InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs
On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial services institutions (collectively, “covered entities”) that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date. As of September 4, a covered entity must (i) start presenting annual reports to the board by the Chief Information Security Officer on “critical aspects of the cybersecurity program”; (ii) create an “audit trail designed to reconstruct material financial transactions” in case of a breach; (iii) institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and (iv) implement encryption to protect nonpublic information it holds or transmits. Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.” Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.
In coordination with the reminder, NYDFS provided new updates to its FAQs related to 23 NYCRR Part 500. The original promulgation of the FAQs was covered in InfoBytes, as were the last updates in February and March. The four new updates to the FAQs add the following guidance:
- Clarifies that in certain circumstances, an entity can be a covered entity, an authorized user, and a third party service provider, and therefore must comply fully with all applicable provisions;
- Outlines specific compliance provisions for covered entities that have limited exemptions from the NYDFS cybersecurity requirements;
- Identifies a covered entity’s responsibilities when addressing cybersecurity risks with respect to bank holding companies; and
- Clarifies situations and requirements for when a covered entity can rely upon the cybersecurity program that another covered entity has implemented for a common trust fund.
Find continuing InfoBytes coverage on NYDFS’ cybersecurity regulations here.
Fannie Mae issues updated mortgage industry alert in California
Recently, Fannie Mae’s Mortgage Fraud Program issued an industry alert to mortgage companies operating in California regarding the use of false employment information by mortgage loan applicants. (See previous coverage in InfoBytes here). Fannie Mae extended its alert to Northern California and identified additional employers whose existence could not be verified by Fannie Mae. The alert provides “red flags” to help lenders and originators identify potential mortgage fraud when reviewing employment information.
Maryland Court of Appeals holds foreign securitization trusts do not need to be licensed in the state as collection agencies
On August 2, the Maryland Court of Appeals, in a consolidated appeal of four circuit cases, held that foreign statutory trusts are not required to obtain a debt collection agency license under the Maryland Collection Agency Licensing Act (MCALA) before filing foreclosure actions in state circuit courts. The decision results from two cases consolidated before the Court of Special Appeals and two actions appealed directly from circuit court proceedings, in which substitute trustees acting on behalf of two Delaware statutory trusts initiated foreclosure proceedings on homeowners who had defaulted on their mortgage payments. The homeowners challenged the foreclosure actions, arguing that the Delaware statutory trusts acted as collection agencies under MCALA by “obtain[ing] mortgage loans and then collet[ing] mortgage payments through communication and foreclosure actions” without being licensed. The lower courts dismissed all four foreclosure actions, finding the Delaware statutory trusts did not fall under the trust exemption to MCALA and were in the business of collecting consumer debts and therefore, subject to the MCALA licenses requirements, which both trusts had not obtained.
The overarching issue presented in the consolidated appeal was whether the Maryland General Assembly intended a foreign statutory trust, as owner of a delinquent mortgage loan, to obtain a license as a collection agency before directing trustees to initiate foreclosure proceedings. The court concluded that the plain language of MCALA was ambiguous as to the question and therefore, analyzed the legislative history and other similar statutes in order to determine the intent of the 1977 version of the law, as well as the reason the Department of Labor Licensing and Regulation revised the law in 2007 by departmental bill. Ultimately, the appeals court found the lower courts erred in dismissing the foreclosure actions against the homeowners, holding the General Assembly did not intend for MCALA to apply to foreclosure proceedings generally and therefore, foreign statutory trusts are not required to obtain a license under MCALA to initiate foreclosure proceedings.
Washington state updates mortgage provisions of Consumer Loan Act
On July 24, the Washington Department of Financial Institutions adopted new mortgage-related provisions of the state’s Consumer Loan Act (CLA). In addition to technical changes and certain definition modifications, the rulemaking, among other things, (i) adds a requirement that if electronic records are stored using a closed service, the service must be located in the U.S. or its territories; (ii) prohibits certain servicing activities, such as receiving payments and collection activities, from being conducted outside the U.S. or its territories; and (iii) requires servicers to maintain a compliance management system with the functionalities that are described in the CFPB’s Supervision and Examination Manual. The rulemaking is effective September 1.
