
InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC and Wisconsin sue auto dealer group for alleged discrimination and illegal fees

    Federal Issues

    The FTC and the State of Wisconsin announced that they filed a complaint in the District Court for the Western District of Wisconsin against an auto dealer group, and its current and former owners, and general manager, alleging that the defendants deceived consumers by tacking hundreds or even thousands of dollars in illegal junk fees onto car prices and discriminated against American Indian customers by charging them higher financing costs and fees relative to similarly situated non-Latino whites.

    The complaint also notes the disparity only increased since a change of ownership in 2019. Specifically, the complaint alleges that the defendants regularly charged many of their customers junk fees for “add-on” products or services without their consent, which resulted in additional fees and interest on the customers’ loans. Further, the defendants allegedly discriminated against American Indian customers in the cost of financing by adding more “markup” to their interest rates. This additional markup cost American Indian customers, on average, $401 more compared to non-Latino white customers.

    The complaint resulted in two proposed settlements. The proposed settlement with the auto dealer, its current owners, and the general manager requires the company to stop deceiving consumers about whether add-ons are required for a purchase and obtain consumers’ express informed consent before charging them for add-ons. The settlement will also require the defendants to establish a comprehensive fair lending program that, among other components, will allow consumers to seek outside financing for a purchase and cap the additional interest markup the auto dealer can charge consumers. The current owners and general manager will also be required to pay $1 million to be used to refund affected consumers.

    Separately, the former owners agreed to pay $100,000 to be used to refund affected consumers.

    Federal Issues Wisconsin State Issues Discrimination Fees Enforcement

  • Treasury official discusses AI and cloud computing at Gov2Gov summit

    Federal Issues

    On October 24, Assistant Secretary for Financial Institutions at the U.S. Department of Treasury Graham Steele delivered remarks at the Gov2Gov Summit to discuss the benefits and risks of artificial intelligence (AI) and machine learning (ML) in the financial services sector.

    First, Assistant Secretary Steele discussed the role of cloud computing and cloud service providers (CSPs) in supporting financial institutions’ work, following the Department’s release of a February report which discussed the financial sector’s adoption of cloud services. Assistant Secretary Steele indicated, among other things, that while cloud services can offer more scalable and flexible solutions for financial services institutions to store and manage their data, financial institutions have struggled to understand clearly and implement the cloud services they are purchasing from large, market-dominating CSPs. Assistant Secretary Steele stated that the Department is working toward a model that will allow financial institutions to “unbundle” cloud service packages so that financial institutions can provide more individualized services.

    Next, Assistant Secretary Steele discussed the potential advantages and disadvantages of the use of AI among financial institutions, which use AI for tasks including credit underwriting, fraud prevention, and document review. Among the benefits AI offers to financial institutions are reduced costs, improved performance, and the identification of complex relationships. The risks of AI, according to Assistant Secretary Steele, fall into three categories: (i) the design of AI, which can raise discrimination concerns, such as in consumer lending; (ii) how humans implement AI, including the possible overreliance on AI to render financial decisions; and (iii) operational and cyber risks, including the dangers around data quality and security, as AI consumes significant volumes of data.

    Last, Assistant Secretary Steele discussed how policymakers are addressing privacy and discrimination concerns with AI. He mentioned the White House’s Blueprint for an AI Bill of Rights, which would require, among other things, regular assessment of algorithms for certain disparities and biases. Assistant Secretary Steele also cited regulatory actions that can address the risks of AI, including a CFPB rulemaking under the FCRA and Federal banking agency guidance on third party risk management.

    Federal Issues Agency Rule-Making & Guidance NPR FDIC Federal Reserve Department of Treasury Artificial Intelligence

  • Agencies issue final rule to modernize Community Reinvestment Act regulations

    Agency Rule-Making & Guidance

    On October 24, the Fed, FDIC, and OCC issued an interagency announcement regarding the modernization of their rules under the Community Reinvestment Act (CRA), a law enacted in 1977 to encourage banks to help meet the credit needs of their communities, especially low- and moderate-income (LMI) neighborhoods, in a safe and sound manner. The new rule overhauls the existing regulatory scheme that was first implemented in the mid-1990s.

