InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC rescinds Covid-19 filing extension for Part 363 annual reports
On March 15, the FDIC rescinded its Statement on Part 363 Annual Reports in Response to the Coronavirus, which had provided certain insured depository institutions (IDIs) with total assets of $500 million or more an additional 45 days to file their Part 363 Annual Reports and Other Reports and Notices. FIL-10-2022 rescinds FIL-30-2020 and is effective for fiscal years beginning after December 31, 2021. Going forward, the deadline for IDIs to file their annual reports “reverts to either 90 or 120 days after the end of the IDI’s fiscal year, depending on the IDI’s status as a public filer.” The FDIC reminded IDIs that if they are unable to meet their filing deadline, they “must submit a written Notice of Late Filing to the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor by the 90- or 120-day report filing deadline.”
CFPB updates debt collection examination procedures to include Regulation F provisions
Recently, the CFPB updated its debt collection examination procedures to incorporate provisions of Regulation F (the FDCPA’s implementing regulation). As previously covered by InfoBytes, in October 2020, the Bureau issued its final rule (effective November 30, 2021) amending Regulation F to address debt collection communications and prohibitions on harassment or abuse, false or misleading representations, and unfair practices. Following the publication of the final rule, the Bureau also released debt collection compliance guidance and frequently asked questions that address validation information generally and validation information related to residential mortgage debt (covered by InfoBytes here). The Bureau noted that depending on the scope of an examination, “and in conjunction with the compliance management system and consumer complaint response review procedures,” an examination will cover at least one of the following modules: (i) entity business model; (ii) communications in connection with debt collection; (iii) information sharing, privacy, and interactions with consumer reporting agencies; (iv) validation notice, consumer FDCPA disputes and complaints, and ceasing communication; (v) payment processing and account maintenance; (vi) ECOA; and (vii) litigation practices, administrative wage garnishment and repossession, and time-barred debt.
FHFA orders stress tests for Fannie and Freddie
On March 16, FHFA published orders applicable March 10 for Fannie Mae and Freddie Mac (GSEs) with respect to stress test reporting as of December 31, 2021, under Dodd-Frank as amended by the Economic Growth, Regulatory Relief, and Consumer Protection Act. Under Dodd-Frank, certain federally regulated financial companies with total consolidated assets of more than $250 billion are required to conduct periodic stress tests to determine whether the companies have the capital necessary to absorb losses as a result of severely adverse economic conditions. The orders are accompanied by Summary Instructions and Guidance, which include stress test scenarios and revised templates (baseline, severely adverse, and variables and assumptions) for regulated companies to use when reporting the results of the stress tests (orders and instructions are available here). According to the Summary Instructions and Guidance, the GSEs have until May 20 to submit baseline and severely adverse results to FHFA and the Federal Reserve Board, and must publicly disclose a summary of severely adverse results between August 1 and 15.
FTC settles action against e-commerce platform for data breach cover up
On March 15, the FTC announced a proposed settlement with two limited liability companies, the former and current owners, of an online customized merchandise platform (collectively, “respondents”) for allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. According to the complaint, the respondents allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect the personal information (PI) of customers against unauthorized access and for misrepresenting that appropriate steps to secure consumer account information following security breaches were taken. The complaint further alleged that respondents failed to apply readily available protections against well-known threats and adequately respond to security incidents, which resulted in the respondents' network being breached multiple times. Notably, one of the breaches involved a hacker gaining access to “millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.” The complaint goes on to allege that the online customized merchandise platform failed to properly investigate the breach for several months despite additional warnings, including failing to promptly notify its customers of the breach. Under the terms of the proposed settlement, the respondents are: (i) ordered to pay $500,000 in redress to victims of the data breaches: (ii) prohibited from making misrepresentations about their privacy and security measures, among other things, and (iii) required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.
Biden signs $1.5 trillion omnibus package
On March 15, President Biden signed H.R. 2471 the “Consolidated Appropriations Act, 2022” (Act) into law. According to House Appropriations Committee Chair Rosa DeLauro’s press release, the Act is an omnibus spending measure that provides $1.5 trillion in discretionary resources across the 12 fiscal year 2022 appropriations bills. Among other things, the Act includes the “Cyber Incident Reporting for Critical Infrastructure Act of 2022,” which establishes requirements for reporting ransomware incidents on critical infrastructure to the DHS Cybersecurity and Infrastructure Security Agency (CISA). Specifically, Division Y Section 2242, establishes that companies must report incidents to CISA 72 hours after the covered entity reasonably believes that a cyber incident has occurred, or within 24 hours if a ransomware payment has occurred. If a company fails to meet the reporting requirements, the Act permits the cyber security director to “obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the cyber incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the covered entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.” The Act also establishes that if CISA determines that the incident requires regulatory enforcement action or criminal prosecution, such information may be provided to the Attorney General or the appropriate regulator, who may utilize such information for a regulatory enforcement action or criminal prosecution. Within 24 months, CISA is directed to publish a notice of proposed rulemaking (NPRM) in the Federal Register to implement the Act, followed by the issuance of a final rule within 18 months of the NPRM. The final rule will outline the criteria of reporting and provide the effective dates for the reporting requirements. The Act also directs CISA to carry out an outreach and education campaign to inform covered entities about the rule’s requirements. Though the bill establishes that a court shall dismiss a cause of action against a person or entity for submitting a report, the liability protections “shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the [Sector Risk Management] Agency.”
