InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS fines mortgage loan servicer for alleged violations of Abandoned Property Relief Act
On January 16, NYDFS announced a $100,000 settlement with a New York state-registered mortgage loan servicer for allegedly failing to register and maintain two properties as required by the state’s Abandoned Property Relief Act. Under the Act, NYDFS can hold banks and mortgage servicers accountable should they fail to fulfill certain maintenance obligations at vacant and abandoned residential properties (“zombie” properties) securing mortgage loans in their portfolios. NYDFS rejected claims that the servicer was unable to maintain the “zombie” properties due to not receiving authorization from the mortgagee and that the properties were not subject to the requirements of the Act because backdated lien releases extinguished its maintenance obligation. Under the terms of the consent order, the servicer has also agreed to provide confirmation within 30 days to NYDFS that all properties subject to New York’s Vacant and Abandoned Property Law have been sufficiently registered with NYDFS’ registry of vacant and abandoned properties, are maintained properly, and that all quarterly filings for each property have been submitted.
CFPB releases new No-Action Letter policy and new product sandbox
On December 10, the CFPB released a new proposed policy on No-Action Letters (NAL) and a new federal product sandbox. The new NAL proposal, which would replace the 2016 NAL policy, is “designed to increase the utilization of the Policy and bring certain elements more in line with similar no-action letter programs offered by other agencies.” The proposal consists of six sections. Highlights include:
- Description of No-Action Letters. The letter would indicate to the applicant, that subject to good faith, substantial compliance with the terms of the letter, the Bureau would not bring a supervisory or enforcement action against the recipient for offering or providing the described aspects of the product or service covered by the letter.
- Submitting Applications. The proposal includes a description of the items an application should contain and invites applications from trade associations on behalf of their members, and from service providers and other third parties on behalf of their existing or prospective clients.
- Assessment of Applications. The Bureau intends to grant or deny an application within 60 days of notifying the applicant that the application is deemed complete.
- Issuing No-Action Letters. NALs will be signed by the Assistant Director of the Office of Innovation or other members in the office, and will be duly authorized by the Bureau. The Bureau may revoke a NAL in whole or in part, but before the Bureau revokes a NAL, recipients will have an opportunity to cure a compliance failure within a reasonable period.
- Regulatory Coordination. In order to satisfy the coordination requirements under Dodd-Frank, the Bureau notes it is interested in partnering with state authorities that issue similar forms of no-action relief in order to provide state applicants an alternative means of also receiving a letter from the Bureau.
- Disclosure of Information. The Bureau intends to publish NALs on its website and in some cases, a version or summary of the application. The Bureau may also publish denials and an explanation of why the application was denied. The policy notes that disclosure of information is governed by the Dodd-Frank Act, FOIA and the Bureau’s rule on Disclosure of Records and Information, which generally would prohibit the Bureau from disclosing confidential information.
Notable changes from the 2016 NAL policy include, (i) NALs no longer have a temporal duration—under the new proposal, there is no temporal limitation except in instances of revocation; (ii) applicants are no longer are required to commit to sharing data about the product or service covered by the application; and (iii) the letters are no longer staff recommendations, but issued by authorized officials in the Bureau to provide recipients greater assurance of the relief.
The proposal also introduces the Bureau’s “Product Sandbox,” which offers substantially the same relief as the NAL proposal but also includes: (i) approvals under one or more of three statutory safe harbor provisions of TILA, ECOA, or the EFTA; and (ii) exemptions by order from statutory provisions of ECOA, HOEPA, and FDIA, or regulatory provisions that do not mirror statutory provisions under rulemaking authority. The proposal notes that two years is the expected duration for participation in the Sandbox, but similar to the no-action relief above, the no-action relief from the Sandbox program can be of unlimited duration—if approved under the sandbox program, “the recipient would be immune from enforcement actions by any Federal or State authorities, as well as from lawsuits brought by private parties.”
Comments on the proposals are due within 60 days of publication in the Federal Register.
New York Attorney General reaches largest ever COPPA settlement to resolve violations of children’s privacy
On December 4, the New York Attorney General announced the largest Children’s Online Privacy Protection Act (COPPA) settlement in U.S. history—totaling approximately $6 million —to resolve allegations with a subsidiary of a telecommunications company that allegedly conducted billions of auctions for ad space on hundreds of websites it knew were directed to children under the age of 13. According to the Attorney General’s office, the subsidiary collected and disclosed personal data on children through auctions for ad space, allowing advertisers to track and serve targeted ads to children without parental consent. Under COPPA, operators of websites and other online services are prohibited from collecting or sharing the information of children under the age of 13 unless they give notice and have express parental consent. Among other things, the subsidiary also allegedly placed ads on other exchanges that possessed the capability to auction ad space on child-directed websites, but that when it won ad space on COPPA-covered websites, the subsidiary treated the space as it would any other and collected user information to serve targeted ads.
