InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
New York Court of Appeals rules claims under Martin Act governed by three-year statute of limitations
On June 12, the New York Court of Appeals issued a 4 to 1 ruling that claims brought under the state’s Martin Act are governed by a statute of limitations of three years, not six. Former New York Attorney General Eric Schneiderman filed a suit against a bank alleging that in 2006 and 2007, the bank misrepresented the quality of residential mortgage-backed securities it created and sold, bringing its claims under the state’s Martin Act, which grants the Attorney General of New York expanded liability for investigating and enjoining fraudulent practices in the marketing of stocks, bonds and other securities beyond what can be recognized under the common law fraud statute. The bank argued that the action was time-barred because too much time had elapsed to bring claims under the Martin Act, and an argument ensued as to whether the three-year statute of limitations that applies to actions to recover upon a liability or penalty imposed by a statute, or the six-year statute of limitations that applies to an action based upon fraud, applied. In its decision, the majority wrote that the three-year period applied because the Martin Act “expands upon, rather than codifies, the common law of fraud” and “imposes numerous obligations—or ‘liabilities’—that did not exist at common law, justifying the imposition of a three-year statute of limitations.” The court concluded that the broad definition of “fraudulent practices” encompasses wrongs that are not otherwise cognizable under the common law and “dispenses, among other things, with any requirement that the Attorney General prove scienter or justifiable reliance on the part of investors.” The court remanded the case to the New York State Supreme Court for further proceedings concerning the state’s claim against the bank for alleged violations of Executive Law Section 63(12).
District Court denies joint request to stay payday rule but agrees to stay lawsuit
On June 12, the U.S. District Court for the Western District of Texas denied a joint request by the CFPB and two payday loan trade groups to stay the compliance date (August 19, 2019) of the Bureau’s final rule on payday loans, vehicle title loans, and certain other high-cost installment loans (Rule) until 445 days after final judgment in the pending litigation. The court declined to provide an explanation for the denial, but did grant the parties’ joint request to stay the lawsuit pending further court order. As previously covered by InfoBytes, the payday loan trade groups filed a lawsuit in April asking the court to set aside the Rule on the grounds that, among other reasons, the CFPB is unconstitutional and the Bureau’s rulemaking failed to comply with the Administrative Procedure Act. On May 31, the parties filed a joint request to stay the lawsuit and the compliance date for the Rule because of the Bureau’s plans to reconsider the Rule, which may repeal or revise certain provisions rendering the case moot or otherwise resolved.
Illinois, Connecticut, and Hawaii pass security freeze legislation
On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately. The Act also permits a consumer to request a security freeze by phone or electronic means, in addition to a request in writing.
This followed a similar action by the Connecticut governor, who on June 4 signed SB 472 to prohibit CRAs from charging a fee to consumers to place, remove, or temporarily lift a security freeze on a consumer's account. The legislation also, among other things, (i) prohibits CRAs from—as a condition of placing the freeze—requiring that consumers agree to limit their claims against the agency; (ii) increases the length of time that identity theft prevention and mitigation services must be provided to a consumer after a security breach from 12 to 24 months; and (iii) provides that the banking commissioner will adopt regulations that require CRAs to provide it with “dedicated points of contact” to allow the Department of Banking to assist consumers when a data breach occurs. The act takes effect October 1.
On June 6, the Hawaii governor signed HB 2342 to enhance protection of consumer information by expanding the methods consumers may use to request security freezes, and by prohibiting credit reporting agencies (CRAs) from charging consumers a fee to place, remove, or temporarily lift a security freeze on a consumer's credit report or records. Among other things, the act now permits a consumer or a “protected consumer’s representative” to request a security freeze via first-class mail, a telephone call, or through a CRA’s designated secure website, and also preserves the CRA’s ability to lift a security freeze when the freeze was executed due to material misrepresentation by the consumer. When lifting a security freeze, CRAs are required to send written confirmation to the affected consumer within five business days. The act takes effect July 1.
NYDFS will continue to pursue litigation if OCC moves forward with fintech charter
On June 6, New York Department of Financial Services (NYDFS) Superintendent, Maria T. Vullo, spoke to the Exchequer Club in Washington, DC, emphasizing, among other things, her opposition to the OCC’s proposal for a fintech charter. Vullo noted that the OCC has not actually finalized plans for the new charter and Comptroller, Joseph Otting, is expected to announce his views on the pending proposal soon. As previously covered by InfoBytes, two legal challenges, one by NYDFS and one by the Conference of State Bank Supervisors, were recently dismissed in separate district courts for lack of subject matter jurisdiction and ripeness due to the fact that the OCC has not issued a fintech charter nor has it finalized its plans to issue one. In her speech, Vullo, acknowledged these lawsuits and her desire to continue the litigation “rather than accept the OCC’s lack of authority in the non-depository space and respect the states’ regulation of and consumer protections in this area.” Vullo noted that fintech, when done right, is a “very good thing” that can assist in bringing banking services to underserved customers. But she also stated that companies that use financial technology should not be granted “an exemption from the rules that banks and other financial institutions follow to manage risk and protect consumers.”
Vullo also touched on (i) her support for the CFPB’s final rule on payday loans, vehicle title loans, and certain other high-cost installment loans; (ii) her concerns over the dismantling of the Bureau’s Office for Students; (iii) her opposition to the Department of Education’s position that only the federal government may oversee student loan servicers (see InfoBytes coverage here); and (iv) the potential risks with the unregulated virtual currency market.
