InfoBytes Blog

Financial Services Law Insights and Observations

  • District Court grants full remedies to CFPB, State AGs

    Courts

    On March 31, the U.S. District Court for the Western District of Virginia entered an order granting the plaintiff state attorneys general and CFPB’s requested remedies in full against a defendant accused of violating consumer protection laws in administering “immigration bonds” for indigent consumers facing deportation. As previously covered by InfoBytes, in 2021 the CFPB and the Massachusetts, New York, and Virginia State Attorneys General filed a 17-count complaint against the defendant, a subsidiary of a bond service for non-English speaking U.S. Immigration and Customs Enforcement (ICE) detainees. The complaint accused the defendant of misrepresenting the cost of immigration bond services and deceiving migrants into continuing to pay monthly fees by making false threats of deportation for failure to pay. Last May, the court entered default judgment against defendants (covered by InfoBytes here). In the court’s most recent order, it granted the plaintiffs’ request for injunctive relief, stating that the CFPB met the standard for injunctive relief under the CFPA, and it would “undoubtedly serve the public interest.” The court also noted that the plaintiffs’ claims supported injunctive relief under state laws as well. The order also included (i) $230.9 million in restitution to the CFPB; (ii) a $111 million civil money penalty to the CFPB; (iii) a $7.1 million civil money penalty to Virginia; (iv) a $3.4 million civil money penalty to Massachusetts; and (v) a $13.89 million civil money penalty to New York.

    Courts State Issues CFPB Enforcement State Attorney General CFPA Deceptive Abusive

  • Fed’s Bowman speaks on bank liquidity a year after banking crises

    On April 3, Fed member Michelle Bowman delivered a speech on “Bank Liquidity, Regulation, and the Fed’s Role as Lender of Last Resort.” Her speech highlighted three points: first, she discussed how the Fed supported liquidity in the banking system; second, she discussed the broader framework that supported bank liquidity, including regulatory requirements, bank supervision, and deposit insurance; and third, she discussed the challenges the Fed faced in implementing liquidity tools. On the Fed’s role in banking system liquidity, Bowman mentioned how the banking system was stronger today than before the 2008 financial crisis due to having more capital and more liquidity, as well as new stress testing requirements. The Fed’s emergency lending authority also changed to be broad-based, as opposed to being designed for individual companies, and now required approval by the Secretary of the Treasury. On challenges, Bowman highlighted how to reduce the stigma associated with discount window borrowing by mandating that banks “pre-position collateral” and “periodically borrow from the discount window.”

    Bank Regulatory Liquidity Regulation Stress Test

  • OCC releases March CRA evaluations for 19 banks

    On April 1, the OCC released its Community Reinvestment Act (CRA) performance evaluations for last March. The OCC evaluated 19 national banks, federal savings associations, and insured federal branches of foreign banks with a rubric that included four possible ratings: Outstanding, Satisfactory, Needs to Improve, and Substantial Noncompliance. Of the 19 evaluations reported by the OCC, two Midwest banks received the lowest rating, which was “Needs to Improve.” Most entities were rated “Satisfactory,” and four entities were rated “Outstanding.” A full list of the bank evaluations is available here. In an OCC FAQ regarding the implementation of the CRA, the OCC detailed how it evaluated and rated financial institutions by reviewing both the institution itself (such as its capacity, constraints, business strategies, competitors, and peers) and the community the institution serves (such as its demographics, economic data, and its lending, investment, and service opportunities). 

    Bank Regulatory OCC Bank Supervision CRA Supervision FAQs

  • FDIC’s Consumer Compliance report outlines most frequently cited violations and observations

    On March 28, the FDIC released its March 2024 version of the Consumer Compliance Supervisory Highlights from the previous year, a report that enhanced transparency regarding the FDIC’s consumer compliance supervisory activities. The FDIC reported 16 formal enforcement actions and another 16 informal enforcement actions to address consumer compliance examination findings. The report highlighted how the FDIC conducted almost 900 consumer compliance examinations. The top five most frequently cited violations of moderate severity (levels two and three out of five of supervisory concern), which represented 74 percent of the total violations, included, in order from most frequently cited to least: TILA, and its implementing regulation, Regulation Z; the Flood Disaster Protection Act (FDPA) and its implementing regulation, Part 339; EFTA, and its implementing regulation, Regulation E; TISA, and its implementing regulation, Regulation DD; and Section 5 of the FTC Act. The report noted how Section 5 of the FTC Act dropped from the second most frequently cited to the fifth.

