InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC announces Arizona disaster relief
On September 15, the FDIC issued FIL-41-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Salt River Pima-Maricopa Indian Community (Arizona) affected by severe storms from July 17-18. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.
OCC reports on mortgage performance
On September 15, the OCC released a report on the performance of first-lien mortgages in the federal banking system during the second quarter of 2022, providing information on mortgage performance through June 30. According to the OCC, 97 percent of mortgages were current and performing at the end of the quarter, compared to 95 percent a year earlier. The percentage of seriously delinquent mortgages was 1.5 percent in the second quarter of 2022, compared to 1.8 percent in the prior quarter and 3.8 percent a year ago. The report also found that servicers completed 28,109 modifications in the second quarter of 2022—a decrease of 33.7 percent from the previous quarter. Additionally, of the 28,109 mortgage modifications, 78.2 percent reduced borrowers’ monthly payments and 95.6 percent were “combination modifications,” which are modifications that include multiple actions affecting the affordability and sustainability of the loan, such as an interest rate reduction and a term extension.
FTC proposes rulemaking to combat impersonation fraud
On September 15, the FTC issued a notice of proposed rulemaking (NPRM) to prohibit the impersonation of government, businesses, or their officials. According to the FTC, reported losses due to impersonation fraud spiked at the beginning the Covid-19 pandemic, and more than 2.5 million scams were reported nationwide from the beginning of 2017 through the middle of 2022, with consumers reporting losses of more than $2 billion. These impersonation scams include persons posing as government officials or employees, or persons claiming that they represent well-known businesses or charities who may use “misleading domain names and URLs and ‘spoofed’ contact information’” to create the illusion of legitimacy. The FTC added that scammers are looking for information that can be used to commit identity theft or seek monetary payment, and often request that funds be paid through wire transfer, gift cards, or cryptocurrency.
The NPRM follows an advanced notice of proposed rulemaking issued last December (covered by InfoBytes here), for which the FTC received more than 160 comments from members of the public, as well as a coalition of 49 state attorneys general and many companies and industry organizations. According to the FTC, the NPRM would codify the principle that impersonation scams violate the FTC Act, allowing the Commission to seek civil penalties and recover money from those who violate the rule. Among other things, the NPRM would ban scammers from (i) using government identifiers when communicating with consumers via mail or online; (ii) spoofing government and business email and web addresses “or using lookalike email addresses or websites that rely on misspellings of a company’s name”; or (iii) falsely implying an affiliation with a government or a business by using commonly known terms. The FTC noted that the NPRM would also apply to persons who provide the “means or instrumentalities” for scammers, such as suppliers who manufacture the fake government credentials used by scammers. Additionally, non-profit organizations would be included in the definition of a business under the NPRM, so that the FTC can take action against scammers impersonating charities. Comments on the NPRM are due 60 days after publication in the Federal Register.
FTC aims to protect gig workers from unfair, deceptive, and anticompetitive practices
On September 15, the FTC adopted a new policy statement outlining several issues facing consumers working in jobs that are part of the gig economy. According to the Commission, gig workers face potential harm related to misrepresentations about the nature of the work, diminished bargaining power for transparency, and anticompetitive hurdles resulting in reduced choice. The policy statement “makes clear that the FTC’s authority to enforce both competition and consumer protection law in the gig economy is not affected by how companies choose to classify the consumers who perform gig work.” Specifically, the Commission lists several areas where it will focus its attention on preventing consumer harm: (i) companies will be held accountable for claims and conduct about costs and benefits, including potential earnings, and must be transparent about costs borne by workers; (ii) companies using artificial intelligence or other advanced technologies for pay, performance, and work assignments are required to uphold promises made to workers, and must ensure that any restrictive contract terms do not violate the FTC Act or other statutes; and (iii) companies may be subject to investigations related to potential exclusionary or predatory conduct causing reduced compensation or poor working conditions. Companies that fail to comply with laws governing unfair, deceptive, or anticompetitive practices may be required to pay consumer redress and civil penalties, and may also be ordered to cease their unlawful business practices.
