On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach-Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform text recognition scanning on tens of thousands of mortgage documents was adequately securing consumers’ personal data. The FTC’s complaint alleges that the vendor stored the unencrypted contents of these documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. The data contained sensitive personal information, including “names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, or other personal and financial information of borrowers, as well as of family members and others whose information was included in the mortgage application.” According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was accessed approximately 52 times. The FTC claims, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of all of its vendors as required by the Safeguards Rule.
The proposed settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
On October 1, 2020, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 20-33, which extends interim procedures regarding site access issues related to Section 232 mortgage insurance applications during the Covid-19 pandemic (previously covered here and here). The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities effective through December 31, 2020. The letter also provides guidance on other aspects relating to Section 232 properties, including lender underwriter site visits, appraisals, and inspections on new construction, among other things.
HUD issues mortgagee letter extending interim procedures relating to FHA Section 232 approved mortgages
On July 31, 2020, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 2020-25, which extends interim procedures regarding site access issues related to Section 232 mortgage insurance applications during the Covid-19 pandemic (previously covered here). The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities with effective dates within 60 days of the issuance of the mortgagee letter. The letter also provides guidance on other aspects relating to Section 232 properties, including Property Capital Needs Assessments, appraisals, Section 232 Phase 1 Environmental Site Assessments, asbestos surveys, and radon testing, among other things.
On July 20, the FDIC issued a Request for Information (RFI) seeking input on whether a public/private standard-setting partnership and voluntary certification program could be established to (i) promote the efficient and effective adoption of innovative technologies at supervised financial institutions; and (ii) support financial institutions’ efforts to implement innovative models, manage risk, and conduct due diligence of third-party fintech firms. The RFI is being issued as part of the agency’s FDiTech initiative (covered by InfoBytes here), which was established in 2019 to encourage innovation within the banking industry (particularly at community banks), support collaboration for piloting new products and services, eliminate regulatory uncertainty, and manage risks.
The FDIC stated that establishing a standards-setting body, developed by regulators and industry stakeholders, would help promote innovation across the banking sector and streamline the vetting process for fintech partners. The agency noted that a voluntary certification program could assist in standardizing due diligence practices and reduce costs for financial institutions that choose to participate. Additionally, the FDIC emphasized that it “is especially interested in information on models and technology services developed and provided by [fintechs].” Comments are due 60 days after publication in the Federal Register.
On June 29, the OCC released its Semiannual Risk Perspective for Spring 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC focused this report on the financial impacts of the Covid-19 pandemic on the federal banking industry, emphasizing that weak economic conditions stemming from the shutdown will stress financial performances in 2020, and that banks should monitor elevated compliance risks that may occur as a result of their responses to the pandemic, including participating in the Paycheck Protection Program as well as forbearance and deferred payment programs. The report highlighted that the surge in consumer demands, government programs, and the modifications to operations due to remote work and the “short timelines for implementing changes placed additional strains on banks already operating in a stressed environment.” However, the report noted that, “[s]ome banks are leveraging innovative technologies and third parties, including fintech firms, to help manage these challenges,” and that “[b]ank risk management programs should maintain effective controls for third-party due diligence and monitoring and other oversight processes, operational errors, heightened cyber security risks, and potential fraud related to stimulus programs.” The report highlighted several areas of concern for banks, including (i) credit risk increases; (ii) interest rate risk, including risks related to the LIBOR cessation; (iii) operational risks related to banks’ Covid-19 response; (iv) heightened cyber risks; and (v) compliance risks related to Bank Secrecy Act/anti-money laundering laws, consumer compliance, and fair lending.
On June 20, the Federal Reserve Bank of Boston updated FAQs for its Main Street Lending Program (see here, here and here for previous coverage). Among other things, new FAQs address the treatment of applicant debt to third party lenders for purposes of calculating outstanding and undrawn debt, certifications regarding conflicts of interest, and the application of regulatory lending limits imposed on national banks, federal savings associations, and state savings associations to loans issued under the Main Street Lending Program.
HUD issues mortgagee letter extending interim procedures relating to FHA Section 232 approved mortgages
On May 28, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 2020-15 to all FHA Section 232 Approved Mortgagees regarding the extension of interim procedures issued in Mortgagee Letter 20-10 to address site access issues during the Covid-19 pandemic. The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities with effective dates within 60 days of the issuance of the mortgagee letter. The letter also provides guidance on other aspects relating to Section 232 properties, including Property Capital Needs Assessments, appraisals, Section 232 Phase 1 Environmental Site Assessments, asbestos surveys, and radon testing, among other things.
Texas regulator urges credit access businesses to consider emergency measures, extends reporting deadlines
On May 15, the Texas Office of the Consumer Credit Commissioner revised an advisory bulletin to credit access businesses, extending the deadline to file 2020 first quarter reports until May 31, 2020 (previously covered here). The office also encouraged credit access businesses to work with third-party lenders to provide relief to consumers negatively impacted by the Covid-19 pandemic.
On March 24, the Utah governor signed HB 319, which modifies provisions related to consumer lending in the state, including registration, reporting, and operational requirements for deferred deposit lenders. Among other things, the provisions require deferred deposit lenders to provide borrowers at least 30 days’ notice of default before initiating a civil action, allowing a borrower the opportunity to remedy the default. HB 319 also requires deferred deposit lenders seeking to renew a registration to report, for the immediately preceding calendar year, the total number of loans extended, the total dollar amount loaned, the number of borrowers who were extended loans, and the percentage of loans that were not repaid based on the terms of the loan, among other items. HB 319 further allows third party debt collection agencies to charge a “convenience fee” when debtors use a credit or debit card for the transaction of business, provided the convenience fee amount is disclosed prior to being charged and the debtor is given an alternative payment method that does not carry a fee. The amendments take effect 60 days following adjournment of the legislature.
On March 5, the OCC released Bulletin 2020-10, which provides answers to frequently asked questions (FAQs) concerning its existing guidance on management of third-party relationships, including relationships with fintech firms and data aggregators. This bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” rescinds (but incorporates the substance of) OCC Bulletin 2017-21 (covered by InfoBytes here). Key topics addressed in the new FAQs include:
- clarifying the definition of “third-party relationships” and “business arrangements”;
- outlining expectations for banks that have third-party relationships with cloud computing providers or data aggregators;
- addressing a bank’s reliance on and use of third party-provided reports, certificates of compliance, and independent audits;
- discussing risk management when a third party—such as a less established fintech firm, start-up, or other small business—has limited ability to provide the same level of financial information or other due diligence-related information as a more established third party;
- suggesting approaches for due diligence and ongoing monitoring in instances where the bank has limited negotiating power;
- addressing ways banks can offer products or services to underbanked/underserved populations through fintech third-party relationships;
- discussing considerations for banks when entering into a marketplace lending arrangement with a nonbank entity; and
- outlining measures to address risk management when obtaining alternative data from a third party that may be used by or on behalf of a bank.
The bulletin also reiterates that banks are expected “to practice effective risk management regardless of whether the bank performs an activity internally or through a third party,” and that a “bank’s use of third parties does not diminish the bank’s responsibility to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations.”