On December 23, the U.S. Court of Appeals for the Eleventh Circuit affirmed a lower court’s dismissal of an FCRA case where a furnisher (defendant) allegedly failed to conduct a reasonable investigation in response to materials that the plaintiff had sent to two credit reporting agencies (CRAs), which were then forwarded to the furnisher. According to the opinion, the plaintiff had submitted a letter to each CRA requesting they remove a dispute notation on her credit report with respect to her account with the furnisher because the account in question was no longer being disputed. The CRAs forwarded the plaintiff’s request to the furnisher, who then investigated and notified the CRAs that the account was still being disputed. The plaintiff did not otherwise directly tell the furnisher that she no longer disputed the tradeline. After discovering that the account was still reported as disputed, the plaintiff filed suit under the FCRA against the furnisher for failing to investigate the dispute and failing to direct the CRAs to remove the notation of account in dispute. The district court granted the defendant’s motion to dismiss for the plaintiff’s failure to state a claim.
On appeal, the 11th Circuit found that the letter sent by the plaintiff to the CRAs failed “to make anything clear” to the furnisher. The appellate court explained that the plaintiff “could have written a better letter: one that made clear that she was attempting to revoke her dispute for the first time or, better yet, one addressed to the bank itself. But that is not the letter on which she premised her lawsuit.” The appellate court also noted that, although the furnisher could have contacted the plaintiff directly, the FCRA does not require the furnisher to do so. In effect, “[w]hat [the plaintiff] wants [the bank] to do — either (1) to intuit that she no longer disputed the tradeline from her report to the CRAs or (2) to reach out to her directly to clarify and confirm that she no longer wished to dispute the tradeline — goes beyond what FCRA reasonableness requires,” the appellate court explained in its ruling. The appellate court therefore found that it was reasonable for the furnisher to review its official records, which indicated that the tradeline was still in dispute, and retain the dispute notation on the plaintiff’s credit report.
On January 6, NYDFS issued a comment letter responding to the CFPB’s Notice of Proposed Rulemaking (NPRM), “Small Business Lending Data Collection under the Equal Credit Opportunity Act (Regulation B).” The NPRM—mandated under Section 1071 of the Dodd-Frank Act—would require a broad swath of lenders to collect data on loans they make to small businesses, including information about the loans themselves, the characteristics of the borrower, and demographic information regarding the borrower’s principal owners. This information would be reported annually to the Bureau, and eventually published by the Bureau on its website, with some potential modifications. According to the Bureau, the statute’s stated intent is to “facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority-owned, and small businesses.” (Covered by a Buckley Special Alert.)
In its comment letter, NYDFS discussed its responsibilities for examining state-chartered banking institutions’ compliance with the New York Community Reinvestment Act (NYCRA), New York Banking Law § 28-b, which NYDFS noted largely mirrors the current federal Community Reinvestment Act (CRA). Additionally, NYDFS stated that it examines regulated institutions for compliance with state fair lending requirements and agreed with the Bureau that “collecting critical information about minority- and women-owned businesses (MWOBs) to address fair lending concerns and allow financial institutions to identify gaps in the market” is an important goal. To that end, NYDFS is in the process of implementing its own MWOB data collection regulation under the NYCRA, which would require New York state-chartered banking institutions to start collecting MWOB-related data. (Covered by InfoBytes here.) Due to similarities between the proposed regulation and the Bureau’s NPRM, and to avoid imposing an undue burden on institutions covered by both regulations, NYDFS’s proposed regulation includes language that would “permit, but not obligate, NYDFS to treat compliance with the CFPB’s rule implementing Section 1071 as compliance with the NYCRA’s MWOB-related data collection regulation.”
Two specific issues were raised in response to the Bureau’s NPRM. First, NYDFS expressed concerns about the NPRM’s silence as to whether the Bureau intends to share more detailed data with state regulators to help states identify fair lending violations and enforce anti-discrimination laws, even if this information is not made available to the public. NYDFS urged the Bureau to include specific language stating it “may share all data submitted by financial institutions with state regulators in accordance with information sharing agreements between the CFPB and the state regulators.” Second, NYDFS asked the Bureau to reconsider its proposal to require data collection only for MWOBs with a threshold of $5 million or less in gross annual revenue. In particular, NYDFS warned of the risk of “dissimilarity in data collected by lenders for submission to the CFPB and the NYDFS” as NYDFS’s proposed regulation “requires evaluation of MWOB lending without respect to size.” NYDFS stressed that this dissimilarity “may prevent the NYDFS from deeming compliance with the CFPB regulation sufficient to comply with the NYDFS regulation.”
