material risk of future misuse of [plaintiff’s] PII and a concrete harm caused by exposure to this risk.” The appellate court also found that, because the data here was compromised in a “targeted attack,” then “it stands to reason that [such data] is more likely to be misused…and the risk of future misuse is heightened when the compromised data is particularly sensitive.”

    Third, the court concluded that the complaint plausibly alleged a “separate concrete, present harm” caused by exposure to the risk of future harm, “based on the allegations of the plaintiffs’ lost time spent taking protective measures [against further identity theft] that would otherwise have been put to some productive use.” “The loss of this time is equivalent to a monetary injury, which is indisputably a concrete injury,” the appellate court wrote, adding that it joins other circuits in holding that time spent responding to a data breach is sufficient to establish standing.

    Finally, the court held that plaintiffs lacked standing to pursue injunctive relief “because their desired injunctions would not likely redress their alleged injuries” as any such relief would only safeguard against future breaches and would not protect “plaintiffs from future misuse of their PII by the individuals they allege now possess it.”

    Courts Privacy, Cyber Risk & Data Security Appellate First Circuit Data Breach Class Action Consumer Protection

  • District Court orders crypto platform and its CEO to disgorge and pay penalty in SEC case

    Courts

    On July 5, the U.S. District Court for the Southern District of New York ordered a crypto platform and its CEO to each pay a civil money penalty of $141,410, as well as to jointly pay disgorgement in the same amount, in a case brought by the SEC. The SEC filed a complaint in February 2021 alleging that the defendants violated the registration provisions of the Securities Act of 1933 in connection with their offer and sale of digital asset securities. According to the SEC, the defendants sold digital asset securities to hundreds of investors, including investors based in the United States, but failed to file a registration statement for the offering. The complaint further charged the defendants with denying prospective investors the material information required for such an offering to the public. The SEC alleged that the defendants raised at least $141,410 through their offering.

    Neither defendant responded to the complaint, and the court accordingly entered an order of default against the defendants, permanently enjoining the defendants from violating the registration provisions of the Securities Act. The court also referred the case to a magistrate judge to make a recommendation regarding disgorgement and penalties. The magistrate judge concluded—and the court agreed—that there were sufficient facts supporting the SEC’s allegations against the defendants and that disgorgement and civil monetary penalties were appropriate remedies. In addition to the civil monetary penalty of $141,410 per defendant, the court held the defendants jointly and severally liable for disgorgement of $141,410 plus pre-judgment interest.

    Courts Securities Digital Assets Fintech Cryptocurrency SEC Securities Act

Pages

Upcoming Events