Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 28, the CFPB issued an interpretive rule addressing states’ authority to pass consumer-reporting laws. Specifically, the Bureau clarified that states “retain broad authority to protect people from harm due to credit reporting issues,” and explained that state laws are generally not preempted unless they conflict with the FCRA or “fall within narrow preemption categories enumerated within the statute.” Under the FCRA, states have flexibility to enact laws involving consumer reporting that reflect challenges and risks affecting their local economies and residents and are able to enact protections against the abuse and misuse of data to mitigate these consequences.
Stating that the FCRA’s express preemption provisions have a narrow and targeted scope, the Bureau’s interpretive rule provided several examples such as (i) if a state law “were to forbid consumer reporting agencies [(CRA)] from including information about medical debt, evictions, arrest records, or rental arrears in a consumer report (or from including such information for a certain period of time), such a law would generally not be preempted; (ii) a state law that prohibits furnishers from furnishing such information to a CRA would generally not be prohibited; and (iii) if a state law requires a CRA to provide information required by the FCRA at the consumer’s requests in a language other than English, such a law would generally not be preempted. The interpretive rule is effective upon publication in the Federal Register.
The issuance of the interpretive rule arises from a notice received by the Bureau from the New Jersey attorney general concerning pending litigation that involves an argument that the FCRA preempted a state consumer protection statute. The Bureau stated that it “will continue to consider other steps to promote state enforcement of fair credit reporting along with other parts of federal consumer financial protection law,” including “consulting with states whenever interpretation of federal consumer financial protection law is relevant to a state regulatory or law enforcement matter, consistent with the State Official Notification Rule." As previously covered by InfoBytes, the Bureau issued an interpretive rule last month, clarifying states’ authority to bring enforcement actions for violations of federal consumer financial protection laws, including the CFPA.
On June 28, industry groups and the U.S Chamber of Commerce (collectively, “groups”) released a White Paper, Unfairness and Discrimination: Examining the CFPB’s Conflation of Distinct Statutory Concepts, urging the CFPB to rescind the recently released unfair, deceptive and abusive acts or practices (UDAAP) examination manual. As previously covered by a Buckley Special Alert, in March, the CFPB announced significant revisions to its UDAAP exam manual, in particular highlighting the CFPB’s view that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service. The White Paper, among other things, explained the groups’ position that the Bureau’s UDAAP authority cannot be used to extend the fair lending laws beyond the limits of existing statutory law. The White Paper stated that the Bureau “conflated” concepts of “unfairness” and “discrimination” “by announcing, via a UDAAP exam manual ‘update,’ that it would examine financial institutions for alleged discriminatory conduct that it deemed to be ‘unfair’ under its UDAAP authority.” The groups stated that the agency has “taken the law into its own hand” arguing that “the Bureau did not follow Administrative Procedure Act requirements for notice-and-comment rulemaking.” The groups said the change in the examination manual is “contrary to law and subject to legal challenge” as well as legislative repeal under the Congressional Review Act. Additionally, the groups argued that the Bureau’s interpretation exceeds the agency’s statutory authority, and that the Bureau’s “action should be held unlawful and set aside.” The groups further stated that “[c]hanges that alter the legal duties of so many are the proper province of Congress, not of independent regulatory agencies, and the CFPB cannot ignore the requirements of the Administrative Procedures Act and Congressional Review Act. The CFPB may well wish to fill gaps it perceives in federal antidiscrimination law. But Congress has simply not authorized the CFPB to fill those gaps.”
In a letter sent to CFPB Director Rohit Chopra, the groups conveyed that Congress did not intend for the Bureau to “fill gaps” between the clearly articulated boundaries of antidiscrimination statutes with its UDAAP authority. The groups urged Director Chopra to rescind the exam manual update and stated that “[s]hould [he] believe additional authority is necessary to address alleged discriminatory conduct, we stand ready to work with Congress and the CFPB to explore that possibility and to ensure the just administration of the law.
