InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN’s interactive SAR stats now include 2021 data
On March 28, FinCEN announced that its Interactive SAR Stats webpage now includes Filing Trend Data by industry updated through December 31, 2021. As previously covered by InfoBytes, SAR Stats—formerly called By the Numbers—is an annual compilation of numerical data gathered from the Suspicious Activity Reports (SARs) filed by financial institutions using FinCEN’s new unified SAR form and e-filing process. Interactive SAR Stats provide users the opportunity to find FinCEN’s trend data for aggregated counts of defined suspicious activities that financial institutions file with FinCEN as required by the Bank Secrecy Act.
EU and U.S. agree in principle on new Trans-Atlantic Data Privacy Framework
On March 25, the U.S. and the European Commission announced their agreement in principle on a new Trans-Atlantic Data Privacy Framework (Framework) to foster cross-border transfers of personal data from the EU to the U.S. (See also White House and European Commission fact sheets here and here.) Under the Framework, the U.S. has committed to implementing reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement follows negotiations that began after the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.
As previously covered by InfoBytes, the CJEU’s ruling (which could not be appealed) concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. However, the Court invalidated the EU-U.S. Privacy Shield. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR. Specifically, the CJEU held that the surveillance programs used by U.S. authorities are not proportionally equivalent to those allowed under the EU law because they are not “limited to what is strictly necessary,” nor, under certain surveillance programs, does the U.S. “grant data subjects actionable rights before the courts against the U.S. authorities.”
According to the factsheet released by the White House, the U.S. has made “unprecedented commitments” that build on the safeguards that were in place under the annulled EU-U.S. Privacy Shield with the goal of addressing issues identified in the Schrems II decision. These commitments include (i) strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities through measures that would limit U.S. intelligence authorities’ data collection to what is necessary to advance legitimate national security objectives; (ii) establishing a new, multi-layered redress mechanism with independent and binding authority “consist[ing] of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures, as needed”; and (iii) enhancing the U.S.’s existing rigorous and layered oversight of signals intelligence activities, and requiring U.S. intelligence agencies to “adopt procedures to ensure effective oversight of new privacy and civil liberties standards.” The factsheet further stated that participating companies and organizations will continue to be required to adhere to the EU-U.S. Privacy Shield principles, including the requirement of self-certification through the U.S. Department of Commerce. EU individuals will also continue to have access to avenues of recourse to resolve complaints against businesses and organizations participating in the Framework, including through alternative dispute resolution and binding arbitration.
The White House stated that President Biden will issue an executive order outlining the aforementioned commitments “that will form the basis of the Commission’s assessment in its future adequacy decision.” According to the announcement, the U.S. and European Commission “will now continue their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new Trans-Atlantic Data Privacy Framework.”
Utah enacts financial institution provisions
On March 24, the Utah governor signed SB 183 into law, which amends the state’s provisions related to financial institutions. Among other things, the bill: (i) modifies the definition of “control” for purposes of the Financial Institutions Act and provides penalties for failure to comply with registration and disclosure requirements. Additionally, the bill enacts the Commercial Financing Registration and Disclosure Act, which requires individuals who provide certain commercial financing products to register with the Department of Financial Institutions and make certain disclosures in connection with each commercial financing product.
State AGs urge CFPB to prioritize consumers during inquiry into BNPL industry
On March 25, a coalition of state attorneys general, led by Illinois Attorney General Kwame Raoul, announced that they are urging the CFPB to ensure that “buy-now-pay-later” (BNPL) lenders are not engaging in practices that trap consumers in a cycle of debt. As previously covered by InfoBytes, in December 2021, the CFPB issued a series of orders to five companies seeking information regarding the risks and benefits of the BNPL credit model. In the letter, the state AGs requested that the CFPB prioritize robust consumer protections during its review of the BNPL loan industry, and noted that they are concerned that BNPL loans and services appeal to borrowers who already struggle to make ends meet or owe on other debts. The letter also noted the AGs’ concern that BNPL lenders can designate their loans to evade federal and state consumer protection and credit laws, and may not adequately disclose lending and repayment terms. The letter also pointed out that, like predatory lending products, BNPL loans may contain terms and features that are known to trap people in cycles of debt. Among other things, the state AGs urged the Bureau to: (i) explore “whether and how BNPL providers ensure consumer rights and protections, disclosure of fees, charges, and other essential terms to consumers, as well as how they comply with general requirements to refrain from unfair, deceptive, and abusive acts and practices”; (ii) assess “what steps, if any, BNPL providers take in considering ability-to-repay and the types and sources of information they rely on”; (iii) study “the emerging role of credit bureaus in the BNPL marketplace”; (iv) monitor partnerships “between BNPL providers and for-profit schools and online course providers” and “consider issuing guidance and rulemaking clarifying regulations for BNPL credit to finance education”; and (v) review the policies, procedures, and practices of BNPL providers regarding debt collection “to ensure that providers comply with all applicable consumer protections.”
