InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
States reach $1.85 billion settlement with student loan servicer
On January 13, a coalition of attorneys general from 38 states and the District of Columbia reached a $1.85 billion settlement with one of the nation’s largest student loan servicers, resolving allegations that it engaged in misconduct when servicing student loans. The settlement, subject to court approval, brings to an end multistate litigation and investigations into the allegations that the servicer steered borrowers into costly forbearances and expensive repayment plans rather than helping borrowers find affordable income-driven repayment (IDR) plans. The servicer denies violating any consumer financial laws or causing borrower harm, as stated in a separate press release, but has agreed to maintain servicing practices to support borrower success.
Under the terms of the settlement, the servicer has agreed to cancel more than $1.7 billion in private student loan balances owed by roughly 66,000 borrowers. An additional $95 million in restitution payments of about $260 each will also be sent to approximately 357,000 federal student loan borrowers, and the servicer will also pay approximately $142.5 million to the signatory AGs. The settlement also requires the servicer to make several reforms, including explaining the benefits of IDR plans and offering estimated income-driven payment options to borrowers prior to placing them into deferment or discretionary forbearance. The servicer is also required to notify borrowers about the Department of Education’s Public Service Loan Forgiveness limited waiver opportunity (covered by InfoBytes here), implement changes to its payment-processing procedures to limit certain fees for late payments or entering forbearance status, and improve communications informing borrowers of their rights and obligations.
3rd Circuit vacates TILA/RESPA judgment in favor of mortgage lender
On January 12, the U.S. Court of Appeals for the Third Circuit vacated an order granting summary judgment in favor of a mortgage lender (defendant) for alleged violations of TILA and RESPA, among other claims. The plaintiff, a retired disabled military veteran, contracted with a home builder to purchase a home and used the defendant to obtain mortgage financing, which was later transferred to a servicing company. The plaintiff contended that the defendant allegedly (i) provided outdated TILA and RESPA disclosures; (ii) misrepresented that the plaintiff would not have to pay property taxes; (iii) failed to make a reasonable and good faith determination of the plaintiff’s ability to pay; and (iv) failed to provide notice of the transfer of servicing rights. On appeal, the 3rd Circuit determined that the defendant did not meet the initial burden to show no genuine dispute as to any material fact related to the plaintiff’s claims, and remanded the action. Without assessing the evidentiary value of the testimonies and materials submitted by each party in support of their own version of events, the appellate court reasoned that “these materials do not foreclose a reasonable jury from crediting [the plaintiff’s] testimony over [the defendant’s] account and finding [the defendant] liable.”
Supreme Court vacates $10 million judgment in light of TransUnion ruling
On January 10, the U.S. Supreme Court issued a short summary disposition granting a petition for a writ of certiorari filed by a lender and an appraisal management company. Rather than hearing arguments in the case, the Court immediately vacated the judgment against the defendants and ordered the U.S. Court of Appeals for the Fourth Circuit to reexamine its decision in light of the Court’s ruling in TransUnion v. Ramirez (which clarified the type of concrete injury necessary to establish Article III standing, and was covered by InfoBytes here).
As previously covered by InfoBytes, in March 2021, a divided 4th Circuit affirmed a district court’s award of over $10 million in penalties and damages based on a summary judgment that an appraisal practice common before 2009 was unconscionable under the West Virginia Consumer Credit and Protection Act. During the appeal, the defendants argued that summary judgment was wrongfully granted and that the class should not have been certified since individual issues predominated over common ones, but the appellate court majority determined, among other things, that there was not a large number of uninjured members within the plaintiffs’ class because plaintiffs paid for independent appraisals and “received appraisals that were tainted.”
The defendants argued in their petition to the Court that the 4th Circuit’s “fundamentally unjust” holding could not stand in the wake of TransUnion, which ruled that every class member must be concretely harmed by an alleged statutory violation in order to have Article III standing. According to the defendants, the divided panel “affirmed the class certification and the class-wide statutory-damages award, because the class members all faced the same risk of harm: the appraisers had been ‘exposed’ to the supposed procedural error, and the class members paid for the appraisals, even though the court ‘cannot evaluate whether’ any harm ever materialized.”
FFIEC proposes amendments to temporary waiver proceedings
On January 13, the Appraisal Subcommittee (ASC) of the Federal Financial Institutions Examination Council (FFIEC) published a request for comments on proposed amendments to provide greater transparency and clarity to the existing rules of practice and procedure governing temporary waiver proceedings. The existing temporary waiver proceedings, which were promulgated in 1992 under FIRREA, allow temporary waivers to be granted if a state appraiser regulatory agency makes a written determination that a scarcity of state-certified or licensed appraisers in a state or geographical area is causing significant delays in the performance of real estate appraisals utilized in connection with federally related transactions. Temporary waivers terminate once the ASC determines that the significant delays have been eliminated.
