
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS puts CFDL compliance obligations on hold

    State Issues

    On December 31, NYDFS announced that providers’ compliance obligations under the state’s Commercial Finance Disclosure Law (CFDL) will not take effect until the necessary implementing regulations are issued and effective. The CFDL was enacted at the end of December 2020, and amended in February 2021, to expand coverage and delay the effective date to January 1, 2022. (See S5470-B, as amended by S898.) Under the CFDL, providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less. In October 2021, NYDFS published a notice announcing a proposed regulation (23 NYCRR 600) to implement the CFDL, which provided that the compliance date for the final regulation will be six months after the final adoption and publication of the regulation in the State Register (covered by InfoBytes here). Comments on the proposed regulation were due December 19. NYDFS noted in its announcement that “[i]n light of the significant feedback received, the Department is carefully considering the comments received and intends to publish a revised proposed regulation for notice-and-comment early in the new year.”

    State Issues Bank Regulatory NYDFS Commercial Finance CFDL Compliance New York Agency Rule-Making & Guidance

  • SEC levies $18 million fine for mishandling MNPI

    Securities

    On November 19, the SEC announced that an investment company affiliate of a global consulting firm agreed to pay $18 million to settle alleged compliance failures. The affiliate provided investment services to current and former partners and employees of the consulting firm. The SEC alleged that the affiliate failed to maintain adequate policies and procedures to prevent firm partners from misusing material nonpublic information (MNPI) gained from consulting clients to make investment decisions. The SEC alleged that the affiliate invested hundreds of millions of dollars in companies that the firm was advising. According to the SEC, certain firm partners oversaw these investments and had access to MNPI, such as financial results, planned bankruptcy filings, mergers and acquisitions, among other things, as a result of the consulting work they did for the firm.

    According to the cease-and-desist order, allowing active firm partners, “individuals who had access to MNPI about issuers in which [affiliate] funds were invested, to oversee and monitor [the affiliate’s] investment decisions presented an ongoing risk of misuse of MNPI.” The SEC claimed that the affiliate allegedly violated Sections 204A and 206(4) of the Investment Advisers Act of 1940 (related to the prevention and misuse of MNPI and prohibited investment adviser transactions), as well as Rule 206(4)-7 (concerning compliance policies and procedures). Without admitting or denying the findings, the affiliate consented to the entry of the cease-and-desist order, a censure, and the $18 million penalty.

    Securities SEC Enforcement Compliance Investment Advisers Act

  • CFPB publishes Regulation F debt collection compliance guidance

    Agency Rule-Making & Guidance

    On October 29, the CFPB released information on validation notices to help facilitate compliance with requirements in the Regulation F debt collection final rule. As previously covered by InfoBytes, in October 2020 the CFPB issued its final rule (effective November 30) amending Regulation F, which implements the Fair Debt Collection Practices Act, addressing debt collection communications and prohibitions on harassment or abuse, false or misleading representations, and unfair practices. The CFPB released guidance for debt collectors offering instructions on how to provide certain validation information, including using the “Itemization Table” in the model validation notice as well as examples of how the table might be completed for different types of debts. The guidance also provides, among other things, examples of itemization tables for the collection of multiple debts owed by the same consumer.

    The Bureau also issued new FAQs related to Regulation F that address validation information generally and validation information related to residential mortgage debt. Among other things, the FAQs: (i) specify the validation information debt collectors must provide consumers who owe or allegedly owe a debt; (ii) clarify that while the use of the model validation notice provided in Appendix B of the final rule is not required, debt collectors must comply with the validation information content and format requirements in Regulation F; (iii) specify that a debt collector can make changes to the model validation notice and still obtain the validation information content and format safe harbor with certain limitations; (iv) state that a debt collector does not need to provide the itemization-related information in a validation notice provided the debt collector follows a special rule for certain residential mortgage debt; (v) outline validation information that may be omitted if using the Mortgage Special Rule, and clarify that generally if a debt collector uses the Mortgage Special Rule with the model validation notice, the debt collector may still receive a safe harbor as long as certain criteria are met; (vi) define “most recent periodic statement” for purposes of the Mortgage Special Rule; and (vii) clarify that under the Mortgage Special Rule, a debt collector “uses the date of the periodic statement provided under that Special Rule as the itemization date.” As previously covered by InfoBytes, the Bureau issued FAQs last month discussing limited-content messages and the call frequency provisions under the Debt Collection Rule in Regulation F.