NY AG warns debt collectors of new state regulations
On March 29, the New York attorney general announced that letters were sent to large credit card companies and major debt collectors operating in New York, providing a warning regarding new state debt collection regulations. As previously covered by InfoBytes, the New York governor signed S.153 in November 2021, which enacted The Consumer Credit Fairness Act and expanded consumer protections against abusive debt collection by, as explained by NYDFS acting Superintendent Adrienne A. Harris, “address[ing] known predatory debt collection practices, [and] barring an abusive common tactic engaged by predatory debt collectors which is to sue on time-barred consumer debts for which they lack even the most basic of documentation.” The letter noted that its recipients are “aware of these obligations and that [they] are taking appropriate steps to comply with the new requirements.” The letter stated that beginning April 7, the statute of limitations on consumer debt collection actions in the state will be decreased to three years, a period of time that cannot be extended by partial payments made after the statute of limitations has expired, and that “debt collectors must ensure that validation notices for debts that will become time-barred on April 7, 2022 include this disclosure if the notice is likely to be received after that date.” The letter also reminded debt collectors of new disclosures that will be required when filing collection lawsuits against consumers starting May 7. Complaints are required to include an itemization of the debt and include more information about the chain of ownership, including providing a copy of the original contract on which the debt is based. Collectors must also begin utilizing a “more comprehensive” notice that is provided to the clerk of the court and subsequently passed on to consumers and must use a new form when filing for summary judgments. Lastly, the letter requested information on how the companies are complying with Regulation F and the new disclosure requirements.
North Carolina appellate court affirms district court’s decision in debt collection case
On March 15, the Court of Appeals of North Carolina affirmed a district court’s grant of summary judgment in favor of a debt buyer plaintiff and rejected the debtor defendant’s argument that the plaintiff failed to comply with a provision of North Carolina’s Consumer Economic Protection Act (CEPA). According to the order, the defendant appealed the district court’s grant of summary judgment to the plaintiff in its 2019 suit to renew a default judgment that was entered in 2010 against the defendant. The defendant argued that the default judgment “is void because it was procured by fraud and the clerk lacked jurisdiction to enter the default judgment for various reasons,” and “that Plaintiff’s interest rates on Defendant’s debt violate North Carolina law.” The appellate court noted that the CEPA “did not apply” because the statute requires that, “[p]rior to entry of a default judgment or summary judgment against a debtor in a complaint initiated by a debt buyer, the plaintiff shall file evidence with the court to establish the amount and nature of the debt.” The appellate court noted that although the plaintiff filed its original complaint against the defendant in August 2009, this CEPA provision did not take effect until October 1, 2009, and therefore only applies to “foreclosures initiated, debt collection activities undertaken, and actions filed on or after that date.” The defendant argued that the plaintiff was still required to comply with the CEPA provision because the plaintiff filed its motion for a default judgment in February 2010—after the effective date of the CEPA provision. But the appellate court determined that the plaintiff’s motion for a default judgment “was part of prosecuting its ‘action filed’ and was not a ‘debt collection activity’ within the meaning of the Act.”
District Court denies majority of MSJ requests in FTC action against online discount club
On March 28, the U.S. District Court for the Northern District of Georgia denied the majority of motions for summary judgment filed by the FTC and defendants in a 2017 action that charged the operators of a group of marketing entities and payment processors (collectively, “defendants”) with numerous violations of law for allegedly debiting more than $40 million from consumers’ bank accounts for membership in online discount clubs without their authorization. As previously covered by InfoBytes, the FTC’s 2017 complaint alleged that the online discount clubs claimed to offer services to consumers in need of payday, cash advance, or installment loans, but instead enrolled consumers in a coupon service that charged an initial application fee as well as automatically recurring monthly fees.
In reviewing the parties’ respective motions for summary judgment, the court first reviewed the FTC’s claims against the defendants allegedly responsible for launching the discount program (lead generator defendants) “as a way to salvage leads on loan-seeking consumers that the [lead generator defendants] were not able to sell to lenders or others.” The lead generator defendants allegedly used loan-seeking consumers’ banking information to enroll them in discount club memberships with automatically recurring monthly charges debited from the consumers’ bank accounts. While the lead generator defendants contended that the enrollments were authorized by the consumers themselves, the FTC claimed, among other things, that “loan-seeking consumers were redirected to the discount club webpage during the loan application process.” The court determined that because there exists a genuine issue of material fact as to whether the lead generator defendants’ loan application process, discount club webpages, and telemarketing practices were deceptive or if their practices violated the Restore Online Shoppers’ Confidence Act and the Telemarketing and Consumer Fraud and Abuse Prevention Act, the FTC is not entitled to judgment as a matter of law on its claim for injunctive relief or equitable monetary relief.
The court also concluded that the FTC failed to present evidence showing that another defendant—a now-defunct entity whose assets and business operations were sold to some of the defendants—is violating or is about to violate the law because the FTC’s action was filed more than three years after the defunct entity ceased all operations. As such, the court found that the statute of limitations applies and the defunct entity is entitled to judgment as a matter of law on the FTC’s claims. However, the court determined that there is evidence suggesting the possibility that two individual defendants involved in monitoring and advising the defendants in the alleged discount club scheme, may continue the scrutinized conduct.
