InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Republicans seek to overturn CFPB small-biz lending rule; Georgia AG says rule is unnecessary and burdensome
Recently, several House Republicans introduced a joint resolution of disapproval (H.J. Res. 66) under the Congressional Review Act to overturn the CFPB’s small business lending rule. As previously covered by InfoBytes, last month the Bureau released its final rule implementing Section 1071 of the Dodd-Frank Act. Effective August 29, the final rule will require financial institutions to collect and provide to the Bureau data on lending to small businesses (defined as an entity with gross revenue under $5 million in its last fiscal year). Both traditional banks and credit unions, as well as non-banks, will be required to collect and disclose data about small business loan recipients’ race, ethnicity, and gender, as well as geographic information, lending decisions, and credit pricing. The final rule prescribes a tiered compliance date schedule, with the earliest compliance date being October 1, 2024, for financial institutions that originate at least 2,500 covered small business loans in both 2022 and 2023 (financial institutions with lower origination amounts have later compliance dates).
Also opposing the final rule, Georgia Attorney General Christopher M. Carr sent a letter to CFPB Director Chopra requesting that the final rule be rescinded. Carr argued that the final rule places an unnecessary and expensive burden on financial institutions, and that “[w]ith the current uneasiness in the market and a plethora of other challenges facing community banks, now is not the time to require them to gather more information that has absolutely nothing to do with the process of evaluating which applicants are the strongest and most deserving of capital.” Carr further contended that if lending discrimination is a “rampant problem,” the Bureau should use channels already in place to address this issue. Pointing out that states already have their own consumer protection and anti-discrimination statutes in place, Carr argued that the final rule imposes redundant compliance requirements on financial institutions, particularly community banks. Carr asked the Bureau to “allow states to continue to address lending issues as they occur, rather than saddling small businesses with burdensome regulations.”
Additionally, in April, a group of plaintiffs, including a Texas banking association, filed a lawsuit against the Bureau seeking to invalidate the final rule. (Covered by InfoBytes here.) Plaintiffs argued that the final rule will drive from the market smaller lenders who are not able to effectively comply with the final rule’s “burdensome and overreaching reporting requirements” and decrease the availability of products to customers, including minority and women-owned small businesses.
District Court says MLA’s statute of limitations begins upon discovery of facts
The U.S. District Court for the Eastern District of Virginia recently granted an installment lender’s motion to dismiss, ruling that most of the class members’ claims are time-barred by the Military Lending Act’s (MLA) two-year statute of limitations. Plaintiffs are active duty servicemembers who entered into installment loans with the defendant. Claiming four violations of the MLA, plaintiffs alleged the defendant (i) extended loans with interest rates exceeding the MLA’s 36 percent interest rate cap; (ii) extended loans that involved roll overs of prior loans; (iii) required plaintiffs to agree to repayment by allotment (with a backup preauthorized electronic fund transfer) as a condition to receiving a loan; and (iv) required plaintiffs to provide a security interest in their bank accounts as a condition for receiving a loan. Plaintiff sought to certify a class covering the five years preceding the date the complaint was filed. Defendant moved to dismiss, arguing that plaintiffs have only been harmed by technical violations of the MLA and did not suffer a concrete injury. Plaintiffs countered that the defendant’s MLA violations caused them to sustain injuries from making payments, including interest payments, “on loans that were ‘void from [their] inception’ [] due to their unlawful refinancing, allotment, and security interest requirements.”
