InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
D.C. reaches $2.54 million settlement with online delivery company
On August 17, the Superior Court of the District of Columbia issued a consent order and judgment against an online delivery company resolving claims that it charged consumers millions of dollars in deceptive service fees. According to a press release issued by the D.C. AG, from 2016 until 2018, the company allegedly misled consumers into believing that service fees charged on their orders were tips that went to delivery workers. Instead, these fees went to the company to subsidize operating expenses. Without admitting any wrongdoing, the company agreed to pay $1.8 million to the district to go towards restitution and cover litigation costs. The company also agreed it will not seek refunds of $739,057 in previously disputed sales tax payments and will collect and remit sales tax on the total amount of the sales price it charges consumers going forward. Additionally, the company will cease making any misrepresentations about the nature of fees on consumer orders.
States sue installment lender for hidden add-on products
On August 16, a multistate lawsuit led by the Pennsylvania attorney general was filed against a subprime installment lender for allegedly charging consumers for hidden add-on products without their consent. According to the Pennsylvania AG’s press release, consumers believed they had entered into agreements to borrow and repay, over time, a fixed loan amount when allegedly the lender “added hundreds to thousands of dollars to the total amount a consumer owed.” Among other things, the complaint claimed the lender’s alleged “aggressive, high-pressure sales tactics” were “dictated by a profit-driven model,” and that its loans and aggressive sales tactics targeted the most vulnerable borrowers (often subprime and deep subprime borrowers that already carry significant credit card, installment loan, and/or student loan debt) by offering them “small dollar personal loans with high interest costs.” Additionally, the complaint contended that the lender’s corporate policies and practices resulted in employees charging consumers for add-on products they did not know about and did not consent to buy, and that employees were encouraged to perpetrate the unlawful conduct by being rewarded for maximizing add-on charges. The complaint seeks restitution, repayment of unlawfully obtained profits, civil penalties, rescission or reformation of all contracts or loan agreements between the lender and affected consumers, and injunctive relief.
California requires consumer credit contract notices to be provided in multiple languages
On August 15, the California governor signed SB 633, which expands the obligation of creditors who obtain more than one person’s signature on a consumer credit contract when providing cosigners a notice regarding their obligation if the borrower does not pay the debt. Under existing law, these notices had to be provided in English and in Spanish. A creditor who provides a consumer a contract in a foreign language will now have to provide the cosigner notice in the language in which the contract is written. In addition to expanding the languages the notice must be provided in, the required cosigner notice must be provided even if the individuals are married to each other. SB 633 also requires the California Department of Financial Protection and Innovation to provide translations of these notices on its website by January 1, 2023, along with any translations of languages later added to state law. Additionally, notice must be provided only on a separate sheet preceding the contract.
Maryland Court of Appeals says law firm collecting HOA debt is not engaged in the business of making loans
On August 11, a split Maryland Court of Appeals held that “a law firm that engages in debt collection activities on behalf of a client, including the preparation of a promissory note containing a confessed judgment clause and the filing of a confessed judgment complaint to collect a consumer debt, is not subject to the Maryland Consumer Loan Law [(MCLL)].” A putative class action challenging the law firm’s debt collection practices was filed in Maryland state court in 2018. According to the opinion, several homeowners associations and condominium regimes (collectively, “HOAs”) retained the law firm to help them draft and negotiate promissory notes memorializing repayment terms of delinquent assessments. These promissory notes, the opinion said, included confessed judgment clauses that were later used against homeowners who defaulted on their obligations. The suit was removed to federal court and was later stayed while the Maryland Court of Appeals weighed in on whether the law firm was subject to the MCLL. Loans made under the MCLL by an unlicensed entity render the loans void and unenforceable, the opinion said.
Class members claimed that the law firm is in the business of making loans and that the promissory notes are subject to the MCLL and “constitute ‘loans’ because they are an extension of credit enabling the homeowners to pay delinquent debt to the HOAs.” Because neither the law firm nor the HOAs are licensed to make loans the promissory notes are void and unenforceable, class members argued. The law firm countered that it (and the HOAs) are not obligated to be licensed because they are not lenders that “engage in the business of making loans” as provided in the MCLL.
On appeal, the majority concluded that there is no evidence that the state legislature intended to require HOAs to be licensed “in order to exercise their statutory right to collect delinquent assessments or charges, including entering into payment plans for the repayment of past-due assessments.” Moreover, in order to qualify for a license, an applicant “must demonstrate, among other things, that its ‘business will promote the convenience and advantage of the community in which the place of business will be located[]’”—criteria that does not apply to an HOA or a law firm, the opinion stated. Additionally, applying class members’ interpretation would lead to “illogical and unreasonable results that are inconsistent with common sense,” the opinion read, adding that “[t]o hold that the MCLL covers all transactions involving any small loan or extension of credit—without regard to whether the lender is ‘in the business of making loans’—would cast a broad net over businesses that are not currently licensed under the MCLL.”
The dissenting judge countered that the law firm should be subject to the MCC because to determine otherwise would allow law firms to engage in the business of making loans in the form of new extensions of credit with confessed judgment clauses and would “create a gap in the Maryland Consumer Loan Law that the General Assembly did not intend.”
DFPI enters into settlement with unlicensed point-of-sale lender
On August 3, the California Department of Financial Protection and Innovation (DFPI) announced a settlement with a Florida-based point-of-sale lender for allegedly engaging in the business of finance lending in California without obtaining a license. According to the settlement, after conducting an inquiry, DFPI determined that the company violated California Financial Code section 22100(a) “by making loans through the operation of buy now, pay later’ point-of-sale products” without obtaining a proper license. The company voluntarily agreed to the consent order, and, among other things: (i) agreed to desist and refrain from engaging in the business of a finance lender or broker in California unless/until it obtains a California Financing Law (CFL) license authorizing the company to conduct business as a finance lender or broker; (ii) must pay an administrative penalty of $2,500; and (iii) refund fees totaling $13,065. The company also agreed that it will only make loans, deferred payment products, and extensions of credit to California residents under the authority of a CFL license and in compliance with the statute.
California Privacy Protection Agency opposes federal privacy bill
On August 15, the California Privacy Protection Agency (CPPA) sent a letter to House Speaker Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) opposing H.R.8152, the American Data Privacy and Protection Act (ADPPA). The CPPA expressed concerns that the proposed legislation “could nearly eliminate” the agency’s ability to fulfill its responsibility to protect Californians’ privacy rights and claimed that the bill’s provisions are “substantively weaker” than the California Privacy Rights Act. “ADPPA represents a false choice, that the strong rights of Californians and others must be taken away to provide privacy rights federally,” the CPPA stressed in its letter. “Americans deserve, and the Agency could support, a framework that offers both: a floor of federal protections that preserves the ability of the states to continue to improve protections in response to future threats to consumer privacy.”
Last month the U.S. House Committee on Energy and Commerce voted 53-2 to send the ADPPA to the House floor with amendments that would enable the California agency to enforce the federal law (covered by InfoBytes here). However, the CPPA noted that “the language in the bill still raises significant uncertainties for the Agency were it to seek to enforce the federal measure.” Additionally, the bill, which has been revised from its initial draft (covered by a Buckley Special Alert), would preempt the current patchwork of five state privacy laws—which “would be an anomaly,” the CPPA said, given that current federal privacy laws such as the Health Information Portability and Accountability Act, the Gramm Leach Bliley Act, and the FCRA all contain language allowing states to adopt stronger protections. Pointing out that the bill’s “preemption language is especially concerning given the rate at which technology continues to advance and evolve,” the CPPA stressed the importance of states being able to build on their existing laws and allowing voters to seek out additional protections.
District Court grants summary judgment concerning TILA, ECOA, FHA claims
On August 12, the U.S. District Court for the Southern District of Indiana issued an order denying plaintiffs’ motion for partial summary judgment and granting defendants’ cross-motion for summary judgment in an action concerning alleged violations of TILA, ECOA, and FHA disparate impact claims. According to the court’s determination, the defendant corporate entity was not a “creditor” during the leasing portion of the underlying rent-to-buy (RTB) agreements, and the plaintiffs lacked standing on certain claims because the wrong parties were targeted.
The defendant realty group purchases, sells, and manages real estate. The plaintiffs all entered into RTB agreements with the realty group that allowed the renter to make 24 payments and then execute a sales contract for the property. The agreements carried interest rate terms between 9.87 and 18 percent. According to the plaintiffs, the defendants, among other things, did not provide TILA-required disclosures for high-cost mortgages, did not require written certifications that tenants had obtained counseling prior to entering into the transaction, and did not provide property appraisals to tenants.
The plaintiffs sued alleging several claims under TILA for failure to provide required information. However, the court concluded that during the 24-month rental period, the realty group was not a “creditor” but was instead a “landlord.” Moreover, the court determined that “the only entities that could arguably be considered creditors are the Individual Land Trusts as the sellers and parties to the Conditional Sales Contract.” These trusts were not named as defendants, the court observed, adding that the plaintiffs failed to meet the burden of showing that the land trusts were sufficiently related to the named defendants to allow the court to “pierce the corporate veil” and hold the named defendants liable for actions conducted by the non-party individual land trusts.
