On February 10, Federal Reserve (Fed) Governor Michelle W. Bowman spoke before the Conference for Community Bankers on the interaction between innovation and regulation for community banks. In discussing her “vision for creating pathways to responsible community bank innovation,” Bowman identified particular challenges facing smaller banks when identifying and integrating new technologies and offered suggestions for ways the Fed can assist these banks in managing relationships with third-party service providers. Acknowledging that responsible innovation requires community banks to identify goals and pinpoint products and services to implement their strategies, Bowman recognized that compliance costs can create an outsized and undue burden on smaller banks and stated that federal regulations should be tailored to bank size, risk, and complexity. Among other things, Bowman stated that the Fed could align its third-party service provider guidance with the OCC and other banking agencies to provide uniform standards to banks. “It is incredibly inefficient to have banks and their potential fintech partners and other vendors try to navigate unnecessary differences and inconsistencies in guidance across agencies,” Bowman noted. Regulators and supervisors have a role in easing the burden for community banks, she added, noting that third-party guidance should allow banks to conduct shared due diligence on potential partners and pool resources to avoid duplicating work. In addition, Bowman commented that the Fed could help banks make this choice by publishing a list of service providers subject to regulatory supervision and increasing transparency around “who and what” the Fed evaluates. Bowman further stated that any guidance should also explain what due diligence looks like for potential fintech partners, since standards applied to other third parties may not be universally applicable. 
Giving community banks a better vision of what success in due diligence looks like, Bowman stated, will require releasing more information on its necessary elements.
Bowman also highlighted the Fed’s upcoming fintech innovation office hours, as well as the Fed’s recently launched fintech website section (both covered by InfoBytes here), which are designed to help provide access to Fed staff, highlight supervisory observations regarding fintech, provide a hub of information for interested stakeholders on innovation-related matters, and deliver practical tips for banks and other companies interested in engaging in fintech activity.
On January 16, the U.S. District Court for the Eastern District of Michigan denied a publishing company’s motion to dismiss putative class allegations that it disclosed subscribers’ personal information to third parties, ruling that the subscribers did not need to live in Michigan in order to bring claims under the state’s Personal Privacy Protection Act (PPPA). According to the plaintiff, the company allegedly disclosed magazine subscribers’ personal reading information (PRI) to data aggregators that would then supplement it with additional information (including age, gender, income, and employer names) in order to create detailed customer profiles. The company then allowed “almost any organization to rent a customer list containing numerous categories of detailed customer information,” the plaintiff alleged. The company argued, however, that the plaintiff, who resides in Virginia, lacked standing to bring claims under the PPPA because the law protects only Michigan residents. The company also contended that the plaintiff failed to demonstrate concrete injury suffered as a result of the company’s alleged disclosure of PRI to third parties without consent.
The court disagreed with both arguments, stating that the company’s argument “rests solely on the fact that a non-Michigan resident has never brought suit under the PPPA,” which is “unpersuasive and contravened by the language of the statute and case law.” The PPPA does not impose a residency requirement in order for customers to qualify for protections under the statute, the court stated, noting that “[i]f the Michigan legislature intended to limit the statute to Michigan residents, it could have done so explicitly.” Among other things, the court also concluded that the plaintiff satisfied the injury-in-fact element for Article III standing because “the alleged economic harm caused by the disclosure of PRI provides support to conclude [the plaintiff] suffered a concrete injury.”
On December 9, the OCC released its Semiannual Risk Perspective for Fall 2019, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations, including credit, operational, and interest rate risks. While the OCC commented that “bank financial performance is sound,” it also advised that “[b]anks should prepare for a cyclical change while credit performance is strong,” emphasizing that “[c]redit risk has accumulated in many portfolios.” The OCC also highlighted that competition with nonbank mortgage and commercial lending could pose a risk as well.
Specific areas of concern that the OCC described include: elevation of operational risk as advances in technology and innovation in core banking systems result in a changing and increasingly complex operating environment; increased use of third-party service providers that contribute to continued threats of fraud; need for prudent credit risk management practices that include “identifying borrowers that are most vulnerable to reduced cash flows from slower than anticipated economic growth”; “volatility in market rates [leading] to increasing levels of interest rate risk”; LIBOR’s anticipated cessation and whether banks have started to determine the potential impact of cessation and develop risk management strategies; and strategic risks facing banks as non-depository financial institutions (NDFI) use evolving technology and expand data analysis abilities (the OCC commented that NDFIs “are strong competitors to bank lending models”). The OCC also noted that there is increased interest from banks in sharing utilities with NDFIs to implement Bank Secrecy Act/anti-money laundering compliance programs and sanctions processes and controls.
On October 18, the U.S. District Court for the District of Columbia denied defendants’ request to enforce a modified Civil Investigative Demand (CID) and prevent the CFPB from obtaining personal information about the defendants’ clients via CIDs to third parties. In August 2017, the CFPB issued a CID to the defendants requesting various documents and information. The defendants challenged the scope of the original CID and, following mediation, the parties stipulated to a modified CID that no longer sought personal information of the defendants’ clients who obtained products or services related to immigration bonds. The CFPB subsequently issued third party CIDs and requested the personal information of the defendants’ clients from certain other parties. In March 2019, the defendants moved to enforce the modified CID, claiming that the CFPB “reneged on its stipulation and [acted] in bad faith” by seeking this personal information from third parties. The court, however, denied the defendants’ request to enforce the modified CID, ruling that “the modified CID makes no mention of CIDs issued to other parties,” and that the parties’ stipulation did not “preclude the CFPB from acquiring any type of information from third parties.” The court also explained that it was unclear whether the defendants had standing to contest the CFPB’s CID to a third party, noting that the defendants failed to state how they would suffer an injury if the pertinent information was disclosed by a third party.
On July 18, the CFPB released a report providing an overview of third-party debt collection tradelines from 2004 to 2018, which the Bureau segmented into two parts: debt buyer tradelines and non-buyer debt collections tradelines. The CFPB’s report, “Market Snapshot: Third-Party Debt Collections Tradeline Reporting,” is based on a nationally representative sample of approximately 5 million credit records from one of the three major credit bureaus. According to the report, as of the second quarter of 2018, more than one in four consumers in the sample have at least one debt in collection by third-party debt collectors. Additionally, fewer than 900 unique furnishers of third-party collections tradelines nationwide reported unpaid debts for consumers in the sample, according to the Bureau—a decrease from the 2,294 collectors reported back in 2004. The report also notes that in the second quarter of 2018, the top four debt buyers account for 90 percent of all debt buyer tradelines for consumers in the sample, while the top four non-buyers, by comparison, accounted for just 13 percent of reported tradelines. Furthermore, in the second quarter of 2018, 3 out of 4 of all reported tradelines in the sample from non-buyers were for non-financial debt, such as medical, telecommunications, or utilities debt. Buyers, in contrast, were more likely to report unpaid financial, retail, or banking debts.
On May 24, the Oregon Governor signed SB 684, which amends the state’s data breach notification provisions related to third-party vendors. Among other provisions, the amendments require vendors that are contracted to maintain or access personal information on behalf of a covered entity to (i) notify the covered entity “as soon as is practicable but not later than 10 days” after discovering a security breach or believing a breach has occurred; and (ii) notify the state Attorney General if a security breach involves personal information of more than 250 consumers, or an undetermined amount of consumers, provided that the covered entity has not already done so. SB 684 also updates the definition of personal information to include usernames in combination with other authentication factors used to access a consumer’s account, and establishes that a covered entity or vendor may “affirmatively defend” against allegations it has not adequately safeguarded personal information by showing that it maintained reasonable security measures for protecting personal information in compliance with HIPAA or the Gramm-Leach-Bliley Act, as applicable. The amendments take effect January 1, 2020.
On March 30, the U.S. District Court for the District of Oregon granted a group of car dealerships’ (defendants) summary judgment motion in a putative class action involving claims that the dealerships violated Oregon’s Unlawful Trade Practices Act (UTPA) as well as the state’s financial elder-abuse law. The plaintiffs, who all purchased vehicles along with other goods or services from one or more of the defendants, asserted that the defendants failed to “appropriately disclose [their] specific fees associated with arrangement of financing or the profit margins related to the sale of third-party products and services.” By failing to comply with these disclosure requirements, the plaintiffs alleged, the defendants “wrongfully appropriated money from elderly persons.” Concerning the alleged violations of UTPA, the defendants argued that the statute’s section titled “Undisclosed Fee Payments” only applies to referral fees greater than $100 paid to non-employee third parties and not to other payments made by a dealership to a third party. The court agreed and stated that the defendants’ position was further supported by the state’s official commentary. With regard to the plaintiffs’ other claim concerning deficiencies in the disclosures, the court concluded that “strict recitation of the statute is not required to meet the clear and conspicuous standard,” and that the disclosures in question were clearly visible and easy to understand. Finally, the court granted summary dismissal on the plaintiffs’ claim of elder abuse because the claim was premised on the alleged violations of UTPA, which were dismissed.
On February 15, HUD released Mortgagee Letter 2019-01, which provides guidance on the use of third-party verification (TPV) services for FHA-insured mortgages. Effective immediately, FHA now allows mortgagees to use TPV services for verification of a borrower’s employment, income, and asset information. The Letter provides specific requirements for each category of information but, in all circumstances, a borrower must authorize the mortgagee’s use of a TPV vendor for the verification (whether direct or electronic).
On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services institutions regulated by NYDFS are required to implement a cybersecurity program to protect consumer data. The last step in the implementation timeline requires covered entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such third parties. NYDFS also reminded regulated entities that the deadline to file their second certification of compliance via NYDFS’ cybersecurity portal is February 15.
Previous InfoBytes coverage on NYDFS’ cybersecurity regulation is available here.
7th Circuit affirms summary judgment for repossession company, holds property-retrieval fee is not subject to FDCPA
On October 31, the U.S. Court of Appeals for the 7th Circuit affirmed summary judgment for a third-party repossession company and an auto lender, holding that a fee that the repossession company required to process personal items left in a repossessed car did not constitute an impermissible demand for repayment under the FDCPA. According to the opinion, after a consumer fell behind on her auto payments, the third-party company repossessed her vehicle on behalf of the auto lender. The repossession company, according to the consumer, demanded a $100 payment in order to retrieve personal property she had left in the car. The consumer sued the company and the lender arguing that the retrieval fee was an impermissible debt collection in violation of the FDCPA. In response, the repossession company and the lender moved for summary judgment, arguing that the fee was an administrative handling fee that the lender had agreed to pay to the repossession company—not a fee assessed to the consumer. The lower court agreed.
On appeal, the 7th Circuit determined that the documentary evidence showed that the $100 fee was an administrative fee that the lender agreed to pay to the repossession company, stating “[t]here is no way on this record to view the handling fee as some sort of masked demand for principal payment to [the lender].” The appellate court concluded the consumer did not establish a genuine issue of fact as to whether the repossession company demanded the $100 payment on behalf of the lender and, therefore, affirmed summary judgment in favor of the repossession company and the lender.