On January 16, Democratic members of the House Financial Services Committee sent a letter to the Government Accountability Office (GAO) inquiring about the benefits and drawbacks of using alternative data in mortgage lending, as well as the federal government’s role in overseeing the use of alternative data by credit reporting agencies (CRAs) and lenders. The letter notes that while alternative data can be useful in helping lenders identify creditworthy potential borrowers who cannot be scored by CRAs through traditional measures, questions remain about how the use of alternative data may affect compliance with fair lending laws, including the Equal Credit Opportunity Act and Fair Housing Act. “While some alternative data, such as rental payment history, may provide an objective measure of creditworthiness, others might enable discrimination on the basis of a protected class, or infringe upon consumer privacy,” the letter cautions. The letter asks GAO to study the use of alternative data in expanding access to credit, with a particular focus on mortgage credit, and poses the following questions:
- How have different entities used alternative data to expand access to mortgage credit? Specifically, can alternative data determine consumer creditworthiness and whether a consumer is able to repay a mortgage? Additionally, are there certain alternative data sources that are better at predicting creditworthiness or some that are more likely to raise concerns about correlations with discriminatory factors? Furthermore, what federal activity has there been in this space?
- What are the potential benefits and risks associated with using alternative data and financial technology for access to mortgage credit, and are there variations in these benefits and risks across different groups, including minorities and younger borrowers?
- What potential risks does alternative data pose to fair lending compliance, and are the regulatory and enforcement agencies that govern the credit-granting system equipped to manage and prepare for an increased use of alternative data in mortgage lending?
- How do the benefits and trade-offs of other options for expanding access to mortgage credit compare to the use of alternative data in credit scoring?
On January 16, the U.S. District Court for the Eastern District of Michigan denied a publishing company’s motion to dismiss putative class allegations that it disclosed subscribers’ personal information to third parties, ruling that the subscribers did not need to live in Michigan in order to bring claims under the state’s Personal Privacy Protection Act (PPPA). According to the plaintiff, the company allegedly disclosed magazine subscribers’ personal reading information (PRI) to data aggregators that would then supplement it with additional information (including age, gender, income, and employer names) in order to create detailed customer profiles. The company then allowed “almost any organization to rent a customer list containing numerous categories of detailed customer information,” the plaintiff alleged. The company argued, however, that the plaintiff, who resides in Virginia, lacked standing to bring claims under the PPPA because the law protects only Michigan residents. The company also contended that the plaintiff failed to demonstrate concrete injury suffered as a result of the company’s alleged disclosure of PRI to third parties without consent.
The court disagreed with both arguments, stating that the company’s argument “rests solely on the fact that a non-Michigan resident has never brought suit under the PPPA,” which is “unpersuasive and contravened by the language of the statute and case law.” The PPPA does not impose a residency requirement in order for customers to qualify for protections under the statute, the court stated, noting that “[i]f the Michigan legislature intended to limit the statute to Michigan residents, it could have done so explicitly.” Among other things, the court also concluded that the plaintiff satisfied the injury-in-fact element for Article III standing because “the alleged economic harm caused by the disclosure of PRI provides support to conclude [the plaintiff] suffered a concrete injury.”
On January 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include formal agreements, prohibition orders, and terminations of existing enforcement actions against individuals and banks. Included among the actions is a formal agreement issued against an Illinois-based bank on December 18 for alleged unsafe or unsound practices relating to, among other things, consumer compliance. The agreement requires the bank to (i) establish a compliance committee to monitor the bank’s progress in complying with the agreement’s provisions; (ii) report such progress to the bank’s board on a quarterly basis; and (iii) implement a written consumer compliance program. This program must also include a policies and procedures manual that covers all consumer protection laws, rules, and regulations to which the bank should adhere, an independent audit program, and training of bank personnel in the consumer protection laws, rules, and regulations as appropriate.
On January 16, the FDIC and the OCC announced (FDIC FIL-3-2020, OCC Bulletin 2020-5) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test incident response and business continuity plans. It also sets out best practices in these areas for supervised financial institutions.
The bulletin lists six “key controls” including:
- Response, resilience and recovery capabilities. Maintain system backups and segment data to prevent spread of malicious activity across the network and to increase recovery capabilities. Incident and business resilience plans should set out cyber attack response and business continuity procedures, and a data backup program should be set up and regularly tested. Cyber insurance coverage may further mitigate cyber risk exposure.
- Identity and access management. Implement identity and access management controls to combat phishing attacks and prevent theft of login credentials. Incorporate risk-based authentication, limit user permissions, and continually monitor user accounts.
- Network configuration and system hardening. Configure networks with appropriate security settings that are regularly updated. Update anti-malware and routinely test network technology for vulnerabilities.
- Employee training. Provide continuous training to keep cybersecurity program employees abreast of new cyber threats and evolving social engineering tactics.
- Security tools and monitoring. Maintain competent cybersecurity staff or service providers to monitor for the most current “threat and vulnerability information,” regularly review audit logs, and establish and test ability to “detect and respond to attacks.”
- Data protection. Encrypt “sensitive and critical data,” which should also be accurately classified to ensure ease in identification.
On January 16, the FHFA issued a notice requesting public comment on prospective policy changes to its residential energy retrofitting programs, or Property Assessed Clean Energy (PACE) programs. According to the request for comment, PACE programs are “financed through special state legislation enabling a ‘super-priority lien’ over existing and subsequent first mortgages.” Because the loans are only recorded in tax rolls and not in land records, they do not show up in title searches. This may potentially cause problems for prospective buyers and mortgage lenders. Additionally, the programs are not uniform across states and the GSEs cannot buy properties encumbered by PACE loans.
Comments must be received by March 16.
On December 23, 2019, the New York Department of Financial Services issued an “Industry Letter” requesting that each NYDFS-regulated institution submit the institution’s plan for addressing the transition away from Libor-based credit, derivative, and securities exposures. The NYDFS letter has spurred additional focus by financial institutions on the issue, and not only by those regulated by NYDFS. This Client Alert summarizes the current state of play in Libor transition, and outlines some key considerations for developing a Libor transition plan.
* * *
If you have any Libor-related questions please contact a Buckley attorney with whom you have worked in the past.
On January 13, the Federal Reserve Board (Fed) issued SR 20-2, “Frequently Asked Questions on the Tailoring Rules” (FAQs) applicable to bank holding companies, savings and loan companies, U.S. intermediate holding companies with $100 billion or more in total assets, and certain depository institutions. In October, as previously covered by InfoBytes, the Fed and the OCC released a jointly developed framework that set out four categories to be used to classify these banking entities for the purposes of determining regulatory capital and liquidity requirements based on risk. The FAQs provide guidance on the tailoring rules, including answers to questions about Liquidity Coverage Ratio (LCR) requirements, recognition of Accumulated Other Comprehensive Income, compliance requirements for foreign banking organizations with less than $100 billion in U.S. assets, and the interpretation of “quarterly” in relation to stress testing frequency.
On January 13, the U.S. District Court for the Northern District of Virginia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large credit reporting agency (company) to resolve allegations arising from a 2017 cyberattack causing a data breach of the company. After the company announced the breach, many consumers filed suit and were eventually joined into a proposed settlement class. As previously covered by InfoBytes, the plaintiffs alleged that the company (i) failed to provide appropriate security to protect stored personal consumer information; (ii) misled consumers regarding the effectiveness and capacity of its security; and (iii) failed to take proper action when vulnerabilities in their security system became known. The company and the plaintiffs later submitted a proposed settlement order to the court.
According to the final order and judgment, the court certified the settlement class of the approximately 147 million affected consumers, finding the class was adequately represented, and approved the “distribution and allocation plan” as fair and reasonable. In the order granting final approval of the settlement the company agreed to, among other things, pay $380.5 million into a settlement fund and potentially up to $125 million more to cover “certain out-of-pocket losses,” $77.5 million for attorneys’ fees, and approximately $1.4 million for reimbursement of expenses. Class members are eligible for additional benefits including up to 10 years of credit monitoring and identity theft protection services or cash compensation if they already have those services, as well as identity restoration services for seven years. The company also agreed to spend at least $1 billion on data security and technology in the next five years.
On January 14, NYDFS Superintendent Linda Lacewell announced that former Deputy Director of the CFPB, Leandra English, will serve as Special Policy Advisor to the Department. In her role, English will report directly to Lacewell and will manage and develop NYDFS’ policy initiatives involving consumers, financial services, and other issues. English will also be responsible for spearheading NYDFS’ policy development and analysis process, and assisting in the identification of common regulatory trends and risks across industries.
On January 15, Paul Clement, the lawyer selected by the U.S. Supreme Court to defend the leadership structure of the CFPB, filed a brief in Seila Law LLC v. CFPB arguing that Seila Law’s constitutionality arguments are “remarkably weak” and that “a contested removal is the proper context to address a dispute over the President’s removal authority.” First, Clement stated that “there is no ‘removal clause’ in the Constitution,” and that because the “constitutional text is simply silent on the removal of executive officers” it does not mean there is a “promising basis for invalidating an Act of Congress.” Moreover, the Constitution leaves it to Congress to decide “all manner of questions about the organization and structure of executive-branch departments and officers,” Clement wrote. Second, Clement disagreed with the argument that Congress cannot impose modest restrictions on the President’s ability to remove executive officers, so long as the President is the one exercising the removal powers. Third, Clement noted that in the past, the Court has repeatedly upheld the ability to place permissible restrictions on a President’s removal authority.
Clement further contended, among other things, that the dispute in Seila is “not just unripe, but entirely theoretical.” He referenced the Bureau’s brief filed last September (covered by InfoBytes here), in which the CFPB argued that the for-cause restriction on the President’s authority to remove the Bureau’s single director violates the Constitution’s separation of powers, and noted that “[w]hatever was true when this suit was first filed, the theory of the unitary executive appears alive and well in the Director’s office.” Rather, Clement stated, the Court should wait for an instance where a CFPB director has been fired for something short of the “inefficiency, neglect of duty, or malfeasance in office” threshold that Congress set for dismissing a CFPB director in Dodd-Frank before ruling on the question. Clement also emphasized that “text, first principles and precedent” all “strongly support” upholding the U.S. Court of Appeals for the Ninth Circuit’s decision from last May, which deemed the CFPB to be constitutionally structured and upheld a district court’s ruling enforcing Seila Law’s compliance with a 2017 civil investigative demand.
As previously covered by InfoBytes, the 9th Circuit held that the for-cause removal restriction of the CFPB’s single director is constitutionally permissible based on existing Supreme Court precedent. The panel agreed with the conclusion reached by the U.S. Court of Appeals for the D.C. Circuit majority in the 2018 en banc decision in PHH v. CFPB (covered by a Buckley Special Alert) stating, “if an agency’s leadership is protected by a for-cause removal restriction, the President can arguably exert more effective control over the agency if it is headed by a single individual rather than a multi-member body.”
The parties in Seila filed briefs last December. While both parties are in agreement on the CFPB’s single-director leadership structure, they differ on how the matter should be resolved. Seila Law argued that the Court should invalidate all of Title X of Dodd-Frank, whereas the Bureau contended that the for-cause removal provision should be severed from the rest of the law in accordance with Dodd-Frank’s express severability clause. Oral arguments are scheduled for March 3. (Previous InfoBytes coverage here.)