    Agency Rule-Making & Guidance CFPB Debt Collection Regulation F Compliance Mortgages

  • SEC Division of Enforcement says firms should take proactive compliance measures

    Securities

    On October 6, the SEC Director of the Division of Enforcement, Gurbir Grewal, discussed the agency’s mission to maintain market integrity and improve public confidence in the securities market. While Grewal noted that enforcement actions taken over the past few years have helped to significantly animate the idea that the SEC “will pursue potential violations by any market participant,” he stressed the need for joint coordination to promote better conduct among market participants. According to Grewal, this includes firms examining ways their specific business models and products interact with both emerging risks and enforcement priorities and tailoring compliance practices and policies accordingly. He stressed that market participants should take “proactive” compliance measures, including enhancing recordkeeping requirements, and anticipate emerging challenges instead of waiting for an enforcement action to implement the appropriate policies and procedures. Grewal also discussed the key role market participants play in identifying and addressing emerging risks. This could include ensuring proactive compliance efforts continue even after violative conduct has occurred, cooperating with SEC investigations, and voluntarily self-reporting potential violations “before the violation is about to be publicly announced.” Grewal also noted that the SEC is currently evaluating its approach to enforcement action penalties to better assess whether past penalties have sufficiently deterred misconduct.

    Securities SEC Enforcement Compliance Agency Rule-Making & Guidance

  • CFPB offers reminder on forbearance options for borrowers

    Federal Issues

    On September 30, the CFPB issued an analysis of recent rules that ensure mortgage servicers provide options to potentially vulnerable borrowers exiting forbearance. The analysis points out that there are approximately 1.6 million borrowers exiting mortgage forbearance programs and that many may be vulnerable to a greater risk of harm due to a variety of circumstances, which may have been exacerbated by the effects of the Covid-19 pandemic. As previously covered by a Buckley Special Alert, the Bureau issued a final rule earlier this year, which took effect August 31, obligating servicers to continue specifying, with substantial detail, any loss mitigation options that may help borrowers resolve their delinquencies. In April, the CFPB also urged mortgage servicers “to take all necessary steps now to prevent a wave of avoidable foreclosures this fall.” Citing the millions of homeowners in forbearance due to the Covid-19 pandemic, the Bureau’s April compliance bulletin warned servicers that consumers would need assistance when pandemic-related federal emergency mortgage protections expire (covered by InfoBytes here). In addition, in August the Bureau released an overview report of Covid-19 pandemic responses from 16 large mortgage servicers, finding that, among other things: (i) most servicers reported abandonment rates of less than 5 percent during the reporting period, while others’ rates exceeded 20 percent, with one servicer as high as 34 percent; (ii) most servicers saw increased rates of borrowers who were delinquent upon exiting pandemic hardship forbearance programs in March and April 2021 compared to previous months; and (iii) delinquency rates ranged from about 1 percent to 26 percent for federally-backed and private loans (covered by InfoBytes here). 
    According to the September analysis, the Bureau “encourages servicers to enhance their communication capabilities and outreach efforts to educate and assist all borrowers in resolving delinquency and enrolling in widely available assistance and loss mitigation options.” The Bureau further encourages servicers to ensure that their compliance management systems include robust measures and warns against one-size-fits-all practices that may harm vulnerable consumers.

    Federal Issues CFPB Forbearance Mortgages Loss Mitigation Mortgage Servicing Compliance Covid-19 Consumer Finance

  • OCC to host risk management workshops

    Federal Issues

    On September 23, the OCC released its lineup of free, virtual workshops for boards of directors of community national banks and federal savings associations. Included as part of the workshops to be held this fall and winter is a risk management series focusing on risk governance, credit risk, operational risk, and compliance risk. Another workshop will present guidance for directors and senior managers on building blocks for success. A schedule of the upcoming workshops is available here.

    Federal Issues OCC Compliance Risk Management Bank Regulatory

  • OCC issues cease and desist order against bank

    Federal Issues

    On September 20, the OCC announced a cease and desist order issued against a bank for alleged “unsafe or unsound practices” related to “technology and operational risk management,” in addition to the bank’s noncompliance with the OCC’s Interagency Guidelines Establishing Information Security Standards contained in Appendix B to 12 CFR Part 30. Without admitting to or denying the claims, the bank is required by the order to improve information technology and operational risk governance, technology risk assessments, internal controls, and staffing deficiencies. Specifically, the bank must develop an acceptable, written action plan outlining the remedial actions necessary to achieve compliance with the order by addressing the alleged unsafe or unsound practices and noncompliance, which must specify, among other things, a description of the corrective actions, reasonable and well-supported timelines, and those responsible for completing the actions. The order provides that the bank must also establish a Compliance Committee to submit quarterly: (i) “a description of the corrective actions needed to achieve compliance with each Article of the order”; (ii) “the specific corrective actions undertaken to comply with each Article of the Order”; and (iii) “the results and status of the corrective actions.”

    Federal Issues OCC Enforcement Cease and Desist Compliance Risk Management Bank Regulatory

  • FTC says health apps must comply with Health Breach Notification Rule

    Privacy, Cyber Risk & Data Security

    On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and ensures that entities not covered by HIPAA are held accountable in the event of a security breach. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day. The FTC’s policy statement (approved by a 3-2 vote) clarifies the Rule’s scope and puts companies on notice of their reporting obligations. According to the FTC, health apps that are increasingly collecting sensitive and personal data from consumers have a responsibility to ensure the collected data is secured from unauthorized access. However, the FTC expressed concern that there are still few applicable privacy protections. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

    Privacy/Cyber Risk & Data Security FTC Data Breach Compliance Consumer Protection Agency Rule-Making & Guidance

  • NYDFS offers guidance on preventing sexual orientation discrimination in mortgage lending

    State Issues

    On August 31, NYDFS issued new guidance to regulated mortgage lenders for developing and implementing programs to comply with the state’s fair lending law, which “prohibits discrimination in, among other things, the granting, withholding, extending, or renewing, or in the fixing of the rates, terms, or conditions of any form of credit on the basis of sexual orientation.” According to an analysis conducted by NYDFS of mortgage loan applications and mortgage loan terms (between 2016 and 2018) from four non-depository lenders and one bank, “in all but two of the fifteen data sets reviewed, same-sex pairs of applicants were denied mortgage loans at higher rates than opposite-sex pairs of applicants.” Additionally, the analysis found that “in six of the data sets, same-sex pairs received between 9 and 17 basis points higher average annual percentage rates than opposite-sex pairs.” NYDFS emphasized that a “same-sex pair” does not necessarily involve LGBTQI individuals, but could also be a mortgage loan application from a father and son or two business partners of the same sex, among other pairings. As such, NYDFS acknowledged that it was “unable to determine with certainty whether discrimination based on sexual orientation occurred as to any particular same-sex pair within the data set.”

    However, because NYDFS concluded that its findings raised enough concerns over the potential for discrimination against LGBTQI mortgage applicants, NYDFS advised mortgage lenders to take the following actions, among others, to mitigate discrimination: (i) vest responsibility in senior management to develop a fair lending plan and ensure mortgage lending practices comply; (ii) monitor the implementation of the fair lending plan and “continually address[] application and underwriting processes as well as pricing policies”; (iii) implement a training program and semi-annually provide updates on fair lending issues; (iv) “[e]nsure automatic and timely review by a higher-level supervisor of all rejected or withdrawn applications for loans from same-sex pairs who indicated that they would live together in the mortgaged property”; (v) extend (in writing) a fair lending plan’s principles to a mortgage lender’s refinancing and collection practices; and (vi) periodically review and update fair lending compliance programs and fair lending plans to ensure they remain current. Mortgage lenders are also advised to utilize rate sheets and exception logs to document applications from same-sex pairs, document approved loans for such applicants that received less favorable terms, and conduct statistical and regression analysis of loan data.

    State Issues State Regulators NYDFS Mortgages Fair Lending Compliance Bank Regulatory

  • FINRA reminds firms of third-party supervisory obligations

    Agency Rule-Making & Guidance

    On August 13, the Financial Industry Regulatory Authority (FINRA) reminded member firms of their supervisory obligations related to outsourcing to third-party vendors. Regulatory Notice 21-29 reiterates that supervisory obligations under FINRA Rule 3110 extend to member firms’ outsourcing of certain “covered activities” and reminds firms that under Regulatory Notice 05-48, “‘outsourcing an activity or function to … [a vendor] does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and [FINRA] and MSRB rules regarding the outsourced activity or function.’” Emphasizing that “member firms have continued to expand the scope and depth of their use of technology and have increasingly leveraged [v]endors to perform risk management functions and to assist in supervising sales and trading activity and customer communications,” FINRA reminds member firms that supervisory systems and associated written supervisory procedures extend to the “outsourced activities or functions” of their vendors. The notice also cites examples of violations uncovered during previous examinations linked to third-party vendors related to data integrity, cybersecurity and technology governance, and books and records requirements. These include instances where firms’ vendors failed to implement technical controls or failed to properly manage customers’ nonpublic information. Member firms are encouraged to take a “risk-based approach” to vendor management and to assess whether their supervisory procedures for third-party vendors are “sufficient to maintain compliance with applicable rules.”

    Agency Rule-Making & Guidance FINRA Compliance Third-Party Risk Management Vendor Management
