InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
10th Circuit: Payday lender must pay $38.4 million restitution order
On September 15, the U.S. Court of Appeals for the Tenth Circuit affirmed the CFPB’s administrative ruling against a Delaware-based online payday lender and its founder and CEO (respondents/petitioners) regarding a 2015 administrative enforcement action that alleged violations of the Consumer Financial Protection Act (CFPA), TILA, and EFTA. As previously covered by InfoBytes, in 2015, the CFPB announced an action against the respondents for alleged violations of TILA and the EFTA, and for engaging in unfair or deceptive acts or practices. Specifically, the CFPB alleged that, from May 2008 through December 2012, the online lender (i) continued to debit borrowers’ accounts using remotely created checks after consumers revoked the lender’s authorization to do so; (ii) required consumers to repay loans via pre-authorized electronic fund transfers; and (iii) deceived consumers about the cost of short-term loans by providing them with contracts that contained disclosures based on repaying the loan in one payment, while the default terms called for multiple rollovers and additional finance charges. The order required the respondents to pay $38.4 million as both legal and equitable restitution, along with $8.1 million in penalties for the company and $5.4 million in penalties for the CEO.
According to the opinion, between 2018 and 2021, the U.S. Supreme Court issued four decisions, Lucia v. SEC (covered by InfoBytes here), Seila Law v. CFPB (covered by a Buckley Special Alert here), Liu v. SEC (covered by InfoBytes here), and Collins v. Yellen (covered by InfoBytes here), which “bore on the Bureau’s enforcement activity in this case,” by “decid[ing] fundamental issues such as the Bureau’s constitutional authority to act and the appointment of its administrative law judges (‘ALJ’).” The decisions led to intermittent delays and restarts in the Bureau’s case against the petitioners. For instance, the opinion noted that two different ALJs decided the present case years apart, with their recommendations separately appealed to the Bureau’s director. The CFPB’s director upheld the decision by the second ALJ and ordered the lender and its owner to pay the restitution, and a district court issued a final order upholding the award. The petitioners appealed.
On appeal, the petitioners made three substantive arguments for dismissing the director’s final order. The petitioners argued that under Seila, the CFPB’s structure was unconstitutional and therefore the agency did not have authority to issue the order. The appellate court disagreed, stating that it is “to use a ‘scalpel rather than a bulldozer’ in remedying a constitutional defect,” and that “because the Director’s actions weren’t unconstitutional, we reject Petitioners’ argument to set aside the Bureau’s enforcement action in its entirety.”
The petitioners also argued that the enforcement action violated their due-process rights by denying the CEO additional discovery concerning the statute of limitations. The petitioners claimed that they were entitled to a “new hearing” under Lucia, and that the second administrative hearing did not rise to the level of due process prescribed in that case. The appellate court determined that there was “no support for a bright-line rule against de novo review of a previous administrative hearing," nor did it see a reason for a more extensive hearing. Moreover, the petitioners “had a full opportunity to present their case in the first proceeding,” the 10th Circuit wrote. The appellate court further rejected the company’s argument regarding various evidentiary rulings, including permitting evidence about the company’s operational expenses, among other things. The appellate court also concluded that the CFPA’s statute of limitations commences when the Bureau either knows of a violation or, through reasonable diligence, would have discovered the violation. Therefore, the appellate court rejected the argument “that the receipt of consumer complaints triggered the statute of limitations.”
The petitioners also challenged the remedies order, claiming they were not allowed “to present evidence of their good-faith reliance on counsel (as to restitution and civil penalties) and evidence of their expenses (as to the Director’s residual disgorgement order).” The appellate court rejected that challenge, holding that the director properly considered all factors, including good faith, and rejected the petitioners’ challenge to the ALJ’s recommended civil penalties.
The 10th Circuit affirmed the district court’s order of a $38.4 million restitution award, rejecting the petitioners’ various challenges and affirming the director’s order.