On January 12, the FDIC issued FIL-05-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Washington state affected by flooding and mudslides. The FDIC acknowledged the unusual circumstances faced by institutions and their customers affected by the severe weather events in certain counties of Washington and suggested that institutions work with impacted borrowers to, among other things, (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” The FDIC noted that it will consider the unusual circumstances when examining efforts to work with borrowers in affected communities and that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements. Earlier on January 5, the FDIC also issued FIL-01-2022 and FIL-02-2022 to provide the same regulatory relief to financial institutions and help facilitate recovery in areas of Arkansas and Colorado affected by severe storms, tornados, winds, and wildfires.
On January 6, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a multinational technology company 150 million euros and a global social media company 60 million euros (approximately $170 million and $68 million USD, respectively) for failure to comply with the French Data Protection Act related to the companies’ process for managing cookies. (See additional press releases here and here.) According to the CNIL, the companies provide a button allowing users to immediately accept cookies but do not provide an equivalent option to allow users to easily refuse the cookies through a single click. This process, CNIL stated, “influences [a user’s] choice in favor of consent” since a user “cannot refuse the cookies as easily as they can accept them,” and constitutes an infringement of Article 82 of the French Data Protection Act. In addition to the fines, the CNIL gave the companies three months “to provide […] users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent.” Failure to comply will come with the risk of an additional fine of 100,000 euros per day of delay.
On January 5, FHFA announced targeted increases to the upfront fees for certain high-balance loans and second home loans sold to Fannie Mae and Freddie Mac (GSEs). Upfront fees for high-balance loans will increase between 0.25 percent and 0.75 percent, tiered by loan-to-value ratio. Upfront fees for second home loans will increase between 1.125 percent and 3.875 percent, also tiered by loan-to-value ratio. In order to continue to provide support for affordable housing, certain loans, including HomeReady, Home Possible, HFA Preferred and HFA Advantage, will not be subject to the increased fees. Additionally, “loans to first time homebuyers in high cost areas with incomes at or below 100 percent of area median income will have no specific high balance upfront fees.” The new fees will take effect April 1, to “minimize market and pipeline disruption,” FHFA stated. Acting Director Sandra Thompson said the fee increases are another step FHFA is taking to strengthen the GSEs’ safety and soundness, while also ensuring access to credit for first-time homebuyers and low- and moderate-income borrowers. “These targeted pricing changes will allow the [GSEs] to better achieve their mission of facilitating equitable and sustainable access to homeownership, while improving their regulatory capital position over time,” Thompson said.
On January 5, the FTC issued its National Do Not Call (DNC) Registry biennial report to Congress. According to the report, more than 244 million consumers have now placed their telephone numbers on the DNC Registry over the past two years. The report also highlighted that in FY 2021, the Commission received more than five million DNC complaints, the majority of which reported robocall violations as opposed to live telemarketing. The FTC reported that the increased number of illegal telemarketing calls correlates with advancements in technology that make it easier for telemarketers to “spoof” the caller ID information accompanying a call. “[M]any telemarketers use automated dialing technology to make calls that deliver prerecorded messages (commonly referred to as ‘robocalls’), which allow violators to make very high volumes of illegal calls without significant expense,” the FTC said. Imposters posing as government representatives or legitimate business entities topped the complaint list, followed by calls related to warranties and protection plans, debt-reduction offers, and medical and prescription issues. Last month, in response to the consistently high level of impersonator scam complaints, the FTC issued an advance notice of proposed rulemaking seeking comments on a wide range of questions related to government and business impersonation fraud (covered by InfoBytes here). The FTC noted that these scammers are looking for information that can be used to commit identity theft or seek monetary payment and often request that funds be paid through wire transfer, gift cards, or cryptocurrency. Additionally, the FTC stated that since the beginning of the Covid-19 pandemic, it has received more than 18,000 Covid-related DNC complaints.
On January 5, the FTC announced that two defendants who allegedly participated in a small business financing scheme are permanently banned from participating in the merchant cash advance and debt collection industries. As previously covered by InfoBytes, the FTC filed a complaint against two New York-based small-business financing companies and a related entity and individuals (including the settling defendants), claiming the defendants engaged in deceptive and unfair practices by, among other things, misrepresenting the terms of their merchant cash advances, using unfair collection practices, and making unauthorized withdrawals from consumers’ accounts. The defendants also allegedly violated the Gramm-Leach-Bliley Act’s prohibition on using false statements to obtain consumers’ financial information, including bank account numbers, log-in credentials, and the identity of authorized signers, in order “to withdraw more than the specified amount from consumers’ bank accounts.” Additionally, the defendants allegedly “engaged in wanton and egregious behavior, including laughing at consumer requests for refunds from [the defendants’] unauthorized withdrawals from customer bank accounts; abusing the legal system to seize the business and personal assets of their customers; and threatening to break their customers’ jaws or falsely accusing them of child molestation during collection calls.” Under the terms of the stipulated order, the settling defendants are required to pay a $675,000 monetary judgment, and must vacate any judgments against their former customers and release any liens against their customers’ property.