The FFIEC’s notice of proposed rulemaking (NPRM) seeks “to clarify the procedural differences in processing a Request for Temporary Waiver accompanied by a written determination as compared to a Petition requesting the ASC exercise its discretion to initiate a temporary waiver proceeding.” Among other things, the NPRM would allow the ASC to draw a clear distinction between: (i) a state appraiser regulatory agency’s request that is accompanied by a written determination (referred to in the NPRM as a “Request for Temporary Waiver”); and (ii) information received from other persons or entities, which could include a state appraiser regulatory agency (referred to as a “Petition”). As presented in the NPRM’s accompanying flowchart, the procedures will vary depending on whether the ASC has received a Request for Temporary Waiver or a Petition requesting the initiation of a temporary waiver proceeding. Comments on the NPRM must be received by March 14.
DFPI enters into a settlement with a rent-to-own furniture provider
On January 10, the California Department of Financial Protection and Innovation (DFPI) announced a settlement with a Los Angeles-based rent-to-own furniture provider for allegedly failing to comply with the Karnette Rental-Purchase Act (Karnette Act) in connection with its subscription agreements. This settlement constitutes the first action against a rent-to-own firm for violating the California Consumer Financial Protection Law (CCFPL). According to the settlement, in addition to charging excessive late fees, the company failed to: (i) disclose whether the property subject to the rental-purchase agreement is new or used; (ii) clearly and conspicuously provide the Karnette Act’s mandated contractual disclosures; and (iii) adhere to the Karnette Act’s prescribed formula for calculating the maximum cash price, among other things. As part of the settlement, the company must desist and refrain from violating the CCFPL, refund customers late fee overcharges, offer its rent-to-own products and services in compliance with the Karnette Act and applicable consumer laws, and report on its activities semi-annually to the DFPI. According to DFPI Commissioner Clothilde V. Hewlett, the consent order “reminds California businesses and consumers that the DFPI will be exercising its expanded authority under the new law.”
NYDFS concerned with CFPB’s small business loan data collection proposal
On January 6, NYDFS issued a comment letter responding to the CFPB’s Notice of Proposed Rulemaking (NPRM), “Small Business Lending Data Collection under the Equal Credit Opportunity Act (Regulation B).” The NPRM—mandated under Section 1071 of the Dodd-Frank Act—would require a broad swath of lenders to collect data on loans they make to small businesses, including information about the loans themselves, the characteristics of the borrower, and demographic information regarding the borrower’s principal owners. This information would be reported annually to the Bureau, and eventually published by the Bureau on its website, with some potential modifications. According to the Bureau, the statute’s stated intent is to “facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority-owned, and small businesses.” (Covered by a Buckley Special Alert.)
In its comment letter, NYDFS discussed its responsibilities for examining state-chartered banking institutions’ compliance with the New York Community Reinvestment Act (NYCRA), New York Banking Law § 28-b, which NYDFS noted largely mirrors the current federal Community Reinvestment Act (CRA). Additionally, NYDFS stated that it examines regulated institutions for compliance with state fair lending requirements and agreed with the Bureau that “collecting critical information about minority- and women-owned businesses (MWOBs) to address fair lending concerns and allow financial institutions to identify gaps in the market” is an important goal. To that end, NYDFS is in the process of implementing its own MWOB data collection regulation under the NYCRA, which would require New York state-chartered banking institutions to start collecting MWOB-related data. (Covered by InfoBytes here.) Due to similarities between the proposed regulation and the Bureau’s NPRM, and to avoid imposing an undue burden on institutions covered by both regulations, NYDFS’s proposed regulation includes language that would “permit, but not obligate, NYDFS to treat compliance with the CFPB’s rule implementing Section 1071 as compliance with the NYCRA’s MWOB-related data collection regulation.”
