InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Defendant obligated to indemnify bank in data breach suit
On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data breach announced by the defendant in 2015. An investigation into the data breach determined that the defendant failed to require two-factor authentication on its remote access software, which contributed to the data breach and violated the payment brands’ security guidelines. The bank paid roughly $20 million to the payment brands and asked the defendant to indemnify it for the assessments. The defendant refused, arguing that its agreement with the bank was not breached because the payment brands’ rules “distinguish between actual and potential data comprises.” Moreover, the defendant stressed that “[b]ecause no evidence indicates that the attackers used the cardholder information” it was not obligated to indemnify the bank. However, the plaintiffs claimed that under the agreement, the defendant agreed to indemnify the bank “if its failure to comply with the brands’ security guidelines, or the compromise of any payment instrument, results in assessments, fines, and penalties by the payment brands.” The plaintiffs filed suit and moved for partial summary judgment on a breach of contract claim. In granting the plaintiffs’ motion for partial summary judgment, the court determined that the hospitality company is contractually obligated to cover the costs, ruling that actual data compromise is not necessary to trigger the agreement’s indemnification guidelines and that the bank does not need to show that the attackers used the payment information.
OCC updates Credit Card Lending booklet
On April 29, the OCC issued Bulletin 2021-22 announcing the revision of the Credit Card Lending booklet of the Comptroller’s Handbook. The booklet rescinds OCC Bulletin 2015-14 and replaces version 1.2 of the “Credit Card Lending” booklet that was issued on January 6, 2017. Among other things, the revised booklet (i) discusses the adoption of current expected credit loss methodology and the increased use of such modeling in credit card origination and risk management; (ii) reflects changes to OCC issuances; (iii) includes refining edits regarding supervisory guidance, sound risk management practices, and legal language; and (iv) includes revisions for clarity.
CFPB rolls back last year’s Covid-19 flexibilities
On March 31, the CFPB rescinded, effective April 1, the following policy statements, which provided temporary regulatory flexibility measures to help financial institutions work with consumers affected by the Covid-19 pandemic:
- A March 26, 2020, statement addressing the Bureau’s commitment to taking into account staffing and related resource challenges facing financial institutions related to supervision and enforcement activities.
- A March 26, 2020, statement postponing quarterly HMDA reporting requirements. (Covered by InfoBytes here.)
- A March 26, 2020, statement postponing annual data submission requirements related to credit card and prepaid accounts required under TILA, Regulation Z and Regulation E. (Covered by InfoBytes here.)
- An April 1, 2020, statement on credit reporting agencies and furnishers’ credit reporting obligations under the Fair Credit Reporting Act and Regulation V during the Covid-19 pandemic. The Bureau notes that the rescission “leaves intact the section entitled “Furnishing Consumer Information Impacted by COVID-19” which articulates the CFPB’s support for furnishers’ voluntary efforts to provide payment relief and that the CFPB does not intend to cite in examinations or take enforcement actions against those who furnish information to consumer reporting agencies that accurately reflect the payment relief measures they are employing.” (Covered by InfoBytes here.)
- An April 27, 2020, statement affirming that the Bureau would not take supervisory or enforcement action against land developers subject to the Interstate Land Sales Full Disclosure Act and Regulation J for delays in filing financial statements and annual reports of activity. (Covered by InfoBytes here.)
- A May 13, 2020, statement providing supervision and enforcement flexibility for creditors to resolve billing errors during the pandemic. (Covered by InfoBytes here.)
- A June 3, 2020, statement providing temporary flexibility for credit card issuers regarding electronic provision of certain disclosures during the Covid-19 pandemic in accordance with the E-Sign Act and Regulation Z. (Covered by InfoBytes here.)
The rescission also withdraws the Bureau as a signatory to the April 7, 2020, Interagency Statement on Loan Modifications and Reporting for Financial Institutions Working with Customers Affected by the Coronavirus (covered by InfoBytes here), and the April 14, 2020, Interagency Statement on Appraisals and Evaluations for Real Estate Related Financial Transactions Affected by the Coronavirus (covered by InfoBytes here).
Additionally, the Bureau issued Bulletin 2021-01 announcing changes to how it communicates supervisory expectations to institutions. Bulletin 2021-01 replaces Bulletin 2018-01 (covered by InfoBytes here), which previously created two categories of findings conveying supervisory expectations: Matters Requiring Attention (MRAs) and Supervisory Recommendations (SRs). Under the revised Bulletin, the Bureau notes that examiners “will continue to rely on [MRAs] to convey supervisory expectations” but will no longer issue formal written SRs, as the agency believes that MRAs will more effectively convey its supervisory expectations. The Bulletin further states that “Bureau examiners may issue MRAs with or without a related supervisory finding that a supervised entity has violated a Federal consumer financial law.”
NYDFS finds credit card underwriting showed no evidence of wrongdoing
In March, NYDFS released a report detailing the findings of an investigation into whether a global technology company and a New York state-chartered bank allegedly discriminated against women when making underwriting decisions for a co-branded credit card. According to the report, in 2019, allegations were made that the bank offered lower credit limits to women applicants and unfairly denied women accounts. NYDFS launched a fair lending investigation into the allegations and reviewed underwriting data for nearly 400,000 New Yorker residents, but ultimately found no evidence of unlawful disparate treatment or disparate impact. Among other things, the report noted that the bank “had a fair lending program in place for ensuring its lending policy—and underlying statistical model—did not consider prohibited characteristics of applicants and would not produce disparate impacts.” The bank also identified the factors it used when making the credit decisions, including credit scores, indebtedness, income, credit utilization, missed payments, and other credit history elements, all of which, NYDFS stated, appeared to be consistent with its credit policy.
Court says Kansas credit card surcharge ban is unconstitutional
On February 25, the U.S. District Court for the District of Kansas granted in part and denied in part a plaintiff’s motion for summary judgment in an action concerning whether a state statute that bans credit card surcharges violates the First Amendment. Kansas law prohibits merchants from imposing a surcharge on customers who pay with credit cards instead of cash, and allows merchants to offer discounts to consumers who pay with cash. The plaintiff, a payment processing technology company, provides “software that allows merchants to display prices, including cost surcharges on purchases made by credit card,” which “allows consumers to comparison shop among payment types.” The plaintiff challenged the constitutionality of the law, claiming it is an unconstitutional restriction on commercial speech since it “effectively limits” what the plaintiff and merchants “can treat as the ‘regular price’ of an item and the corresponding information about prices and credit card fees that can be conveyed to consumers.” The Kansas attorney general—who has the authority to enforce the state’s no-surcharge statute—countered, among other things, that the statute furthers substantial state interests by (i) encouraging merchants to charge lower prices to customers who pay with cash; (ii) lowering the amount of consumer credit card debt through the use of cash discounts; and (iii) providing benefits to merchants by encouraging cash purchases, thereby allowing them to receive immediate payments, avoid credit card fees, and incur lower costs.
The court disagreed, ruling that none of the AG’s arguments advanced a substantial state interest—a requirement in order to not be considered a violation of the First Amendment. “Plaintiff's desire to display a single price while informing customers that credit card purchasers will be charged an additional fee would logically tend to support whatever interest the state may have in encouraging lower prices for cash customers,” the court wrote. “The statute nevertheless effectively prohibits this type of disclosure. Clearly, this restriction on speech is more extensive than necessary to further the asserted state interest.” Moreover, the court noted that “‘surcharges and discounts are nothing more than two sides of the same coin; a surcharge is simply a ‘negative’ discount, and a discount is a ‘negative’ surcharge.”
FTC settles with credit card laundering defendants
On February 10, the FTC announced settlements with several defendants that allegedly violated the FTC Act and the Telemarketing sales Rule by assisting an operation responsible for laundering millions of dollars in credit card charges through fraudulent merchant accounts. As previously covered by InfoBytes, the defendants engaged in a credit card laundering scheme with the operation to process credit card charges through merchant accounts set up by the operation under fictitious company names instead of processing charges through a single merchant account under the operation’s name. According to the FTC’s complaint, the defendants purportedly (i) underwrote and approved the operation’s fictitious companies; (ii) set up merchant accounts with its acquirer for the fictitious companies; (iii) used sales agents to market processing services to merchants; (iv) processed nearly $6 million through credit card networks; and (v) transferred sales revenue from the transactions to companies controlled by the defendants.
The settlements (see here, here, and here) permanently ban three of the defendants from payment processing and telemarketing or acting as independent sales organizations or sales agents in the payment processing industry. A previously issued settlement against a fourth defendant banned him from payment processing or acting as an independent sales organization or sales agent in the payment processing industry. Monetary judgments totaling more than $10.7 million collectively have been suspended due to the defendants’ inability to pay.
States reach $4.2 million settlement to resolve credit card interest overcharges
On February 8, state attorneys general from Pennsylvania, Iowa, Massachusetts, New Jersey, and North Carolina entered into an assurance of voluntary compliance with a national bank to resolve allegations that it overcharged credit card interest for certain consumers. According to the investigating states, between February 2011 and August 2017, the bank allegedly failed to properly reevaluate and reduce the annual percentage rate (APR) for certain consumer credit card account holders who were entitled to a reduction, as required by the CARD Act and state consumer protection laws. The announcement follows a 2018 CFPB settlement, in which the bank agreed to provide $335 million in restitution to affected consumers (covered by InfoBytes here). At the time, the Bureau noted that it did not assess civil monetary penalties due to efforts undertaken by the bank to self-identify and self-report violations to the Bureau. The states also acknowledged that the bank self-identified issues with its APR reevaluation process through an internal compliance program. The bank denied liability or that it violated the states’ consumer protection laws and has agreed to pay $4.2 million to approximately 25,000 current and former affected consumers, which will be limited to consumers who received a payment of $500 or more in restitution from the bank for the original violation.
FTC settles with training companies that charged consumers to obtain credit cards
On January 29, the FTC announced a settlement with two Nevada companies and two individuals (collectively, “defendants”), resolving allegations that the defendants violated the FTC Act, the Telemarketing Sales Rule, the Credit Repair Organizations Act, and the Consumer Review Fairness Act by charging consumers thousands of dollars to apply for numerous personal credit cards in order to pay for real estate investment training programs offered by other companies. According to the complaint, the training companies (many of which, the FTC claims, have been the subject of FTC enforcement actions for operating deceptive training schemes) pitch the defendants’ funding services to individuals who want to participate in the training companies’ programs and coaching about starting businesses or becoming real estate investors. However, the FTC claims that, in reality, the defendants are not lenders and do not actually provide any form of financing themselves. Rather, the defendants charge $3,000 or more to apply for multiple credit cards with total credit lines of at least $50,000 on behalf of the individuals—a practice known as “credit card stacking.” In addition, the FTC claims that the defendants inflated individuals’ annual incomes on credit card applications and told individuals they could anticipate earning around $100,000 if they used the training companies’ program, which individuals often purchased using credit cards they obtained from the defendants. Because most individuals did not earn the expected money, they incurred substantial credit card debt and experienced significant credit score declines.
The proposed settlement imposes a $2.1 million monetary judgment against the defendants, and permanently bans the defendants from, among other things, selling consumer credit services, misrepresenting the financial status of any consumer to a financial institution, engaging in business connected with the offer or sale of a credit repair service, and applying for or obtaining credit cards for consumers in exchange for a fee.
CFPB issues Covid-19 supervisory highlights
On January 19, the CFPB released a special edition of Supervisory Highlights detailing the agency’s Covid-19 prioritized assessment (PA) observations. Since May 2020, the Bureau has conducted PAs in response to the pandemic in order to obtain real-time information from supervised entities operating in markets that pose an elevated risk of pandemic-related consumer harm. According to the Bureau, the PAs are not designed to identify federal consumer financial law violations, but are intended to spot and assess risks in order to prevent consumer harm. Targeted information requests were sent to entities seeking information on, among other things, ways entities are assisting and communicating with consumers, Covid-19-related institutional challenges, compliance management system changes made in response to the pandemic, and service provider data. Highlights of the Bureau’s findings include:
- Mortgage servicing. The CARES Act established certain forbearance protections for homeowners. The Bureau pointed out that many servicers faced significant challenges, including operational constraints, resource burdens, and service interruptions. Consumer risks were also present, with several servicers (i) providing incomplete or inaccurate information regarding CARES Act forbearances, failing to timely process forbearance requests, or enrolling borrowers in unwanted or automatic forbearances; (ii) sending collection and default notices, assessing late fees, and initiating foreclosures for borrowers in forbearance; (iii) inaccurately handling borrowers’ preauthorized electronic funds transfers; and (iv) failing to take appropriate loss mitigation steps.
- Auto loan servicing. The Bureau noted that many auto loan servicers provided insufficient information to borrowers about the impact of interest accrual during deferment periods, while other servicers continued to withdraw funds for monthly payments even after agreeing to deferments. Additionally, certain borrowers received repossession notices even though servicers had suspended repossession operations during this time.
- Student loan servicing. The CARES Act established protections for certain student loan borrowers, including reduced interest rates and suspended monthly payments for most federal loans owned by the Department of Education. Many private student loan holders also offered payment relief options. The Bureau noted however that servicers faced significant challenges in implementing these protections. For certain servicers, these challenges led to issues which raised the risk of consumer harm, including (i) provision of incorrect or incomplete payment relief options; (ii) failing to maintain regular call center hours; (iii) failing to respond to forbearance extension requests; and (iv) allowing certain payment allocation errors and preauthorized electronic funds transfers.
- Small business lending. The Bureau discussed the Small Business Administration’s Paycheck Protection Program (PPP), noting that when “implementing the PPP, multiple lenders adopted a policy that restricted access to PPP loans beyond the eligibility requirements of the CARES Act and rules and orders issued by the SBA.” The Bureau encouraged lenders to consider and address any fair lending risks associated with PPP lending.
The Supervisory Highlights also examined areas related to credit card accounts, consumer reporting and furnishing, debt collection, deposits, prepaid accounts, and small business lending.
CFPB releases annual college credit card report
On October 8, the CFPB released its annual report to Congress on college credit card agreements. The report was prepared pursuant to the CARD Act, which requires credit card issuers to submit to the Bureau the terms and conditions of any agreements they make with colleges, as well as certain organizations affiliated with colleges. The Bureau cited data from 2019 showing that (i) the number of college credit card agreements, as well as the number of open accounts under these agreements, “continues a general trajectory of decline,” which is anticipated to continue into 2020; (ii) payments by issuers to the educational or affiliated entities remain stable overall; and (iii) agreements with alumni associations continue to dominate the market based on most metrics. The report also highlighted a statement issued by the Bureau in March, which was intended to temporarily provide more flexibility and reduce administrative burdens on credit card issuers (covered by InfoBytes here). The complete set of credit card agreement data collected by the Bureau can be accessed here.