InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Colorado enacts Colorado Nonbank Mortgage Servicers Act
On July 12, Colorado enacted HB 1282, which creates the Colorado Nonbank Mortgage Servicers Act under Article 21 and provides additional consumer protections through the regulation of mortgage servicers. Under the act, a mortgage servicer does not include, among others: supervised financial organizations; certain regulated mortgage loan originators; a federal agency or department; a collection agency whose debt collection business involves collecting on defaulted mortgage loans; agencies, instrumentalities, or political subdivisions of the state; supervised lenders that do not service residential mortgages; servicers that service fewer than 5,000 residential mortgage loans annually; nonprofit organizations; government agencies; originators or servicers using a subservicer that does not act under their direction; and persons servicing loans held for sale. The act stipulates that on or after January 31, 2022, a person may not act as a mortgage servicer without providing notice to the administrator and paying the required fees within 30 days after it begins servicing in the state, and on or before January 31 annually thereafter. The act also outlines provisions related to renewal requirements, record retention, and compliance with federal laws and regulations. Under specified administrator powers and duties, the administrator is allowed to bring an enforcement action against a mortgage servicer, seek restitution and civil money penalties, and request an injunction. While the act provides a four-year statute of limitations, an additional one-year extension may be granted if it is proven that a mortgage servicer engaged in calculated conduct to delay commencement of the action. The act, however, does not create a private right of action or “affect[] any remedy that a borrower may have pursuant to law other than this Article 21.”
Connecticut incentivizes businesses to adopt cybersecurity standards
On July 6, the Connecticut governor signed HB 6607, which is intended to incentivize businesses to adopt cybersecurity standards. Among other things, the act provides a complete defense to punitive damages for a cause of action founded in tort claiming a business’ failure to “implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.” The defense is available when an action is brought under Connecticut law or in Connecticut state court and where a business’ cybersecurity program conforms to an “industry recognized cybersecurity framework,” including the National Institute for Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity and the Payment Card Industry Data Security Standard. A business can also take advantage of the defense if it is regulated by the state or federal government and is subject to, and conforms its cybersecurity program to, current versions of the following federal laws: (i) HIPAA; (ii) Title V of the Gramm-Leach-Bliley Act; (iii) the Federal Information Security Modernization Act; or (iv) the Health Information Technology for Economic and Clinical Health Act. Additionally, should one of the identified frameworks or provided laws be amended, a business has six months after publication to conform to the revisions. The act requires a business’ cybersecurity program to, among other things, protect both “restricted information” and “personal information,” and be based on a business’ size and complexity, the nature and scope of its conducted activities, the sensitivity of the protected information, and the cost and availability of tools to improve information security measures and reduce vulnerabilities. The defense will not apply if a business’ “failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.” The act takes effect October 1.
Virginia expands military service member housing protections
On July 1, the Virginia governor signed SB 1410, which, among other things, amends the state’s anti-discrimination statutes to prohibit discrimination in public accommodations, employment, and housing based on military status. The bill amends the Virginia Fair Housing Law to prohibit discrimination in the sale or rental of dwellings by any person or entity, and prohibit discrimination by “any person or other entity, including any lending institution, whose business includes engaging in residential real estate-related transactions.” The bill also provides that “the term ‘residential real estate-related transaction’ means any of the following: [t]he making or purchasing of loans or providing other financial assistance (i) for purchasing, constructing, improving, repairing, or maintaining a dwelling or (ii) secured by residential real estate; or [t]he selling, brokering, insuring, or appraising of residential real property.” The bill is effective immediately.
Colorado limits credit and debit card surcharges
On July 7, the Colorado governor signed SB 91, which, among other things, repeals a prior ban on surcharges for credit or debit card transactions. The bill limits the maximum surcharge amount per transaction to 2 percent of the payment amount or the actual fee. Merchants are required to display a specified notice regarding the surcharge on their premises or, for online purchases, before a customer’s completion of the transaction. The act becomes effective July 1, 2022.
Massachusetts regulator allows work from home for some entities
On July 12, the Division of Banks of the Massachusetts Office of Consumer Affairs and Business Regulations (Division) issued guidance that authorizes its licensees and registrants to continue permitting their personnel to operate remotely from non-licensed locations subject to certain conditions and restrictions. Among other things, the licensee or registrant: (i) cannot hold the unlicensed location out to the public as a place of business; (ii) must ensure that the individual working remotely only engages in activities that can be completed safely and in compliance with all applicable laws, regulations, and Division guidance; (iii) must ensure that the individual working remotely is strictly prohibited from engaging in any in-person customer interactions at the remote location; (vi) must have established security protocols to securely access systems through a virtual privacy network or other secure system; (v) must have policies and procedures to protect data; (vi) must protect sensitive customer information; and (vii) must ensure adequate supervision of remote personnel. The guidance also notes that the work location for mortgage loan originators (MLOs) has been the subject of various inquiries over the years and clarifies that MLOs are not required to live within a certain distance of a branch office and that “the Division will look to determine that the [branch] manager is able to provide adequate supervision for the given number and location of MLOs under his/her supervision.” The guidance replaces any previous guidance issued by the Division regarding telework and will continue, unless modified or withdrawn.
