InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FHFA announces validation of FICO 10T and VantageScore 4.0 for GSE use
On October 24, FHFA announced the validation and approval of both the FICO 10T credit score model and the VantageScore 4.0 credit score model for use by Fannie Mae and Freddie Mac (GSEs). The agency also announced that the GSEs will require two credit reports from the national consumer reporting agencies, rather than three. According to the announcement, FHFA expects implementation of FICO 10T and VantageScore 4.0 to be a multiyear effort, but once in place, lenders will be required to deliver both FICO 10T and VantageScore 4.0 credit scores with each loan sold to the GSEs. FHFA noted that FICO 10T and VantageScore 4.0 are more accurate than the classic FICO model because they include payment history for factors like rent, utilities, and telecommunications. FHFA also released a Fact Sheet on the newly approved models, which “will improve accuracy, strengthen access to credit, and enhance safety and soundness.”
States launch investigation into banks’ ESG investing and banking
On October 19, a coalition of 19 state attorneys general, led by Missouri, Arizona, Kentucky, and Texas, announced that six large U.S. banks were served civil investigative demands (CIDs) asking for information related to their involvement with the U.N.’s Net-Zero Banking Alliance (NZBA). The Missouri AG’s office, which has led the opposition against ESG (environmental, social, governance) investing and banking practices, stated that NZBA-member banks are required to set emissions reduction targets in their lending and investment portfolios to reach net zero by 2050. According to the Missouri AG, the NZBA serves to “starve companies engaged in fossil fuel-related activities of credit on national and international markets” by requiring banks to cede authority to the U.N. The CIDs seek information from the banks on topics related to, among other things, (i) their involvement in affiliated global climate initiatives; (ii) how NZBA and Principles for Responsible Banking objectives have been incorporated into their operations; and (iii) the extent to which the banks have fulfilled their “commitment to ‘facilitat[e] the necessary transition in the real economy through prioritizing client engagement and offering products and services to support clients’ transition,’” as well as their “commitment to ‘engag[e] on corporate and industry (financial and real economy) action, as well as public policies, to help support a net-zero transition of economic sectors in line with science and giving consideration to associated social impacts.’”
FAFT restricts Russia’s membership, takes action on corruption and drug trafficking
On October 20, the U.S. Treasury Department announced that the Financial Action Task Force (FATF) concluded its first plenary of the Singaporean presidency, in which it, among other things, took steps to combat corruption and illegal fentanyl trafficking and enhance financial transparency. During the meeting, FATF agreed to seek public input on draft guidance for implementing the FATF standard on beneficial ownership transparency for legal persons. The efforts to improve transparency in beneficial ownership “seek to improve the ability of law enforcement to trace, report, and seize illicit proceeds, and to make it harder for criminals and others to exploit opaque legal structures such as shell companies to hide and launder the proceeds of their crimes.” FATF also adopted a U.S.-led report on money laundering related to the illicit trafficking of synthetic opioids, including fentanyl, which provides information and best practices so that law enforcement and financial investigators around the world can expand their work on complex, cross-border money laundering investigations involving the proceeds of drug trafficking. The FATF also agreed to additional restrictions on the membership rights of the Russian Federation due to its war against Ukraine, including by barring them from participating in current and future FATF project teams.
France fines facial recognition company €20 million for GDPR violations
On October 20, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €20 million penalty against a facial recognition company for violating the EU’s General Data Protection Regulation (GDPR). In 2020, CNIL opened an investigation after receiving complaints from individuals about the company’s facial recognition software. CNIL stated in its announcement that it cooperated with its European counterparts to share the results of the investigations, as each authority is permitted to act on its own territory since the company has no establishment in Europe. The investigations identified several violations of the GDPR, including that the company allegedly unlawfully processed personal biometric data without a legal basis (a breach of article 6 of the GDPR), and failed to take into account an individual’s rights in an “effective and satisfactory way”—particularly with respect to requests for access to their data (a breach of articles 12, 15 and 17 of the GDPR). A formal notice was issued to the company last year requiring it to stop collecting and using data belonging to persons on French territory without a legal basis. The company was also ordered to “facilitate the exercise of individuals’ rights and to comply with requests for erasure.” CNIL contended that after the company failed to respond to the formal notice, it referred the matter to a restricted committee for sanctions.
The restricted committee imposed the maximum financial penalty (€20 million) under article 83 of the GDPR, and ordered the company “to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months.” Failure to comply within this time frame will result in a €100,000 penalty per day of delay. The restricted committee also cited the company for breaching its obligation to cooperate with CNIL.