FINRA fines broker dealer for AML failures
On September 9, FINRA settled charges with a broker dealer (respondent) for alleged failures in its anti-money laundering (AML) compliance program. According to the letter of acceptance, waiver, and consent, the respondent allegedly failed to, among other things: (i) establish a reasonably designed AML program; (ii) implement a customer identification program; (iii) reasonably supervise for potentially manipulative trading; and (iv) preserve and maintain certain electronic communications. Additionally, FINRA found that the respondent unreasonably relied on manual reviews of the daily trade blotter to identify market manipulation. FINRA’s order includes alleged violations of FINRA Rule 2010, Rule 3110, Rule 3310(a)-(b) and Rule 4511. FINRA also determined that the respondent violated Securities Exchange Act of 1934 Section 17(a) and Rule 17a-4(b)(4). The respondent agreed to pay a $450,000 civil monetary penalty to FINRA and is prohibited from providing market access for two years.
FTC, CFPB say furnishers must investigate indirect disputes
On September 13, the FTC and CFPB (agencies) filed a joint amicus brief with the U.S. Court of Appeals for the Third Circuit, seeking the reversal of a district court decision that held furnishers of credit information are only obligated to investigate “bona fide” indirect disputes and may choose to decline to investigate other indirect disputes raised by consumers that are deemed frivolous. The agencies argued that this “atextual, judge-made exception” could undermine a key FCRA protection that allows consumers to dispute and correct inaccurate information in their credit reports, leading to a likely increase in consumer complaints related to credit reporting inaccuracies. Under the FCRA, consumers may file a direct dispute with a furnisher or file an indirect dispute with a consumer reporting agency (CRA), which may refer the dispute to the furnisher.
The case involves a direct dispute submitted by a plaintiff to a cable company, requesting an investigation into an allegedly fraudulent delinquent account listed on his credit report. The plaintiff informed the cable company that he was a victim of identity theft and that the account was opened in his name without his authorization. The cable company eventually referred the account to a debt collector (defendant) for collection after the plaintiff failed to provide requested information showing his account was opened due to fraud. An indirect dispute was later filed by the plaintiff with the CRA, which in turn sent the dispute to the defendant as the furnisher of the allegedly inaccurate information. After a second indirect dispute was filed noting the allegedly fraudulent account was the subject of litigation, the defendant removed the account from the plaintiff’s credit report and ceased collections. The plaintiff sued, asserting claims under the FCRA, FDCPA, and Pennsylvania law. The district court granted summary judgment in favor of the defendant, ruling that the plaintiff failed to provide evidence substantiating the basis of his dispute, and that “a furnisher is obligated to investigate only ‘bona fide’ indirect disputes and may therefore decline to investigate any indirect dispute it deems frivolous.”
In urging the appellate court to overturn the decision, the agencies countered in their amicus brief that the text of the FCRA is unambiguous—“furnishers must investigate all indirect disputes.” Nothing in the text suggests that a furnisher can choose not to investigate an indirect dispute if it determines it to be frivolous, the agencies stressed, further noting that if Congress intended to “create an exception for frivolous disputes, it knew how to do so,” and that in other parts of the statute Congress expressly provided that certain frivolous disputes do not need to be investigated.
The amicus brief also pointed out that under the FCRA, consumers are entitled to be notified about the outcome of their disputes, as well as given an opportunity to cure any deficiencies. The district court holding, the agencies said, would circumvent these requirements, thereby undercutting a central remedy under the FCRA that ensures consumers are able to dispute and correct inaccurate information in their credit reports. If furnishers were able to ignore disputes referred to them by CRAs, it could open an unintended loophole that would allow disputes to disappear “into a proverbial black hole,” the agencies asserted, emphasizing that if the district court’s interpretation is affirmed, consumers who submit an indirect dispute that is deemed frivolous by a furnisher may never receive any notice of that determination, and therefore, may never be able to cure any deficiencies or correct erroneous information in their credit reports.
