
InfoBytes Blog

Financial Services Law Insights and Observations


  • Fed governor discusses need for new banks

    Federal Issues

    On October 22, Federal Reserve Governor Michelle W. Bowman spoke at the 2021 Community Bankers Symposium: Banking on the Future regarding why there have been so few de novo bank formations over the last decade and what can be done to encourage more de novo banks. Bowman discussed “the importance of community banks,” noting that they “provide critical financial services to their communities and to many customers who might have limited geographic access to banking services.” She pointed out that community banking has been declining in both rural and urban communities due in part to an increased need to hire experienced staff, who are challenging to attract and retain. To encourage more de novo banks, Bowman stated it is “crucial to provide a balanced, transparent, and effective regulatory framework that promotes a vibrant community bank sector.” She also emphasized that policymakers should “appropriately refine the regulatory and supervisory framework to minimize unnecessary compliance costs for smaller banks and address impediments to bank formations.”

    Federal Issues Federal Reserve Community Banks Bank Regulatory

  • OCC releases October enforcement actions

    Federal Issues

    On October 21, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently or formerly affiliated with such entities. Included is a civil money penalty order against a Seattle-based bank, which requires the bank to pay $2.5 million for, among other things, allegedly failing to adopt and implement a Bank Secrecy Act/Anti-Money Laundering compliance program.

    Federal Issues OCC Enforcement Bank Secrecy Act Anti-Money Laundering Bank Regulatory

  • CFPB orders tech companies to submit payment system information

    Federal Issues

    On October 21, the CFPB issued orders to six large U.S. technology companies seeking information and data on their payment system business practices. The Bureau stated that the information is intended to help the Bureau understand how these companies use personal payments data and manage data access to users. The Bureau issued the orders citing its authority under the CFPA, Section 1022(c)(4), which grants the agency “statutory authority to order participants in the payments market to turn over information to help the Bureau monitor for risks to consumers and to publish aggregated findings that are in the public interest.” The Bureau’s press release also noted it intends to study the payment system practices of two major Chinese tech companies.

    The Bureau made available an example order that contains 55 requests seeking various information and data on several topics, including: (i) “[d]ata harvesting and monetization”; (ii) “[a]ccess restrictions and user choice”; and (iii) documents and information related to payment platforms and compliance with federal consumer protection laws, such as the EFTA and the Gramm-Leach-Bliley Act. Citing consumer data and privacy expectations, the Bureau explained that “[c]onsumers expect certain assurances when dealing with companies that move their money. They expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law.”

    Director Rohit Chopra issued a statement commenting on the purpose of the orders. He noted that the Bureau’s inquiry “is one of many efforts within the Federal Reserve System to plan for the future of real-time payments” and that it “will help to inform regulators and policymakers about the future of our payments system.” 

    Federal Issues CFPB CFPA Consumer Finance Privacy/Cyber Risk & Data Security Payments Payment Systems EFTA Gramm-Leach-Bliley

  • Agencies release statement on LIBOR transition

    Federal Issues

    On October 20, the CFPB, Federal Reserve Board, FDIC, NCUA, and OCC, in conjunction with the state bank and state credit union regulators (collectively, “agencies”), released a joint statement regarding the transition away from LIBOR. As previously covered by InfoBytes, the Fed, FDIC, and OCC issued a joint statement encouraging banks to cease entering into new contracts that use LIBOR as a reference rate as soon as practicable, but by December 31, 2021 at the latest. The agencies' October 20 joint statement provides supervisory considerations for institutions when choosing an alternative reference rate, such as, among other things: (i) the meaning of new LIBOR contracts; (ii) understanding how the chosen reference rate is constructed and the fragilities associated with it; and (iii) expectations for fallback language. In addition, the agencies noted that supervised institutions should “develop and implement a transition plan for communicating with consumers, clients, and counterparties; and ensure systems and operational capabilities will be ready for transition to a replacement reference rate after LIBOR’s discontinuation.”

    Federal Issues CFPB LIBOR Agency Rule-Making & Guidance FDIC OCC Federal Reserve NCUA Bank Regulatory

  • CFPB releases Spanish-language model validation notice for debt collectors

    Agency Rule-Making & Guidance

    Recently, the CFPB issued a Spanish-language translation of its Model Validation Notice. Debt collectors are permitted to send a consumer a completely and accurately translated validation notice if the consumer was either provided an English-language version in the same communication or in a prior communication. Debt collectors that meet these requirements and use the translated notice qualify for the Debt Collection Rule’s safe harbor that any translation be complete and accurate. The Bureau noted that the translated validation notice omits the disclosure informing consumers of their right to request the validation notice in Spanish, “because no translation of those disclosures is necessary,” but debt collectors who choose to include the optional Spanish-language disclosures in a Spanish-language validation notice are still eligible for the safe harbor.

    Agency Rule-Making & Guidance CFPB Consumer Finance Debt Collection Regulation F Validation Notice Limited English Proficiency

  • CFPB updates 2022 HMDA filing instructions

    Agency Rule-Making & Guidance

    On October 20, the CFPB released three updates regarding the Filing Instructions Guide for HMDA data collected in 2022 that must be reported in 2023. As previously covered by InfoBytes, the CFPB released the Filing Instructions Guide for HMDA, which states that there are no significant changes to the submission process and that the required data fields to be collected and reported have not changed. Instructions for quarterly reporting can be found in the Supplemental Quarterly Reporting Guide.

    On October 25, the CFPB issued a reminder that, "[f]or data collected beginning January 1, 2022, financial institutions should use census tract information provided in the 2020 Census." In addition, the FFIEC’s Geocoder will utilize census tract information from the 2020 Census beginning January 1, 2022.

