Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On January 28, the Maryland commissioner of financial regulation issued guidance that extends the “re-start date” for the initiation of residential foreclosures to March 1, 2021. The guidance is issued pursuant to the Maryland governor’s executive order 20-12-17-02, which amended and restated previous executive orders covered here, and here.
On January 8, the governor of Illinois issued Executive Order 2021-01 extending numerous executive orders through February 6, 2021 (previously covered here, here, here, here, and here). Among other things, the order extends: (i) Executive Order 2020-07 regarding in-person meeting requirements, (ii) Executive Order 2020-23 regarding actions by individuals licensed by the Illinois Department of Financial and Professional Regulation engaged in disaster response, (iii) Executive Order 2020-25 regarding garnishment and wage deductions (previously covered here), (iv) Executive Order 2020-30 regarding residential evictions (previously covered here and here).
On November 6, the Federal Reserve Board (Fed) issued its Supervision and Regulation Report, which summarizes banking system conditions and the Fed’s supervisory and regulatory activities. The current report discusses the safety and soundness of the banking industry, especially with respect to economic and financial stresses resulting from Covid-19 containment measures. The report highlights, among other things, that Fed programs “have helped to preserve the flow of credit” and that banks have taken several actions to maintain financial and operational resiliency. These actions include providing access to substantial lines of credit for corporate borrowers and playing a significant role in supporting small businesses through the Paycheck Protection Program. In addition, the report notes that loan growth has grown slightly since the beginning of the year and that capital positions and liquidity conditions remain strong. However, the report cautions that while “economic indicators have shown marked improvement since the second quarter, a high degree of uncertainty persist.” The report also details the Fed’s current areas of supervisory focus and describes how banks have adapted to a largely remote working environment.
The same day, the Fed also announced updates to the list of firms supervised by its Large Institution Supervision Coordinating Committee Program, which is responsible for supervising the largest and most complex firms. As a result, “certain foreign banks with U.S. operations that have substantially decreased in size and risk over the past decade will move to the Large and Foreign Banking Organization supervision portfolio, where they will be supervised with other banks of similar size and risk.” The Fed stresses that the “portfolio move will have no effect on the regulatory capital or liquidity requirements of any firm.”
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. While the regulation package was under review by the OAL, the California attorney general made certain “nonsubstantial changes” and “changes without regulatory effect” to the CCPA regulations, which are outlined here (Buckley created redline available here). Under the OAL’s regulations, changes are considered “nonsubstantial” if they clarify without materially altering the requirements, rights, responsibilities, conditions, or prescriptions contained in the original text. Changes are considered to be “without regulatory effect” if they involve renumbering or relocating a provision, revising structure, syntax, grammar or punctuation, and, subject to certain conditions, making a provision consistent with statute.
Among others, the following nonsubstantial changes were made to the final regulations:
- The shorthand phrase “Do Not Sell My Info” was removed from several sections in order for the language to track the statute (i.e. “Do Not Sell My Personal Information”).
- The severability provision, formerly in Section 999.341 was deleted as unnecessary. This provision previously stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.” (formerly § 999.341).
Additionally, the following requirements were deleted from the regulations at this time, although the California attorney general has indicated that these provisions may be resubmitted “after further review and possible revisions”:
- The requirement, formerly in Section 999.305(a)(4), that the business notify and obtain explicit consent from a consumer to use the consumer’s personal information for a purpose materially different than those disclosed in the notice at collection.
- The requirement, formerly in Section 999.306(b)(2), that a business that substantially interacts with consumers offline must provide a notice to the consumer offline to facilitate their awareness of the right to opt-out.
- The requirement in Section 999.315(c) that the business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.”
- The provision, formerly in Section 999.326(c), permitting a business to deny a request from an authorized agent if the agent fails to submit proof of authorization from the consumer.
The final regulations became effective on August 14, 2020.
