InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DFPI grants license to ISA servicer
On August 5, the California Department of Financial Protection and Innovation (DFPI) announced an agreement to issue a license to a New York-based company that partners with educational institutions to offer Income Share Agreements (ISAs) to students to finance their post-secondary education and training. The agreement reflects DFPI’s decision to “treat these private financing products as student loans” for purposes of the California Student Loan Servicing Act (SLSA)” and represents “a significant first step toward providing greater oversight of the ISA industry.” As previously covered by InfoBytes, in 2018, the California governor approved AB 38 to amend the state’s Student Loan Servicing Act, which provides for the licensure, regulation, and oversight of student loan servicers by the California Department of Business Oversight (now DFPI). The agreement is the first of its kind to subject an ISA servicer to state licensing and regulation. In the agreement, DFPI explains that the SLSA defines a “student loan” “by the purposes for which financing is used,” and includes an “extension of credit” that is “solely for use to finance post-secondary education.” The SLSA expressly excludes certain types of credit, but does not exclude contingent debt or ISAs. Therefore, the agreement concludes, “the Commissioner finds that ISAs made solely for use to finance a postsecondary education are ‘student loans’ for the purposes of the SLSA.”
As part of the agreement, the company, among other things: (i) must submit all audited financial statements; (ii) must report any ISAs it services as “student loans” for purposes of the SLSA; and (iii) “shall not service any ISAs or other forms of credit extended to California consumers that have been determined or declared unenforceable or void by the DFPI or any regulatory agency that licenses, charters, registers, or otherwise approves the issuer of the ISA.” In addition, DFPI will issue the company a regular, unconditional California SLSA license “within 5 business days of the Commissioner’s approval of [the company’s] Audited Financials.” According to DFPI, “some ISA issuers have contended that state and federal lending laws are inapplicable to ISAs, and students who finance education under ISAs did not enjoy the same regulatory protections as other borrowers,” and DFPI “expects to clarify requirements for ISA providers and servicers through future rulemaking.”
State AGs ask for faster implementation of STIR/SHAKEN
On August 9, state attorneys general from all 50 states and the District of Columbia, through the National Association of Attorneys General, sent a letter to the FCC urging the Commission to confront illegal robocalls by moving the deadline for smaller telephone companies to implement caller ID technology, STIR/SHAKEN, by June 30, 2022 at the latest. The TRACED Act (the Act), which became law in 2019 (covered by InfoBytes here), requires phone companies to implement STIR/SHAKEN technology on their networks to ensure that telephone calls are originating from verified numbers, not spoofed sources. As previously covered by InfoBytes, the STIR/SHAKEN caller ID authentication framework is an “industry-developed system to authenticate Caller ID and address unlawful spoofing by confirming that a call actually comes from the number indicated in the Caller ID, or at least that the call entered the US network through a particular voice service provider or gateway.” Currently under the Act, large companies are required to implement the technology by June 2021, and smaller voice service providers have until June 2023. According to the letter, the state attorney generals’ advocate that “[r]emoving — or, at least, curtailing — the Commission's blanket extension for small voice service providers that flout the commission's largess by perpetrating this high-volume traffic would truly serve the purpose of the TRACED Act: ‘to deter criminal robocall violations and improve enforcement’ of the TCPA.”
DFPI takes action against student debt-relief company
On August 9, the California Department of Financial Protection and Innovation (DFPI) issued a consent order with a student loan debt relief company, resolving allegations that the company violated the California Consumer Financial Protection Law (CCFPL) by collecting illegal advance fees prohibited under the federal TSR. According to DFPI, the announcement follows a “wider crackdown” initiated in February against student loan debt-relief companies in violation of the CCFPL and the Student Loan Servicing Act (covered by InfoBytes here). The company allegedly advertised promises of reducing student debt in exchange for an initial payment as high as $899 and an ongoing monthly fee of $39. DFPI alleges that over 1,000 California student loan borrowers signed up and were charged illegal up-front fees prohibited under the federal telemarketing law. The consent order requires the company to refund California student loan borrowers the approximate $870,000 it collected in fees and to pay a $500,000 penalty to DFPI. The company also agreed to cease its illegal conduct, cancel all unlawful contracts with consumers, and refund consumers within 60 days.
Oregon enacts student loan servicer provisions
On July 27, the Oregon governor signed SB 485, which outlines licensing provisions for student loan servicers and implements consumer protections for borrowers. Among other things, the act requires, subject to certain exemptions, persons servicing student loans to obtain a license from the Oregon Department of Consumer and Business Services (DCBS). Should the director reasonably believe that a person subject to the act’s provisions is “engaging in or is about to engage in an act or practice that constitutes servicing a student loan in this state without first obtaining a license” the director may order the person to cease and desist, affirmatively perform the act, or may apply to an Oregon circuit court to enjoin the person from engaging in such act or practice. Additionally, the act outlines requirements related to, among other things, (i) licensing applications, including that the director may require applicants to submit applications to the Nationwide Multistate Licensing System instead of, or in addition to, submitting the application to the director; (ii) licensing renewals, reinstatements, and surrenders; (iii) a licensee’s principal place of business; (iv) liquidity standards; and (v) branch closures, relocations, or the opening of new locations. Under the act, the director is also granted general supervisory authority over each licensee in the state, examination authority, and the ability to participate in multistate examinations scheduled and conducted by the Conference of State Bank Supervisors or the CFPB. The director may also investigate borrower complaints and servicers’ policies and procedures, may impose civil penalties for violations of the act’s provisions, and may promulgate rules and take any other actions necessary to undertake and exercise the duties and powers conferred on the position. The act also outlines provisions related to servicing obligations, prohibits student loan servicers from engaging in fraudulent, deceptive, and dishonest activities, and creates a student loan ombudsperson at DCBS to handle complaints against student loan servicers and educate borrowers about loan repayment options. The act took effect on its passage.
State AGs filed amicus brief in support of federal student loan borrowers
On July 29, a coalition of attorneys general from 20 states and the District of Columbia filed an amicus brief in the U.S. Court of Appeals for the Second Circuit against Secretary of Education Miguel Cardona and the Department of Education in support of an appeal challenging the Department’s 2019 rule governing student loan relief for defrauded borrowers (“2019 Rule”). As summarized in the brief, Congress created a statutory entitlement to loan relief for borrowers who are defrauded by their school—a process known as “borrower defense”—to “ensure that victimized students are not unfairly saddled with federal student loans.” The amici brief argues that the 2019 Rule “reject[ed] longstanding agency practice and positions going back 25 years to the first borrower defense rule” and “makes it all but impossible for defrauded borrowers to successfully obtain loan relief.” The states argue that the Department’s 2019 Rule is thus arbitrary and capricious under the Administrative Procedure Act and request that the Second Circuit reverse the district court’s holding to the contrary.
As previously covered by InfoBytes, in July 2020, state attorneys general from 22 states and the District of Columbia filed a complaint in U.S. District Court for the Northern District of California against Secretary of Education Betsy DeVos and the Department of Education, also asking the court to vacate the Department’s 2019 final rule.
CFPB, Arkansas AG settle FCRA violations
On August 4, in an action brought by the CFPB and the Arkansas attorney general, the U.S. District Court for the Eastern District of Arkansas entered a stipulated final judgment and order against a Utah-based home-security and alarm company (defendant) for allegedly failing to provide proper notices under the FCRA. As previously covered by InfoBytes here, according to the complaint, the company extended credit to its customers by allowing them to defer payment for alarm and security-system equipment over the life of a long-term contract. In extending credit to its customers, the company allegedly obtained and used consumers’ credit scores to determine the amount of activation fees it would charge for its products and services and then charged higher fees to consumers who had lower credit scores, without providing those consumers with required risk-based pricing notices in accordance with the FCRA and Regulation V. Under the terms of the order, the company is required to submit a compliance plan and pay a $600,000 civil money penalty, of which $100,000 will be offset if it pays that amount to settle related litigation with the State of Arkansas that is pending in state court. The company will also be required to provide proper risk-based pricing notices as required under the FCRA.
District Court: Online payment processor must face data collection class action claims
On July 28, the U.S. District Court for the Northern District of California granted in part and denied in part an online payment processor’s motion to dismiss class claims concerning several alleged violations of various state privacy and wiretapping laws and related claims. The plaintiffs alleged that the defendant “secretly track[ed], collect[ed], and stor[ed] the personal data and web activity of visitors to merchants’ website[s],” and created a software code allowing merchants to integrate the company’s payment platform into merchants’ applications. The complaint alleged that most consumers making online purchases were unaware that their transactions were processed by the defendant and instead believed to be communicating directly with the merchants. Specifically, the defendant allegedly (i) obtained or stored consumers’ sensitive information (such as financial information, location, IP addresses, and purchasing information); (ii) correlated all payments consumers made across the defendant’s entire payment processing platform and provided much of it to other merchant clients without informing the consumers; and (iii) installed cookies on consumers’ computers and mobile devices to track purchasing behavior across the defendant’s payment network. This allowed merchants to see a consumer’s purchasing history of all transactions processed by the defendant and obtain a transaction-level risk score from the defendant.
