
InfoBytes Blog

Financial Services Law Insights and Observations


  • Freddie allows digital paystubs in underwriting

    Agency Rule-Making & Guidance

    On May 22, Freddie Mac announced new capabilities allowing lenders to use a borrower’s digital paystub data when assessing income paid through direct deposit. Lenders will be able to access the enhancements to Freddie’s automated income assessment tool through the Loan Product Advisor (LPA) asset and income modeler (AIM). Freddie noted that in addition to providing access to direct deposit data, AIM is also able to “assess income from tax return data for self-employed borrowers as well as bank account data to identify a history of positive monthly cash flow activity” to help first-time homebuyers and borrowers in underserved communities who may not qualify through traditional methods of underwriting. AIM is also designed to notify lenders when submitting this type of account data may benefit a borrower. The new AIM capability will be available beginning June 7 to Freddie-approved sellers that use LPA.

    Agency Rule-Making & Guidance Federal Issues Freddie Mac Mortgages GSEs Consumer Finance Underwriting

  • FHA expedites claims process for HECMs

    Agency Rule-Making & Guidance

    On May 17, HUD announced new policies to expedite claims processing for home equity conversion mortgages (HECM). Specifically, FHA’s policies will allow for faster payment of funds to mortgagees upon assignment of an HECM to HUD by allowing borrowers with FHA mortgages to submit a request for a preliminary title approval earlier in the process and with fewer documents. Mortgagees will now be able to assign an HECM to HUD once the HECM reaches 98 percent of the maximum claim amount (MCA) and may begin submitting required information to HUD when the HECM reaches 97 percent of the MCA (based on the value of the property at the time the HECM loan is originated). The previous percentage was set at 97.5 percent. Additionally, mortgagees will be able to submit original notes and mortgages after assignment claim payment rather than before. HUD explained that allowing for earlier claim submission and improving document submission measures will hopefully shorten the time between the HECM reaching 98 percent of MCA and FHA paying the mortgagee for the claim.

    Agency Rule-Making & Guidance Federal Issues FHA Mortgages HECM HUD Consumer Finance

  • FTC, DOJ sue maker of health app over data sharing

    Federal Issues

    On May 17, the DOJ filed a complaint on behalf of the FTC against a health app for violating the Health Breach Notification Rule (HBNR) by allegedly sharing users’ sensitive personal information with third parties, disclosing sensitive health data, and failing to notify users of these unauthorized disclosures. According to the complaint, users were allegedly repeatedly and falsely promised via privacy policies that their health information would not be shared with third parties without the user’s knowledge or consent, and that any collected data was non-identifiable and only used for the defendant’s own analytics or advertising. The FTC charged the defendant with failing to implement reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools and for sharing health information used for advertising purposes without obtaining users’ affirmative express consent. Under the HBNR, companies with access to personal health records are required to notify users, the FTC, and media outlets in certain situations, if there has been an unauthorized acquisition of unsecured personal health information. The defendant also allegedly failed to impose limits on how third parties could use the data and failed to adequately encrypt data shared with third parties, thus subjecting the data to potential interception and/or seizure by bad actors.

    The proposed court order would require the defendant to pay a $100,000 civil penalty, and would permanently prohibit the company from sharing personal health data with third parties for advertising and from making future misrepresentations about its privacy practices. The defendant would also be required to (i) obtain user consent before sharing personal health data; (ii) limit data retention; (iii) request deletion of data shared with third parties; (iv) provide notices to users explaining the FTC’s allegations and the proposed settlement; and (v) implement comprehensive security and privacy programs to protect consumer data. The defendant has also agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon (who collaborated with the FTC on the action) for violating state privacy laws with respect to its data sharing and privacy practices.

    Federal Issues Privacy, Cyber Risk & Data Security FTC DOJ Consumer Protection Health Breach Notification Rule Enforcement Connecticut District of Columbia Oregon

  • FinCEN, Commerce urge monitoring of attempts to evade Russian export controls

    Financial Crimes

    On May 19, FinCEN and the Department of Commerce’s Bureau of Industry and Security (BIS) issued a supplemental joint alert urging continued vigilance for potential Russian export control evasion attempts. The alert reinforces ongoing initiatives to further constrain and prevent Russia from accessing critical technology and goods to support its war-making efforts against Ukraine. It follows a joint alert issued last June which urged financial institutions to take a “risk-based approach” for identifying potentially suspicious activity, such as end-use certificates, export documents, or letters of credit-based trade financing. (Covered by InfoBytes here.) The supplemental alert provides information on new export control restrictions implemented since the last joint alert was issued, including evasion typologies, new high priority Harmonized System codes to inform U.S. financial institutions’ customer due diligence, and additional transactional and behavioral red flags to help identify suspicious transactions relating to possible export control evasion.

