InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC extends compliance on some Safeguards provisions
On November 15, the FTC announced that covered financial institutions now have until June 9, 2023, to comply with certain updated Safeguards Rule requirements. The Commission issued this extension based on reports, including a letter from the SBA’s Office of Advocacy, that a shortage of qualified personnel to implement financial institutions’ information security programs and supply chain issues could delay security system upgrades.
As previously covered by InfoBytes, in October 2021, the FTC issued a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. Among other things, the final rule added specific criteria financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, must undertake when conducting a risk assessment and implementing an information security program. Among other requirements, these include implementing provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response. The final rule also added measures to ensure employee training and service provider oversight are effective and expanded the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e. companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule). While many provisions of the Safeguards Rule became effective 30 days after publication in the Federal Register, certain other provisions, including requirements applicable to covered financial institutions, were set to take effect December 9, 2022.
CFPB asks Supreme Court to review 5th Circuit decision
On November 14, the DOJ, on behalf of the CFPB, submitted a petition for a writ of certiorari asking the U.S. Supreme Court to review whether the U.S. Court of Appeals for the Fifth Circuit erred in holding that the Bureau’s funding structure violates the Appropriations Clause of the Constitution. The Bureau also asked the court to consider the 5th Circuit’s decision to vacate the agency’s 2017 final rule covering “Payday, Vehicle Title, and Certain High-Cost Installment Loans” (Payday Lending Rule) on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding.
The Bureau’s funding is derived through the Federal Reserve instead of the annual congressional appropriations process—a process, the appellate court said, that violates the Constitution. Specifically, the 5th Circuit’s October 19 holding (covered by a Buckley Special Alert) found that although the Bureau spends money pursuant to a validly enacted statute, the structure violates the Appropriations Clause because (i) the Bureau obtains its funds from the Federal Reserve (not the Treasury); (ii) the agency maintains funds in a separate account; (iii) the Appropriations Committees do not have authority to review the agency’s expenditures; and (iv) the Bureau exercises broad authority over the economy. The 5th Circuit also rejected the Bureau’s arguments that the funding structure was necessarily constitutional because it was created by and subject to Congress, and distinguished other agencies that are funded outside of the annual appropriations process.
The case involves a challenge to the Bureau’s Payday Lending Rule, which prohibits lenders from attempting to withdraw payments for covered loans from consumers’ accounts after two consecutive withdrawal attempts have failed due to insufficient funds. As a result of the 5th Circuit’s decision, lenders’ obligation to comply with the rule (originally set for August 19, 2019, but repeatedly delayed) will be further delayed while the constitutional issue winds its way through the courts.
“No other court has ever held that Congress violated the Appropriations Clause by passing a statute authorizing spending,” the Bureau argued as it requested a prompt Supreme Court review, asserting that the 5th Circuit’s decision “threatens to inflict immense legal and practical harms on the CFPB, consumers, and the Nation’s financial sector.” The agency also stressed that “[n]ew challenges to the Bureau’s rules and other actions can be expected to multiply in the weeks and months to come, and will presumably be filed in the 5th Circuit whenever possible.” The decision also has the potential to impact past enforcement actions and rulemaking as well, the Bureau said.
The Bureau further asserted that while the 5th Circuit concluded that “‘an appropriation is required’ to authorize spending” and that “‘[a] law’ providing an agency with a funding source and spending authority ‘does not suffice,’” the appellate court failed to specify what would be required for such a law to qualify as an appropriation.
Moreover, the 5th Circuit’s reasoning was incorrect, the Bureau argued, because Congress specified that the agency could claim up to 12 percent of the Fed’s budget to fund its operations, and it is subject to, among other things, budget and financial oversight, government audits, and requirements that its director prepare and submit annual reports to the Senate and House appropriations committees concerning its fiscal operating plans and forecasts. These safeguards, the Bureau stressed, should assuage concerns about whether the agency is insulated from congressional oversight. “The court of appeals’ novel and ill-defined limits on Congress’s spending authority contradict the Constitution’s text, historical practice, and this Court’s precedent,” the Bureau said, adding that the decision also conflicts with a holding issued by the U.S. Court of Appeals for the D.C. Circuit where the appellate court recognized that “Congress can, consistent with the Appropriations Clause, create governmental institutions reliant on fees, assessments, or investments rather than the ordinary appropriations process.”
