
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS launches online registration form for credit reporting agencies to comply with new regulation

    State Issues

    On August 22, the New York Department of Financial Services (NYDFS) announced an online registration form for credit reporting agencies (CRAs) to comply with the state’s final regulation that requires CRAs with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity regulation. (As previously covered by InfoBytes, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS.) Registration must be complete by September 15 of this year and by February 1 of each successive year for the calendar year thereafter. Under the new regulation, CRAs are also required to comply with New York’s cybersecurity requirements by November 1, which require, among other things, that covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Continuing InfoBytes coverage on NYDFS’ cybersecurity regulation available here.)

    State Issues NYDFS Credit Reporting Agency Privacy/Cyber Risk & Data Security

  • 11th Circuit: No FCRA violation for reporting as delinquent during forbearance plan

    Courts

    On June 27, the U.S. Court of Appeals for the 11th Circuit affirmed summary judgment for a mortgage servicer, concluding that reporting the consumer as delinquent to credit bureaus during a forbearance plan is neither inaccurate nor materially misleading under the Fair Credit Reporting Act (FCRA). According to the opinion, a borrower enrolled in a forbearance plan with her mortgage servicer, which allowed for a “monthly forbearance plan payment” of $25 while the remaining payment balance accrued and became due at the end of the plan. Before the borrower agreed to the plan, a representative for the servicer explained to the borrower that because she was not paying the actual contractual payment under the note, the monthly payments would still be considered late. The mortgage servicer reported the borrower past due for the duration of the plan, and the borrower subsequently filed suit alleging violations of the FCRA. In affirming the lower court’s decision, the appeals court found that while the borrower made timely payments under the forbearance plan, the payments were not the ones she was contractually bound to make under the mortgage note. Additionally, the appeals court found that the borrower did not establish that the forbearance plan legally modified the original note and, therefore, the information the servicer reported to the credit bureaus was not inaccurate and was also not materially misleading “particularly in light of [the servicer’s] additional affirmative statement that [the borrower] was paying under a partial payment agreement.”

    Courts Appellate Eleventh Circuit Mortgage Servicing Credit Reporting Agency

  • New York regulation requires all credit reporting agencies to register with NYDFS

    State Issues

    On June 25, the New York governor announced the issuance by the New York Department of Financial Services (NYDFS) of a final regulation that requires consumer credit reporting agencies (CRAs) with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity standard. Specifically, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS, beginning on or before September 1, 2018 for 2017 reporting, and by February 1 for every year thereafter. Among other things, the regulation also (i) authorizes the NYDFS superintendent to refuse to renew a CRA’s registration for various reasons, including if the applicant or affiliate of the applicant fails to comply with the cybersecurity regulations; (ii) subjects the CRAs to examination by NYDFS at the superintendent’s discretion; and (iii) prohibits CRAs from engaging in any “unfair, deceptive, or predatory act or practice toward any consumer,” to the extent not preempted by federal law. Additionally, beginning on November 1, the regulation requires every CRA to comply with NYDFS’ cybersecurity regulation, which requires, among other things, that covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Recent InfoBytes coverage on NYDFS’ cybersecurity regulation available here and here.)

    According to Governor Cuomo, the oversight of CRAs will help to ensure New York consumers’ information is less vulnerable to the threat of cyber-attacks, stating, “[a]s the federal government weakens consumer protections, New York is strengthening them with these new standards.”

    State Issues NYDFS Credit Reporting Agency Privacy/Cyber Risk & Data Security

  • Rhode Island and New Hampshire prohibit security freeze fees

    Privacy, Cyber Risk & Data Security

    On June 14, the governor of Rhode Island signed S2562, which prohibits consumer reporting agencies from charging a fee for security freeze services, including the placement, removal, or temporary lifting of a security freeze for a consumer. The law also prohibits the charging of a fee in connection with issuing or reissuing a personal identification number that is used by a consumer to authorize the use of his or her credit or to remove the freeze. Previously, Rhode Island allowed credit reporting agencies to charge a fee of up to $10 for security freeze services and $5 for reissuances of personal identification numbers, although customers were entitled to a free initial reissuance of their personal identification numbers. The law is effective September 1.

    Similarly, on June 8, the governor of New Hampshire signed HB1700, which prohibits a consumer reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also prohibits a consumer reporting agency from charging a fee to issue or replace a consumer’s personal identification number used in connection with the security freeze. The law requires consumer reporting agencies to place the freeze within three business days after receiving a consumer request if the consumer makes the request via mail, and within 24 hours after receiving a consumer request if it is made electronically or by telephone. The law is effective January 1, 2019.

    Privacy/Cyber Risk & Data Security Security Freeze State Issues State Legislation Credit Reporting Agency

  • House passes bill allowing for reporting of rental, telecom, and utility payments to CRAs

    Federal Issues

    On June 25, the House passed H.R. 435, the “Credit Access and Inclusion Act of 2017.” The bill would amend the Fair Credit Reporting Act to include a section allowing a person or the Department of Housing and Urban Development to furnish information to credit reporting agencies relating to the payment performance of a residential lease agreement, contract for a utility, or contract for a telecommunications service. The bill does not allow an energy utility to furnish information related to the usage of utility services or information related to an outstanding consumer balance if the consumer has entered into a payment plan and is meeting the obligations of the payment plan. Civil liability for violations of the Consumer Credit Protection Act does not apply to violations of the bill.

