Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs to protect their information systems as well as the nonpublic information maintained on them. (See continuing InfoBytes coverage on 23 NYCRR Part 500 here.) Specifically, 23 NYCRR Part 500 allows “Covered Entities to adopt ‘the relevant and applicable provisions’ of the cybersecurity program of an affiliate provided that such provisions satisfy the requirements of the Cybersecurity Regulation.” NYDFS is also permitted to fully examine the adopted portions of the affiliate’s cybersecurity program to ensure compliance, even if that affiliate is not covered or regulated by NYDFS otherwise. Covered Entities are reminded that while they may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate compliance responsibility to the affiliate, and is responsible for ensuring its cybersecurity program complies with 23 NYCRR Part 500, “regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.” Additionally, a Covered Entity’s compliance obligations are the same whether it adopts an affiliate’s cybersecurity program or implements its own cybersecurity program. Among other things, Covered Entities are required to provide, upon request, all “documentation and information” related to their cybersecurity programs, including evidence that an adopted affiliate’s cybersecurity program meets the requirements of 23 NYCRR Part 500.
At a minimum, NYDFS requires access to an affiliate’s “cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” NYDFS also explained that foreign bank branches and representative offices often have head offices located outside the U.S. that are not directly regulated by NYDFS. For these entities, all documentation and information relevant to the adopted portions of their head offices’ cybersecurity programs must be provided to NYDFS examiners to evaluate the Covered Entities’ compliance with 23 NYCRR Part 500.
On February 5, Federal Reserve Governor Lael Brainard spoke at the “Symposium on the Future of Payments” to discuss benefits and risks associated with the digitalization of payments and currency. Noting that some of the new players in this space are outside financial regulatory guardrails and offer new currencies that “could pose challenges in areas such as illicit finance, privacy, financial stability, and monetary policy transmission,” Brainard stressed the importance of assessing new approaches and redrawing existing parameters. Emphasizing, however, that no federal agency has broad authority over the payments systems, Brainard stated that Congress should review how retail payments are regulated in the U.S., given the growth in ways that money is able to move around without the need for a financial intermediary. Banking agencies may oversee nonbank payments “to the extent there is a bank nexus” or bank affiliation, Brainard noted, however, she cautioned that “this oversight will be quite limited to the extent that nonbank players reduce or eliminate the nexus to banks, such as when technology firms develop payments services connected to digital wallets rather than bank accounts and rely on digital currencies rather than sovereign currencies as the means of exchange.” According to Brainard, “a review of the nation’s oversight framework for retail payment systems could be helpful to identify important gaps.”
Among other topics, Brainard stated that the Fed is currently reviewing nearly 200 comment letters concerning the proposed FedNow Service announced last summer, which would “facilitate end-to-end faster payment services, increase competition, and ensure equitable and ubiquitous access to banks of all sizes nationwide.” (Covered by InfoBytes here.) Brainard also discussed the possibility of creating a central bank digital currency (CBDC). While noting that the “prospect for rapid adoption of global stablecoin payment systems has intensified calls for central banks to issue digital currencies in order to maintain the sovereign currency as the anchor of the nation’s payment systems,” Brainard stressed the importance of taking into account private sector innovations and considering whether adding a new form of central bank liability would improve the payment system and reduce operational vulnerabilities from a safety and resilience perspective. She noted that the Fed is “conducting research and experimentation related to distributed ledger technologies and their potential use case for digital currencies, including the potential for a CBDC.”
On April 4, the Colorado Court of Appeals reversed the trial court’s ruling assessing civil penalties against a foreclosure law firm for allegedly failing to disclose that its principals had an ownership interest in one of its vendors. The appeals court found that the civil penalty was not warranted because the failure to disclose “did not significantly impact members of the public as actual or potential consumers.” According to the opinion, the State of Colorado brought an enforcement action against a foreclosure law firm and its affiliated vendors, alleging, among other things, that the law firm and its vendors violated the Colorado Consumer Protection Act (the Consumer Act) by making “false or misleading statements of fact concerning the price” of their foreclosure services. The State argued that the relationship between the law firm and its vendors allowed the vendors to charge for services in excess of the market rate, pass on those costs to the law firm’s customers, and share a portion of the inflated costs with the law firm. While the trial court rejected two of the State’s claims against the defendants, it concluded that the law firm committed a deceptive practice under the Consumer Act that “significantly impact[ed] the public as actual or potential consumers” by failing to disclose its affiliated relationship with one of the vendors.
On appeal, the appellate court rejected the trial court’s conclusion that the alleged deception significantly impacted the public, noting that the deception was confined to two clients, Fannie Mae and Freddie Mac, in the context of their private agreements with the firm. Because the misrepresentation was in the context of a private relationship, and the tax-paying public were not “consumers of the law firm’s services for purposes of the Consumer Act,” the appellate court found the trial court erred when awarding the civil penalties under the Act. Moreover, the appellate court affirmed the trial court’s rejection of the State’s other claims against the law firm.
Court holds lenders may not require borrowers to use an affiliated appraisal management company under RESPA; denies class certification
On February 7, a magistrate judge of the U.S. District Court for the Northern District of Georgia recommended denial of a motion for class certification in a case alleging that a mortgage lender, an affiliated appraisal management company (AMC), and the individual owner, through trusts, of both the lender and the AMC committed RESPA violations. The plaintiffs alleged that the individual owner received a thing of value, i.e., profit distributions from the AMC, that were generated from the lender’s referrals to the AMC in violation of Section 8(a) of RESPA, notwithstanding the exemption for affiliated business arrangements, (i) because no disclosure of the affiliation was provided to the borrowers, or (ii) because, even when a disclosure was provided, the borrowers were required to use the AMC.
While reviewing whether the class would have standing, the court disagreed with the defendants’ assertion that the affiliated business arrangement exemption under Section 8(c)(4) of RESPA, which generally bans the required use of an affiliate, but permits a lender to impose its choice of an attorney, credit reporting agency, or real estate appraiser to represent the lender’s interest, should be interpreted to permit the mortgage lender’s required use of an affiliated AMC. The defendants argued that allowing a consumer to shop for an appraisal management company would be inconsistent with TILA and Regulation Z, whose official commentary to Section 1026.37(f)(2) lists “appraisal management company fee” as an example of an item that may be disclosed under “services you cannot shop for” in the Good Faith Estimate. The court rejected that assertion, stating that there are multiple settlement services the lender may require the consumer to use which do not run afoul of RESPA or TILA and that Section 8 is only implicated where there is a kickback involved. The court further examined the plain meaning of Section 8(c)(4) and determined that, from a statutory interpretation perspective, an appraiser and an appraisal management company are not “one and the same.”
Additionally, the court disagreed with the defendants’ argument that the plaintiffs’ payment to the AMC was covered under the exception in Section 8(c)(2) of RESPA because the payment was not a “thing of value” under Section 8(a). In rejecting the defendants’ argument, the court noted the kickback at issue is the profit ultimately paid to the individual owner, not the plaintiffs’ payment to the AMC, and the defendants did not present any authority that the exception applies when the payment is for ownership interest.
The court ultimately recommended the denial of the class certification because plaintiffs did not demonstrate that ascertaining the class was administratively feasible, including the problem of ascertaining which loans were federally related mortgage loans and which were not. The court also concluded that, given the number of individual inquiries in the case, the requirement that common questions of law and fact predominate was not satisfied.
On March 22, the U.S. District Court for the Western District of Kentucky denied the CFPB’s motion to reconsider an opinion issued in July 2017, which held that a safe harbor provision for affiliated business arrangements under Section 8(c)(4) of RESPA protects a Louisville law firm’s relationship with a string of now-closed title insurance agencies (previously covered by InfoBytes here). In denying the request, the court clarified its previous reasoning and found that the transactions did not violate Section 8(a) because the law firm did not give the title insurance agencies a “thing of value,” and even assuming a violation, the safe harbor under Section 8(c)(2)—even though the court previously relied on Section 8(c)(4)—applied. The court relied on the D.C. Circuit’s 2016 interpretation of Section 8(c)(2) in PHH Corporation v. CFPB, which found that payments made in exchange for a service “actually received” are not the same as payments made for referrals and a payment is bona fide if it amounts to “reasonable market value” for the service. In applying the PHH holding to the present facts, the court concluded that the payments consumers made to the title agencies, which were subsequently distributed as profits to corresponding partners, were made in exchange for title insurance that was actually received by the consumer. Moreover, the court noted that there was no evidence that the payments were above market value, and therefore determined they were bona fide. Lastly, the opinion emphasized that the purpose of RESPA is to prevent unnecessary increases in costs of certain settlement services for consumers, and the payments resulting from the relationship between the law firm and the title agencies not only were for services actually received but were not found to increase the cost of those services at settlement.