OCC announces Alaska and Puerto Rico disaster relief
On September 19, the OCC issued proclamations (see here and here) permitting OCC-regulated institutions, at their discretion, to close offices affected by flooding in Alaska and Hurricane Fiona in Puerto Rico “for as long as deemed necessary for bank operation or public safety.” The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close, and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.
CFPB examines relationship between high vehicle costs and loan performance
On September 19, the CFPB published a blog post exploring the potential relationship between high vehicle costs and changes in auto loan characteristics and performance, particularly with respect to consumers with near-prime or subprime credit scores. The Bureau reported that the average vehicle price increased over the past two years, particularly throughout 2021, and that data from the Bureau’s Consumer Credit Panel showed that an increase in the size of newly originated auto loans coincided with a spike in vehicle price. The blog post also highlighted a recent Federal Reserve Bank of New York report, which found that higher vehicle prices are a significant factor driving larger loan amounts. “The dollar value of outstanding auto loans increased by $33 billion between the first and second quarters of 2022 to $1.5 trillion outstanding,” the report said, noting that the increase “is due in large part to larger loan originations rather than by an increase in the number of loans.” The Bureau also reported that recent data has shown that delinquency rates, especially for low-income borrowers, has increased over the past year. While the Bureau said it cannot fully infer that the end of pandemic-related stimulus policies or inflationary pressures are possible explanations for the rise in delinquency rates, the agency said it “cannot ignore the relationship between larger loan amounts and increasing interest rates to consumer’s monthly budgets and some consumers’ struggle to stay current on their loans.” The Bureau stressed, however, that while current data provides insight into broad indicators, it “lacks the granularity to isolate specific economic trends or to fully explore the impact on subsets of consumers.” The agency said it will continue to seek data that allows for better visibility in this market and will remain focused on ensuring that the auto lending market is fair, transparent, and competitive.
SEC proposes new rules for clearing agencies
On September 14, the SEC announced a proposed rule regarding risk management practices for central counterparties in the U.S. Treasury Department market. Among other things, the proposed rule would update the membership standards required of covered clearing agencies for the Treasury market with respect to a member’s clearance and settlement of specified secondary market transactions. Specifically, the proposal would require that clearing agencies in the U.S. Treasury market adopt policies and procedures designed to require their members to submit for clearing certain specified secondary market transactions, which would include: “all repurchase and reverse repurchase agreements collateralized by U.S. Treasury securities entered into by a member of the clearing agency; all purchase and sale transactions entered into by a member of the clearing agency that is an interdealer broker; and all purchase and sale transactions entered into between a clearing agency member and either a registered broker-dealer, a government securities broker, a government securities dealer, a hedge fund, or a particular type of leveraged account.” According to a statement by SEC Chair Gary Gensler, the proposed rule would “reduce risk across a vital part of our capital markets in both normal and stress times.” The SEC also released a Fact Sheet providing more information on the proposal. Comments are due 60 days after publication in the Federal Register.
OFAC issues sanctions, general licenses, and FAQs on Russia’s invasion of Ukraine
On September 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), in coordination with the Departments of Commerce and State, announced sanctions against 22 individuals and two entities connected to Russia’s invasion of Ukraine. According to OFAC, the designated persons include multiple individuals who have furthered the Government of the Russian Federation’s objectives in Ukraine, both prior to and during Russia’s invasion of Ukraine in 2022. Also included among those designated is a neo-Nazi paramilitary group that has aided Russia’s military in Ukraine, and two of the group’s senior leaders. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC further noted that “transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt,” which “include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.”
The same day, OFAC issued Russia-related General License (GL) 51, authorizing the wind down of transactions involving the Limited Liability Company Group of Companies Akvarius, and GL 52, which relates to journalistic activities and the establishment of news bureaus. According to the GL 51, “all transactions ordinarily incident and necessary to the wind down of any transaction involving Limited Liability Company Group of Companies Akvarius (Aquarius), or any entity in which Aquarius owns, directly or indirectly, a 50 percent or greater interest, that are prohibited by Executive Order (E.O.) 14024,” are authorized as of October 15, subject to certain qualifications. According to GL 52, “news reporting organizations that are U.S. persons, and individual U.S. persons who are journalists or broadcast or technical personnel, are authorized to engage in certain transactions where such transactions are ordinarily incident and necessary to such U.S. persons’ journalistic activities or to the establishment or operation of a news bureau and are prohibited” by E.O. 14024, subject to certain qualifications.
Additionally, OFAC published several frequently asked questions clarifying “Russian Harmful Foreign Activities Sanctions,” which include guidance on the use of the National Payment Card System (NSPK) or the Mir National Payment System given the broad sanctions imposed on Russia’s financial system this year.
CISA urges companies to take action to combat malicious cyber activity
On September 14, the Cybersecurity and Infrastructure Security Agency, along with several other federal agencies and international partners, released a joint cybersecurity advisory (CSA) highlighting continued malicious cyber activity taken by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). The CSA recommended that companies continually test their security programs to protect against longstanding online threats that may arise from IRGC-affiliated actors known for exploiting vulnerabilities for ransom operations. “Our unified purpose is to drive timely and prioritized adoption of mitigations and controls that are most effective to reducing risk to all cyber threats,” CISA said in its announcement. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson added that the U.S. Treasury Department “is dedicated to collaborating with other U.S. government agencies, allies, and partners to combat and deter malicious cyber-enabled actors and their activities, especially ransomware and cybercrime that targets economic infrastructure.” He noted that the CSA provides information on specific tactics, techniques, and procedures used by IRGC-affiliated actors, and advised both the public and private sector to use the information to strengthen cybersecurity resilience and reduce the risk of ransomware incidents. Organizations are encouraged to review a 2021 Treasury advisory, which highlights the sanctions risks associated with ransomware payments and provides steps for companies to take to mitigate the risk of being a victim of ransomware (covered by InfoBytes here).
California adopts “first-in-nation” act to safeguard children’s online data and privacy
On September 15, the California governor signed into law the California Age-Appropriate Design Code Act (the Act), calling it the “first-in-nation” bill to protect children’s online data and privacy. AB 2273 establishes new legal requirements for businesses that provide online products and services that are “likely to be accessed by children” under 18 years of age based on certain factors. These factors include whether the feature is: (i) “directed to children,” as defined by the Children’s Online Privacy Protection Act (COPPA); (ii) “determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children”; (iii) advertised to children; (iv) is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children; (v) designed to appeal to children; or (vi) determined to be, based on internal company research, significantly accessed by children. Notably, in contrast to COPPA, the Act more broadly defines “child” as a consumer who is under the age of 18 (COPPA defines “child” as an individual under 13 years of age).
The Act also outlines specific requirements for covered businesses, including:
- Businesses must configure all default privacy settings offered by the online service, product, or feature to one that offers a high level of privacy, “unless the business can demonstrate a compelling reason that a different setting is in the best interests of children”;
- Businesses must “concisely” and “prominently” provide clear privacy information, terms of service, policies, and community standards suited to the age of the children likely to access the online service, product, or feature;
- Prior to offering any new online services, products, or features that are likely to be accessed by children before July 1, 2024, businesses must complete a Data Protection Impact Assessment (DPIA) on or before the same date. Businesses must also document any “risk of material detriment to children” that arises from the DPIA, create a mitigation plan, and, upon written request, provide the DPIA to the state attorney general;
- Businesses must “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers”;
- Should an online service, product, or feature allow a child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, businesses must provide an obvious signal to the child when the child is being monitored or tracked;
- Businesses must “[e]nforce published terms, policies and community standards established by the business, including, but not limited to, privacy policies and those concerning children”; and
- Businesses must provide prominent, accessible, and responsive tools to help children (or their parents/guardians) exercise their privacy rights and report concerns.
Additionally, covered businesses are prohibited from using a child’s personal information (i) in a way that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health, or well-being; or (ii) for any reason other than a reason for which the personal information was collected, unless a business can show a compelling reason that using the personal information is in the “best interests of children.” The Act also places restrictions on profiling, collecting, selling, or sharing children’s geolocation data, or using dark patterns to encourage children to provide personal information beyond what is reasonably expected.
The Act also establishes the California Children’s Data Protection Working Group, which will study and report to the legislature best practices for implementing the Act, and will also, among other things, evaluate ways to leverage the expertise of the California Privacy Protection Agency in the long-term development of data privacy policies that affect the privacy, rights, and safety of children online. The state attorney general is tasked with enforcing the Act and may seek an injunction or civil penalty against any business that violates its provisions. Violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation, and up to $7,500 per affected child for each intentional violation; however, businesses may be provided a 90-day cure period if they have achieved “substantial compliance” with the Act’s assessment and mitigation requirements.
The Act takes effect July 1, 2024.
FDIC announces Arizona disaster relief
On September 15, the FDIC issued FIL-41-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Salt River Pima-Maricopa Indian Community (Arizona) affected by severe storms from July 17-18. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.
OCC reports on mortgage performance
On September 15, the OCC released a report on the performance of first-lien mortgages in the federal banking system during the second quarter of 2022, providing information on mortgage performance through June 30. According to the OCC, 97 percent of mortgages were current and performing at the end of the quarter, compared to 95 percent a year earlier. The percentage of seriously delinquent mortgages was 1.5 percent in the second quarter of 2022, compared to 1.8 percent in the prior quarter and 3.8 percent a year ago. The report also found that servicers completed 28,109 modifications in the second quarter of 2022—a decrease of 33.7 percent from the previous quarter. Additionally, of the 28,109 mortgage modifications, 78.2 percent reduced borrowers’ monthly payments and 95.6 percent were “combination modifications,” which are modifications that include multiple actions affecting the affordability and sustainability of the loan, such as an interest rate reduction and a term extension.
FTC proposes rulemaking to combat impersonation fraud
On September 15, the FTC issued a notice of proposed rulemaking (NPRM) to prohibit the impersonation of government, businesses, or their officials. According to the FTC, reported losses due to impersonation fraud spiked at the beginning the Covid-19 pandemic, and more than 2.5 million scams were reported nationwide from the beginning of 2017 through the middle of 2022, with consumers reporting losses of more than $2 billion. These impersonation scams include persons posing as government officials or employees, or persons claiming that they represent well-known businesses or charities who may use “misleading domain names and URLs and ‘spoofed’ contact information’” to create the illusion of legitimacy. The FTC added that scammers are looking for information that can be used to commit identity theft or seek monetary payment, and often request that funds be paid through wire transfer, gift cards, or cryptocurrency.
The NPRM follows an advanced notice of proposed rulemaking issued last December (covered by InfoBytes here), for which the FTC received more than 160 comments from members of the public, as well as a coalition of 49 state attorneys general and many companies and industry organizations. According to the FTC, the NPRM would codify the principle that impersonation scams violate the FTC Act, allowing the Commission to seek civil penalties and recover money from those who violate the rule. Among other things, the NPRM would ban scammers from (i) using government identifiers when communicating with consumers via mail or online; (ii) spoofing government and business email and web addresses “or using lookalike email addresses or websites that rely on misspellings of a company’s name”; or (iii) falsely implying an affiliation with a government or a business by using commonly known terms. The FTC noted that the NPRM would also apply to persons who provide the “means or instrumentalities” for scammers, such as suppliers who manufacture the fake government credentials used by scammers. Additionally, non-profit organizations would be included in the definition of a business under the NPRM, so that the FTC can take action against scammers impersonating charities. Comments on the NPRM are due 60 days after publication in the Federal Register.