InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC orders card company to let merchants use other debit networks
On December 23, the FTC ordered a payment card company to stop blocking merchants from using competing debit payment networks. According to an agency investigation, the company allegedly violated provisions of the Durbin Amendment, which requires “banks to enable at least two unaffiliated networks on every debit card, thereby giving merchants a choice of which network to use for a given debit transaction,” and “bars payment card networks from inhibiting merchants from using other networks.” The FTC claimed that the company’s policy requires the use of a token when a cardholder loads a company-branded debit card into an ewallet. Ewallets are used to make online and in-app transactions, the FTC explained, adding that because competing networks cannot access the company’s token vault, merchants are dependent on the company to convert the token to process ewallet transactions using company-branded debit cards. Moreover, since the company allegedly did not provide conversion services to competing networks for remote ewallet debit transactions, the FTC asserted that it is impossible for merchants to route their ewallet transactions on other payment networks.
Under the terms of the proposed order, the company will be required to (i) provide other payment networks with customer account information in order to process ecommerce debit payments, and prohibit any efforts that may prevent other networks from serving as token service providers; (ii) provide notice to affected persons; (iii) provide 60-days advance written notice to the FTC before launching any pilot programs or new debit products that would require merchants to route electronic debit transactions only to the company; (iv) file regular compliance reports with the FTC; and (v) notify the FTC of any events that may affect compliance with the order.
DFPI modifies proposed regulations for complaints and inquiries under the CCFPL
On December 22, the California Department of Financial Protection and Innovation (DFPI) released modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last May to implement Section 90008 subdivisions (a) and (b) of the CCFPL, which authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries, as well as subdivision (d)(2)(D), which “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”
After considering comments received on the NPRM, changes proposed by the DFPI include the following:
- Amended definitions. The proposed regulations will not apply to, in addition to consumer reporting agencies and student loan servicers, a person or entity already exempt from the CCFPL under Section 90002. The definition of “complaint” is amended to include “an oral or written expression of dissatisfaction from a complainant regarding a specific issue or problem with a financial product or service.” Additionally, “complainant” is amended to also provide that a consumer must have been a resident of California at the time of the act, omission, decision, condition, or policy giving rise to the complaint. The proposed regulations also outline several categories that are not included in the definition of “complaint” or “inquiry.”
- Complaint procedure updates. The proposed regulations outline requirements for covered persons related to consumer disclosures and written communications covering the complaint process. The proposed regulations also require covered persons to accept all complaints, whether written or oral, provided the complaint includes a reason for filing the complaint and sufficient information to identify the complainant.
- Restrictions. Covered persons shall not (i) “[r]equest personal identifying information beyond what is reasonably necessary to identify the complainant and to send correspondence”; (ii) “[r]equest financial information unrelated to the specific complaint of the consumer:” or (iii) impose a time limit for filing a complaint that is shorter than one year from the time the complainant discovers the act, omission, decision, condition, or policy that is the subject of the complaint (if a time limit is imposed it must be stated in the required consumer disclosures).
- Complaint acknowledgements. For every complaint received, covered persons must send the complainant a written acknowledgement of receipt that is postmarked or otherwise shows that acknowledgement was sent within five business days after receiving the complaint. Within 15 business days after receiving a complaint, a covered person must provide a final decision on all issues. If additional time is required, a covered person must provide the complainant with a written update within three business days after the initial 15-business day period ends.
- Inquiry response requirements. Covered persons are required to develop and implement written policies and procedures to implement the regulations’ inquiry requirements, and must also respond to all issues raised by an inquiry within 10 business days. Covered persons must retain copies of all written inquiries and written responses for at least three years from the time the written response was issued.
- Reporting requirements. Covered persons must submit an annual complaint report to DFPI for each financial product or service offered or provided that will be made available to the public with limited exceptions. Each report shall include information regarding all complaints received by the covered person during the reporting period, and must be filed electronically with the Consumer Financial Protection Division no later than 60 business days after the end of each calendar year.
Comments on the proposed modifications are due January 20 (extended from January 13).
Colorado releases second draft of Colorado Privacy Act rules
On December 21, the Colorado attorney general released a second set of draft rules for the Colorado Privacy Act (CPA). As previously covered by a Buckley Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The first set of draft rules was issued last September and published by the Secretary of State on October 10 (covered by InfoBytes here).
