
InfoBytes Blog

Financial Services Law Insights and Observations


  • Iowa Amends Mortgage, Consumer Credit Laws

    Consumer Finance

    On March 26, Iowa Governor Terry Branstad signed into law HF 2324, which revises the state’s mortgage and consumer credit statutes to align with federal law. The bill amends the current $25,000 loan ceiling applicable to certain consumer credit transactions and replaces it with a “threshold amount” that incorporates by reference limits established under the federal Truth in Lending Act. The bill also adopts the federal definition of “points and fees” for mortgage transactions and provides that if a loan is extended with points and fees higher than those specified under federal law, the loan is subject to state law, including monetary limits on loan origination or processing and broker fees, a limit on the types of permissible lender charges, and a limit on fees relating to payment of interest reduction fees in exchange for a lower rate of interest. The bill also amends the definition of “finance charge” in the state’s consumer credit code to include an initial charge imposed by a financial institution for an overdrawn account. Finally, the bill adds a new section that allows banks to include in their consumer credit contracts over $25,000 a provision that a consumer is responsible for reasonable attorney fees if the bank is the prevailing party in a lawsuit arising from the transaction. The changes take effect July 1, 2014.

    Mortgage Origination Consumer Lending

  • N.D. Cal. Validates Forum Selection Clause In Website's Hyperlinked Terms Of Use

    Fintech

    On April 11, the U.S. District Court for the Northern District of California held that the forum selection clause within a website’s terms of use provisions, which an online customer had to accept in order to proceed with the transaction, is valid and supports a transfer of the case to another forum. Moretti v. Hertz Corp., No. 13-2972, 2014 WL 1410432 (N.D. Cal. Apr. 11, 2014). An online customer filed a putative class action in California state court against a car rental company and a travel website over a price disclosure dispute. The companies removed the action to federal court and sought to transfer the case to Delaware based on a forum selection clause included in the terms of use provisions on the travel website through which the car rental was arranged. In support of the motion to transfer, the travel website provided employee declarations establishing that the terms of use included a forum selection clause, and that the transaction could not have been completed unless the customer clicked a box to accept the terms of use. The court held that even though the terms of use were provided through a hyperlink on the site, in the absence of affirmative denial from the customer that he did not click to accept the terms of use, the customer had notice and consented to the terms and the forum selection clause contained therein. The court granted the defendants’ transfer motion and ordered the case transferred to the District Court of Delaware.

    Class Action Internet Commerce

  • CFPB Proposes Remittance Rule Amendments

    Fintech

    On April 15, the CFPB issued a proposed rule and request for comment to extend a temporary exception to Regulation E’s requirement that remittance transfer providers disclose certain fees and exchange rates to consumers. Pursuant to Regulation E, as amended to implement section 1073 of the Dodd-Frank Act, insured depository institutions are permitted to estimate certain third-party fees and exchange rates in connection with a remittance transfer until July 21, 2015, provided the transfer is sent from the sender’s account with the institution, and the institution is unable to determine the exact amount of the fees and rates due to circumstances outside of the institution’s control. The CFPB is proposing to exercise its statutory authority to extend this exception for an additional five years, until July 21, 2020. The agency explained that, based on its outreach to insured institutions and consumer groups, allowing the initial temporary exception to lapse would negatively affect the ability of insured institutions to send remittance transfers. Comments on the proposed rule are due within 30 days of its publication in the Federal Register.

    The proposed rule also includes several clarifications and technical corrections to the CFPB’s final remittance rule and official commentary, which were subsequently amended or delayed—including in August 2012 and January 2013—leading to a May 2013 revised final rule. In this latest round of proposed amendments, the CFPB is seeking to address concerns about the remittance rule’s applicability to U.S. military installations abroad. Because the rule does not expressly address transfers to such installations, the CFPB now seeks (i) comments on whether to treat locations on U.S. military installations abroad as being located within a State or a foreign country for the purposes of the rule, (ii) data on the relative number of transfers sent to and from individuals and/or accounts located on U.S. military installations abroad, and (iii) comments on the appropriateness of extending any clarification regarding U.S. military installations to other U.S. government installations abroad, such as U.S. diplomatic missions.

    With respect to transfers from accounts (as defined under Regulation E), the CFPB is also proposing amendments to make clear that whether a transfer is for personal, family, or household purposes—and thus, whether the transfer could be a remittance transfer subject to the rule—is determined by ascertaining the purpose for which the account was established, rather than the purpose of the particular transfer. The proposed amendments would therefore clarify that the rule does not apply to, e.g., transfers from an account that was established as a business or commercial account or an account owned by a business entity. In addition, the proposed rule seeks to clarify that faxes are considered writings for purposes of the remittance rule, and that, in certain circumstances, a remittance transfer provider may give oral disclosures after receiving a written remittance inquiry from a consumer. The CFPB is also proposing to revise the rule’s error resolution requirements, including with regard to errors based on the sender’s provision of incorrect or insufficient information. Specifically, the proposed amendment would clarify that, where such errors occur, the remittance transfer provider may not deduct its own fee from the amount refunded or applied towards a new transfer.

