Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • EU Commission, Council, and Parliament agree on details of AI Act

    Privacy, Cyber Risk & Data Security

    On December 9, the EU Commission announced a political agreement between the European Parliament and the European Council regarding the proposed Artificial Intelligence Act (AI Act).  The agreement is provisional and is subject to finalizing the text and formal approval by lawmakers in the European Parliament and the Council. The AI Act will regulate the development and use of AI systems, as well as impose fines on any non-compliant use. The object of the law is to ensure that AI technology is safe and that its use respects fundamental democratic rights while balancing the need to allow businesses to grow and thrive. The AI Act will also create a new European AI Office to ensure coordination, transparency, and to “supervise the implementation and enforcement of the new rules.” According to this EU Parliament press release, powerful foundation models that pose systemic risks will be subject to specific rules in the final version of the AI Act based on a tiered classification.

    Except with foundation models, the EU AI Act adopts a risk-based approach to the regulation of AI systems, classifying these into different risk categories: minimal risk, high-risk, and unacceptable risk. Most AI systems would be deemed as minimal risk since they pose little to no risk to citizens’ safety. High-risk AI systems would be subject to the heaviest obligations, including certifications on the adoption of risk-mitigation systems, data governance, logging of activity, documentation obligations, transparency requirements, human oversight, and cybersecurity standards.  Examples of high-risk AI systems include utility infrastructures, medical devices, institutional admissions, law enforcement, biometric identification and categorization, and emotion recognition systems. AI systems deemed “unacceptable” are those that “present a clear threat to the fundamental rights of people” such as systems that manipulate human behaviors, like “deep fakes,” and any type of social scoring done by governments or companies. While some biometric identification is allowed, “unacceptable” uses include emotional recognition systems at work or by law enforcement agencies (with narrow exceptions).

    Sanctions for breach of the law will range from a low of €7.5 million or 1.5 percent of a company’s global total revenue to as high as €35 million or 7 percent of revenue. Once adopted, the law will be effective from early 2026 or later. Compliance will be challenging (the law targets AI systems made available in the EU), and companies should identify whether their use and/or development of such systems will be impacted.

    Privacy, Cyber Risk & Data Security Privacy European Union Artificial Intelligence Privacy/Cyber Risk & Data Security Of Interest to Non-US Persons

  • California’s new mortgage servicer during a “state of emergency” to be effective

    State Issues

    Recently, California enacted SB 455 to address mortgage servicing during a state of emergency. SB 455 will require a mortgage servicer (transferring a mortgage secured by a property within a proclaimed emergency zone) to provide the new servicer with written records between the borrower and the old servicer on the borrower’s election to use insurance proceeds to repair or replace property damaged by a disaster. Additionally, SB 455 prevents the new servicer from disregarding any prior written agreements between the original servicer and the borrower regarding property repairs that were approved by the owner of the promissory note. The SB 455 bill will be effective January 1, 2024. 

    State Issues California State Legislation Mortgages Mortgages Servicing

  • District Court partially dismisses TCPA claims

    Courts

    On December 12, the U.S. District Court for the Northern District of Illinois partially granted a culinary school’s motion to dismiss claims concerning unwanted calls to enroll in cooking classes. According to the memorandum opinion and order, the plaintiff filed suit after the culinary school called her over 30 times, even though she had requested the school to place her on a do-not-call list. The plaintiff claimed the school violated the Telephone Consumer Protection Act (TCPA) by making unwanted calls and leaving prerecorded messages on her cell phone.  

    According to the court, any calls made to a cell phone cannot violate § 227(b)(1)(B) because the court reasoned that “a cellular phone and a residential phone are not the same thing,” and that § 227(b)(1)(B) of the TCPA expressly covers “residential telephone line[s],” but not cellular telephone services. Regarding the plaintiff’s claim under § 227(b)(1)(A) of the TCPA, although the school argued there was not enough proof that the calls were prerecorded, including because some of the calls came from different states, the court disagreed and provided examples of why the calls could have been prerecorded. The court consequently denied the school’s motion to dismiss the plaintiff’s § 227(b)(1)(A) claim.

