On September 23, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here, here, here and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in order to satisfy the department guidance. The guidance also provides that the department will expedite and waive fees for change of address applications in the event that a licensed location is compromised by Covid-19 or is undergoing decontamination. The guidance was extended through October 31, 2020.
On September 22, the Colorado governor issued Executive Order 2020 202, which amends Executive Order 2020 101, as amended and extended by earlier orders. The amendment provides that an individual is prohibited from filing or initiating actions for forcible entry and detainer (i.e. eviction), including any demand for rent, unless the individual has notified the tenant in writing of the federal protections against eviction provided by the Centers for Disease Control and Prevention’s Temporary Halt in Residential Evictions To Prevent the Further Spread of Covid-19. The individual must provide as notice a copy of the CDC’s order. Certain aspects of Executive Order 2020 101, including the amendments pursuant to Executive Order 2020 202, will expire 30 days from September 2020. Other aspects of Executive Order 2020 101 will remain in full force and effect as originally promulgated. Previous coverage relating to Colorado’s eviction orders can be found here, here, and here.
On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy laws. According to the complaint filed in the Superior Court for the County of San Francisco, the company’s app allegedly failed to adequately safeguard and preserve the confidentiality of medical information by, among other things, (i) allowing access to user information without the user’s consent, by failing to “authenticate the legitimacy of the user to whom the medical information was shared”; (ii) allowing a password-change vulnerability to permit unauthorized access and disclosure of information stored in the app without the user’s consent; (iii) making misleading statements concerning implemented security measures and the app’s ability to protect consumers’ sensitive personal and medical information from unauthorized disclosure; and (iv) failing to implement and maintain reasonable security procedures and practices.
Under the terms of the settlement, the company—which does not admit liability—is required to pay a $250,000 civil penalty and incorporate privacy and security design principles into its mobile apps. The company must also obtain affirmative authorization from users before sharing or disclosing sensitive personal and medical information, and must allow users to revoke previously granted consent. Additionally, the company is required to provide ongoing annual employee training concerning the proper handling and protection of sensitive personal and medical information, in addition to training on cyberstalking awareness and prevention. According to the AG’s press release, the settlement also includes “a first-ever injunctive term that requires [the company] to consider how privacy or security lapses may uniquely impact women.”
On September 21, the Virginia governor announced the expansion of Rebuild VA, the $70 million economic recovery fund for small businesses and nonprofits impacted by Covid-19. As a result of the expanded eligibility requirements, businesses that received funding from the federal CARES Act and supply chain partners of businesses whose normal operations were impacted by the Covid-19 pandemic will be eligible to receive grants of up to $10,000. The Rebuild VA funding may be used for, among other things, payroll support, employee salaries, mortgage payments, rent, and utilities. The announcement provides additional information regarding eligibility for the grants.
On September 21, the New York governor issued Executive Order 202.64, which extends the moratorium on Covid-19-related commercial evictions until October 20. The eviction moratorium, which was first issued on March 20, has been extended several times. For our previous coverage, see here.
On September 21, the California Department of Real Estate issued FAQs on licensing processes during Covid-19. The FAQs respond to questions regarding, among other things, how to determine whether an exam has been cancelled and how to reschedule the exam, the best way to complete a renewal of an expiring real estate license, completing continuing education requirements, and whether the DRE will accept electronic signatures on licensing documents.
On September 16, NYDFS filed a statement of charges against a debt collector for allegedly failing to honor consumers’ requests for substantiation of debt. This is the first enforcement action alleging violations of New York’s Debt Collection Regulation, 23 NYCRR Part 1, which was promulgated in 2015. New York law dictates that substantiation must be provided within 60 days after receiving a request, and specifies what documentation must be provided to substantiate the debt. Charges filed against the company allege that requests made by consumers for information proving the validity of the debt and the company’s right to collect the debt were not honored in several ways, such as failing to provide (i) any substantiation to dozens of consumers; (ii) sufficient substantiation to hundreds of consumers, for example, by omitting a complete chain of title or underlying transaction documents; and (iii) substantiation within the required timeframes. NYDFS maintains that the company’s actions violate 23 NYCRR Part 1, Section 1.4, and that such violation carries civil penalties of up to $1,000 per offense under state law. Additionally, NYDFS claims that “each failure to provide any substantiation, timely substantiation, or sufficient substantiation of debt constitutes an independent offense.” A hearing is scheduled for January 12, 2021 before a hearing officer to be appointed by the Superintendent of Financial Services.
On September 15, the New York attorney general announced a settlement with a national franchisor of a coffee retail chain to resolve allegations that the company violated New York’s data breach notification statute and several state consumer protection laws by failing to protect thousands of customer accounts from a series of cyberattacks. As previously covered by InfoBytes, the AG claimed that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in more than 20,000 compromised accounts and “tens of thousands” of dollars stolen. Following the attacks, the AG alleged that the company failed to take steps to protect the affected customers or to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. The settlement, subject to court approval, would require the company to (i) notify affected customers, reset their passwords, and refund any stored value cards used without permission; (ii) pay $650,000 in penalties and costs; (iii) maintain safeguards to protect against similar attacks in the future; and (iv) develop and follow appropriate incident response procedures.
On September 15, the Conference of State Bank Supervisors (CSBS) announced the launch of a single, streamlined examination for money transmitters operating nationwide (i.e., in 40 or more states), known as “MSB Networked Supervision.” The single exam—which will apply to “78 of the nation’s largest payments and cryptocurrency companies”—will be led by one state overseeing a group of examiners sourced from around the country. MSB Networked Supervision is a result of recommendations from the CSBS Fintech Industry Advisory Panel and CSBS Vision 2020 (covered by InfoBytes here).
On September 15, the CFPB filed a complaint and proposed stipulated judgment against a trust, along with three banks acting in their capacity as trustees to the trust, for allegedly providing substantial assistance to a now defunct for-profit educational institution in engaging in unfair acts and practices in violation of the Consumer Financial Protection Act. The Bureau asserted that the trust owned and managed private loans for students attending the defunct institution, even though the trust “allegedly knew or was reckless in not knowing that many student borrowers did not understand the terms and conditions of those loans, could not afford them, or in some cases did not even know they had them.” The Bureau alleged that the defunct institution induced students to take out loans through several unfair practices, including “using aggressive tactics, and in some cases, gaining unauthorized access to student accounts to sign students up for loans without permission.” These loans, the Bureau contended, carried default rates well above what was expected for student loans. According to the Bureau, the trust was allegedly actively involved in the servicing, managing, and collection of these student loans.
If approved by the court, the Bureau’s proposed settlement would require the trust to (i) cease collection efforts on all outstanding loans owned and managed by the trust; (ii) discharge all outstanding loans owned and managed by the trust; (iii) ask all consumer reporting agencies to delete information related to the trust’s loans; and (iv) notify all affected consumers of these actions. The Bureau estimated that the total amount of loan forgiveness is roughly $330 million.
This settlement is the third reached by the Bureau in relation to the defunct institution’s private loan programs. In 2019, the defunct institution reached a settlement with the Bureau (covered by InfoBytes here), which required the payment of a $60 million judgment. Additionally, the Bureau entered into another settlement in 2019 with a different company that managed student loans for the defunct institution’s students, which required the loan management company to comply with similar requirements as the trust (covered by InfoBytes here).
- Daniel P. Stipano to discuss "Making customers whole: Trends in remediation and restitution expectations" at the American Bar Association Business Law Virtual Section Meeting
- Jonice Gray Tucker to discuss "Fairness gone viral: Fair lending considerations for financial institutions amid Covid-19" at the American Bar Association Business Law Virtual Section Meeting
- Daniel P. Stipano to discuss "High standards: Best practices for banking marijuana-related businesses" at the ACAMS AML & Anti-Financial Crime Conference
- Daniel P. Stipano to discuss "Wait wait ... do tell me! Where the panelists answer to you" at the ACAMS AML & Anti-Financial Crime Conference
- Matthew P. Previn and Walter E. Zalenski to discuss "Is valid when made ... valid?" at the Women in Housing & Finance Partner Series webinar
- Warren W. Traiger and Caroline K. Eisner to discuss "CRA modernization and the OCC final rule" at CBA Live
- Daniel R. Alonso to discuss "Transnational corruption: A chat with former U.S. federal prosecutors in New York" at Marval Live Talks
- Sherry-Maria Safchuk and Lauren Frank to discuss "New CFPB interpretation on UDAAP" at a California Mortgage Bankers Association Mortgage Quality and Compliance Committee webinar
- Thomas A. Sporkin to discuss "Managing internal investigations and advanced government defense" at the Securities Enforcement Forum
- H Joshua Kotin to discuss "Mortgage servicing in a recession: Early intervention, loss mitigation and more" at the NAFCU Virtual Regulatory Compliance Seminar
- Daniel R. Alonso to discuss "Independent monitoring in the United States" at the World Compliance Association Peru Chapter IV International Conference on Compliance and the Fight Against Corruption
- Jonice Gray Tucker to discuss "The future of fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Pandemic fallout – Navigating practical operational challenges" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute