
InfoBytes Blog

Financial Services Law Insights and Observations


  • Pennsylvania amends remote work definition

    On November 3, the Pennsylvania governor signed HB 2667, which amends the definition of “remote location” in the Pennsylvania Consolidated Statutes. In order for a mortgage loan originator sponsored by a licensee to be permitted to work from a “remote location,” the location must meet certain criteria. The amended definition includes a prohibition against “in-person consumer interaction” that is limited to “in-person consumer interaction” at a mortgage loan originator’s personal residence. It also removes a requirement for a “remote location” to maintain “physical records regarding the licensee’s mortgage loan business . . . at the location.” The bill is effective immediately.

    Licensing State Issues Pennsylvania State Legislation Mortgages Mortgage Origination

  • Debt collection company issued a CDO for operating without a license

    On November 3, the Massachusetts Division of Banks issued a cease directive to a formerly-licensed debt collector company for allegedly operating for more than six years without a license. According to the order, the debt collecting company was a foreign company conducting business in Massachusetts with a main address in Florida. According to records maintained on file with the Division and the NMLS, the Commissioner initially issued a debt collector license to the company to engage in the business of debt collection in Massachusetts on or about January 14, 2010. In December 2012, the debt collector license expired due to the company's failure to respond to license items placed on the NMLS account of the company. In May 2013, the debt collector license was placed into a status of “Terminated – Expired.” During an examination of a separate debt collector licensee, the Division became aware that the company continued to engage in now unlicensed debt collection activity in Massachusetts on behalf of the licensee being examined. As a result, the Division directed the company to immediately cease collecting debts on any accounts in Massachusetts until it obtained the proper license to do so. The company was also directed to provide a complete record of all funds collected from Massachusetts consumers from January 2019 through November 3, 2022, as well as a detailed record of the Massachusetts accounts it is holding for collection. The company can request a hearing to contest the Division’s allegations and has 30 days from November 3 to request such a hearing. If it does not do so or fails to appear at a scheduled hearing, it will be deemed to have consented to the issuance of the cease directive.

    Licensing State Issues Massachusetts Enforcement Debt Collection

  • Delaware enacts licensing legislation

    On November 2, the Delaware governor signed SB 296, which increases the threshold for licensed property appraisers so that they may appraise complex one to four residential units valued up to $400,000. Among other things, the bill also amends the requirements for licensure and registration, such as that property appraisers must renew their licenses every other year instead of yearly, whereas appraisal management companies are now required to reregister and certify annually, rather than biennially. The bill is effective immediately.

    Licensing State Issues State Legislation Delaware Appraisal Appraisal Management Companies

  • California DFPI concludes MTA licensure not required for crypto exchange

    On November 3, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to a cryptocurrency exchange’s transactions. The redacted opinion letter examines whether the inquiring company’s proposed business activities—which “will offer the purchase, sale, and trading of various cryptocurrencies using a platform provided by its affiliate and in conjunction with another affiliate that is a . . . registered broker-dealer”—are exempt from the MTA. Transactions on the company’s platform will involve the use of the company’s tokenized version of the U.S. dollar. Customers will deposit U.S. dollar funds into a company account where an equivalent amount of tokens will be created and used to facilitate a trade for cryptocurrency. The tokens can also be exchanged for U.S. dollars, or customers can hold the tokens in their wallet. According to the letter, the company says it “does not take custody of its client’s currencies or offer digital wallets,” but rather a “client’s digital wallet is directly linked to the platform and transacts on a peer-to-peer basis with other clients.” In addition to trading cryptocurrencies, the company also plans to allow customers to “trade in cryptographic representations of publicly listed securities,” thereby permitting customers to purchase, sell, or trade the securities tokens on the platform. The company will also be able to transfer customers’ shares of securities tokens from the platform to a customer’s traditional brokerage account. The company explained that these transactions of securities tokens will be covered by the company’s affiliate’s broker-dealer license.

    DFPI concluded that because the Department has not yet “determined whether the issuance of tokenized versions of the U.S. Dollar or securities, or their use to trade cryptocurrencies, is money transmission,” it will not require the company to obtain an MTA license in order to perform the aforementioned services or to issue tokenized versions of the U.S. dollar or securities. DFPI noted, however, that its conclusions are subject to change, and emphasized that its letter does not address whether the proposed activities are subject to licensure or registration under other laws, including the Corporate Securities Law of 1968.