The Act also includes the “Adjustable Interest Rate (LIBOR) Act,” which establishes “a clear and uniform process, on a nationwide basis, for replacing LIBOR in existing contracts the terms of which do not provide for the use of a clearly defined or practicable replacement benchmark rate, without affecting the ability of parties to use any appropriate benchmark rate in new contracts,” among other things. Additionally, the Act includes rental assistance programs and climate restoration grants, which, according to a statement by HUD Secretary Marcia L. Fudge, “provides funding to improve the energy efficiency of housing and increase resilience to climate impacts.”
FTC alleges company misrepresented the quality, source of leads
On March 11, the FTC issued an administrative complaint against a Colorado-based digital marketplace company (defendant) alleging it used deceptive and misleading practices in selling home improvement project leads to service providers. The complaint alleges that since 2014 the defendant has made false, misleading, or unsubstantiated claims regarding the quality and source of the leads it sells to service providers, such as general contractors and small lawn care businesses. The complaint alleges, among other things, that the defendant told service providers that its leads resulted in actual home improvement jobs at rates higher than its own data supported, and that the defendant misled service providers about the cost of an optional one-month subscription to a software platform that it sold with its leads and the cost of the optional one-month help desk subscription. The defendant’s actions allegedly resulted in service providers, many of whom operate in the gig economy, spending time following leads below the promised quality and seeking refunds for those leads. The FTC’s Director of Bureau of Consumer Protection stated, “Today’s administrative complaint against [the defendant] shows that the FTC will use every tool in its toolbox to combat dishonest commercial practices.”
CFPB reminds servicers to use HAF funds to prevent foreclosure
On March 14, the CFPB published a blog post strongly encouraging mortgage servicers to participate in the Homeowner Assistance Fund (HAF) to help borrowers avoid foreclosure and resolve delinquencies. While participation is voluntary, the Bureau reminded servicers that it remains focused on preventing avoidable foreclosures, and HAF funds can only help “if mortgage servicers work with state housing finance agencies and HUD-approved housing counselors to help borrowers” complete the process. HAF funds may allow borrowers to pay down the amount owed on a mortgage and help them enter loan modifications with lower payments. The Bureau also encouraged servicers to offer HAF program training to customer service representatives to ensure borrowers are provided accurate information about the loss mitigation process. Additionally, servicers should maintain policies and procedures that are designed to properly evaluate loss mitigation applications and should review existing policies and procedures to ensure borrowers are not improperly referred to foreclosure, especially in cases where a borrower’s HAF application is pending, or a borrower is awaiting HAF funds. The Bureau reminded servicers that it will continue to closely monitor servicer conduct and review mortgage servicing complaints to ensure compliance with all applicable federal consumer financial laws.
OFAC sanctions Russians connected to human rights violations and Belarusian leader engaged in corruption
On March 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to the Russia Magnitsky Act against four individuals and one entity. According to OFAC, the sanctioned individuals and entity were involved in concealing events surrounding the death of renowned Russian whistleblower, Sergei Magnitsky, or were connected to gross violations of human rights against a Russian human rights defender. OFAC also re-designated, pursuant to Executive Order 13405, the head of a corrupt government in Belarus who used his authorities to benefit his inner circle and regime, and newly designated his wife for being a senior level official engaged in public corruption.
As previously covered by InfoBytes, President Biden issued E.O 13405, “Blocking Property of Additional Persons Contributing to the Situation in Belarus,” which expanded the scope addressing the national emergency declared in E.O. 13405, “finding that the Belarusian regime’s harmful activities and long-standing abuses aimed at suppressing democracy and the exercise of human rights and fundamental freedoms in Belarus—including illicit and oppressive activities stemming from the August 9, 2020, fraudulent Belarusian presidential election and its aftermath, such as the elimination of political opposition and civil society organizations and the regime’s disruption and endangering of international civil air travel—constitute an unusual and extraordinary threat to the national security and foreign policy of the United States.” As a result of the sanctions, all property and interests in property belonging to the sanctioned entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC noted that U.S. persons are prohibited from participating in transactions with these persons, which includes “the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the receipt of any contribution or provision of funds, goods or services from any such person.”
SEC awards $14 million to whistleblower
On March 11, the SEC announced that it awarded a whistleblower nearly $14 million for exposing ongoing fraud by publishing on online report. According to the redacted order, the whistleblower voluntarily provided original information and prompted the opening of an investigation, which resulted in a successful enforcement action against the company and its CEO and the return of millions of dollars to harmed investors.
The SEC has awarded approximately $1.2 billion to 249 individuals since issuing its first award in 2012.
CFTC awards $500,000 to whistleblowers
On March 10, the CFTC announced awards totaling approximately $500,000 to two whistleblowers who “separately provided significant information and substantial assistance” that led to a successful Commodity Exchange Act enforcement action. The associated order noted that the claimants voluntarily provided original information, which began an underlying investigation and “significantly contributed to the success” of the enforcement action.
The CFTC has awarded approximately $300 million to whistleblowers since the enactment of its Whistleblower Program under Dodd-Frank, and whistleblower information has led to nearly $3 billion in monetary relief.