InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB Proposes to Amend Annual Privacy Notice Requirement Under Regulation P
On July 1, the CFPB issued a proposed rule to amend Regulation P, which implements the Gramm-Leach-Bliley Act (GLBA) and requires, among other things, financial institutions to provide their customers with an annual notice that describes their privacy policies and procedures. The proposed amendment would implement a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act” (FAST Act). Pursuant to the FAST Act, the GLBA was amended so that financial institutions meeting certain criteria no longer need to send annual privacy notices. The CFPB’s recently issued proposed rule would amend Regulation P to implement the GLBA amendment. The CFPB’s proposed rule would further amend Regulation P to (i) provide timing requirements for the delivery of annual privacy notices for a financial institution that may originally qualify for the annual notice exception but then later changes its policies or practices so that it no longer meets the exception criteria; (ii) remove the Regulation P provision that allows financial institutions to post privacy notices online because the CFPB “believes the alternative delivery method will no longer be used in light of the annual notice exception”; and (iii) make a technical correction to one of its definitions.
CFPB Publishes Ninth Semi-Annual Report to Congress
On June 30, the CFPB published its ninth Semi-Annual Report to Congress covering supervisory and enforcement actions, rulemaking activities, newly designed consumer tools, and published reports from October 1, 2015 through March 31, 2016. The Semi-Annual Report provides an overview of relevant topics addressed in previous CFPB reports and bulletins, including monthly Consumer Complaint reports, Supervisory Highlights, and the February 2016 compliance bulletin regarding Regulation V. The report outlines, among other things, the CFPB’s (i) efforts to monitor the effectiveness of the SAFE Act; (ii) fair lending activities, including its risk-based fair lending prioritization process and recent public enforcement actions; and (iii) ongoing efforts to define larger participants in markets for consumer financial services and products which are subject to the Bureau’s supervisory authority. According to the report, the Bureau’s supervisory actions during the six month period covered in the report provided over $44 million in compensation to over 177,000 consumers, while enforcement actions in the same time period resulted in “approximately $200 million in total relief for consumers who fell victim to various violations of consumer financial protection laws, along with over $70 million in civil money penalties.”
NYDFS Adopts Final Anti-Terrorism and Anti-Money Laundering Regulation
On June 30, the NYDFS adopted a final rule that requires regulated financial institutions to maintain a transaction monitoring program for potential BSA/AML violations and a filtering program intended to ban transactions prohibited by federal economic and trade sanctions. Further, the Board of Directors or Senior Officer(s) are required to submit annually, by April 15, a Board Resolution or Compliance Officer Finding, confirming the steps taken to ascertain compliance with the regulation and stating that, “to the best of the [Board or Officer’s] knowledge, the Transaction Monitoring and Filtering Program complies with [the regulation].” The law applies to Regulated Institutions, which include banks, trust companies, private bankers, savings banks and savings and loan associations chartered pursuant to the New York Banking Law, and all branches and agencies of foreign banking corporations licensed under the Banking Law to conduct banking operations in New York; and non-banks, which include check cashers and money transmitters licensed under the Banking Law.
Each Regulated Institution’s transaction monitoring system must be designed, reviewed, updated, and tested in accordance with the detailed parameters of the Rule. The required Filtering Program may be manual or automated, and must be “reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC.” Like the Transaction Monitoring Program, the Filtering Program must also be designed, reviewed, updated, and tested in accordance with the detailed parameters of the Rule.
North Carolina Passes House Bill 289, Enacts the Money Transmitters Act
On June 30, North Carolina Governor Pat McCrory signed into law House Bill 289, submitted at the request of the Office of the North Carolina Commissioner of Banks (Commissioner).The Act, which enacts the newly revised North Carolina Money Transmitters Act, subjects certain virtual currency activities to licensure, as well as clarifies that the Act applies to activities that are for personal, family, or household purposes. Applicants seeking licensure must do so via the Nationwide Multistate Licensing System (NMLS) and in accordance with requirements set forth by the Commissioner. Regarding licensure, the “Commissioner has the discretion to require the applicant obtain additional insurance coverage to address related cybersecurity risks inherent in the applicant’s business model as it relates to virtual currency transmission and to the extent such risks are not within the scope of the required surety bond.” The Act purports to be effective as of October 1, 2015.