    Federal Issues Credit Reporting Agency Information Furnisher FCRA U.S. House Federal Legislation HUD

  • Illinois, Connecticut, and Hawaii pass security freeze legislation

    Privacy, Cyber Risk & Data Security

    On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately. The act also permits a consumer to request a security freeze by phone or electronic means, in addition to a request in writing.

    This followed a similar action by the Connecticut governor, who on June 4 signed SB 472 to prohibit CRAs from charging a fee to consumers to place, remove, or temporarily lift a security freeze on a consumer's account. The legislation also, among other things, (i) prohibits CRAs from—as a condition of placing the freeze—requiring that consumers agree to limit their claims against the agency; (ii) increases the length of time that identity theft prevention and mitigation services must be provided to a consumer after a security breach from 12 to 24 months; and (iii) provides that the banking commissioner will adopt regulations that require CRAs to provide it with “dedicated points of contact” to allow the Department of Banking to assist consumers when a data breach occurs. The act takes effect October 1.

    On June 6, the Hawaii governor signed HB 2342 to enhance protection of consumer information by expanding the methods consumers may use to request security freezes, and by prohibiting credit reporting agencies (CRAs) from charging consumers a fee to place, remove, or temporarily lift a security freeze on a consumer's credit report or records. Among other things, the act now permits a consumer or a “protected consumer’s representative” to request a security freeze via first-class mail, a telephone call, or through a CRA’s designated secure website, and also preserves the CRA’s ability to lift a security freeze when the freeze was executed due to material misrepresentation by the consumer. When lifting a security freeze, CRAs are required to send written confirmation to the affected consumer within five business days. The act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach Credit Reporting Agency

  • 9th Circuit affirms credit reporting agency’s code data did not violate the FCRA

    Courts

    On May 29, the U.S. Court of Appeals for the 9th Circuit affirmed summary judgment for a national credit reporting agency, holding that the company did not violate the Fair Credit Reporting Act (FCRA) in its reporting of short sales executed by the plaintiffs. The decision results from a proposed class action suit alleging that the credit reporting agency violated the FCRA by reporting short sales executed between 2010 and 2011 with code numbers that misreported the data as foreclosures. In September 2016, the lower court found that the credit reporting agency provided creditors with clear instructions on how to interpret the code system and Fannie Mae’s Desktop Underwriter program misinterpreted the “settled” code number “9” as a foreclosure, which was not the credit reporting agency’s fault. In affirming the lower court’s decision, the 9th Circuit held that the credit reporting agency “clearly and accurately disclosed to [consumers] all information that [the company] recorded and retained that might be reflected in a consumer report.” Additionally, the panel noted that the credit reporting agency was not required to report that Fannie Mae mishandled the code data when it became aware of it.

    Courts Ninth Circuit FCRA Credit Reporting Agency Short Sale Foreclosure Fannie Mae Appellate

  • Minnesota prohibits security freeze fees, authorizes security freezes for protected persons

    State Issues

    On May 19, the Minnesota governor signed HF1243, which, effective immediately, prohibits credit reporting agencies from charging a fee for the placement, removal, or temporary lift of a security freeze. The law previously allowed for a fee of $5.00. Additionally, effective January 1, 2019, the law authorizes the placement of a security freeze for a protected person – defined by the law as an individual under the age of 16 – if a consumer reporting agency receives a request by the protected person’s representative and certain authentication standards are met. The law also outlines the requirements for removing a security freeze for a protected person.

    State Issues Credit Reporting Agency Security Freeze State Legislation Privacy/Cyber Risk & Data Security

  • Maryland and Georgia prohibit security freeze fees

    State Issues

    On May 15, the Maryland governor signed SB 202, which prohibits consumer reporting agencies from charging consumers, or protected consumers’ representatives, a fee for the placement, removal, or temporary lift of a security freeze. Previously, Maryland allowed for a fee, in most circumstances, of up to $5.00 for each placement, temporary lift, or removal. The law takes effect October 1.

    On May 3, the Georgia governor signed SB 376, which amends Georgia law to prohibit consumer reporting agencies from charging a fee for placing or removing a security freeze on a consumer’s account. Previously, Georgia law allowed for a fee of no more than $3.00 for each security freeze placement, removal, or temporary lift, unless the consumer was a victim of identity theft or over 65 years old. Under SB 376, consumer reporting agencies may not charge a fee to any consumer at any time for the placement or removal of a security freeze. This law takes effect July 1.

    State Issues State Legislation Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

  • Maryland expands authority over credit reporting agencies

    State Issues

    On May 8, Maryland governor Larry Hogan signed HB848, which expands Maryland’s authority over Credit Reporting Agencies (CRAs) by requiring CRAs to develop a secure system to process electronic requests for placing, lifting, or removing a security freeze. Additionally, the law expands the definition of “protected consumer” for purposes of free security freezes to include persons age 85 or older, certain members of the military, and incarcerated individuals. The law also (i) codifies an existing requirement that CRAs register with the Office of the Commissioner of Financial Regulation (OCFR); (ii) allows the OCFR to investigate written consumer complaints against CRAs; and (iii) increases the maximum civil monetary penalty to $1,000 for the first violation and $2,500 for each subsequent violation. The law is effective October 1.

    State Issues Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security
