InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB sues debt collectors
On January 10, the CFPB filed a complaint against three debt collection companies and their owners (collectively, “defendants”) for allegedly engaging in illegal debt-collection practices. According to the Bureau, the defendants purchase debt portfolios and place them with other collection companies or sell them. The complaint states that from September 2017 through April 2020, the defendants placed debts valued at more than $8 billion and asserts that the defendants knew or should have known that these third-party collection companies were engaging in unlawful and deceptive debt collection measures. The Bureau alleges the defendants were aware of the companies’ false statements to consumers because they received hundreds of complaints from consumers claiming the companies were threating to arrest or file lawsuits if the consumers’ debts were not paid imminently, and the defendants received recorded phone calls alerting them to the companies’ threats and false statements regarding credit reporting. Further, the Bureau claims that the defendants continued to place debts with and sold debts to these companies even after an internal review found major violations of federal law. The Bureau’s complaint, which alleges violations of the CFPA and the FDCPA, seeks consumer restitution, disgorgement, injunctive relief, and civil money penalties.
FTC settles with mortgage analytics company
On December 22, the FTC announced the final approval of a settlement with a mortgage industry data analytics firm (defendant) for allegedly failing to develop, implement, and maintain a comprehensive information security program and ensure third-party vendors are capable of implementing and maintaining appropriate safeguards for customer information in violation of the Gramm-Leach Bliley Act’s Safeguards Rule. As previously covered by InfoBytes, in December 2020, the FTC alleged that a vendor hired by the defendant stored the unencrypted contents of mortgage documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was improperly accessed approximately 52 times. The FTC claimed, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of its vendors.
The settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
FTC Commissioner Rebecca Kelly Slaughter provided a lone dissenting statement.
NYDFS issues proposed amendment to third-party debt collection rules
On December 15, NYDFS announced a proposed amendment to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. The proposed amendment factored in findings from NYDFS investigations, which revealed instances of abusive and deceptive debt collection practices, as well as consumer debt collection complaint data. According to acting Superintendent Adrienne A. Harris, the “proposed amendment requires clear communication on consumer debt obligations and ensures the consumer has the right information to dispute the validity of the debt.” The proposed regulation will mitigate predatory debt collection by taking measures to ensure consumers only pay debts they owe and only pay them once. Harris added that the proposed amendment will offer enhanced consumer protections by increasing transparency, requiring enhanced disclosures, reducing misleading statements about consumer debt obligations, and limiting harassment by placing stricter limits on debt collection phone calls than those currently imposed under federal regulations. Among other things, the proposed amendment also:
- Defines “communication” as “the conveying of information regarding a debt directly or indirectly to any person through any medium.”
- Defines “creditor” as “any person or such person’s successor in interest by way of merger, acquisition, or otherwise, to whom a debt is owed or allegedly owed.”
- Amends the definition of “debt collector” to include “any creditor that, in collecting its own debts, uses any name other than its own that would suggest or indicate that someone other than such creditor is collecting or attempting to collect such debts.” The definition also includes certain exemptions, such as persons “performing the activity of serving or attempting to serve legal process” in the judicial enforcement of a debt “or serving, filing, or conveying” other specified documents pursuant to rules of civil procedure, but that are “not a party to, or providing legal representation to a party to, the action[.]”
- Requires collectors to clearly and conspicuously send written notification within 5 days after an initial communication with a consumer letting the consumer know specific information about the debt, including (i) validation information; (ii) the type of reference date used to determine the itemization date; (iii) account information associated with the debt; (iv) merchant/affinity/facility brand association; (v) the date the last payment (including any partial payment) was made; and (vi) the statute of limitations, if applicable.
- Requires collectors to inform consumers they have “the right to dispute the validity of the debt, in part or in whole,” and provides instructions on how consumers may dispute the validity of the debt.
- States that certain disclosures may not be sent exclusively through an electronic communication, and prohibits treating a formal pleading in a civil action as an initial communication.
