InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB releases regulatory agenda
Recently, the Office of Information and Regulatory Affairs released the CFPB’s fall 2022 regulatory agenda. Key rulemaking initiatives that the agency expects to initiate or continue include:
- Overdraft and NSF fees. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation Z with respect to special rules for determining whether overdraft fees are considered finance charges. According to the Bureau, the rules, which were created when Regulation Z was adopted in 1969, have remained largely unchanged despite the fact that the nature of overdraft services has significantly changed over the years. The Bureau is also considering whether to engage in pre-rulemaking activity in November regarding non-sufficient fund (NSF) fees. The Bureau commented that while NSF fees have been a significant source of fee revenue for depository institutions, recently some institutions have voluntarily stopped charging such fees.
- FCRA rulemaking. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation V, which implements the FCRA. As previously covered by InfoBytes, on January 3, the Bureau issued its annual report covering information gathered by the Bureau regarding certain consumer complaints on the three largest nationwide consumer reporting agencies (CRAs). CFPB Director Rohit Chopra noted that the Bureau “will be exploring new rules to ensure that [the CRAs] are following the law, rather than cutting corners to fuel their profit model.”
- Section 1033 rulemaking. Section 1033 of Dodd-Frank provides that covered entities, such as banks, must make available to consumers, upon request, transaction data and other information concerning consumer financial products or services that the consumer obtains from the covered entity. Over the past several years, the Bureau has engaged in a series of rulemaking steps to prescribe standards for this requirement, including the release of a 71-page outline of proposals and alternatives in advance of convening a panel under the Small Business Regulatory Enforcement Fairness Act (SBREFA). The outline presents items under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” (Covered by InfoBytes here.) The Bureau anticipates issuing a SBREFA report in February.
- Amendments to FIRREA concerning automated valuation models. The Bureau is participating in interagency rulemaking with the Fed, OCC, FDIC, NCUA, and FHFA to develop regulations to implement the amendments made by Dodd-Frank to FIRREA concerning appraisal automated valuation models (AVMs). The FIRREA amendments require implementing regulations for quality control standards for AVMs. The Bureau released a SBREFA outline and report in February and May 2022 respectively (covered by InfoBytes here), and estimates that the agencies will issue a notice of proposed rulemaking (NPRM) in March.
- Property Assessed Clean Energy (PACE) financing. The Bureau issued an advance notice of proposed rulemaking (ANPRM) in March 2019 to extend TILA’s ability-to-repay requirements to PACE transactions. (Covered by InfoBytes here.) The Bureau is working to develop a proposed rule to implement Economic Growth, Regulatory Relief, and Consumer Protection Act Section 307 in April.
- Nonbank registration. The Bureau issued an NPRM in December to enhance market monitoring and risk-based supervision efforts by including all final public written orders and judgments (including any consent and stipulated orders and judgments) obtained or issued by any federal, state, or local government agency for violation of certain consumer protection laws related to unfair, deceptive, or abusive acts or practices in a database of enforcement actions taken against certain nonbank covered entities. (Covered by InfoBytes here.) In a separate agenda item, the Bureau states that the NPRM would also require supervised nonbanks to register with the Bureau and provide information about their use of certain terms and conditions in standard-form contracts. The Bureau proposes “to collect information on standard terms used in contracts that are not subject to negotiating or that are not prominently advertised in marketing.”
- Credit card penalty fees. The Bureau issued an ANPRM last June to solicit information from credit card issuers, consumer groups, and the public regarding credit card late fees and late payments, and card issuers’ revenue and expenses. (Covered by InfoBytes here.) Under the CARD Act rules inherited by the Bureau from the Fed, credit card late fees must be “reasonable and proportional” to the costs incurred by the issuer as a result of a late payment. Calling the current credit card late fees “excessive,” the Bureau stated it intends to review the “immunity provision” to understand how banks that rely on this safe harbor set their fees and to examine whether banks are escaping enforcement scrutiny “if they set fees at a particular level, even if the fees were not necessary to deter a late payment and generated excess profits.” The Bureau is considering comments received on the ANPRM as it develops an NPRM that may be released this month.