The second set of draft rules seeks to address concerns raised through public comments as well as feedback received during three stakeholder sessions. The AG seeks specific input on questions related to (i) clarifications to definitions; (ii) the use of IP addresses to verify consumer opt-out requests; (iii) implementation of a universal opt-out mechanism; (iv) controller obligations related to meaningful privacy notices; and (v) bona fide loyalty programs. Among other things, the modifications would:
- Clarify definitions. The modifications add, delete, and amend several definitions, including those related to “biometric identifiers,” “commercial product or service,” “controller,” “employee,” “employer,” “employment records,” “noncommericial purpose,” “personal data,” “process,” “processor,” “profiling,” and terms involving automated processing.
- Amend purpose-based privacy notices. The modifications remove the requirement that privacy notices be purpose-based, and will instead require that the processing purpose and type of personal data processed be connected in a way that provides consumers a meaningful understanding of how their personal data will be used. The AG seeks feedback on ways the draft rules can “be made interoperable with California’s privacy notice requirements, while still considering the CPA’s purpose specification, secondary use requirements, and ensuring that a consumer has a meaningful understanding of the way their personal data will be used when they interact with a controller.” Feedback is also requested on whether controllers “who have updated their privacy policies to comply with California’s privacy notice requirements anticipate making a separate policy for Colorado, updating a California specific privacy notice to include Colorado or other state requirements, or revising the main privacy policy/notice to meet Colorado and other non-California state requirements[.]”
- Update universal opt-out mechanism. The modifications grant controllers six months from the date a universal opt-out mechanism is recognized by the AG to begin complying with that new mechanism. An initial public list of approved opt-out mechanisms will be published no later than January 1, 2024, and will be updated periodically.
- Clarify security measures and duty of care. The modifications provide additional details about the duty to safeguard personal data, and will require controllers to, among other things, consider “[a]pplicable industry standards and frameworks,” and the sensitivity, amount, and original source of the personal data when identifying reasonable and appropriate safeguards. The modifications also include provisions related to the processing of sensitive data inferences and specifies deletion requirements.
- Reduce data protection assessment requirements. The modifications reduce the information that must be included in a controller’s data protection assessment.
- Clarify privacy notice changes. The modifications clarify when a controller must notify a consumer of “substantive or material” changes to its data processing that trigger updates to its privacy notice. The modifications emphasize that disclosure of a new processing purpose in a privacy policy alone does not constitute valid consent.
- Address refreshing of consumer consent. The modifications provide that consumer consent must be refreshed when a consumer has not interacted with the controller in the last 12 months, and (i) the controller is processing sensitive personal information; or (ii) is processing personal data for secondary data use that involves profiling for a decision that could result “in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” However, controllers will not be required to refresh consent in situations where consumers have the ability to update their own opt-out preferences at any time.
Comments on the second set of draft rules are due February 1. If the formal rulemaking hearing on the proposed rules (scheduled for February 1) extends beyond that date, comments must be received on or before the last day of the hearing.
OFAC issues preliminary guidance on price cap policy implementation
On December 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced preliminary guidance on the implementation of the price cap policy for petroleum products of Russian Federation origin. As previously covered by InfoBytes, in November, OFAC published a Determination Pursuant to Executive Order (E.O.) 14071 stating that the prohibitions of E.O. 14071 apply to U.S. persons providing covered services (including (i) trading/commodities brokering; (ii) financing; (iii) shipping; (iv) insurance, including reinsurance and protection and indemnity; (v) flagging; and (vi) customs brokering) as they relate to the maritime transport of Russian Federation crude oil, provided, however, that such covered services are authorized if the Russian oil is purchased at or below the price cap. OFAC also published guidance on the implementation of a policy for crude oil of Russian Federation origin to provide an overview of the determination and the price cap. OFAC noted that it anticipates publishing final, combined guidance for both Russian oil and Russian petroleum products before February 5.
District Court grants summary judgment to bank in discriminatory lending suit
On December 19, the U.S. District Court for the Northern District of Illinois granted summary judgment in favor of a national bank with respect to discriminatory lending allegations brought by the County of Cook in Illinois (County). As previously covered by InfoBytes, the County alleged that the bank’s lending practices were discriminatory and led to an increase in foreclosures among Black and Latino borrowers, causing the County to incur financial injury, including foreclosure-related and judicial proceeding costs and municipal expenses due to an increase in vacant properties. In 2021, the court denied the bank’s motion to dismiss the alleged Fair Housing Act violations after determining that all the County had to do was show a reasonable argument that the bank’s lending practices resulted in foreclosures, and that the bank failed to dispute that the County properly alleged a financial injury sufficient to support standing.
