InfoBytes Blog
Massachusetts Division of Banks issues guidance to debt collectors and student loan servicers
Recently, the Massachusetts Division of Banks published guidance related to the conduct of debt collectors, student loan servicers, and third-party loan servicers. 209 CMR 18.00 defines unfair or deceptive acts or practices for entities servicing loans or collecting debts within the commonwealth, and provides licensing, registration, and supervision procedures. Those provisions of the regulation that govern fair debt collection and third-party loan servicing practices apply both to licensed entities and to entities exempt from licensure. Additionally, the regulation specifies that licensed debt collectors are not required to register as third-party loan servicers but must still comply with all relevant state and federal laws and regulations that govern third-party loan servicers when acting in that capacity. Student loan servicers engaged in third-party loan servicing activities or debt collection activities within the scope of student loan servicing activities described within Massachusetts’ law are also required to comply with all applicable state and federal laws and regulations governing third-party loan servicers and debt collectors when acting in such capacity. Additionally, 209 CMR 18.00 outlines, among other things, (i) licensing application requirements; (ii) licensing standards; (iii) registration procedures and standards; (iv) notice, reporting, and recordkeeping requirements; (v) collection practices and consumer communication restrictions; (vi) prohibitions related to harassment or abuse, false or misleading representations, and unfair, deceptive, or unconscionable practices; (vii) debt validation requirements; (viii) mortgage loan servicing practices; (ix) student loan servicing practices; and (x) confidentiality provisions. The regulation took effect July 1.
Federal agencies seek comments on third-party relationships
On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to help banking organizations manage risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence, and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.
District Court says retailer not an intended third-party beneficiary of a credit card arbitration provision
On July 8, the U.S. District Court for the Central District of California denied a retailer’s motion to compel arbitration in a consumer data sharing putative class action, ruling that the retailer was not an intended third-party beneficiary of an arbitration provision in a credit card agreement. The proposed class had filed an amended complaint accusing several national retailers of illegally sharing consumer transaction data in violation of the FCRA, the California Consumer Privacy Act, and California’s unfair competition law, among others. The motion at issue, filed by one of the retailers, addresses a named plaintiff’s opposition to compel arbitration. The retailer argued that as an “intended” third-party beneficiary of the contract, it had the right to enforce an arbitration clause contained in a credit card agreement purportedly signed by the plaintiff when she opened a retailer credit card account issued by an online bank.
The court disagreed, finding that the contract’s arbitration provisions specifically referred to the bank, and that the contract did not clearly “express an intention to confer a separate and distinct benefit on [the retailer].” Moreover, the court noted the contract at issue instructed the plaintiff to send any arbitration demand notices to the bank, adding that “[i]t seems unlikely that the parties would expect a demand for arbitration solely against the [retailer]—that does not involve [the bank]—to be sent to [the bank].”
NYDFS tells industry to tighten third-party risk management
On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, hackers installed malware into a software platform used by the government and financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs for many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous since “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”
The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.
11th Circuit: Outsourcing debt collection letters can violate FDCPA
On April 21, the U.S. Court of Appeals for the Eleventh Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” According to the opinion, the plaintiff’s medical debt was assigned to the defendant debt collector, who, in turn, hired a mail vendor to produce a dunning letter in the course of collecting the outstanding debt. In order to produce the letter, information about the plaintiff was allegedly electronically transmitted from the defendant to the mail vendor, including his status as a debtor, the exact balance of the debt, its origin, and other personal information. The plaintiff filed suit, claiming the disclosure of the information to the mail vendor violated the FDCPA’s third-party disclosure provisions, which the district court dismissed for failure to state a claim.
On appeal, the 11th Circuit reviewed whether a violation of § 1692c(b) gives rise to a concrete injury under Article III, and whether the defendant’s communication with the mail vendor was “in connection with the collection of any debt.” In reversing the district court’s ruling, the appellate court determined that communicating debt-related personal information to the third-party mail vendor is a concrete injury under Article III. Even though the plaintiff did not allege a tangible injury, the appellate court held, in a matter of first impression, that under the circumstances, the plaintiff alleged a communication “in connection with the collection of any debt” within the meaning of § 1692c(b). In choosing this interpretation over the defendant’s “‘industry practice argument,’” in which the defendant referred to the widespread use of mail vendors and the relative lack of FDCPA suits brought against debt collectors who use these vendors, the 11th Circuit recognized that its interpretation of the statute may require debt collectors to in-source many of the services previously outsourced to third parties at a potentially great cost. “We recognize, as well, that those costs may not purchase much in the way of ‘real’ consumer privacy, as we doubt that the [mail vendors] of the world routinely read, care about, or abuse the information that debt collectors transmit to them,” the appellate court wrote, adding, “Even so, our obligation is to interpret the law as written, whether or not we think the resulting consequences are particularly sensible or desirable.”
Court rules software service provider did not eavesdrop when capturing website data for retailer
On April 15, the U.S. District Court for the Northern District of California dismissed class claims alleging that a software-services provider for a clothing retailer wiretapped consumers’ communications with the retailer in violation of California’s Invasion of Privacy Act and the California Constitution. The software at issue was sold to the service provider’s clients to capture and analyze data so companies can see how website visitors use their sites. The plaintiff alleged that during a visit to one of the retailer’s websites, the defendant’s software captured information including when she visited, the length of her visit, her IP address and location, browser type, and the operating system on her device. The plaintiff further claimed that, in addition to the aforementioned information, the software also captured personally identifiable information such as email, shipping addresses, and payment-card information. The defendant moved to dismiss, and the court granted the motion. In dismissing the action, the court referenced its dismissal of virtually identical claims against another software-services provider and ruled that the defendant’s recording of activities such as keystrokes, mouse clicks, and page scrolling does not amount to wiretapping. “[The defendant] is not a third-party eavesdropper,” the court wrote, “[i]t is a vendor that provides a software service that allows its clients to monitor their website traffic.” Moreover, the court determined that information—“such as IP addresses, locations, browser types, and operating systems”—is not “content” under the plaintiff’s Section 631(a) claim.
FTC settles with mortgage analytics company over vendor oversight deficiencies
On December 15, the FTC announced a settlement with a Texas-based mortgage data analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach-Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure that a third-party vendor hired to perform text recognition scanning on tens of thousands of mortgage documents was adequately securing consumers’ personal data. The FTC’s complaint alleges that the vendor stored the unencrypted contents of these documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. The data contained sensitive personal information, including “names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, or other personal and financial information of borrowers, as well as of family members and others whose information was included in the mortgage application.” According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was accessed approximately 52 times. The FTC claims, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of all of its vendors as required by the Safeguards Rule.
The proposed settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
HUD re-extends procedures to address Section 232 mortgage insurance issues
On October 1, 2020, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 20-33, which extends interim procedures regarding site access issues related to Section 232 mortgage insurance applications during the Covid-19 pandemic (previously covered here and here). The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities effective through December 31, 2020. The letter also provides guidance on other aspects of Section 232 properties, including lender underwriter site visits, appraisals, and inspections of new construction, among other things.
HUD issues mortgagee letter extending interim procedures relating to FHA Section 232 approved mortgages
On July 31, 2020, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 2020-25, which extends interim procedures regarding site access issues related to Section 232 mortgage insurance applications during the Covid-19 pandemic (previously covered here). The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities with effective dates within 60 days of the issuance of the mortgagee letter. The letter also provides guidance on other aspects of Section 232 properties, including Property Capital Needs Assessments, appraisals, Section 232 Phase 1 Environmental Site Assessments, asbestos surveys, and radon testing, among other things.
FDIC seeks input on voluntary certification of innovative technologies
On July 20, the FDIC issued a Request for Information (RFI) seeking input on whether a public/private standard-setting partnership and voluntary certification program could be established to (i) promote the efficient and effective adoption of innovative technologies at supervised financial institutions; and (ii) support financial institutions’ efforts to implement innovative models, manage risk, and conduct due diligence of third-party fintech firms. The RFI is being issued as part of the agency’s FDiTech initiative (covered by InfoBytes here), which was established in 2019 to encourage innovation within the banking industry (particularly at community banks), support collaboration for piloting new products and services, eliminate regulatory uncertainty, and manage risks.
The FDIC stated that establishing a standards-setting body, developed by regulators and industry stakeholders, would help promote innovation across the banking sector and streamline the vetting process for fintech partners. The agency noted that a voluntary certification program could assist in standardizing due diligence practices and reduce costs for financial institutions that choose to participate. Additionally, the FDIC emphasized that it “is especially interested in information on models and technology services developed and provided by [fintechs].” Comments are due 60 days after publication in the Federal Register.