    Financial Crimes Of Interest to Non-US Persons FinCEN Department of Commerce Russia Ukraine Ukraine Invasion Customer Due Diligence

  • FHFA requests feedback on single-family pricing framework

    Agency Rule-Making & Guidance

    Recently, the FHFA issued a request for input (RFI) on a single-family pricing framework for Fannie Mae and Freddie Mac (GSEs), including feedback on policy priorities and goals that FHFA should pursue in its oversight of the framework. “Through this RFI, FHFA seeks input on how to ensure the pricing framework adequately protects the [GSEs] and taxpayers against potential future losses, supports affordable, sustainable housing and first-time homebuyers, and fosters liquidity in the secondary mortgage market,” FHFA Director Sandra L. Thompson said in the announcement. The RFI also seeks input on the GSEs’ single-family upfront guarantee fees and whether it is appropriate to continue linking those fees to the Enterprise Regulatory Capital Framework. FHFA explained that guarantee fees are intended to cover the GSEs’ administrative costs, expected credit losses, and cost of capital associated with guaranteeing securities backed by single-family mortgage loans. Comments on the RFI are due August 14.

    Agency Rule-Making & Guidance Federal Issues FHFA Fannie Mae Freddie Mac GSEs Mortgages

  • FTC proposes changes to Health Breach Notification Rule

    Agency Rule-Making & Guidance

    On May 18, the FTC issued a notice of proposed rulemaking (NPRM) and request for public comment on changes to its Health Breach Notification Rule (Rule), following a notice issued last September (covered by InfoBytes here) warning health apps and connected devices collecting or using consumers’ health information that they must comply with the Rule and notify consumers and others if a consumer’s health data is breached. The Rule also ensures that entities not covered by HIPAA are held accountable in the event of a security breach. The NPRM proposed several changes to the Rule, including modifying the definition of “[personal health records (PHR)] identifiable health information,” clarifying that a “breach of security” would include the unauthorized acquisition of identifiable health information, and specifying that “only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.” The modifications would also authorize the expanded use of email and other electronic methods for providing notice of a breach to consumers and would expand the required content for notices “to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information.” Comments on the NPRM are due 60 days after publication in the Federal Register.

    The same day, the FTC also issued a policy statement warning businesses against making misleading claims about the accuracy or efficacy of biometric technologies like facial recognition. The FTC emphasized that the increased use of consumers’ biometric information and biometric information technologies (including those powered by machine learning) raises significant consumer privacy and data security concerns and increases the potential for bias and discrimination. The FTC stressed that it intends to combat unfair or deceptive acts and practices related to these issues and outlined several factors used to determine potential violations of the FTC Act.

    Agency Rule-Making & Guidance Federal Issues Privacy, Cyber Risk & Data Security FTC Consumer Protection Biometric Data Artificial Intelligence Unfair Deceptive UDAP FTC Act

  • CFPB issues guide on collecting small-biz data

    Agency Rule-Making & Guidance

    The CFPB recently issued a compliance guide for its final rule implementing Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the final rule (issued at the end of March) will require financial institutions to collect and provide to the Bureau data on lending to small businesses, defined as an entity with gross revenue under $5 million in its last fiscal year (covered by InfoBytes here). The guide: (i) includes a detailed summary of the final rule’s requirements, including data reporting deadlines; (ii) provides comprehensive information on the types of data financial institutions need to collect and report on small business lending applications and decisions; and (iii) includes parameters for covered institutions and covered originations. The guide further breaks down reportable data points and explains the final rule’s “firewall” provision, which states that employees and officers of a financial institution or its affiliates “involved in making any determination” on a reportable application are generally prohibited from accessing applicant demographic information relating to ethnicity, race, sex, and status as a minority-owned, women-owned, or LGBTQI+-owned business. The guide specifies that certain exceptions may apply to situations where an employee involved in decision-making must have access to the data to fulfill their assigned job duties (e.g. a loan officer or loan processor). In these situations, financial institutions are required to provide notice to applicants that employees and officers involved in decision-making may have access to their demographic data.

