InfoBytes Blog

Financial Services Law Insights and Observations

  • Chopra testifies at congressional hearings

    Federal Issues

    On June 13, CFPB Director Rohit Chopra testified before the Senate Banking Committee to discuss the Bureau’s most recent semi-annual report to Congress. Covering the period beginning April 1, 2022 and ending September 30, 2022, the semi-annual report addressed a wide range of issues, including the adoption of significant rules and orders, supervisory and enforcement actions, and actions taken by states relating to federal consumer financial law. The report also stated the Bureau received approximately 1.237 million consumer complaints, for which roughly 75 percent pertained to credit or consumer reporting. With respect to the Bureau’s mandated objectives, Chopra’s prepared statement highlighted rulemaking progress on several topics, including small business lending data collection and PACE lending. He also emphasized the agency’s heightened focus on supervising nonbank financial firms and reiterated that the Bureau will continue to shift its enforcement focus from small businesses to repeat offenders.

    Committee Chair Sherrod Brown (D-OH) praised Chopra’s leadership in his opening statement, highlighting actions taken by the Bureau since Chopra’s last hearing appearance and disagreeing with the U.S. Court of Appeals for the Fifth Circuit’s decision that the agency’s funding authority violates the Constitution’s Appropriations Clause and the separation of powers. However, Ranking Member Tim Scott (R-SC) argued that Chopra “has created uncertainty in the marketplace by attempting to regulate through speeches and blog posts under the guise of ‘clarifying guidance,’” and continues to mislabel payment incentives as “junk fees” or “illegal fees.” Scott also took issue with the Bureau’s small business lending rule and asked why the agency should be trusted to collect a large amount of lending data when the agency itself experienced a data breach when an employee transferred sensitive consumer data to a personal email account without authorization.

    During the hearing, Chopra addressed concerns accusing him of bypassing regulatory review by issuing policy changes through agency guidance and press announcements. “The things we hear from small firms is they really want to know how existing law applies,” Chopra said. “We have so many changes in technology, and these small firms don’t have the ability to hire so many lawyers[,] [s]o I’ve actually continued a practice of my predecessor, Director Kraninger to issue these advisory opinions and other guidance documents. They do not create any new obligations. They simply restate what the existing laws are.”

    Chopra also answered questions relating to the Bureau’s proposal to limit credit card late fees and, among other things, adjust the safe harbor dollar amount for late fees to $8 for any missed payment (issuers are currently able to charge late fees of up to $41). (Covered by InfoBytes here.) Chopra explained that the proposed rule still allows recovery of costs but said the agency is trying to make the process “more rigorous and make sure it reflects market realities.” “[I]ssuers tell us is that they don’t want to profit off of late fees,” Chopra added. “That's exactly the goal here, because the law says those penalty fees are supposed to be reasonable and proportional. We’re trying to make it more clear about the way we can do that, while also making the market more competitive.”

    Republican senators expressed concerns with the proposal during the hearing, with Scott commenting that no one wants to pay the late fee, but that “the truth of the matter is that fee is going to be paid just in a different form. . . .whether it’s through increased interest rates or increased cost of products, it doesn’t go away.” Senator Elizabeth Warren (D-MA) countered that “if there’s an $8 cap on credit card late fees, unless the banks can show that their costs are higher, in which case they can charge more, all that will happen, as best I can tell is that the banks will have slightly lower profit margins.”

    Chopra faced similar questions during a hearing held the next day before the House Financial Services Committee. Among the topics, committee members raised questions relating to technology risks presented by artificial intelligence and how existing law applies to machine learning. Chopra was also accused of overseeing an unconstitutional agency and flouting the notice-and-comment rulemaking process. Also discussed during the hearing was a recently introduced joint resolution to nullify the Bureau’s small business lending rule. (Covered by InfoBytes here.) Representative Roger Williams (R-TX) stressed that community banks are “concerned that the complicated reporting requirements will tie up loan officers and increase compliance costs plus compliance officers, which will be passed down to the consumer.”