Under the terms of the settlement, the subsidiary must (i) create a comprehensive COPPA compliance program, which requires annual COPPA training for staff, regular compliance monitoring, and the retention of service providers that can comply with COPPA, as well as a third party who will assess the privacy controls; (ii) enable website operators that sell ad inventory to indicate what portion of a website is subject to COPPA; and (iii) destroy the personal data it collected on children.
OCC's Semiannual Risk Perspective highlights key risks affecting the federal banking system
On December 3, the OCC released its Semiannual Risk Perspective for Fall 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. The report focuses on risks to the federal banking system based on five areas: the operating environment, bank performance, special topics in emerging risk, trends in key risks, and supervisory actions. Overall, loans and bank profitability grew in 2018 as the U.S. economy continued to grow. Moreover, recent examination findings indicate incremental improvements in banks’ general risk management practices. Specific risk areas of concern noted by the OCC include: (i) the origination quality of new loans and potential embedded risks from previously successive years of relaxed underwriting standards; (ii) an increasingly complex operating environment, including the continually evolving threat to cybersecurity; (iii) elevated money-laundering risks; and (iv) rising market interest rates, including certain risks associated with heightened competition for deposits.
The report also notes that outstanding enforcement actions continue to decline since peaking in 2010, which, according to the OCC, reflects an overall improvement in, among other things, banks’ risk management practices. The leading cause of current enforcement actions continues to be compliance or operational failures.
FDIC releases October enforcement actions, includes BSA and TILA violations
On November 30, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in October. Included among the actions is an order to pay a civil money penalty of $9,600 issued against a Louisiana-based bank for alleged violations of the Flood Disaster Protection Act in connection with alleged failures to obtain flood insurance coverage on loans at or before origination or renewal.
Consent orders were also issued against three separate banks related to alleged weaknesses in their Bank Secrecy Act (BSA) and/or BSA/anti-money laundering (BSA/AML) compliance programs. (See orders here, here, and here.) Among other things, the banks are ordered to: (i) implement comprehensive written BSA/AML compliance programs, which include revising BSA risk assessment policies, developing a system of BSA internal controls, and enhancing suspicious activity monitoring and reporting and customer due diligence procedures; (ii) conduct independent testing; and (iii) implement effective BSA training programs. The FDIC further requires the Florida and New Jersey-based banks to conduct suspicious activity reporting look-back reviews.
In addition, a Kentucky-based bank was ordered to pay a civil money of $300,000 for allegedly violating TILA by “failing to clearly and conspicuously disclose required information related to the [b]ank’s Elastic line of credit product” and Section 5 of the FTC ACT by “using a processing order for certain deposit account transactions contrary to the processing orders disclosed in the [b]ank’s deposit account disclosures.”
There are no administrative hearings scheduled for December 2018. The FDIC database containing all 17 enforcement decisions and orders may be accessed here.
FTC commissioners discuss need for expanded authority over consumer data privacy and security
On November 27, the Senate Committee on Commerce, Science and Transportation’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security conducted a hearing to discuss, among other topics, whether the FTC should be granted expanded authority over consumer data privacy and security. The hearing entitled “Oversight of the Federal Trade Commission” heard from the Chairman of the FTC as well as the agency’s four commissioners. Ranking Member Senator Bill Nelson’s opening statement discussed the need for providing additional resources to the FTC in order to ensure the agency is able to perform its mandated duties and effectively protect U.S. consumers from unfair or deceptive acts or practices. The five witnesses agreed that enforcement remains a priority for the FTC and called for comprehensive consumer privacy legislation that would clarify the agency’s authority and the rules relating to data security and breach notification, while fostering competition and innovation to the benefit of consumers. Specifically, FTC Chairman Joseph Simons stated he would support federal data security legislation if it provided the following three items: (i) the ability to seek civil money penalties to effectively deter unlawful conduct; (ii) jurisdiction over nonprofits and common carriers; and (iii) broad rulemaking authority to issue implementing rules under the Administrative Procedures Act for consumer protection issues such as privacy and data security. Commissioner Rohit Chopra also emphasized the need for Congress to support the FTC’s authority under Section 13B of the FTC Act, which authorizes the FTC to seek preliminary and permanent injunctions against companies and individuals.
However, Senator Blumenthal argued that too often the FTC has “fallen short” on protecting consumer privacy, particularly in terms of enforcement and pressing challenges. According to Senator Blumenthal, big tech companies misuse their power and consent orders are not “vigorously and adequately enforced.” He argued that the FTC must have the tools and resources to establish meaningful penalties for first offenses that pose a credible deterrent and recognize state attorneys general to ensure violations are investigated and punished.
Among other things, the hearing also discussed topics addressing: (i) the FTC’s ongoing series of public hearings reexamining the agency’s approach to consumer privacy in light of changing technologies (see previous InfoBytes coverage here); (ii) federal preemption versus state-by-state laws and the risk of inconsistencies and compliance challenges; (iii) the potential use of the FTC’s Section 6B authority, which would allow requests to be sent to the tech industry to understand what data is collected from consumers and how that information is used, shared, and sold; (iv) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; (v) data minimization controls; and (vi) notice and comment rulemaking authority.
Colorado Division of Securities issues cease-and-desist orders against ICOs
On November 20, the Colorado Department of Regulatory Agencies Division of Securities (Division) released a statement announcing four new cease-and-desist orders taken against companies for allegedly selling unregistered securities through initial coin offerings (ICOs) to Colorado consumers. The orders come as a result of investigations conducted by the Division’s ICO Task Force, which was created to investigate potentially fraudulent activity. According to the announcement, the Colorado Securities Commissioner has now signed orders for 18 cases against ICOs, and currently has at least two additional pending orders.
OCC releases recent enforcement actions
On November 15, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include cease and desist orders, civil money penalty orders, formal agreements, prompt corrective action directives, removal/prohibition orders, and terminations of existing enforcement actions. Two notable enforcement actions are discussed below.
On October 25, the OCC issued a consent order against a Louisiana-based bank related to examination findings from 2018 wherein the bank failed to adopt and implement an adequate Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program. Among other conditions, the consent order requires the bank to (i) develop and implement an ongoing BSA/AML risk assessment program; (ii) adopt an independent audit program to conduct a review of the bank’s BSA/AML compliance program; and (iii) submit a written progress report within 30 days after the end of each calendar quarter that details actions undertaken to ensure compliance with the consent order’s provisions. The bank neither admitted nor denied the OCC’s findings and is not required to pay a civil money penalty.
On October 23, the OCC assessed a $100 million civil money penalty against a national bank for alleged deficiencies in the bank’s BSA/AML compliance programs. Specifically, the alleged deficiencies include the failure to comply with a 2015 consent order in a timely manner, which required the bank to, among other things, adopt and implement an adequate BSA/AML compliance program and file timely Suspicious Activity Reports. The consent order acknowledges that the bank has undertaken corrective action to remedy the deficiencies noted by the OCC.
Federal Reserve issues flood insurance enforcement action against Illinois bank
On November 13, the Federal Reserve Board announced an enforcement action against an Illinois state bank for allegedly violating the National Flood Insurance Act (NFIA) and Regulation H, which implements the NFIA. The consent order assesses a $15,000 penalty against the bank, but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty for a pattern or practice of violations under the NFIA is $2,000 per violation.
CFPB issues semi-annual report to Congress
On November 9, the CFPB issued its semi-annual report to Congress, covering the Bureau’s work from October 1, 2017 to March 30, 2018. The report, which is required by the Dodd-Frank Act, addresses, among other things, problems faced by consumers with regard to consumer financial products or services; significant rules and orders adopted by the Bureau; and various supervisory and enforcement actions taken during the majority of acting Director Mick Mulvaney’s tenure. Specifically, the report includes (i) a summary of five “significant” state Attorney General actions pursuant to Section 1042 of the Dodd-Frank Act, which allows states to enforce the federal law; (ii) a review of the Bureau’s fair lending efforts, noting that it “conducted fewer fair lending supervisory events. . .than in the prior period,” but “cleared a substantially higher number of MRAs or MOU items from past supervisory events than in the prior period”; (iii) a discussion of non-prime and secured credit cards marketed to consumers; and (iv) a list of upcoming initiatives, which includes requests for information regarding, among other things, the Bureau’s consumer complaint and consumer inquiry handling processes, the Bureau’s inherited regulations and inherited rulemaking authorities, the Bureau’s adopted regulations and new rulemaking authorities, Bureau rulemaking processes, Bureau public reporting practices of consumer complaint information, Bureau external engagements, the Bureau’s supervision program, and the Bureau’s enforcement processes.
Notably, the report also discusses the budget for FY 2018, acknowledging the unusual January 2018 request for zero dollars in funding for the Bureau’s quarterly operations (previously covered by InfoBytes here). As for FY 2019, Mulvaney most recently requested nearly $173 million for Q1, which is still significantly below former Bureau Director Richard Cordray’s FY 2017 Q1 request of $217 million.