InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
6th Circuit affirms decision compelling arbitration in data breach case
On December 2, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s decision dismissing a nationwide putative class action against an e-commerce provider, holding that challenges raised to the validity of an agreement to arbitrate were for the arbitrator to decide, not the court. According to the opinion, the plaintiff class, including four minor individuals, filed suit after the defendant allegedly failed to protect millions of customers’ personal account information that was then obtained in a 2019 data breach. The opinion noted that the defendant’s Terms of Service contained an arbitration agreement, a delegation provision, a class action waiver, and instructions regarding how to opt-out of the arbitration agreement. The district court granted the defendant’s motion to dismiss and compel arbitration after rejecting the plaintiffs’ arguments that the arbitration clause is “invalid” and “unenforceable” as to the minor plaintiffs under the infancy doctrine.
On appeal, the plaintiffs argued that there was an issue of fact regarding whether four of the plaintiffs had agreed to the Terms of Service, and that the defenses of infancy and unconscionability rendered the Terms of Service invalid. According to the appellate court, though “a contract exists and . . . the delegation provision itself is valid, the arbitrator must decide in the first instance whether the defenses of infancy and unconscionability allow plaintiffs to avoid arbitrating the merits of their claims.” The appellate court further agreed with the district court that “[i]t’s not about the merits of the case. It’s not even about whether the parties have to arbitrate the merits. Instead, it’s about who should decide whether the parties have to arbitrate the merits.”
OCC reports on mortgage performance
On December 10, the OCC reported that 95.6 percent of first-lien mortgages were current and performing at the end of the third quarter of 2021—an increase from 92.5 percent at the end of the third quarter of 2020. According to the report, seriously delinquent mortgages declined from 3.8 percent in the prior quarter (5.8 percent a year ago) to 3.1 percent. In the third quarter of 2021, servicers initiated 925 new foreclosures, which is a 56.3 percent increase from the previous quarter and an increase of 150.7 percent compared to a year ago. The OCC noted that events related to the pandemic, such as foreclosure moratoriums, “significantly affected these metrics.” Additionally, mortgage modifications decreased 14.8 percent from the prior quarter. Of the reported 33,721 mortgage modifications, 59.6 percent reduced borrowers’ pre-modification monthly payments, while 98.3 percent were “combination modifications” that “included multiple actions affecting affordability and sustainability of the loan, such as an interest rate reduction and a term extension.”
FDIC refutes CFPB’s bank merger policy announcement
On December 9, the FDIC issued a statement refuting a request for review of bank merger policies announced in a CFPB blog post. According to a joint statement issued by FDIC Board member Martin J. Gruenberg and Rohit Chopra (who has an automatic board seat as Director of the CFPB), the FDIC Board of Directors voted to launch a public comment period on updating the FDIC’s regulatory implementation of the Bank Merger Act. Gruenberg and Chopra indicated that the Board members taking part in this action have approved a Request for Information and Comment on Rules, Regulations, Guidance, and Statements of Policy Regarding Bank Merger Transactions, which would seek public input on the FDIC’s approach to considering prudential factors in acting on a bank merger application, specifically related to “whether bright line minimum standards for prudential factors should be established, and if so, what minimum standards for which prudential factors.” In his blog post, Chopra noted that the Bureau is particularly interested in how the assessment of a bank merger’s impact on families and businesses in local communities would work in practice, and how should regulators ensure a merger does not increase the risk of bank failure or otherwise disrupt the economy should the bank face financial distress. According to the Gruenberg and Chopra joint statement, the Board’s action authorizes the FDIC’s executive secretary to publish the RFI in the Federal Register, upon which a 60-day window for comments will commence.
Shortly following the release of the joint statement, the FDIC released a statement disputing that any action had been approved, stressing that it “has longstanding internal policies and procedures for circulating and conducting votes of its Board of Directors, and for issuing documents for publication in the Federal Register.” Adding that “[i]n this case, there was no valid vote by the Board, and no such request for information and comment has been approved by the agency for publication in the Federal Register,” the FDIC commented that “[n]otwithstanding the actions taken today, the FDIC expects this time-honored tradition of collegiality and comity to continue.”