    Federal Issues CFPB Senate Banking Committee House Financial Services Committee Section 1071 Consumer Finance Artificial Intelligence Junk Fees Funding Structure Credit Cards Student Lending

  • Hsu discusses significance of consumer trust in banking

    On June 8, acting Comptroller of the Currency Michael J. Hsu discussed the significance of consumer trust in banking, and announced the OCC is considering designing and releasing an annual survey to measure the extent of consumer trust in banking. (See OCC’s request for comments on its proposed annual trust survey.) Hsu noted that public trust in banking is imperative to a good relationship with the communities served and to ensure consumers do not rely on risky means for storing funds. Distrust also presents risks for banks, Hsu said, explaining that “banks that have material fairness and compliance deficiencies may face stiff civil money penalties, restrictions on growth, and sustained reputational damage, limiting their capacities to make loans.” Hsu’s focus on trust in the banking system is also inspired by the threatening impact of unfairness and a lack of inclusivity. Therefore, in addition to the survey, the OCC is focusing on methods of consumer protection to underpin public trust in banks. Efforts include strengthening and modernizing the Community Reinvestment Act to create more lending opportunities to those in low- and moderate-income areas, reforming overdrafts by issuing guidance on overdraft protection programs, and addressing bias in the appraisal of homes by issuing a proposed rule to implement quality control standards for automated valuation models.

    Bank Regulatory Federal Issues OCC Consumer Finance Financial Inclusion CRA Underserved Overdraft AVMs

  • CFPB says it wants to simplify rules on mortgage servicing

    Federal Issues

    On June 15, CFPB Director Rohit Chopra said the Bureau is considering whether to streamline mortgage servicing rules. Last September, the Bureau requested input from the public on mortgage refinance and forbearance standards and sought feedback on ways to reduce risks for borrowers who experience disruptions in their ability to make mortgage payments. (Covered by InfoBytes here.) Specifically, the Bureau sought ways to: (i) “facilitate mortgage refinances for consumers who would benefit from refinancing, especially consumers with smaller loan balances”; and (ii) “reduce risks for consumers who experience disruptions in their financial situation that could interfere with their ability to remain current on their mortgage payments.”

    Chopra flagged several issues raised by commenters, including that borrowers seeking loss mitigation options can face a “paperwork treadmill” that disadvantages both homeowners and mortgage servicers. Commenters also reported that borrowers often incur servicing fees and experience negative credit reporting when waiting for servicers to review their options, Chopra said, explaining that even after a loss mitigation option has been implemented, these penalties can continue to negatively impact borrowers (such as preventing loan modifications and other interventions designed to allow borrowers to keep their homes). 

    Chopra said the Bureau intends to use the feedback to propose ways to streamline servicing standards but noted that the agency “will propose streamlining only if it would promote greater agility on the part of mortgage servicers in responding to future economic shocks while also continuing to ensure they meet their obligations for assisting borrowers promptly and fairly.”

    Federal Issues CFPB Consumer Finance Mortgages Mortgage Servicing Forbearance Loss Mitigation

  • Republicans seek to overturn CFPB small-biz lending rule; Georgia AG says rule is unnecessary and burdensome

    Federal Issues

    Recently, several House Republicans introduced a joint resolution of disapproval (H.J. Res. 66) under the Congressional Review Act to overturn the CFPB’s small business lending rule. As previously covered by InfoBytes, last month the Bureau released its final rule implementing Section 1071 of the Dodd-Frank Act. Effective August 29, the final rule will require financial institutions to collect and provide to the Bureau data on lending to small businesses (defined as an entity with gross revenue under $5 million in its last fiscal year). Both traditional banks and credit unions, as well as non-banks, will be required to collect and disclose data about small business loan recipients’ race, ethnicity, and gender, as well as geographic information, lending decisions, and credit pricing. The final rule prescribes a tiered compliance date schedule, with the earliest compliance date being October 1, 2024, for financial institutions that originate at least 2,500 covered small business loans in both 2022 and 2023 (financial institutions with lower origination amounts have later compliance dates).

    Also opposing the final rule, Georgia Attorney General Christopher M. Carr sent a letter to CFPB Director Chopra requesting that the final rule be rescinded. Carr argued that the final rule places an unnecessary and expensive burden on financial institutions, and that “[w]ith the current uneasiness in the market and a plethora of other challenges facing community banks, now is not the time to require them to gather more information that has absolutely nothing to do with the process of evaluating which applicants are the strongest and most deserving of capital.” Carr further contended that if lending discrimination is a “rampant problem,” the Bureau should use channels already in place to address this issue. Pointing out that states already have their own consumer protection and anti-discrimination statutes in place, Carr argued that the final rule imposes redundant compliance requirements on financial institutions, particularly community banks. Carr asked the Bureau to “allow states to continue to address lending issues as they occur, rather than saddling small businesses with burdensome regulations.”

    Additionally, in April, a group of plaintiffs, including a Texas banking association, filed a lawsuit against the Bureau seeking to invalidate the final rule. (Covered by InfoBytes here.) Plaintiffs argued that the final rule will drive from the market smaller lenders who are not able to effectively comply with the final rule’s “burdensome and overreaching reporting requirements” and decrease the availability of products to customers, including minority and women-owned small businesses.

    Federal Issues State Issues CFPB Small Business Lending U.S. House Congressional Review Act State Attorney General Section 1071 Georgia

  • District Court says MLA’s statute of limitations begins upon discovery of facts

    Courts

    The U.S. District Court for the Eastern District of Virginia recently granted an installment lender’s motion to dismiss, ruling that most of the class members’ claims are time-barred by the Military Lending Act’s (MLA) two-year statute of limitations. Plaintiffs are active duty servicemembers who entered into installment loans with the defendant. Claiming four violations of the MLA, plaintiffs alleged the defendant (i) extended loans with interest rates exceeding the MLA’s 36 percent interest rate cap; (ii) extended loans that involved roll overs of prior loans; (iii) required plaintiffs to agree to repayment by allotment (with a backup preauthorized electronic fund transfer) as a condition to receiving a loan; and (iv) required plaintiffs to provide a security interest in their bank accounts as a condition for receiving a loan. Plaintiffs sought to certify a class covering the five years preceding the date the complaint was filed. Defendant moved to dismiss, arguing that plaintiffs have only been harmed by technical violations of the MLA and did not suffer a concrete injury. Plaintiffs countered that the defendant’s MLA violations caused them to sustain injuries from making payments, including interest payments, “on loans that were ‘void from [their] inception’ [] due to their unlawful refinancing, allotment, and security interest requirements.”

    The court reviewed a significant issue raised by the parties’ differing interpretations of the MLA’s statute of limitations and its applicability to plaintiffs’ loans. Specifically, the parties disagreed as to whether “discovery by the plaintiff of the violation,” which triggers the two-year limitations period, requires that a plaintiff only discover the facts constituting the basis for the violation, as argued by the defendant, or instead requires that a plaintiff also know that the MLA was violated, as the plaintiffs argued. While acknowledging that the text in question is inconclusive, the court stated that since the MLA “does not require ‘discovery’ of both the ‘violation’ and ‘liability’ but only the ‘violation that is the basis for such liability,’ the text appears to support the interpretation that only discovery of the violative conduct is required, and not discovery of the actionability of that conduct.” The court also reviewed other federal statutory discovery rules where other courts “have consistently found that ‘discovery’ requires that a plaintiff have knowledge only of the facts constituting the violation and not the legal implications of those facts.” Relying on this, as well as other court interpretations, the court determined that “the two-year limitations period is triggered when a plaintiff discovers the facts constituting the basis for the MLA violation and not when the plaintiff recognizes that these facts support a legal claim.” Thus, the court found that most of the loans underlying the claims are time-barred.

    However, for loans that fell within the applicable limitations period, the court granted defendant’s motion to dismiss for failure to state a claim, concluding, among other things, that a creditor is not prohibited from taking a security interest in a plaintiff’s bank account by way of a preauthorized electronic fund transfer provided the military annual percentage rate does not exceed the allowable 36 percent (a claim, the court noted, plaintiffs dismissed and did not otherwise address). Moreover, the court determined that plaintiffs failed to allege that the defendant was a “creditor” under the narrower definition used by the MLA in its refinancing and roll-over prohibition or that the defendant’s “characterization of the convenience of repayment by allotment amounted to a misrepresentation or concealment of facts giving rise to plaintiffs’ MLA claim.”

    Courts State Issues Virginia Military Lending Act Consumer Finance Class Action Servicemembers Interest Rate

  • 7th Circuit: Time and money in responding to second verification request confers standing under FDCPA

    Courts

    On June 7, the U.S. Court of Appeals for the Seventh Circuit held that spending time and money to send a second verification request is enough to confer standing under the FDCPA. Plaintiff’s defaulted credit card debt was purchased by one of the defendants and placed with a collection agency. A letter providing details about the debt, including the original creditor, current creditor, and a validation notice, was sent to the plaintiff. Within the required 30-day timeframe, plaintiff sent a letter to the collection agency requesting validation of the debt. However, instead of receiving a response from the agency, plaintiff received another letter from one of the defendants that provided information on the debt and informed her that it had initiated a review of the inquiry it had received. The second letter also included a validation notice, which confused the plaintiff and resulted in her spending time and money ($3.95) to request validation again. Plaintiff filed suit accusing the defendants of violating the FDCPA and asserting that the second letter would lead a consumer to believe that they must re-dispute the debt. According to the plaintiff, the letter, among other things, used false, deceptive, misleading, and unfair or unconscionable means to collect or attempt to collect a debt. The defendants moved to dismiss for lack of standing, arguing that while the letter may have confused and alarmed the plaintiff, it did not cause her to initiate “any action to her detriment on account of her confusion.” The district court granted defendants’ motion to dismiss, ruling that the time and money spent on sending the second validation request did not rise to the level of detriment required for standing under the FDCPA, and that, moreover, it provided plaintiff with another opportunity to dispute the debt if she failed to properly do so the first time.

