InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FHFA requests feedback on single-family pricing framework
Recently, the FHFA issued a request for input (RFI) on a single-family pricing framework for Fannie Mae and Freddie Mac (GSEs), including feedback on policy priorities and goals that FHFA should pursue in its oversight of the framework. “Through this RFI, FHFA seeks input on how to ensure the pricing framework adequately protects the [GSEs] and taxpayers against potential future losses, supports affordable, sustainable housing and first-time homebuyers, and fosters liquidity in the secondary mortgage market,” FHFA Director Sandra L. Thompson said in the announcement. The RFI also seeks input on the GSEs’ single-family upfront guarantee fees and whether it is appropriate to continue linking those fees to the Enterprise Regulatory Capital Framework. FHFA explained that guarantee fees are intended to cover the GSEs’ administrative costs, expected credit losses, and cost of capital associated with guaranteeing securities backed by single-family mortgage loans. Comments on the RFI are due August 14.
FTC proposes changes to Health Breach Notification Rule
On May 18, the FTC issued a notice of proposed rulemaking (NPRM) and request for public comment on changes to its Health Breach Notification Rule (Rule), following a notice issued last September (covered by InfoBytes here) warning health apps and connected devices collecting or using consumers’ health information that they must comply with the Rule and notify consumers and others if a consumer’s health data is breached. The Rule also ensures that entities not covered by HIPAA are held accountable in the event of a security breach. The NPRM proposed several changes to the Rule, including modifying the definition of “[personal health records (PHR)] identifiable health information,” clarifying that a “breach of security” would include the unauthorized acquisition of identifiable health information, and specifying that “only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.” The modifications would also authorize the expanded use of email and other electronic methods for providing notice of a breach to consumers and would expand the required content for notices “to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information.” Comments on the NPRM are due 60 days after publication in the Federal Register.
The same day, the FTC also issued a policy statement warning businesses against making misleading claims about the accuracy or efficacy of biometric technologies like facial recognition. The FTC emphasized that the increased use of consumers’ biometric information and biometric information technologies (including those powered by machine learning) raises significant consumer privacy and data security concerns and increases the potential for bias and discrimination. The FTC stressed that it intends to combat unfair or deceptive acts and practices related to these issues and outlined several factors used to determine potential violations of the FTC Act.
CFPB issues guide on collecting small-biz data
The CFPB recently issued a compliance guide for its final rule implementing Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the final rule (issued at the end of March) will require financial institutions to collect and provide to the Bureau data on lending to small businesses, defined as an entity with gross revenue under $5 million in its last fiscal year (covered by InfoBytes here). The guide: (i) includes a detailed summary of the final rule’s requirements, including data reporting deadlines; (ii) provides comprehensive information on the types of data financial institutions need to collect and report on small business lending applications and decisions; and (iii) includes parameters for covered institutions and covered originations. The guide further breaks down reportable data points and explains the final rule’s “firewall” provision, which states that employees and officers of a financial institution or its affiliates “involved in making any determination” on a reportable application are generally prohibited from accessing applicant demographic information relating to ethnicity, race, sex, and status as a minority-owned, women-owned, or LGBTQI+-owned business. The guide specifies that certain exceptions may apply to situations where an employee involved in decision-making must have access to the data to fulfill their assigned job duties (e.g. a loan officer or loan processor). In these situations, financial institutions are required to provide notice to applicants that employees and officers involved in decision-making may have access to their demographic data.
CFPB examines consumer overdraft experiences
On May 18, the CFPB published a data spotlight reporting on consumers’ experiences with overdraft programs. The Bureau conducted interviews and focus groups with low- and moderate-income consumers last summer where participants were asked about their use of deposit accounts and debit cards, their understanding of overdraft fees and non-sufficient funds (NSF) fees, and their perceptions of ways to avoid these fees. The Bureau found that, among other things, many consumers were not aware of their financial institution’s overdraft policies and thought protection automatically came with their account, while others were unaware that they could end overdraft protection. Others expressed concerns about fees, payment timing, and notifications, with some consumers saying that the typical $35 overdraft fee was “excessive” and “not necessarily proportional to the covered transaction.” Additional concerns flagged by consumers included: (i) financial hardships and fee waivers due to cascading overdraft fees; (ii) negative balances due to delayed merchant holds or delayed deposits; (iii) account closures because of overdraft fees, leading to difficulties when opening new accounts for some consumers; and (iv) limited awareness of various account options, including deposit accounts without overdraft fees and second-chance accounts. The Bureau reported that while some financial institutions have reduced or eliminated overdraft and NSF fees, implementation is “uneven and impermanent,” so consumers may not yet have benefited from the changes.
Chopra highlights APOR in call for resilient and durable rules
On May 17, CFPB Director Rohit Chopra announced that the agency is currently reviewing several of its rules and guidance documents in an effort to eliminate unnecessary complexities and create “more durable rules that don’t over-rely on single entities.” Chopra flagged issues related to the federal mortgage rules as an example of unnecessarily complex policies with a penchant for accommodating “dominant industry incumbents.” Last month, the Bureau announced a revised version of its methodology for calculating the average prime offer rates (APORs), which highlighted broader weaknesses resulting from single points of failure and a reliance on overly complicated benchmarks. As previously covered by InfoBytes, the methodology statement was revised to address the imminent unavailability of certain data that the Bureau previously relied on to calculate APORs, including changes made by Freddie Mac to its Primary Mortgage Market Survey used to calculate APORs for three types of loans. Noting that the Bureau has had other challenges relying on a single entity for calculating the APOR benchmark over the last decade, Chopra commented that “[n]o consumer protection rule should be designed so that its important protections are threatened by single points of failure or single sources.” He added that the revised APOR methodology further “highlighted the risks of relying on complicated reference rates that must be manually constructed rather than potentially more robust market-based measures that stand on their own.”
Tennessee becomes 8th state to enact comprehensive privacy legislation
On May 11, the Tennessee governor signed HB 1181 to enact the Tennessee Information Protection Act (TIPA) and establish a framework for controlling and processing consumers’ personal data in the state. Tennessee is now the eighth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, and Indiana. TIPA applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Tennessee residents or (ii) controls or processes personal data of at least 25,000 Tennessee residents and derives 50 percent of gross revenue from the sale of personal data. TIPA provides for several exemptions, including financial institutions and data governed by the Gramm-Leach-Bliley Act and certain other federal laws, as well as covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of TIPA include:
- Consumers’ rights. Under TIPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; request what categories of information were sold or disclosed; and opt out of the sale of their data.
- Controllers’ responsibilities. Data controllers under TIPA will be responsible for, among other things, (i) responding to consumers’ requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, up to twice annually for each consumer; (ii) establishing an appeals process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (iv) not processing data for reasons incompatible with the specified purpose; (v) securing personal data from unauthorized access; (vi) not processing data in violation of state or federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (ix) providing clear and meaningful privacy notices. TIPA also sets forth obligations relating to contracts between a controller and a processor.
- No private right of action but enforcement by state attorney general. TIPA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law and seek penalties of up to $15,000 per violation and treble damages for willful or knowing violations. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
- Right to cure. Upon discovering a potential violation of TIPA, the attorney general must give the data controller written notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit.
- Affirmative defense. TIPA establishes an affirmative defense for violations for controllers and processors that adopt a privacy program “that reasonably conforms” to the National Institute of Standards and Technology Privacy Framework and complies with required provisions. Failing “to maintain a privacy program that reflects the controller or processor's data privacy practices to a reasonable degree of accuracy” will be considered an unfair and deceptive act or practice under Tennessee law.
TIPA takes effect July 1, 2024.
CFPB brief defends funding structure
On May 8, petitioner CFPB filed its brief with the U.S. Supreme Court, criticizing the U.S. Court of Appeals for the Fifth Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where the appellate court found that the Bureau’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here and a firm article here). The 5th Circuit’s decision also vacated the agency’s Payday Lending Rule on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding.
Earlier this year, the Bureau filed a petition for a writ of certiorari, which the Court granted (covered by InfoBytes here). The Bureau explained in its petition that the 5th Circuit’s decision would negatively impact its “critical work administering and enforcing consumer financial protection laws” and “threatens the validity of all past CFPB actions as well” as the decision vacates a past agency action based on the purported Appropriations Clause violation. Community Financial Services Association of America (CFSA) filed a conditional cross-petition, seeking review on other aspects of the 5th Circuit’s decision, including that the 5th Circuit’s decision does not warrant review because the appellate court correctly vacated the Payday Lending Rule, which, according to the respondents, has “multiple legal defects, including but not limited to the Appropriations Clause issue.” (Covered by InfoBytes here.)
In its opening brief, the Bureau expanded on why it believes the 5th Circuit erred in its holding. The Bureau argued that the text of the Appropriations Clause “does not limit Congress’ authority to determine the specificity, duration, and source of its appropriations.” The agency further explained that Congress has chosen similar funding mechanisms for many other financial regulatory agencies, including the FDIC, NCUA, FHFA, and the Farm Credit Administration (and agencies outside of the financial regulatory sector), where they are all funded in part through the collection of fees, assessments, and investments. The Bureau emphasized that the 5th Circuit and the CFSA failed “to grapple with the Appropriation Clause’s text, Congress’ historical practice, or [Supreme] Court precedent,” but instead asserted only that the funding mechanism was “unprecedented.” “Congress enacted a statute explicitly authorizing the CFPB to use a specified amount of funds from a specified source for specified purposes,” the Bureau emphasized. “The Appropriations Clause requires nothing more.” The 5th Circuit’s “novel and ill-defined limits on Congress’s appropriations authority contradict the Constitution’s text and congressional practice dating to the Founding.”
The Bureau also addressed the now-vacated Payday Lending Rule. Arguing that even if there were some constitutional flaw in 12 U.S.C. § 5497 (the statute creating the Bureau’s funding mechanism), the 5th Circuit should have looked for some cure to allow the remainder of the funding mechanism to stand independently instead of “adopting an unjustified and profoundly disruptive retrospective remedy” and presuming the funding mechanism created under Section 5497(a)-(c) was entirely invalid. The Bureau also stressed that vacatur of the agency’s past actions was not an appropriate remedy and is inconsistent with historical practice. Adopting a remedial approach, the Bureau warned, would inflict significant disruption by calling into question 12 years of past agency actions.
The Bureau urged the Court to at most grant only “prospective relief preventing the CFPB from enforcing the Payday Lending Rule against [CFSA] or their members until Congress provides the Bureau with funding from another source.” While such an approach could still “upend” the Bureau’s activities, “it would at least avoid the profoundly disruptive effect of unwinding already completed and concededly authorized agency actions like the Payday Lending Rule,” the Bureau wrote, adding that “[v]acatur of the CFPB’s past actions would be inappropriate in light of the significant disruption that such vacatur would produce.”
District Court denies servicer’s claims that it never received QWR
The U.S. District Court for the Eastern District of Missouri recently considered whether a mortgage servicer received a borrower’s qualified written request (QWR) relating to a missed mortgage payment. The borrower sent a money order to cover two monthly mortgage payments, but the payments were not properly credited to her account. The borrower made several attempts to contact the mortgage servicer about the improperly credited payment. After receiving a formal notice of default, the borrower sent a “Request for Information and Notice of Error” (NOE) to the servicer explaining the situation and asking that her account be updated to reflect that all payments had been made and requesting the removal of late fees and charges. She also asked that her loan be removed from default status and sent letters to the credit reporting agencies formally disputing the delinquent payment reports. According to the court’s opinion, the borrower claimed that the servicer violated RESPA by failing to respond and violated the FCRA by failing to conduct a reasonable investigation into her credit disputes and verifying inaccurately furnished information.
In considering both parties’ motions for summary judgment, the court granted the borrower’s motion on liability with respect to her RESPA claim and denied the servicer’s motion for summary judgment on the FCRA claims on the basis that the borrower provided evidence of actual damages resulting from the servicer’s alleged FCRA violation. The court explained that RESPA requires mortgage servicers to respond to a QWR within five days to acknowledge receipt, and again within 30 days by either correcting the account, providing a written explanation as to why it believes the account is correct, or providing the information requested by the borrower or an explanation of why the information requested is unavailable. Failure to do so entitles a borrower to any actual damages suffered as result of the failure. Claiming the NOE was a QWR, the borrower presented evidence, including a certified mail receipt allegedly showing the NOE was signed for by one of the servicer’s representatives. The servicer countered that because it had no record of the correspondence, its RESPA duties were not triggered. The servicer further argued that the NOE did not qualify as a QWR because it failed to provide sufficient information for it to investigate or respond to the request, and that even if it was a QWR, the borrower had failed to show actual damages.
The court disagreed, determining (i) that the servicer failed to prove it did not receive the NOE, and (ii) that the NOE constituted a QWR. “The information in the letter alone is sufficient to qualify as a QWR,” the court wrote. “The letter quite specifically states the error [the borrower] believed to have occurred…. This is not an ‘overbroad’ and generalized statement of ‘bad servicing.’ It identifies an error specifically contemplated by RESPA’s regulations.” The court further added that “RESPA does not require that a lender’s violations be the sole cause of a borrower’s emotional distress. It merely requires that damages be causally related to a violation of the statute.” However, the court noted that the borrower still needs to prove at trial the extent of damages caused by the servicer's alleged violation.
FHFA rescinds GSE fee based on DTI ratios
On May 10, FHFA announced it is rescinding a debt-to-income-based loan-level pricing adjustment announced in January. As previously covered by InfoBytes, FHFA made several changes relating to upfront fees for certain borrowers with debt-to-income (DTI) ratios above 40 percent. The updated and recalibrated pricing grids also included the upfront fee eliminations announced last October to increase pricing support for purchase borrowers limited by income or by wealth, FHFA said at the time. The implementation of the DTI pricing adjustment, which would have affected loans acquired by Fannie Mae and Freddie Mac, was delayed to August 1, but after the mortgage industry and other market participants expressed concerns about implementation challenges, FHFA made the decision to rescind the DTI-ratio based fee to provide additional transparency. The agency will issue a request for public input on the single-family guarantee fee pricing framework shortly.
CFPB: Reopening a closed account could be a UDAAP
On May 10, the CFPB released Circular 2023-02 to opine that unilaterally reopening a closed account without a customer’s permission in order to process a transaction is a likely violation of federal law, particularly if a bank collects fees on the account. “When a bank unilaterally chooses to open an account in someone’s name after they have already closed it, this is a fake account,” CFPB Director Rohit Chopra said in the announcement. “The CFPB is acting on all fronts to halt the harvesting of illegal junk fees.”
The Bureau described receiving complaints from consumers about banks reopening closed accounts and then assessing overdraft/nonsufficient funds fees and monthly maintenance fees. Such practices, the Bureau warned, may violate the Consumer Financial Protection Act’s prohibition on unfair acts or practices. Consumers may experience substantial injury including monetary harm by paying fees due to the unfair practice, the Bureau said, explaining that because consumers likely cannot reasonably avoid the injury, “[a]ctual injury is not required; significant risk of concrete harm is sufficient.” Aside from subjecting consumers to fees, when a bank processes a credit through a reopened account, the consumers’ funds may become available to third parties, including those that do not have permission to access such funds, the Bureau warned, adding that there is also a risk that banks may furnish negative information to consumer reporting agencies if reopening the account overdraws the account and the consumer does not quickly repay the amount owed. The Bureau further noted that deposit account agreements typically indicate that a financial institution “may return any debits or deposits to the account that the financial institution receives after closure and faces no liability for failing to honor any debits or deposits received after closure.”
The Circular explained that rather than reopening an account when a third party attempts to deposit or withdraw money from it, banks should decline the transactions. This allows customers the opportunity to update their information with the entity attempting to access a closed account while avoiding potential fees. “Reopening a closed account does not appear to provide any meaningful benefits to consumers or competition,” the Bureau said in the Circular. “While consumers might potentially benefit in some instances where their accounts are reopened to receive deposits, which then become available to them, that benefit does not outweigh the injuries that can be caused by unilateral account reopening.”