DFPI reminds debt collectors and buyers of December 31 application deadline
Recently, the California Department of Financial Protection and Innovation (DFPI) reminded debt buyers and debt collectors operating in the state of California that applications must be submitted on or before December 31, 2021 through the Nationwide Multistate Licensing System & Registry (NMLS). The Debt Collection Licensing Act, which takes effect January 1, 2022, requires all persons engaging in the business of debt collection to be licensed by DFPI. Debt collectors that have submitted applications may continue operating in the state while the applications are pending. However, debt collectors that miss the December 31 deadline will be required to wait for the issuance of a license before operating in the state. Application materials and a checklist of requirements are available on NMLS. DFPI noted it will review applications and issue licenses in 2022 and 2023, and stated that once a debt collector is licensed it will not need to register under the California Consumer Financial Protection Law.
Hsu discusses bank overdraft reform
On December 8, acting Comptroller of the Currency Michael J. Hsu spoke before the Consumer Federation of America’s 34th Annual Financial Services Conference. His remarks centered on reforming bank overdraft programs to “empower and promote financial health” of consumers. Quoting a recent Brookings Institution publication, Hsu noted, “The existing system is regressive (reverse Robin Hood), creating structural barriers and elevating costs to those on the lower end of the income spectrum, while simultaneously showering benefits to those on the upper end.” To eliminate this “regressive system,” Hsu noted that banking deposit account services need to be structured “so that they improve customers’ financial capabilities and are priced to be low to no cost.” According to Hsu, Bank On’s approach, which sets a “baseline standard for safe, affordable, and appropriate accounts that meet the needs of low-income consumers, particularly those outside of the financial mainstream,” appears to be a natural solution for decreasing the population of unbanked individuals and eliminating overdraft fees. However, Hsu also acknowledged that “limiting overdrafts may limit the financial capacity for those who need it most.”
Hsu identified several product features “that could be modified or recalibrated to support financial health” and laid out specific recommendations on the heels of the OCC’s staff review of bank overdraft programs, which he noted already align with the overdraft efforts by many banks, including (i) requiring consumers to opt in to overdrafts; (ii) providing an overdraft “grace period” prior to assessing a fee; (iii) allowing negative balances without triggering an overdraft fee; (iv) offering access to real-time account balance information and alerts; and (v) linking checking accounts to another account for overdraft protection, among others.
FINRA fines financial firms $2.25 million for alleged improper storage of customer data
On December 6, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), which requires two units of a national bank (respondents) to jointly and severally pay a $2.25 million fine for allegedly failing to store customer information in the format required under federal securities regulations, and then taking three years to report the issue after it was discovered. According to FINRA, in 2016, the agency found that the respondents allegedly violated various books and records retention requirements and related supervisory rules when maintaining approximately one million electronic brokerage records. In 2017, the respondents certified that they “had ‘adopted and implemented policies and procedures reasonably designed to achieve compliance with the applicable federal securities laws and FINRA rules’ addressed in the December 2016 AWC.” However, FINRA claimed that from 2003 to August 2020, the respondents allegedly failed to properly store roughly 13 million records related to their customer identification program (CIP) in the required “write once, read many” format (known as “WORM”). This “non-rewritable, non-erasable” format required under federal securities regulations is intended to prevent the alteration or destruction of customer identification information, FINRA explained. The respondents conducted an internal review in 2020, which concluded that the respondents were storing CIP records on a non-WORM compliant system. However, the respondents self-reported the issue to FINRA in April 2020 and migrated the relevant records to a WORM-compliant system by August 2020. The respondents did not admit nor deny the findings as part of the AWC, but have agreed to a censure and will pay the fine.