    Disagreeing with the dismissal, the 7th Circuit wrote that the second postage fee (albeit modest in size) is the type of harm that Congress intended to protect consumers from when it enacted the FDCPA. “Money damages caused by misleading communications from the debt collector are certainly included in the sphere of interests that Congress sought to protect,” the appellate court stated, explaining that the second letter caused the plaintiff “to suffer a concrete detriment to her debt-management choices in the form of the expenditure of additional money to preserve rights she had already preserved.”

    Courts Appellate Seventh Circuit FDCPA Debt Collection Consumer Finance Credit Cards

  • 11th Circuit revises data breach negligence claim

    Courts

    The U.S. Court of Appeals for the Eleventh Circuit recently reversed the dismissal of a negligence claim brought against a Georgia-based airport retailer, determining that a company of its size and sophistication “could have foreseen being the target of a cyberattack.” Plaintiff, who used to work for the defendant, filed suit alleging the defendant failed to protect thousands of current and former employees’ sensitive personally identifiable information (PII), including Social Security numbers, from an October 2020 ransomware attack. Bringing claims for negligence and breach of implied contract on behalf of class members, plaintiff contended that not only should the defendant have protected the PII, but it also took several months for the defendant to notify affected individuals. A notice provided by the company claimed the attack only affected an internal, administrative system, but according to the plaintiff, the attacker uploaded the PII to third-party servers. Plaintiff was later informed that an unknown party used his Social Security number to file pandemic-related unemployment assistance claims under his name in Rhode Island and Kentucky. Plaintiff contended that the defendant should have taken steps before the hack to better protect the information and that the alleged “harms he suffered were a foreseeable result of [defendant’s] inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining.” The district court disagreed and granted defendant’s motion to dismiss for failure to state a claim. Plaintiff appealed, arguing that “the district court demanded too much at the pleadings stage.”

    On appeal, the 11th Circuit concluded, among other things, that the plaintiff could not have been expected to plead details about the defendant’s private data security policies. “We cannot expect a plaintiff in [this] position to plead with exacting detail every aspect of [defendant’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts,’” the appellate court wrote, noting that plaintiff had sufficiently pled the existence of a special relationship as well as a foreseeable risk of harm. However, the 11th Circuit affirmed dismissal of plaintiff’s claim for breach of implied contract, stating that he failed to allege any facts showing that the defendant agreed to be bound by a data retention or protection policy.

    A few days later, the 11th Circuit issued an opinion saying class members in a different action should be allowed to amend their data breach negligence claim in light of the appellate court’s decision discussed above. The 11th Circuit wrote that the decision in the aforementioned case “undermined” the dismissal of plaintiff’s negligence claim alleging a defendant warehousing company allowed a data breach to occur because it failed to take appropriate measures to secure its network. Class members in this case also alleged their PII was improperly accessed during a ransomware attack. The appellate court agreed with class members’ contention that the defendant had failed to address a newly created legal standard for data breach negligence claims in its motion to dismiss: “Indeed, the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint to add more specific foreseeability allegations in response to [defendant’s] renewed motion to dismiss,” the appellate court wrote, reversing the denial of the motion for leave to amend.

    Courts Privacy Data Breach Ransomware Appellate Eleventh Circuit Consumer Finance

  • Chopra says open-banking rule is coming

    Agency Rule-Making & Guidance

    On June 12, CFPB Director Rohit Chopra announced that the agency is currently working to propose a rule that will assist consumers in making the switch to open banking. Chopra explained how consumers are “deadlocked” when it comes to control of their personal financial data, and consequently cannot switch banks or apply for loans. Considering this issue, Chopra declared, “The CFPB is working to accelerate the shift to open banking through a new personal data rights rule intended to break down these obstacles, jumpstart competition, and protect financial data.” Chopra also discussed the topic of maintaining open market principles and stressed that the Bureau does not intend to micromanage this space but rather release consumers from a situation preventing them from participating in open banking. He gave assurances that open banking will generally be managed through standard-setting outside of the agency, and that the Bureau intends to safeguard fair standards at play. Chopra also shared his concerns about the power of large players in the market, warning that standard-setting organizations must consider consumers’ and smaller actors’ interests as well. The Bureau’s new rule will be open for comments in the coming months and is expected to be finalized in 2024.

    Agency Rule-Making & Guidance CFPB Consumer Finance Federal Issues
