Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’ cybersecurity regulation (23 NYCRR Part 500), which took effect in March 2017 and established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) Charges filed against the company allege that a “known vulnerability” in the company’s online-based data storage platform was not fixed, which allowed unauthorized users to access restricted documents from roughly 2014 through 2019 by changing the ImageDocumentID number in the URL. Although an internal penetration test (i.e., an authorized simulated cyberattack) discovered the vulnerability in December 2018, NYDFS claims that the company did not take corrective action until six months later, when a well-known journalist publicized the problems.
The company allegedly violated six provisions of 23 NYCRR Part 500, including failing to (i) conduct risk assessments for sensitive data stored or transmitted within its information systems; (ii) maintain appropriate, risk-based policies governing access controls to sensitive data; (iii) limit user-access privileges to information systems providing access to sensitive data, or periodically reviewing these access privileges; (iv) implement a risk assessment system to sufficiently identify the availability and effectiveness of controls for protecting sensitive data and the company’s information system; (v) provide adequate data security training for employees and affiliated title agents responsible for handling sensitive data; and (vi) encrypt sensitive documents or implement suitable controls to protect sensitive data. Additionally, NYDFS maintains that, among other things, the company misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, failed to investigate the vulnerability within the timeframe dictated by the company’s internal cybersecurity policies, and did not conduct a reasonable investigation into the exposure or follow recommendations made by its internal cybersecurity team.
A hearing is scheduled for October 26 to determine whether violations occurred for the company’s alleged failure to safeguard consumer information.
On June 9, the CFPB released a factsheet on TRID Title Insurance Disclosures and FAQs regarding lender credits on the total payments disclosure, the optional signature line, and separating consumer and seller information. Highlights of each document include:
- TRID Title Insurance Disclosures. The factsheet discusses the two forms of title insurance commonly purchased in residential transactions—lender’s title insurance and owner’s title insurance. The factsheet breaks down the disclosure rules for each, including, among other things, (i) when and how the costs are required to be disclosed; (ii) specifics regarding simultaneous title insurance; and (iii) differences between state disclosures and TRID disclosures for simultaneous rates. The Bureau also provides detailed disclosure examples for various title insurance scenarios.
- FAQs. The updated FAQs note, among other things, that when providing separate closing disclosures to sellers and consumers, the TRID Rule requires seller-paid loan costs and other costs to be disclosed on page 2 of the consumer’s Closing Disclosure. Additionally, the FAQs provide a breakdown of the Total of Payments disclosure on the Closing Disclosure and discuss when a creditor may require a consumer to sign a Loan Estimate or Closing Disclosure.
Illinois Department of Financial and Professional Regulation issues notice to title insurance licensees and registered agents
On March 30, the Illinois Department of Financial and Professional Regulation (Department) issued a notice encouraging title insurance licensees and registered agents to provide the Department with advance notice of any changes to their usual business practices. If a registered agent application has been submitted, it will be processed as quickly as possible.
On March 29, the Utah governor signed SB 121, which modifies certain title insurance definitions and provisions and adopts, with certain exceptions, Section 8 of RESPA for the purposes of state law governing affiliated business arrangements involving title entities. SB 121 “repeals existing provisions governing controlled business relationships in the title industry,” and permits an “affiliated business arrangement” as defined under 12 U.S. Code § 2602, with the exception that the “services that are the subject of the arrangement do not need to involve a federally related mortgage loan.”
Specifically, title entities with affiliated-business arrangements will be regulated by the state’s Division of Real Estate (Division), which has enforcement authority over the bill’s provisions, including over certain RESPA provisions against real estate licensees such as “failing to timely disclose to a buyer or seller an affiliated business relationship.” Title companies are also required to file annual reports to the Division related to affiliated business arrangements as well as capitalization for the previous calendar year. SB 121 further provides a specific list of RESPA violations pertaining to affiliated business arrangements. The amendments take effect 60 days after adjournment of the legislature.
On January 31, NYDFS issued Supplement No. 2 to Insurance Circular Letter No. 1 (2003), which provides guidance to the title insurance industry following a January 15 unanimous decision by the Appellate Division of the New York State Supreme Court to uphold Insurance Regulation 208. The Appellate Division’s decision vacated the majority of a trial court order annulling Regulation 208, which limits title insurers’ ability to offer inducements to obtain business. (See previous InfoBytes coverage here.)
The NYDFS supplement highlighted three critical holdings from the Appellate Division’s decision. First, the court upheld Regulation 208’s ban on inducements for future title insurance business, recognizing that NYDFS had found that lavish gifts were routinely offered to intermediaries such as lawyers in anticipation of receiving business. Second, the appellate court held that Insurance Law § 6409(d), which prohibits a commission, rebate, fee, or “other consideration or valuable thing,” is not limited to a prohibition on quid pro quo exchanges for specific business. Third, the court annulled Regulation 208’s ban on certain closer fees and fees for ancillary searches.
On July 5, the Supreme Court of the State of New York ordered the annulment of Insurance Regulation 208, which was promulgated by the New York State Department of Financial Services (NYDFS) in October 2017. The decision results from an Article 78 petition by several title insurance companies challenging the state regulation, which prohibits title insurance entities from providing benefits such as meals, tickets to events, gifts, cash, access to parties, trips and other incentives to referral sources. The regulation clarifies that certain “reasonable and customary” advertising and marketing expenses are permitted under New York’s insurance law, provided they are “without regard to insured status or conditioned directly or indirectly on the referral of title business.” The title insurance companies argue that Regulation 208’s restrictions are inconsistent with New York’s insurance law because the law only prohibits “quid pro quo inducements given in exchange for title insurance business” and the law permits marketing and entertainment payments so long as they are not being exchanged for “a specific identified piece of business.”
The court agreed and found that the insurance law—which prohibits a “commission,” “rebate,” “fee,” or “other consideration or valuable thing”—could not be construed to include marketing and entertainment expenses because “it is common sense that marketing is an inducement for business” and it would be “an absurd proposition” that the New York Legislature intended to prohibit companies from marketing themselves. Additionally, construing the insurance law to include marketing and entertainment expenses as prohibited expenditures but also including a provision which delineates certain types of marketing and entertainment expenses as permissible is “irreconcilable and irrational.” The court ultimately concluded that Regulation 208 must fail because it contravenes the will of the Legislature under the insurance law.
In response to the decision, NYDFS Superintendent, Maria T. Vullo, issued a statement that the state intends to appeal as they “remain certain of [their] legal opinion and are confident [they] will prevail on appeal.” On July 6, NYDFS filed a notice of appeal with the court.
On October 17, the New York Department of Financial Services (NYDFS) adopted two final regulations designed to stop “unscrupulous practices” in the title insurance industry. The final regulations—which are the culmination of a NYDFS’ investigation into the practices of title insurers—supersede “emergency” versions of both regulations that went into effect earlier this year. (See previously InfoBytes coverage here.) Specifically, the first rule clarifies that certain “reasonable and customary” advertising and marketing expenses will be permitted provided “they are without regard to insured status or conditioned directly or indirectly on the referral of title business.” Meals, entertainment, and other forms of inducements are prohibited. According to a NYDFS press release, the state’s “anti-inducement statute is not limited to situations in which there is a direct quid pro quo for business.” The second rule requires, among other things, that title insurance companies or agents function independently from any affiliates through which they generate a portion of their business and make “good faith” efforts to accept business from non-affiliate sources.
FinCEN Renews GTOs for Title Insurance Companies in Six Major Metropolitan Areas Upon Finding that GTOs Provide ‘Valuable Data’
On February 23, the Financial Crimes Enforcement Network (FinCEN) announced the renewal of its existing GTOs Geographic Targeting Orders (GTOs), each of which temporarily require U.S. title insurance companies to identify the natural persons behind shell companies used to pay “all cash” for high-end residential real estate in six major metropolitan areas. Generally, the GTOs require all title insurance companies in the targeted cities to file a FinCEN Form 8300 within 30 days of closing a covered transaction, identifying the buyer, any beneficial owner of the buyer, and the individual primarily responsible for representing the buyer in an “all-cash” purchase of high-end residential real estate. Covered businesses must also retain their records for at least five years after the GTO expires.
Notably, the decision to continue the GTO program for another 180 days—beginning on February 24, 2017—was based largely on FinCEN’s finding that the first GTOs issued back in July are producing “valuable data” that is assisting both law enforcement and FinCEN’s efforts to address money laundering through real estate transactions. Nearly one-third of the targeted transactions covered by the July GTOs ended up involving a beneficial owner or representative who is already the subject of a previous suspicious activity report. The results appear to validate the concerns underlying FinCEN’s rationale for issuing GTOs in the first place, namely the use of shell companies to buy luxury real estate in all-cash transactions.
The targeted geographic areas and corresponding closing price thresholds include: (i) Manhattan ($3 million) and all other boroughs of New York City ($1.5 million); (ii) Miami-Dade, Broward, and Palm Beach counties ($1 million); (iii) Los Angeles County ($2 million); (iv) San Francisco, San Mateo, and Santa Clara counties ($2 million); (v) San Diego County ($2 million); and (vi) Bexar County, Texas, which includes San Antonio ($500,000). In targeting the above-listed metropolitan areas, FinCEN clarified that “GTOs do not imply any derogatory finding by FinCEN with respect to the covered companies.” Rather, as explained by FinCEN Acting Director Jamal El-Hindi, “Money laundering and illicit financial flows involving the real estate sector is something that we have been taking on in steps to ensure that we continue to build an efficient and effective regulatory approach.”
For additional information concerning GTO compliance, FAQs released by FinCEN in August 2016 are available here.
Foreclosure Law Firms and Title Companies to Pay $1.8 for Violations of Colorado Consumer Protection Laws
On August 3, Colorado AG Cynthia H. Coffman announced that certain Colorado foreclosure law firms and title insurance companies must pay, pursuant to a court order, $1.8 million in penalties to resolve allegations that they participated in a scheme to defraud consumers. According to AG Coffman’s announcement, between 2008 and 2013, the law firms and title companies violated the Colorado Consumer Protection Act (CPA) and the Colorado Fair Debt Collection Practices Act (CFDCPA) by charging “false and misleading costs for title insurance policies” on more than 2,000 foreclosures. The court originally imposed penalties of $2,291,000 for violations of the CPA and $1,374,600 for violations of the CFDCPA, but the penalties were reduced to a combined $1.8 million because of a statutory maximum penalty cap.
On July 27, FinCEN issued temporary Geographical Targeting Orders (GTO) requiring certain U.S. title insurance companies to identify and report the natural persons behind shell companies used to conduct “all-cash” purchases of high-end real estate in six major metropolitan areas. The GTOs cover the following areas: (i) all boroughs of New York City; (ii) Miami-Date, Broward and Palm Beach Counties in South Florida; (iii) Los Angeles County; (iv) San Francisco, San Mateo, and Santa Clara counties; (v) San Diego Country; and (vi) Bexar County, Texas, which includes San Antonio. FinCEN simultaneously released a table outlining the monetary thresholds that trigger the identification and reporting requirements in each jurisdiction. Upon taking effect, the GTOs will remain effective for 180 days absent an extension. As previously covered in InfoBytes, FinCEN remains concerned that all-cash purchases conducted through LLCs or other “opaque structures,” may be conducted by natural persons trying to hide their assets and identity. According to FinCEN’s Acting Director Jamal El-Hindi, “[b]y expanding the GTOs to other major cities, we will learn even more about the money laundering risks in the national real estate markets, helping us determine our future regulatory course.”
- Kathryn L. Ryan and Jedd R. Bellman to discuss “Risk and compliance management: Are you covered?” at a Mortgage Bankers Association webinar
- Melissa Klimkiewicz and Daniel A. Bellovin to discuss “Things to know about flood insurance” at a NAFCU webinar
- Hank Asbill to discuss “Ethical issues at sentencing” at the 31st Annual National Seminar on Federal Sentencing
- Max Bonici will moderate a panel on “Enforcement risk and other regulatory and compliance issues related to crypto and digital assets” at the American Bar Association’s 2022 Annual Meeting
- John R. Coleman to provide a “CFPB Update” at MBA’s 2022 Regulatory Compliance Conference
- Amanda R. Lawrence to discuss “The shifting data privacy and data protection landscape” at MBA’s 2022 Regulatory Compliance Conference
- Jeffrey P. Naimon to provide “An update on key fair lending cases and the CRA and UDAAP rules” at MBA’s 2022 Regulatory Compliance Conference
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar
- James C. Chou to discuss ransomware at NAFCU’s Regulatory Compliance & BSA seminar
- Elizabeth E. McGinn, Benjamin W. Hutten, and James C. Chou to discuss “The Evolving Regulatory Landscape: Third-party and cyber risk management” at the 2022 mWISE Conference
- James T. Parkinson to present a “Global anti-corruption update” at IBA’s annual conference