On June 28, CFPB Deputy Director Zixta Martinez spoke before the FDIC Meeting of the Advisory Committee on Economic Inclusion to discuss expanding access to affordable payments, credit, and other financial products and services. In her remarks, Martinez first discussed electronic payments, which she considers to be “quickly supplanting cash and are now an essential part of the economy.” She then discussed the role of banks, noting that they have an “obligatory and leading role” in expanding electronic payments. Martinez stated that with “their obligations to increase banking access and reduce banking and financial inequities, banks can play a key role, for example, in reducing the persistent and growing homeownership gap between Black and white families and closing the economic gap between the banked and the under- and un-banked.” She also stated that having access to electronic payments will “low[er] monthly fees and further reduc[e] the cost of overdraft and non-sufficient fund fees” and will service banking deserts in rural areas and within communities of color. Martinez further discussed actions to build out banking access and described a recent proposal to update the Community Reinvestment Act’s (CRA) regulatory framework (covered by InfoBytes here). Martinez stated that the proposal will; (i) take steps to address problems with grade inflation on CRA exams (i.e., meaning that “almost every bank” passes”); (ii) “rely upon small business lending data, which will allow for a more in-depth understanding of small business lending issues,” race, and ethnicity; (iii) “increase incentives for banks to finance community development projects in areas experiencing persistent poverty”; and (vi) “recognize banks that assist low- and moderate-income communities with clean energy transition and climate resiliency.” Additionally, Martinez noted that the Bureau “is working to ensure that banking access and access to credit is not unfairly affected by algorithmic models.” In conclusion, she said the Bureau’s recently released guidance “confirm[s] that it is unlawful to use black box models that do not allow for clear understanding of adverse actions, such as denial of credit.” (Covered by InfoBytes here.)
On June 28, the FTC filed a complaint against a national retailer for allegedly allowing its money-transfer services to facilitate fraud. The complaint alleges the retailer knew about the role money transfer services play in scams but failed to properly secure the services offered at its stores, thus allowing money to be sent to “domestic and international fraud rings.” According to the FTC, at least 226,679 complaints totaling more than $197 million were received by several money transfer services companies about fraud-induced money transfers that were sent from or received at one of the retailer’s stores between January 1, 2013 and December 31, 2018. An investigation by the FTC purportedly revealed that the retailer’s practices allegedly harmed consumers by, among other things, (i) allowing the payout of suspicious money transfers, which allowed scammers to retrieve fraud proceeds at one of the retailer’s stores; (ii) failing to have in place a written anti-fraud policy or consumer protection program until November 2014; (iii) allowing cash pickups for large payments, often through the use of fake IDs; (iv) failing to display or provide materials warning consumers about potential frauds; (v) failing to effectively train or retrain employees; and (vi) allowing money transfers to be used for telemarketing purchases, which are prohibited under the Telemarketing Sales Rule (TSR) due to the high risk of fraud.
According to the complaint, the retailer “is well aware that telemarketing and other mass marketing frauds, such as ‘grandparent’ scams, lottery scams, and government agent impersonator scams, induce people to use [the retailer’s] money transfer services to send money to domestic and international fraud rings. Nevertheless, [the retailer] has continued processing fraud-induced money transfers at its stores—funding telemarketing and other scams—without adopting policies and practices that effectively detect and prevent these transfers.”
The complaint seeks a permanent injunction, monetary relief, civil penalties, restitution, and other relief for each violation of the FTC Act and the TSR. The FTC also requests the “rescission or reformation of contracts, the refund of money, the return of property, the payment of damages, public notification, or other relief necessary to redress injury to consumers damages.”
The retailer issued a press release following the FTC’s announcement, stating that it considers the agency’s claims to be “misguided and legally flawed,” and that the civil lawsuit “was approved by the FTC by the narrowest of margins after Chair Lina Khan refused [the retailer] the due process of hearing directly from the company.” The retailer noted that the FTC’s decision comes after DOJ declined to pursue the case in court. Among other thing, the retailer contended that because it maintains robust anti-fraud measures there is no need for injunctive relief requiring the retailer to change its practices. The retailer pointed to the U.S. Supreme Court’s ruling in AMG Capital Management LLC v. FTC, which limited the FTC’s ability to obtain monetary relief in federal court (covered by InfoBytes here), to argue that the FTC “pivoted their focus in this case after AMG to a distorted interpretation of the TSR to effectively try and hold [the retailer] strictly liable for money transfers that third-party criminals reportedly persuaded some consumers to send.” The retailer added that “[s]witching their main legal theory to the TSR is an obvious attempt to get around the Supreme Court’s ruling in AMG.”
On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.
The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).
On June 24, the U.S. District Court for the Central District of California granted final approval of a $2.5 million class action settlement resolving claims that an auto dealer group and marketing director (collectively, “defendants”) violated the TCPA by sending “prerecorded telemarketing messages” to consumers’ cell phones without receiving consumers’ express written consent. According to the second amended complaint, the plaintiff sued the defendants after he allegedly received unsolicited prerecorded text messages advertising one of the auto group’s dealerships. Under the terms of the agreement, class members (comprised of consumers who were sent prerecorded messages from the defendants, auto dealerships managed by the defendant, or anyone acting on the defendant’s behalf, including employees, agents, third-party contractors, and sub-contractors) will receive a portion of the $2.5 million settlement. The settlement amount also provides for up to $625,700 in attorneys’ fees, nearly $12,600 for costs, and $125,000 for the settlement administrator. The class representative will be given a $5,000 service award. Additionally, the defendants and dealerships are required to “adopt policies and procedures regarding compliance with the TCPA and the National Do Not Call Registry.”
On June 24, the U.S. District Court for the Eastern District of New York granted final approval of a $38.5 million settlement in a class action against a national gas service company and other gas companies (collectively, defendants) for allegedly violating the TCPA in connection with calls made to cell phones. As previously covered by InfoBytes, the plaintiff’s memorandum of law requested preliminary approval of the class action settlement. The settlement establishes a settlement class of all U.S. residents who “from March 9, 2011 until October 29, 2021, received a telephone call on a cellular telephone using a prerecorded message or artificial voice” regarding several topics including: (i) the payment or status of bills; (ii) an “important matter” regarding current or past bills and other related issues; and (iii) a disconnect notice concerning a current or past utility account. Under the terms of the settlement, the defendants will provide monetary relief to claiming class members in an estimated amount between $50 and $150. The settlement will additionally require the companies to implement new training programs and procedures to prevent any future TCPA violations. The settlement permits counsel for the proposed class to seek up to 33 percent of the settlement fund to cover attorney fees and expenses.
On June 27, the Federal Reserve Board announced the final timeline and implementation details for the adoption of the International Organization for Standardization’s (ISO) 20022 message format for its Fedwire Funds Service—a real-time gross settlement system owned and operated by the Federal Reserve Banks that enables businesses and financial institutions to quickly and securely transfer funds. (See notice here.) The final details are “broadly similar” to the Fed’s proposal issued last October (covered by InfoBytes here). The Fed confirmed that ISO 20022 will be adopted on a single day as previously proposed instead of in three separate phases. Additionally, the Fed extended the implementation timeframe from a target date of November 2023 to March 10, 2025, based on comments received in response to the initial proposal. The Fed also provided information concerning its revised testing strategy and backout strategy, as well as other details concerning the implementation of the new message format.
On June 27, the OCC released its quarterly mortgage metrics report, which presents performance data for the first quarter of 2022 for loans that reporting banks own or service for others as a fee-based business. The first-lien mortgages included in the OCC’s quarterly report comprise 22 percent of all residential mortgage debt outstanding in the U.S., or approximately 12.2 million loans totaling $2.6 trillion in principal balances. The report, among other things, found that the performance of first-lien mortgages in the federal banking system improved during the first quarter of 2022. According to the report, 96.9 percent of mortgages were current and performing at the end of the quarter. The percentage of seriously delinquent mortgages was 1.8 percent in the first quarter of 2022, compared to 2.3 percent in the prior quarter. However, foreclosures increased compared to the prior quarter and a year earlier as pandemic-related accommodations wound down, with servicers initiating 19,524 new foreclosures in the first quarter of 2022.
On June 24, the FDIC released a list of 14 public enforcement actions taken against banks and individuals in May. These orders consist of “two consent orders, one modification of an 8(e) prohibition order, three orders to pay civil money penalty, three orders of prohibition, two section 19 orders, and one order of prohibition from further participation and order to pay, one order terminating amended supervisory prompt corrective action directive, and one order of termination of insurance.” Included is an order to pay a civil money penalty imposed against a Texas-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank failed “to obtain flood insurance or obtain an adequate amount of insurance coverage, at or before loan origination, for all structures in a flood zone, including multiple structures,” and failed “to force-place flood insurance, after loan origination, when the insurance on buildings securing the loan” was insufficient or nonexistent. The order assessed a $2,000 civil money penalty.
The FDIC also issued a consent order against a Utah-based bank based on alleged unsafe or unsound banking practices relating to the Bank Secrecy Act. The bank neither admitted nor denied the alleged violations but agreed to, among other things, “increase its oversight of the Bank's compliance with the BSA” and “conduct a comprehensive assessment of BSA/AML staffing needs.”
- Buckley Webcast: State supervision, enforcement, and multistate coordination
- Benjamin W. Hutten to discuss “Latest on AML regulations and impact of economic sanctions” at a Mortgage Bankers Association webinar
- Hank Asbill to discuss “Ethical issues at sentencing” at the 31st Annual National Seminar on Federal Sentencing
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar