InfoBytes Blog

Financial Services Law Insights and Observations

  • Fed describes landscape of community banks and fintech partnerships

    Federal Issues

    On September 9, the Federal Reserve Board published a paper describing the landscape of community banks and fintech partnerships. The paper, Community Bank Access to Innovation through Partnerships, is not guidance but is intended to promote and support “responsible innovation” through access to and understanding of financial technology, as well as appropriate third-party risk management and compliance guardrails. The paper follows interagency guidance released last month by the Fed, OCC, and FDIC, which addressed several key due diligence topics for community banks considering relationships with prospective fintech companies, as well as interagency proposed guidance on third-party risk management, both signals of the regulators’ continued and increased focus on third-party relationships. (Covered by InfoBytes here and here.) The paper provides anecdotal observations shared with the Fed by outreach participants and discusses the benefits and risks of different broad partnership types (operational technology partnerships, customer-oriented partnerships, and front-end fintech partnerships), and key considerations for engaging in such partnerships. According to the report, outreach participants presented a general belief that “fintech partnerships were most effective when three elements were present: a commitment to innovation across the community bank; alignment of priorities and objectives of the community bank and its fintech partner; and a thoughtful approach to establishing technical connections between key parties, including the bank, fintech, and the bank’s core services provider.”

    Federal Issues Federal Reserve Community Banks Fintech Third-Party Risk Management FDIC OCC Bank Regulatory

  • District Court rules in defendants’ favor regarding third-party disclosure

    Courts

    On August 25, the U.S. District Court for the Eastern District of Missouri granted a motion for judgment on the pleadings in favor of a defendant debt collector over a plaintiff alleging FDCPA violations. The plaintiff, a bankruptcy attorney who represents consumers in connection with discharging their debts, received a letter from defendant that disclosed a debt for a consumer he did not represent and has never represented. The plaintiff sued under the FDCPA, claiming that the defendant, among other things, engaged in abusive, deceptive, and unfair debt collection practices when defendant disclosed the existence of this third-party debt to the plaintiff by contacting him via letter. The plaintiff alleged that he was injured and suffered damages “due to the time Plaintiff had to spend trying to learn why he was being contacted and whether he had ever represented Plaintiff.” However, the court held that because the plaintiff was not a “consumer” under the FDCPA, he did not have standing to bring the FDCPA case. In so ruling, the court noted that the U.S. Court of Appeals for the Eighth Circuit has not yet ruled on whether the FDCPA “applies to persons other than a consumer[‘]” but agreed “with the greater weight of authority that concludes” only consumers have standing to bring such actions.

    Courts Third-Party Debt Collection FDCPA

  • Agencies issue fintech guidance for community banks

    Agency Rule-Making & Guidance

    On August 27, the FDIC, OCC, and Federal Reserve Board released a guide as part of their efforts to promote and support the adoption of new technologies by financial institutions. (See also FIL-59-2021 and OCC Bulletin 2021-40.) The Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks is intended to help community banks conduct due diligence when considering relationships with prospective fintech companies. Among other things, the guide addresses six key due diligence topics for community banks to consider, including (i) business experience, strategic goals, and qualifications; (ii) financial conditions and market information; (iii) legal and regulatory compliance; (iv) risk management policies, processes, and controls; (v) information security programs; and (vi) operational resilience, such as business continuity planning, incident response, service level agreements, and reliance on subcontractors. The guide also provides practical sources of information that may be useful when evaluating fintech companies. The agencies note that use of the guide, which is consistent with the FDIC’s Guidance for Managing Third-Party Risk, is voluntary and that the guide does not anticipate all types of fintech relationships and risks. Consistent with risk-based programs, a community bank may tailor how it uses the information “based on specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity. . . offered by the fintech company.”

    Agency Rule-Making & Guidance FDIC OCC Federal Reserve Fintech Community Banks Third-Party Risk Management Bank Regulatory

  • HUD again extends procedures for FHA mortgages on healthcare facilities

    Federal Issues

    On August 27, HUD issued Mortgagee Letter 21-20, which extended interim procedures addressing site access issues associated with FHA Section 232 mortgage insurance applications during the Covid-19 pandemic from July 31, 2021 to December 31, 2021. As previously covered by InfoBytes, HUD first provided temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities in April 2020 (see Mortgagee Letter 20-10) and extended those procedures in May 2020 (see Mortgagee Letter 20-15). In July 2020, HUD released Mortgagee Letter 20-25, further extending these interim procedures (covered by InfoBytes here). Mortgagee Letter 21-20 also provides guidance on other aspects relating to Section 232 properties, including Property Capital Needs Assessments, appraisals, Section 232 Phase 1 Environmental Site Assessments, asbestos surveys, and radon testing.

    Federal Issues Mortgages Covid-19 HUD Third-Party

  • Illinois amends state Human Rights Act

    State Issues

    On August 13, the Illinois governor signed SB 1561, which amends the Illinois Human Rights Act to include provisions regarding third-party loan modification service providers. According to the bill, it is a civil rights violation for a third-party loan modification service provider, because of unlawful discrimination, familial status, or an arrest record, to (i) refuse to engage in loan modification services or to discriminate in making such services available; or (ii) alter the terms, conditions, or privileges of such services. The bill also clarifies that a third-party loan modification service provider is a person or entity, licensed or unlicensed, that “provides assistance or services to a loan borrower to obtain a modification to a term of an existing real estate loan or to obtain foreclosure relief,” but does not include lenders, brokers or appraisers of mortgage loans, or the servicers, subsidiaries, affiliates, or agents of the lender. Among other things, the bill provides that, in relation to real estate transactions, the failure of the Department to notify a complainant or respondent in writing for not completing an investigation on the allegations set forth in a charge within 100 days shall not deprive the Department of jurisdiction over the charge. This bill is effective January 1, 2022.

    State Issues State Legislation Illinois Consumer Lending Third-Party

  • FINRA reminds firms of third-party supervisory obligations

    Agency Rule-Making & Guidance

    On August 13, the Financial Industry Regulatory Authority (FINRA) reminded member firms of their supervisory obligations related to outsourcing to third-party vendors. Regulatory Notice 21-29 reiterates that supervisory obligations under FINRA Rule 3110 extend to member firms’ outsourcing of certain “covered activities” and reminds firms that under Regulatory Notice 05-48, “‘outsourcing an activity or function to … [a vendor] does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and [FINRA] and MSRB rules regarding the outsourced activity or function.’” Emphasizing that “member firms have continued to expand the scope and depth of their use of technology and have increasingly leveraged [v]endors to perform risk management functions and to assist in supervising sales and trading activity and customer communications,” FINRA reminds member firms that supervisory systems and associated written supervisory procedures extend to the “outsourced activities or functions” of their vendors. The notice also cites examples of violations uncovered during previous examinations linked to third-party vendors related to data integrity, cybersecurity and technology governance, and books and records requirements. These include instances where firms’ vendors failed to implement technical controls or failed to properly manage customers’ nonpublic information. Member firms are encouraged to take a “risk-based approach” to vendor management and to assess whether their supervisory procedures for third-party vendors are “sufficient to maintain compliance with applicable rules.”

    Agency Rule-Making & Guidance FINRA Compliance Third-Party Risk Management Vendor Management

  • Massachusetts Division of Banks issues guidance to debt collectors and student loan servicers

    Recently, the Massachusetts Division of Banks published guidance related to the conduct of debt collectors, student loan servicers, and third-party loan servicers. 209 CMR 18.00 defines unfair or deceptive acts or practices for entities servicing loans or collecting debts within the commonwealth, and provides licensing, registration, and supervision procedures. Those provisions of the regulation that govern fair debt collection and third party loan servicing practices apply both to licensed entities, and entities exempt from licensure. Additionally, the regulation specifies that licensed debt collectors are not required to register as third party loan servicers but must still comply with all relevant state and federal laws and regulations that govern third party loan servicers when acting in that capacity. Student loan servicers engaged in third party loan servicing activities or debt collection activities within the scope of student loan servicing activities described within Massachusetts’ law are also required to comply with all applicable state and federal laws and regulations governing third party loan servicers and debt collectors when acting in such capacity. Additionally, 209 CMR 18.00 outlines, among other things, (i) licensing application requirements; (ii) licensing standards; (iii) registration procedures and standards; (iv) notice, reporting, and recordkeeping requirements; (v) collection practices and consumer communication restrictions; (vi) prohibitions related to harassment or abuse, false or misleading representations, and unfair, deceptive, or unconscionable practices; (vii) debt validation requirements; (viii) mortgage loan servicing practices; (ix) student loan servicing practices; and (x) confidentiality provisions. The regulation took effect July 1.

    Licensing State Issues State Regulators Massachusetts Debt Collection Student Lending Student Loan Servicer Third-Party Compliance

  • Federal agencies seek comments on third-party relationships

    Agency Rule-Making & Guidance

    On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to help banking organizations manage risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance FDIC OCC Federal Reserve Third-Party Fintech Risk Management Third-Party Risk Management Bank Regulatory

  • District Court says retailer not an intended third-party beneficiary of a credit card arbitration provision

    Courts

    On July 8, the U.S. District Court for the Central District of California denied a retailer’s motion to compel arbitration in a consumer data sharing putative class action, ruling that the retailer was not an intended third-party beneficiary of an arbitration provision in a credit card agreement. The proposed class had filed an amended complaint accusing several national retailers of illegally sharing consumer transaction data in violation of the FCRA, the California Consumer Privacy Act, and California’s unfair competition law, among others. The motion at issue, filed by one of the retailers, addresses a named plaintiff’s opposition to compel arbitration. The retailer argued that as an “intended” third-party beneficiary of the contract, it had the right to enforce an arbitration clause contained in a credit card agreement purportedly signed by the plaintiff when she opened a retailer credit card account issued by an online bank.

    The court disagreed, finding that the contract’s arbitration provisions specifically referred to the bank, and that the contract did not clearly “express an intention to confer a separate and distinct benefit on [the retailer].” Moreover, the court noted the contract at issue instructed the plaintiff to send any arbitration demand notices to the bank, adding that “[i]t seems unlikely that the parties would expect a demand for arbitration solely against the [retailer]—that does not involve [the bank]—to be sent to [the bank].”

    Courts Arbitration Third-Party Credit Cards Class Action State Issues CCPA FCRA Privacy/Cyber Risk & Data Security

  • NYDFS tells industry to tighten third-party risk management

    State Issues

    On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, hackers installed malware into a software platform used by the government and financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs for many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous since “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”

    The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.

    State Issues NYDFS State Regulators Privacy/Cyber Risk & Data Security Third-Party Vendor Management Risk Management Bank Regulatory