The court reviewed a significant issue raised by the parties’ differing interpretations of the MLA’s statute of limitations and its applicability to plaintiffs’ loans. Specifically, the parties disagreed as to whether “discovery by the plaintiff of the violation,” which triggers the two-year limitations period, requires that a plaintiff only discover the facts constituting the basis for the violation, as argued by the defendant, or instead requires that a plaintiff also know that the MLA was violated, as the plaintiffs argued. While acknowledging that the text in question is inconclusive, the court stated that since the MLA “does not require ‘discovery’ of both the ‘violation’ and ‘liability’ but only the ‘violation that is the basis for such liability,’ the text appears to support the interpretation that only discovery of the violative conduct is required, and
not discovery of the actionability of that conduct.” The court also reviewed other federal statutory discovery rules where other courts “have consistently found that ‘discovery’ requires that a plaintiff have knowledge only of the facts constituting the violation and not the legal implications of those facts.” Relying on this, as well as other court interpretations, the court determined that “the two-year limitations period is triggered when a plaintiff discovers the facts
constituting the basis for the MLA violation and not when the plaintiff recognizes that these facts
support a legal claim.” Thus, the court found that most of the loans underlying the claims are time-barred.
However, for loans that fell within the applicable limitations period, the court granted defendant’s motion to dismiss for failure to state a claim, concluding, among other things, that a creditor is not prohibited from taking a security interest in a plaintiff’s bank account by way of a preauthorized electronic fund transfer provided the military annual percentage rate does not exceed the allowable 36 percent (a claim, the court noted, plaintiffs dismissed and did not otherwise address). Moreover, the court determined that plaintiffs failed to allege that the defendant was a “creditor” under the narrower definition used by the MLA in its refinancing and roll-over prohibition or that the defendant’s “characterization of the convenience of repayment by allotment amounted to a misrepresentation or concealment of facts giving rise to plaintiffs’ MLA claim.”
7th Circuit: Time and money in responding to second verification request confers standing under FDCPA
On June 7, the U.S. Court of Appeals for the Seventh Circuit held that spending time and money to send a second verification request is enough to confer standing under the FDCPA. Plaintiff’s defaulted credit card debt was purchased by one of the defendants and placed with a collection agency. A letter providing details about the debt, including the original creditor, current creditor, and a validation notice, was sent to the plaintiff. Within the required 30-day timeframe, plaintiff sent a letter to the collection agency requesting validation of the debt. However, instead of receiving a response from the agency, plaintiff received another letter from one of the defendants that provided information on the debt and informed her that it had initiated a review of the inquiry it had received. The second letter also included a validation notice, which confused the plaintiff and resulted in her spending time and money ($3.95) to request validation again. Plaintiff filed suit accusing the defendants of violating the FDCPA and asserting that the second letter would lead a consumer to believe that they must re-dispute the debt. According to the plaintiff, the letter, among other things, used false, deceptive, misleading, and unfair or unconscionable means to collect or attempt to collect a debt. The defendants moved to dismiss for lack of standing, arguing that while the letter may have confused and alarmed the plaintiff, it did not cause her to initiate “any action to her detriment on account of her confusion.” The district court granted defendants’ motion to dismiss, ruling that the time and money spent on sending the second validation request did not rise to the level of detriment required for standing under the FDCPA, and that, moreover, it provided plaintiff with another opportunity to dispute the debt if she failed to properly do so the first time.
Disagreeing with the dismissal, the 7th Circuit wrote that the second postage fee (albeit modest in size) is the type of harm that Congress intended to protect consumers from when it enacted the FDCPA. “Money damages caused by misleading communications from the debt collector are certainly included in the sphere of interests that Congress sought to protect,” the appellate court stated, explaining that the second letter caused the plaintiff “to suffer a concrete detriment to her debt-management choices in the form of the expenditure of additional money to preserve rights she had already preserved.”
11th Circuit revises data breach negligence claim
The U.S. Court of Appeals for the Eleventh Circuit recently reversed the dismissal of a negligence claim brought against a Georgia-based airport retailer, determining that a company of its size and sophistication “could have foreseen being the target of a cyberattack.” Plaintiff, who used to work for the defendant, filed suit alleging the defendant failed to protect thousands of current and former employees’ sensitive personally identifiable information (PII), including Social Security numbers, from an October 2020 ransomware attack. Bringing claims for negligence and breach of implied contract on behalf of class members, plaintiff contended that not only should the defendant have protected the PII, but it also took several months for the defendant to notify affected individuals. A notice provided by the company claimed the attack only affected an internal, administrative system, but according to the plaintiff, the attacker uploaded the PII to third-party servers. Plaintiff was later informed that an unknown party used his Social Security number to file pandemic-related unemployment assistance claims under his name in Rhode Island and Kentucky. Plaintiff challenged that the defendant should have taken steps before the hack to better protect the information and that the alleged “harms he suffered were a foreseeable result of [defendant’s] inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining.” The district court disagreed and granted defendant’s motion to dismiss for failure to state a claim. Plaintiff appealed, arguing that “the district court demanded too much at the pleadings stage.”
On appeal, the 11th Circuit concluded, among other things, that the plaintiff could not have been expected to plead details about the defendant’s private data security policies. “We cannot expect a plaintiff in [this] position to plead with exacting detail every aspect of [defendant’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts,’” the appellate court wrote, noting that plaintiff had sufficiently pled the existence of a special relationship as well as a foreseeable risk of harm. However, the 11th Circuit affirmed dismissal of plaintiff’s claim for breach of implied contract, stating that he failed to allege any facts showing that the defendant agreed to be bound by a data retention or protection policy.
A few days later, the 11th Circuit issued an opinion saying class members in a different action should be allowed to amend their data breach negligence claim in light of the appellate court’s decision discussed above. The 11th Circuit wrote that the decision in the aforementioned case “undermined” the dismissal of plaintiff’s negligence claim alleging a defendant warehousing company allowed a data breach to occur because it failed to take appropriate measures to secure its network. Class members in this case also alleged their PII was improperly accessed during a ransomware attack. The appellate court agreed with class members’ contention that the defendant had failed to address a newly created legal standard for data breach negligence claims in its motion to dismiss: “Indeed, the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint to add more specific foreseeability allegations in response to [defendant’s] renewed motion to dismiss,” the appellate court wrote, reversing the denial of the motion for leave to amend.
7th Circuit: Time and money spent responding to second verification request is sufficient for standing
On June 7, the U.S. Court of Appeals for the Seventh Circuit held that spending time and money to send a second verification request is enough to confer standing under the FDCPA. Plaintiff’s defaulted credit card debt was purchased by one of the defendants and placed with a collection agency. A letter providing details about the debt, including the original creditor, current creditor, and a validation notice, was sent to the plaintiff. Within the required 30-day timeframe, plaintiff sent a letter to the collection agency requesting validation of the debt. However, instead of receiving a response from the agency, plaintiff received another letter from one of the defendants that provided information on the debt and informed her that it had initiated a review of the inquiry it had received. The second letter also included a validation notice, which confused the plaintiff and resulted in her spending time and money ($3.95) to request validation again. Plaintiff filed suit accusing the defendants of violating the FDCPA and asserting that the second letter would lead a consumer to believe that they must re-dispute the debt. According to the plaintiff, the letter, among other things, used false, deceptive, misleading, and unfair or unconscionable means to collect or attempt to collect a debt. The defendants moved to dismiss for lack of standing, arguing that while the letter may have confused and alarmed the plaintiff, it did not cause her to initiate “any action to her detriment on account of her confusion.” The district court granted defendants’ motion to dismiss, ruling that the time and money spent on sending the second validation request did not rise to the level of detriment required for standing under the FDCPA, and that, moreover, it provided plaintiff with another opportunity to dispute the debt if she failed to properly do so the first time.
Disagreeing with the dismissal, the 7th Circuit wrote that the second postage fee (albeit modest in size) is the type of harm that Congress intended to protect consumers from when it enacted the FDCPA. “Money damages caused by misleading communications from the debt collector are certainly included in the sphere of interests that Congress sought to protect,” the appellate court stated, explaining that the second letter caused the plaintiff “to suffer a concrete detriment to her debt-management choices in the form of the expenditure of additional money to preserve rights she had already preserved.”
11th Circuit revises data breach negligence claim
The U.S. Court of Appeals for the Eleventh Circuit recently reversed the dismissal of a negligence claim brought against a Georgia-based airport retailer, determining that a company of its size and sophistication “could have foreseen being the target of a cyberattack.” Plaintiff, who used to work for the defendant, filed suit alleging the defendant failed to protect thousands of current and former employees’ sensitive personally identifiable information (PII), including Social Security numbers, from an October 2020 ransomware attack. Bringing claims for negligence and breach of implied contract on behalf of class members, plaintiff contended that not only should the defendant have protected the PII, but it also took several months for the defendant to notify affected individuals. A notice provided by the company claimed the attack only affected an internal, administrative system, but according to the plaintiff, the attacker uploaded the PII to third-party servers. Plaintiff was later informed that an unknown party used his Social Security number to file pandemic-related unemployment assistance claims under his name in Rhode Island and Kentucky. Plaintiff challenged that the defendant should have taken steps before the hack to better protect the information and that the alleged “harms he suffered were a foreseeable result of [defendant’s] inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining.” The district court disagreed and granted defendant’s motion to dismiss for failure to state a claim. Plaintiff appealed, arguing that “the district court demanded too much at the pleadings stage.”
On appeal, the 11th Circuit concluded, among other things, that the plaintiff could not have been expected to plead details about the defendant’s private data security policies. “We cannot expect a plaintiff in [this] position to plead with exacting detail every aspect of [defendant’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts,’” the appellate court wrote, noting that plaintiff had sufficiently pled the existence of a special relationship as well as a foreseeable risk of harm. However, the 11th Circuit affirmed dismissal of plaintiff’s claim for breach of implied contract, stating that he failed to allege any facts showing that the defendant agreed to be bound by a data retention or protection policy.
A few days later, the 11th Circuit issued an opinion saying class members in a different action should be allowed to amend their data breach negligence claim in light of the appellate court’s decision discussed above. The 11th Circuit wrote that the decision in the aforementioned case “undermined” the dismissal of plaintiff’s negligence claim alleging a defendant warehousing company allowed a data breach to occur because it failed to take appropriate measures to secure its network. Class members in this case also alleged their PII was improperly accessed during a ransomware attack. The appellate court agreed with class members’ contention that the defendant had failed to address a newly created legal standard for data breach negligence claims in its motion to dismiss: “Indeed, the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint to add more specific foreseeability allegations in response to [defendant’s] renewed motion to dismiss,” the appellate court wrote, reversing the denial of the motion for leave to amend.
Chopra says open-banking rule is coming
On June 12, CFPB Director Rohit Chopra announced that the agency is currently working to propose a rule that will assist consumers in making the switch to open banking. Chopra explained how consumers are “deadlocked” when it comes to control of their personal financial data, and consequentially cannot switch banks or apply for loans. Considering this issue, Chopra declared, “The CFPB is working to accelerate the shift to open banking through a new personal data rights rule intended to break down these obstacles, jumpstart competition, and protect financial data.” Chopra also discussed the topic of maintaining open market principles and stressed that the Bureau does not intend to micromanage this space but rather release consumers from a situation preventing them from participating in open banking. He ensured that open banking will generally be managed through standard-setting outside of the agency, and that the Bureau intends to safeguard fair standards at play. Chopra also shared his concerns about the power of large players in the market, warning that standard-setting organizations must consider consumers and smaller actors’ interests as well. The Bureau’s new rule will be open for comments in the coming months and is expected to finalize in 2024.
FTC submits annual enforcement report to CFPB
On June 7, the FTC announced that it submitted its 2022 Annual Financial Acts Enforcement Report to the CFPB. The report covers FTC enforcement activities regarding the Truth in Lending Act (TILA), the Consumer Leasing Act (CLA), and the Electronic Fund Transfer Act (EFTA). Highlights of the enforcement matters covered in the report include, among other things:
- Automobile purchase and financing. The report discussed an April 2022 settlement with a car dealership group, which resolved claims that the dealership group added on unwanted fees to consumers and allegedly failed to include details on repayment and annual percentage rates in advertising mailers. The settlement led to a redress sent to consumers.
- Payday lending. The report highlighted a settlement reached with a payday lending enterprise for allegedly overcharging consumers millions of dollars. The FTC claimed the enterprise made deceptive statements about the terms of their loan agreements and payments and withdrew funds from consumers’ accounts without consent. The order resulted in consumers receiving refunds.
- Credit repair and debt relief. The report included a settlement with the operators of a student loan debt relief scheme, who were charged with “falsely promising consumers it could lower or eliminate student loan balances, illegally imposing upfront fees for credit repair services, and signing consumers up for high-interest loans to pay the fees without making required loan disclosures in violation of the FTC Act and TILA.” The order also resulted in consumers receiving refunds.
- Other credit. The report detailed the first case involving the Military Lending Act, where a jewelry company was charged with allegedly charging military families illegal financing and using deceptive sales practices. Specifically, the company was charged with deceptively claiming that financing jewelry through the company would increase the consumer’s credit score, misrepresenting that their protection plans were required, and adding plans without the consumer’s consent. The company was also charged with failing to provide clear terms for preauthorized electronic fund transfers. The settlement required the company to provide refunds, stop collecting debt, and cease operations and dissolve.
Additionally, the FTC addressed rulemaking that is underway. The agency highlighted an impending ban on junk fees and bait and switch advertising tactics, and briefly discussed two advance notices of proposed rulemaking issued last October that would crack down on junk fees and fake reviews and endorsements. The FTC also highlighted the Military Task Force’s work on consumer protection issues.
DFPI highlights CCFPL enforcement actions
On June 8, the Department of Financial Protection and Innovation (DFPI) released its second annual report covering California Consumer Financial Protection Law (CCFPL) actions two years after the statute took effect. DFPI reported growth across rulemaking, enforcement, supervision, complaint handling, stakeholder outreach, and consumer education. It also developed several new department functions to support historically underserved communities.
According to the report, DFPI’s increased visibility in the consumer protection space has generated more consumer complaints, resulting in more enforcement actions. Compared to 2021, there was a 514 percent increase in CCFPL-related complaints (approximately 454 complaints), and an 85 percent increase in CCFPL-related investigations (approximately 196 investigations). Top complaint categories included debt collection and crypto assets, with student loan servicers and credit reporting closely following at third and fourth. To address these issues, DFPI opened 110 crypto-related investigations and launched a consumer alerts page on its website featuring 67 public actions and 65 consumer alerts.
Other key takeaways from the report include that DFPI (i) ordered more than $250,000 in penalties; (ii) ordered over $300,000 in restitution to consumers; (iii) brought its first two civil actions using CCFPL authority; (iv) had 105,000 people attend its outreach and education events; (v) published a notice of proposed rulemaking requiring providers of certain financial services and products to register with the DFPI; and (vi) chaptered two pieces of legislation adding to the laws that DFPI may enforce under the CCFPL.
OFAC sanctions network supporting Iran’s missile and military programs
On June 6, the U.S. Treasury Department’s Office of Foreign Assets Control announced sanctions, pursuant to Executive Order 13382, against seven individuals and six entities in Iran, China, and Hong Kong for supporting Iran’s ballistic missile program. These sanctions build on OFAC’s March 30, 2022, designations against other supporters of the Iran-based missile program (covered by InfoBytes here) in an effort to target weapons of mass destruction proliferators and their supporters. OFAC explained that the designated individuals and entities have done business with and supported the procurement of critical parts and technology for Iran’s ballistic missile development.
As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today pursuant to E.O. 13382 could be subject to U.S. sanctions.”