InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB report finds one in four consumers have debts in collection
On July 18, the CFPB released a report providing an overview of third-party debt collection tradelines from 2004 to 2018, which the Bureau segmented into two parts: debt buyer tradelines and non-buyer debt collections tradelines. The CFPB’s report, “Market Snapshot: Third-Party Debt Collections Tradeline Reporting,” is based on a nationally representative sample of approximately 5 million credit records from one of the three major credit bureaus. According to the report, as of the second quarter of 2018, more than one in four consumers in the sample have at least one debt in collection by third-party debt collectors. Additionally, fewer than 900 unique furnishers of third-party collections tradelines nationwide reported unpaid debts for consumers in the sample, according to the Bureau—a decrease from the 2,294 collectors reported back in 2004. The report also notes that in the second quarter of 2018, the top four debt buyers account for 90 percent of all debt buyer tradelines for consumers in the sample, while the top four non-buyers, by comparison, accounted for just 13 percent of reported tradelines. Furthermore, in the second quarter of 2018, 3 out of 4 of all reported tradelines in the sample from non-buyers were for non-financial debt, such as medical, telecommunications, or utilities debt. Buyers, in contrast, were more likely to report unpaid financial, retail, or banking debts.
Oregon enacts new vendor data breach notification requirements
On May 24, the Oregon Governor signed SB 684, which amends the state’s data breach notification provisions related to third-party vendors. Among other provisions, the amendments require vendors that are contracted to maintain or access personal information on behalf of a covered entity to (i) notify the covered entity “as soon as is practicable but not later than 10 days” after discovering a security breach or believing a breach has occurred; and (ii) notify the state Attorney General if a security breach involves personal information of more than 250 consumers, or an undetermined amount of consumers, provided that the covered entity has not already done so. SB 684 also updates the definition of personal information to include usernames in combination with other authentication factors used to access a consumer’s account, and establishes that a covered entity or vendor may “affirmatively defend” against allegations it has not adequately safeguarded personal information by showing that it maintained reasonable security measures for protecting personal information in compliance with HIPAA or the Gramm-Leach-Bliley Act, as applicable. The amendments take effect January 1, 2020.
District Court finds auto dealerships did not violate UTPA or financial elder abuse law
On March 30, the U.S. District Court for the District of Oregon granted a group of car dealerships’ (defendants) summary judgment motion in a putative class action involving claims that the dealership violated Oregon’s Unlawful Trade Practices Act (UTPA) as well as the state’s financial elder-abuse law. The plaintiffs, who all purchased vehicles along with other goods or services from one or more of the defendants, asserted that the defendants allegedly failed to “appropriately disclose [their] specific fees associated with arrangement of financing or the profit margins related to the sale of third-party products and services.” By failing to comply with these disclosure requirements, the plaintiffs alleged that the defendants “wrongfully appropriated money from elderly persons.” Concerning the alleged violations of UTPA, the defendants argued that its section titled “Undisclosed Fee Payments” only applies to referral fees greater than $100 paid to non-employee third-parties and not to other payments made by a dealership to a third party. The court agreed and stated that the defendants’ position was further supported by the state’s official commentary. With regard to the plaintiffs’ other claim concerning deficiencies in the disclosures, the court concluded that “strict recitation of the statute is not required to meet the clear and conspicuous standard,” and that the disclosures in question were clearly visible and easy to understand. Finally, the court granted summary dismissal on the plaintiffs’ claim of elder abuse because the claim was premised on the alleged violations of UTPA, which were dismissed.
HUD permits use of third-party verification services
On February 15, HUD released Mortgagee Letter 2019-01, which provides guidance on the use of third-party verification (TPV) services for FHA-insured mortgages. Effective immediately, FHA now allows mortgagees to use TPV services for verification of a borrower’s employment, income, and asset information. The Letter provides specific requirements for each category of information but, in all circumstances, a borrower must authorize the mortgagee’s use of a TPV vendor for the verification (whether direct or electronic).
Final deadline approaching for NYDFS cybersecurity regulation
On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services institutions regulated by NYDFS are required to implement a cybersecurity program to protect consumer data. The last step in the implementation timeline requires covered entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such third parties. NYDFS also reminded regulated entities that the deadline to file their second certification of compliance via NYDFS’ cybersecurity portal is February 15.
Previously InfoBytes coverage on NYDFS’ cybersecurity regulation are available here.
7th Circuit affirms summary judgment for repossession company, holds property-retrieval fee is not subject to FDCPA
On October 31, the U.S. Court of Appeals for the 7th Circuit affirmed summary judgment for a third-party repossession company and an auto lender, holding that a fee that the repossession company required to process personal items left in a repossessed car did not constitute an impermissible demand for repayment under the FDCPA. According to the opinion, after a consumer fell behind on her auto payments, the third-party company repossessed her vehicle on behalf of the auto lender. The repossession company, according to the consumer, demanded a $100 payment in order to retrieve personal property she had left in the car. The consumer sued the company and the lender arguing that the retrieval fee was an impermissible debt collection in violation of the FDCPA. In response, the repossession company and the lender moved for summary judgment, arguing that the fee was an administrative handling fee that the lender had agreed to pay to the repossession company—not a fee assessed to the consumer. The lower court agreed.
