On April 21, the U.S. Court of Appeals for the Eleventh Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” According to the opinion, the plaintiff’s medical debt was assigned to the defendant debt collector, who, in turn, hired a mail vendor to produce a dunning letter in the course of collecting the outstanding debt. In order to produce the letter, information about the plaintiff was allegedly electronically transmitted from the defendant to the mail vendor, including his status as a debtor, the exact balance of the debt, its origin, and other personal information. The plaintiff filed suit, claiming the disclosure of the information to the mail vendor violated the FDCPA’s third-party disclosure provisions, which the district court dismissed for failure to state a claim.
On appeal, the 11th Circuit reviewed whether a violation of § 1692c(b) gives rise to a concrete injury under Article III, and whether the defendant’s communication with the mail vendor was “in connection with the collection of any debt.” In reversing the district court’s ruling, the appellate court determined that communicating debt-related personal information with the third-party mail vendor is a concrete injury under Article III. Even though the plaintiff did not allege a tangible injury, the appellate court held, in a matter of first impression, that under the circumstances, the plaintiff alleged a communication “in connection with the collection of any debt” within the meaning of § 1692c(b). In choosing this interpretation over the defendant’s “‘industry practice argument,’” in which the defendant referred to the widespread use of mail vendors and the relative lack of FDCPA suits brought against debt collectors who use these vendors, the 11th Circuit recognized that its interpretation of the statute may require debt collectors to in-source many of the services previously outsourced to third parties at a potentially great cost. “We recognize, as well, that those costs may not purchase much in the way of ‘real’ consumer privacy, as we doubt that the [mail vendors] of the world routinely read, care about, or abuse the information that debt collectors transmit to them,” the appellate court wrote, adding, “Even so, our obligation is to interpret the law as written, whether or not we think the resulting consequences are particularly sensible or desirable.”
On April 15, the U.S. District Court for the Northern District of California dismissed class claims alleging a software-services provider for a clothing retailer wiretapped consumers’ communication with the retailer in violation of California’s Invasion of Privacy Act and the California Constitution. The software at issue was sold to the service provider’s clients to capture and analyze data so companies can see how website visitors use their sites. The plaintiff alleged that during a visit to one of the retailer’s websites, the defendant’s software captured information including when she visited, the length of her visit, her IP address and location, browser type, and the operating system on her device. The plaintiff further claimed that, in addition to the aforementioned information, the software also captured personally identifiable information such as email, shipping addresses, and payment-card information. The defendant moved to dismiss, which was granted by the court. In dismissing the action, the court referenced its dismissal of virtually identical claims against another software-services provider and ruled that the defendant’s recording of activities such as keystrokes, mouse clicks, and page scrolling does not amount to wiretapping. “[The defendant] is not a third-party eavesdropper,” the court wrote, “[i]t is a vendor that provides a software service that allows its clients to monitor their website traffic.” Moreover, the court determined that information—“such as IP addresses, locations, browser types, and operating systems”—is not “content” under the plaintiff’s Section 631(a) claim.
On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach-Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform text recognition scanning on tens of thousands of mortgage documents was adequately securing consumers’ personal data. The FTC’s complaint alleges that the vendor stored the unencrypted contents of these documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. The data contained sensitive personal information, including “names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, or other personal and financial information of borrowers, as well as of family members and others whose information was included in the mortgage application.” According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was accessed approximately 52 times. The FTC claims, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of all of its vendors as required by the Safeguards Rule.
The proposed settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
On October 1, 2020, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 20-33, which extends interim procedures regarding site access issues related to Section 232 mortgage insurance applications during the Covid-19 pandemic (previously covered here and here). The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities effective through December 31, 2020. The letter also provides guidance on other aspects relating to Section 232 properties, including lender underwriter site visits, appraisals, and inspections on new construction, among other things.