With respect to the plaintiffs’ ECOA claims, which claimed that the realty group’s policies and practices were intentionally discriminatory and had a disparate impact on the basis of race, color, and/or national origin, the court applied the same rationale as it did to the TILA claims and again ruled that the realty group was not a “creditor.” In terms of plaintiffs’ FHA claims, the court said that “the racial disparity must have been created by the defendant.” In this action, the court determined that the realty group did not create the condition, reasoning that “the fact that lower-priced homes are more likely to exist in minority neighborhoods is not of Defendants’ making and existed before, and without, the RTB Program.”
However, the court’s order does allow certain individual and class claims related to disparate treatment under the FHA to proceed, as well as certain claims regarding Indiana law related to standard contract terms and the condition of homes in the RTB program.
States stress importance of CRA modernization
On August 5, a coalition of 15 state attorneys general submitted a comment letter in support of the joint notice of proposed rulemaking (NPRM) issued by the FDIC, OCC, and Federal Reserve Board (collectively, “agencies”) regarding modernizing the Community Reinvestment Act (CRA). As previously covered by InfoBytes, the NPRM, among other things, would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. According to the letter, the NPRM is “a marked improvement over prior proposals that some of the agencies set out in the last several years.” The AGs noted that the final rule “must ensure that all members of our communities are fully served by financial institutions” and urged the agencies to continue to strengthen it. The AGs further encouraged the agencies to focus on: (i) ensuring the NPRM “vindicates CRA’s core purpose to address racial inequalities”; (ii) increasing the regulatory bar so “that banks are taking meaningful action to meet low- and moderate income (LMI) community needs; and (iii) “[l]everaging incentives to encourage affordable housing development for LMI communities without displacement.” Additionally, the AGs suggested that the NPRM “should be modified to ensure that this once-in-a-generation modernization effort gives the regulators the tools they need to carry out CRA’s imperative—that financial institutions be required to address the needs of our most vulnerable communities—in our States and across the Nation.” The AGs also noted that some states “expressed concern that the widening racial wealth gap stemming from historical redlining would be exacerbated by an uneven pandemic recovery.” Specifically, the letter stated that “two-and-a-half years into the COVID-19 crisis, the States face an affordable and accessible housing crisis, increased homelessness and housing insecurity, and historic levels of inflation that disproportionally threaten low-income communities and communities of color.” The AGs stated that CRA regulatory reform “can be a key element of addressing these problems.”
New York proposes new cybersecurity reporting requirements for financial institutions
Recently, NYDFS released proposed second amendments to New York’s Cybersecurity Regulation (23 NYCRR Part 500), which would, if adopted, require a financial institution’s senior officer or board of directors to approve the entity’s cybersecurity policy. Entities would also be required to disclose whether their directors have expertise in overseeing security risks or whether they rely on third-party cyber consultants. Among other things, the proposed amendments would require cybersecurity executives to provide directors timely alerts of significant cyber issues or events and provide annual reports to the board on cyber risks and defenses as well as on plans for remediating identified inadequacies. Additional requirements include: (i) multi-factor authentication for all privileged accounts (except for service accounts), as well as for “remote access to the network and enterprise and third-party applications from which nonpublic information is accessible”; (ii) limitations on asset and data retention management; (iii) training and monitoring of email to prevent unauthorized access; and (iv) incident response, business continuity, and disaster recovery plans.
The proposed amendments also contain provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the entity’s information system. Entities would also be directed to alert the Department within 24 hours of making a ransom payment to a hacker—similar to a ransomware payment disclosure mandate included within the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” covering critical infrastructure (covered by InfoBytes here). Within 30 days, entities would also be required to explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations including federal sanctions implications.
Comments on the proposed amendments are due August 18.
See continuing InfoBytes coverage on 23 NYCRR Part 500 here.
CSBS releases nonbank cybersecurity examination tools
On August 9, the Conference of State Bank Supervisors (CSBS) released two new tools used by state examiners to assess nonbank financial services companies’ cyber preparedness. Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program provide nonbanks the opportunity to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners. The “Baseline” program is geared toward exams of “smaller, noncomplex, low-risk institutions,” and “is targeted for use by examiners with or without specialized IT and cybersecurity knowledge.” The “Enhanced” program includes all of the Baseline procedures as well as additional procedures to provide a “more in-depth review for larger, more complex institutions or for those where concerns are raised during exams.” The program is intended for use by examiners with specialized IT and cybersecurity knowledge.
“Supervisory clarity is essential to increasing industry awareness and making our financial system more resilient to cyber-attacks,” CSBS Senior Vice President of Nonbank Supervision Chuck Cross said in the announcement. “The Nonbank Cybersecurity Exam Procedures released today provide nonbank institutions additional optional tools to guard against cyber-attacks, data breaches or lapses in management oversight in this crucial area.”
CSBS announced that it intends to provide additional tools tailored to the needs of smaller nonbank financial institutions in the coming months.