On January 4, the CFPB announced that the filing period for HMDA data collected in 2021 opened on January 1. According to the CFPB, submissions will be considered timely if received by March 1. As previously covered by InfoBytes, in September 2020, the CFPB released the Filing Instructions Guide for HMDA data collected in 2022 that must be reported in 2023. The guide states that there are no significant changes to the submission process and that the required data fields to be collected and reported have not changed. Instructions for quarterly reporting can be found in the Supplemental Quarterly Reporting Guide. According to the CFPB’s recent announcement, passwords are reset every 90 days and users will receive a confirmation email upon submission of their HMDA data. The CFPB also noted that the 2021 Beta Platform is available on an ongoing basis for filers intending to test their submissions; however, “[n]o data submitted on the Beta Platform will be considered for compliance with HMDA data reporting requirements.”
On December 31, NYDFS announced that providers’ compliance obligations under the state’s Commercial Finance Disclosure Law (CFDL) will not take effect until the necessary implementing regulations are issued and effective. The CFDL was enacted at the end of December 2020, and amended in February 2021, to expand coverage and delay the effective date to January 1, 2022. (See S5470-B, as amended by S898.) Under the CFDL, providers of commercial financing, which include persons and entities who solicit and present specific offers of commercial financing on behalf of a third party, are required to give consumer-style loan disclosures to potential recipients when a specific offering of finance is extended for certain commercial transactions of $2.5 million or less. In October 2021, NYDFS published a notice announcing a proposed regulation (23 NYCRR 600) to implement the CFDL, which provided that the compliance date for the final regulation will be six months after the final adoption and publication of the regulation in the State Register (covered by InfoBytes here). Comments on the proposed regulation were due December 19. NYDFS noted in its announcement that “[i]n light of the significant feedback received, the Department is carefully considering the comments received and intends to publish a revised proposed regulation for notice-and-comment early in the new year.”
On January 5, the New York attorney general issued a report highlighting the results of an investigation into “credential stuffing.” The investigation discovered over 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. The report, Business Guide for Credential Stuffing Attacks, details the attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, and provides recommendations on how businesses can protect themselves. Through credential stuffing, which is one of the most common forms of cyberattacks, offenders utilize automated software to reuse stolen usernames and passwords, relying on the human tendency to reuse the same credentials to access various online accounts and platforms. The AG’s office launched the investigation “in light of the growing threat of credential stuffing,” and monitored several online communities dedicated to credential stuffing. According to the report, the office discovered thousands of posts that had customer login credentials that were tested by hackers in a credential stuffing attack and found that the information could be used to access other accounts. From these posts, the office compiled credentials to compromised accounts at seventeen companies, which consisted of online retailers, restaurant chains, and food delivery services, and collected credentials for over 1.1 million customer accounts, all of which seemed to have been compromised. After the office alerted the companies to the compromised accounts and urged them to investigate and take protective action, every company did so.
The report recommended that businesses maintaining online accounts have a data security program, including effective safeguards for protecting customers from credential stuffing attacks in four areas: (i) defending against credential stuffing attacks; (ii) detecting a credential stuffing breach; (iii) preventing fraud and misuse of customer information; and (iv) responding to a credential stuffing incident. Specifically, three safeguards considered to be “highly effective” at defending against credential stuffing attacks were bot detection services, multi-factor authentication, and password-less authentication. The report also recommended that companies require reauthentication at the time of a purchase. Additionally, “[b]usinesses should have a written incident response plan that includes processes for responding to credential stuffing attacks” and notification to affected parties.
- Jeffrey P. Naimon to discuss “Section 1071: Small business data collection & fair lending” at the American Bar Association Consumer Financial Services Winter Meeting 2022
- Jonice Gray Tucker to discuss “Getting your company ready: Managing fair lending for IMBs” at the Mortgage Bankers Association Independent Mortgage Bankers Conference
- Lauren R. Randell to discuss “Significant legal developments in the Northeast” at the 37th Annual National Institute on White Collar Crime
- Jonice Gray Tucker to discuss “Small business & regulation: How fair lending has evolved & where it is heading?” at the Consumer Bankers Association Live program