InfoBytes Blog

Financial Services Law Insights and Observations

  • Bank regulators respond to bankers’ motion to enjoin CRA final rule

    Courts

    On March 8, the Fed, OCC, and FDIC (the federal banking agencies, or “FBAs”) submitted a brief opposing the plaintiffs’ motion for a preliminary injunction to stop the CRA final rule from going into effect. As previously covered by InfoBytes, a group of trade, banking, and business associations filed a class-action complaint for injunctive relief against the bank regulators’ enforcement of the final rule to implement the CRA before it goes into effect on April 1. The FBAs assert that, in opposing the final rule, the plaintiffs are asking the court to “graft” two exclusions from the CRA’s purpose that are not actually in the statute: first, to exclude geographic areas where a bank conducts retail lending from the scope of the bank’s “entire community”; and second, to exclude a bank’s deposit activities from the assessment on whether a bank is meeting its entire community’s “credit needs.” The banking regulators also argued that the plaintiffs’ motion for preliminary relief should fail because the plaintiffs cannot show irreparable harm, in that they have failed to demonstrate that costs to comply with the CRA final rule, which would not apply until 2026 and 2027, were significant when considered in the context of the bank’s overall finances. Finally, the FBAs argued that the public interest and balance of equities favor allowing the final rule to proceed, as, among other factors, “the rule provides significant regulatory relief and lower compliance costs for smaller institutions by increasing the asset size thresholds that determine which performance tests apply to an institution.” 

    Courts Bank Regulatory CRA OCC FDIC Federal Reserve Agency Rule-Making & Guidance Litigation

  • CPPA releases latest draft of automated decision-making technology regulation

    State Issues

    The California Privacy Protection Agency (CPPA) released an updated draft of its proposed enforcement regulations for automated decisionmaking technology in connection with its March 8 board meeting. The draft regulations included new definitions, including “automated decisionmaking technology” which means “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking,” which expands its scope from its previous September update (covered by InfoBytes here).

    Among other things, the draft regulations would require businesses that use automated decisionmaking technology to provide consumers with a “Pre-use Notice” to inform consumers on (i) the business’s use of the technology; (ii) their right to opt-out of the business’s use of the automated decisionmaking technology and how they can submit such a request (unless exempt); (iii) a description of their right to access information; and (iv) a description of how the automated decisionmaking technology works, including its intended content and recommendations and how the business plans to use the output. The draft regulations detailed further requirements for the opt-out process.

    The draft regulations also included a new article, entitled “risk assessments,” which set out when a business must conduct certain assessments, along with requirements for businesses that process personal information to train automated decisionmaking technology or artificial intelligence. Under the proposed regulations, every business whose processing of consumers’ personal information may present significant risk to consumers’ privacy must conduct a risk assessment before initiating that processing. If a business previously conducted a risk assessment for a processing activity in compliance with the article and submitted an abridged risk assessment to the CPPA, and there were no changes, the business is not required to submit an updated risk assessment. The business must, however, submit a certification of compliance to the CPPA.

    The CPPA has not yet started the formal rulemaking process for these regulations and the drafts are provided to facilitate board discussion and public participation, and are subject to change. 

    State Issues Privacy Agency Rule-Making & Guidance California CPPA Artificial Intelligence

  • Business groups sue the CFPB over credit card late fee rule

    Courts

    On March 7, several business groups (plaintiffs) sued the CFPB in the U.S. District Court for the Northern District of Texas over its announced credit card late fee rule. As previously covered by InfoBytes, the Bureau’s new final rule limited most credit card late fees to $8, among other actions, and was met immediately with criticism from banks and legislators.

    The plaintiffs’ complaint claimed the CFPB completed the rule hastily to implement a pledge made by President Biden around his State of the Union Address to reduce credit card late fees by 75 percent. The complaint further asserted the CFPB skipped necessary steps, made economic miscalculations, and otherwise breached the Administrative Procedure Act. As alleged, the Bureau likely understated “the volatility of card issuers’ cost-to-fee ratios pertaining to late fees” and improperly relied on data which does not allow for the recovery of a “reasonable and proportional” penalty fee. On the Bureau’s use of the Y-14M data, the complaint alleged the new rule ignored peer-reviewed studies and instead opted to base the rule on an internal study using confidential data that was not available for examination during the period allocated for public comment. The plaintiffs argued the final rule would incur “substantial compliance costs” by amending printed disclosures, using the cost-analysis provisions, and notifying consumers of changes in interest rates to recoup costs, among other problems. The complaint also cited TILA’s effective-date provisions and the Bureau’s embattled funding structure to support the argument that the final rule would cause irreparable harm.

