InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FCC warns gateway provider not to transmit “illegal” robocalls
On October 18, the FCC issued a public notice to all US-based voice service providers regarding a cease and desist letter that it had sent to a “gateway” telecommunications provider instructing it to halt transmission of apparently unlawful foreign robocalls in the US. The FCC stated that the calls impersonate financial institutions and deceive recipients into providing sensitive information.
The FCC warned the gateway provider that it is unlawful to call cell phone numbers using prerecorded messages without prior express consent or an emergency purpose. It instructed the gateway provider to mitigate the illegal traffic within 48 hours or potentially face permissive and mandatory blocking of all its traffic and removal from the Robocall Mitigation Database, which would compel all intermediate and terminating voice service providers to cease accepting the gateway provider’s calls. In parallel, the FCC instructed US-based voice service providers that if the gateway provider failed to mitigate the apparently illegal traffic in a timely manner, voice service providers may block voice calls or cease to accept traffic from the gateway provider, without liability.
The FCC took these actions after the gateway provider failed to provide evidence of consent for these calls or dispute their illegality. The cease and desist letter detailed five specific calls transmitted by the gateway provider that contained prerecorded messages claiming to be from bank customer support centers and warning of fraudulent transactions. The FCC emphasized that such calls exploit consumer fears and undermine legitimate financial institutions’ efforts to protect their customers.
DDC tosses case challenging constitutionality of FDIC imposing civil penalties
On October 11, the U.S. District Court for the District of Columbia (DDC) denied an individual plaintiff’s motion for a temporary restraining order (TRO) and granted the FDIC’s motion to dismiss in a case seeking to enjoin an FDIC enforcement proceeding. In an administrative proceeding, the FDIC had alleged that the plaintiff engaged in misconduct while managing his investment firm and sought to prohibit him from further participation in the banking industry. The FDIC’s case was scheduled to be heard by an administrative law judge on October 15.
As previously covered by InfoBytes, the plaintiff filed suit the FDIC, its heads, board members and an administrative law judge for allegedly subjecting the plaintiff to an “endless and unlawful administrative process” during its proceedings. The individual plaintiff previously filed two separate actions to enjoin the FDIC’s enforcement proceeding, both of which were dismissed for lack of subject matter jurisdiction. The court ruled that issue preclusion barred the plaintiff from relitigating the jurisdictional issue, as it had already been decided in the previous cases.
The court also addressed the plaintiff’s argument that the US Supreme Court decision in Jarkesy v. SEC “repudiated” longstanding precedent allowing administrative agencies to try common law claims. However, the court found that Jarkesy did not affect the applicability of issue preclusion in this case. Furthermore, the court rejected the plaintiff’s argument that the statute authorizing the FDIC to enter prohibition orders and impose civil penalties is unconstitutional, holding that the individual plaintiff could still seek judicial review after the FDIC’s final order.
CFPB survives challenge based on improper funding as court denies plaintiff’s motion to dismiss
On October 17, the U.S. District Court for the Central District of California denied a peer-to-peer lending platform’s motion to dismiss a lawsuit brought by the CFPB. The Bureau had filed a First Amended Complaint alleging the platform engaged in deceptive advertising, provided deceptive disclosures and documents, violated UDAAP by servicing and collecting loans that were allegedly uncollectable under state laws, and violated the FCRA when it purportedly failed to enact reasonable measures to ensure the accuracy of prospective borrowers’ company specific scores. The lending platform moved to dismiss, arguing that the Bureau’s funding was improper and that its claims lacked merit.
The court addressed the platform’s argument that the CFPB’s funding from the Fed was illegitimate due to the Fed’s current lack of surplus funds, which the platform argued violated the Appropriations Clause. However, the court rejected this argument, noting that “the [c]ourt need not determine how to interpret [the statute of the funding mechanism]… since [the platform] has not persuaded the court that the Bureau’s source of funding—even if illegitimate—is grounds for dismissal.”
In evaluating the plausibility of the CFPB’s claims, the court found the Bureau had sufficiently alleged the platform’s advertising of “no interest” loans were misleading, as borrowers typically paid tips and donations, which the Bureau alleged functioned as finance charges. Additionally, the court refused to dismiss the Bureau’s claims that the platform violated state licensing requirements and usury caps, and that the platform failed to ensure the accuracy of consumer credit information in violation of the FCRA.
