InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
West Virginia regulator permits financial institution employees to work remotely
On March 13, the West Virginia Division of Financial Institutions issued temporary guidance permitting employees of regulated entities to work from home or another remote location approved by the financial institution. Temporary assignments under the guidance are permitted from March 13 through May 1. The Division emphasized that regulated institutions should ensure that privacy and security issues are adequately addressed. The Division reminded depository entities of the prior notice requirements for branch closures or limited service, and requested that they review and implement pandemic preparedness plans. The guidance also addressed requirements specific to mortgage loan originators, indicating that they must, among other things, maintain records identifying the dates and locations where each licensed originator worked remotely and have current and approved policies for access to secure origination systems. In addition, MLOs and other employees working remotely may not meet with borrowers at an unlicensed branch location.
Minnesota banking regulator issues guidance for collection agencies and debt collectors
On March 13, the Minnesota Commerce Department released guidance to licensed collection agencies granting permission for individual debt collectors to work from home, even where the residence is not a licensed branch location. The collection agencies should ensure that no activity will be conducted in person with members of the public from the home location, the licensee must “at all times exercise supervision of the activity being performed” at the home office, and ensure there are the appropriate safeguards to protect consumer data and information. The guidance is effective through April 30.
Mississippi Department of Banking and Consumer Finance encourages institutions to work with customers during pandemic
On March 13, Mississippi’s Department of Banking and Consumer Finance announced regulatory guidance encouraging financial institutions to work with customers and communities affected by the Covid-19 pandemic. Specifically, financial institutions are encouraged to engage in various efforts, including: (i) waiving fees such as ATM, overdraft, and late fees; (ii) increasing ATM daily cash withdrawal limits; (iii) easing restrictions on cashing checks; (iv) increasing credit card limits for creditworthy borrowers; and (v) offering payment accommodations including forbearance. The Department also addressed financial condition review, supervisory responses, and regulatory relief, as well as reporting requirements, and making alternative service options available to customers.
New Hampshire regulator provides guidance on branch closures, annual meetings, and examinations
On March 13, the New Hampshire Banking Department (NHBD) issued a memorandum to state-chartered banks, credit unions, and trust companies encouraging them to work constructively with customers experiencing difficulty due to Covid-19 and offering guidance on branch closures, annual meetings, examinations, and liquidity. Banks and credit unions do not need prior authorization to use only the drive-through portion of a branch or adjust normal business hours but must submit applications to the NHBD for branch closures in excess of 48 hours. If necessary, credit unions may conduct annual meetings via video or teleconference and both banks and credit unions may request adjustments to examination schedules or additional time to respond to consumer complaints. Finally, institutions are asked to closely monitor liquidity levels in the event of higher than normal consumer cash withdrawals and ensure sources of liquidity are readily available.
Texas regulator: credit unions are free to react to Covid-19 pandemic
On March 13, the Texas Credit Union Department clarified its supervisory stance regarding how credit unions react to swiftly changing conditions resulting from Covid-19. The regulator indicated that while credit unions and their management teams should consult with appropriate legal and medical professionals when making Covid-19 related decisions, they are free to react as the Covid-19 scenario plays out so long as their decisions are reasonable and documented.
Wisconsin endorses FFIEC guidance for credit unions
On March 13, the Wisconsin Department of Financial Institution sent a letter to credit unions to support and reinforce the guidelines issued by the Federal Financial Institutions Examination Council on March 6, which recommended steps for credit unions to proactively prevent disruptions of operation and minimize contact with customers. The letter also encouraged credit unions to consider postponing annual meetings or conducting such meetings remotely.
California AG releases second set of modified proposed CCPA regulations
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications published last month (covered by Buckley Special Alerts here and here). According to a notice issued by the California Department of Justice, these changes are in response to roughly 100 comments received by the Department to the proposed February modifications and are intended “to clarify and conform the proposed regulations to existing law.”
Key modifications are as follows:
- Personal Information. In the February modifications, a section was added to provide guidance regarding the interpretation of CCPA definitions and specifically defined the term “personal information” and provided an example of when IP addresses were not considered “personal information.” In the recent modifications, the Attorney General (AG) struck this section of the regulations.
- Indirectly Receiving Personal Information. The modifications clarify that a business that does not collect personal information directly from a consumer is not required to provide a consumer with a notice at collection if it does not sell the consumer’s personal information.
- Notice at Collection for Employees. The modifications clarify that the notice at collection of employment-related information is not required to include a link to the business’s privacy policy.
- “Opt-Out Button” Button. The modifications strike a provision that previously provided a model for the opt-out button that companies could include on their websites as an additional way for consumers to opt out of selling their information, as well as information about when the button should be used.
- Privacy Policy. The privacy policy section appears to have been updated to further align with the CCPA. In addition to the currently proposed disclosure requirements, the modifications provide that privacy policies also identify: (i) the categories of sources from which personal information is collected, and describe these categories in such a way that allows consumers to meaningfully understand the information being collected; and (ii) all business or commercial purposes for collecting or sending consumers’ personal information, and describe the purposes in a way that allows consumers to meaningfully understand why the information is collected and sold. Further, if a “business has actual knowledge that it sells the personal information of minors under 16 years of age,” it must provide a description of the processes as required by sections 999.330 and 999.331, which outline special rules regarding minors.
- Responding to Requests to Know. While the regulations have made clear that there are certain types of data that a business must never disclose in response to a request to know, such as Social Security number, driver’s license or government ID number, biometric data, etc., the modifications clarify that when responding to a request to know, businesses must inform consumers “with sufficient particularity” that they have collected that type of information. The modifications provide the following example – the business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
- Responding to Requests to Delete. The modifications provide that if a business denies a consumer’s request to delete, the business sells personal information, and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer if he/she would like to opt out and include either the contents of, or a link to, the notice of right to opt-out.
- Service Providers. The modifications clarify that a service provider may not retain, use, or disclose personal information obtained while providing services unless the information is used to “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information” and complies with the CCPA’s requirements for a written contract for services. The modifications also add that while the service provider may use the personal information to build or improve the quality of it services, it may not build or modify household or consumer profiles to use in providing services to another business.
- Training: Record-Keeping. The modifications clarify that information retained for record-keeping purposes may not be shared with third parties “except as necessary to comply with a legal obligation.”
- Authorized Agent. The modifications clarify that businesses shall not require consumers, or a consumer’s authorized agent, to pay a fee to verify requests to know or to delete.
- Calculating the Value of Consumer Data. The modifications provide that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons in the United States and not just consumers.
Comments on the second set of proposed modifications are due by March 27. As a reminder, the CCPA became effective January 1.
Virginia eliminates fee for credit report security freezes
On March 10, the Virginia governor signed HB 509, which amends certain statutory provisions related to fees for security freezes on credit reports. Currently, a credit reporting agency (CRA) may charge a fee of not more than $5 when a consumer or his representative requests a security freeze on his credit report, though victims of identity theft are exempt from this fee. HB 509 prohibits CRAs from charging a fee for credit report freezes, regardless of whether the request comes from a victim of identity theft. The amendments take effect on July 1.
West Virginia amends Safe Mortgage Licensing Act for MLOs
On March 5, the governor of West Virginia signed HB 4353, which, among other things, amends the state’s Safe Mortgage Licensing Act as it relates to the issuance of mortgage loan originator (MLO) licenses. HB 4353 creates “a rational nexus requirement between prior criminal conduct and initial licensure decision making,” to guide commissioners or commissions with licensing authority. The law also details the consideration of past criminal conduct in the initial licensing of an MLO and eliminates offenses of “moral turpitude” from disqualifying an applicant from receiving a license, provided the crime does not have a “rational nexus” to MLO licensure.
New provisions added to the license issuance section of the Safe Mortgage Licensing Act address disqualification from license issuance. Under the new law, the commissioner may not disqualify an applicant from initial licensure because of a prior criminal conviction unless the crime bears a rational nexus to MLO licensure, as determined by consideration of (i) the nature and seriousness of the crime; (ii) the passage of time since the commission of the crime; (iii) the “relationship of the crime to the ability, capacity, and fitness required to perform the duties and discharge the responsibilities of the profession or occupation”; and (iv) any evidence of the applicant’s rehabilitation. In addition, the law permits an individual with a criminal record who has not previously applied for licensure to “petition the commissioner at any time for a determination of whether the individual’s criminal record will disqualify the individual from obtaining a license.” The amendments take effect on May 19.
ARRC proposes legislation for US dollar LIBOR contracts
On March 6, the Alternative Reference Rates Committee (ARRC) announced a legislative proposal for New York state legislation for U.S. dollar LIBOR contracts intended to “minimize legal uncertainty and adverse economic impacts associated with LIBOR transition.” The ARRC—a group of private-market participants convened by the Federal Reserve Board and the Federal Reserve Bank of New York in cooperation with a number of other federal financial regulatory agencies—explained that it proposed legislation in New York because the state’s law governs a substantial number of financial contracts that refer to U.S. dollar LIBOR. The proposed bill includes measures to address the absence of sufficient LIBOR fallback or transition language in existing financial contracts referencing LIBOR. The proposed legislation would prohibit parties from being able to use the discontinuance of LIBOR as a reason for declaring a breach of contract, establish a recommended benchmark replacement index as a commercially reasonable substitute for LIBOR, and override contractual language referencing a LIBOR-based rate and require use of the benchmark replacement. Contractual parties would also be permitted to mutually opt-out of any mandatory application of the proposed legislation under the bill. The ARRC specifically highlighted that its proposed legislation would not override existing contract language that already delineated a non-LIBOR rate as a fallback to LIBOR.