    The FDIC’s report outlined the most significant consumer compliance examination observations, including the misuse of the FDIC’s logo, advertising of credit builder products, electronic fund transfer (EFT) error resolutions by third parties, mortgage broker relationships, and fair lending compliance. On the misuse of the FDIC’s logo, the FDIC found “a number of third parties” misrepresented the FDIC’s deposit insurance in violation of Section 18(a)(4) of the FDI Act. On substantiating claims in the advertising of credit builder products, the FDIC found that institutions collaborated with fintech companies on credit builder products and falsely advertised “these products would improve” one’s credit score, in violation of Section 5 of the FTC Act. On EFTs handled by third parties, the FDIC identified an issue with a security program in validating customer transactions in violation of Regulation E of EFTA. On payments for mortgage brokerage services, the FDIC found RESPA Section 8 violations involving mortgage broker relationships. On oversight of third parties, the FDIC identified issues with an institution that partnered with third-party lenders to offer unsecured consumer loans, finding the institution violated Section 39 of the FDI Act. Lastly, on fair lending, the FDIC found that most of the DOJ’s referral matters pertinent to discrimination related to redlining, automobile financing, and credit underwriting.

    Bank Regulatory Federal Issues FDIC Enforcement FTC Act TILA

  • FDIC issues February enforcement action against New York bank for lack of effective third-party oversight

    On March 29, the FDIC released its list of February 2024 enforcement actions, which included a consent order against a New York digital bank in which the FDIC alleged a lack of sufficient oversight of the bank’s third-party relationships. According to the consent order, the bank allegedly engaged in unsafe and unsound banking practices due to a lack of internal controls appropriate to the bank’s size and risk of its third-party relationships, and weaknesses in board oversight of asset growth and management, among other issues. The FDIC further alleged that the bank violated several laws including BSA, EFTA, and TISA.

    The FDIC ordered the bank’s board to increase its oversight of the bank’s management and the bank’s financial condition commensurate with the size of the bank and the risk of its third-party relationships. Further, the FDIC ordered the board to correct or eliminate any unsafe banking practices or violations of the law. On data and systems, the FDIC ordered the bank to conduct a data and systems review and develop a written action plan to address any deficiencies or weaknesses. Notably for the bank’s third-party relationships, the FDIC ordered that the bank’s procedures, data, and systems include “clear lines of authority” responsible for monitoring bank procedures and effective risk assessments. Finally, among other things, the FDIC ordered the bank to implement look-back reviews and have its board review the bank’s program to ensure compliance with consumer-related laws. 

    Bank Regulatory Enforcement FDIC Third-Party Bank Secrecy Act EFTA New York

  • FinCEN seeks public comment for changing SSN requirements during customer identification

    Agency Rule-Making & Guidance

    On March 29, FinCEN published a request for information (RFI) and comment in the Federal Register, in consultation with the OCC, FDIC, NCUA, and the Fed, to receive more information on the Customer Identification Program (CIP) Rule requirement. This announcement extended the comment period as the regulators explored how banks can better collect a customer’s social security number (SSN). Specifically, FinCEN sought information on the “potential risks and benefits” if banks were to be allowed to collect partial SSNs from customers and then use a “reputable” third-party source to obtain the full SSN. FinCEN noted there has been “expressed interest” in permitting this practice. Written comments must be received on or before May 28.

    Agency Rule-Making & Guidance Customer Identification Program FinCEN Anti-Money Laundering

  • CFPB, FTC submit amicus brief in FCRA case

    Federal Issues

    On March 29, the CFPB and the FTC filed an amicus brief in the U.S. Court of Appeals for the Eleventh Circuit, arguing that the FCRA mandated that consumer reporting agencies (CRAs) perform a “reasonable reinvestigation” when a consumer challenged the “completeness or accuracy of any item or information” in their file.

    In the underlying case, a consumer claimed she identified multiple inaccuracies in her credit report held by the defendant CRA, including issues with her name, address, and Social Security number. She allegedly contacted the defendant three times to dispute these errors, but the defendant directed her to resolve the issues with the misinformation sources and did not conduct its own reinvestigation as the consumer believed was required by the FCRA.

    The consumer then filed a lawsuit against the defendant CRA for not performing the reinvestigation. The district court acknowledged that the defendant should have completed the reinvestigation under the FCRA but nonetheless concluded that the defendant did not violate the statute because it did not reasonably interpret that the FCRA did not require a reinvestigation.

    The case is now on appeal, and the CFPB and FTC have submitted a joint amicus brief arguing that the FCRA required a CRA to reinvestigate a consumer’s dispute about personal identifying information, and that the district court correctly determined that a reinvestigation was required. The brief also argued that the district court nonetheless erred in concluding that the defendant did not negligently or willfully violate the FCRA because the defendant’s interpretation of the FCRA was not “objectively reasonable.”

