Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
The Department of Housing and Urban Development earlier this month issued a final disparate impact regulation under the Fair Housing Act (Final Rule). HUD’s new Final Rule is intended to align its disparate impact regulation, adopted in 2013 (2013 Rule), with the Supreme Court’s 2015 ruling in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc. (Inclusive Communities). While the new Final Rule is a notable development, the relatively recent Supreme Court decision makes it unclear to what extent courts and federal agencies will look to the rule for guidance.
On September 16, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned two Russian nationals who were allegedly involved in phishing campaigns targeting virtual asset service providers in 2017 and 2018, resulting in losses of at least $16.8 million. Specifically, the Russian nationals spoofed web domains of legitimate virtual currency exchanges to steal customers’ login information and gain access to their real accounts. According to OFAC, they used a “variety of methods to exfiltrate their ill-gotten virtual currency” and subsequently laundered the money to a personal account, attempting to “conceal the nature and source of the funds by transferring them in a layered and sophisticated manner through multiple accounts and multiple virtual currency blockchains.” OFAC designated the individuals pursuant to Executive Order 13694, which targets “malicious cyber-enabled activities, including those related to the significant misappropriation of funds or personal identifiers for private financial gain.”
OFAC emphasized that anti-money laundering and countering the financing of terrorism regimes “pose a critical chokepoint in countering and deterring” this type of cybercriminal activity. As a result, all property and interests in property belonging to the designated individuals subject to U.S. jurisdiction are blocked, and “U.S. persons generally are prohibited from dealing with them.”
On September 16, NYDFS filed a statement of charges against a debt collector for allegedly failing to honor consumers’ requests for substantiation of debt. This is the first enforcement action alleging violations of New York’s Debt Collection Regulation, 23 NYCRR Part 1, which was promulgated in 2015. New York law dictates that substantiation must be provided within 60 days after receiving a request, and specifies what documentation must be provided to substantiate the debt. Charges filed against the company allege that requests made by consumers for information proving the validity of the debt and the company’s right to collect the debt were not honored in several ways, such as failing to provide (i) any substantiation to dozens of consumers; (ii) sufficient substantiation to hundreds of consumers, for example, by omitting a complete chain of title or underlying transaction documents; and (iii) substantiation within the required timeframes. NYDFS maintains that the company’s actions violate 23 NYCRR Part 1, Section 1.4, and that such violation carries civil penalties of up to $1,000 per offense under state law. Additionally, NYDFS claims that “each failure to provide any substantiation, timely substantiation, or sufficient substantiation of debt constitutes an independent offense.” A hearing is scheduled for January 12, 2021 before a hearing officer to be appointed by the Superintendent of Financial Services.
On September 15, the U.S. Court of Appeals for the Second Circuit affirmed the district court’s denial of arbitration, concluding that a national sandwich chain’s website did not provide sufficient notice of the terms and conditions. According to the opinion, a consumer filed a TCPA action against the sandwich chain relating to unsolicited text messages he received after he entered his phone number on a promotional page of the company’s website in order to receive a free sandwich at his next visit. After entering his number, the consumer clicked a button stating “I’M IN,” which the sandwich chain argued “constituted assent to the terms and conditions contained on a separate webpage that was accessible via a hyperlink on the promotional page.” The terms and conditions included an agreement to arbitrate. The sandwich chain moved to compel arbitration of the consumer’s TCPA action and the district court denied the motion, finding that no arbitration agreement existed because “the terms and conditions were not reasonably clear and conspicuous on the promotional page itself.”
On appeal, the 2nd Circuit agreed with the district court, noting that the webpage “was relatively cluttered.” Specifically, the appellate court noted that the webpage lacked language “informing the user that by clicking ‘I’M IN’ the user was agreeing to anything other than the receipt of a coupon.” Moreover, the appellate court held that the link to the terms and conditions was not conspicuous to a reasonable user as it was in small font at the bottom of the page and was “introduced by no language other than the shorthand ‘T & Cs.’” Because the company did not provide sufficient evidence demonstrating the consumer’s knowledge of the terms and conditions, the appellate court affirmed the denial of arbitration.