GAO Report Addresses Weaknesses in FDIC Information Security Controls
On June 29, the GAO published a report titled “Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed.” According to the report, notwithstanding recent efforts to implement effective information security controls to protect sensitive information and systems, the FDIC “continues to have unremediated weaknesses.” After examining the FDIC’s security systems, the GAO found that the FDIC’s user-authorization controls, although improved, remain vulnerable because the corporation failed to (i) implement an effective process for performing periodic reviews of user access rights; (ii) consistently disable inactive accounts; (iii) regularly document authorized modifications to user access; and (iv) identify authorization and recertification deficiencies. The report emphasizes that weaknesses in the user authorization controls “increase the risk that individuals may have greater access to financial data” than necessary. The report further notes that the corporation failed to fully implement, among other things, (i) encryption for all mainframe connections compliant with Federal Information Processing Standards Publications; (ii) effective audit and monitoring controls; (iii) procedures for controlling physical access to facilities; and (iv) management controls of security features for all hardware and software components to control for changes during a system’s life cycle. The GAO recommends that the FDIC improve its information security program by updating and implementing “access control procedures” and implementing additional monitoring of its “critical files.”
European Union Approves Cybersecurity Rules
On July 6, the European Union (EU) approved cybersecurity rules that will require certain businesses, including those in financial service and digital service providers, to maintain security and report cybersecurity incidents. The new laws, referred to as the Network and Information Security (NIS) Directive, are intended to establish “harmonized” security and reporting requirements for “operators of essential services,” which EU member states will identify based on certain criteria, such as whether the service is “critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service.” Certain digital service providers, such as online marketplaces, search engines, and cloud services, will also have to maintain security measures and report major incidents. The requirements are “lighter for these providers.” The NIS Directive will become effective on the twentieth day after publication in the EU Official Journal; member states “will have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services.”
SCOTUS Denies Petition for Certiorari in Securitization Case Involving State Usury Law
On June 27, the United State Supreme Court denied a debt buyer’s petition for certiorari in a Second Circuit case that raises the issue of whether New York’s state usury law is preempted by the National Bank Act (NBA) when a national bank-originated debt is purchased by a nonbank. Midland v. Madden, No. 15-610 (U.S. June 27, 2017). As previously covered in InfoBytes, the nonbank debt buyer was assigned debt owed by a New York consumer. The debt carried an interest rate in excess of that permitted by New York law but which was permitted by the law of the bank’s home state, which the bank lawfully “exported.” Facing a usury challenge, the debt buyer argued that it was able to continue charging the valid rate made by the national bank and that it did not have to abide by the consumer debtor’s state usury laws. The Second Circuit rejected the debt buyer’s argument, reasoning that the NBA did not apply to the debt buyer because it was not acting on the national bank’s behalf. The Supreme Court did not grant the debt buyer’s petition for certiorari, leaving the Second Circuit ruling in effect. Notably, at the request of the Supreme Court, the Solicitor General and the OCC filed a brief stating the position of the United States as to whether the Supreme Court should grant the petition for certiorari. Although the brief advised that the Court not grant certiorari, the Government’s brief sharply criticized the Second Circuit’s decision.
CFPB's Summer Edition of Supervisory Highlights Discloses Issues across Various Financial Markets
On June 30, the CFPB released its twelfth edition of Supervisory Highlights providing supervisory observations from its examiners in the areas of auto origination, debt collection, mortgage origination, small-dollar lending, and fair lending. In the area of auto origination, examiners determined that one or more institutions engaged in deceptive advertising practices related to the benefits of gap coverage products and the effects of payment deferrals, and failed to implement adequate compliance management systems. In the area of debt collection, examiners found that debt sellers sold thousands of debts that were unsuitable for sale because: (i) the accounts were in bankruptcy; (ii) the debts were the product of fraud; or (iii) the accounts had been paid in full. CFPB examiners further observed violations of the Fair Debt Collection Practices Act (FDCPA), determining that at least one collector falsely represented to consumers that a down payment was necessary in order to establish a repayment arrangement, when no such down payment was required by the collectors’ policies and procedures. For mortgage origination, CFPB examiners focused on compliance with provisions of CFPB’s Title XIV rules, the Truth in Lending Act (TILA), as implemented by Regulation Z, and the Real Estate Settlement Procedures Act (RESPA), as implemented by Regulation X, disclosure provisions, and other applicable consumer financial laws. According to the report, CFPB examiners found that one or more institutions violated TILA by miscalculating loan financing amounts, which resulted in a negative finance charge and an amount financed that was greater than the stated loan amount. The report also highlights (i) violations of RESPA’s prohibition against improper referral arrangements; (ii) failure to implement policies and procedures and to provide sufficient training related to the Fair Credit Reporting Act’s requirement to provide consumers with notice of any adverse action, such as denial of credit; (iii) failure to properly disclose interest on interest-only loans in violation of TILA; and (iv) weak oversight of compliance management systems. In the area of small dollar lending, CFPB examiners assessed compliance with the Electronic Fund Transfer Act (Regulation E), and found that the installment loan agreements of one or more entities failed to set out an acceptable range of amounts to be debited because they contained ambiguous or undefined terms in their descriptions of the upper and lower limits of the range. Finally, regarding fair lending, the report covers violations relating to the Home Mortgage Disclosure Act (Regulation C) and the Equal Credit Opportunity Act (Regulation B).
According to the report, the CFPB’s supervisory resolutions from January 2016 through April 2016 resulted in more than 257,000 consumers receiving approximately $24.5 million in restitution.
CFPB and DOJ Take Action Against Bank over Mortgage Lending Practices
On June 29, the CFPB announced a joint action with the DOJ against a regional bank with operations in Memphis, Tennessee for allegedly engaging in discriminatory mortgage lending practices in violation of the Equal Credit Opportunity Act (ECOA) and the Fair Housing Act (FHA). According to the CFPB’s and the DOJ’s complaint, between January 1, 2011 and December 31, 2015, the bank (i) engaged in redlining practices in the Memphis area by structuring its business to meet the credit needs of majority-White neighborhoods while ignoring the credit needs of individuals in majority-minority neighborhoods; (ii) discriminated against African American borrowers by allowing its employees to practice discretion in making credit decisions on mortgage loans, which ultimately resulted in African Americans being denied certain mortgages at significantly greater rates than similarly situated white applicants; (iii) charged African Americans, on average, 30 basis points more for first lien and 64 basis points more for second lien mortgage loans than similarly situated white borrowers; and (iv) implemented a policy under which loan officers were advised to deny minority applicants more quickly than other applicants and to deny credit assistance to “borderline” applicants. The complaint further alleges that a series of matched-pair tests at Memphis branches “revealed that the Bank treated African American testers less favorably than similarly situated white testers.”
Subject to approval, the proposed consent order would require the bank to take several remedial actions to improve its allegedly discriminatory mortgage lending practices, among which include: (i) allocating $4 million to a loan subsidy program that offers mortgage loans on a more affordable basis to applicants in majority-minority neighborhoods; (ii) spending at least $300,000 on a targeted advertising and outreach campaign that considers the results of a credit needs assessment performed by an independent third-party auditor, advertises the loan subsidy program, and generates mortgage loan applicants from qualified residents in majority-minority neighborhoods; (iii) spending $500,000 on local partnerships that provide education, credit repair, and other assistance in majority-minority neighborhoods; (iv) opening an additional branch or loan production office in a high-minority neighborhood; (v) extending credit offers to African American consumers who were denied mortgage loans as a result of the bank’s allegedly discriminatory underwriting policy; and (vi) implementing policies that ensure employees provide equal assistance to mortgage loan applicants, regardless of race or other prohibited characteristics. Under the proposed consent order, the bank would pay $2.78 million in consumer redress and a $3 million civil penalty. The CFPB’s proposed consent order notes that the bank has “recently taken a number of steps to improve its compliance management system, reduce its fair lending risk, and increase its lending in minority areas.”
CFPB Monthly Complaint Snapshot Highlights Consumer Loan Complaints
On June 28, the CFPB released its monthly complaint report focusing on consumer loans, including vehicle loans and leases, installment loans, title loans, and pawn loans. According to the report, of the 906,400 consumer complaints across all products the CFPB has received as of June 1, 2016, approximately 38,500 were in the consumer loans category. Findings regarding consumer loan complaints highlighted in the report include: (i) just over half of consumer loan complaints pertain to vehicle loans, with installment loans following at 31 percent; (ii) consumers most often complain about issues related to servicing the loan, lease, or line of credit; and (iii) additional common consumer loan complaints include encountering problems when shopping for a loan, when taking out a loan, and when consumers are unable to repay a loan.
This month’s report includes a “sub product spotlight” to highlight complaints specific to auto lending, which make up 60 percent of the 38,500 consumer loan complaints the CFPB has received since July 21, 2011. Consumer loan complaints specific to auto lending include, but are not limited to: (i) payment processing issues, such as consumers not having their accounts debited timely and correctly; (ii) confusion over fees and interest rates; (iii) repossession of vehicles without notification; (iv) misleading advertising at “Buy Here Pay Here” dealerships; and (v) insufficient warranty coverage, with consumers alleging that they believed they were required to purchase warranties that did not end up covering basic repairs as they expected.
In addition to a focus on consumer loan complaints, the report identifies Arkansas as its geographical spotlight. As of June 1, Arkansas consumers have submitted 4,200 of the 906,400 total complaints across all products. According to the report, mortgage-related complaints make up 19 percent of complaints from Arkansas, lower than the national average of 26 percent, while debt collection complaints account for 29 percent of Arkansas complaints, higher than the national average of 27 percent.