InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC, DOJ sue maker of health app over data sharing
On May 17, the DOJ filed a complaint on behalf of the FTC against a health app for violating the Health Breach Notification Rule (HBNR) by allegedly sharing users’ sensitive personal information with third parties, disclosing sensitive health data, and failing to notify users of these unauthorized disclosures. According to the complaint, users were allegedly repeatedly and falsely promised via privacy policies that their health information would not be shared with third parties without the user’s knowledge or consent, and that any collected data was non-identifiable and only used for the defendant’s own analytics or advertising. The FTC charged the defendant with failing to implement reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools and for sharing health information used for advertising purposes without obtaining users’ affirmative express consent. Under the HBNR, companies with access to personal health records are required to notify users, the FTC, and media outlets in certain situations, if there has been an unauthorized acquisition of unsecured personal health information. The defendant also allegedly failed to impose limits on how third parties could use the data and failed to adequately encrypt data shared with third parties, thus subjecting the data to potential interception and/or seizure by bad actors.
The proposed court order would require the defendant to pay a $100,000 civil penalty, and would permanently prohibit the company from sharing personal health data with third parties for advertising and from making future misrepresentations about its privacy practices. The defendant would also be required to (i) obtain user consent before sharing personal health data; (ii) limit data retention; (iii) request deletion of data shared with third parties; (iv) provide notices to users explaining the FTC’s allegations and the proposed settlement; and (v) implement comprehensive security and privacy programs to protect consumer data. The defendant has also agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon (who collaborated with the FTC on the action) for violating state privacy laws with respect to its data sharing and privacy practices.
Oregon clarifies appraisal company registration authority
On March 13, the Oregon governor signed HB 2287 to clarify that the Appraiser Certification and Licensure Board (the “Board”) is the entity responsible for determining specified criteria for registration or certification of real estate appraisal management companies. In Oregon, “[a] person may not directly or indirectly engage in or attempt to engage in business as an appraisal management company or advertise or represent that the entity is an appraisal management company unless the person is” registered with the Board or is owned and controlled by an insured depository institution. The Act takes effect 91 days following adjournment of the legislature.
Oregon issues remote work guidance to licensed loan originators
On September 21, the Oregon Department of Consumer and Business Services filed permanent administrative order FSR 3-2022 with the Secretary of State to allow licensed loan originators and employees to work from home. Under the order, Oregon licensed mortgage loan originators “may originate loans from a location other than from a licensed branch office if the location is the licensed mortgage loan originator’s home; the licensed mortgage loan originator is an employee of a mortgage banker or mortgage broker; and the mortgage banker or the mortgage broker complies with OAR 441-860- 0040, as applicable.” Mortgage bankers or brokers must have in place appropriate policies and procedures to supervise licensees working from home, including data security measures to protect consumers’ personal data. Additionally, licensees working from home “are prohibited from engaging in person with consumers for loan origination purposes at the home of the loan originator or employee, unless the home is licensed as a branch.” Licensees may, however, “engage with consumers for loan origination purposes at the home of the loan originator or employee by means of conference telephone or similar communications equipment that allows all persons participating in the visitation to hear each other, provided that participation is controlled and limited to those entitled to attend, and the identity of participants is determinable and reasonably verifiable.” Licensees who work from home are also prohibited from keeping any physical business records at any location other than a licensed location, and must also ensure that all origination records are available at a licensed location.
District Court rules non-judicial foreclosure claims fail
On August 30, the U.S. District Court for the District of Oregon granted defendants’ motion for summary judgment in an action concerning an allegedly unlawful non-judicial foreclosure. Plaintiffs obtained a cash-out loan in 2005 and modified their mortgage terms. The plaintiffs stopped making payments after one of the defendant loan servicer’s agents allegedly informed them that “help was only available if they were in default,” and the defendant loan servicer threatened foreclosure. Following several years of bankruptcy proceedings and foreclosure mediation, plaintiffs sued to stop the foreclosure proceedings, claiming “that the deed of trust was void and that defendants committed fraud in attempting to foreclos[e] on the debt.” The initial non-judicial foreclosure proceedings were rescinded after the suit was dismissed with prejudice, and the defendant loan servicer was eventually allowed to proceed with a second non-judicial foreclosure under Oregon law. Plaintiffs sent a dispute letter demanding that the foreclosure be rescinded because the order in which several notices of default showing the amounts due and the amounts necessary to reinstate were sent did not comply with state law. After the notice was rescinded and a new notice of default was issued and recorded, plaintiffs sued again, seeking to enjoin the defendant trustee’s sale and filing several claims, including breach of contract and violations of the Oregon Unfair Trade Practices Act (OUTPA), RESPA, and FDCPA.
In granting summary judgment to the defendants on each of the claims, the court determined that the breach of contract claim fails because plaintiffs acknowledged that because “they have not substantially performed under the relevant contract,” they are precluded from seeking damages. The FDCPA claim against the defendant trustee also fails “because it is based on a perceived lack of authority under the relevant contract, but as explained in the breach of contract claim, that authority was not lacking.” Finally, the OUTPA and RESPA claims both fail “because there is no evidence that they incurred damages arising out of either claim”—a required element under both statutes, the court said. According to the court, plaintiffs failed “to support their drastic allegations with relevant evidence” and failed to “point to specific evidence supporting valid legal claims.”
Oregon approves final student loan servicer regulations
Recently, the Oregon Department of Consumer and Business Services, Division of Finance and Securities Regulation (the Department), filed agency-approved student loan servicer licensing regulations with the Oregon Office of the Secretary of State. The regulations implement SB 485 (enacted last July and covered by InfoBytes here), which established provisions for student loan servicers related in part to licensing requirements, including the requirement that an applicant for a student loan servicer license should submit applications via the Nationwide Multistate Licensing System (NMLS).The act also implemented related consumer protections for borrowers.