With respect to the FTC’s claims against certain other individual defendants allegedly responsible for owning and managing some of the corporate defendants and their wholly-owned subsidiaries, the court considered defendants’ arguments “that they had a general lack of knowledge of (or authority to control) the alleged violative conduct” and “that the FTC does not have the right to seek equitable monetary relief” as a result. In denying the FTC’s motions for summary judgment against these individual defendants, the court found “that there are disputed issues of material fact as to these matters which should be decided by the trier of fact,” and that the FTC’s claim for equitable monetary relief required further analysis following the U.S. Supreme Court’s ruling in AMG Capital Management, LLC v. FTC, which held that the FTC does not have statutory authority to obtain equitable monetary relief under Section 13(b) of the FTC Act. (Covered by InfoBytes here.)
Finally, the court concluded that sufficient evidence showed that another individual (who served as an officer of a defendant identified as being responsible for processing the remotely created checks used to debit consumers’ accounts during the discount club scheme) “knowingly and actively participated in acts that were crucial to the success of the . . . alleged discount scheme.” However, because there exists a genuine issue of material fact as to whether the lead generator and named defendants’ loan application process, discount club webpages, and telemarketing practices were deceptive, the court ruled that the FTC is not entitled to judgment as a matter of law as to its claims against the individual’s estate. The court also found that the individual’s estate is not entitled to summary judgment on either of its arguments related to the FTC’s request for monetary relief.
District Court denies defendant's motion in FCCPA case
On March 25, the U.S. District Court for the Middle District of Florida denied a TV provider’s (defendant) motion for summary judgment while partially granting and partially denying a motion for partial summary judgment from the plaintiff in a Florida Consumer Collection Practices Act (FCCPA) suit. According to the order, the plaintiff allegedly signed up for the defendant’s service, but “pause[d]” the program, which permitted her to suspend her service for nine months for $5 per month. The plaintiff filed for bankruptcy protection, listed the defendant as an unsecured creditor, and obtained a discharge. The plaintiff’s lawyer sent two faxes to the defendant, which disclosed to the defendant that the plaintiff was represented by counsel. The defendant sent five billing notifications and made six calls to the plaintiff, attempting to collect on the $5 monthly payment. A district court granted the defendant summary judgment on claims that it violated the FCCPA and the TCPA. The plaintiff appealed the decision, which affirmed the ruling on the TCPA claim, but reversed the FCCPA ruling, finding that the defendant may have attempted to collect a debt that was discharged and that it contacted the plaintiff after being notified that she was represented by an attorney. According to the order, the court stated that the “[p]laintiff has proffered enough evidence in the record from which a jury could reasonably infer that [the defendant] knew the Pause debt was invalid and that it did not have the right to collect it,” but “[o]n the other hand, considering the evidence in a light most favorable to [the defendant], a jury could reach the opposite conclusion, as [the defendant] has provided record evidence from which a jury could infer [the defendant] did not know that the Pause debt was invalid.”
FDIC issues draft principles on climate risk management
On March 30, the FDIC announced a request for comment on draft principles, which provide a high-level framework for the safe and sound management of exposures to climate-related financial risks. The principles are intended for the largest financial institutions (those with over $100 billion in total consolidated assets), though the announcement notes that all financial institutions, regardless of size, can have material exposures to climate-related financial risks. The topics covered by the principles include: (i) governance; (ii) policies, procedures, and limits; (iii) strategic planning; (iv) risk management; (v) data, risk measurement, and reporting; and (vi) scenario analysis. The draft principles also highlight management of risk areas. Comments close 60 days after publication in the Federal Register. In a statement, acting FDIC Chairman Martin Gruenberg said the key principles are “an initial step toward the promotion of a consistent understanding of the effective management of climate-related financial risks.”
Agencies provide points of contact for computer security incident notifications
On March 29, the FDIC, OCC, and Federal Reserve Board issued guidance related to a final rule issued last November by the agencies along with the Federal Reserve Board, which requires a banking organization to timely notify its primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place. As previously covered by InfoBytes, the “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” final rule states that notification is required in certain circumstances for incidents that have affected: (i) the viability of a banking organization’s operations; (ii) its ability to deliver banking products and services; or (iii) the stability of the financial sector. Additionally, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s operations for four or more hours. Compliance with the final rule begins May 1.
FDIC FIL-12-2022 states that supervised banks can comply with the final rule by notifying their case manager of an incident, notifying any member of an FDIC examination team if the event occurs during an examination, or by notifying the FDIC by email if it is unable to access its supervisory team contacts.
OCC Bulletin 2022-8 provides points of contact for national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations for satisfying the final rule’s notification requirement. Banks may contact their supervisory office or submit a notification through the BankNet website or contact the BankNet Help Desk.
Fed SR 22-4/CA 22-3 states that regulated banking organizations should contact their designated point of contact about a notification incident, and may submit notice via email or phone. Banking organizations are also encouraged to contact the FRB through the same means if there is doubt as to whether a notification incident was experienced. Bank service providers are encouraged to contact the affected banking organization customer or its own legal advisor should there be doubt as to whether a material disruption or degradation in services has occurred that may impact the banking organization customer.