    Federal Issues Courts CRA CFPB FTC Amicus Brief

  • FTC to hold an informal hearing on its proposed “junk fee” rules

    Federal Issues

    On March 27, the FTC published a notice in the Federal Register informing the public of its decision to hold an informal hearing on its proposed rule prohibiting “junk fees.” As previously covered by InfoBytes, the FTC released a notice of proposed rulemaking (“NPRM”) titled “Rule on Unfair or Deceptive Fees” and extended the comment period last October. In the NPRM, the FTC presented the opportunity for any party to present their positions orally. The FTC announced that 17 commenters requested to partake in the informal hearing by presenting oral statements and an administrative law judge for the FTC will serve as the presiding officer. The informal hearing will be presented virtually on April 24 at 10:00 a.m. Eastern time. The hearing will be presented live to the public on the FTC’s website, and a recording will be placed in the rulemaking record.

    Federal Issues FTC Junk Fees ALJ

  • State AGs sue to block Biden's SAVE Plan for student loan forgiveness

    Federal Issues

    On April 1, 10 state attorneys general filed a lawsuit in the U.S. District Court for the District of Kansas against President Biden, the Secretary of Education, and the Department of Education seeking to block the enactment of the SAVE Plan. As previously covered by InfoBytes, the SAVE Plan was an income-driven repayment plan, intended to calculate payments based on a borrower’s income and family size, rather than the loan balance, and forgave balances after several years since repayment. According to the complaint, the government released a rule for the new SAVE Plan intended to eliminate at least $156 billion in student debt as the second step in a three-part loan forgiveness initiative. The first step involved an attempt to cancel $430 billion in student loans under the HEROES Act, which the U.S. Supreme Court ruled unconstitutional in Biden v. Nebraska.

    The SAVE Plan assumed $430 billion in loans would be forgiven beforehand, but after the Supreme Court's decision, the defendants allegedly did not revise the cost estimate in anticipation of overturning the case. This oversight led to a significant underestimation of the SAVE Plan's true cost, plaintiffs alleged.

    Plaintiffs further claimed that the SAVE Plan was written before the Supreme Court's ruling in Biden v. Nebraska and thus included outdated statements of confidence in the defendants' authority to pursue debt relief. The rule would take effect on July 1, but defendants allegedly have already started forgiving loans for some individuals before this date. The complaint alleged that on February 21, the Department of Education forgave the debt of 153,000 borrowers, which the state attorneys general claimed violated Biden v. Nebraska.

    Plaintiffs brought claims under the Administrative Procedure Act, contending that the Department of Education exceeded its authority under the Higher Education Act of 1965 by issuing the rule and that the rule would be arbitrary and capricious since defendants failed to account for the full cost of the rule.

    Federal Issues Courts State Attorney General SAVE Plan Student Loans Biden

  • New Hampshire enacts SB 255, a comprehensive consumer privacy bill

    State Issues

    Recently, the Governor of New Hampshire signed SB 255 (the “Act”) making New Hampshire the 14th state to enact a comprehensive consumer privacy bill. The Act will apply to entities that engage in commercial activities within New Hampshire or target New Hampshire consumers for their products or services and that during a one-year period either: (i) control or process data of 35,000 New Hampshire consumers (except solely for purposes of completing a payment transaction); or (ii) control or process data of 10,000 New Hampshire consumers and derive more than 25 percent of their revenue from selling the data. Exemptions include entities or data subject to the Gramm-Leach-Bliley Act’s Title V, non-profit organizations, and higher education institutions. The legislation will also exempt specific types of data, such as health information that is protected under HIPAA or data subject to the FCRA. The definition of consumer is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data.

    The Act will define new terms, such as “sensitive data” which could mean “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status.” “Sensitive data” also includes genetic or biometric information, data on children, and precise location details. New Hampshire will now mandate that companies obtain explicit consent from consumers before processing sensitive data.

    The Act also granted consumers the following rights: the right to know, the right to correct, the right to delete, the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance, and the right to data portability.  Consumers will also be protected against discrimination for exercising any of the above rights.

    The Act contained controller responsibilities, including:

    • Limiting the collection of personal data to what is adequate, relevant and reasonably necessary;
    • Not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes that were disclosed to the consumer, unless the controller obtains the consumer's consent;
    • Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
    • Not processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
    • Providing an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, ceasing to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
    • Not processing the personal data of a consumer for purposes of targeted advertising, or selling the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.

    The controller also must provide a privacy notice meeting the standards set forth by the Secretary of State. Controllers must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.

    The attorney general has exclusive authority to enforce the Act. Between January 1, 2025, and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure but is not required to provide such an opportunity. The Act does not include a private right of action. The Act will take effect on January 1, 2025.

    State Issues Privacy, Cyber Risk & Data Security New Hampshire State Legislation Consumer Protection