The new regulations establish specific application requirements, including provisions related to subcontractors performing servicing activities on behalf of the student loan servicer. The regulations also provide for automatic licensure for applicants that service student loans under a contract with the Department of Education. Additionally, the regulations address (i) procedures for licensing branch locations; (ii) licensing renewals and fees; (iii) liquidity standards; (iv) bond requirements; (v) various annual reporting requirements; (vi) assessment payments and examination fees; (vii) rules for using an assumed business name; (viii) financial responsibility criteria; (ix) student loan servicer duties and responsibilities in addition to prohibited acts; and (x) licensing exemptions. The regulations also establish the Department director’s supervisory authority and outline disclosure requirements for significant developments or changes to a licensee’s record. The regulations became effective July 1.
States settle with company on fraudulent MLO certifications
On February 10, the Conference of State Bank Supervisors announced that the California Department of Financial Protection and Innovation, Maryland’s Office of the Commissioner of Financial Regulation, and the Oregon Division of Financial Regulation have reached a settlement agreement with the owner of a California-based company for providing false certificates claiming that mortgage loan originators (MLOs) took mandatory eight-hour continuing education courses as required for licensure under state and federal law. The three state financial regulators brought separate enforcement actions alleging violations of the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act) against the individual and his family (collectively, “respondents”) for their role in the “multi-state fraud scheme that involved hundreds of mortgage loan originators.” According to the announcement, the respondents have “agreed to fully cooperate and provide testimony against implicated mortgage loan originators,” and have “agreed to a lifetime restriction from direct and indirect involvement in businesses that provide mortgage lending-related education.” In addition to a $75,000 monetary penalty (which will be divided between the three states), the respondents have agreed to a non-compliance penalty of $15 million should they fail to fully comply with the terms of the settlement agreement.
The action follows a multistate $1.2 million settlement reached last month with 441 MLOs. As previously covered by InfoBytes, the enforcement action included the participation of 44 state agencies from 42 states, and required the settling MLOs to surrender their licenses for three months, pay a $1,000 fine to each state that is a signatory to the consent order in which the MLO holds a license, and take pre-licensing and continuing-education courses before petitioning or reapplying for an MLO endorsement or license.
Oregon enacts student loan servicer provisions
On July 27, the Oregon governor signed SB 485, which outlines licensing provisions for student loan servicers and implements consumer protections for borrowers. Among other things, the act requires, subject to certain exemptions, persons servicing student loans to obtain a license from the Oregon Department of Consumer and Business Services (DCBS). Should the director reasonably believe that a person subject to the act’s provisions is “engaging in or is about to engage in an act or practice that constitutes servicing a student loan in this state without first obtaining a license” the director may order the person to cease and desist, affirmatively perform the act, or may apply to an Oregon circuit court to enjoin the person from engaging in such act or practice. Additionally, the act outlines requirements related to, among other things, (i) licensing applications, including that the director may require applicants to submit applications to the Nationwide Multistate Licensing System instead of, or in addition to, submitting the application to the director; (ii) licensing renewals, reinstatements, and surrenders; (iii) a licensee’s principal place of business; (iv) liquidity standards; and (v) branch closures, relocations, or the opening of new locations. Under the act, the director is also granted general supervisory authority over each licensee in the state, examination authority, and the ability to participate in multistate examinations scheduled and conducted by the Conference of State Bank Supervisors or the CFPB. The director may also investigate borrower complaints and servicers’ policies and procedures, may impose civil penalties for violations of the act’s provisions, and may promulgate rules and take any other actions necessary to undertake and exercise the duties and powers conferred on the position. The act also outlines provisions related to servicing obligations, prohibits student loan servicers from engaging in fraudulent, deceptive, and dishonest activities, and creates a student loan ombudsperson at DCBS to handle complaints against student loan servicers and educate borrowers about loan repayment options. The act took effect on its passage.
Oregon extends moratorium on evictions, creates rent payment grace period
On June 30, Oregon enacted legislation that prohibits residential and commercial evictions based on nonpayment of rent during an “emergency period,” which extends from April 1 until September 30, 2020. The law also creates a six month grace period for tenants to make outstanding rental payments accrued during the emergency period. Tenants cannot be evicted during the grace period for failure to repay rent accrued during the emergency period, but tenants must make rental payments going forward. Prior to enactment of the legislation, the Oregon governor created a moratorium on eviction using an executive order.
Oregon enacts bill providing payment deferrals and foreclosure relief
On June 30, the Oregon governor signed HB 4204, which requires mortgage payment deferrals and limits foreclosures during the Covid-19 emergency period, which runs from March 8 until September 30. Among other things, during that period, a lender may not treat as a default a borrower’s failure to make a periodic installment payment or to pay any other amount that is due to the lender if, at any time during the emergency period, the borrower notifies the lender of his or her inability to make the periodic installment payment. Unless the lender and borrower do not otherwise agree to otherwise modify, defer, or mitigate a loan, the lender must refrain from collecting during the emergency period and must permit the borrower to pay the amounts deferred at the end of the mortgage term. The bill also imposes certain restrictions on a lender’s ability to assess late fees and to pursue a foreclosure. The bill became effective on June 30.
Oregon authorizes remote notarizations through July 2021
On June 30, the Oregon governor signed HB 4212A into law, which authorizes remote online notarization through July 2021. Under the new law, a commissioned notary public may use audio-visual technology to perform notarizations, subject to certain requirements, limitations and conditions. The Oregon secretary of state also issued guidance which assists notaries to find technology vendors that meet the requirements of the new law, register for online notarization training, and submit the required notice form.