The court explained in its December 19 order, however, that two of the County’s expert witnesses did not make valid comparisons when measuring the denial rate for minority borrowers compared to white borrowers. According to the court, the expert witnesses failed to properly account for the financial conditions of the borrowers seeking mortgage modifications, leaving the County with “no other evidentiary basis to establish that [the bank] engaged in intentionally discriminatory servicing practices that caused minority borrowers to disproportionately suffer default and foreclosure.” The court found that, accordingly, the County cannot demonstrate “intentional discrimination against minority borrowers that proximately caused the County’s injuries, and its disparate treatment claim accordingly cannot survive summary judgment.” Additionally, the court found that the County failed to cite authority for its arguments that the bank can be liable for loans it purchased “and for which it did not commit any discriminatory acts in servicing” or for loans it originated but sold and never serviced.
District Court approves $2.8 million settlement in FDCPA convenience fee class action
On December 22, the U.S. District Court for the Southern District of Florida granted preliminary approval of a $2.8 million settlement in an FDCPA class-action suit resolving allegations that convenience fees were charged when consumers made payments on their mortgages over the phone or online. According to the suit, the plaintiffs claimed the defendant did not charge processing fees if borrowers made payments by check or signed up for automatic monthly debits from their bank accounts. The plaintiffs further argued that the processing fees were “illegal and improper because neither the mortgages themselves nor applicable statutes authorize such fees.” The parties agreed to mediation in April 2022, and a motion for preliminary approval of a settlement was filed in August. A coalition of state attorneys general from 32 states and the District of Columbia, led by the New York AG filed an amicus brief in the district court opposing the original proposed $13 million settlement in the suit (covered previously by InfoBytes here). The AGs outlined concerns with the proposed settlement, including that (i) the relief provided to class members violates various state laws, and that the defendant seeks to ratify fees in an “unwritten, mass amendment” that violates state laws and regulations; (ii) class members only receive an “inadequate” one-time payment, while the defendant may continue to charge excessive fees for the life of the loan; and (iii) low- and moderate-income borrowers are not treated equitably under the proposed settlement. Under the terms of the new settlement, members of the class who do not opt out of the settlement will receive a share of the $2.8 million. The settlement also reduces the fees class members will have to pay when making payments online or via the telephone for the next two years. The defendant also agreed to add additional disclosures to its website to increase borrower awareness of alternative payment methods that could have lower fees or no fees. Defendant’s representatives will also receive additional training to ensure they provide additional information and disclosures about convenience fees when speaking with customers.
On June 16, the court granted final approval of the settlement.
FinCEN data reveals Russian oligarchs’ financial activity
On December 22, the Financial Crimes Enforcement Network (FinCEN) issued a Financial Trend Analysis on the financial activity of Russian oligarchs. In the analysis, FinCEN examined Bank Secrecy Act (BSA) reports from March 2022 to October 2022 involving Russian oligarchs, high-ranking officials, and sanctioned individuals. FinCEN identified 454 reports detailing suspicious activity and reported that some of the trends in the data by Russian oligarchs included: (i) the movement of funds around the start of the invasion of Ukraine in February 2022; (ii) the purchase of high-value goods or property in 2022; and (iii) based on the movement of funds from accounts in Russia to other countries, an indication of potential changes in longstanding oligarch-linked financial flows related to U.S. properties and companies. FinCEN noted that 78 percent of the 454 BSA reports were filed by U.S.-based depository institutions. Other types of financial institutions—such as holding companies or financial technology companies—submitted roughly 19 percent of reports, mainly on suspicious electronic funds transfers or wire transfers and suspicions concerning the source of funds.
CFPB adjusts annual dollar amount thresholds under TILA, HMDA regulations
On December 21, the CFPB released a final rule revising the dollar amounts for provisions implementing TILA and its amendments that impact loans under the Home Ownership and Equity Protection Act of 1994 (HOEPA) and qualified mortgages (QM). The Bureau is required to make annual adjustments to dollar amounts in certain provisions in Regulation Z, and has based the adjustments on the annual percentage change reflected in the Consumer Price Index for Urban Wage Earners and Clerical Workers (CPI-W) in effect on June 1, 2022. The following thresholds are effective January 1, 2023:
- For open-end consumer credit plans under TILA, the threshold for disclosing an interest charge will remain unchanged at $1.00;
- For HOEPA loans, the adjusted total loan amount threshold for high-cost mortgages will be $24,866, and the adjusted points-and-fees dollar trigger for high-cost mortgages will be $1,243;
- For qualified mortgages under the General QM loan definition, the thresholds for the spread between the annual percentage rate and the average prime offer rate will be: “2.25 or more percentage points for a first-lien covered transaction with a loan amount greater than or equal to $124,331; 3.5 or more percentage points for a first-lien covered transaction with a loan amount greater than or equal to $74,599 but less than $124,331; 6.5 or more percentage points for a first-lien covered transaction with a loan amount less than $74,599; 6.5 or more percentage points for a first-lien covered transaction secured by a manufactured home with a loan amount less than $124,331; 3.5 or more percentage points for a subordinate-lien covered transaction with a loan amount greater than or equal to $74,599; or 6.5 or more percentage points for a subordinate-lien covered transaction with a loan amount less than $74,599”; and
- For all QM categories, the adjusted thresholds for total points and fees will be “3 percent of the total loan amount for a loan greater than or equal to $124,331; $3,730 for a loan amount greater than or equal to $74,599 but less than $124,331; 5 percent of the total loan amount for a loan greater than or equal to $24,866 but less than $74,599; $1,243 for a loan amount greater than or equal to $15,541 but less than $24,866; and 8 percent of the total loan amount for a loan amount less than $15,541.”
With respect to credit card annual adjustments, the Bureau noted that its 2023 annual adjustment analysis on the CPI-W in effect on June 1, did not result in an increase to the current minimum interest charge threshold (which requires “creditors to disclose any minimum interest charge exceeding $1.00 that could be imposed during a billing cycle”).
The Bureau also issued a final rule adjusting the asset-size threshold under HMDA (Regulation C). Under HMDA, institutions with assets below certain dollar thresholds are exempt from collection and reporting requirements. The final rule increases the asset-size exemption threshold for banks, savings associations, and credit unions from $50 million to $54 million, thereby exempting institutions with assets of $54 million or less as of December 31, 2022, from collecting HMDA data in 2023.
CFPB discusses mortgage financing risk options in current environment
On December 21, the CFPB reported that higher mortgage interest rates have led to increased monthly payments and higher debt-to-income ratios for borrowers. According to a recent Bureau analysis of quarterly HMDA data, some interest rates on 30-year fixed-rate mortgages have risen as high as seven percent and are at levels higher than what has been seen for nearly 20 years. The Bureau reported that in response to increasing interest rates, financial service providers are offering alternative financing options to provide opportunities for consumers to access lower rates, including adjustable-rate mortgages, temporary buydowns, home equity lines of credit and loans, and loan assumptions where a homebuyer assumes responsibility for the remaining balance of a home seller’s mortgage with the original loan terms. Explaining the various risks associated with these offerings, the Bureau warned consumers that they should understand the costs associated with cash-out refinances and risks related to alternative sales transactions (e.g., contract-for-deeds or land contracts, rent-to-own arrangements, and equity-sharing arrangements), which may sound appealing in a higher interest rate market but may “lack the protections of traditional mortgages, including the ability to build and access home equity, foreclosure protections, or even basic disclosures that allow for comparison shopping.”
VA to update appraisal requirements and guidance for guaranteed housing loans
On December 27, President Biden signed H.R. 7735, the Improving Access to the VA Home Loan Benefit Act of 2022, which requires the Department of Veterans Affairs to update its regulations, requirements, and guidance related to appraisals for housing loans guaranteed by the agency. The regulations and requirements must specify when an appraisal is required, how an appraisal is to be conducted, and who is eligible to conduct an appraisal for such loans. The Act also requires the VA to submit recommendations to Congress no later than 90 days after the date of enactment for improving appraisal delivery times for VA loans. The agency must consider these recommendations when it prescribes its updated regulations and requirements. Additionally, the VA must provide guidance for desktop appraisals, taking into account situations where a desktop appraisal could provide cost savings for borrowers whereas “a traditional appraisal requirement could cause time delays and jeopardize the completion of a transaction.”