- Small business rulemaking. Section 1071 of Dodd-Frank amended ECOA to require financial institutions to report information concerning credit applications made by women-owned, minority-owned, and small businesses, and directed the Bureau to promulgate rules for this reporting. An NPRM was issued in August 2021 (covered by InfoBytes here). The Bureau anticipates issuing a final rule later this month.
CFPB releases 2023 rural or underserved counties list
Recently, the CFPB released its annual lists of rural counties and rural or underserved counties for lenders to use when determining qualified exemptions to certain TILA regulatory requirements. In connection with these releases, the Bureau also directed lenders to use its web-based Rural or Underserved Areas Tool to assess whether a rural or underserved area qualifies for a safe harbor under Regulation Z.
Senators ask FTC, CFPB to investigate deceptive listing agreements
In December, Senate Banking Committee Chairman Sherrod Brown (D-OH), along with Senators Tina Smith (D-MN) and Ron Wyden (D-OR) sent a letter to the FTC and the CFPB requesting a review of a Florida-based real estate brokerage firm’s use of exclusive 40-year listing agreements marketed as a “loan alternative.” The request follows a November press release by the Florida attorney general announcing legal action against the firm for engaging in allegedly deceptive, unfair, and unconscionable business practices. According to the AG’s complaint, the firm offered homeowners $300 to $5,000 as a cash loan alternative in exchange for an agreement to use the firm as an exclusive real estate listing broker for a 40-year period. The complaint claimed the firm informs homeowners that there is no obligation to return the cash, stressing the homeowner will owe the firm nothing unless and until the home is sold. The AG asserted, however, that what is not clearly disclosed is that after accepting the payment, the firm files a 40-year lien on the property so that if at any time within 40 years the home is foreclosed upon or transferred to heirs upon the homeowner’s death, or if homeowners simply wish to cancel the deal, the firm will attempt to take three percent of the home’s value. Further, the AG claimed that the firm also failed to inform customers that the liens are filed in the public record, which can make it difficult for homeowners to refinance or access their home’s equity. The complaint seeks injunctive relief, restitution, and civil penalties.
NYDFS announces winter storm relief
On December 27, NYDFS announced actions to provide financial relief to New Yorkers in the Western and North Country regions in the aftermath of a historic winter storm. The relief is part of New York’s continuing and comprehensive efforts to address the historic winter storm that caused statewide devastation. According to the announcement, NYDFS requested that state-chartered banking organizations, federally-chartered banks, and credit unions operating in the area provide fee-free access services to nearby customers and non-customers while travel conditions remain dangerous. NYDFS will also issue temporary adjuster permits to qualified out-of-state independent insurance adjusters to expedite insurance claims in light of the winter storm. Expediting permits will increase the number of adjusters available to process claims and help New Yorkers get their claims paid faster. Insurers are encouraged to make any necessary applications on the NYDFS website. NYDFS urged the insurance industry to work towards a fair and speedy resolution of all claims and provide the necessary resources to do so.
New Jersey reaches $27.3 million settlement with merchant cash advance operation
On January 3, the New Jersey attorney general announced a $27.4 million settlement with a private equity firm, its parent company, and six other associated companies (collectively, “respondents”) to resolve allegations related to violations of the New Jersey Consumer Fraud Act (CFA). According to the press release, the respondents targeted small businesses to enter into lending arrangements disguised as merchant cash advances (MCA) on future receivables. The AG claimed these loans effectively charged interest rates far exceeding the state’s usury caps. According to the attorney general’s press release, the respondents also allegedly engaged in deceptive servicing and collection practices against small businesses.