    Courts TCPA

  • Agencies extend Regulation O relief for some companies controlled by funds

    On December 15, the Fed, FDIC, and the OCC announced the issuance of an interagency statement to further extend the “Extension of the Revised Statement Regarding Status of Certain Investment Funds and their Portfolio Investments for Purposes of Regulation O and Reporting Requirements under Part 363 of FDIC Regulations.” The original statement was issued on December 22, 2022, with an expiration of January 1, 2024. The new interagency statement effectively extends the prior no-action position (covered by InfoBytes here) until either January 1, 2025 or the effective date of amendments to Regulation O that addresses the treatment of extensions of credit by a bank to fund complex–controlled portfolio companies that are bank insiders.

    The agencies noted that they will refrain from acting against banks extending credit to complex-controlled portfolio companies that would otherwise violate Regulation O, provided the company controls (directly or indirectly) less than 15 percent of the bank’s voting securities (or 20 percent under certain circumstances) and does not plan to place representatives or exercise a controlling influence over the bank. Additionally, the agencies will not pursue action against insured depository institutions for failing to report credit extensions that would violate Regulation O but fall under the interagency statement’s coverage. The agencies explained how credit extensions must be on “substantially the same terms as those prevailing for comparable transactions with unaffiliated third parties” and may not “involve more than normal risk of repayment or present other unfavorable features.”

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC OCC Federal Reserve Regulation O

  • Fed enters into written agreement with Ohio bank

    Agency Rule-Making & Guidance

    On December 19, the Federal Reserve Board announced a written agreement with an Ohio state-chartered bank and its holding company to address certain deficiencies identified during a recent examination of the bank. Under the agreement, the bank and its holding company agreed to: (i) use the bank’s resources as a “source of strength”; (ii) submit a written plan to enhance board oversight and management; (iii) conduct a third-party assessment of the bank’s staff; (iv) submit an enhanced written investment policy that includes “periodic analysis of the investment portfolio, including, but not limited to the assessment of market risk, credit risk, interest rate risk, and liquidity risk of the underlying investments”; (v) improve the bank’s investment portfolio management and interest rate risk management practices; (vi) implement an enhanced liquidity risk management program; and (vii) submit a written plan regarding sufficient capital (among other corrective actions). 

    Agency Rule-Making & Guidance Ohio Federal Reserve Enforcement

  • OCC issues cease-and-desist order to NY bank

    Agency Rule-Making & Guidance

    On December 14, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals that are or were affiliated with such entities. Included is a cease-and-desist order against an upstate New York bank for allegedly engaging in unsafe or unsound practices, including on the bank’s corporate governance, capital planning, interest rate risk management, liquidity risk management, and reports of condition.

    Under the order, the bank must appoint a compliance committee to take corrective action, submit a three-year strategic plan to establish objectives for the bank’s risk profile, earnings performance, growth, and balance sheet mix, among other areas, and maintain a capital ratio of at least 15 percent, a common equity tier 1 capital of at least equal to 14 percent, and a leverage ratio of at least ten percent. The order also requires the bank to create an interest rate risk program and a third-party risk management program.

    Agency Rule-Making & Guidance Cease and Desist New York Banking Corporate Governance Capital Requirements

  • CFPB fines and shuts down debt collector for alleged FDCPA, FCRA violations

    Federal Issues

    On December 15, the CFPB announced a consent order against a Pennsylvania-based nonbank medical debt collection company for alleged violations of the FCRA and FDCPA. According to the order, the company failed to (i) establish and implement reasonable written policies and procedures for ensuring the accuracy and integrity of information furnished to consumer reporting agencies; (ii) conduct reasonable investigations into direct and indirect consumer disputes about furnished information; (iii) report direct dispute investigation results to consumers; and (iv) indicate disputed items when furnishing information to reporting agencies. The company also allegedly lacked a reasonable basis for debt-related representations made to consumers and engaged in collection activities after receiving a written dispute within 30 days of the consumer’s receipt of a debt validation notice but before obtaining and mailing a verification of the debt.