District Court preliminarily approves autopay class action settlement
On June 28, the U.S. District Court for the District of New Jersey granted preliminary approval of a settlement in a class action against a national bank alleging breach of contract and violations of the New Jersey Consumer Fraud Act by, among other things, misleading cardholders about their autopay options. According to the plaintiff’s memorandum of law requesting preliminary approval of the class action settlement, the bank presented cardholders with several payment options when setting up automatic online monthly payments. The plaintiff filed a putative class action alleging the “Amount Due” option, which he selected, “was misleading since customers who selected it likely intended to pay the total ‘amount due’ each month, leaving no balance to carry over and incur interest, but instead found themselves paying only the minimum amount due, thereby leaving a balance that was subject to interest charges.” This option, the plaintiff contended, was duplicative of the “Minimum Amount Due” option, which allowed cardholders to pay the minimum amount owed on their most recent credit card statement and carry the remaining balance (thus, incurring interest) to the following month. Plaintiff claimed this created potential confusion for cardholders “who intended to pay off their entire monthly credit card balance and instead ended up paying the minimum amount and accruing interest they were trying to avoid.” The parties agreed to stay the case pending mediation and reached a settlement, under which the bank agreed to pay $5.95 million to establish a settlement fund. The fund will cover approximately 100,000 class members who enrolled in the bank’s eBill autopay, “selected the ‘Amount Due’ payment option before March 7, 2021,” and “switched their payment option from ‘Amount Due’ to ‘Account Balance’ after making an ‘Amount Due’ payment and being assessed interest” during the identified time period.
Groups ask Education Dept. to stop preempting states on student lending
On July 7, the Conference of State Bank Supervisors (CSBS) and the North American Collection Agency Regulatory Association (NACARA) sent a letter to Department of Education Secretary Miguel Cardona urging the Department to rescind recent policies “claiming preemption or otherwise impairing state regulation of federal student loan servicers and debt collectors.” The letter acknowledges steps taken by the Department to facilitate coordination and collaboration with state financial regulators but notes that additional action is required to accomplish a shared mission of protecting student borrowers. Among other things, the letter discusses several Department actions taken over the years, including the Department’s 2018 position that state regulation of servicers of loans made under the William D. Ford Federal Direct Loan Program and the Federal Family Education Loan Program is preempted by federal law. The letter urges the Department “to rescind the 2018 preemption notice and formally recognize that state oversight and regulation is fully applicable to federal student loan servicers and debt collectors, entirely appropriate, and not in conflict with the purpose of the [Higher Education Act].” The letter also discusses revised guidance issued in May concerning the handling of outside requests for Department records and data. As previously covered by InfoBytes, the revised guidance supersedes the Department’s 2017 guidance and creates a “streamlined and expedited process” for reviewing information requests made by any state or federal authority for information pertaining to companies engaged in student loan lending or collections. However, CSBS and NACARA emphasize that the Department should “recognize that state financial regulators are independently authorized to access records in possession of the federal student loan servicers and debt collectors subject to state regulation.” Additionally, the letter requests, among other things, that the Department take additional action deemed necessary to “fully return” to a policy of collaboration for protecting student loan borrowers, pointing out that timing is important as most federal student loan repayments resume in October.
Special Alert: Colorado enacts comprehensive consumer privacy law
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became the first state to put in place significant consumer data privacy measures under the California Consumer Privacy Act (covered by a Buckley Special Alert), and earlier this year in March, Virginia enacted the Consumer Data Protection Act (covered by InfoBytes here).
Highlights of the CPA include:
District Court approves $6.02 million settlement in student debt-relief action
On July 1, the U.S. District Court for the Central District of California entered a stipulated final judgment and order against two defendants in a 2019 action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, which alleged a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint alleged that the defendants violated the Consumer Financial Protection Act, the Telemarketing Sales Rule, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the complaint asserted the defendants engaged in deceptive practices by misrepresenting (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness; and (iii) their ability to actually lower borrowers’ monthly payments.
The finalized settlement issued against the two relief defendants, who neither admit nor deny the allegations except as specifically stated, requires the payment of $3.98 million by one defendant and $2.04 million by the other. However, based on the defendant’s inability to pay, full payment of the $2.04 million will be suspended. The finalized settlement also ordered the paying relief defendant to disgorge any funds held in accounts in excess of the $3.98 million, “including any income such as interest, dividends, and capital gains, as of the date the funds are transferred.” Moreover, both relief defendants are required to grant all rights and claims of identified assets to the Bureau, as well as any assets “currently in the possession, custody, or control of the Receiver.”
The court previously entered final judgments against several of the defendants, as well as a default judgment and order against two other defendants (covered by InfoBytes here, here, and here). Orders have yet to be entered against the remaining defendants.
NYDFS issues ransomware guidance
On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that incidents follow a similar pattern where “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” Following guidance from the Federal Bureau of Investigation, NYDFS recommended that companies avoid making ransomware payments if their networks are compromised. NYDFS also urged all regulated entities to prepare for a ransomware attack by implementing measures such as: (i) training employees in cybersecurity awareness; (ii) implementing a vulnerability and patch management program; (iii) utilizing multi-factor authentications and strong passwords; (iv) using monitoring and response to detect intruders; (v) and having a ransomware-specific incident response plan. NYDFS Superintendent Linda A. Lacewell noted that “[c]ybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry.”