On August 27, the CFPB denied a petition by an auto financing company to set aside a civil investigative demand (CID) issued by the Bureau in June. The CID requested information from the company to determine, among other things, “whether auto lenders or associated persons, in connection with originating auto loans (including marketing and selling products ancillary to such loans), servicing loans, collecting debts (including through repossessing vehicles), or consumer reporting” may have violated the Consumer Financial Protection Act’s UDAAP provisions, as well as the FCRA and TILA. The company petitioned the Bureau to set aside the CID. Among other things, the company argued that because certain aspects of the CID do not fall within a “reasonable construction of the CID’s notification of purpose,” and thus failed to provide fair notice as to what the Bureau is investigating, the CID should be “modified to strike each of these requests or clearly confine them to the enumerated topics.”
The Bureau rejected the company’s request to set aside or modify the CID, countering that (i) the particular requests that the company objects to are “all reasonably relevant to the Bureau’s inquiry as described in the notification of purpose,” and that the company cannot rewrite the CID’s notification of purpose to describe only four specific topics and then argue that the Bureau is asking for irrelevant information; and (ii) the Bureau has broad authority to seek information that may be “reasonably relevant” to an investigation, and that the Bureau’s “own appraisal of relevancy must be accepted so long as it is not obviously wrong.” According to the Bureau, the company failed to overcome this “high hurdle established in the judicial precedent.” However, the Bureau granted the company’s request for confidential treatment of its petition and attached exhibits by agreeing to redact certain proprietary business information and confidential supervisory information.
On September 17, Fannie Mae updated its Covid-19 FAQs for sellers to include a new question about whether federal student loan payments that are placed in a Covid-related forbearance should count towards a borrower’s debt-to-income ratio. Additionally, Fannie Mae updated previous questions covering the purchase of loans that are in forbearance, including whether a lender owes the loan level pricing adjustment (LLPA). Specifically, the FAQs state that if a forbearance begins any time on the sale date of the loan, lenders owe the LLPA to Fannie Mae.
On September 15, the New York attorney general announced a settlement with a national franchisor of a coffee retail chain to resolve allegations that the company violated New York’s data breach notification statute and several state consumer protection laws by failing to protect thousands of customer accounts from a series of cyberattacks. As previously covered by InfoBytes, the AG claimed that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in more than 20,000 compromised accounts and “tens of thousands” of dollars stolen. Following the attacks, the AG alleged that the company failed to take steps to protect the affected customers or to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. The settlement, subject to court approval, would require the company to (i) notify affected customers, reset their passwords, and refund any stored value cards used without permission; (ii) pay $650,000 in penalties and costs; (iii) maintain safeguards to protect against similar attacks in the future; and (iv) develop and follow appropriate incident response procedures.
On September 15, the Conference of State Bank Supervisors (CSBS) announced the launch of a single, streamlined examination for money transmitters operating nationwide (i.e., in 40 or more states), known as “MSB Networked Supervision.” The single exam—which will apply to “78 of the nation’s largest payments and cryptocurrency companies”—will be led by one state overseeing a group of examiners sourced from around the country. MSB Networked Supervision is a result of recommendations from the CSBS Fintech Industry Advisory Panel and CSBS Vision 2020 (covered by InfoBytes here).
On September 16, the Financial Crimes Enforcement Network (FinCEN) issued an Advance Notice of Proposed Rulemaking (ANPRM) soliciting comments on questions concerning potential regulatory amendments under the Bank Secrecy Act (BSA). According to the ANPRM, the proposed amendments “are intended to modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.” The ANPRM stems from FinCEN’s evaluation of recommendations received from the Bank Secrecy Act Advisory Group, which was established in 2019 to develop recommendations for strengthening the national AML regime. The ANPRM proposes, among other things, that all covered financial institutions subject to ALM program regulations would be required to maintain an “effective and reasonably designed” AML program that: (i) “assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of [AML] priorities to be issued by FinCEN consistent with the proposed amendments”; (ii) “provides for compliance with [BSA] requirements”; and (iii) “provides for the reporting of information with a high degree of usefulness to government authorities.” The ANPRM also seeks comments on whether an explicit requirement for a risk assessment process should be established within the AML program regulations, as well as whether FinCEN’s director should issue a list of national AML priorities (tentatively titled “Strategic Anti-Money Laundering Priorities”) every two years. Comments are due by November 16.