FDIC extends compliance deadline for amended sign and advertising requirements
On October 17, the FDIC issued a notice delaying the deadline to comply with its final rule governing its official signage from January 1, 2025, to May 1, 2025. The final rule, titled “FDIC Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo” was published in the Federal Register and will apply to Part 328, subpart A. The final rule, approved by the FDIC Board in December 2023, will update the FDIC’s sign and advertising requirements for insured depository institutions to reflect modern banking practices. The FDIC shared the deadline extension was granted based on feedback from financial institutions who needed additional time to implement the new regulatory requirements.
The signage requirements govern the use of the FDIC official sign, official digital sign, and other signs differentiating deposits and non-deposit products across all banking channels, including physical premises, ATMs and digital channels. Banks will be required to display a digital sign near their name on all digital platforms and certain ATMs. The rule also will modernize the display requirements for the FDIC official sign in bank branches and other physical locations to accommodate evolving designs. Additionally, the rule requires that banks establish and maintain written policies and procedures to ensure compliance with Part 328.
FDIC Chairman remarks on 2024 Small Business Lending Survey
Recently, FDIC Chairman Martin Gruenberg remarked on the 2024 Small Business Lending Survey (SBLS) report at a community banking conference. He highlighted that technological advancements have not altered the relationship-oriented nature of small business lending in a fundamental way. The SBLS report, which, as previously covered by InfoBytes, provided insights into small business lending practices based on data collected in 2022, including loan approval processes, geographic markets, competition, use of financial technology, and lending to start-ups. Gruenberg explained that the report revealed that while banks adopt more financial technologies, the underwriting and approval processes for small business loans remain staff-intensive. Only 3 percent of banks fully automate the underwriting of some loans, and only 5 percent allow borrowers to complete the loan process entirely online.
As Gruenberg explained, the SBLS report also underscored the critical role of branches and staff in maintaining relationships with small business customers. About 80 percent of banks defined their small business lending market based on branch locations, with borrowers typically found within 40 miles of these branches. Community banks leverage “soft” information, such as a loan officer’s assessment, to make credit decisions, setting them apart from larger banks. This approach enables community banks to serve a broader range of small business borrowers, including startups, without relying heavily on government-guaranteed lending programs.
FHFA releases NPRM on revising FHLBanking System governance
On October 16, the FHFA released its NPRM to revise regulations governing the boards of directors and management of the FHLBank System. The proposed rule would update and clarify regulatory requirements on director eligibility, nomination, election, removal processes, and the conducts of board and committee meetings. The rule would expand the required qualifying experience for regular independent directors to include AI, information technology and security, climate-related risk, CDFI business models, and modeling.
The proposed changes were informed by the FHLBank System at 100 Report, published in November 2023 (covered by InfoBytes here). The report laid out four regulatory actions: clarifying the qualifications for public interest independent directors, expanding the list of qualifying experience for regular independent directors, encouraging the FHLBanks to address gaps in board knowledge, and facilitating the nomination of individuals with technical subject matter expertise. Additionally, the proposed rule would require each FHLBank to conduct an annual assessment of the skills and experience possessed by its board and to take active steps to seek nominees who possess needed skills and experience. This would include prioritizing knowledge and experience relevant to the business, programs and mission of the FHLBank. Comments were opened on October 21 and must be received within 90 days after publication of the NPRM in the Federal Register.
DOJ, CFPB file complaint, propose order against mortgage company for alleged redlining
On October 15, the CFPB and DOJ announced an enforcement action against a mortgage company, alleging it engaged in redlining against majority-Black neighborhoods in the greater Birmingham, Alabama area. According to the complaint, defendant’s marketing and sales practices discouraged people from applying for mortgage loans in these neighborhoods, allegedly violating ECOA, the CFPA, and the Fair Housing Act.
Defendant allegedly concentrated its retail loan offices in majority-white areas and directed less than 3 percent of its direct mail advertising to consumers in majority-Black neighborhoods from 2018 to 2020. The complaint further states that defendant’s home mortgage lending activities was disproportionately focused on white areas, with the company generating loan applications in Black and Hispanic neighborhoods at a rate below that of its peer institutions. Despite data showing these disparities, defendant allegedly failed to take substantial steps to address the redlining risk before October 2022, other than instructing loan officers not to discriminate.
Defendant issued a response to the settlement on its website, stating among other things that it was unaware of the allegations in the agencies’ complaint until after the settlement was reached; that the complaint “significantly mischaracterizes the matter at issue and appears to be intentionally inflammatory in nature”; and that certain of the language used in the complaint was “mutually rejected by the parties prior to settlement…which suggest bad faith by part of the government.”
The associated proposed consent order, if approved by the court, would require defendant to pay a $1.9 million civil penalty to the CFPB’s victims relief fund. Additionally, defendant would be required to provide $7 million for a loan subsidy program to offer affordable home purchase, refinance, and home improvement loans in the impacted areas. The program may include lower interest rates, down payment assistance, closing cost assistance, or payment of initial mortgage insurance premiums. Furthermore, defendant would be required to invest at least $1 million to open or acquire a new loan production office or full-service retail office in a majority-Black neighborhood in Birmingham. The company must also allocate at least $500,000 for advertising and outreach, at least $250,000 for consumer financial education, and at least $250,000 for partnerships with community-based or governmental organizations to serve neighborhoods previously allegedly redlined by the company. Finally, the agencies noted that defendant cooperated with the investigation.
FTC finalizes “Click-to-Cancel” Rule
On October 16, the FTC announced a final Negative Option Rule, also known as the “click-to-cancel” rule, requiring sellers to make it as easy for consumers to cancel their enrollment as it was to sign up for the goods or services in the first instance. As previously covered by InfoBytes, the FTC issued its NPRM seeking feedback to its proposed amendments to the agency’s Negative Option Rule, which is used to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs.
The FTC highlighted two major changes to the originally proposed rule, which include: (i) the exclusion of requiring sellers to provide annual reminders to consumers about the negative option feature of their subscription, so that sellers are no longer obligated to send yearly notifications to remind consumers of their ongoing subscription and its terms; and (ii) the removal of prohibiting sellers from informing consumers about plan modifications or reasons to keep their existing agreement during the cancellation process, so sellers can discuss alternative plans or reasons to stay subscribed with consumers seeking to cancel, only if the consumer agrees to hear about them first.
The FTC provided a fact sheet highlighting the objectives of the rule. The rule will take effect 180 days after publication in the Federal Register.
NYDFS issues cybersecurity guidance for AI
On October 16, NYDFS Superintendent Adrienne A. Harris issued an industry letter to assist regulated entities in meeting their existing obligations regarding cybersecurity risks arising from AI. The letter, directed at executives and information security personnel of entities regulated by NYDFS, stresses that while AI enhances threat detection and incident response, it also introduces significant new opportunities for cybercriminals.
The letter identifies key AI-related cybersecurity threats, including AI-enabled social engineering, which allows for highly personalized and sophisticated attacks, and AI-enhanced cyberattacks that amplify the scale and speed of existing threats. Additionally, the use of AI requires the collection and processing of substantial amounts of data, including nonpublic information and biometric data, increasing the risk of data exposure or theft. The reliance on third-party service providers and vendors for AI-powered tools also introduces supply chain vulnerabilities.
To combat these risks, NYDFS emphasizes the importance of adhering to New York’s cybersecurity regulation — 23 NYCRR Part 500. Covered entities are advised to conduct comprehensive risk assessments, implement robust access controls, and maintain effective data management practices by November 1, 2025. The letter also underscores the need for cybersecurity training for all personnel, including senior executives, to ensure awareness of AI-related threats and appropriate response strategies. It further states that monitoring processes should be in place to detect unauthorized access and unusual query behaviors, particularly for AI-enabled products and services.
Investment advisory firm settles with SEC for alleged record-keeping violations and avoids civil penalty
Recently, the SEC announced charges and a settlement with a Texas-based registered investment adviser (the respondent) after finding that from at least May 2018 through October 2021, its personnel allegedly failed to follow record-keeping requirements mandated by the Investment Advisers Act of 1940. Specifically, the firm’s personnel allegedly used personal devices to communicate business via personal text messages, which were not retained as required by law. This failure was discovered during a subpoena response related to another entity. Because the respondent self-reported the violations, took prompt actions and cooperated with the SEC, the SEC did not impose a civil penalty.