The court denied the motion to dismiss as to plaintiffs’ claims of invasion of privacy and intrusion under California’s Constitution and common law, finding that the plaintiffs have sufficiently alleged the plaintiffs did not consent to the defendant’s disclosure of their information to its merchants and customers. The court was precluded from finding that plaintiffs had no reasonable expectation of privacy because the language in the defendant’s privacy policy limited the sharing to information with third parties to assist with the prevention or detection of fraud or for processing services only.
In dismissing the wiretap claims, the court reviewed the “sign-in wrap” agreement presented to consumers at the purchase checkout page, which required plaintiffs to agree to the defendant’s terms of service and privacy policy whenever they placed an order. While the plaintiffs argued that the privacy policy “does not provide sufficient notice that [the defendant] would collect the information that it did,” the court pointed out that the policy contained provisions disclosing that third parties like the defendant “may obtain not only credit card data, but also ‘identifiers, demographic information, commercial information, relevant order information, internet activity, geolocation data, sensory information, and inferences,’” and that partners may also “use various technologies’ to ‘collect information about [consumer] online activity over time and across different websites or online services.’” Among other things, the court reasoned that the disclosures were binding on the consumers, even though they were provided by the defendant and not the merchants.
The court dismissed in part the plaintiffs’ claims under California’s Unfair Competition Law (UCL) and California Consumer Privacy Act (CCPA), in part because the CCPA “has no private right of action” and “consumers may not use the CCPA as a basis for a private right of action under any statute.” The court also dismissed the plaintiffs’ fraud prong of the UCL, but allowed the plaintiffs’ unfair competition prong under the UCL to proceed.
NYDFS to start collecting and publishing board diversity data
On July 29, NYDFS announced in an industry letter that it will start collecting gender, racial, and ethnic board and management composition data as of December 31, 2019 and 2020 from state-regulated (i) banking institutions with over $100 million in assets; (ii) non-depository financial institutions with over $100 million in gross revenue; and (iii) entities authorized to engage in virtual currency business activities. Citing its authority under Banking Law 37(3) to “require any banking organization to make special reports to her at such times as she may prescribe,” the Superintendent stated NYDFS plans to collect data over late summer and will publicly publish findings on an aggregate basis in the first quarter of 2022. The results will be categorized by institution type and other relevant factors to “allow firms to assess where they stand relative to their peers” and hopefully “raise the bar for the entire industry.” In the future, the NYDFS would consider collecting and disclosing similar information, “including on a more granular basis.” The letter also set out the NYDFS’ expectation that institutions would (i) make the diversity of their leadership “a business priority and integrate it into their corporate governance”; (ii) “pay close attention to their talent pipeline of future diverse leaders, in addition to the diversity of its affiliates”; and (iii) “view diversity like other strategic priorities.”
DFPI releases report on CRMLA
On August 2, the California Department of Financial Protection and Innovation released a report examining residential mortgage lending, rates, consumer complaints, foreclosures, and other data elements during 2020. The DFPI compiled data submitted by licensed non-bank mortgage lenders under the California Residential Mortgage Lending Act (CRMLA). According to the report, “nonbank residential mortgage loans doubled from 2019 to 2020 as more Californians refinanced or obtained new loans in response to lower interest rates despite the economic downturn that resulted from the COVID-19 pandemic.” The report also noted that there was an approximate 68 percent decrease in foreclosures in response to Covid-19 moratoriums meant to protect consumers and an almost 19 percent decline in complaints. Other key findings include that (i) the number of mortgage loans originated increased by 100.5 percent; (ii) the number of loans brokered increased by 52.7 percent; and (iii) the aggregate average amount of loans serviced by licensees each month increased by 12.4 percent compared to 2019.
District Court grants Georgia regulator default judgment against unauthorized bank
On July 26, the Georgia Department of Banking and Finance (Department) announced that the Superior Court of DeKalb County entered an order granting default judgment against defendants for unauthorized banking activities and the unapproved use of the word “bank.” Under Georgia law, it is unlawful to conduct, advertise, or be affiliated with a banking business in the state without a bank charter. Georgia law also prohibits the use of the words “bank” and/or “trust” in any entity’s name without permission from the Department. In 2020, the Department issued a cease and desist order against the defendants after the Department determined that it had no records of the entity and had not approved it or the individual defendant to organize a bank and/or conduct a banking business in or from Georgia. Nor had the Department granted the entity defendant the ability to use the word “bank” in its name. The Department later discovered that the defendants violated the cease and desist order by continuing to engage in unauthorized banking activities and continuing to advertise using the word “bank” without approval. The court ordered the defendants to comply with the cease and desist order and permanently enjoined them from, among other things, using bank nomenclature and advertising or providing financial products or services from within Georgia without written authorization from the Department.