
InfoBytes Blog

Financial Services Law Insights and Observations


  • SBA creates new SBLC category and ends moratorium

    Agency Rule-Making & Guidance

    On April 12, the SBA published a final rule in the Federal Register lifting the moratorium on licensing new nondepository small business lending companies (SBLCs) and adding a new type of entity called a “Community Advantage SBLC.” The moratorium was imposed in 1982, after the agency determined it lacked adequate resources to effectively service and supervise additional SBLCs participating in SBA’s 7(a) loan program beyond the 14 it was authorized to approve. According to SBA, while the majority of 7(a) lenders are federally-regulated depository institutions, “SBLCs are regulated, supervised, and examined solely by SBA” and “are subject to specific regulations regarding formation, capitalization, and enforcement actions.” SBA explained that there are capital market gaps in certain markets that “continue to struggle to obtain financing on non-predatory terms.” The final rule lifts the licensing moratorium and eliminates the cap on the number of nondepository institutions in the program. The final rule also creates the Community Advantage SBLC to help bridge the financing gap that small businesses face in the private market. Community Advantage SBLCs are nonprofit organizations that will be licensed to make 7(a) loans to small businesses and will help SBA meet the needs of underserved communities. SBA also revised its regulations to remove the requirement for a separate loan authorization document to “eliminate the duplication of effort and opportunity for a mismatch of information between multiple sources of the loan terms and conditions.” The final rule is effective May 12.

    Agency Rule-Making & Guidance Federal Issues SBA Small Business Lending Nondepository

  • CFPB revises APOR methodology

    Federal Issues

    On April 14, the CFPB announced a revised version of its Methodology for Determining Average Prime Offer Rates (APORs). APORs are a series of benchmark APRs derived from the average interest rates and other loan pricing terms currently offered to consumers by a representative sample of creditors for mortgage loans with low-risk pricing characteristics. APORs are used to determine whether a particular loan is a “Qualified Mortgage” or a “Higher-Priced Mortgage Loan,” which determines the treatment of that loan under various consumer protection laws.

    The methodology statement has been revised to address the imminent unavailability of certain data the CFPB previously relied on to calculate APORs. Specifically, Freddie Mac recently made changes to its Primary Mortgage Market Survey (PMMS) used to calculate APORs for three types of loans. These changes make the PMMS unsuitable to be used in the APOR calculations. The CFPB is replacing data from the PMMS with data from ICE Mortgage Technology. This change also requires the CFPB to change certain of the product types for which APORs are produced. The CFPB will begin using ICE Mortgage Technology data and the revised methodology to calculate APORs on April 21, 2023.

    We note that the CFPB is not changing the frequency of the APOR calculations, which will still be calculated on a weekly basis. These changes will therefore not address industry concerns that the APORs can be as much as seven days old, which can result in the APORs being significantly different than the actual market rates on a given day. This dissonance can lead to significant issues during periods where interest rates rise rapidly as we saw during much of 2022.

    Federal Issues CFPB Consumer Finance Consumer Lending Interest Rate Mortgages

  • CFPB reports on Section 1033 rulemaking

    Federal Issues

    The CFPB recently released a final report issued by the Small Business Review Panel (Panel), which examines the impact of the Bureau’s proposals to address consumers’ personal financial data rights. Section 1033 of Dodd-Frank generally provides that covered entities, such as banks, must make available to consumers, upon request, transaction data and other information concerning consumer financial products or services that the consumer obtains from the covered entity. Over the past several years, the Bureau has engaged in a series of rulemaking steps to prescribe standards for this requirement, including the release of a 71-page outline of proposals and alternatives in advance of convening a panel under the Small Business Regulatory Enforcement Fairness Act. The outline presents items under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” (Covered by InfoBytes here.)

    While the Panel’s final report reflects its review of the Bureau’s proposals and the feedback received from small entity representatives that likely would be subject to the rule, it may not reflect updated findings uncovered during the process of producing a notice of proposed rulemaking because the report is drafted at the preliminary stage of the Bureau’s required rulemaking process.

    The report includes an overview of proposals and alternatives under consideration for the use of two existing definitions to establish data provider coverage: “financial institution” as defined by Regulation E (i.e. “depository and nondepository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution”), and “card issuer” as defined by Regulation Z (i.e. “depository and nondepository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer”). Entities that meet the definition of a “card issuer” would include both the person that issues a credit card and the person’s agents with respect to the card.

    The report analyzes numerous topics, including proposals covering asset accounts and credit card accounts, potential exemptions for certain covered data providers, the process for making information available to consumers and to third parties (including third-party commitments to data security, data accuracy and limitations, and disclosure compliance), record retention obligations, and the potential impact on small entities. The report includes a thorough breakdown of panel findings and recommendations.

    Federal Issues CFPB Consumer Finance Section 1033 Dodd-Frank SBREFA Agency Rule-Making & Guidance

  • FTC, Florida AG sue “chargeback mitigation” company

    Federal Issues

    On April 12, the FTC and the Florida attorney general filed a complaint in the U.S. District Court for the Middle District of Florida alleging a “chargeback mitigation” company and its owners (collectively, “defendants”) used numerous unfair tactics to thwart consumers trying to dispute credit card charges through the chargeback process. The chargeback process allows consumers to contest unwanted, fraudulent, or incorrect credit card charges with their credit card companies. According to the complaint, the defendants regularly sent screenshots and statements on behalf of company clients to credit card companies allegedly showing that consumers had agreed to the disputed charges. However, the FTC claimed that in many instances, the misleading screenshots did not come from the merchant’s website where the consumer made the disputed purchase. The complaint further alleged that the defendants used a system that allowed company clients to run numerous small-value transactions via prepaid debit cards in order to raise the number of transactions, thus lowering the percentage of charges that were disputed by consumers. The service, the FTC maintained, “enabled fraudulent merchants to evade or delay chargeback monitoring programs, fines, and account terminations designed to protect consumers from fraud.”

    The FTC noted that three of the defendants’ major clients (for which the defendants disputed tens of thousands of chargebacks on behalf of each of the companies) were previously sued by the FTC for engaging in deceptive negative-option marketing practices. The complaint accused the defendants of ignoring clear warning signs that the screenshots were misleading, including instances where the name of the product referenced in the screenshot did not match the product in the disputed purchase. The defendants also allegedly often overlooked company clients that opened and used a large number of different merchant accounts to process charges. Asserting violations of the FTC Act and the Florida Unfair and Deceptive Trade Practices Act, the complaint seeks permanent injunctive relief, restitution, and civil penalties.

    Federal Issues State Issues FTC Enforcement Consumer Finance Florida Credit Cards Courts FTC Act

  • FTC program targets robocalls from overseas

    Federal Issues

    On April 11, the FTC implemented Project Point of No Entry (PoNE) in an attempt to stop foreign-based scammers and imposters from targeting U.S. consumers with illegal robocalls. The FTC warned “point of entry” or “gateway” VoIP service providers that routing or transmitting illegal call traffic may violate the Telemarketing Sales Rule, which allows the Commission to seek civil penalties, restitution, and injunctions to stop violations. Through Project PoNE, the FTC will identify violators and “pursue recalcitrant providers” by opening enforcement investigations and filing lawsuits, as appropriate. According to the FTC, “Project PoNE has uncovered the activity of 24 target point of entry service providers responsible for routing and transmitting illegal robocalls between 2021 and 2023, in connection with approximately 307 telemarketing campaigns, including government and business imposters, COVID-19 relief payment scams, and student loan debt relief and forgiveness schemes, among others.” The FTC attributed the results to its collaboration with the Industry Traceback Group, the FCC, and state attorneys general, and said it will make publicly available recordings of the robocalls that target providers have allowed into the U.S. to help consumers identify and avoid scams. The announcement highlighted that before being contacted by the FTC, “the targets had a combined total of 1,043 tracebacks,” but that after being warned about the possible illegal conduct, the number decreased to 196 tracebacks. Of these 196 tracebacks, the FTC said “147 are linked to two uncooperative providers, one of which is subject to an FCC law enforcement action.”

    Federal Issues FTC Robocalls Telemarketing Sales Rule Of Interest to Non-US Persons FCC State Attorney General State Issues

  • OFAC sanctions former Haitian politician

    Financial Crimes

    On April 5, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13818, against the former President of the Haitian Chamber of Deputies “for his extensive involvement in corruption in Haiti.” OFAC explained that the designated individual “is a current or former government official, or a person acting for or on behalf of such an official, who is responsible for or complicit in, or has directly or indirectly engaged in, corruption, including the misappropriation of state assets, the expropriation of private assets for personal gain, corruption related to government contracts or the extraction of natural resources, or bribery.” The sanctions follow the designation of two Haitian politicians last December for their involvement in activities or transactions that have materially contributed to, or pose a significant risk of materially contributing to, the international proliferation of illicit drugs or their means of production. (Covered by InfoBytes here.)

    As a result of the sanctions, all property and interests in property belonging to the sanctioned individual subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons unless authorized by a general or specific license, or exempt. Financial institutions and persons that engage in certain transactions with the designated individual may themselves be exposed to sanctions or subject to enforcement.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List Haiti

  • OFAC sanctions politically connected Lebanese individuals

    Financial Crimes

    On April 4, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13441, against two politically connected Lebanese brothers who engaged in corrupt practices that contributed to the undermining of Lebanon’s democratic process. As a result of the sanctions, “all property and interests in property of the individuals named above, and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List Lebanon

  • Treasury recommends stronger DeFi supervision

    Financial Crimes

    On April 6, the U.S. Treasury Department published a report on illicit finance risks in the decentralized finance (DeFi) sector, building upon Treasury’s other risk assessments, and continuing the work outlined in Executive Order 14067, Ensuring Responsible Development of Digital Assets (covered by InfoBytes here).

    Written by Treasury’s Office of Terrorist Financing and Financial Crimes, in consultation with numerous federal agencies, the Illicit Finance Risk Assessment of Decentralized Finance is the first report of its kind in the world. The report explained that, while there is no generally accepted definition of DeFi, the term has broadly referred to virtual asset protocols and services that allow for automated peer-to-peer transactions through the use of blockchain technology. Used by a host of illicit actors to transfer and launder funds, the report found that “the most significant current illicit finance risk in this domain is from DeFi services that are not compliant with existing AML/CFT [anti-money laundering and countering the financing of terrorism] obligations.” These obligations include establishing effective AML programs, assessing illicit finance risks, and reporting suspicious activity, the report said.

    The report made several recommendations for strengthening AML/CFT supervision and regulation of DeFi services, such as “closing any identified gaps in the [Bank Secrecy Act (BSA)] to the extent that they allow certain DeFi services to fall outside the scope of the BSA’s definition of financial institutions.” The report also recommended, “when relevant,” the “enforcement of virtual asset activities, including DeFi services, to increase compliance by virtual asset firms with BSA obligations,” and suggested continued research and engagement with the private sector on this subject.

    In addition, the report pointed to a lack of implementation of international AML/CFT standards by foreign countries, “which enables illicit actors to use DeFi services with impunity in jurisdictions that lack AML/CFT requirements,” and commented that “poor cybersecurity practices by DeFi services, which enable theft and fraud of consumer assets, also present risks for national security, consumers, and the virtual asset industry.” To address these concerns, the report recommended “stepping up engagements with foreign partners to push for stronger implementation of international AML/CFT standards and advocating for improved cybersecurity practices by virtual asset firms to mitigate these vulnerabilities.” The report seeks input from the public sector to inform next steps.

    Financial Crimes Agency Rule-Making & Guidance Of Interest to Non-US Persons Department of Treasury Anti-Money Laundering Combating the Financing of Terrorism Illicit Finance Decentralized Finance Supervision Bank Secrecy Act Digital Assets Fintech

  • NYDFS, crypto payment company reach AML/cybersecurity settlement

    State Issues

    On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.

    State Issues Digital Assets Privacy, Cyber Risk & Data Security State Regulators NYDFS Anti-Money Laundering Cryptocurrency Virtual Currency Payments Fintech Settlement 23 NYCRR Part 200 23 NYCRR Part 500 OFAC Risk Management

  • District Court dismisses RESPA claims that servicer failed on QWRs

    Courts

    The U.S. District Court for the Western District of Washington recently ruled on a loan servicer’s motion for summary judgment concerning claims that the servicer violated RESPA when it failed to respond to multiple qualified written requests (QWR) alleging account errors and improperly reported alleged delinquencies to credit reporting agencies (CRAs). Plaintiffs executed a promissory note and deed of trust, and later entered into a Chapter 11 bankruptcy plan to modify the terms of the loan. Plaintiffs sued, asserting violations of RESPA and various state laws, claiming, among other things, that the servicer failed to timely respond to their QWRs, provided false information to CRAs, and failed to adjust the loan to reflect the modified payment schedule from the bankruptcy plan.

    The court granted summary judgment in favor of the servicer. On the QWR-related allegations, the court found that, “while the [plaintiffs] say that [the servicer] did not address the issues raised in the QWRs, their brief does not identify a single issue that went unaddressed. . . Their brief does not, for example, point to a request in any QWR that went unanswered in [the servicer’s] corresponding response. Merely providing a laundry list of documents—without specifically identifying how [the servicer’s] responses were incomplete—is insufficient.” The court also found that the plaintiffs failed to show that the servicer’s responses were misleading, confusing, or incorrect. Though the plaintiffs provided a list of statements made by the servicer when responding to the QWRs, plaintiffs failed to explain what exactly was inaccurate or confusing about the servicer’s responses, the court said.

    While the court flagged one possible inconsistency in at least one of the servicer’s responses (where the servicer incorrectly stated the monthly principal amount due but corrected the mistake less than a month later), the court determined that “this alone does not suffice under RESPA.”

    With respect to plaintiffs’ allegations of false credit reporting, the court concluded that there was no evidence that the servicer submitted negative information about plaintiffs to a CRA, nor did the plaintiffs demonstrate how any such reports hurt their credit or identify whether the reports were filed within RESPA’s 60-day non-reporting period. Under RESPA, a servicer is prohibited from providing certain information regarding “any overdue payment, owed by such borrower and relating to such period or qualified written request, to any consumer reporting agency” during the 60-day period beginning on the date the servicer receives a QWR. The court further noted that the plaintiffs failed to show that they suffered actual damages “flowing from” the alleged RESPA violations, which is a requirement of the statute.

    The court granted summary judgment on the RESPA claims in favor of the servicer and remanded the remaining state-law claims to state court.

    Courts RESPA Consumer Finance Mortgages Mortgage Servicing Qualified Written Request Credit Reporting Agency State Issues