Sixteen State Attorneys General urge the CFPB to maintain the public consumer complaint database
On June 4, the New York Attorney General, Barbara Underwood, along with fourteen other state Attorneys General submitted a comment letter in response to the CFPB’s Request for Information (RFI) on the public reporting of consumer complaints, previously covered by InfoBytes here. The Attorneys General highlight the utility of the CFPB’s consumer complaint database, stating it “has been an invaluable resource for identifying trends and patterns,” and noting its usefulness in investigations into certain companies “whose misconduct was initially brought to [their] attention through a critical mass of complaints filed with the CFPB.” The letter also comments on the database’s benefit to the public for (i) empowering consumers to educate themselves; (ii) incentivizing companies to treat consumers fairly; and (iii) potentially revealing patterns of widespread misconduct. The coalition concludes the letter by urging the CFPB to maintain the public database.
Additionally, on the same day, the New Jersey Attorney General, Gurbir Grewal, responded to the same RFI with similar sentiments but also emphasized that eliminating or reducing the public availability of the database “would conflict with the open-government principles of the Freedom of Information Act” (FOIA) because FOIA requires government agencies to proactively disclose frequently requested records. According to Grewal, the Bureau receives a substantial number of requests for consumer complaint records and this number will likely increase without the public database.
Maryland alters certain mortgage broker finder’s fee restrictions
On May 16, the Maryland legislature enacted, without the governor’s signature, HB 1511, which will alter Maryland’s mortgage broker “finder’s fee” law to place a limit on the amount a broker may charge on the same property more than once within a 24-month period. Effective October 1, the law will only allow a mortgage broker to charge a finder’s fee with respect to the same property within a 24-month period if the fee is equal to or less than eight percent of the initial loan amount, combined with (i) the finder’s fee charged on the initial loan; and (ii) any other finder’s fee collected during the 24-month period.
Fannie Mae issues industry alert concerning borrower employment scheme in Southern California
On May 24, Fannie Mae’s Mortgage Fraud Program issued an industry alert to mortgage lenders in Los Angeles County identifying 34 entities and businesses listed as employers on loan applications, the existence of which could not be confirmed by Fannie Mae. In the event one of the identified companies is provided as a borrower’s place of employment, Fannie Mae warns lenders to exercise caution when reviewing the entire loan file and “take appropriate steps to prevent the institution from being the victim of fraud.” The alert provides additional fraud detection and prevention steps, including encouraging awareness of third-party originators/brokers, educating staff, and reporting suspicious activity.
New York governor signs bill authorizing NYDFS to study online lending in the state
On June 1, the New York governor signed AB 8938, which authorizes and directs the New York Department of Financial Services (NYDFS) to study online lending institutions that conduct business in the state, and requires NYDFS to submit a report containing analysis, assessments, and recommendations pertaining to online lending institutions by July 1. As previously covered in InfoBytes, NYDFS announced plans on April 24 to issue a report, which would include an analysis of the differences between online lending products and services and those of traditional lending institutions, the risks/benefits of the products offered, and the availability of various credit products in the absence of online lending. With the enactment of AB 8938, NYDFS is also tasked with, among other things, surveying existing state and federal laws and regulations applicable to the online lending industry. The act is effective immediately and shall expire July 1—the report’s due date.
District Court rules South Dakota banking regulator exceeded authority in revoking payday lender’s license
On May 29, the U.S. District Court for the District of South Dakota denied a motion to dismiss filed by the director of the South Dakota Division of Banking (defendant), ruling that the defendant exceeded his authority when he revoked a payday lender’s (plaintiff) operating license instead of initiating a cease and desist order, and that he failed to provide sufficient opportunities for the plaintiff to respond. According to the court, the defendant “had good cause to revoke [the plaintiff’s] money lending licenses,” having determined that late fees on the plaintiff’s loan product violated the 36 percent finance charge cap in the state’s 2017 payday lending law. But the court also held that the defendant committed a “procedural error” when he chose to “revoke the licenses rather than afford[] a hearing or [give the plaintiff] an opportunity to bring its practices into compliance. . . .”
The court further granted the plaintiff’s motion for partial summary judgment “on the violation of procedural due process” for a period from September 13 through September 28, 2017—the date that the defendant issued a limited stay on the license revocation allowing the company to collect on loans issued before the South Dakota payday lending law went into effect. “In short, [the defendant’s] Order did not meaningfully advance the interests of the state (and indeed contravened state law), and the ‘substitute procedures’ sought by [the plaintiff] (and required under state law) would have accommodated the competing interests, provided due process, and not needlessly compromised the private interests of [the plaintiff],” the court wrote.
Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement
On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered entities—defined in the statute as, “a person . . . that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation”— to notify affected Colorado residents within 30 days after the determination that a security breach occurred. The notice to residents must include, among other things, (i) the date range of the security breach; (ii) a description of the personal information that was part of the security breach; (iii) contact information for the entity; and (iv) contact information for credit reporting agencies and the FTC. The act defines personal information to include a Colorado resident’s first name or first initial and last name in combination with the following non-encrypted or redacted items: “social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.” Other key elements of the law include:
- In addition to notifying affected residents, covered entities must notify the Colorado Attorney General within 30 days if the entity determines 500 or more people have been affected by the security breach, unless the entity determines that misuse of the information has not and is not likely to occur.
- If the covered entity determines 1000 or more people are affected by the security breach, “in the most expedient time possible and without unreasonable delay” the entity must notify all consumer reporting agencies.
- Covered entities are required to implement and maintain reasonable security procedures that are “appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.”
- If a covered entity discloses a consumer’s personal information to a third-party service provider, the covered entity must require the third-party to implement and maintain reasonable security procedures.
The law also includes security and notification requirements for Colorado governmental entities.