    Agency Rule-Making & Guidance CFPB HMDA Mortgages

  • District Court partially denies company’s motion to dismiss in data breach class action

    Courts

    On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The plaintiffs alleged that the defendant failed to comply with industry and regulatory standards by neglecting to implement proper security measures. According to the plaintiffs, after the ransomware attack, the defendant “launched a narrow internal investigation into the attack that analyzed a limited number of [the defendant's] systems and did not address the full scope of the attack.” The plaintiffs contended that the defendant also failed to provide timely and adequate notice of the attack and the extent of the resulting data breach.

    The court ordered various phases of motions practice, and addressed certain common law claims against the defendant for negligence, negligence per se, gross negligence, and unjust enrichment. With respect to the negligence and gross negligence claims, the court denied the defendant’s motion to dismiss, finding that plaintiffs alleged sufficient facts to show that the defendant owed them a duty to protect the information. The court, however, granted defendant’s motion to dismiss the plaintiffs’ negligence per se claims premised on defendant’s alleged violations of the FTC Act, HIPAA, and COPPA, finding that the plaintiffs failed to state such a claim as applied under South Carolina law. Finally, the court granted the defendant’s motion to dismiss the plaintiffs’ unjust enrichment claim because plaintiffs failed to allege facts to show that they conferred a benefit on defendant to support a claim for unjust enrichment.

    Courts Class Action Ransomware Negligence Data Breach State Issues Privacy/Cyber Risk & Data Security

  • CFPB and debt relief company agree to permanent injunction

    Courts

    On October 20, the U.S. District Court for the Northern District of Georgia entered a default judgment and order against five participants in an allegedly illegal debt collection scheme involving certain payment processors and a telephone broadcast service provider (collectively, “default defendants”) for their role in the operation. As previously covered by InfoBytes, in 2017, the U.S. District Court for the Northern District of Georgia dismissed claims brought by the CFPB against the default defendants. (See additional InfoBytes coverage here.) According to a complaint filed in 2015, the defendants “knew, or should have known” that the debt collectors were contacting millions of consumers in an attempt to collect debt that consumers did not owe or that the collectors were not authorized to collect by using threats, intimidation, and deceptive techniques in violation of the CFPA and the FDCPA.

    The court entered a $5.1 million judgment against the default defendants, who are jointly and severally liable with the non-default defendants. The default defendants must pay civil monetary penalties ranging from $100,000 to $500,000 to the Bureau. The judgment also, among other things, permanently bans the default defendants from attempting collections on any consumer financial product or service and from selling any debt-relief service.

    Courts CFPB Payment Processors CFPA FDCPA UDAAP Debt Collection Enforcement

  • District Court approves non-party settlement in student debt-relief action

    Courts

    On October 20, the U.S. District Court for the Central District of California approved a settlement with two non-parties in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint asserted that the defendants violated the CFPA, the Telemarketing Sales Rule, and various state laws. Amended complaints (see here and here) also added new defendants and included claims for avoidance of fraudulent transfers under the FDCPA and California’s Uniform Voidable Transactions Act, among other things. A stipulated final judgment and order was entered against the named defendant in July (covered by InfoBytes here), which required the payment of more than $35 million in redress to affected consumers, a $1 civil money penalty to the Bureau, and $5,000 in civil money penalties to each of the three states. The court also previously entered final judgments against several of the defendants, as well as a default judgment and order against two other defendants (covered by InfoBytes here, here, here, and here). The most recent settlement resolves a dispute between a court-appointed receiver and the two non-parties. The settlement requires the non-parties to pay $675,000 to the receiver.

    Courts CFPB Enforcement State Attorney General State Issues CFPA UDAAP Telemarketing Sales Rule FDCPA Student Lending Debt Relief Consumer Finance Settlement

  • NIST issues draft cybersecurity framework to mitigate ransomware events

    Privacy, Cyber Risk & Data Security

    Recently, the National Institute of Standards and Technology (NIST) issued a draft version of its Cybersecurity Framework Profile for Ransomware Risk Management, which proposes recommended steps for organizations to follow to prevent and mitigate ransomware events. The profile identifies Cybersecurity Framework Version 1.1 security objectives and can be used as a risk-management guide to help gauge an organization’s readiness level. Steps include “identifying and protecting critical data, systems, and devices; detecting ransomware events as early as possible (preferably before the ransomware is deployed); and preparing for responses to and recovery from any ransomware events that do occur.” The profile also outlines basic preventative measures organizations should take, including: (i) using antivirus software at all times to automatically scan emails and flash drives; (ii) ensuring computers are fully patched and running scheduled checks to identify and install new patches; (iii) segmenting internal networks as a precaution against malware; (iv) continuously monitoring directory services (and other primary user stores) to identify indicators of compromise or active attack; (v) blocking access to potentially malicious web resources and allowing only authorized applications; (vi) using standard user accounts; (vii) restricting personally owned devices and the use of personal applications on work computers; (viii) educating employees about social engineering; and (ix) assigning and managing credential authorization and running periodic reviews to ensure each account has the appropriate access only. Among other things, NIST further outlines five cybersecurity framework functions (identify, protect, detect, respond and recover), and advises organizations to develop an incident recovery plan; develop, implement, and test data backups and restoration strategies; and maintain updated contacts for ransomware attacks. According to NIST, taking these proactive measures will help organizations recover from future ransomware events.

    Privacy/Cyber Risk & Data Security NIST Ransomware Risk Management