    For banks with assets of at least $2 billion (Large Banks), the final rule adds a new category of assessment area to the existing facility based assessment area (FBAA). Large Banks that do more than 20 percent of their CRA-related lending outside their FBAAs will have that lending evaluated in retail lending assessment areas, i.e., MSAs or states where it originated at least 150 closed-end home mortgage loans or 400 small business loans in both of the previous two years. All Large Banks will be subject to two new lending and two new community development tests, with lending and community development activities each counting for half a bank’s overall CRA rating. Banks with assets between $600 million and $2 billion will be subject to a new lending test. Large Banks with assets greater than $10 billion will also have special reporting requirements.

    Additionally, the rule (i) implements a standardized scoring system for performance ratings; (ii) revises community development definitions and creates a list of community development activities eligible for CRA consideration, regardless of location; (iii) permits regulators to evaluate “impact and responsiveness factors” of community development activities; (iv) continues to make strategic plans available as an alternative option for evaluation; (v) revises the definition of limited purpose bank so that it includes both existing limited purpose and wholesale banks and subjects those banks to a new community development financing test; and (vi) considers online banking in the bank’s evaluations.

    Most of the rule’s requirements will be effective January 1, 2026. The remaining requirements, including the data reporting requirements, will apply on January 1, 2027.

    Agency Rule-Making & Guidance Federal Issues OCC Federal Reserve CRA Supervision Capital Requirements Consumer Finance Redlining

  • FTC reports on efforts to combat cross-border fraud and ransomware attacks

    Federal Issues

    On October 20, the FTC published two reports outlining its efforts to protect consumers against cross-border fraud and ransomware attacks. 

    In the first report, the FTC described the US SAFE Web Act (SAFE WEB), passed in 2006, as an “indispensable” tool to combat cross-border fraud and protect consumers in an increasingly global and digital economy. For example, the report noted that since SAFE WEB was passed, the FTC has used the law in myriad ways: issuing more than 140 civil investigative demands on behalf of 21 foreign agencies from eight countries; engaging in 148 staff exchanges to build cooperation with foreign counterparts; and sharing confidential information from FTC files with 43 law enforcement agencies in twenty different countries. The report also indicated that SAFE WEB has allowed the FTC to pursue and stop harmful conduct in the US and defend against challenges to its jurisdictional authority over foreign companies targeting American consumers. Notably, SAFE WEB helped the FTC (i) shut down a real estate investment scam that took in more than $100 million (the largest such scheme the FTC has ever targeted); (ii) cooperate with privacy authorities in Canada and the United Kingdom to pursue actions against an online dating site that deceived consumers and failed to protect the account and profile information of more than 36 million individuals; and (iii) work with foreign law enforcement agencies to stop fraudulent money transfers to certain money transfer companies located in Spain in connection with a Nigerian email scam. The FTC recommends that Congress permanently reauthorize SAFE WEB to preserve the agency’s ability to fight cross-border fraud.

    In the second report, the FTC discussed its work to target ransomware and other cyber-attacks. The FTC highlighted its longstanding data security enforcement program, which seeks to ensure that businesses engage in reasonable practices to protect the data of their customers. Moreover, the RANSOMWARE Act refers specifically to China, Russia, North Korea, and Iran. The report stated that although the FTC has taken data security-related enforcement actions involving connections to China and Russia, the FTC has had limited interactions with government agencies in China, Russia, North Korea, and Iran. The report included several recommendations for Congress, including making SAFE WEB permanent, amending a provision in the FTC Act which would restore the FTC’s ability to provide refunds to harmed consumers, and enacting privacy and data security legislation which would be enforceable by the FTC. The FTC also urged businesses to take steps to safeguard customer data, including retaining information only so long as there is a legitimate business need, restricting access to sensitive data, and storing personal information securely and protecting it during transmission.

