On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and ensures that entities not covered by HIPAA are held accountable in the event of a security breach. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day. The FTC’s policy statement (approved by a 3-2 vote) clarifies the Rule’s scope and puts companies on notice of their reporting obligations. According to the FTC, health apps that are increasingly collecting sensitive and personal data from consumers have a responsibility to ensure the collected data is secured from unauthorized access. However, the FTC expressed concern that there are still few applicable privacy protections. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
On August 31, NYDFS issued new guidance to regulated mortgage lenders for developing and implementing programs to comply with the state’s fair lending law, which “prohibits discrimination in, among other things, the granting, withholding, extending, or renewing, or in the fixing of the rates, terms, or conditions of any form of credit on the basis of sexual orientation.” According to an analysis conducted by NYDFS of mortgage loan applications and mortgage loan terms (between 2016 and 2018) from four non-depository lenders and one bank, “in all but two of the fifteen data sets reviewed, same-sex pairs of applicants were denied mortgage loans at higher rates than opposite-sex pairs of applicants.” Additionally, the analysis found that “in six of the data sets, same-sex pairs received between 9 and 17 basis points higher average annual percentage rates than opposite-sex pairs.” NYDFS emphasized that a “same-sex pair” does not necessarily involve LGBTQI individuals, but could also be a mortgage loan application from a father and son or two business partners of the same sex, among other pairings. As such, NYDFS acknowledged that it was “unable to determine with certainty whether discrimination based on sexual orientation occurred as to any particular same-sex pair within the data set.”
However, because NYDFS concluded that its findings raised enough concerns over the potential for discrimination against LGBTQI mortgage applicants, NYDFS advised mortgage lenders to take the following actions, among others, to mitigate discrimination: (i) vest responsibility in senior management to develop a fair lending plan and ensure mortgage lending practices comply; (ii) monitor the implementation of the fair lending plan and “continually address application and underwriting processes as well as pricing policies”; (iii) implement a training program and semi-annually provide updates on fair lending issues; (iv) “[e]nsure automatic and timely review by a higher-level supervisor of all rejected or withdrawn applications for loans from same-sex pairs who indicated that they would live together in the mortgaged property”; (v) extend (in writing) a fair lending plan’s principles to a mortgage lender’s refinancing and collection practices; and (vi) periodically review and update fair lending compliance programs and fair lending plans to ensure they remain current. Mortgage lenders are also advised to utilize rate sheets and exception logs to document applications from same-sex pairs, document approved loans for such applicants that received less favorable terms, and conduct statistical and regression analysis of loan data.
On August 13, the Financial Industry Regulatory Authority (FINRA) reminded member firms of their supervisory obligations related to outsourcing to third-party vendors. Regulatory Notice 21-29 reiterates that supervisory obligations under FINRA Rule 3110 extend to member firms’ outsourcing of certain “covered activities” and reminds firms that under Regulatory Notice 05-48, “‘outsourcing an activity or function to … [a vendor] does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and [FINRA] and MSRB rules regarding the outsourced activity or function.’” Emphasizing that “member firms have continued to expand the scope and depth of their use of technology and have increasingly leveraged [v]endors to perform risk management functions and to assist in supervising sales and trading activity and customer communications,” FINRA reminds member firms that supervisory systems and associated written supervisory procedures extend to the “outsourced activities or functions” of their vendors. The notice also cites examples of violations uncovered during previous examinations linked to third-party vendors related to data integrity, cybersecurity and technology governance, and books and records requirements. These include instances where firms’ vendors failed to implement technical controls or failed to properly manage customers’ nonpublic information. Member firms are encouraged to take a “risk-based approach” to vendor management and to assess whether their supervisory procedures for third-party vendors are “sufficient to maintain compliance with applicable rules.”
On August 16, the OCC released an annual update to its Bank Accounting Advisory Series (BAAS). Intended to address a variety of accounting topics and promote consistent application of accounting standards and regulatory reporting among OCC-supervised banks, the BAAS reflects updates to accounting standards issued by the Financial Accounting Standards Board through March 31, 2021, related to, among other things, (i) the amortization of premiums on callable debt securities; and (ii) evaluating goodwill impairment triggering events for private companies. The 2021 edition also includes answers to frequently asked questions from industry and bank examiners. Additionally, the OCC notes that the BAAS does not represent OCC rules or regulations but rather “represents the Office of the Chief Accountant’s interpretations of generally accepted accounting principles and regulatory guidance based on the facts and circumstances presented.”
