Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On November 3, the House Financial Services Subcommittee on Consumer Protection and Financial Institutions held a hearing titled “Cyber Threats, Consumer Data, and the Financial System.” The hearing examined cybersecurity and consumer data protection challenges for financial institutions, discussed agencies efforts to strengthen cyber defenses for financial institutions, and reviewed the current legal framework governing data security. According to a committee memorandum, cyberattacks on banks are increasing in number. In the first half of 2021, banks and credit unions saw a 1,318 percent increase in ransomware attacks. In written testimony, one of the witnesses expressed his concern regarding the technological disparity between minority depository institutions (MDI) and large banks, observing that “cultural shifts inside the financial services industry, including the core processors and regulators, are necessary to help MDIs better orient themselves to meet new customer demands.” Another witness discussed in his written testimony support for the NCUA to obtain data security and privacy authority over third-party vendors, which is an authority currently given to other federal agencies. Among other things, the hearing addressed several bills on cybersecurity and consumer protection: (i) Safeguarding Non-bank Consumer Information Act; (ii) Strengthening Cybersecurity for the Financial Sector; and (iii) Enhancing Cybersecurity of Nationwide Consumer Reporting Agencies Act. Specifically, one of the witnesses in his written testimony recommended that Congress revise the definition of “data aggregators” in the Safeguarding Non-bank Consumer Information Act to ensure that it covers non-financial institution entities and individuals.
On November 5, CFPB Deputy Director Zixta Martinez spoke before the Bureau’s Academic Research Council (ARC) meeting, in which she discussed recent research efforts taken to inform future rulemaking and identify root causes of challenges facing consumers. Martinez highlighted Section 1022 orders recently sent to several big tech payment platforms seeking information on their products, plans, and practices (covered by InfoBytes here). She noted that the evaluation of these companies’ payments platform data will help inform the Bureau on the future of the payments system as well as potential emerging risks, and will provide insights that may impact future rulemaking under Section 1033 concerning the disclosure of consumer data by regulated entities. Among other things, Martinez also discussed the importance of small business lending research to better understand whether these businesses provide fair and equitable access to credit and referred to the Bureau’s Section 1071 notice of proposed rulemaking issued in September (covered by a Buckley Special Alert). Martinez also noted that one of the Bureau’s priorities is ensuring access to fair and affordable credit for low-income, minority, or traditionally underserved communities, and said the Office of Research will solicit “suggestions and advice for ways to integrate racial and economic equity analyses into the CFPB’s research agenda.”
On November 2, the House Financial Services Committee’s Task Force on Financial Technology held a hearing titled “Buy Now, Pay More Later? Investigating Risks and Benefits of BNPL and Other Emerging Fintech Cash Flow Products,” urging regulators to examine the BNPL industry. The committee memorandum highlighted the rise in consumers products offered by fintechs, such as BNPL, earned wage access, and overdraft avoidance products, and warned that while these products may help consumers manage their personal cash flow, they also have the potential to create unsustainable levels of debt. FSC staff noted that many lending disclosure requirements, including those under TILA, may not apply to several of these products, thus creating concerns regarding consumers’ understanding of the associated risks. Pointing out that payments made on many of these products are not reported to credit bureaus, FSC staff raised the issue of whether consumers are missing out on opportunities to build credit.
The task force heard from several industry witnesses who discussed, among other things, current federal and state consumer protection regulations that apply to BNPL products. One witness stressed the importance of “balanced and thoughtful regulation” that benefits consumers and merchants using these new payment solutions, and noted that the industry is actively working with credit bureaus on ways to share repayment data. House Financial Services Chair Maxine Waters (D-CA) also urged the CFPB to “look[ ] deeply” at these emerging products to gain a better understanding of how they may impact low- and moderate-income consumers and borrowers of color. Representative Blaine Luetkemeyer (R-MO) noted, however, that these products “allow people to purchase products, [and] pay for them in a timely manner as they can afford them.” Representative Warren Davidson (R-OH) agreed, stressing that policymakers need to “avoid punishing new products for not fitting within regulatory buckets that were already built” and “should avoid overly impairing consumer choices on how they spend money.”
On November 1, the National Community Reinvestment Coalition (NCRC) announced it had filed fair housing complaints with HUD against two mortgage lenders for allegedly engaging in discriminatory behavior against prospective Black clients. The first complaint is based on a matched-pair test conducted in the Seattle/Tacoma, Washington area, which allegedly demonstrated that lending specialists provided different lending product information to prospective borrowers based on race. NCRC also alleged that the lender’s HMDA data showed lending behaviors consistent with discriminatory practices. NCRC also conducted matched-pair testing on a second lender’s practices in the Charlotte, North Carolina area. According to the complaint, the lender also allegedly provided different information and more favorable services to White testers. An examination of the lender’s HMDA data similarly showed alleged discriminatory lending patterns.