HUD issues mortgagee letter extending interim procedures relating to FHA Section 232 approved mortgages
On July 31, 2020, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 2020-25, which extends interim procedures regarding site access issues related to Section 232 mortgage insurance applications during the Covid-19 pandemic (previously covered here). The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities with effective dates within 60 days of the issuance of the mortgagee letter. The letter also provides guidance on other aspects relating to Section 232 properties, including Property Capital Needs Assessments, appraisals, Section 232 Phase 1 Environmental Site Assessments, asbestos surveys, and radon testing, among other things.
On July 20, the FDIC issued a Request for Information (RFI) seeking input on whether a public/private standard-setting partnership and voluntary certification program could be established to (i) promote the efficient and effective adoption of innovative technologies at supervised financial institutions; and (ii) support financial institutions’ efforts to implement innovative models, manage risk, and conduct due diligence of third-party fintech firms. The RFI is being issued as part of the agency’s FDiTech initiative (covered by InfoBytes here), which was established in 2019 to encourage innovation within the banking industry (particularly at community banks), support collaboration for piloting new products and services, eliminate regulatory uncertainty, and manage risks.
The FDIC stated that establishing a standards-setting body, developed by regulators and industry stakeholders, would help promote innovation across the banking sector and streamline the vetting process for fintech partners. The agency noted that a voluntary certification program could assist in standardizing due diligence practices and reduce costs for financial institutions that choose to participate. Additionally, the FDIC emphasized that it “is especially interested in information on models and technology services developed and provided by [fintechs].” Comments are due 60 days after publication in the Federal Register.
On June 29, the OCC released its Semiannual Risk Perspective for Spring 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC focused this report on the financial impacts of the Covid-19 pandemic on the federal banking industry, emphasizing that weak economic conditions stemming from the shutdown will stress financial performances in 2020, and that banks should monitor elevated compliance risks that may occur as a result of their responses to the pandemic, including participating in the Paycheck Protection Program as well as forbearance and deferred payment programs. The report highlighted that the surge in consumer demands, government programs, and the modifications to operations due to remote work and the “short timelines for implementing changes placed additional strains on banks already operating in a stressed environment.” However, the report noted that, “[s]ome banks are leveraging innovative technologies and third parties, including fintech firms, to help manage these challenges,” and that “[b]ank risk management programs should maintain effective controls for third-party due diligence and monitoring and other oversight processes, operational errors, heightened cyber security risks, and potential fraud related to stimulus programs.” The report highlighted several areas of concern for banks, including (i) credit risk increases; (ii) interest rate risk, including risks related to the LIBOR cessation; (iii) operational risks related to banks’ Covid-19 response; (iv) heightened cyber risks; and (v) compliance risks related to Bank Secrecy Act/anti-money laundering laws, consumer compliance, and fair lending.
On June 20, the Federal Reserve Bank of Boston updated FAQs for its Main Street Lending Program (see here, here and here for previous coverage). Among other things, new FAQs address the treatment of applicant debt to third-party lenders for purposes of calculating outstanding and undrawn debt, certifications regarding conflicts of interest, and the application of regulatory lending limits imposed on national banks, federal savings associations, and state savings associations to loans issued under the Main Street Lending Program.
HUD issues mortgagee letter extending interim procedures relating to FHA Section 232 approved mortgages
On May 28, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 2020-15 to all FHA Section 232 Approved Mortgagees regarding the extension of interim procedures issued in Mortgagee Letter 20-10 to address site access issues during the Covid-19 pandemic. The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities with effective dates within 60 days of the issuance of the mortgagee letter. The letter also provides guidance on other aspects relating to Section 232 properties, including Property Capital Needs Assessments, appraisals, Section 232 Phase 1 Environmental Site Assessments, asbestos surveys, and radon testing, among other things.
Texas regulator urges credit access businesses to consider emergency measures, extends reporting deadlines
On May 15, the Texas Office of the Consumer Credit Commissioner revised an advisory bulletin to credit access businesses, extending the deadline to file 2020 first quarter reports until May 31, 2020 (previously covered here). The office also encouraged credit access businesses to work with third-party lenders to provide relief to consumers negatively impacted by the Covid-19 pandemic.