    Federal Issues FTC Ransomware Fraud

  • CFPB releases education ombudsman’s annual report

    Federal Issues

    On October 20, the CFPB Education Loan Ombudsman published its annual report on consumer complaints submitted between September 1, 2022, and August 31, 2023. The report is based on approximately 9,284 student loan complaints received by the CFPB regarding federal and private student loans. Roughly 75 percent of complaints were related to federal student loans while the remaining 25 percent concerned private student loans. Overall, the report found underlying issues in student loan servicing that threaten borrowers’ ability to make payments, achieve loan cancellation, or receive other protections to which they are entitled under federal law. The report indicated that challenges and risks facing federal student loan borrowers include customer service problems, errors related to basic loan administration, and problems accessing loan cancellation programs. Similarly, private borrowers face issues accessing loan cancellation options, misleading origination tactics, and coercive debt collection practices related to private student loans.

    The Ombudsman’s report advised policymakers, law enforcement, and industry participants to consider several recommendations: (i) ensuring that federal student loan borrowers can access all protections intended for them under the law; (ii) ensuring that loan holders and servicers of private student loans do not collect debt where it may no longer be legally owed or previously discharged; and (iii) using consumer complaints to develop policies and procedures when they reveal systemic problems.

    Federal Issues CFPB Student Lending Student Loan Servicer Consumer Finance Debt Collection Covid-19

  • Bank to pay Fed, NYDFS almost $30 million for deficient third-party risk management practices

    Federal Issues

    On October 19, the Fed and NYDFS announced an enforcement action against a New York-based bank for alleged violations of consumer identification rules and deficient third-party risk management practices. NYDFS Superintendent Adrienne A. Harris stated that the bank failed to prevent a “massive, ongoing fraud” related to its prepaid card program. According to the Fed’s cease-and-desist order, illicit actors managed to open prepaid card accounts through a third party and moved hundreds of millions of dollars of direct deposit payroll payments and state unemployment benefits through the accounts. The Fed’s order requires the bank to, among other things, improve its oversight, create a new product review program, enhance its customer identification program, and submit a plan to enhance its third-party risk management program. The bank’s plan must include (i) policies and procedures to ensure third-party service providers are complying with federal and state law; (ii) a third-party risk management oversight program; (iii) policies and procedures to ensure the bank’s Chief Compliance Officer has sufficient resources to properly access the bank’s prepaid card program and is adequately staffed; and (iv) a comprehensive identity theft prevention program. The Fed also requires the bank to pay a civil money penalty of approximately $14.5 million. Under NYDFS’s consent order, the bank agreed to pay an additional $15 million civil monetary penalty, and to submit remediation and program reporting.

    Federal Issues State Issues NYDFS Federal Reserve Cease and Desist Third-Party Risk Management

  • CSBS offers guidance for licensees to prepare for NMLS renewal

    Federal Issues

    On October 24, CSBS released tips for licensees to prepare for NMLS renewal. As previously covered by InfoBytes, NMLS announced it will be rolling out a new version of its mortgage call report which will include new requirements for many licensees. Kelly O'Sullivan, the chair of the NMLS Policy Committee and deputy commissioner of the Montana Division of Banking and Financial Institutions, advises licensees to proactively update their information in NMLS and make use of available training and resources to address their queries before the renewal period begins. This is particularly crucial for those individuals who typically only engage with NMLS during the license renewal phase.

    CSBS recommended five essential tips for licensees:

    • Licensees should log into NMLS and thoroughly review and update their profile record to ensure accuracy;
    • Licensees should reset their NMLS password in advance to have a current password ready for accessing NMLS when needed;
    • Licensees should provide and maintain a current email address to receive essential updates from NMLS during the renewal process;
    • Licensees should review state-specific renewal requirements, as state agencies typically begin publishing details, including deadlines and fees, in September;
    • Licensees are encouraged to take advantage of the free, on-demand renewal training resources provided by CSBS to become familiar with the renewal process.

    Federal Issues Licensing NMLS Mortgages Consumer Finance CSBS Supervision

  • CFPB announces civil money penalty against nonbank, alleges EFTA and CFPA violations

    Federal Issues

    On October 17, the CFPB announced an enforcement action against a nonbank international money transfer provider for alleged deceptive practices and illegal consumer waivers. According to the consent order, the company facilitated remittance transfers through its app that required consumers to sign a “remittance services agreement,” which included a clause protecting the company from liability for negligence over $1,000. The Bureau alleged that such waiver violated the Electronic Fund Transfer Act (EFTA) and its implementing Regulation E, including Subpart B, known as the Remittance Transfer Rule, by (i) requiring consumers to sign an improper limited liability clause to waive their rights; (ii) failing to provide contact and cancellation information in disclosures, and other required terms; (iii) failing to provide a timely receipt when payment is made for a transfer; (iv) failing to develop and maintain required policies and procedures for error resolution; (v) failing to investigate and determine whether an error occurred, possibly preventing consumers from receiving refunds or other remedies they were entitled to; and (vi) failing to accurately disclose exchange rates and the date of fund availability. The CFPB further alleged that the company’s representations regarding the speed (“instantly” or “within seconds”) and cost (“with no fees”) of its remittance transfers to consumers were inaccurate and constituted violations of the CFPA. The order requires the company to pay a $1.5 million civil money penalty and provide an additional $1.5 in consumer redress. The company must also take measures to ensure future compliance.

    Federal Issues Fintech CFPB CFPA EFTA Nonbank Unfair Enforcement Consumer Protection

  • SEC announces 2024 examination priorities, excludes ESG

    Securities

    On October 16, the SEC’s Division of Examinations announced that its 2024 examination priorities will focus on key risk factors related to information security and operational resiliency, crypto assets and emerging financial technology, regulation systems compliance and integrity, and anti-money laundering. SEC registrants, including investment advisers, investment companies, broker dealers, self-regulatory organizations, clearing agencies, and other market participants are reminded of their obligations to address, manage, and mitigate these key risks. Notably, ESG was a “significant focus area[]” in 2022 (covered by InfoBytes here) and 2023, but it is not directly mentioned in the 2024 examination priorities.

    According to the report, examiners plan to increase their engagement to support the evolving market and new regulatory requirements. Regarding information security and operational resiliency, examiners will focus on registrants’ procedures surrounding “internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks.” Additionally, regarding crypto assets and emerging fintech, examiners will focus on registrants’ business practices involving compliance practices, risk disclosures, and operational resiliency practices. The SEC also mentioned in the “Crypto Assets and Emerging Financial Technology” section of the report that it will assess registrant preparations for the recently adopted rule for broker dealer transactions that shortens the standard settlement cycle to one business day (previously two days) after the trade, which has a compliance date of May 28, 2024. Among other things, the SEC will also focus on whether registrants’ regulation systems compliance and integrity are “reasonably designed” to ensure the security of their systems, including physical security of the systems housed in data centers.

    SEC chair Gary Gensler said that the Division of Examinations plays an important role in “protecting investors and facilitating capital formation,” adding that the commission will focus on “enhancing trust” in the changing markets.

    Securities SEC Examination Digital Assets Fintech Compliance Privacy, Cyber Risk & Data Security

  • Healthcare clearinghouse settles for $1.4M over data breach

    Privacy, Cyber Risk & Data Security

    On October 17, a healthcare clearinghouse reached a $1.4 million settlement with a coalition of 33 state attorneys general for allegedly exposing the protected health information of approximately 1.5 million consumers. As a health care clearinghouse, the company facilitates transactions between health care providers and insurers. The states began investigating the company in 2019, when the U.S. Department of Health and Human Services discovered that personal health information maintained by the company was available through search engines, which appeared to be the result of a coding error by the company. According to the states, after the company was alerted to the breach, it delayed notification to impacted customers for over three months and sent notices to impacted consumers that were vague and confusing. Under the settlement, in addition to the $1.4 million payment, the company agreed to overhaul its data security and breach notification practices. The multistate coalition was led by the Indiana Attorney General’s Office.

    Privacy, Cyber Risk & Data Security Data Breach State Attorney General Settlement Indiana
