InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
State AGs Urge the CFPB to Ensure that States Maintain the Right to Set Usury Caps on High Cost Loans
In October, New York AG Eric T. Schneiderman, along with seven other state AGs (Connecticut, Maryland, Massachusetts, New Hampshire, Pennsylvania, Vermont and the District of Columbia), submitted a letter to the CFPB in response to the agency’s proposed rule addressing payday loans, vehicle title loans, and certain high-cost installment loans. While commending the CFPB for introducing additional consumer protections, the letter urges the CFPB to integrate the following language from the preamble of the proposed rule into the body of the final rule: “The protections imposed by this proposal would operate as a floor across the country, while leaving State and local jurisdictions to adopt additional regulatory requirements (whether a usury limit or another form of protection) above that floor as they judge appropriate to protect consumers in their respective jurisdictions.” The letter explains that because the CFPB does not have the authority to set interest rates – or usury caps – for loans, it is “crucial” that states maintain their right to do so.
California AG Harris Launches New Consumer Privacy Tool
On October 14, California AG Harris released an online complaint form designed to help consumers report potential violations of the California Online Privacy Protection Act (CalOPPA). Pursuant to the CalOPPA, commercial websites and online services collecting consumer information are required to post privacy policies that include “the categories of information collected, the types of the third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the [policy’s] effective date.” As part of AG Harris’s “multi-pronged” effort to improve online privacy for consumers, the form will allow consumers to “crowdsource” privacy policy violations, thus “exponentially increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.”
NYDFS Issues New Guidance on Banks' Incentive Compensation Arrangements
On October 11, the New York Department of Financial Services (NYDFS) issued new guidance regarding incentive compensation arrangements, advising “all regulated banking institutions that no incentive compensation may be tied to employee performance indicators, such as the number of accounts opened, or the number of products sold per customer, without effective risk management, oversight and control.” At a minimum, the guidance requires that a bank’s incentive compensation arrangement address the following principles: (i) balance between risks and rewards; (ii) effective controls and risk management; and (iii) effective corporate governance. NYDFS stated that a bank’s lack of compliance with the guidance will be reflected in its regulatory examination rating and may result in additional regulatory action.
The NYDFS’s recently released guidance comes in the wake of a September action taken jointly by the OCC and the CFPB over a bank’s alleged sales practices under which, in an effort to meet sales goals and earn financial rewards under the bank’s incentive compensation program, employees purportedly opened deposit and credit card accounts for consumers without obtaining those consumers’ consent.
California Amends Finance Lenders Law and Residential Mortgage Lending Act
The California legislature amended the California Finance Lenders Law (CFLL) allowing persons to make one commercial loan in a 12-month period without obtaining a license. This change effectively reenacts a de minimis exemption that was repealed in 2014, and is effective January 1, 2017 through January 1, 2022.
Effective September 28, 2016, the implementing regulations to the CFLL and California Residential Mortgage Lending Act (CRMLA) were amended such that subsidiaries and affiliates of exempt institutions are no longer exempt, by nature of this association, from the licensing requirements with respect to consumer and residential mortgage loans. The Department of Business Oversight filed the action to reverse through regulation previous Commissioner opinions that interpreted licensing exemptions under the CFLL and CRMLA to apply broadly to include subsidiaries of exempt financial institutions.
The definition of a lender under the CRMLA was also amended and now includes a person, other than a natural person, and a natural person who is also an independent contractor, who engages in the activities of a loan processor or underwriter for residential mortgage loans, but does not solicit loan applicants, originate mortgage loans, or fund mortgage loans. Further, the Commissioner may require a licensee who is engaged in the processing or underwriting of residential mortgage loans to continuously maintain a minimum tangible net worth in an amount that is greater than $250,000, but that does not exceed the net worth required of an approved lender under the Federal Housing Administration.
Connecticut AG Jepsen and Banking Commissioner Perez Resolve RMBS Investigation
On October 3, Connecticut AG Jepsen, alongside Banking Commissioner Jorge Perez, resolved a four-year investigation into a Connecticut-based investment bank’s residential mortgage-back securities (RMBS) practices. According to the consent order, from January 2005 to December 2008, the investment bank was the lead securities underwriter of about 250 RMBS deals with a value of more than $250 billion. The state alleged, among other things, that the bank’s due diligence process on the 250 RMBS deals was “inadequate and resulted in omissions and misstatements in the representations made to the public and investors about the securities.” The $120 million settlement is Connecticut’s largest single settlement in history.
Special Alert: NYDFS Stakes Claim on Cybersecurity Regulation
On September 13, the New York Department of Financial Services (DFS) issued a proposed rule establishing cybersecurity requirements for financial services companies, and has thus ventured into new territory for state regulators. In the words of Governor Cuomo, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises."
Given the concentrated position of financial service companies in New York and the regulation’s definition of a Covered Entity – which includes “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” – it could create an almost de facto national standard for medium to large financial services companies, regardless of where they keep their servers or suffer a cyberattack. This type of state-level regulation is not unprecedented. In 2003, California passed a data breach notification law that requires companies doing business in California to notify California residents of the breach and more recently amended the law to require 12 months of identity protection and strengthen data security requirements. In 2009, Massachusetts enacted a regulation mandating businesses implement security controls to protect personal information relating to state residents.
The DFS designed the regulation to protect both consumers and the financial industry by establishing minimum cybersecurity standards and processes, while allowing for innovative and flexible compliance strategies by each regulated entity. Yet the proposed regulation goes further than to just ask financial entities to conduct a risk assessment and to design measures to address the identified risks.
Click here to view the full Special Alert.
* * *
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- John P. Kromer, (202) 349-8040
- Elizabeth E. McGinn, (202) 349-7968
California AG Harris Announces Settlement with San Francisco-Based Bank Over Consumer Privacy Violations
On March 28, California AG Harris announced an $8.5 million settlement with a San Francisco-based bank for alleged violations of California consumer privacy laws. Specifically, AG Harris’s and five district attorneys’ investigation into the bank found that its employees failed to “timely and adequately disclose the recording of communications they had with members of the public” in violation of sections 632 and 632.7 of the California Penal Code. Without admitting liability, the bank agreed to (i) implement changes to its policies; (ii) comply fully with California’s laws concerning the recording of communications between the bank and California consumers, making a clear, conspicuous, and accurate disclosure (the Recorded Call Disclosure) at the beginning of any communication that is subject to recording; and (iii) implement an internal compliance program to “promote full compliance with the requirements of Penal Code sections 632.7 and 632, and the Recorded call disclosure.” Of the $8.5 million civil money penalty, $384,000 will be used to reimburse the prosecutors’ investigative costs, and $500,000 will be contributed to two California organization dedicated to advancing consumer protection and privacy rights.