InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Dems ask regulators to address crypto’s “revolving door”
On October 24, Democratic lawmakers sent letters to the leaders of the SEC, CFTC, Treasury Department, Federal Reserve, FDIC, OCC and CFPB regarding concerns about “the revolving door between [] financial regulatory agencies and the cryptocurrency (crypto) industry.” In the letters, the lawmakers argued “that the crypto revolving door risks corrupting the policymaking process and undermining the public’s trust in our financial regulators.” The letters also noted that Treasury saw the most movement from the Treasury Department, with 31 former employees joining the crypto industry. The SEC was second with 28 former employees, according to Tech Transparency Project. The lawmakers argued that “Americans should be able to trust that financial rules are crafted to reduce risk, improve security, and ensure the fair and efficient functioning of the market,” and that “Americans should be confident that regulators are working on behalf of the public, rather than auditioning for a high-paid lobbying job upon leaving government service.” The letters requested that the agencies provide information by November 7, including answers to inquiries about each agency’s ethics guidelines and polices in place to protect the agency from being influenced by current or former employees’ potential conflicts of interest.
Fed releases study on racial bias in mortgage lending
Recently, the Federal Reserve Board published a study titled How Much Does Racial Bias Affect Mortgage Lending? Evidence from Human and Algorithmic Credit Decisions. Using confidential supervisory data collected under HMDA to estimate the extent of racial and ethnic discrimination in mortgage lending, the study found that racial bias has played “a limited role” in recent years in generating disparities seen in mortgage lending denials. The researchers acknowledged that as a self-reporting mechanism, HDMA reports may not reflect reality, “as a lender engaged in illegal discrimination would be unlikely to explicitly admit this.” The study also analyzed denial rates among fintech lenders, finding that by automating more of the application process, fintech firms have the potential to decrease racial discrimination. The study also found that excess denials are higher at fintech lenders, which is “the opposite result we would expect if excess denials reflect racially biased human judgment.” Additionally, the study found that group differences in risk characteristics drive most of the disparities in credit access. The study showed that Black and Hispanic applicants tend to be more leveraged and have much lower credit scores. Both groups of applicants are “less likely to receive algorithmic approval recommendations from government automated underwriting systems (AUS) than white applicants,” the study found. The study also noted caveats, such as that the researchers “only study discrimination in approval decisions conditional on formally applying.”
DOE announces PSLF changes
On October 25, the Department of Education (DOE) announced executive actions intended to bring loans managed by the DOE closer to forgiveness, including credit toward the Public Service Loan Forgiveness (PSLF) Program for borrowers who have qualifying employment. According to the DOE, these actions will provide borrowers with many of the same benefits already going to those who have applied for PSLF under temporary changes (known as the Limited PSLF Waiver), before its October 31, 2022 end date. The announcement further noted that borrowers with Direct Loans or DOE-managed Federal Family Education Loans (FFEL) will receive credit toward forgiveness on income-driven repayment (IDR) for all months spent in repayment, including payments prior to consolidation, regardless of whether they made partial or late payments or are on a repayment plan. Borrowers will also receive credit for specific periods in deferment and forbearance. Even with these actions, the DOE encouraged borrowers to take the necessary steps to apply for the Limited PSLF Waiver by October 31. The DOE also released a Fact Sheet outlining benefits for borrowers who have Direct or DOE-managed FFEL loans as well as Direct Loan borrowers seeking PSLF.
FTC’s proposed breach order would apply personally to CEO
On October 24, the FTC announced an action against a company operating an online alcohol marketplace and its CEO related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. The FTC alleged in its complaint that the respondents were alerted to problems with the company’s data security procedures following an earlier security incident in 2018, which involved hackers accessing company servers to mine cryptocurrency until the company changed its cloud computing account login information. According to the FTC, the company failed to take appropriate measures to address its security problems, but publicly claimed it had appropriate security protections in place. Two years later, an employee account was breached, thus allowing a hacker to gain access to login information, hack into the company’s database, and steal customers’ information. Among other things, the respondents allegedly violated the FTC Act by (i) failing to implement basic security measures or put in place reasonable safeguards to secure the personal information it collected and stored; (ii) storing critical database information, including login credentials, on an unsecured platform; (iii) failing to monitor its network for security threats or unauthorized attempts to access or remove personal data; and (iv) exposing customers to hackers, identity thieves, and malicious actors who use personal information to open fraudulent lines of credit or commit other fraud.
Under the terms of the proposed decision and order, the respondents will be required to take several measures to prevent further violations, including destroying unnecessary personal data, limiting future data collection to what is necessary for specifically outlined purposes, and implementing a comprehensive information security program. As part of these requirements, the respondents must establish security safeguards to protect against the identified security incidents, such as providing employees security training, designating a high-level employee to oversee the company’s information security program, implementing controls on who is able to access personal data, and requiring multi-factor authentication in order to access databases and other assets containing consumer data.
Notably, the FTC said in its announcement that the proposed order applies personally to the individual respondent who presided over the company’s insufficient data security practices. The FTC explained that the proposed order will follow the individual respondent even if he leaves the company, and that he “will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals” where the individual respondent “is a majority owner, CEO, or senior officer with information security responsibilities.”
FHFA announces validation of FICO 10T and VantageScore 4.0 for GSE use
On October 24, FHFA announced the validation and approval of both the FICO 10T credit score model and the VantageScore 4.0 credit score model for use by Fannie Mae and Freddie Mac (GSEs). The agency also announced that the GSEs will require two credit reports from the national consumer reporting agencies, rather than three. According to the announcement, FHFA expects implementation of FICO 10T and VantageScore 4.0 to be a multiyear effort, but once in place, lenders will be required to deliver both FICO 10T and VantageScore 4.0 credit scores with each loan sold to the GSEs. FHFA noted that FICO 10T and VantageScore 4.0 are more accurate than the classic FICO model because they include payment history for factors like rent, utilities, and telecommunications. FHFA also released a Fact Sheet on the newly approved models, which “will improve accuracy, strengthen access to credit, and enhance safety and soundness.”
States launch investigation into banks’ ESG investing and banking
On October 19, a coalition of 19 state attorneys general, led by Missouri, Arizona, Kentucky, and Texas, announced that six large U.S. banks were served civil investigative demands (CIDs) asking for information related to their involvement with the U.N.’s Net-Zero Banking Alliance (NZBA). The Missouri AG’s office, which has led the opposition against ESG (environmental, social, governance) investing and banking practices, stated that NZBA-member banks are required to set emissions reduction targets in their lending and investment portfolios to reach net zero by 2050. According to the Missouri AG, the NZBA serves to “starve companies engaged in fossil fuel-related activities of credit on national and international markets” by requiring banks to cede authority to the U.N. The CIDs seek information from the banks on topics related to, among other things, (i) their involvement in affiliated global climate initiatives; (ii) how NZBA and Principles for Responsible Banking objectives have been incorporated into their operations; and (iii) the extent to which the banks have fulfilled their “commitment to ‘facilitat[e] the necessary transition in the real economy through prioritizing client engagement and offering products and services to support clients’ transition,’” as well as their “commitment to ‘engag[e] on corporate and industry (financial and real economy) action, as well as public policies, to help support a net-zero transition of economic sectors in line with science and giving consideration to associated social impacts.’”
FAFT restricts Russia’s membership, takes action on corruption and drug trafficking
On October 20, the U.S. Treasury Department announced that the Financial Action Task Force (FATF) concluded its first plenary of the Singaporean presidency, in which it, among other things, took steps to combat corruption and illegal fentanyl trafficking and enhance financial transparency. During the meeting, FATF agreed to seek public input on draft guidance for implementing the FATF standard on beneficial ownership transparency for legal persons. The efforts to improve transparency in beneficial ownership “seek to improve the ability of law enforcement to trace, report, and seize illicit proceeds, and to make it harder for criminals and others to exploit opaque legal structures such as shell companies to hide and launder the proceeds of their crimes.” FATF also adopted a U.S.-led report on money laundering related to the illicit trafficking of synthetic opioids, including fentanyl, which provides information and best practices so that law enforcement and financial investigators around the world can expand their work on complex, cross-border money laundering investigations involving the proceeds of drug trafficking. The FATF also agreed to additional restrictions on the membership rights of the Russian Federation due to its war against Ukraine, including by barring them from participating in current and future FATF project teams.