- Provides that, if a collector “has reason to know or has determined” that the statute of limitations on a debt it seeks to collect has expired, the collector is required to provide clear and conspicuous notice in all communications that, among other items, it believes the statute of limitations has expired. For debts not subject to a statute of limitations, collectors must notify consumers that they are “not required to provide the debt collector with an admission, affirmation, or acknowledgment of the debt, a promise to pay the debt, or a waiver of the statute of limitations.”
- Prohibits collectors from communicating by telephone or other means of oral communication when attempting to collect on debts for which the statute of limitations has expired, without certain consent or permission.
- Requires collectors to provide consumers written substantiation of a debt (no longer specified as a “charged-off” debt) in hard copy by mail within 30 days of receiving a request for substantiation of a debt (unless a consumer has consented to receiving electronic communications). The written substantiation must include, among other information, (i) a statement describing the complete chain of title from the creditor “to which the debt was originally owed or alleged to be owed” to the present creditor “or owner of the debt”; and (ii) notice that a consumer may request additional documentation and instructions on how to make such a request. Collectors are also required to provide within 30 days after the consumer makes such a request for substantiation, documents sufficient to establish the complete chain of title, including documents sufficient to establish the specific dates on which the debt was assigned, sold or transferred and names of each previous owner of the account to the current owner.
- Requires collectors to retain certain information on a debt “until the debt is discharged, sold, or transferred, or for 7 years, whichever is longer.”
- Requires collectors to provide written confirmation of the satisfaction of a debt to a consumer within 20 business days of receiving receipt of the satisfaction of a debt. The confirmation must include the name of the creditor to which the debt was originally owed and the account number unless stipulated otherwise.
- Limits collectors to 1 telephone call and 3 attempted telephone calls in a 7-day period per alleged debt, without certain consents or permission, “except that telephone calls in excess of one time per seven day period are permitted when” a consumer requests to be contacted or when the communication is required under the proposed amendment or other federal or state law.
- Permits collectors to communicate with persons through electronic channels to collect a debt only if (i) the person has voluntarily provided certain contact information to the debt collector; and (ii) the person has given certain revocable consent in writing directly to the debt collector. The proposed amendment also provides (i) certain disclosure requirements for electronic communications “initiated by” a collector; (ii) privacy requirements that incorporate 15 U.S. Code § 1692c(b); and (iii) outlines compliance requirements for collectors should a consumer revoke consent.
11th Circuit to rehear Hunstein v. Preferred Collection & Management Services
On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated an opinion in Hunstein v. Preferred Collection & Management Services, ordering an en banc rehearing of the case. The order vacates an 11th Circuit decision to revive claims that the defendant’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated privacy rights established in the FDCPA. As previously covered by InfoBytes, in April, the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” According to the order issued sua sponte by the 11th Circuit, an en banc panel of appellate judges will convene at a later date to rehear the case.
New rule gives banks 36 hours to disclose cybersecurity incidents
On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to timely notify its primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place. The final rule notes that notification is required for incidents that have affected, in certain circumstances: (i) the viability of a banking organization’s operations; (ii) its ability to deliver banking products and services; or (iii) the stability of the financial sector. Additionally, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially dispute or degrade, a banking organization’s customers for four or more hours. The final rule further provides that the notification requirement for bank service providers is important since “banking organizations have become increasingly reliant on third parties to provide essential services,” which may also experience computer-security incidents that could affect the support services they provide to banking organization customers, along with other significant impacts. The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.
NYDFS issues proposed amendments to debt collection rules for third-parties
On October 29, NYDFS issued draft proposed amendments to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. Among on things, the proposed amendments:
- Define “communication” as “the conveying of information regarding a debt directly or indirectly to any person through any medium.”
- Amend the definition of a “debt collector” to include “as any creditor that, in collecting its own debts, uses any name other than its own that would suggest or indicate that someone other than such creditor is collecting or attempting to collect such debts.”