On November 3, the OCC, the Federal Reserve, and the U.S. Treasury Department released statements expressing support for the Network for Greening the Financial System (NGFS) Glasgow Declaration. OCC acting Comptroller Michael J. Hsu noted in a statement that the OCC is developing “high-level climate risk management supervisory expectations for large banks” and expects to issue the framework guidance for comment “by the end of the year.” Hsu also noted that the OCC will implement recommendations of the FSOC Climate Change Report, which was released in response to President Biden’s May executive order, and directed financial regulators to take steps to mitigate climate-related risk related to the financial system (covered by InfoBytes here). In a statement by Treasury Secretary Yellen, she discussed the importance of tackling climate change, stating that it is “the greatest economic opportunity of our time,” and noted the U.S. is “calling on the multilateral development banks to increase their efforts.” The Fed noted in a statement that it is committed to understanding and addressing climate change and, furthermore, “will address climate-related risks in an analytically rigorous, transparent, and collaborative way through our domestic work with other federal agencies including the Financial Stability Oversight Council; our international engagement through the Financial Stability Board, the Basel Committee on Banking Supervision, and the NGFS; and through our broad and transparent engagement with the private sector.”
On November 3, acting Comptroller of the Currency Michael J. Hsu spoke before the American Fintech Council’s Fintech Policy Summit 2021 and warned that “[t]he rebundling of banking services by fintechs and the fragmented supervision of universal crypto firms pose significant medium- to long-term risks to consumers, businesses, and financial stability.” Hsu also noted that large “universal” cryptocurrency firms interested in offering a wide range of financial services should “embrace comprehensive, consolidated supervision” like that given to banks. “Crypto firms today are regulated at most only partially and selectively, with no single regulator having a comprehensive view of the firm as a whole,” Hsu stated, adding “[t]his warrants greater attention as crypto firms, especially the universals, get bigger, engage in a wider range of activities and risk-taking, and deepen their interconnectedness within the crypto ecosystem and with traditional finance.” Warning that these “synthetic banking providers” (SBPs) could create a “run risk” and regulatory arbitrage, Hsu stressed the importance of removing “the disparity between the rights and obligations of banks and the rights and obligations of synthetic banking providers by holding SBPs to banking standards.” He further warned that customers’ needs must be met in a way that is reliable, consistently safe, sound, and fair, and discussed several reasons why more SBPs have not sought to become banks, including that “regulators have been unpredictable with regards to chartering new banks and approving fintech acquisitions of banks.” Establishing a clear, shared approach to the bank regulatory perimeter related to emerging technologies can address this challenge, he advised.
Hsu also announced that the OCC concluded its review of recent bank charter applications and cryptocurrency-related interpretive letters and stated that the agency will communicate its determinations and feedback to bank charter applicants in the coming weeks. Findings from a “crypto sprint” done in conjunction with the FDIC and Federal Reserve will also be communicated shortly. “The content of these communications—on the chartering decisions, interpretive letters, and the crypto sprint—will be broadly aligned with the vision for the bank regulatory perimeter laid out here today,” Hsu stated.
On November 5, the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) published a rule in the Federal Register requiring employers to develop, implement and enforce a mandatory Covid-19 vaccination policy, unless they adopt a policy requiring employees to choose between vaccination or regular testing for Covid-19 and wearing a face covering at work. The emergency temporary standard (ETS) is for “employers with 100 or more employees—firm or company-wide,” which covers two-thirds of the nation's private-sector workforce. According to OSHA’s press release, the ETS requires employers to: (i) give paid time to workers to get vaccinated; (ii) permit paid leave for employees recovering from side effects; (iii) determine the vaccination status of each employee; (iv) acquire proof of vaccination from each vaccinated employee; (v) maintain records on each employee’s vaccination status; (vi) ensure each employee who is not fully vaccinated is tested for Covid-19 at least once a week, in certain circumstance; (vii) require employees to provide prompt notice after receiving a positive Covid-19 test or diagnosis; and (viii) ensure that each employee who has not been fully vaccinated working indoors or when occupying a vehicle with another person, for work purposes, wears a face covering. The ETS is effective immediately and “employers must comply with most requirements within 30 days of publication and with testing requirements within 60 days of publication.”
The same day, the Biden administration released a fact sheet clarifying the details of OSHA’s mandate. Specifically, the fact sheet noted that though the testing requirement will not take effect until January 4, 2022, employers must be in compliance with all other requirements, such as “providing paid-time for employees to get vaccinated and masking for unvaccinated workers,” by December 5.
On November 4, the CFPB issued an advisory opinion to express its interpretation that credit reporting companies, including tenant and employment screening companies, are in violation of the FCRA if they engage in the practice of matching consumer records solely by name. According to the Bureau, the use of name-only matching procedures (without the use of other personally identifying information such as address, date of birth, or Social Security number) does not assure maximum possible accuracy of consumer information. The Bureau emphasized that there is a heightened risk of mistaken identity from name-only matching among Hispanic, Black, and Asian communities due to less surname diversity among those populations as compared to the White population. “When background screening companies and their algorithms carelessly assign a false identity to applicants for jobs and housing, they are breaking the law,” Director Rohit Chopra stated. “Error-ridden background screening reports may disproportionately impact communities of color, further undermining an equitable recovery.” The advisory opinion affirms consumer reporting companies’ obligation to use reasonable procedures to assure maximum possible accuracy, and “does not create a safe harbor to use insufficient matching procedures involving multiple identifiers.” Other practices, such as combining a name with date of birth, could also lead to cases of mistaken identity, the Bureau warned. The Bureau will work closely with the FTC to eliminate illegal conduct in the background screening industry, while the FTC may be able to take actions against unfair or deceptive conduct not covered by the CFPA. The Bureau further emphasized that violating the FCRA can lead to civil penalties, restitution, damages, and other relief.
Chopra issued a statement on the Bureau’s intention to curb false identity matching, pointing out that name-only matching is just one example of an inadequate procedure and that nothing in the advisory opinion “suggests that the responsibility to follow reasonable procedures to assure maximum possible accuracy can be met with a thoughtless application of any particular loose matching criteria, even if more than names alone are matched.” He also warned companies they should not try to evade their FCRA responsibilities “by issuing a disclaimer that their report might not be matched to the right person.” Chopra further noted that the Bureau will support the FTC in its work to monitor business models that rely on harvesting and monetizing personal data, as well as big tech companies and lesser-known data brokers that traffic data and consumer reports.
On October 27, the U.S. District Court for the Western District of New York denied a motion to dismiss an action brought by the CFPB and the New York attorney general against the operators of a debt-collection scheme, rejecting the defendants’ argument that they did not have fraudulent intent and their actions were taken for legitimate reasons. As previously covered by InfoBytes in April, the CFPB and the AG filed a complaint against the defendants for allegedly transferring ownership of his $1.6 million home to his wife and daughter for $1 shortly after he received a civil investigative demand and learned that the Bureau and the AG were investigating his debt-collection activities. The complaint further alleged that the transfer of the property was a fraudulent transfer under the FDCPA and made with the intent to defraud (a violation of the New York Debtor and Creditor Law), and that the owner-defendant “removed and concealed assets in an effort to render the Judgment obtained by the Government Plaintiffs uncollectable.” In 2019 the Bureau and the AG settled with the debt collection operation to resolve allegations that the defendants established and operated a network of companies that harassed and/or deceived consumers into paying inflated debts or amounts they may not have owed (covered by InfoBytes here).
The court denied the defendants’ motion to dismiss, concluding that the CFPB and AG raised sufficient allegations that the debtor’s transfers and mortgage on his property were knowingly fraudulent. The court determined that fraudulent intent under the FDCPA may be determined by several factors, sometimes called “badges of fraud,” including whether “‘the transfer or obligation was to an insider,’ ‘the debtor retained possession or control of the property transferred after the transfer,’ ‘before the transfer was made or obligation was incurred, the debtor had been sued or threatened with suit,’ ‘the value of the consideration received by the debtor was reasonably equivalent to the value of the asset transferred or the amount of the obligation incurred,’ and ‘the transfer occurred shortly before or shortly after a substantial debt was incurred.’” The court held it was reasonable to infer that the defendant was aware “that he would likely face civil prosecution” and judgments “would be beyond his ability to pay.” The court noted that the defendant engaged in transferring a personally significant asset—his $1.6 million residence—to two insiders for nominal consideration, which was considered to be “highly unusual.” Additionally, the defendant alleged that he continued to “’reside at and exercise control over’ the property and is now unwilling or unable to pay off the judgment,” which indicated the conveyance was also part of a sham divorce. Further, the court noted that “the complaint plausibly alleges that the mortgage ‘was not granted in good faith’ and was ‘made with the intent to make it appear that the Property was encumbered.’”
On November 2, the FDIC announced the creation of a new office to support the agency’s ongoing strategic and direct engagement with Minority Depository Institutions (MDIs), Community Development Financial Institution banks (CDFIs), and other mission-driven banks, in addition to promoting private sector investments in low- and moderate-income communities. The announcement further noted that FDIC Chairman Jelena McWilliams has initiated several programs for the FDIC’s MDI program since 2018, which include: (i) creating the Mission-Driven Bank Fund to facilitate critical capital investments in FDIC-insured MDIs and CDFIs (covered by InfoBytes here); (ii) establishing the MDI Subcommittee of the Advisory Committee on Community Banking; and (iii) adopting new processes to facilitate preservation of the minority character of an MDI in the case of a failure.