France fines facial recognition company €20 million for GDPR violations
On October 20, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €20 million penalty against a facial recognition company for violating the EU’s General Data Protection Regulation (GDPR). In 2020, CNIL opened an investigation after receiving complaints from individuals about the company’s facial recognition software. CNIL stated in its announcement that it cooperated with its European counterparts to share the results of the investigations, as each authority is permitted to act on its own territory since the company has no establishment in Europe. The investigations identified several violations of the GDPR, including that the company allegedly unlawfully processed personal biometric data without a legal basis (a breach of article 6 of the GDPR), and failed to take into account an individual’s rights in an “effective and satisfactory way”—particularly with respect to requests for access to their data (a breach of articles 12, 15 and 17 of the GDPR). A formal notice was issued to the company last year requiring it to stop collecting and using data belonging to persons on French territory without a legal basis. The company was also ordered to “facilitate the exercise of individuals’ rights and to comply with requests for erasure.” CNIL contended that after the company failed to respond to the formal notice, it referred the matter to a restricted committee for sanctions.
The restricted committee imposed the maximum financial penalty (€20 million) under article 83 of the GDPR, and ordered the company “to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months.” Failure to comply within this time frame will result in a €100,000 penalty per day of delay. The restricted committee also cited the company for breaching its obligation to cooperate with CNIL.
District Court grants FDCPA defendant’s motion for summary judgment
On October 18, the U.S. District Court for the Eastern District of Pennsylvania granted a second summary judgment motion by a debt collection agency (defendant) in an FDCPA suit, after the plaintiff filed a motion for reconsideration, ruling that a collection letter sent to the plaintiff was not false, deceptive, misleading, unfair or unconscionable. According to the order, the plaintiff received two bills after being treated at a hospital for an automobile accident: one in the amount of $675, which was adjusted from $900 because the plaintiff lacked insurance, and a second bill from a doctor’s network for $468. The hospital placed the unpaid account with the defendant who in turn sent a collection letter to the plaintiff, which was the only contact between the plaintiff and the defendant. The plaintiff filed suit, alleging that under Pennsylvania’s Motor Vehicle Financial Responsibility Law the defendant was permitted to attempt to collect only $141.15, and that its failure to do so violated the FDCPA. This value was based on the Current Procedural Terminology (CPT) code associated with the doctor’s network bill, but the hospital’s bill did not contain a CPT code. The district court found that the plaintiff did not demonstrate any material issue of disputed fact that the services provided by the hospital were or should have been billed under the same CPT code as the doctor’s network bill, nor did the plaintiff provide sufficient evidence to prove that the amount billed by the hospital violated state law, and therefore, granted the defendant’s motion for summary judgment.
7th Circuit: Plaintiff lacks standing to bring FCRA claim on credit report disputes
On October 18, the U.S. Court of Appeals for the Seventh Circuit affirmed dismissal of an FCRA action in favor of a defendant bank. According to the opinion, the plaintiff real estate investor obtained a loan secured by a mortgage from the defendant bank. The mortgage required the plaintiff to maintain a certain level of hazard insurance or the defendant bank could lender-place such insurance, with the cost of the lender-placed insurance amounts becoming additional debt secured by the mortgage. After the plaintiff underpaid on his flood insurance premiums, the defendant bank obtained lender-placed insurance. When the plaintiff did not pay the increased monthly payment associated with the lender-placed insurance amounts in full, the defendant bank informed the plaintiff that he was in default and that the entire amount of the loan would be accelerated if the default was not cured. While the plaintiff continued to submit partial payments, the defendant began reporting certain 2011 payments as 60 days or more late to the credit reporting agencies (CRAs). In 2012, the plaintiff disputed these purportedly late payments with the CRAs.
The plaintiff sued claiming, among other things, that the defendant violated the FCRA by failing to responsibly investigate the 2012 disputes. On appeal, after determining that the district court did not abuse its discretion by failing to rely on unsupported statements in the plaintiff's affidavit, the 7th Circuit found that the district court erred in requiring the plaintiff to prove damages as an element of his FCRA claim. However, the appellate court held that the plaintiff ultimately lacked standing to bring a claim under the FCRA because, as the appellate court highlighted, the injury that the plaintiff alleged—a decrease in his credit score in November 2011—could not be fairly traced to the defendant’s alleged action—a failure to reasonably investigate credit reporting disputes in January 2012.