On September 15, the CFPB released its “Outline of Proposals Under Consideration and Alternatives Considered” (Outline) for implementing the requirements of Section 1071 of the Dodd-Frank Act, which instructs the Bureau to collect and disclose data on lending to women and minority-owned small businesses. The detailed Outline describes the proposals under consideration and discusses other relevant laws, the regulatory process, and potential economic impacts. The Bureau also released a high-level summary of the Outline. Highlights of the proposals include:
- Scope. The Bureau is considering proposing that the data collection and reporting requirements would apply only to applications for credit by a small business. Financial institutions would not be required to collect and report data for women- and minority-owned businesses that are not considered “small,” as defined by the Small Business Act and the Small Business Administration’s (SBA) implementing regulations.
- Covered Lenders. The Bureau is considering proposing a broad definition of “financial institution” that would apply to a variety of entities engaged in small business lending, but is also considering proposing exemptions based on either a size-based (examples include $100 million or $200 million in assets), or activity-based threshold (examples range from 25 loans or $2.5 million to 100 loans or $10 million), or both.
- Covered Products. The Bureau is considering proposing exemptions from the definition of “credit” to include consumer-designated credit, leases, factoring, trade credit, and merchant cash advances.
- Application. Because an “application” would trigger requirements under Section 1071, the Bureau is considering proposing a definition that is largely consistent with Regulation B; however, the Bureau is also considering “clarifying circumstances,” such as inquiries/prequalifications, that would not be reportable.
- Data Points. The Bureau is considering a range of data points for collection, including, in addition to the mandatory data points required by Section 1071, “discretionary data points” to aid in fulfilling the purposes of Section 1071: “pricing, time in business, North American Industry Classification System (NAICS) code, and number of employees.”
- Privacy. The Bureau is considering using a “balancing test” for public disclosure of the data. Specifically, data “would be modified or deleted if its disclosure in unmodified form would pose risks to privacy interests that are not justified by the benefits of public disclosure.”
Additionally, the Bureau will convene a panel, as required by the Small Business Regulatory Enforcement Fairness Act (SBREFA), in October 2020 to “consult small entities regarding the potential impact of the proposals under consideration.” Feedback on the proposals is due no later than December 14.
- Daniel P. Stipano to discuss "High standards: Best practices for banking marijuana-related businesses" at the ACAMS AML & Anti-Financial Crime Conference
- Daniel P. Stipano to discuss "Wait wait ... do tell me! Where the panelists answer to you" at the ACAMS AML & Anti-Financial Crime Conference
- Matthew P. Previn and Walter E. Zalenski to discuss "Is valid when made ... valid?" at the Women in Housing & Finance Partner Series webinar
- Warren W. Traiger and Caroline K. Eisner to discuss "CRA modernization and the OCC final rule" at CBA Live
- Daniel R. Alonso to discuss "Transnational corruption: A chat with former U.S. federal prosecutors in New York" at Marval Live Talks
- Sherry-Maria Safchuk and Lauren Frank to discuss "New CFPB interpretation on UDAAP" at a California Mortgage Bankers Association Mortgage Quality and Compliance Committee webinar
- Daniel R. Alonso to discuss "Regional anti-corruption enforcement colloquium" at the Latin Lawyer GIR Interactive Anti-Corruption & Investigations
- Thomas A. Sporkin to discuss "Managing internal investigations and advanced government defense" at the Securities Enforcement Forum
- H Joshua Kotin to discuss "Mortgage servicing in a recession: Early intervention, loss mitigation and more" at the NAFCU Virtual Regulatory Compliance Seminar
- Daniel R. Alonso to discuss "Independent monitoring in the United States" at the World Compliance Association Peru Chapter IV International Conference on Compliance and the Fight Against Corruption
- Jonice Gray Tucker to discuss "The future of fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Pandemic fallout – Navigating practical operational challenges" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute