Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB finalizes nonbank supervisory rule
On November 10, the CFPB announced a final rule finalizing changes to a nonbank supervision procedural rule issued in April. As previously covered by InfoBytes, the Bureau announced earlier this year that it was invoking a “dormant authority” under the Dodd-Frank Act to conduct supervisory examinations of fintech firms and other nonbank financial services providers based upon a determination of risk. Specifically, the Bureau said it intends to use a provision under Section 1024 of Dodd-Frank that allows it to examine nonbank financial entities, upon notice and an opportunity to respond, if it has “reasonable cause” to determine that consumer harm is possible. Concurrently, the Bureau issued a request for public comment on an updated version of a procedural rule that implements its statutory authority to supervise nonbanks “whose activities the CFPB has reasonable cause to determine pose risks to consumers,” including potentially unfair, deceptive, or abusive acts or practices. Provisions outlined in the procedural rule would exempt final decisions and orders by the Bureau director from being considered confidential supervisory information, thus allowing the Bureau to publish the decisions on its website. Subject companies would be given an opportunity seven days after a final decision is issued to provide input on what information, if any, should be publicly released, the Bureau said.
After reviewing public comments received on the procedural rule, the Bureau incorporated certain changes to clarify the standard that the agency will apply when deciding what information is appropriate for public release, in whole or in part. The Bureau explained that information falling within Freedom of Information Act Exemptions 4 and 6 (which protect confidential commercial information and personal privacy) will not be published. Additionally, the Bureau said it may also choose to withhold information if the director determines there is other good cause to do so. The final rule also extends the deadline from seven to ten business days for nonbanks to submit input about what information should be released. The final rule will take effect upon publication in the Federal Register.
Notably, the Bureau emphasized that the “amended procedures only relate to the initial decision to extend supervision to a nonbank entity” and “do not affect the confidentiality of any ensuing supervisory examination or any other aspect of the supervisory process.”
District Court grants SBA’s summary judgment in Covid-19 relief disclosure case
On December 13, the U.S. District Court for the District of Columbia granted summary judgment in a Freedom of Information (FOIA) case in favor of the U.S. Small Business Administration (SBA) (defendant), resolving allegations that the agency improperly withheld loan payment status and tax-identification numbers for recipients of loans under its Paycheck Protection Program (PPP). As previously covered by InfoBytes, national-news organizations filed an action against the SBA seeking disclosure of loan recipient information, after the rejection of their FOIA requests. The court previously ordered the SBA to disclose some information—loan amounts, names, addresses—but later gave the SBA a second chance to argue against disclosure of default status and tax-identification numbers.
According to the most recent opinion, the SBA ultimately satisfied Exemption 4 to FOIA (related to confidential or privileged commercial or financial information) as to the current loan status of the PPP loans by filing declarations from lenders stating that they “customarily and actually treat interim PPP loan status as confidential.” The court also concluded that disclosure would concretely cause harm to an interest protected by the FOIA exemption, accepting the agency’s arguments that identifying a delinquent borrower, even if that status is temporary or ultimately irrelevant, could “negatively impact the borrower’s reputation or creditworthiness, or adversely affect its survivability and growth,” and that “disclosure would cause ‘regulated lenders [to] lose confidence in the agency’s future ability to protect confidential information . . . creat[ing] an incentive not to participate in the agency’s programs.’” Regarding tax-identification numbers, the court accepted the SBA’s assertion that it could not separate Social Security Numbers (SSN) from Employer Identification Numbers (EIN) and only release the EINs. Withholding the identification number data set was therefore permissible under Exemption 6 to FOIA, regarding “unwarranted invasion of personal privacy.” The SBA had attempted to get the help of the IRS and Social Security Administration to differentiate the numbers, but both agencies concluded they could not legally release that information to the SBA.
Chamber of Commerce requests access to FTC privacy-related communications
On November 19, the U.S. Chamber of Commerce sent FOIA requests to the FTC seeking, among other things, communications on consumer data privacy policies the FTC has discussed or considered as ordered by President Biden’s broad July 9 executive order, which tasked the FTC with establishing rules to address concerns about “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.” (Covered by InfoBytes here.) The Chamber is seeking all communications between FTC Chair and Commissioner Lina Khan and former commissioner Rohit Chopra related to the FTC’s Penalty Offense Authority and/or enforcement policy statements addressing privacy-related topics, as well as communications with the Center on Privacy and Technology at Georgetown Law. As previously covered by InfoBytes, the Center’s founder, Alvaro Bedoya, was nominated in September by President Biden to serve as an FTC commissioner. With respect to the requests for records related to the FTC’s Penalty Offense Authority, over the past few months the FTC has issued several warnings using its Penalty Offense Authority related to false money-making claims, misleading online endorsements, and unlawful for-profit education institution practices. (Covered by InfoBytes here, here, and here.) Among other things, the FOIA letters also request all records related to artificial intelligence, including communications between the FTC and the White House Office of Science and Technology Policy and/or the CFPB.
SBA must release PPP and EIDL borrower information by December 1
On November 24, the U.S. District Court for the District of Columbia denied the U.S. Small Business Administration’s (SBA) request for stay and ordered the release of the names, addresses, and precise loan amounts of all Paycheck Protection Program (PPP) and Economic Injury Disaster Loans (EIDL) by December 1. As previously covered by InfoBytes, the court ordered the SBA to supplement their July disclosure and release the “names, addresses, and precise loan amounts of all individuals and entities that obtained PPP and EIDL COVID-related loans by November 19, 2020,” concluding that the SBA’s claimed FOIA exemptions do not cover the requested information disclosures. The SBA moved to stay the order to “preserve [the] SBA’s right to appeal and to avoid irreparable harm to [the] SBA and to privacy and business confidentiality interests of the millions of individuals and businesses….” The court initially granted a temporary stay to review the motion (covered by InfoBytes here). Upon review, the court denied the stay, concluding that staying the disclosure through an appeal “would deprive the public of information critical to an ongoing national debate of considerable importance, as well as basic details surrounding an unprecedented federal relief effort financed by taxpayer dollars.” The SBA must release the supplemental information by December 1, however, the court noted that “nothing in this decision prevents SBA from seeking its desired relief in the Court of Appeals before that date.”
Updated PPP loan data available here.
Court stays PPP and EIDL borrower disclosure
On November 13, the U.S. District Court for the District of Columbia temporarily stayed the U.S. Small Business Administration's (SBA) mandatory release of the names, addresses, and precise loan amounts of all Paycheck Protection Program (PPP) and Economic Injury Disaster Loans (EIDL) borrowers until the court rules on the motion to stay filed by the SBA. As previously covered by InfoBytes, the court ordered the SBA to supplement their July disclosure and release the “names, addresses, and precise loan amounts of all individuals and entities that obtained PPP and EIDL COVID-related loans by November 19, 2020,” concluding that the SBA’s claimed Freedom of Information Act (FOIA) exemptions do not cover the requested information disclosures. The SBA moved to stay the order to “preserve [the] SBA’s right to appeal and to avoid irreparable harm to [the] SBA and to privacy and business confidentiality interests of the millions of individuals and businesses….” The SBA requested the order be stayed until December 7 or pending appeal, if filed by that date. In response, the court issued a minute order, granting a temporary stay until it rules on the motion.
Court orders SBA to release more PPP and EIDL information
On November 5, the U.S. District Court for the District of Columbia ordered the U.S. Small Business Administration (SBA) to release the names, addresses, and precise loan amounts of all Paycheck Protection Program (PPP) and Economic Injury Disaster Loans (EIDL) borrowers. According to the opinion, national-news organizations filed an action against the SBA seeking disclosure of the loan recipient information, after the rejection of their Freedom of Information Act (FOIA) requests. In July, the SBA released the business information of certain PPP loan recipients (covered by InfoBytes here). For any loan over $150,000, the SBA data release included business names, addresses, NAICS codes, zip codes, business type, demographic data, non-profit information, name of lender, jobs supported, and a loan amount range. For loans under $150,000, the SBA withheld the business names and addresses in the release. Additionally, the SBA did not release the names and addresses of sole proprietorships and independent contractors receiving EIDL loans. The parties filed cross-motions for summary judgment as to the propriety of SBA’s withholdings.
The court agreed with the plaintiffs, concluding that the SBA’s claimed FOIA exemptions do not cover the requested information disclosures. Specifically, the court determined that SBA’s invocation of Exemption 4 of FOIA, which “shields from disclosure ‘commercial or financial information obtained from a person and privileged or confidential,’” was not applicable because the SBA did not give borrowers the assurance of privacy. In fact, according to the court, the government explicitly told the borrowers that the information would be disclosed in a form disclaimer. The court further rejected the SBA’s claim of Exemption 6 of FOIA, concluding that the “weighty public interest in disclosure easily overcomes the far narrower privacy interest of borrowers who collectively received billions of taxpayer dollars in loans.” Thus, the court ordered the SBA to supplement the earlier disclosure and release the “names, addresses, and precise loan amounts of all individuals and entities that obtained PPP and EIDL COVID-related loans by November 19, 2020.”
Fed updates FOIA rules for CSI
On July 24, the Federal Reserve Board issued a final rule revising its “Rules Regarding Availability of Information,” to update and clarify the Board’s regulations implementing the Freedom of Information Act (FOIA) and the rules covering the disclosure of confidential supervisory information (CSI). The final rule, among other things, adopts standards consistent with the OCC’s rules, including (i) permitting supervised financial institutions to disclose CSI with their directors, officers, and employees “when necessary or appropriate for business purposes”; (ii) “permitting disclosures to the supervised financial institution’s outside legal counsel and auditors when the disclosures are ‘necessary or appropriate in connection with the provision of legal or auditing services’”; and (iii) “eliminat[ing] the requirement that supervised financial institutions obtain prior [Board] approval to disclose [CSI] to their other service providers, such as consultants, contractors, and contingent workers.” The final rule also updates definitions for expedited processing, clarifies terms, and helps users “more easily navigate the process of filing a FOIA request.” The final rule is effective 30 days after publication in the Federal Register.
CFPB publishes final rule relating to disclosure of confidential records and information
On September 12, the CFPB published a final rule to modify its procedures for the disclosure of records and information. As previously covered in InfoBytes, the notice of proposed rulemaking—published August 2016—sought to amend procedures used to obtain information from the Bureau under the Freedom of Information Act (FOIA), the Privacy Act of 1974, and in legal proceedings. In response to comments on its proposal, the final rule revises the following subparts under section 1070 of title 12 of the Code of Federal Regulations: (i) Subpart A: “procedures related to the certification of authenticity of Bureau records and the service of summonses or complaints on the Bureau”; (ii) Subpart B: practices to provide requesters additional flexibility under FOIA; and (iii) Subpart C: “procedures for requests for information from the Bureau in connection with legal proceedings.” Subpart E, which implements the Privacy Act of 1974, received no comments and has been finalized without modification. The Bureau noted that the final rule does not revise Subpart D, which relates to the “confidential treatment of information obtained from persons in connection with the exercise of its authorities under federal consumer financial law.” The final rule takes effect October 12.
District Court Rules CFPB Violates FOIA in Withholding Documents Produced in Response to CID; Upholds Other CFPB Interpretations of FOIA
On December 14, the U.S. District Court for the District of Columbia ruled that any CFPB policy considering information provided to the CFPB in response to CID requests to have been submitted “voluntarily” and therefore exempt from public disclosure violates the Freedom of Information Act (FOIA). In response to a lawsuit filed by a consumer class action law firm, the court reviewed numerous claims related to the CFPB’s use of FOIA Exemptions. As explained in the opinion, the D.C. Circuit views information provided voluntarily to government entities as “more stringently protected” than compulsory submissions in determining whether materials qualify as “confidential” under FOIA Exemption 4. The court, in granting summary judgment, agreed with the plaintiff in holding that the CFPB had “actual legal authority” to issue the CID and obtain the related materials, and therefore the CFPB cannot treat information produced in response as having been disclosed voluntarily. In addressing other claims, however, the court agreed with the CFPB that documents it relied upon to identify wrongful collection lawsuits were exempt from public disclosure under FOIA Exemption 7(E), which protects “records or information compiled for law enforcement purposes,” and that CFPB attorney notes from a settlement conversation were exempt under FOIA Exemption 5, which protects intra-agency memoranda and has been interpreted to protect attorney work product. The court also supported the CFPB’s policy treating debt collectors and debt buyers as financial institutions as consistent with FOIA Exemption 8 related to financial institution information, finding that debt collectors “as a link in the credit-management chain” fit comfortably within the “inherently broad” term financial institutions.
Federal Reserve Updates Requirements for Processing FOIA Requests
On October 19, the Federal Reserve Board finalized amendments to regulations for the processing of Freedom of Information Act (FOIA) requests by the Board. The amendments (i) “clarify and update procedures for requesting information from the Federal Reserve Board”; (ii) “extend the deadline for administrative appeals”; and (iii) “add information on dispute resolution services.”
The Board published the final rule in the Federal Register on October 25; the rule will become effective on November 24 of this year.