On appeal, the 7th Circuit determined that the documentary evidence showed that the $100 fee was an administrative fee that the lender agreed to pay to the repossession company, stating “[t]here is no way on this record to view the handling fee as some sort of masked demand for principal payment to [the lender].” The appellate court concluded the consumer did not establish a genuine issue of fact as to whether the repossession company demanded the $100 payment on behalf of the lender and, therefore, affirmed summary judgment in favor of the repossession company and the lender.
FFIEC issues joint statement on OFAC Cyber-Related Sanctions Program
On November 5, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement alerting financial institutions to the potential impact that the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) recent actions under its Cyber-Related Sanctions Program may have on financial institutions’ risk management programs. OFAC implemented the Cyber-Related Sanctions Program in response to Executive Order 13694 to address individuals and entities that threaten national security, foreign policy, and the economy of the U.S. by malicious cyber-enabled activities. FFIEC’s press release announcing the joint statement references OFAC’s June action against five Russian entities and three Russian individuals who, through “malign and destabilizing cyber activities,” provided material and technological support to Russia’s Federal Security Service (previously covered by InfoBytes here), noting that these entities may offer services to financial institutions operating in the U.S.
The joint statement reminds financial institutions to ensure that their compliance and risk management processes address possible interactions with an OFAC sanctioned entity. The statement notes that continued use of products or services from a sanctioned entity may cause the financial institution to violate the OFAC sanctions. Additionally, use of software or technical services from a sanctioned entity may increase a financial institution’s cybersecurity risk. The statement encourages financial institutions to take appropriate corrective action, as well as to ensure their third-party service providers comply with OFAC’s requirements.
The OCC also released Bulletin 2018-40, which corresponds with the FFIEC’s joint statement.
FINRA fines broker-dealer firm for AML program deficiencies
On October 29, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), fining a broker-dealer $2.75 million for identified deficiencies in its anti-money laundering (AML) program. According to FINRA, design flaws in the firm’s AML program allegedly resulted in the firm’s failure to properly investigate (i) certain third-party attempts to gain unauthorized access to its electronic systems, and (ii) other potential illegal activity, which should have led to the filing of Suspicious Activity Reports (SARs). FINRA notes that this failure primarily stemmed from the firm's use of an inaccurate “fraud case chart,” which provided guidance to employees about investigating and reporting requirements related to suspicious activity where third parties use “electronic means to attempt to compromise a customer's email or brokerage account.” Consequently, FINRA alleges that the firm failed to file more than 400 SARs and did not investigate certain cyber-related events. Among other things, FINRA also asserts that the firm failed to file or amend forms U4 or U5, which are used to report certain customer complaints, due to an overly restrictive interpretation of a requirement that complaints contain a claim for compensatory damages exceeding $5,000.
The firm neither admitted nor denied the findings set forth in the AWC agreement, but agreed to address identified deficiencies in its programs.
FTC approves final expanded settlement with global ride-sharing company over data breaches
On October 26, the FTC announced its final approval of an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices. Specifically, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases were secure, but, according to the FTC, the company failed to implement reasonable measures to prevent unauthorized access to consumers and driver data maintained by the ride-sharing company’s third-party cloud service provider. In April, the FTC announced it would be expanding the original settlement from August 2017 (previously covered by InfoBytes here), which covered a 2014 data breach, because it was discovered the company failed to disclose a subsequent data breach that occurred in 2016 for more than a year, despite the on-going FTC investigation of the 2014 data breach.
The expanded final settlement subjects the company to civil penalties if it fails to notify the FTC of future incidents involving unauthorized access to data. The settlement also, among other things, requires the company to implement a comprehensive privacy program, including biennial third-party privacy assessments for 20 years.
CFPB announces settlement with companies that allegedly delayed transfer of consumer payments to debt buyers
On October 4, the CFPB announced a settlement with a group of Minnesota-based companies that allegedly violated the Consumer Financial Protection Act when consumers made payments on debts that the companies had already sold to third parties, and the companies improperly delayed the forwarding of some of those payments to debt buyers. According to the consent order, the companies—whose practices include the purchasing, servicing, collection, and furnishing consumer-report information on consumer loans—partnered with third-party banks to sell merchandise on closed-end or open-end revolving credit. Within a few days, banks originated the loans and sold the receivables to the companies. The companies subsequently serviced the debts and sold the receivables to a third party. For defaulted accounts, the companies charged off the accounts and sold them to third-party debt buyers. According to the Bureau, the companies allegedly failed to notify consumers when their accounts were sold, failed to inform them who now owned the debt, and continued to accept direct pays from consumers. The Bureau contends that between 2013 and 2016, the companies delayed forwarding direct pays for more than 31 days in 18,000 instances, and in 3,500 of those instances, the companies did not forward the payments for more than a year. Moreover, the Bureau asserts that these delays led to misleading collection efforts, including collection activity on accounts consumers had completely paid off. The order requires the companies to pay a civil money penalty of $200,000, and improve their policies and procedures to prevent further violations.