- Require collectors to clearly and conspicuously send written notification within five days after an initial communication with a consumer letting the consumer know specific information about the debt, including (i) the name of the creditor to which the debt was originally owed or alleged to be owed; (ii) account information associated with the debt; (iii) merchant/affinity/facility brand association; (iv) the name of the creditor to which the debt is currently owed; (v) the date of alleged default; (vi) the date the last payment (including any partial payment) was made; (vii) the statute of limitations, if applicable; (viii) an itemized accounting of the debt, including the amount currently due; and (ix) notice that the consumer “has the right to dispute the validity of the debt, in part or in whole, including instructions for how to dispute the validity of the debt.”
- State that disclosures may not be sent exclusively through an electronic communication, and that a formal pleading in a civil action shall not be treated as an initial communication.
- Prohibit collectors from communicating by telephone or other means of oral communication when attempting to collect on debts for which the statute of limitations has expired.
- Require collectors to provide consumer written substantiation of a debt within 30 days of receiving a written request via mail (consumers who consent to receiving electronic communications must still receive substantiation via mail).
- Limit collectors to three contact attempts via telephone in a seven-day period. Only one conversation with a consumer is permitted unless a consumer requests to be contacted.
- Permit collectors to communicate with consumers through electronic channels only if the consumer has voluntarily provided consent directly to the debt collector.
Comments on the proposal are due November 8.
11th Circuit’s new opinion says plaintiff still has standing to sue in outsourced debt collection letter action
On October 28, the U.S. Court of Appeals for the Eleventh Circuit issued a split opinion in Hunstein v. Preferred Collection & Management Services, vacating its April 21 decision but still finding that the plaintiff had standing to sue. As previously covered by InfoBytes, last April the 11th Circuit reviewed the district court’s dismissal of plaintiff’s claims that the disclosure of medical debt to a mail vendor violated the FDCPA’s third-party disclosure provisions. The 11th Circuit originally held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” At the time, the appellate court determined that communicating debt-related personal information with the third-party mail vendor is a concrete injury under Article III. Even though the plaintiff did not allege a tangible injury, the appellate court held, in a matter of first impression, that under the circumstances, the plaintiff alleged a communication “in connection with the collection of any debt” within the meaning of § 1692c(b).
In its most recent opinion, the majority wrote that it was vacating its prior opinion “[u]pon consideration of the petition for rehearing, the amicus curiae briefs submitted in support of that petition, and the Supreme Court’s intervening decision in TransUnion LLC v. Ramirez.” The appellate court first re-examined whether the plaintiff had standing to sue. Among other things, the majority held that while the plaintiff cannot demonstrate “a risk of real harm,” he was able to show standing “through an intangible injury resulting from a statutory violation.” Further, the majority determined that TransUnion reaffirmed its conclusion that the plaintiff “alleged a harm that bears a close relationship to a harm that has traditionally been recognized in American courts.” (In TransUnion, the Court concluded, among other things, that “[i]n looking to whether a plaintiff’s asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts, we do not require an exact duplicate.”) The majority further concluded that Congress’s judgment also favors the plaintiff because Congress indicated that violations of § 1692c(b) constitute a concrete injury.
The appellate court next considered the merits of the case, with the majority concluding that the plaintiff adequately stated a claim that the transmittal of personal debt-related information to the vendor constituted a communication within the meaning of § 1692c(b)’s phrase “in communication with the collection of the debt.”
Judge Tjoflat dissented, arguing that the April decision was issued before TransUnion, and following the Supreme Court’s reasoning, the plaintiff did not have standing because he did not suffer a concrete injury, and that there is an important difference between a plaintiff’s statutory cause of action to sue over a violation of federal law and “a plaintiff’s suffering concrete harm because of the defendant’s violation of federal law.” Judge Tjoflat further added that a “simple transmission of information along a chain that involves one extra link because a company uses a mail vendor to send out the letters about debt is not a harm at which Congress was aiming.”