    CFPB Dodd-Frank EFTA Remittance Money Service / Money Transmitters Agency Rule-Making & Guidance

  • FFIEC Advises Financial Institutions On "Heartbleed" Risks

    Privacy, Cyber Risk & Data Security

    On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in a commonly used encryption method known as the OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally, the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.

    Vendors FFIEC Privacy/Cyber Risk & Data Security

  • House Committee Members Express Concerns About Operation Choke Point

    Fintech

    On April 8, the House Financial Services Committee held a hearing with the general counsels of the federal banking agencies regarding, among other things, Operation Choke Point, the federal enforcement operation reportedly intended to cut off from the banking system certain lenders and merchants allegedly engaged in unlawful activities. Numerous committee members from both sides of the aisle raised concerns about Operation Choke Point, as well as the federal government’s broader pressure on banks over their relationships with nonbank financial service providers, including money service businesses, nonbank lenders, and check cashers. Committee members asserted that the operation is impacting lawful nonbank financial service providers, who are losing access to the banking system and, in turn, are unable to offer needed services to the members’ constituents. The FDIC’s Richard Osterman repeatedly stated that Operation Choke Point is a DOJ operation and the FDIC’s participation is limited to providing certain information and resources upon request. Mr. Osterman also asserted that the FDIC is not attempting to, and does not intend to, prohibit banks from offering products or services to nonbank financial service providers operating within the law, and that the FDIC’s guidance is clear that banks are neither prohibited from nor encouraged to provide services to certain businesses, provided they properly manage their risk. Similarly, the OCC's Amy Friend stated that the OCC wants to ensure that banks conduct due diligence and implement appropriate controls, but that the OCC is not prohibiting banks from offering services to lawful businesses. She stated the OCC has found that some banks have made a business decision to terminate relationships with some nonbank providers rather than implement additional controls.

    FDIC Payday Lending OCC Check Cashing U.S. House Payment Processors

  • Illinois AG Licensing Enforcement Actions Target Payday Loan Lead Generator, Lenders

    Consumer Finance

    On April 7, Illinois Attorney General (AG) Lisa Madigan sued a payday loan lead generator to enforce a 2012 cease and desist order issued by the state’s Department of Financial and Professional Regulation. The regulator and the AG assert that the state’s Payday Loan Reform Act (PLRA), which broadly defines “lender” to include “any person or entity . . . that . . . arranges a payday loan for a third party, or acts as an agent for a third party in making a payday loan, regardless of whether approval, acceptance, or ratification by the third party is necessary to create a legal obligation for the third party,” required the lead generator to obtain a license before operating in Illinois. The AG claims that the lead generator violated the state’s Consumer Fraud and Deceptive Business Practices Act by offering and arranging payday loans in knowing violation of the PLRA’s licensing and other requirements. The suit also alleges that the lead generator knowingly matched Illinois consumers with unlicensed members of the generator’s payday lender network. The AG is seeking a permanent injunction and a $50,000 civil penalty. On the same day, the AG also announced it filed suits against four online payday lenders for failing to obtain a state license, making payday loans with interest rates exceeding state usury caps, and otherwise violating state payday loan limitations. Those suits ask the court to permanently enjoin the lenders from operating in Illinois and declare all existing payday loan contracts entered into by those lenders null and void, with full restitution to borrowers.

    Payday Lending State Attorney General Lead Generation Internet Lending

  • New Jersey Federal Court First To Uphold FTC's UDAP Authority To Enforce Data Security

    Privacy, Cyber Risk & Data Security

    On April 7, the U.S. District Court for the District of New Jersey denied a hotel company’s motion to dismiss the FTC’s claims that the company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by failing to maintain reasonable and appropriate data security for customers’ personal information. FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The company moved to dismiss the FTC’s suit, arguing that the FTC (i) lacks statutory authority to enforce data security standards outside of its explicit data security authority under statutes such as the Gramm-Leach-Bliley Act (GLBA) and FCRA; (ii) violated fair notice principles by failing to first promulgate applicable regulations; and (iii) failed to sufficiently plead certain elements of the unfairness and deception claims. The court rejected each of these arguments. First, the court held that the FTC does not need specific authority under Section 5 to enforce data security standards. The court reasoned that the data-security legislation that followed the FTC Act, such as GLBA and FCRA, provides the FTC additional data security tools that complement, rather than preclude, the FTC’s general authority under Section 5. Second, the court held that, to bring a Section 5 data security claim, the FTC is not required to provide notice of reasonable standards by issuing a new regulation because regulations are not the only means of providing sufficient fair notice. According to the court, industry standards, past FTC enforcement actions, and FTC business guidance provided sufficient notice of what constitutes reasonable security measures. Third, the court held that the FTC properly pled its unfairness and deception claims under the FTC Act.

    FTC Privacy/Cyber Risk & Data Security UDAAP

  • Federal Reserve Board Announces Volcker CLO Conformance Period Extension

    Consumer Finance

    On April 7, the Federal Reserve Board issued a statement that it intends to exercise its authority to give banking entities two additional one-year extensions to conform their ownership interests in, and sponsorship of, certain collateralized loan obligations (CLOs) covered by federal regulations implementing Section 619 of the Dodd-Frank Act, the so-called Volcker Rule. Section 619 generally prohibits insured depository institutions and their affiliates from engaging in proprietary trading and from acquiring or retaining ownership interests in, sponsoring, or having certain relationships with a hedge fund or private equity fund. The Board previously adopted rules for the conformance period for covered funds—including CLOs—and at that time extended the conformance period for all activities and investments by one year, to July 21, 2015. But to ensure effective compliance, the Board plans to grant banking entities two additional one-year extensions, until July 21, 2017. These extensions only apply to CLOs that were in place as of December 31, 2013 and do not qualify for the exclusion in the final rule for loan securitizations. The Board’s decision was challenged during a House Financial Services Committee hearing the following day, in which several lawmakers argued that Congress never intended for the Volcker Rule to cover securitizations, including CLOs. The lawmakers urged the Federal Reserve to address the issue by amending the rule to exclude or grandfather in CLOs, rather than by extending the conformance period.

    Federal Reserve Volcker Rule

  • Prudential Regulators Finalize Leverage Ratio Rule For Largest Institutions

    Consumer Finance

    On April 8, the Federal Reserve Board, the FDIC, and the OCC adopted a final rule, effective January 1, 2018, requiring certain top-tier U.S. bank holding companies (BHCs) to maintain a minimum supplementary leverage ratio buffer of 2% above the minimum supplementary leverage ratio requirement of 3%. The final rule applies to BHCs with more than $700 billion in total consolidated assets or more than $10 trillion in assets under custody (Covered BHCs), and to insured depository institution subsidiaries of those BHCs (Covered Subsidiaries). A Covered BHC that fails to maintain the supplemental leverage buffer would be subject to restrictions on capital distributions and discretionary bonus payments. Covered Subsidiaries must also maintain a supplementary leverage ratio of at least 6% to be considered “well capitalized” under the agencies’ prompt corrective action framework. The final rule is substantially similar to the rule the agencies proposed in July 2013. Concurrent with the final rule, the agencies also (i) proposed a rule that would modify the denominator calculation for the supplementary leverage ratio in a manner consistent with recent changes agreed to by the Basel Committee, which would apply to all internationally active banking organizations, including those subject to the enhanced supplementary leverage ratio final rule; and (ii) proposed a technical correction to the definition of “eligible guarantee” in the agencies’ risk-based capital rules. The agencies are accepting comments on both proposals through June 13, 2014. Separately, the FDIC Board adopted as final its Basel III interim final rule, which is substantively identical to the final rules adopted by the Federal Reserve Board and the OCC in July 2013.

    FDIC Federal Reserve OCC Capital Requirements

  • FDIC Reissues Technology Outsourcing Resources, Urges Use of Cyber Resources

    Privacy, Cyber Risk & Data Security

    On April 7, the FDIC reissued, as attachments to FIL-13-2014, three technology outsourcing resources. The documents, which the FDIC describes as containing “practical ideas for banks to consider when they engage in technology outsourcing” are titled: (i) Effective Practices for Selecting a Service Provider; (ii) Tools to Manage Technology Providers' Performance Risk: Service Level Agreements; and (iii) Techniques for Managing Multiple Service Providers. The FDIC advises that the resources are informational only and do not substitute for official examination guidance. On April 10, the FDIC urged financial institutions to utilize existing resources to identify and help mitigate potential cyber-related risks. The FDIC advised institutions to ensure that their information security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify emerging cyber risks, including the following governmental resources: (i) the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT); (ii) U.S. Secret Service Electronic Crimes Task Force (ECTF); (iii) FBI InfraGard; (iv) financial services sector regional coalitions; and (v) Information Sharing and Analysis Centers (ISACs).

    FDIC Vendors Privacy/Cyber Risk & Data Security