Two specific issues were raised in response to the Bureau’s NPRM. First, NYDFS expressed concerns about the NPRM’s silence as to whether the Bureau intends to share more detailed data with state regulators to help states identify fair lending violations and enforce anti-discrimination laws, even if this information is not made available to the public. NYDFS urged the Bureau to include specific language stating it “may share all data submitted by financial institutions with state regulators in accordance with information sharing agreements between the CFPB and the state regulators.” Second, NYDFS asked the Bureau to reconsider its proposal to require data collection only for MWOBs with a threshold of $5 million or less in gross annual revenue. In particular, NYDFS warned of the risk of “dissimilarity in data collected by lenders for submission to the CFPB and the NYDFS” as NYDFS’s proposed regulation “requires evaluation of MWOB lending without respect to size.” NYDFS stressed that this dissimilarity “may prevent the NYDFS from deeming compliance with the CFPB regulation sufficient to comply with the NYDFS regulation.”
NYDFS puts CFDL compliance obligations on hold
On December 31, NYDFS announced that providers’ compliance obligations under the state’s Commercial Finance Disclosure Law (CFDL) will not take effect until the necessary implementing regulations are issued and effective. The CFDL was enacted at the end of December 2020, and amended in February 2021, to expand coverage and delay the effective date to January 1, 2022. (See S5470-B, as amended by S898.) Under the CFDL, providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less. In October 2021, NYDFS published a notice announcing a proposed regulation (23 NYCRR 600) to implement the CFDL, which provided that the compliance date for the final regulation will be six months after the final adoption and publication of the regulation in the State Register (covered by InfoBytes here). Comments on the proposed regulation were due December 19. NYDFS noted in its announcement that “[i]n light of the significant feedback received, the Department is carefully considering the comments received and intends to publish a revised proposed regulation for notice-and-comment early in the new year.”
New York AG alerts companies on “credential stuffing” cyberattacks
On January 5, the New York attorney general issued a report, which highlights the results of an investigation into “credential stuffing.” The investigation discovered over 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. The report, Business Guide for Credential Stuffing Attacks, details attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, and provides recommendations on how business can protect themselves. Through credential stuffing, which is one of the most common forms of cyberattacks, offenders utilize automated software to reuse stolen usernames and passwords, relying on the human tendency to reuse the same credentials to access various online accounts and platforms. The AG’s office launched the investigation “in light of the growing threat of credential stuffing,” and monitored several online communities dedicated to credential stuffing. According to the report, the office discovered thousands of posts that had customer login credentials that were tested by hackers in a credential stuffing attack and found that the information could be used to access other accounts. From these posts, the office compiled credentials to compromised accounts at seventeen companies, which consisted of online retailers, restaurant chains, and food delivery services, and collected credentials for over 1.1 million customer accounts, all of which seemed to have been compromised. After alerting the companies regarding the compromised accounts and urging them to investigate and take protective action, every company did so. The report recommended that businesses maintaining online accounts have a data security program, including effective safeguards for protecting customers from credential stuffing attacks in four areas: (i) defending against credential stuffing attacks; (ii) detecting a credential stuffing breach; (iii) preventing fraud and misuse of customer information; and (iv) responding to a credential stuffing incident. Specifically, three safeguards considered to be “highly effective” at defending against credential stuffing attacks were bot detection services, multi-factor authentication, and password-less authentication. The report also recommended that companies require reauthentication at the time of a purchase. Additionally, “[b]usinesses should have a written incident response plan that includes processes for responding to credential stuffing attacks” and notification to affected parties.
DFPI adopts debt collector license application and requirements
On December 22, the California Department of Financial Protection and Innovation (DFPI) adopted regulations, beginning at section 1850, title 10 of the California Code of Regulations, under the Debt Collection Licensing Act. As previously covered by InfoBytes, in July, DFPI issued a notice of proposed rulemaking to incorporate changes to its debt collection licensing requirements and application. Among other things, the regulations set forth the: (i) application form and procedures for filing a license application through the Nationwide Multistate Licensing System & Registry (NMLS); (ii) requirements for a licensee to maintain information filed through the NMLS current; and (iii) procedures for surrendering a license as a debt collector.
DFPI acknowledges challenges in obtaining a NMLS account
On December 23, the California Department of Financial Protection and Innovation (DFPI) released a notice on its website regarding DFPI’s awareness of a “temporary slowdown in obtaining a new Nationwide Multistate Licensing System or NMLS account.” DFPI noted that it is “working cooperatively with the NMLS team to be able to verify those that have attempted to apply.” DFPI observed that “[w]ith various DFPI year-end deadlines, the NMLS team is experiencing an unprecedented volume of account requests.” DFPI further acknowledged the “predicament this puts entities in who are trying to comply with the new debt collector licensing requirement to apply for a license by Dec. 31, 2021,” and stated it “will not take any action against a debt collector solely on the basis of the temporary slowdown with NMLS.”