District Court grants FDCPA defendant’s motion for summary judgment
On October 18, the U.S. District Court for the Eastern District of Pennsylvania granted a second summary judgment motion by a debt collection agency (defendant) in an FDCPA suit, after the plaintiff filed a motion for reconsideration, ruling that a collection letter sent to the plaintiff was not false, deceptive, misleading, unfair or unconscionable. According to the order, the plaintiff received two bills after being treated at a hospital for an automobile accident: one in the amount of $675, which was adjusted from $900 because the plaintiff lacked insurance, and a second bill from a doctor’s network for $468. The hospital placed the unpaid account with the defendant who in turn sent a collection letter to the plaintiff, which was the only contact between the plaintiff and the defendant. The plaintiff filed suit, alleging that under Pennsylvania’s Motor Vehicle Financial Responsibility Law the defendant was permitted to attempt to collect only $141.15, and that its failure to do so violated the FDCPA. This value was based on the Current Procedural Terminology (CPT) code associated with the doctor’s network bill, but the hospital’s bill did not contain a CPT code. The district court found that the plaintiff did not demonstrate any material issue of disputed fact that the services provided by the hospital were or should have been billed under the same CPT code as the doctor’s network bill, nor did the plaintiff provide sufficient evidence to prove that the amount billed by the hospital violated state law, and therefore, granted the defendant’s motion for summary judgment.
7th Circuit: Plaintiff lacks standing to bring FCRA claim on credit report disputes
On October 18, the U.S. Court of Appeals for the Seventh Circuit affirmed dismissal of an FCRA action in favor of a defendant bank. According to the opinion, the plaintiff real estate investor obtained a loan secured by a mortgage from the defendant bank. The mortgage required the plaintiff to maintain a certain level of hazard insurance or the defendant bank could lender-place such insurance, with the cost of the lender-placed insurance amounts becoming additional debt secured by the mortgage. After the plaintiff underpaid on his flood insurance premiums, the defendant bank obtained lender-placed insurance. When the plaintiff did not pay the increased monthly payment associated with the lender-placed insurance amounts in full, the defendant bank informed the plaintiff that he was in default and that the entire amount of the loan would be accelerated if the default was not cured. While the plaintiff continued to submit partial payments, the defendant began reporting certain 2011 payments as 60 days or more late to the credit reporting agencies (CRAs). In 2012, the plaintiff disputed these purportedly late payments with the CRAs.
The plaintiff sued claiming, among other things, that the defendant violated the FCRA by failing to responsibly investigate the 2012 disputes. On appeal, after determining that the district court did not abuse its discretion by failing to rely on unsupported statements in the plaintiff's affidavit, the 7th Circuit found that the district court erred in requiring the plaintiff to prove damages as an element of his FCRA claim. However, the appellate court held that the plaintiff ultimately lacked standing to bring a claim under the FCRA because, as the appellate court highlighted, the injury that the plaintiff alleged—a decrease in his credit score in November 2011—could not be fairly traced to the defendant’s alleged action—a failure to reasonably investigate credit reporting disputes in January 2012.
OFAC sanctions Nicaraguan mining authority; Biden issues new E.O. expanding Treasury’s authority to hold Nicaraguan regime accountable
On October 24, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order (E.O.) 13851 against the Nicaraguan mining authority General Directorate of Mines and a Government of Nicaragua official. OFAC stated that the mining authority is “being designated for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly,” the Nicaraguan Minister of Energy and Mines whose property and interests in property were blocked in 2021. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons in the U.S. are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more in the aggregate by one or more of such persons are also blocked.” U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
The same day, President Biden signed a new E.O., Taking Additional Steps to Address the National Emergency With Respect to the Situation in Nicaragua, to amend E.O. 13851 and, according to the announcement, expand Treasury’s “authority to hold the Ortega-Murillo regime accountable for its continued attacks on Nicaraguans’ freedom of expression and assembly.” The new E.O. grants Treasury authority to target certain persons operating or that have operated in Nicaragua’s gold sector, as well as other sectors identified by Treasury in consultation with the State Department. According to OFAC’s announcement, the E.O. “provides expanded sanctions authorities that could be used to prohibit new U.S. investment in certain identified sectors in Nicaragua, the importation of certain products of Nicaraguan origin into the United States, or the exportation, from the United States, or by a United States person, wherever located, of certain items to Nicaragua.” In conjunction with the E.O., OFAC issued Nicaragua-related General License 4, which authorizes the wind down of transactions involving the Directorate General of Mines of the Nicaraguan Ministry of Energy and Mines that are otherwise normally prohibited by the Nicaragua Sanctions Regulations, and issued one related frequently asked question regarding that General License.
UK Information Commissioner fines company £4.4 million for data breach
On October 24, the UK Information Commissioner fined a construction company £4.4 million for a data breach that allegedly allowed hackers to access thousands of employees’ personal data. According to the monetary penalty notice, the company failed to process personal data in a manner that ensured the appropriate security of individuals’ personal data as required by Article 5(1)(f) and Article 32 of the EU’s General Data Protection Regulation. This includes protecting against unauthorized or unlawful processing, against accidental loss, destruction, or damage, and using appropriate technical and organizational measures, the regulator said. As a result of insufficient security measures, the company was exposed to a cyber-attack that affected the personal data of up to 113,000 company employees, including personal information such as phone numbers, email addresses, national insurance numbers, and bank account details, among others. An investigation found that the company allegedly failed to follow-up on a suspicious activity alert, used outdated software systems and protocols, and lacked adequate staff training and insufficient risk assessments. The regulator warned companies that “[t]he biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.” The regulator further stressed that failure to regularly monitor for suspicious activity, act on warnings, update software, or provide training may expose other companies to a similar fine.
West Virginia AG pings CFPB on "unconstitutionally appropriated" funds
On October 24, the West Virginia attorney general sent a letter to CFPB Director Rohit Chopra, and to the leadership of both the House Financial Services Committee and the Senate Banking Committee, regarding the constitutionality of the Bureau’s continuing operation. As previously covered by a Buckley Special Alert, the U.S. Court of Appeals for the Fifth Circuit held that the CFPB funding structure created by Congress violated the Appropriations Clause of the Constitution, which provides that “no money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law.” The 5th Circuit ruled that, although the CFPB spends money pursuant to a validly enacted statute, the structure violates the Appropriations Clause because the CFPB obtains its funds from the Federal Reserve (not the Treasury), the CFPB maintains funds in a separate account, the Appropriations Committees do not have authority to review the agency’s expenditures, and the Bureau exercises broad authority over the economy. In the letter, the AG argued that the Bureau cannot discharge its duties in a constitutionally permissible way. He further noted that the Bureau “plainly cannot do that with a funding scheme that ‘sever[s] any line of accountability between [Congress] and the CFPB.’” The AG urged the Bureau to reassess its future plans and to reevaluate whether its present regulations have any effect. The letter also requested answers to a series of questions, no later than November 1: (i) “Does the agency believe that any of the regulations that it promulgated under the unconstitutional funding scheme remain in effect? If so, which ones—and why? Similarly, how does the decision affect past enforcement actions?”; and (ii) “What plans does the Bureau plan to undertake to comply with the ruling? How will its ongoing enforcement efforts be effected? How will this change affect any promulgation of regulations? How will bank supervision continue, if at all?”
9th Circuit says district court must reassess statutory damages in TCPA class action
On October 20, the U.S. Court of Appeals for the Ninth Circuit ordered a district court to reassess the constitutionality of a statutory damages award in a TCPA class action. Class members alleged the defendant (a multi-level marketing company) made more than 1.8 million unsolicited automated telemarketing calls featuring artificial or prerecorded voices without receiving prior express consent. The district court certified a class of consumers who received such a call made by or on behalf of the defendant, and agreed with the jury’s verdict that the defendant was responsible for the prerecorded calls at the statutorily mandated damages of $500 per call, resulting in total damages of more than $925 million. Two months later, the FCC granted the defendant a retroactive waiver of the heightened written consent and disclosure requirements, and the defendant filed post-trial motions with the district court seeking to “decertify the class, grant judgment as a matter of law, or grant a new trial on the ground that the FCC’s waiver necessarily meant [defendant] had consent for the calls made.” In the alternative, the defendant challenged the damages award as being “unconstitutionally excessive” under the Due Process Clause of the Fifth Amendment.
On appeal, the 9th Circuit affirmed most of the district court’s ruling, including upholding its decision to certify the class. Among other things, the appellate court determined that the district court correctly held that the defendant waived its express consent defense based on the retroactive FCC waiver because “no intervening change in law excused this waiver of an affirmative defense.” The appellate court found that the defendant “made no effort to assert the defense, develop a record on consent, or seek a stay pending the FCC’s decision,” even though it knew the FCC was likely to grant its petition for a waiver. While the 9th Circuit did not take issue with the $500 congressionally-mandated per call damages figure, and did not disagree with the total number of calls, it stressed that the “due process test applies to aggregated statutory damages awards even where the prescribed per-violation award is constitutionally sound.” Recognizing that Congress “set a floor of statutory damages at $500 for each violation of the TCPA but no ceiling for cumulative damages, in a class action or otherwise,” the appellate court explained that such damages “are subject to constitutional limitation in extreme situations,” and “in the mass communications class action context, vast cumulative damages can be easily incurred, because modern technology permits hundreds of thousands of automated calls and triggers minimum statutory damages with the push of a button.” Accordingly, the 9th Circuit ordered the district court to reassess the damages in light of these concerns.