    The consent order permanently bans the company from involvement or aid in debt collection, purchasing or selling of any debts, or any consumer reporting activities. The company must also request credit reporting agencies to delete all collection accounts previously reported by the company. Additionally, the company is obligated to pay a $95,000 civil money penalty and must display on its website information that informs consumers about the option to file a complaint with the CFPB.

    Federal Issues CFPB Debt Collection Consent Order Enforcement FDCPA FCRA Regulation V Nonbank

  • District Court grants motion to dismiss in FDCPA case regarding an undated Model Validation Notice

    Courts

    On December 5, the U.S. District Court for the Southern District of New York granted a debt collection agency (the defendant) a motion to dismiss an individual’s (plaintiff’s) complaint. The case considers whether an undated Model Validation Notice (MVN) is a material detail that provides standing to sue under the FDCPA. An MVN is a form provided by the CFPB in Appendix B of the Debt Collection Rule to assist debt collection agencies in complying with FDCPA notice and disclosure requirements. However, the CFPB provides an undated MVN, so many debt collectors who use this template fail to provide a date when sending a debt collection letter to individuals, leading to a recipient’s confusion when the debt collector writes “today” or “now.”

    In this case, the plaintiff alleges that the undated collection letter suggests the defendant “withheld a material term from [p]laintiff which made it confusing for him to understand the nature of the subject debt.” The plaintiff did not pay the debt, and instead, he alleged that he suffered damages from the defendant’s “suspicious, misleading, deceptive, unfair, and unconscionable actions.”

    Before addressing the merits of the plaintiff’s claims, the court applied Article III standing to determine if the plaintiff had a basis to sue. The court considered whether the plaintiff had suffered a “concrete, particularized injury” in receiving an undated letter from the defendant and concluded that the plaintiff did not suffer harm as a result of this act under Article III because “[t]ime and money spent due to concern and confusion are not concrete harms.” The court held the plaintiff had no standing to bring this action and granted the defendant’s motion to dismiss the plaintiff’s claims. The court, however, gave the plaintiff the opportunity to file an amended complaint.

    Courts FDCPA Debt Collection CFPB SDNY Consumer Finance

  • NY enacts the Fair Medical Debt Reporting Act

    State Issues

    On December 13, the New York governor signed into law S4907A, or the Fair Medical Debt Reporting Act (the “Act”), a medical debt credit reporting bill that will bar credit reporting agencies from directly or indirectly incorporating medical debt into consumer credit reports. The Act specifically prohibits hospitals, health care professionals, and ambulances from reporting medical debt to credit agencies. The Act defines medical debt as any amount owed or claimed by a consumer “related to the receipt of health care services, products, or devices provided to a person” by a hospital, health care professional, or ambulance service. Notably, obligations charged to a credit card are excluded from medical debts unless the card is specifically designated for health care expenses under an open-ended or closed-end plan. 

    State Issues State Legislation New York Medical Debt Credit Reporting Agency Credit Report Consumer Protection Consumer Finance

  • NY passes law to preserve credit card points and rewards for consumers

    State Issues

    On December 10, New York General Business Law § 520-e went into effect according to the Governor’s press release. The new law prevents credit card holders from losing unused earned credit card points and requires credit card issuers to send consumers a notice of any outstanding credit card points or rewards they have accrued in their accounts, even after the account is closed. Specifically, credit card issuers will have 45 days to provide notice of any outstanding credit card rewards or points following the closing of a consumer’s account. From the date of the issuer’s notice, consumers will have a 90-day grace period to redeem their points or rewards.

    State Issues New York Credit Cards Rewards Programs State Legislation

Pages

Upcoming Events