    Courts Federal Issues CFPB Litigation Credit Cards Agency Rule-Making & Guidance Fees Consumer Finance Consumer Protection

  • FHFA eliminates household income restriction on PTFCs

    Agency Rule-Making & Guidance

    On March 12, the FHFA published a final rule in the Federal Register titled “Exception to Restrictions on Private Transfer Fee Covenants (PTFCs) for Loans Meeting Certain Duty to Serve Shared Equity Loan Program Requirements,” which established an additional exception to the FHFA’s regulation proscribing Fannie Mae, Freddie Mac, and FHLBanks from “purchasing, investing in, [and] accepting as collateral” mortgages encumbered by certain types of PTFCs, or related securities, subject to certain exceptions. This new exception will allow the banking entities to engage in transactions if the loans met the equity loan program requirements for the resale restriction programs “without regard to any household income limit.” The final rule will go into effect on May 13.

    Agency Rule-Making & Guidance FHFA Freddie Mac Fannie Mae

  • VA proposes rule changes to VA-Guaranteed, IRRRLoans

    Agency Rule-Making & Guidance

    On March 7, the VA published a supplemental notice of proposed rulemaking in the Federal Register titled “Loan Guaranty: Revisions to VA-Guaranteed or Insured Interest Rate Reduction Refinancing Loans” which sought comment on whether the “date of loan issuance” should be defined as the date of the note (as originally suggested) or as the date “the first payment is due.” The notice explained the VA did not receive any comments on this aspect of the proposed rule and enumerated several concerns with the initial proposed definition. The comment period for this proposed rule will close on May 6.

    Agency Rule-Making & Guidance Federal Issues Department of Veterans Affairs Loans

  • Fed issues final rule for FMUs to update risk management requirements, noting cyber and climate risks

    Agency Rule-Making & Guidance

    On March 8, the Federal Reserve Board announced a final rule that will update risk management requirements for financial market utilities (FMUs) supervised by the Fed. FMUs provide the financial infrastructure to clear and settle payments and transactions. The rule will go into effect 30 days after publication in the Federal Register, and FMUs are expected to comply with certain updates by 90 days and all updates by 180 days after publication. The Fed reported the final rule is “substantially similar” to the proposed rule and provided additional details to the existing requirements for the following: (i) review and testing; (ii) incident management; (iii) business continuity management; and (iv) third-party risk management.

    Agency Rule-Making & Guidance Federal Issues Federal Reserve Cyber Risk & Data Security Risk Management

  • FTC updates the Telemarketing Sales Rule, proposes tech support rule

    Agency Rule-Making & Guidance

    On March 7, the FTC announced updates to the Telemarketing Sales Rule (TSR) to extend fraud protections to businesses and modernize recordkeeping requirements in response to technological advancements. These updates were part of an ongoing review of the TSR, which governs telemarketing practices and includes the Do Not Call Registry (DNC) and rules against telemarketing robocalls.

    The newly finalized rule broadened the scope of prohibited deceptive and abusive telemarketing practices to include business-to-business calls, which were previously exempt, except in specific cases. The rule also revised the TSR's recordkeeping requirements to reflect changes in technology and telemarketing methods, which included maintaining detailed call records and consent documentation, as well as compliance with the DNC Registry.

    In addition to these updates, the FTC proposed a rule that would enhance its ability to tackle tech support scams by extending the TSR's coverage to include inbound telemarketing calls for technical support services. This amendment addressed deceptive tech support schemes and would empower the FTC to seek stronger legal remedies such as civil penalties and consumer compensation. The Commission invited public feedback on a proposed definition of tech support scams.

    Agency Rule-Making & Guidance Federal Issues FTC TSR Artificial Intelligence

  • Ginnie Mae now requires issuers to disclose cybersecurity incidents within 48 hours

    Agency Rule-Making & Guidance

    On March 4, the President of Ginnie Mae released All Participants Memorandum (APM) 24-02, which set forth a new requirement applicable to all issuers, including issuers that subservice loans for others. The memo mandated that all approved issuers must notify Ginnie Mae of any significant cybersecurity incident within 48 hours of detection. Ginnie Mae defined a “Cyber Incident” as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constituted a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the Issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.” If a Cyber Incident has occurred, issuers must report it to Ginnie Mae via a specified email address and must include (i) the date and time of the incident, (ii) a summary of the incident, and (iii) points of contact responsible for coordinating any follow-up questions regarding the incident. These requirements are also now reflected in Chapter 03, Part 18 of the Mortgage-Backed Securities Guide, 5500.3, REV-1.

    Agency Rule-Making & Guidance Ginnie Mae Mortgage-Backed Securities Cyber Risk & Data Security Disclosures

  • CFPB lowers most credit card late fees to $8, amending Regulation Z

    Federal Issues

    On March 5, the CFPB announced a final rule that will amend TILA Regulation Z and lower the typical credit card late fees from $30 to $8. According to the final rule, the CFPB determined that the Regulation Z §1026.52(b) $30 discretionary safe harbor for fees (for card issuers that together with their affiliates have at least one million open credit card accounts, i.e., “larger card issuers”) is too high, and therefore “are not consistent with TILA’s statutory requirement that such fees be reasonable [for a] violation.”

    For larger card issuers, the final rule will repeal the current safe harbor threshold amount and adopt a late fee safe harbor dollar amount of $8. It also will eliminate the higher late fee safe harbor dollar amount for repeat violations that occur during the same billing cycle or in one of the next six billing cycles. Larger card issuers will still be able to charge fees above the safe harbor threshold for late fees if they can prove the higher fee is necessary to cover their actual collection costs.

    With respect to late fees imposed by larger card issuers, the provision on annual adjustments for the safe harbor dollar amounts (to reflect changes in the consumer price index) will not apply to the $8 safe harbor amount for those late fees. For card issuers that together with their affiliates have fewer than one million open credit card accounts for the entire preceding calendar year (“smaller card issuers”), the safe harbors revised pursuant to the annual adjustments will continue to apply to the late fees imposed by them. The final rule also amended comments and sample forms in Appendix G to revise current examples of late fee amounts to be consistent with the $8 safe harbor amount. Card issuers that meet or exceed the one million open credit card account thresholds, transforming them into larger card issuers, will have 60 days to comply with the requirements of the rule.

    Regarding annual adjustments for safe harbor threshold amounts, the rule will adjust safe harbor threshold amounts in §§1026.52(b)(1)(ii)(A) and (B) to $32, and $43 for repeat violations that will occur during the same billing cycle or in one of the next six billing cycles. These two revised threshold amounts will apply to penalty fees other than late fees for all card issuers, as well as late fees imposed by smaller card issuers. The CFPB’s final rule will go into effect 60 days after publication in the Federal Register.

    The final rule was highlighted in the White House’s Fact Sheet entitled, “President Biden Announces New Actions to Lower Costs for Americans by Fighting Corporate Rip-Offs,” which announced a new “Strike Force on Unfair and Illegal Pricing” co-chaired by the DOJ and the FTC to strengthen interagency efforts to combat high prices through anti-competitive, unfair, deceptive, or fraudulent business practices.

    Federal Issues Agency Rule-Making & Guidance CFPB TILA Regulation Z

  • FHFA announces updates for implementation of GSE credit score requirements

    Federal Issues

    On February 29, FHFA announced updates related to the implementation of new credit score requirements for single-family loans acquired by Freddie Mac and Fannie Mae (GSEs). As previously covered by InfoBytes, FHFA released a two-phase plan for soliciting stakeholder input on the agency’s proposed process for updating credit score requirements. The new process, called the FICO 10T model, will, among other things, require two credit reports (a “bi-merge” credit report) from the national consumer reporting agencies, rather than the traditional three (covered by InfoBytes here). After considering stakeholder input, FHFA expects to transition from the Classic FICO credit score model to the bi-merge credit reporting requirement in Q1 2025. The GSEs will also move up the publication of VantageScore 4.0 historical data to Q3 2024 “to better support market participants” and provide pertinent historical data before the transition. FHFA will provide more details on the timing for FICO 10T implementation once this initial process is complete.

    Federal Issues Freddie Mac Fannie Mae GSEs Credit Scores Consumer Finance Agency Rule-Making & Guidance