OFAC reaches $133,860 settlement in Iranian sanctions matter
On December 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $133,860 settlement against an individual for allegedly facilitating four payments on behalf of an Iranian company using a personal bank account in the U.S., in violation of the Iranian Transactions and Sanctions Regulations (ITSR), 31. C.F.R. part 560. According to OFAC’s web notice, between February 2016 and March 2016, the individual accepted $133,860 in the U.S., which went to a personal bank account, on behalf of an Iran-based company selling Iranian-origin cement to another company for a project in a third country.
In arriving at the settlement amount, OFAC considered various aggravating factors, including, among other things, that the individual: (i) willfully was in violation of or recklessly ignored U.S. sanctions on Iran when receiving payments on behalf of an Iranian company; (ii) was aware of, and actively participated in, the violations; and (iii) “harmed the objectives of the ITSR by enabling the evasion of sanctions by an Iranian company.” OFAC also considered various mitigating factors, including that the individual did not receive a penalty notice, finding of violation, or cautionary letter from OFAC in the past five years, and is a natural person with a limited ability to pay.
NYDFS addresses multi-factor authentication weaknesses
On December 7, NYDFS issued guidance on multi-factor authentication (MFA) to all regulated entities. According to NYDFS, “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” affecting both large companies and small businesses. The regulator noted that, since the Cybersecurity Regulation (23 NYCRR Part 500) went into effect (covered by InfoBytes here), MFA failures have continued to impact both financial services entities and consumers. From January 2020 to July 2021, more than 18.3 million consumers were affected by reported cyber incidents involving covered entities’ MFA failures, according to NYDFS. NYDFS has also taken two enforcement actions in the past year against companies whose failure to implement MFA fully resulted in unauthorized access to nonpublic information. The New York banking regulator is increasing its review of MFA during examinations and will focus on searching for common MFA failures discussed in the guidance. Covered entities are advised to consider carefully the importance of MFA as they implement their risk-based cybersecurity programs. Under the Cybersecurity Regulation, MFA is required for remote access, and must “be implemented beyond that as necessary to ensure effective access controls based on a comprehensive risk assessment.” The guidance provides examples of common problems related to MFA as well as recommendations for preventing problems.
CFPB supervisory highlights cover wide range of violations
On December 8, the CFPB released its fall 2021 Supervisory Highlights, which details its supervisory and enforcement actions in the areas of credit card account management, debt collection, deposits, fair lending, mortgage servicing, payday lending, prepaid accounts, and remittance transfers. The report’s findings cover examinations that were completed between January and June of 2021 in addition to prior supervisory findings that led to public enforcement actions in the first half of 2021. Highlights of the examination findings include:
- Credit Card Account Management. Bureau examiners identified violations of Regulation Z related to billing error resolution, including instances where creditors failed to (i) resolve disputes within two complete billing cycles after receiving a billing error notice; (ii) reimburse late fees after determining a missed payment was not credited to a consumer’s account; and (iii) conduct reasonable investigations into billing error notices concerning missed payments and unauthorized transactions. Examiners also identified deceptive acts or practices related to credit card issuers’ advertising practices.
- Debt Collection. The Bureau found instances of FDCPA violations where debt collectors represented to consumers that their creditworthiness would improve upon final payment under a repayment plan and the deletion of the tradeline. Because credit worthiness is impacted by numerous factors, examiners found “that such representations could lead the least sophisticated consumer to conclude that deleting derogatory information would result in improved creditworthiness, thereby creating the risk of a false representation or deceptive means to collect or attempt to collect a debt in violation of Section 807(10).”
- Deposits. The Bureau discussed violations related to Regulation E, including error resolution violations related to misdirected payment transfers and failure to investigate error notices where consumers alleged funds were sent via a person-to-person payment network but the intended recipient did not receive the funds.
- Fair Lending. The report noted instances where examiners cited violations of ECOA and Regulation B by lenders "discriminating against African American and female borrowers in the granting of pricing exceptions based upon competitive offers from other institutions,” which led to observed pricing disparities, specifically as compared to similarly situated non-Hispanic white and male borrowers. Among other things, examiners also observed that lenders’ policies and procedures contributed to pricing discrimination, and that lenders improperly inquired about small business applicants’ religion and considered religion in the credit decision process.
- Mortgage Servicing. The Bureau noted that it is prioritizing mortgage servicing supervision attributed to the increase in borrowers needing loss mitigation assistance due to the Covid-19 pandemic. Examiners found violations of Regulations Z and X, as well as unfair and deceptive acts and practices. Unfair acts or practices included those related to (i) charging delinquency-related fees to borrowers in CARES Act forbearances; (ii) failing to terminate preauthorized EFTs; and (iii) assessing fees for services exceeding the actual cost of the performed services. Deceptive acts or practices found by examiners related to mortgage servicers included incorrectly disclosed transaction and payment information in a borrower’s online mortgage loan account. Mortgage servicers also allegedly failed to evaluate complete loss mitigation applications within 30 days, incorrectly handled partial payments, and failed to automatically terminate PMI in a timely manner. The Bureau noted in its press release that it is “actively working to support an inclusive and equitable economic recovery, which means ensuring all mortgage servicers meet their homeowner protection obligations under applicable consumer protection laws,” and will continue to work with the Federal Reserve Board, FDIC, NCUA, OCC, and state financial regulators to address any compliance failures (covered by InfoBytes here).
- Payday Lending. The report identified unfair and deceptive acts or practices related to payday lenders erroneously debiting consumers’ loan balances after a consumer applied and received confirmation for a loan extension, misrepresenting that consumers would only pay extension fees on the original due dates of their loans, and failing to honor loan extensions. Examiners also found instances where lenders debited or attempted one or more duplicate unauthorized debits from a consumer’s bank account. Lenders also violated Regulation E by failing “to retain, for a period of not less than two years, evidence of compliance with the requirements imposed by EFTA.”
- Prepaid Accounts. Bureau examiners found violations of Regulation E and EFTA related to stop-payment waivers at financial institutions, which, among other things, failed to honor stop-payment requests received at least three business days before the scheduled date of the transfer. Examiners also observed instances where service providers improperly required consumers to contact the merchant before processing a stop-payment request or failed to process stop-payment requests due to system limitations even if a consumer had contacted the merchant. The report cited additional findings where financial institutions failed to properly conduct error investigations.
- Remittance Transfers. Bureau examiners identified violations of Regulation E related to the Remittance Rule, in which providers “received notices of errors alleging that remitted funds had not been made available to the designated recipient by the disclosed date of availability” and then failed to “investigate whether a deduction imposed by a foreign recipient bank constituted a fee that the institutions were required to refund to the sender, and subsequently did not refund that fee to the sender.”
The report also highlights recent supervisory program developments and enforcement actions.
Chopra concerned about PE investment in nursing homes
On December 7, CFPB Director Rohit Chopra spoke before the Elder Justice Coordinating Council Meeting and raised concerns regarding worsening fraud, neglect, and financial exploitation in nursing homes and other for-profit facilities. Chopra discussed that financial straits due to the pandemic would continue leading to increased nursing home closures or takeovers of nursing homes by private equity investors. He noted that typically, private equity investors purchase assets, often using significant amounts of debt financing, to increase profits prior to selling the asset in a short amount of time, and warned that, due to the short investment and need to escalate profitability, “this investment approach invites aggressive strategies that warrant regulatory scrutiny.”
Citing to a recent NYU study that found private equity investments in U.S. healthcare to be on the rise, Chopra inquired whether for-profit incentives are misaligned with serving seniors well. He specifically warned that for-profit nursing homes “disproportionately lag behind their nonprofit counterparts across a broad array of measures for quality” and that “private equity owners may also have the incentive to drain financial assets from residents or increase risks of other financial exploitation.”
In conclusion, Chopra noted that he had asked the Bureau’s Office of Financial Protection for Older Americans to “identify cross-cutting consumer protection issues, including when it comes to housing, as many older Americans with substantial financial assets are a target for bad actors,” and will be working “to find systemic fixes to emerging risks, such as the encroachment of private equity into facilities serving and housing America’s older adults.”