Georgia Attorney General reaches settlement with mortgage company to resolve allegations concerning unauthorized third-party fees
On August 1, the Georgia Attorney General announced a settlement with a New Jersey-based mortgage company to resolve allegations that it charged unauthorized fees to Georgia consumers in violation of the state’s Fair Business Practices Act. According to the Attorney General’s office, the company allegedly marketed various third-party products and services, such as insurance products and home warranty programs, for certain mortgages it serviced and added the charges for these products and services to consumers’ monthly mortgage bills without their knowledge. Under the settlement terms, the company is required to (i) comply with the Fair Business Practices Act; (ii) refrain from soliciting third-party products and/or services to Georgia consumers; (iii) cease all billing for the alleged third-party products and services; (iv) notify consumers currently being billed for the alleged third-party products and services that the remainder of their contracts may be cancelled without penalty; (v) pay $25,000 in restitution; and (vi) pay $50,000 to the Attorney General’s office to go towards fees, penalties, investigation and litigation costs, and future consumer protection and education costs.
Bipartisan group of state Attorneys General seek legislative enhancements to combat anonymous shell companies
On August 2, a bipartisan group of 24 state Attorneys General sent a letter to ranking leaders of the House Financial Services Committee expressing support for legislation that requires disclosure of the owners of companies at the time of incorporation—in order to prevent “individuals from using anonymous shell companies to evade accountability”—but encouraged the adoption of additional components. The letter emphasizes that the use of anonymous shell companies allows criminals to launder and spend money attained through activities such as human trafficking and drug dealing, and legislative change could assist states in their investigation and enforcement against these crimes. Specifically, the letter requests that legislation addressing anonymous shell companies include the following components: (i) availability of information to state and local law enforcement to assist in civil and criminal investigations and provide states authority to enact relevant state laws; (ii) continued access to information throughout the investigation; and (iii) the definition of “beneficial ownership” does not allow loopholes that can be exploited by criminals.
District Court denies service provider’s motion to dismiss on several grounds, rules Bureau’s structure is constitutional
On August 3, the U.S. District Court for the District of Montana denied a Texas-based service provider’s motion to dismiss a suit brought by the CFPB over allegations that the service provider engaged in unfair, deceptive, and abusive acts or practices in violation of the Consumer Financial Protection Act (CFPA) by assisting three tribal lenders in the improper collection of short-term, small-dollar loans that were, in whole or in part, void under state law. (See previous InfoBytes coverage here.) The defendants moved to dismiss the claims on multiple grounds: (i) the Bureau’s structure is unconstitutional; (ii) the claims are not permitted under the CFPA; (iii) the complaint “fails to, and cannot, join indispensable parties;” and (iv) certain claims are time-barred.
In answering the service provider’s challenges to the Bureau’s constitutionality, the court ruled that the CFPB’s structure is legal and cited to orders from nine district courts and an en banc panel of the D.C. Circuit Court, which also rejected similar arguments. (See Buckley Sandler Special Alert.) Addressing whether the Bureau’s claims were permitted under the CFPA, the court ruled that other courts have held that enforcing a prohibition on amounts that consumers do not owe is different from establishing a usury limit, and that moreover, “[t]he fact that state law may underlie the violation . . . does not relieve [d]efendants . . . of their obligation to comply with the CFPA.” Regarding the defendants’ argument that the complaint should be dismissed on the grounds of failure to join an indispensable party because the tribal lenders possess sovereign immunity to the suit, the court wrote that “[u]nder these circumstances, the Court will not create a means for businesses to avoid regulation by hiding behind the sovereign immunity of tribes when the tribes themselves have failed to claim an interest in the litigation.” Furthermore, the court found that the remedies sought by the Bureau would not “impede the [t]ribal [l]enders’ ability to collect on their contracts or enforce their choice of law provisions directly.” Finally, the court stated that, among other things, the service provider failed to show that the Bureau’s suit fell outside the CFPA’s three-year statute of limitations for filing claims after violations have been identified.
Arizona Supreme Court holds statute of limitations for credit cards begins to accrue upon first missed payment
On July 27, the Arizona Supreme Court held that a cause of action to collect a credit card debt subject to an acceleration clause begins to accrue as of the date of the consumer’s first uncured missed payment. According to the opinion, the consumer was sued in 2014 by a debt collector for an unpaid balance of over $17,000 on a credit card issued in 2007. Throughout 2007 and 2008 the consumer routinely made late payments and completely missed the February 2008 payment. The consumer moved for summary judgment, arguing that the claim was barred by Arizona’s six-year statute of limitations, which began to accrue at the time of the first missed payment in February 2008. The motion was granted by the trial court. The appellate court reversed, agreeing with the debt collector that the cause of action for the entire debt does not accrue until the creditor accelerates the debt. Disagreeing with the appeals court, and affirming the trial court’s decision, the Arizona Supreme Court distinguished revolving credit card accounts from closed-end installment contracts, which have a set date that the debt must be paid in full. The court explained that with installment contracts, the accrual date can be no later than the date in which the entire balance must be paid, as compared to credit card accounts, which have no end date. On that basis, the court held that allowing a creditor to delay accrual by not accelerating the debt, would “functionally eliminate the protection provided to defendants by the statute of limitations.”
New Jersey state appeals court reverses $1.8 million ruling against bank over flood damage
On July 30, a New Jersey state appeals court reversed a lower court’s judgment awarding consumers over $1.8 million in connection with allegations that a national bank’s predecessor violated the state’s Consumer Fraud Act (CFA) by misrepresenting information to the town’s planning board in order to secure approvals for a housing development. Specifically, the plaintiffs had argued that, because of misrepresentations to the town’s planning board, the construction of a housing development was approved and resulted in the flooding of their home. According to the plaintiffs, the national bank’s predecessor was aware that their housing section could be susceptible to groundwater runoff but concealed the information from the planning board, and that had the planning board been aware of the information, the board would have denied the plans and the plaintiffs’ home would not have flooded. A jury agreed, and the trial court ultimately awarded the plaintiffs almost $50,000 in treble damages under the CFA claim, and $1.8 million in fees and expenses, along with smaller amounts of damages for nuisance and trespass claims.
On appeal, the panel reversed the damages for the CFA claims, including the fee award, holding that “there is a complete lack of proof of a causal connection” between the predecessor’s misrepresentations and the plaintiffs’ decision to purchase their residence. The court rejected the plaintiffs’ arguments that had the misrepresentations not been made, the construction of the development would have been denied and their house would not have flooded. The court concluded the argument was “speculative and attenuated” and there was no proof the development “would not have been built by another developer.”
Ohio Governor signs bill limiting payday lending
On July 30, Ohio’s governor signed into law HB 123, which “modifies the Short-Term Loan Act, specifies a minimum loan amount and duration for loans made under the Small Loan Law and General Loan Law, and limits the authority of credit services organizations to broker extensions of credit for buyers.” Under these amendments, payday lenders in the state will now be restricted to short-term loans of $1,000 or less, with terms for a single short-term loan set at a 91-day minimum and a one year maximum. Exemptions provided under the legislation will allow short-term loans with a minimum term of less than 91 days if the total monthly payments do not exceed an amount greater than six percent of the borrower’s verified gross monthly income or seven percent of the borrower’s verified net monthly income. Moreover, lenders are: (i) prohibited from demanding collateral for short-term loans; (ii) restricted to a small-dollar loan cap—including both fees and interest—set at 60 percent of the original principal; and (iii) required to grant borrowers three business days to rescind loans without interest. HB 123 further prohibits credit service organizations from extending credit in amounts of $5,000 or less, with repayment terms of one year or less, or with annual percentage rates exceeding 28 percent. The amendments, which take effect 90 days after the governor’s signature, will “apply only to loans that are made, or extensions of credit that are obtained, on or after the date that is [180] days after the effective date of this act.”