On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated an opinion in Hunstein v. Preferred Collection & Management Services, ordering an en banc rehearing of the case. The order vacates an 11th Circuit decision to revive claims that the defendant’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated privacy rights established in the FDCPA. As previously covered by InfoBytes, in April, the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” According to the order issued sua sponte by the 11th Circuit, an en banc panel of appellate judges will convene at a later date to rehear the case.
On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to timely notify its primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place. The final rule notes that notification is required for incidents that have affected, in certain circumstances: (i) the viability of a banking organization’s operations; (ii) its ability to deliver banking products and services; or (iii) the stability of the financial sector. Additionally, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s customers for four or more hours. The final rule further provides that the notification requirement for bank service providers is important since “banking organizations have become increasingly reliant on third parties to provide essential services,” which may also experience computer-security incidents that could affect the support services they provide to banking organization customers, along with other significant impacts. The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.
On October 29, NYDFS issued draft proposed amendments to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. Among other things, the proposed amendments:
- Define “communication” as “the conveying of information regarding a debt directly or indirectly to any person through any medium.”
- Amend the definition of a “debt collector” to include “as any creditor that, in collecting its own debts, uses any name other than its own that would suggest or indicate that someone other than such creditor is collecting or attempting to collect such debts.”
- Require collectors to clearly and conspicuously send written notification within five days after an initial communication with a consumer letting the consumer know specific information about the debt, including (i) the name of the creditor to which the debt was originally owed or alleged to be owed; (ii) account information associated with the debt; (iii) merchant/affinity/facility brand association; (iv) the name of the creditor to which the debt is currently owed; (v) the date of alleged default; (vi) the date the last payment (including any partial payment) was made; (vii) the statute of limitations, if applicable; (viii) an itemized accounting of the debt, including the amount currently due; and (ix) notice that the consumer “has the right to dispute the validity of the debt, in part or in whole, including instructions for how to dispute the validity of the debt.”
- State that disclosures may not be sent exclusively through an electronic communication, and that a formal pleading in a civil action shall not be treated as an initial communication.
- Prohibit collectors from communicating by telephone or other means of oral communication when attempting to collect on debts for which the statute of limitations has expired.
- Require collectors to provide consumers with written substantiation of a debt within 30 days of receiving a written request via mail (consumers who consent to receiving electronic communications must still receive substantiation via mail).
- Limit collectors to three contact attempts via telephone in a seven-day period. Only one conversation with a consumer is permitted unless a consumer requests to be contacted.
- Permit collectors to communicate with consumers through electronic channels only if the consumer has voluntarily provided consent directly to the debt collector.
Comments on the proposal are due November 8.
11th Circuit’s new opinion says plaintiff still has standing to sue in outsourced debt collection letter action
On October 28, the U.S. Court of Appeals for the Eleventh Circuit issued a split opinion in Hunstein v. Preferred Collection & Management Services, vacating its April 21 decision but still finding that the plaintiff had standing to sue. As previously covered by InfoBytes, last April the 11th Circuit reviewed the district court’s dismissal of plaintiff’s claims that the disclosure of medical debt to a mail vendor violated the FDCPA’s third-party disclosure provisions. The 11th Circuit originally held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” At the time, the appellate court determined that communicating debt-related personal information with the third-party mail vendor is a concrete injury under Article III. Even though the plaintiff did not allege a tangible injury, the appellate court held, in a matter of first impression, that under the circumstances, the plaintiff alleged a communication “in connection with the collection of any debt” within the meaning of § 1692c(b).
In its most recent opinion, the majority wrote that it was vacating its prior opinion “[u]pon consideration of the petition for rehearing, the amicus curiae briefs submitted in support of that petition, and the Supreme Court’s intervening decision in TransUnion LLC v. Ramirez.” The appellate court first re-examined whether the plaintiff had standing to sue. Among other things, the majority held that while the plaintiff cannot demonstrate “a risk of real harm,” he was able to show standing “through an intangible injury resulting from a statutory violation.” Further, the majority determined that TransUnion reaffirmed its conclusion that the plaintiff “alleged a harm that bears a close relationship to a harm that has traditionally been recognized in American courts.” (In TransUnion, the Court concluded, among other things, that “[i]n looking to whether a plaintiff’s asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts, we do not require an exact duplicate.”) The majority further concluded that Congress’s judgment also favors the plaintiff because Congress indicated that violations of § 1692c(b) constitute a concrete injury.
The appellate court next considered the merits of the case, with the majority concluding that the plaintiff adequately stated a claim that the transmittal of personal debt-related information to the vendor constituted a communication within the meaning of § 1692c(b)’s phrase “in communication with the collection of the debt.”
Judge Tjoflat dissented, arguing that the April decision was issued before TransUnion, and following the Supreme Court’s reasoning, the plaintiff did not have standing because he did not suffer a concrete injury, and that there is an important difference between a plaintiff’s statutory cause of action to sue over a violation of federal law and “a plaintiff’s suffering concrete harm because of the defendant’s violation of federal law.” Judge Tjoflat further added that a “simple transmission of information along a chain that involves one extra link because a company uses a mail vendor to send out the letters about debt is not a harm at which Congress was aiming.”
On October 18, consumer advocates and several state attorneys general and financial regulators responded to a request for comments issued by the OCC, Federal Reserve Board, and the FDIC on proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. (See letters here and here.) As previously covered by InfoBytes, the proposed guidance addressed key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Consumer advocates and the states, however, expressed concerns that the agencies’ proposed guidance does not “highlight the significant risks associated with high-cost lending involving third-party relationships,” and does not include measures to prevent banks from entering into nonbank lending partnerships (e.g. “rent-a-bank schemes”).
According to the consumer advocates’ letter, the agencies’ guidance “should unequivocally declare that it is inappropriate for a bank to rent out its charter to enable attempted avoidance of state consumer protection laws, in particular interest rate and fee caps, or state oversight through licensing regimes.” The consumer advocates stated that they are aware of six FDIC-supervised banks involved in rent-a-bank schemes with nonbank lenders making allegedly illegal high-cost loans, and urged the FDIC to take immediate, “overdue” action to put an end to them. Among other things, the consumer advocates said the new guidance should explicitly specify: (i) that a bank’s involvement in lending that exceeds state interest rate limits with a nonbank is a “critical activity”; (ii) that lending partnerships involving loans exceeding a fee-inclusive 36 percent annual percentage rate (APR) “pose especially high risks”; and (iii) that in instances where a loan exceeds the Military Lending Act’s 36 percent APR, the federal banking supervisor will directly examine the third-party partner and charge the bank for the cost of the examination.
The states wrote in their letter that “experience teaches us that, in the absence of an explicit disavowal of rent-a-bank schemes, the [p]roposed [g]uidance invites continued abuse of banks’ interest exportation rights, to the considerable detriment of state regulation, consumer protection, and banks’ safety and soundness.” The states strongly encouraged the agencies to “explicitly disavow rent-a-bank schemes.”
On October 19, the Financial Stability Board (FSB) released a report calling for a convergence in the reporting of cyber incidents given the digitalization of financial services and the growing use of third-party service providers. According to FSB’s report, Cyber Incident Reporting: Existing Approaches and Next Steps for Broader Convergence, financial institutions operating across borders or sectors are subjected to multiple reporting requirements for one cyber incident. Pointing out that “fragmentation exists across sectors and jurisdictions in the scope of what should be reported for a cyber incident; methodologies to measure severity and impact of an incident; timeframes for reporting cyber incidents; and how cyber incident information is used,” FSB cautioned that the lack of a common method for reporting cyber incidents “could undermine a financial institution's response and recovery actions.” FSB also warned that the dissemination of “heterogeneous information” concerning a cyber incident “underscores a need to address constraints in information-sharing among financial authorities and financial institutions.” Harmonizing regulatory reporting would promote financial stability by ensuring there is a common method for monitoring cyberattacks in the sector, supporting effective supervision of cyber-risks at financial institutions, and helping authorities share information between jurisdictions. FSB stated it plans to create a detailed plan by the end of the year to (i) develop best practices for authorities to consider when developing their cyber incident reporting regime; (ii) identify key types of information that should be shared across the financial sector; and (iii) create a common terminology for cyber-incident reporting.
On October 15, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2022. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) credit risk management, including allowances for loan and lease losses and credit losses; (iii) cybersecurity and operational resiliency; (iv) third-party oversight; (v) Bank Secrecy Act/anti-money laundering compliance; (vi) consumer compliance management systems and fair lending risk assessments; (vii) Community Reinvestment Act performance; (viii) LIBOR phase-out preparations; (ix) payment systems products and services; (x) fintech partnerships involving potential cryptocurrency-related activities and other services; and (xi) climate-change risk management. The plan will be used by OCC staff members to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and technology service providers.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered.
On October 12, the U.S. District Court for the Northern District of Illinois granted plaintiff’s motion to remand a debt collection class action lawsuit back to state court. The plaintiff claimed the defendants violated the Illinois Collection Agency Act and FDCPA Section 1692c(b) by using a third-party mailing vendor to print and mail collection letters to class members. According to the plaintiff’s complaint filed in state court, conveying the information to the vendor—an allegedly unauthorized party—served as a communication under the FDCPA. The defendants removed the case to federal court, but on review, the court determined the plaintiff did not have Article III standing to sue because Congress did not intend to prevent debt collectors from using mail vendors when the FDCPA was enacted. Specifically, the court disagreed with the U.S. Court of Appeals for the Eleventh Circuit’s decision in Hunstein v. Preferred Collection & Management Services, which held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” (Covered by InfoBytes here.) In this case, the court stated it “is difficult to imagine Congress intended for the FDCPA to extend so far as to prevent debt collectors from enlisting the assistance of mailing vendors to perform ministerial duties, such as printing and stuffing the debt collectors’ letters, in effectuating the task entrusted to them by the creditors—especially when so much of the process is presumably automated in this day and age.” According to the court, “such a scenario runs afoul of the FDCPA’s intended purpose to prevent debt collectors from utilizing truly offensive means to collect a debt.”
On September 10, the OCC, Federal Reserve Board, and FDIC extended the comment period on the regulators’ proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. The deadline has been extended to October 18 and interested parties may submit comments until the deadline.
As previously covered by InfoBytes, the proposed guidance addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Coupled with the release of a Federal Reserve Board paper describing community bank and fintech partnerships, as well as interagency guidance to help community banks evaluate fintech relationships (covered by InfoBytes here), the federal bank regulators are demonstrating continued and increased focus on third-party risk management issues.
On September 9, the Federal Reserve Board published a paper describing the landscape of community banks and fintech partnerships. The paper, Community Bank Access to Innovation through Partnerships, is not guidance but is intended to promote and support “responsible innovation” through access to and understanding of financial technology, as well as appropriate third-party risk management and compliance guardrails. The paper follows interagency guidance released last month by the Fed, OCC, and FDIC, which addressed several key due diligence topics for community banks considering relationships with prospective fintech companies, as well as interagency proposed guidance on third party risk management—signals of the regulators’ continued and increased focus on third-party relationships. (Covered by InfoBytes here and here.) The paper provides anecdotal observations shared with the Fed by outreach participants and discusses the benefits and risks of different broad partnership types (operational technology partnerships, customer-oriented partnerships, and front-end fintech partnerships), and key considerations for engaging in such partnerships. According to the report, outreach participants presented a general belief that “fintech partnerships were most effective when three elements were present: a commitment to innovation across the community bank; alignment of priorities and objectives of the community bank and its fintech partner; and a thoughtful approach to establishing technical connections between key parties, including the bank, fintech, and the bank’s core services provider.”