States, consumer advocates urge agencies to explicitly disavow rent-a-bank schemes
On October 18, consumer advocates and several state attorneys general and financial regulators responded to a request for comments issued by the OCC, Federal Reserve Board, and the FDIC on proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. (See letters here and here.) As previously covered by InfoBytes, the proposed guidance addressed key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Consumer advocates and the states, however, expressed concerns that the agencies’ proposed guidance does not “highlight the significant risks associated with high-cost lending involving third-party relationships,” and does not include measures to prevent banks from entering into nonbank lending partnerships (e.g. “rent-a-bank schemes”).
According to the consumer advocates’ letter, the agencies’ guidance “should unequivocally declare that it is inappropriate for a bank to rent out its charter to enable attempted avoidance of state consumer protection laws, in particular interest rate and fee caps, or state oversight through licensing regimes.” The consumer advocates stated that they are aware of six FDIC-supervised banks involved in rent-a-bank schemes with nonbank lenders making allegedly illegal high-cost loans, and urged the FDIC to take immediate, “overdue” action to put an end to them. Among other things, the consumer advocates said the new guidance should explicitly specify: (i) that a bank’s involvement in lending that exceeds state interest rate limits with a nonbank is a “critical activity”; (ii) that lending partnerships involving loans exceeding a fee-inclusive 36 percent annual percentage rate (APR) “pose especially high risks”; and (iii) that in instances where a loan exceeds the Military Lending Act’s 36 percent APR, the federal banking supervisor will directly examine the third-party partner and charge the bank for the cost of the examination.
The states wrote in their letter that “experience teaches us that, in the absence of an explicit disavowal of rent-a-bank schemes, the [p]roposed [g]uidance invites continued abuse of banks’ interest exportation rights, to the considerable detriment of state regulation, consumer protection, and banks’ safety and soundness.” The states strongly encouraged the agencies to “explicitly disavow rent-a-bank schemes.”
Financial Stability Board calls for uniformity in cyber-breach reporting
On October 19, the Financial Stability Board (FSB) released a report calling for a convergence in the reporting of cyber incidents given the digitalization of financial services and the growing use of third-party service providers. According to FSB’s report, Cyber Incident Reporting: Existing Approaches and Next Steps for Broader Convergence, financial institutions operating across borders or sectors are subjected to multiple reporting requirements for one cyber incident. Pointing out that “fragmentation exists across sectors and jurisdictions in the scope of what should be reported for a cyber incident; methodologies to measure severity and impact of an incident; timeframes for reporting cyber incidents; and how cyber incident information is used,” FSB cautioned that the lack of a common method for reporting cyber incidents “could undermine a financial institution's response and recovery actions.” FSB also warned that the dissemination of “heterogeneous information” concerning a cyber incident “underscores a need to address constraints in information-sharing among financial authorities and financial institutions.” Harmonizing regulatory reporting would promote financial stability by ensuring there is a common method for monitoring cyberattacks in the sector, supporting effective supervision of cyber-risks at financial institutions, and helping authorities share information between jurisdictions. FSB stated it plans to create a detailed plan by the end of the year to (i) develop best practices for authorities to consider when developing their cyber incident reporting regime; (ii) identify key types of information that should be shared across the financial sector; and (iii) create a common terminology for cyber-incident reporting.
OCC releases bank supervision operating plan for FY 2022
On October 15, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2022. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) credit risk management, including allowances for loan and lease losses and credit losses; (iii) cybersecurity and operational resiliency; (iv) third-party oversight; (v) Bank Secrecy Act/anti-money laundering compliance; (vi) consumer compliance management systems and fair lending risk assessments; (vii) Community Reinvestment Act performance; (viii) LIBOR phase-out preparations; (ix) payment systems products and services; (x) fintech partnerships involving potential cryptocurrency-related activities and other services; and (xi) climate-change risk management. The plan will be used by OCC staff members to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and technology service providers.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered.