InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court remands debt collection class action to state court for lack of standing
On October 12, the U.S. District Court for the Northern District of Illinois granted plaintiff’s motion to remand a debt collection class action lawsuit back to state court. The plaintiff claimed the defendants violated the Illinois Collection Agency Act and FDCPA Section 1692c(b) by using a third-party mailing vendor to print and mail collection letters to class members. According to the plaintiff’s complaint filed in state court, conveying the information to the vendor—an allegedly unauthorized party—served as a communication under the FDCPA. The defendants removed the case to federal court, but on review, the court determined the plaintiff did not have Article III standing to sue because Congress did not intend to prevent debt collectors from using mail vendors when the FDCPA was enacted. Specifically, the court disagreed with the U.S. Court of Appeals for the Eleventh Circuit’s decision in Hunstein v. Preferred Collection & Management Services, which held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” (Covered by InfoBytes here.) In this case, the court stated it “is difficult to imagine Congress intended for the FDCPA to extend so far as to prevent debt collectors from enlisting the assistance of mailing vendors to perform ministerial duties, such as printing and stuffing the debt collectors’ letters, in effectuating the task entrusted to them by the creditors—especially when so much of the process is presumably automated in this day and age.” According to the court, “such a scenario runs afoul of the FDCPA’s intended purpose to prevent debt collectors from utilizing truly offensive means to collect a debt.”
Agencies extend comment period on proposed third-party relationship risk management guidance
On September 10, the OCC, Federal Reserve Board, and FDIC extended the comment period on the regulators’ proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. The deadline has been extended to October 18 and interested parties may submit comments until the deadline.
As previously covered by InfoBytes, the proposed guidance addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Coupled with the release of a Federal Reserve Board paper describing community bank and fintech partnerships, as well as interagency guidance to help community banks evaluate fintech relationships (covered by InfoBytes here), the federal bank regulators are demonstrating continued and increased focus on third-party risk management issues.
Fed describes landscape of community banks and fintech partnerships
On September 9, the Federal Reserve Board published a paper describing the landscape of community banks and fintech partnerships. The paper, Community Bank Access to Innovation through Partnerships, is not guidance but is intended to promote and support “responsible innovation” through access and understanding to financial technology, as well as appropriate third-party risk management and compliance guardrails. The paper follows interagency guidance released last month by the Fed, OCC, and FDIC, which addressed several key due diligence topics for community banks considering relationships with prospective fintech companies, as well as interagency proposed guidance on third party risk management—signals of the regulators’ continued and increased focus on third-party relationships. (Covered by InfoBytes here and here.) The paper provides anecdotal observations shared with the Fed by outreach participants and discusses the benefits and risks of different broad partnership types (operational technology partnerships, customer-oriented partnerships, and front-end fintech partnerships), and key considerations for engaging in such partnerships. According to the report, outreach participants presented a general belief that “fintech partnerships were most effective when three elements were present: a commitment to innovation across the community bank; alignment of priorities and objectives of the community bank and its fintech partner; and a thoughtful approach to establishing technical connections between key parties, including the bank, fintech, and the bank’s core services provider.”
District Court rules in defendants’ favor regarding third-party disclosure
On August 25, the U.S. District Court for the Eastern District of Missouri granted a motion for judgment on the pleadings in favor of a defendant debt collector over a plaintiff alleging FDCPA violations. The plaintiff, a bankruptcy attorney who represents consumers in connection with discharging their debts, received a letter from defendant that disclosed a debt for a consumer he did not represent and has never represented. The plaintiff sued under the FDCPA, claiming that the defendant, among other things, engaged in abusive, deceptive, and unfair debt collection practices when defendant disclosed the existence of this third-party debt to the plaintiff by contacting him via letter. The plaintiff alleged that he was injured and suffered damages “due to the time Plaintiff had to spend trying to learn why he was being contacted and whether he had ever represented Plaintiff.” However, the court held that because the plaintiff was not a “consumer” under the FDCPA, he did not have standing to bring the FDCPA case. In so ruling, the court noted that the U.S. Court of Appeals for the Eighth Circuit has not yet ruled on whether the FDCPA “applies to persons other than a consumer[‘]” but agreed “with the greater weight of authority that concludes” only consumers have standing to bring such actions.
Agencies issue fintech guidance for community banks
On August 27, the FDIC, OCC, and Federal Reserve Board released a guide as part of its efforts to promote and support the adoption of new technologies by financial institutions. (See also FIL-59-2021 and OCC Bulletin 2021-40.) The Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks is intended to help community banks conduct due diligence when considering relationships with prospective fintech companies. Among other things, the guide addresses six key due diligence topics for community banks to consider, including (i) business experience, strategic goals, and qualifications; (ii) financial conditions and market information; (iii) legal and regulatory compliance; (iv) risk management policies, processes, and controls; (v) information security programs; and (vi) operational resilience, such as business continuity planning, incident response, service level agreements, and reliance on subcontractors. The guide also provides practical sources of information that may be useful when evaluating fintech companies. The agencies note that use of the guide, which is consistent with the FDIC’s Guidance for Managing Third-Party Risk, is voluntary and that the guide does not anticipate all types of fintech relationships and risks. Consistent with risk-based programs, a community bank may tailor how it uses the information “based on specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity. . . offered by the fintech company.”
HUD again extends procedures for FHA mortgages on healthcare facilities
On August 27, HUD issued Mortgagee Letter 21-20, which extended interim procedures addressing site access issues associated with FHA Section 232 mortgage insurance applications during the Covid-19 pandemic from July 31, 2021 to December 31, 2021. As previously covered by InfoBytes, HUD first provided temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities in April 2020 (see Mortgagee Letter 20-10) and extended those procedures in May 2020 (see Mortgagee Letter 20-15). In July 2020, HUD released Mortgagee Letter 20-25, further extending these interim procedures (covered by InfoBytes here). Mortgagee Letter 21-20 also provides guidance on other aspects relating to Section 232 properties, including Property Capital Needs Assessments, appraisals, Section 232 Phase 1 Environmental Site Assessments, asbestos surveys, and radon testing.
Illinois amends state Human Rights Act
On August 13, the Illinois governor signed SB 1561, which amends the Illinois Human Rights Act to include provisions regarding third-party loan modification service providers. According to the bill, it is a civil rights violation for a third-party loan modification service provider because of unlawful discrimination, familial status, or an arrest record, to (i) refuse to engage in loan modification services or to discriminate in making such services available; or (ii) alter the terms, conditions, or privileges of such services. The bill also clarifies that a third-party loan modification service provider is a person or entity, licensed or unlicensed, that “provides assistance or services to a loan borrower to obtain a modification to a term of an existing real estate loan or to obtain foreclosure relief,” but does not include lenders, brokers or appraisers of mortgage loans, or the servicers, subsidiaries, affiliates, or agents of the lender. Among other things, the bill provides that, in relation to real estate transactions, the failure of the Department to notify a complainant or respondent in writing for not completing an investigation on the allegations set forth in a charge within 100 days shall not deprive the Department of jurisdiction over the charge. This bill is effective January 1, 2022.
FINRA reminds firms of third-party supervisory obligations
On August 13, the Financial Industry Regulatory Authority (FINRA) reminded member firms of their supervisory obligations related to outsourcing to third-party vendors. Regulatory Notice 21-29 reiterates that supervisory obligations under FINRA Rule 3110 extend to member firms’ outsourcing of certain “covered activities” and reminds firms that under Regulatory Notice 05-48, “‘outsourcing an activity or function to … [a vendor] does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and [FINRA] and MSRB rules regarding the outsourced activity or function.’” Emphasizing that “member firms have continued to expand the scope and depth of their use of technology and have increasingly leveraged [v]endors to perform risk management functions and to assist in supervising sales and trading activity and customer communications,” FINRA reminds member firms that supervisory systems and associated written supervisory procedures extend to the “outsourced activities or functions” of their vendors. The notice also cites examples of violations uncovered during previous examinations linked to third-party vendors related to data integrity, cybersecurity and technology governance, and books and records requirements. These include instances where firms’ vendors failed to implement technical controls or failed to properly manage customers’ nonpublic information. Member firms are encouraged to take a “risk-based approach” to vendor management and to assess whether their supervisory procedures for third-party vendors are “sufficient to maintain compliance with applicable rules.”
Massachusetts Division of Banks issues guidance to debt collectors and student loan servicers
Recently, the Massachusetts Division of Banks published guidance related to the conduct of debt collectors, student loan servicers, and third-party loan servicers. 209 CMR 18.00 defines unfair or deceptive acts or practices for entities servicing loans or collecting debts within the commonwealth, and provides licensing, registration, and supervision procedures. Those provisions of the regulation that govern fair debt collection and third party loan servicing practices apply both to licensed entities, and entities exempt from licensure. Additionally, the regulation specifies that licensed debt collectors are not required to register as third party loan servicers but must still comply with all relevant state and federal laws and regulations that govern third party loan servicers when acting in that capacity. Student loan servicers engaged in third party loan servicing activities or debt collection activities within the scope of student loan servicing activities described within Massachusetts’ law are also required to comply with all applicable state and federal laws and regulations governing third party loan servicers and debt collectors when acting in such capacity. Additionally, 209 CMR 18.00 outlines, among other things, (i) licensing application requirements; (ii) licensing standards; (iii) registration procedures and standards; (iv) notice, reporting, and recordkeeping requirements; (v) collection practices and consumer communication restrictions; (vi) prohibitions related to harassment or abuse, false or misleading representations, and unfair, deceptive, or unconscionable practices; (vii) debt validation requirements; (viii) mortgage loan servicing practices; (ix) student loan servicing practices; and (x) confidentiality provisions. The regulation took effect July 1.
Federal agencies seek comments on third-party relationships
On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to aid banking organizations manage risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.