The agencies also challenged whether the exception created by the district court’s ruling is necessary, as the FCRA already provides protections to furnishers from investigating frivolous disputes. Specifically, the statute allows CRAs to determine if a dispute a frivolous before forwarding a dispute to the furnisher. Moreover, furnishers “are not required to conduct an unreasonably onerous investigation into a conclusory or unsubstantiated dispute,” the agencies explained, stating that whether a furnisher has satisfied its obligation to conduct a reasonable investigation is normally a fact-intensive question for trial.
The Bureau noted in an accompanying blog post that it has also filed several other amicus briefs in other pending FCRA cases (previously covered by InfoBytes here) related to consumer reporting obligations.
District Court denies defendant summary judgment in data breach suit
On September 8, the U.S. District Court for the District of Maryland denied a defendant hotel corporation’s summary judgment motion, concluding that an economic expert’s opinion that the City of Chicago (plaintiff) experienced a loss in tax revenue due to a security breach of the defendant’s guest information database—and that the breach caused that loss—should be admissible. As previously covered by InfoBytes, a consolidated class action suit was filed by consumers after they allegedly learned that the defendant took more than four years to discover the data breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted to provide data security services reported an anomaly pertaining to the defendant’s guest information database. In total, the breach impacted approximately 133.7 million guest records.
Last May, the court granted in part and denied in part certification of eight class actions against the defendant, noting that the plaintiffs did not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendant’s argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”
According to the recent opinion, the City of Chicago alleged that the defendant violated the city’s consumer protection ordinance by failing to safeguard the personal information of city residents and misrepresented that it had reasonable security safeguards in place. The defendant argued that the City of Chicago’s claims exceeded the limit of the city’s authority under the Illinois Constitution, because it attempted to apply its ordinance to a specific data-security incident. The court found that the Illinois Constitution permits the City of Chicago, a “home-rule unit,” to enforce its consumer protection ordinance against the defendant for harm and injuries arising from the data security incident. Additionally, the court found “in order to respect ’the constitutional design’ granting broad home rule authority and permitting concurrent local and state authority, ‘the courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies.’” The court also found that the City of Chicago has standing to bring claims for monetary fines, citing that “expert opinions establish, by a preponderance of the evidence, that Chicago suffered an injury-in-fact—the loss of tax revenue—that was traceable to the data breach, and that can be redressed by monetary fines paid by [the defendant].”
OFAC issues Zimbabwe-related sanctions
On September 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13469 against a Zimbabwe individual for his role in undermining Zimbabwe’s democratic processes and institutions. OFAC also removed eleven others from the Specially Designated Nationals List (SDN List) under the Zimbabwe sanctions program. According to OFAC, the sanctioned individual, among other things, undermined political parties that opposed the policies of the ruling Zimbabwe African National Union-Patriotic Front party, and, in 2020, supported Zimbabwe security services’ use of pressure and intimidation on prominent opposition figures. As a result of the sanctions, all property and interests in property belonging to the sanctioned individual that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned 50 percent or more by one or more designated persons” are blocked. Additionally, U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
2nd Circuit requires second look at “design and content” of online user agreement
On September 14, the U.S. Court of Appeals for the Second Circuit reversed a district court’s order denying a credit union’s motion to compel arbitration in a case involving the “unique question” of “whether and how to address incorporation by reference in web-based contracts under New York law.” The plaintiff claimed that the credit union wrongfully assessed and collected overdraft and insufficient funds fees on checking accounts that were not actually overdrawn. After the credit union moved to compel arbitration pursuant to a mandatory arbitration clause and class action waiver provision contained in the account agreement, the plaintiff argued that she was not bound by these provisions because they were not included in the original agreement and the credit union did not notify her when it added them to the agreement. According to the credit union, the plaintiff was on inquiry notice of the modified agreement because she separately agreed to an internet banking agreement that incorporated the modified account agreement by reference, and because the modified account agreement was published on the credit union’s website, which the plaintiff used for online banking. The district court disagreed, finding, among other things, that the hyperlink and language related to the account agreement appeared to be “buried” in the internet banking agreement.
On appeal, the 2nd Circuit held that the district court “erred in engaging in the inquiry notice analysis, which requires an examination of the ‘design and content’ of the webpage, without reviewing the actual screenshots of the web-based contract.” Recognizing that the internet banking agreement was a “clickwrap” or a “scrollwrap” agreement, the appellate court explained that it has “consistently upheld such agreements because the user has affirmatively assented to the terms of the agreement by clicking ‘I agree’ or similar language.” While the plaintiff did not dispute that she signed up for internet banking, this did not end the court’s analysis; according to the 2nd Circuit, when addressing questions concerning digital contract formation, “courts also evaluate visual evidence that demonstrates ‘whether a website user has actual or constructive notice of the conditions.’” The credit union did not provide evidence showing how the internet banking agreement was presented to users—thereby preventing the district court from assessing whether the relevant language and hyperlink were clear and conspicuous. The 2nd Circuit, therefore, instructed the district court to consider on remand the design and content of the internet banking agreement “as it was presented to users” to determine whether the plaintiff agreed to its terms, and to assess whether the account agreements are “clearly identified and available to the users” based on applicable precedents regarding inquiry notice of terms in web-based contracts.
CFPB studying BNPL growth
On September 15, the CFPB announced plans to consider issuing interpretive guidance or regulations to ensure that buy now, pay later (BNPL) lenders follow many of the same consumer protection measures that exist for credit cards. “We will be working to ensure that borrowers have similar protections, regardless of whether they use a credit card or a Buy Now, Pay Later loan,” CFPB Director Rohit Chopra said in the announcement. The Bureau described BNPL products as a form of interest-free credit that “serves as a close substitute for credit cards” and allows consumers to split a retail transaction into smaller, interest-free installments that are repaid over time.
Recognizing that BNPL products are a rapidly growing alternative form of credit for online retail purchases, the Bureau published a report providing key insights into the industry. According to the report, the number of BNPL loans originated from 2019 to 2021 in the US grew 970 percent, from 16.8 million to 180 million. The total dollar volume of these loans grew by 1,092 percent in that period, from $2 billion in 2019 to $24.2 billion in 2021, the report said, noting that 73 percent of applicants were approved for credit in 2021, up from 69 percent in 2020. Additionally, the report found that 89 percent of consumers using BNPL loans linked their accounts to their debit cards, and that late fee policies vary by issuer.
The Bureau raised several concerns with BNPL products in the report, including (i) inconsistent standardized cost-of-credit disclosures, minimal dispute resolution rights, a forced opt-in to autopay, and occurrences where consumers are assessed multiple late fees on the same missed payment; (ii) risks related to data harvesting and monetization, as many BNPL lenders shift business models toward proprietary app usage, allowing lenders “to build a valuable digital profile of each user’s shopping preferences and behavior”; and (iii) concerns over consumers taking out several loans during a short period of time at multiple lenders. According to the Bureau, because most BNPL lenders currently do not furnish data to the major credit reporting companies, many lenders are unaware of a consumer’s current liabilities when deciding whether to originate new loans.
The Bureau noted in its announcement that while BNPL lenders are currently subject to some federal and state oversight, compliance and licensing requirements vary. In addition to exploring potential new regulatory guidance, the Bureau said it plans to identify surveillance practices that BNPL lenders should seek to avoid, and it will continue to address the development of appropriate and accurate credit reporting practices for the industry. Chopra further announced that the Bureau is inviting BNPL lenders to self-identify if they wish to be examined for any potentially problematic business practices. The Bureau is also reviewing its authorities to conduct examinations on a compulsory basis and will work with state regulators that license nonbank finance companies on examinations of BNPL firms.