On July 26, the Georgia Department of Banking and Finance (Department) announced that the Superior Court of DeKalb County entered an order granting default judgment against defendants for unauthorized banking activities and the unapproved use of the word “bank.” Under Georgia law, it is unlawful to conduct, advertise, or be affiliated with a banking business in the state without a bank charter. Georgia law also prohibits the use of the words “bank” and/or “trust” in any entity’s name without permission from the Department. In 2020, the Department issued a cease and desist order against the defendants after the Department determined that it had no records of the entity and had not approved it or the individual defendant to organize a bank and/or conduct a banking business in or from Georgia. Nor had the Department granted the entity defendant the ability to use the word “bank” in its name. The Department later discovered that the defendants violated the cease and desist order by continuing to engage in unauthorized banking activities and continuing to advertise using the word “bank” without approval. The court ordered the defendants to comply with the cease and desist order and permanently enjoined them from, among other things, using bank nomenclature and advertising or providing financial products or services from within Georgia without written authorization from the Department.
Recently, the Massachusetts Division of Banks published guidance related to the conduct of debt collectors, student loan servicers, and third-party loan servicers. 209 CMR 18.00 defines unfair or deceptive acts or practices for entities servicing loans or collecting debts within the commonwealth, and provides licensing, registration, and supervision procedures. Those provisions of the regulation that govern fair debt collection and third party loan servicing practices apply both to licensed entities, and entities exempt from licensure. Additionally, the regulation specifies that licensed debt collectors are not required to register as third party loan servicers but must still comply with all relevant state and federal laws and regulations that govern third party loan servicers when acting in that capacity. Student loan servicers engaged in third party loan servicing activities or debt collection activities within the scope of student loan servicing activities described within Massachusetts’ law are also required to comply with all applicable state and federal laws and regulations governing third party loan servicers and debt collectors when acting in such capacity. Additionally, 209 CMR 18.00 outlines, among other things, (i) licensing application requirements; (ii) licensing standards; (iii) registration procedures and standards; (iv) notice, reporting, and recordkeeping requirements; (v) collection practices and consumer communication restrictions; (vi) prohibitions related to harassment or abuse, false or misleading representations, and unfair, deceptive, or unconscionable practices; (vii) debt validation requirements; (viii) mortgage loan servicing practices; (ix) student loan servicing practices; and (x) confidentiality provisions. The regulation took effect July 1.
Recently, the Federal Reserve Board and the OCC issued reports pursuant to Section 367 of the Dodd-Frank Act generally detailing the health of Minority Depository Institutions (MDIs) and the agencies’ efforts taken to assist MDIs as the Covid-19 pandemic disproportionately affected low- and moderate-income communities and racial and ethnic minorities. The Fed’s report, “Promoting Minority Depository Institutions,” discussed, among other things, extra steps taken by the agency to support and assist MDIs over the past year, which included conducting individualized outreach on several topics like how to access the discount window and the Paycheck Protection Program Liquidity Facility (covered by InfoBytes here and here). The report also examined efforts taken by the Fed to preserve and promote MDIs through its Partnership for Progress program—“a national outreach effort to help MDIs confront unique business-model challenges, cultivate safe banking practices, and compete more effectively in the marketplace”—and covered the Fed’s unanimous approval last September to approve an Advance Notice of Proposed Rulemaking on modernizing the Community Reinvestment Act (covered by InfoBytes here).
The OCC outlined actions taken to preserve and promote MDIs in its “2020 Annual Report,” including the launch of the Roundtable for Economic Access and Change known as Project REACh (covered by InfoBytes here). OCC subject matter experts also provided regulatory technical assistance to MDIs on topics including safety and soundness, cybersecurity, compliance with Bank Secrecy Act/anti-money laundering requirements, and current expected credit loss accounting methodology, among others. The OCC also noted that despite a seven-basis-points drop on the average return on assets for MDIs through the pandemic, the health of those institutions “remained satisfactory.”
On July 1, the Financial Crimes Enforcement Network (FinCEN) announced updates to the Financial Action Task Force (FATF) statements concerning jurisdictions with strategic anti-money laundering, countering the financing of terrorism, and combating weapons of mass destruction proliferation financing (AML/CFT/CPF) deficiencies. Specifically, to ensure compliance with international standards, the FATF updated the following two statements: (i) High-Risk Jurisdictions Subject to a Call for Action, which identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and instructs FATF members to apply enhanced due diligence, and in the most serious cases, apply counter-measures to protect the international financial system from such risks; and (ii) Jurisdictions under Increased Monitoring, which “publicly identifies jurisdictions with strategic deficiencies in their AML/CFT/CPF regimes that have committed to, or are actively working with, the FATF to address those deficiencies in accordance with an agreed upon timeline.” Notably, Haiti, Malta, the Philippines, and South Sudan have been added to the Jurisdictions under Increased Monitoring, while Ghana has been removed from the list. Among other things, through the announcement, FinCEN further instructs financial institutions to comply with U.S. prohibitions against the opening or maintaining of any correspondent accounts, whether directly or indirectly, for North Korean or Iranian financial institutions, which are already prohibited under existing U.S. sanctions and FinCEN regulations.
On June 10, the U.S. District Court for the Middle District of Pennsylvania granted the DOJ’s unopposed motion to dismiss anti-money laundering charges brought against a money services business, ending an extended deferred prosecution agreement (DPA) related to deficiencies in the company’s anti-fraud and anti-money laundering (AML) programs. As previously covered by InfoBytes, the DOJ filed charges against the company in 2012 for allegedly “willfully failing to maintain an effective AML program and aiding and abetting wire fraud,” including scams targeting the elderly and other vulnerable groups that involved victims sending funds through the company’s money transfer system. In 2018, the DOJ and the company extended and amended the DPA through May 2021 after the DOJ alleged that the company continued to experience significant weaknesses in its AML and anti-fraud programs. At the time, the company agreed to, among other things, comply with additional enhanced anti-fraud and AML compliance obligations. The DOJ noted in its motion to dismiss with prejudice that the company has forfeited $225 million as required and has “satisfied the conditions and obligations imposed under the DPA and the Amendment.” Additionally, the DOJ confirmed that an independent compliance monitor has certified that the company’s “anti-fraud and anti-money laundering compliance program, including its policies and procedures, are reasonably designed and implemented to detect and prevent fraud and money laundering and to comply with the Bank Secrecy Act.”
On June 2, the CFPB released new FAQs regarding the Mortgage Servicing Rule and Regulation X and Regulation Z relating to escrow account guidance and analysis. General highlights from the FAQs are listed below:
- Regulation X provides that (i) an escrow account is any account established or controlled by a servicer for a borrower to pay taxes or other charges associated with a federally related mortgage loan, including charges that the servicer and borrower agreed to have the servicer collect and pay; and (ii) the computation year for an escrow account is a 12-month period that the servicer establishes for the account, starting with the borrower’s first payment date and including each subsequent 12-month period, unless the servicer issues a short year statement.
- Servicers must send the borrower an annual escrow account statement “within 30 days of the completion of the escrow account computation year.”
- Disbursement date is defined as “the date the servicer pays an escrow item from the escrow account.”
- “The initial escrow statement is the first disclosure statement that the servicer delivers to the borrower concerning the borrower’s escrow account,” and must include: (i) “the amount of the monthly mortgage payment”; (ii) “the portion of the monthly payment going into the escrow account”; (iii) “itemized anticipated disbursements to be paid from the escrow account”; (iv) “anticipated disbursement dates”; (v) “the amount the servicer elects as a cushion”; and (vi) “trial running balance for the account.”
- The annual escrow statement must include, among other things, “an account history that reflects the activity in the escrow account during the prior escrow account computation year and a projection of the activity in the account for the next escrow account computation year.”
- An escrow account analysis is the accounting a servicer conducts in the form of a trial running balance for an escrow account to: (i) “determine the appropriate target balances”; (ii) “compute the borrower’s monthly payments for the next escrow account computation year and any deposits needed to establish or maintain the account”; and (iii) “determine whether a shortage, surplus, or deficiency exists.”
- “If there is a shortage that is equal to or more than one month’s escrow account payment, the servicer may accept an unsolicited lump sum repayment to resolve the shortage. However, the servicer cannot require or provide the option of a lump sum payment on the annual escrow account statement. In addition, Regulation X does not govern whether borrowers can freely pay the servicer to satisfy an escrow account shortage. Therefore, “the acceptance of a voluntary, unsolicited payment made by the borrower to the servicer to satisfy an escrow account shortage is not a violation of Regulation X.”
- Servicers may inform borrowers that borrowers “may voluntarily provide a lump sum payment to satisfy an escrow shortage if they choose to” if “the communication is not in the annual escrow account statement itself and does not appear to indicate that a lump sum payment is something that the servicer requires but rather is an entirely voluntary option.”