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. The proposed final regulations were submitted to OAL on June 1 and were “nonsubstantially changed” during OAL’s review process for “accuracy, consistency, and clarity.” The final regulations are effective as of August 14.
For a detailed overview of the regulations, see here (the InfoByte details an earlier version of the regulations, which remain substantially unchanged). Details discussing the nonsubstantial changes available by InfoBytes here.
On July 17, the U.S. Treasury Department issued a joint statement on the EU - U.S. Financial Regulatory Forum, which met virtually on July 14 and 15 and included participants from Treasury, the Federal Reserve Board, CFTC, FDIC, SEC, and OCC. Forum participants discussed six key themes: (i) potential financial stability implications and economic responses to the Covid-19 pandemic; (ii) capital market supervisory and regulatory cooperation, including cross-border supervision; (iii) “multilateral and bilateral engagement in banking and insurance,” including “cross-border resolution of systemic banks” and Volcker Rule implementation; (iv) approaches to anti-money laundering/countering the financing of terrorism financing and remittances; (v) the regulation and supervision of digital finance and financial innovation, such as “digital operational resilience and developments in crypto-assets, so-called stablecoins, and central bank digital currencies”; and (vi) sustainable finance developments. EU and U.S. participants recognized the importance of communicating mutual supervisory and regulatory concerns to “support financial stability, investor protection, market integrity, and a level playing field.”
On June 18, the CFPB launched a pilot advisory opinion program (AO program) to allow entities to submit requests to the Bureau for written guidance in cases of regulatory compliance uncertainty. The pilot AO program procedural rule went into effect June 22, and states that the AO program—established in response to external stakeholder feedback encouraging the Bureau to provide written guidance—will primarily focus on clarifying ambiguities in Bureau regulations, although AOs may also clarify statutory ambiguities. The Bureau notes, however, that it will not issue AOs on matters that require notice-and-comment rulemaking or that are better addressed through that process, and does not intend to issue an AO that will change a regulation or replace a regulation or statute with a “bright-light standard that eliminates all the required analysis.” During the pilot, requests will not be accepted from third parties, such as trade associations or law firms, on behalf of unnamed entities. According to the Bureau’s announcement, it will select topics based on the program’s priorities, and, if appropriate, may publicly “issue an [AO] based on its summary of the facts presented that would be applicable to other entities in situations with similar facts and circumstances.”
The pilot AO program will focus on the following four priorities: (i) providing consumers “with timely and understandable information to make responsible decisions”; (ii) identifying “outdated, unnecessary or unduly burdensome regulations in order to reduce regulatory burdens”; (iii) consistently enforcing federal consumer financial laws “in order to promote fair competition”; and (iv) “[e]nsuring markets for consumer financial products and services operate transparently and efficiently to facilitate access and innovation.”
In determining the appropriateness of an AO, the Bureau will consider several factors, including whether (i) prior Bureau examinations have identified the issue as one that may benefit from additional regulatory clarity; (ii) the issue is “of substantive importance or impact or one whose clarification would provide significant benefit”; and/or (iii) the issue concerns an ambiguity not previously addressed through an interpretive rule or other authoritative source. Additionally, issues currently under investigation or enforcement likely will not be considered appropriate for an AO.
A proposed procedural rule and information collection was also announced June 18, which requests comments on the proposed AO program. Comments must be received 60 days after publication in the Federal Register. The proposed AO program, following the conclusion of the pilot, will be fully implemented after the Bureau reviews the comments.
On April 13, the CFPB issued an Interpretive Rule (IR) addressing the “Treatment of Pandemic Relief Payments Under Regulation E and Application of the Compulsory Use Prohibition.” Pursuant to the CARES Act, many consumers are entitled to pandemic relief payments, generally provided through direct deposit to the consumer’s bank account. When that information is unavailable, or when the consumer does not have a bank account, the IR allows government agencies to provide the economic impact payments via alternative means, including by issuing prepaid account cards. However, the Electronic Fund Transfer Act and implementing Regulation E prohibit government agencies from requiring consumers to “establish accounts for receipt of electronic fund transfers with a particular financial institution as a condition of receipt of a government benefit. ” According to the IR, the “compulsory use prohibition” will not apply to prepaid cards and the Covid-19 relief payments will not be classified as government benefits, provided the cards fulfill certain requirements. In order to not be considered “government benefits” the payments must: (i) be to aid consumers impacted by Covid-19; (ii) not be “part of an already-established government benefit program”; (iii) be distributed “on a one-time or otherwise limited basis”; and (iv) not require consumers to apply for the funds.
On April 1, the CFPB published a statement which assured that the Bureau will continue to perform examinations and other supervisory work during the Covid-19 pandemic, reinforcing the Bureau’s mission to protect consumers. The statement explains that the Bureau is taking advantage of technology to fulfill its examination duties and to stay in communication with supervised entities. Additionally, the statement suggests that the Bureau will consider individual circumstances and good faith efforts to comply when performing examination and supervisory work.
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications published last month (covered by Buckley Special Alerts here and here). According to a notice issued by the California Department of Justice, these changes are in response to roughly 100 comments received by the Department to the proposed February modifications and are intended “to clarify and conform the proposed regulations to existing law.”
Key modifications are as follows:
- Personal Information. In the February modifications, a section was added to provide guidance regarding the interpretation of CCPA definitions and specifically defined the term “personal information” and provided an example of when IP addresses were not considered “personal information.” In the recent modifications, the Attorney General (AG) struck this section of the regulations.
- Indirectly Receiving Personal Information. The modifications clarify that a business that does not collect personal information directly from a consumer is not required to provide a consumer with a notice at collection if it does not sell the consumer’s personal information.
- “Opt-Out Button” Button. The modifications strike a provision that previously provided a model for the opt-out button that companies could include on their websites as an additional way for consumers to opt out of selling their information, as well as information about when the button should be used.
- Responding to Requests to Know. While the regulations have made clear that there are certain types of data that a business must never disclose in response to a request to know, such as Social Security number, driver’s license or government ID number, biometric data, etc., the modifications clarify that when responding to a request to know, businesses must inform consumers “with sufficient particularity” that they have collected that type of information. The modifications provide the following example – the business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
- Responding to Requests to Delete. The modifications provide that if a business denies a consumer’s request to delete, the business sells personal information, and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer if he/she would like to opt out and include either the contents of, or a link to, the notice of right to opt-out.
- Service Providers. The modifications clarify that a service provider may not retain, use, or disclose personal information obtained while providing services unless the information is used to “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information” and complies with the CCPA’s requirements for a written contract for services. The modifications also add that while the service provider may use the personal information to build or improve the quality of it services, it may not build or modify household or consumer profiles to use in providing services to another business.
- Training: Record-Keeping. The modifications clarify that information retained for record-keeping purposes may not be shared with third parties “except as necessary to comply with a legal obligation.”
- Authorized Agent. The modifications clarify that businesses shall not require consumers, or a consumer’s authorized agent, to pay a fee to verify requests to know or to delete.
- Calculating the Value of Consumer Data. The modifications provide that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons in the United States and not just consumers.
Comments on the second set of proposed modifications are due by March 27. As a reminder, the CCPA became effective January 1.
- Jonice Gray Tucker to discuss “How the new administration sets the tone for 2021” at the American Conference Institute Legal, Regulatory and Compliance Forum on Fintech & Emerging Payment Systems
- Sherry-Maria Safchuk to discuss UDAAP in consumer finance at an American Bar Association webinar
- Jeffrey P. Naimon to discuss "What to expect: The new administration and regulatory changes" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Steven R. vonBerg to discuss "LO comp challenges" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss “The False Claims Act today” at the Federal Bar Association Qui Tam Section Roundtable