Under the terms of the consent order, the respondents are permanently enjoined from engaging in any acts or practices that violate the CFA and any applicable Advertising Regulations. The respondents have also agreed to forgive all outstanding balances for customers who entered MCAs (approximately $21.75 million) and pay $5.625 million to cover restitution, attorneys’ fees, costs of investigation and litigation and costs of administering restitution, and penalties not to exceed $250,000. The press release stated that the respondents will also (i) dismiss any pending debt collection actions against customers who had their balances forgiven as a result of the settlement; (ii) provide current customers with the ability to request modifications to their payment terms based on actual receivables; (iii) “[i]mprove internal business practices, be transparent in any terms of future MCA agreements regarding fees and reconciliation rights, and give notice to customers before taking legal action to collect on purported unpaid balances”; and (iv) ensure that all respondents, principals, and any future business entities that may result from a change in structure comply with the terms of the consent order.
DFPI issues recommendations for engaging in crypto technologies
In December, the California Department of Financial Protection and Innovation (DFPI) issued a report identifying six recommendations for how California should engage with blockchain and Web3 industries. The report follows a May 2022 Executive Order (E.O.) from the California governor to create a regulatory and business environment for blockchain and cryptocurrency companies that balances the benefits and risks to consumers. As previously covered by InfoBytes, one of the priorities of the E.O. included for DFPI to, among other things, engage in a public process, including with federal agencies, to “develop a comprehensive regulatory approach to crypto assets harmonized with the direction of federal regulations and guidance” and “exercise its authority under the California Consumer Financial Protection Law (CCFPL) to develop guidance and, as appropriate, regulatory clarity and supervision of private entities offering crypto asset-related financial products and services” in California. The report made six recommendations to “encourage the continued growth and adoption of blockchain technology.”
- Engagement with stakeholders. The state should “continue dialogue with industry, advocates, and regulators to stay apprised of new technologies, products, definitions and risks.”
- Consumer protection and education. The state should promote consumer protection and consumer education about blockchain and crypto products, which includes, among other things: (i) training staff to better supervise regulated entities, products, and services; (ii) increasing efforts to educate Californians on how to use certain crypto-asset related financial products and services; and (iii) developing and publishing “standards for use in reviewing crypto asset-related securities to help provide more meaningful investor disclosures and to allow companies who wish to offer such securities more quickly and efficiently.”
- Legislation and regulation. The state should identify legislative gaps and clarify statutory authority regarding crypto assets. DFPI will attempt to harmonize California’s regulatory approach with federal regulators, other states, and local jurisdictions.
- Government use. The state should consider ways to use blockchain technology to “increase efficiencies, improve access, and reduce costs.”
- Environmental protection. The state should encourage more environmentally efficient blockchain technologies and explore policy interventions to reduce energy use.
- Workforce and economic development. The state should tap its higher education systems to help support and grow the blockchain sector and related technologies.
Social media users denied preliminary injunction in privacy suit
On December 22, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for preliminary injunction in a privacy suit. According to the order, the plaintiffs alleged that the social media company improperly acquired their confidential health information in violation of state and federal law and in contravention of the company’s own policies regarding the use and collection of users’ data. The plaintiffs alleged that each of their healthcare providers allegedly installed the company’s software, which is a free and publicly available piece of code that the company allows third-party website developers to install on their patient portals. When the plaintiffs logged into the portal on their medical provider’s website, the software allegedly transmitted certain information to the social media company. The plaintiffs claimed that the software allowed the company to intercept personally identifiable medical information and the content of patient communications for its financial gain. The court found,however, that though the plaintiffs “raise potentially strong claims on the merits and their alleged injury would be irreparable if proven,” the “plaintiffs need to show ‘that the law and facts clearly favor [their] position, not simply that [they are] likely to succeed.’” The court also noted that the company’s “core defense is that it has systems in place to address the receipt of the information at issue and that it would be unfairly burdensome and technologically infeasible for them to take further action.” The court continued, “[w]ithout further factual development, it is unclear where the truth lies, and plaintiffs do not meet the high standard required for a mandatory injunction.”
2nd Circuit affirms dismissal in FCRA suit
On January 4, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s decision to grant summary judgment for a credit reporting agency (defendant) in a suit alleging FCRA violations. According to the opinion, four years after the plaintiff took out a student loan, he filed for bankruptcy protection. The bankruptcy court issued a final decree of discharge, which released the plaintiff from all “dischargeable debts,” but did not specifically indicate that the loan was discharged. The student loan servicer indicated that the student loan was not discharged, and the plaintiff executed a loan modification agreement with the loan holder and made payments for several years. The plaintiff filed suit against the defendant consumer reporting agency, alleging that it violated the FCRA and New York law for including the loan on his credit report. The district court granted summary judgment in favor of the defendant after determining that the consumer’s loan had not been discharged. The plaintiff appealed.
On appeal, the 2nd Circuit noted that the plaintiff’s claim “hinges on the resolution of an unsettled legal question”: whether the loan was in fact discharged in the bankruptcy proceeding. Making such a determination would have required the defendant to resolve a legal question related to the debt, which the appellate court concluded was not required under the FCRA. As a result, the appellate court affirmed the dismissal of the plaintiff’s complaint because the alleged inaccuracy is not considered to not be an actionable “inaccuracy” under the FCRA.
Agencies extend Reg. O relief for some companies controlled by funds
On December 22, the Federal Reserve Board, FDIC, and OCC extended Regulation O relief for certain investment fund-controlled companies. The agencies issued a temporary no-action position in 2019 to allow time for the Federal Reserve, in consultation with the FDIC and OCC, “to consider whether to amend Regulation O to address concerns about unintended consequences of the application of Regulation O to companies that sponsor, manage, or advise investment funds and institutional accounts that invest in voting securities of banking organizations.” The interagency statement extends the no-action relief under Regulation O for another year to the sooner of either January 1, 2024, or the effective date of a final Federal Reserve rule revising Regulation O “that addresses the treatment of extensions of credit by a bank to fund complex-controlled portfolio companies that are insiders of the bank.” Specifically, the agencies state that action will not be taken against banks extending credit to fund complex-controlled portfolio companies that would otherwise violate Regulation O, provided the company controls (directly or indirectly) less than 15 percent of the bank’s voting securities (or 20 percent under certain circumstances) and has not or does not plan to place representatives in the bank or seek to exercise a controlling influence over the bank. Extensions of credit to these companies must be on “substantially the same terms as those prevailing for comparable transactions with unaffiliated third parties” and may not “involve more than normal risk of repayment or present other unfavorable features,” the agencies explained, noting that the relief applies only to fund complex-controlled portfolio companies, not the fund complexes.
FCC proposes new data breach notification requirements
On January 6, the FCC announced a notice of proposed rulemaking (NPRM) to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). FCC Chairwoman Jessica Rosenworcel noted that “given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.” She commented that the “new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.” The NPRM, which seeks to improve alignment with recent developments in federal and state data breach laws covering other sectors, would require telecommunications providers to notify impacted customers of CPNI breaches without unreasonable delay, thus eliminating the current seven business day mandatory waiting period for notifying customers of a breach.
Among other things, the FCC requests feedback on whether to establish a specific timeframe (e.g. a requirement to report breaches of customers’ data within 24 or 72 hours of discovery of a breach) or whether a disclosure deadline should vary based on a graduated scale of severity. The FCC also seeks comments on whether a carrier should “be held to have ‘reasonably determined’ a breach has occurred when it has information indicating that it is more likely than not that there was a breach,” and whether the Commission should publish guidance on what constitutes a reasonable determination or adopt a more definite standard. Feedback is also solicited on topics such as threshold triggers, what should be included in a security breach notification, the delivery method of these notifications, and whether to expand the definition of a data breach to also include inadvertent disclosures. Comments are due 30 days after publication in the Federal Register.