    Agency Rule-Making & Guidance Federal Issues CFPB Small Business Small Business Lending Section 1071 Dodd-Frank Compliance

  • CFPB examines consumer overdraft experiences

    Federal Issues

    On May 18, the CFPB published a data spotlight reporting on consumers’ experiences with overdraft programs. The Bureau conducted interviews and focus groups with low- and moderate-income consumers last summer where participants were asked about their use of deposit accounts and debit cards, their understanding of overdraft fees and non-sufficient funds (NSF) fees, and their perceptions of ways to avoid these fees. The Bureau found that, among other things, many consumers were not aware of their financial institution’s overdraft policies and thought protection automatically came with their account, while others were unaware that they could end overdraft protection. Others expressed concerns about fees, payment timing, and notifications, with some consumers saying that the typical $35 overdraft fee was “excessive” and “not necessarily proportional to the covered transaction.” Additional concerns flagged by consumers included: (i) financial hardships and fee waivers due to cascading overdraft fees; (ii) negative balances due to delayed merchant holds or delayed deposits; (iii) account closures because of overdraft fees, leading to difficulties when opening new accounts for some consumers; and (iv) limited awareness of various account options, including deposit accounts without overdraft fees and second-chance accounts. The Bureau reported that while some financial institutions have reduced or eliminated overdraft and NSF fees, implementation is “uneven and impermanent,” so consumers may not yet have benefited from the changes.

    Federal Issues CFPB Consumer Finance Overdrafts NSF Fees

  • Chopra highlights APOR in call for resilient and durable rules

    Federal Issues

    On May 17, CFPB Director Rohit Chopra announced that the agency is currently reviewing several of its rules and guidance documents in an effort to eliminate unnecessary complexities and create “more durable rules that don’t over-rely on single entities.” Chopra flagged issues related to the federal mortgage rules as an example of unnecessarily complex policies with a penchant for accommodating “dominant industry incumbents.” Last month, the Bureau announced a revised version of its methodology for calculating the average prime offer rates (APORs), which highlighted broader weaknesses resulting from single points of failure and a reliance on overly complicated benchmarks. As previously covered by InfoBytes, the methodology statement was revised to address the imminent unavailability of certain data that the Bureau previously relied on to calculate APORs, including changes made by Freddie Mac to its Primary Mortgage Market Survey used to calculate APORs for three types of loans. Noting that the Bureau has had other challenges relying on a single entity for calculating the APOR benchmark over the last decade, Chopra commented that “[n]o consumer protection rule should be designed so that its important protections are threatened by single points of failure or single sources.” He added that the revised APOR methodology further “highlighted the risks of relying on complicated reference rates that must be manually constructed rather than potentially more robust market-based measures that stand on their own.”

    Federal Issues CFPB Mortgages Consumer Finance Consumer Lending Interest Rate

  • Tennessee becomes 8th state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 11, the Tennessee governor signed HB 1181 to enact the Tennessee Information Protection Act (TIPA) and establish a framework for controlling and processing consumers’ personal data in the state. Tennessee is now the eighth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, and Indiana. TIPA applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Tennessee residents or (ii) controls or processes personal data of at least 25,000 Tennessee residents and derives 50 percent of gross revenue from the sale of personal data. TIPA provides for several exemptions, including financial institutions and data governed by the Gramm-Leach-Bliley Act and certain other federal laws, as well as covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of TIPA include:

    • Consumers’ rights. Under TIPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; request what categories of information were sold or disclosed; and opt out of the sale of their data.
    • Controllers’ responsibilities. Data controllers under TIPA will be responsible for, among other things, (i) responding to consumers’ requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, up to twice annually for each consumer; (ii) establishing an appeals process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (iv) not processing data for reasons incompatible with the specified purpose; (v) securing personal data from unauthorized access; (vi) not processing data in violation of state or federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (ix) providing clear and meaningful privacy notices. TIPA also sets forth obligations relating to contracts between a controller and a processor.
    • No private right of action but enforcement by state attorney general. TIPA explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law and seek penalties of up to $15,000 per violation and treble damages for willful or knowing violations. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
    • Right to cure. Upon discovering a potential violation of TIPA, the attorney general must give the data controller written notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit.
    • Affirmative defense. TIPA establishes an affirmative defense for violations for controllers and processors that adopt a privacy program “that reasonably conforms” to the National Institute of Standards and Technology Privacy Framework and complies with required provisions. Failing “to maintain a privacy program that reflects the controller or processor's data privacy practices to a reasonable degree of accuracy” will be considered an unfair and deceptive act or practice under Tennessee law.

    TIPA takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Tennessee Consumer Protection