    Licensing State Issues Digital Assets DFPI California State Regulators Money Service / Money Transmitters Cryptocurrency California Money Transmission Act

  • CFPB analyzes crypto complaints

    Federal Issues

    On November 10, the CFPB released a consumer complaint bulletin analyzing consumer complaints related to crypto-assets that the Bureau received from October 2018 to September 2022. According to the report, the Bureau received more than 8,300 complaints, with the greatest number of complaints coming from California. Among the complaints, the most common issue consumers identified was fraud and scams, followed by transaction issues. Additionally, analysis suggests that complaints related to crypto-assets may increase when the price of Bitcoin and other crypto-assets increases. The report noted that consumers had issues with accessing funds in their accounts due to identity verification issues, security holds, or technical issues with platforms. The Bureau also reported that customer service issues were a common theme across crypto-related complaints. Other highlights of the report included, among other things, that: (i) crypto-assets are often targeted in romance scams, where scammers play on a victim’s emotions to extract money; (ii) crypto-assets are a common target for hacking; (iii) older consumers report a higher rate of crypto-asset related frauds and scams compared to complaints overall; and (iv) crypto-asset complaints and fraud reports have also been increasing at the FTC and SEC. The Bureau also provided steps for consumers to take to protect themselves, such as watching for signs of a scam, reporting suspicious FDIC insurance claims, and submitting a complaint to the CFPB.

    Federal Issues Digital Assets CFPB Consumer Complaints Cryptocurrency

  • FTC looks to Section 5 in enforcing “unfair” competition

    Federal Issues

    On November 10, the FTC issued a policy statement announcing that it would “rigorously enforc[e] the federal ban on unfair methods of competition.” According to the announcement, the FTC intends to make wider use of the FTC Act to police companies that use unfair tactics to try to gain a competitive advantage. “When Congress created the FTC, it clearly commanded us to crack down on unfair methods of competition,” FTC Chair Lina M. Khan said. “Enforcers have to use discretion, but that doesn’t give us the right to ignore a central part of our mandate. Today’s policy statement reactivates Section 5 and puts us on track to faithfully enforce the law as Congress designed.” In enacting Section 5, Congress purposely introduced the phrase “unfair methods of competition” in the statute to distinguish the FTC’s authority from the definition of “unfair competition” at common law, the policy explained, adding that Section 5 was designed to extend beyond the reach of antitrust laws. However, recognizing that a static definition would become outdated, Congress afforded the FTC flexibility to adapt to changing circumstances. The policy statement lays out the FTC’s approach for policing unfair methods of competition, and will allow the Commission to, among other things, sue companies under its mandate to protect consumers from fraudulent practices, price discrimination, exclusive deals and loyalty rebates, and misleading business practices such as commercial bribery and false or deceptive advertising.

    Federal Issues Agency Rule-Making & Guidance FTC Unfair FTC Act Competition Antitrust

  • Chopra discusses SIFI risks

    Federal Issues

    On November 9, CFPB Director and FDIC Board Member Rohit Chopra delivered remarks before the FDIC Systemic Resolution Advisory Committee to discuss challenges facing systemically important financial institutions. Chopra began by raising concerns related to domestic systemically important banks (DSIBs) and the potentially disruptive impact facing consumers and small businesses should one of these banks fail. Chopra explained that, because DSIBs are heavily involved in retail banking with large consumer businesses and carry relatively high levels of uninsured deposits, “DSIB resolutions could pose serious technical challenges for the FDIC” that would necessitate serious consideration. Chopra also pointed out concerns raised by many experts that a large number of nonbank systemically important financial institutions (which have not yet been formally designated by the Financial Stability Oversight Council) pose systemic risk to the financial system. “Absent a designation, these institutions are not required to file a resolution plan,” Chopra said, noting that “[r]esolving these institutions without a plan would be an enormous challenge.” He also emphasized the importance of finding ways to eliminate bailout risks for global systemically important banks.

    Federal Issues Bank Regulatory CFPB FDIC DSIB Nonbank FSOC GSIBs

  • CFPB tells CRAs, furnishers to investigate disputes

    Agency Rule-Making & Guidance

    On November 10, the CFPB issued Circular 2022-07 to outline how federal and state consumer protection enforcers can bring claims against companies that fail to investigate and resolve consumer report disputes. According to the Bureau, consumer reporting agencies (CRAs) and some furnishers have failed to conduct reasonable investigations of consumer disputes. The Circular affirmed that CRAs and furnishers must reasonably investigate all disputes that they have not reasonably determined to be frivolous or irrelevant, and may be liable under the Fair Credit Reporting Act if they fail to do so. Additionally, the Circular noted that claims can be pursued by both state and federal consumer protection enforcers and regulators. The Circular also described that enforcers can “bring a claim if a consumer reporting agency fails to promptly provide to the furnisher ‘all relevant information’ regarding the dispute that the consumer reporting agency receives from the consumer.” On the topic of whether CRAs need to forward to furnishers consumer-provided documents attached to a dispute, the Circular noted that “[i]t depends.” The Circular then explained that even “[w]hile there is not an affirmative requirement to specifically provide original copies of documentation submitted by consumers, it would be difficult for a consumer reporting agency to prove they provided all relevant information if they fail to forward even an electronic image of documents that constitute a primary source of evidence.”

    Agency Rule-Making & Guidance Federal Issues CFPB Consumer Finance Consumer Reporting Agency Credit Furnishing

  • 3rd Circuit says defendants conducted reasonable investigations into FCRA claims

    Courts

    On November 9, the U.S. Court of Appeals for the Third Circuit affirmed a district court’s summary judgment ruling in favor of defendants in an FCRA reasonable investigation suit. According to the opinion, the plaintiff obtained a credit card from one of the defendants, exceeded her credit limit, and was past due on payments. Another of the defendants (furnishing defendant) acquired her account and reported the outstanding debt to the consumer reporting agencies (CRAs). Plaintiff disputed the tradeline as inaccurate with two of the CRAs, claiming several alleged inaccuracies, including that the date the account was opened and the original balance were inaccurate, and the payment history was incomplete, among other things. The CRAs notified the furnishing defendant of the disputes, and the furnishing defendant conducted an investigation in accordance with its FCRA dispute policies and procedures, which revealed that the account status, payment history, current balance, amount past due, and account number were accurate. Discrepancies in the spelling of the plaintiff’s name and street address were corrected, however. It was not until after the plaintiff sued the defendants for violations of the FCRA that she asserted the furnishing defendant should have been aware she was enrolled in a credit protection program and that it was therefore liable for the original creditor’s failure to apply the program’s benefits to her credit card account. The opinion noted that the plaintiff also filed a “similarly vague dispute” against a student loan servicer for allegedly misreporting information about her account with the CRAs.

    In agreeing with the district court, the 3rd Circuit concluded that summary judgment in favor of the defendants was properly granted as the plaintiff “failed to introduce any direct or circumstantial evidence” showing either of the defendants failed to “conduct reasonable investigations with respect to the disputed information.” Additionally, the plaintiff’s disputes were vague and failed to provide specifics as to the alleged errors or explain why the information was inaccurate or incomplete. “To the extent that [plaintiff] claims that the investigations were unreasonable because a reasonable investigation would have revealed the inaccuracies alleged, her conclusory assertion is insufficient to defeat summary judgment,” the appellate court wrote.

    Courts Appellate Third Circuit FCRA Consumer Finance Consumer Reporting Agency

  • NYDFS amends cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”

    Some changes within the proposed amended regulation include:

    • New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (includes both the covered entity and all affiliates despite the location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
    • Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
      • The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
      • The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
      • The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
      • If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
    • Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
    • Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
    • Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
    • Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
      • Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory. At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
      • Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
      • Multi-Factor Authentication: The proposed amendment expands the type of accounts and access types that require multi-factor authentication, to include all privileged accounts.
      • Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
    • Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent within 90 days of the notice of the cybersecurity event “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would also be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
    • Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.

    The proposed amended regulation is subject to a 60-day comment period beginning on November 8th upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. As the comment period ends, NYDFS will then review received comments and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply except as otherwise specified.

    See continuing InfoBytes coverage on 23 NYCRR Part 500 here.

    Privacy, Cyber Risk & Data Security Bank Regulatory Agency Rule-Making & Guidance State Issues New York NYDFS 23 NYCRR Part 500