The Bureau asked the Supreme Court to review the case during its current term, which would ensure resolution of the issue by the summer of 2023.
District Court says university is a financial institution exempt from state privacy law
On November 4, the U.S. District Court for the Northern District of Illinois granted a defendant university’s motion to dismiss Illinois’ Biometric Information Privacy Act claims (BIPA), ruling that because the defendant participates in the Department of Education’s Federal Student Aid Program, it is a “financial institution” subject to Title V of the Gramm-Leach-Bliley Act (GLBA) and therefore exempt from BIPA. Plaintiff sued the defendant claiming the university used technology to collect biometric identifiers to surveil students taking online exams. According to the plaintiff, the defendant’s use of this technology violated students’ biometric privacy rights because the defendant did not obtain students’ written consent to collect and use that data, failed to disclose what happens with the data after collection, and failed to adhere to BIPA’s retention and destruction requirements.
The court disagreed and dismissed the putative class action. The court explained that the defendant’s direct student lending and participation in the Federal Student Aid Program allows it to qualify as a “financial institution,” defined by the GLBA as “any institution the business of which is engaging in financial activities.” As such, it is expressly exempt from BIPA. The court rejected plaintiff’s argument that the defendant did not fit within this definition because it is in the business of higher education rather than financial activities because at least five other courts that have also concluded that “institutions of higher education that are significantly engaged in financial activities such as making or administering student loans” qualify for exemption. The court also referred to a 2000 FTC rule issued when the Commission had both enforcement and rulemaking authority under the GLBA. The rule considered colleges and universities to be financial institutions if they “appear to be significantly engaged in lending funds to consumers,” which the court found to be “particularly persuasive because it evidences longstanding, consistent, and well-reasoned interpretation of the statute that it had been tasked to administer.”
OFAC sanctions firms for aiding Russia’s acquisition of UAVs
On November 15, the U.S. Treasury Department’s Office of Foreign Assets Control announced sanctions pursuant to Executive Orders (E.O.) 13382 and 14024 against several firms responsible for the production and transfer of Iranian unmanned aerial vehicles (UAVs) to Russia for use in the country’s war against Ukraine. OFAC also designated two individuals who facilitated the acquisition of UAVs for a previously State Department-designated company. According to the announcement, the designations “implement commitments to target international actors involved in supporting Russia’s war machine, as highlighted by OFAC FAQs 1091 and 1092 and reinforced by an October 14, 2022 meeting of senior officials in Washington representing ministries of finance and other government agencies from 33 countries, in which the participants acknowledged the significance of sanction actions taken so far and discussed additional steps to further impair Russia’s military-industrial complex and critical defense supply chains.” The sanctions follow OFAC’s September designations against several persons involved in the shipment, production, and procurement of UAVs for Russia’s benefit. (Covered by InfoBytes here.) As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Additionally, persons that engage in certain transactions with the sanctions individuals or entities may themselves be exposed to sanctions. OFAC further warned that “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today pursuant to E.O. 13382 could be subject to U.S. sanctions.”
The same day, the Departments of Treasury, Commerce, and State issued a joint alert detailing the impact of international sanctions and export controls on Russia’s military-industrial complex to date.
OFAC issues new counter terrorism GL and FAQ
On November 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued Counter Terrorism General License (GL) 21, “Authorizing Limited Safety and Environmental Transactions Involving Certain Vessels,” which authorizes limited safety and environmental transactions involving certain persons or vessels that are normally prohibited by the Global Terrorism Sanctions Regulations (GTSR) through 12:01 a.m. EST, December 15, 2022. OFAC explained that such transactions are authorized provided payments to a blocked person are made into a blocked account in accordance with the GTSR. A list of unauthorized transactions are also included. OFAC also issued related FAQ 1097 to provide additional clarification on permitted transactions.
SEC releases enforcement results for fiscal year 2022
On November 15, the SEC announced that it filed 760 total enforcement actions in fiscal year 2022—a nine percent increase in total enforcement actions from fiscal year 2021. The fiscal year 2022 actions included: (i) 462 new, or “stand alone,” enforcement actions, a 6.5 percent increase over fiscal year 2021; (ii) 129 actions against issuers who were allegedly delinquent in making required filings with the SEC; and (iii) 169 “follow-on” administrative proceedings seeking to bar or suspend individuals from certain functions in the securities markets based on criminal convictions, civil injunctions, or other orders. The SEC also noted that the stand-alone enforcement actions in fiscal year 2022 “ran the gamut of conduct, from ‘first-of-their-kind’ actions to cases charging traditional securities law violations.” Among other things, the SEC described that money ordered in the actions, which is comprised of civil penalties, disgorgement, and pre-judgment interest, totaled $6.439 billion, the most on record in SEC history and an increase from $3.852 billion in fiscal year 2021. However, disgorgement was down 6 percent from the prior year, according to the SEC. The SEC also noted that fiscal year 2022 was its second highest year ever in whistleblower awards. According to SEC Director of the Division of Enforcement Gurbir S. Grewal, “the Enforcement Division is working with a sense of urgency to protect investors, hold wrongdoers accountable and deter future misconduct in our financial markets.”
District Court denies dismissal of RESPA "dual-tracking" suit
On November 1, the U.S. District Court for the Northern District of Ohio declined to grant summary judgment in favor of a mortgage servicer defendant in a Regulation X, RESPA, and Ohio Residential Mortgage Lending Act (RMLA) suit against the mortgage servicer and a law firm (collectively, “defendants”). The case concerned a loan modification that plaintiff had allegedly sought from defendants, for which the defendant mortgage servicer ultimately denied, and the defendant law firm initiated a foreclosure action. The defendant mortgage servicer challenged the count in the complaint alleging that the defendant mortgage servicer’s moving for summary judgment in the state foreclosure action violated Regulation X and RESPA’s prohibition on dual tracking. Dual tracking “occurs when a lender ‘actively pursues foreclosure while simultaneously considering the borrower for loss mitigation options.’” The defendant mortgage servicer argued that the prohibition on moving for summary judgment found in Regulation X did not apply because the plaintiff rejected the loan modification. The defendant mortgage servicer based this argument on the fact that it did not receive the plaintiff’s executed modification by a certain date. Because of this, the defendant mortgage servicer argued that it was permitted to move forward with a foreclosure judgment, and its decision to reverse the denial of the modification was at its discretion and not subject to the requirements of 12 C.F.R.1024.41(g).
The court found, however, that there was a genuine dispute as to whether the plaintiff returned the loan modification agreement by the designated date. The court continued, “[the defendant mortgage servicer’s] explanation regarding all three of the exceptions found at §41(g) subsections (1) through (3) each expressly depend upon the factual assertion that [the plaintiff] did not return a signed modification agreement and thereby rejected same. Inasmuch as there is evidence that [the plaintiff] did so, the court cannot conclude that [the defendant mortgage servicer] is entitled to judgment as a matter of law regarding the exceptions in §41(g) of Regulation X.” Among other things, the court also found that the defendant mortgage servicer “failed to act with reasonable care and diligence, in good faith, to safeguard and account for money tendered by [the plaintiff].” The court concluded by finding that the plaintiff sufficiently identified plausible damages as a result of a RESPA violation, further permitting her claims to stand.
Tech company to pay $391.5 million to resolve data tracking allegations
On November 10, forty states and a multinational technology company reached a $391.5 million settlement resolving allegations that the company tracked users’ locations even after they believed the feature was turned off. According to the assurance of voluntary compliance, the company allegedly misrepresented and omitted, among other things, material information regarding the location history and web and app activity settings, which “confused users about how location information would be captured, stored, and used without users’ knowledge or consent.” Additionally, the company allegedly used deceptive and unfair practices in a setting “that purports to allow users to opt out of personalized advertising and allows users to ‘control’ [the company’s] use of their location information.” The company agreed to, among other things: (i) “issue a pop-up notification to users who have location history or web & app activity enabled at the time of the notification”; (ii) “send an email to users who have location history or web & app activity enabled at the time of the notification”; and (iii) design and present a location technologies page “in a clear and conspicuous disclosure.”
OCC senior deputy comptroller discusses fair lending
On November 14, Senior Deputy Comptroller for Bank Supervision Policy Grovetta Gardineer delivered remarks on behalf of acting Comptroller Michael J. Hsu before the CRA & Fair Lending Colloquium to discuss the agency’s ongoing efforts to ensure its regulated institutions provide fair and equitable credit services. Among other topics, Gardineer mentioned the agency’s initiatives to identify and address discriminatory lending practices, including addressing fair lending in advanced analytics and reducing barriers to financial inclusion. Noting that the banking industry has evolved “rapidly,” Gardineer stated that the OCC has “remained focused on the solid foundation of our mission,” and identified “three strategic goals: (1) agility and learning; (2) credibility and trust; and (3) leadership in supervision.”
She also said that the OCC is enhancing its risk-based supervisory approach by, among other things, “[r]ecognizing our strategic goal for ‘agility and learning,’” and by “conducting fair lending risk assessments during every supervisory cycle for each bank that engages in retail lending.” Regarding the agency’s efforts to reduce inequality in banking, Gardineer stated that the OCC has taken an active role on the Interagency Task Force on Property Appraisal and Valuation Equity, or PAVE, which is an initiative to evaluate the causes, extent, and consequences of appraisal bias. As previously covered by InfoBytes in March, the thirteen member agencies and offices of the PAVE Task Force came together in an extraordinary interagency effort to issue the Action Plan to Advance Property Appraisal and Valuation Equity, which represents “the most wide-ranging set of reforms ever put forward to advance equity in the home appraisal process.”
Gardineer also disclosed that the OCC is developing other internal measures to enhance credibility and trust, including measures to “improv[e] supervisory methods for identifying potential discrimination in property valuations.” In regard to addressing fair lending in advanced analytics, Gardineer warned that “the growing use of advanced analytics such as artificial intelligence or machine learning offers both the opportunity to help reduce inequality and to address safety, soundness, and fairness risks,” and emphasized that the agency “supports fair, ethical, responsible, and transparent adoption of advanced analytics, including artificial intelligence and machine learning, in the financial sector.”
In terms of the future, she highlighted that “the OCC is focused on strengthening our supervision processes and resources devoted to compliance with fair lending laws, while enhancing our ability to remain agile and successfully execute our mission to ensure that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulations..”
Biden nominates Gruenberg for FDIC chair
On November 14, President Biden announced his intention to nominate Martin Gruenberg to serve as chair and member of the FDIC Board of Directors. Following the resignation of the FDIC’s former chair, Jelena McWilliams (covered by InfoBytes here), Gruenberg has been acting chairman. Since joining the FDIC Board of Directors in 2005, Gruenberg has served as vice chairman, chairman, and acting chairman. Prior to joining the FDIC, Gruenberg served on the staff of the Senate Banking Housing and Urban Affairs Committee as Senior Counsel of the full Committee, and as staff director of the Subcommittee on International Finance and Monetary Policy.
CSBS President and CEO James M. Cooper issued a statement following the announcement: “Today’s announcement from the White House means that none of the nominees to the FDIC Board will meet the requirement for state bank supervisory experience. This requirement is not only the law but also a great benefit for consumers and the banking sector when the dual-banking system is fully represented on the FDIC Board. We encourage Senators, in their role in the confirmation process, to ask nominees how they will work with state bank regulators to benefit from their experience sitting closer to citizens and local economies.”