InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fannie Mae adds new entities to fake-employer list
On January 29, Fannie Mae issued a new fraud alert to mortgage lenders warning them of 15 new potentially fictitious employers that have recently been appearing on mortgage applications. As previously covered in InfoBytes, Fannie Mae’s mortgage fraud program has issued several prior alert bulletins to the mortgage industry regarding active and potentially fraudulent schemes, all of which have identified fake employers in California. This new alert adds 15 additional California companies to that list, which now includes 65 potentially fake companies. The GSE alert offers “red flags” for lenders to be aware of when processing loan applications, including high starting salaries and paystubs that lack common withholdings for such things as health insurance and 401(k). Additionally, the alert bulletin suggests that lenders verify the existence of employers listed on borrower applications, and practice careful due diligence in the entire application process.
OFAC, shipping company settle sanctions violations for $1.1 million
On January 27, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $1,125,000 civil settlement with a Marshall Islands shipping company (respondent) with headquarters in the U.S. for 36 apparent violations of the Burmese Sanctions Regulations (BSR). According to OFAC, between 2011 and 2014, the respondent had dealings in the property of a Burma-related company (company) that is included on the Specially Designated Nationals (SDN List), and provided shipping services that benefited the designated company, which were apparent violations of the BSR.
According to the settlement agreement, OFAC considered various aggravating factors in reaching the settlement amount, including that (i) the apparent violations “conferred significant economic benefits to Burma’s military regime”; (ii) the respondent “demonstrated reckless disregard for U.S. sanctions requirements by ignoring” the license denial letters it received from OFAC; (iii) the respondent’s former president knew about and participated in the transactions that comprise the apparent violations; and (iv) the respondent is a “commercially sophisticated shipping company” that is familiar with international shipping transactions. OFAC determined that the apparent violations represent an egregious case.
OFAC also considered various mitigating factors, including that (i) the respondent is under new management, which self-disclosed the apparent violations and cooperated with the investigation; (ii) OFAC has not issued a violation against the respondent in the five years preceding the earliest date of the transactions at issue; and (iii) the respondent undertook extensive remedial measures in response to the alleged violations, including implementing a formal compliance program.
CFTC adopts NIST Privacy Framework
On January 28, the CFTC announced that it has adopted the National Institute of Standards and Technology (NIST) Privacy Framework, making it the first federal agency to do so. The September NIST release of a preliminary draft of the framework described it as “[a] Tool for Improving Privacy through Enterprise Risk Management,” covered by InfoBytes here. Among other things, the privacy framework, which advances guidance to mitigate cybersecurity risk, describes processes to mitigate risks associated with data processing and privacy breaches and to assess current privacy risk management measures. According to the announcement, the CFTC will utilize the framework to “better manage and communicate privacy risk throughout the agency,” making them a leader in the data privacy protection arena.
Payday lender settles with North Carolina AG for $825,000
On January 27, the North Carolina attorney general announced that a Florida-based payday lender (lender) agreed to pay $825,000 to settle allegations of usury, lending without a license, unlawful debt collection and unfair and deceptive practices in violation of state consumer protection laws. According to the announcement, though the lender was not licensed in the state, it advanced “more than 400 loans online to financially distressed North Carolina consumers at interest rates between 78 to 252 percent,” which is markedly higher than the state interest rate limit of 30 percent. The AG claimed that the lender tried to skirt North Carolina laws by requiring some borrowers to collect their loan funds outside of the state. The AG also alleged that the lender required borrowers to secure the loans with their vehicle titles, which enabled the lender to repossess and sell the borrowers’ vehicles when they defaulted or were late on payments. In the settlement, without admitting to the AG’s allegations, the lender agreed to return to North Carolina borrowers (i) all fees and interest paid on the loans by the borrowers; (ii) all the auction proceeds exceeding the loan principal to borrowers whose vehicles were repossessed and sold at auction; and (iii) cars owned by borrowers that were repossessed but not sold at auction. Among other things, the lender will also be permanently barred from making loans to, and collecting payments from, North Carolina borrowers, and is prohibited from putting liens on and repossessing vehicles owned by borrowers.
Court approves $7 million robocall class action settlement
On January 27, the U.S. District Court for the District of Minnesota, granted final approval of a $7.05 million class action settlement between consumers and a large national retailer for allegedly making robocalls. The lead plaintiff filed a proposed class action suit in 2016 against the retailer claiming that it used an automated dialing system to place collection calls to his cell phone in violation of the TCPA. The suit additionally asserted that some plaintiffs were charged by their cellphone service providers for these collection calls.
According to the settlement approval order, the settlement class includes individuals who received debt collection calls on their cell phones from the retailer between March of 2012 and May of 2018. Additionally, the court determined that, among other things, (i) the notice plan is the best plan practicable and provides sufficient notice to class members; (ii) the settlement is “fair, reasonable, and adequate”; and (iii) the class was adequately represented in the settlement negotiations. The court approved attorneys’ fees and costs of nearly $2 million, and an incentive award of $10,000 to the lead plaintiff, both to be paid out of the funds of the settlement.
Otting defends OCC’s CRA proposal
On January 29, OCC Comptroller Joseph Otting testified at a hearing held by the House Financial Services Committee to discuss the OCC’s Community Reinvestment Act (CRA) modernization proposal. (See Buckley Special Alert covering the joint notice of proposed rulemaking issued last December by the OCC and FDIC.) Committee Chairwoman Maxine Waters (D-CA) expressed concerns with the NPR, arguing that the proposal “runs contrary to the purpose of the CRA and would lead to widespread bank disinvestment from low- and moderate-communities throughout the country.” Waters cited additional concerns with the NPR, including what she believes are efforts by the OCC “to deregulate megabanks” and “greenlight rent-a-bank schemes that allow lenders to skirt state usury caps.”
In his written testimony, Otting reiterated that the NPR is intended to strengthen and modernize CRA regulations and that the proposal does not permit redlining. “Nothing in this proposal changes the agencies’ authority to enforce fair lending laws to prevent discrimination and redlining. The regulations implementing the Fair Housing Act and the Equal Credit Opportunity Act prohibit discrimination and redlining,” Otting stressed in his oral statement. “These regulations are not changed in any way by this proposal.” (Emphasis in the original.) Otting also defended several of the proposed amendments that would, among other things, (i) remove uncertainty that discourages investments; (ii) focus on a bank’s sustained commitment to meeting a community’s credit needs and rewarding long-term investment; and (iii) accommodate banks of different sizes and business models by allowing small banks with less than $500 million in total assets to choose between the existing and the proposed revised framework for their evaluations. During the hearing, Otting also refuted the perception that the NPR employs the use of a single metric to determine a bank’s CRA rating, stating “there is no one ratio in this proposal. . .the average regional bank will have 502 measurement points so every community would be measured by units and dollars and at the top of the house it would be dollars.”
When Congressman Brad Sherman (D-CA) asked about the OCC’s recent request for bank-specific data to inform the NPR (previously covered by InfoBytes here) questioning why the agencies “want to adopt a rule on such a quick timetable when [they] still don’t have the information,” Otting responded that the additional information requested from the banks is meant to help validate the OCC’s analysis and conclusions. However, when the discussion turned to whether Congress could access the data and analysis used to create the NPR, Otting stated that he would be happy to discuss the data and analysis in person but that the information should not be publicly distributed. Waters stated Congress would subpoena the information if necessary. Otting also confirmed that the 60-day comment period of the NPR (which closes March 9) would not be extended, and that the goal would be to finalize the rule within 60 to 70 days after the comment period ends. With respect to the Federal Reserve’s decision not to join in the notice of proposed rulemaking, Otting said, “We have thousands of rules, regulations and guidance that differ amongst the agencies. So no…I do not see it as an impediment at all.” As previously covered by InfoBytes, earlier this month Federal Reserve Governor Lael Brainard discussed the Fed’s approach to the CRA modernization process and explained why the Fed chose not to join in the NPR.
National bank settles overdraft fee MDL
On January 24, the U.S. District Court for the District of South Carolina entered final judgment for the approval of a $43 million settlement between a national bank and consumers to resolve multidistrict litigation (MDL) concerning overdraft charges. According to the settlement, since 2013, several groups of consumers have filed putative class action complaints against the bank in multiple jurisdictions alleging improper assessment and collection of overdraft fees, including claims that class members incurred overdraft fees as a result of the bank’s alleged practice of assessing fees based on an account’s available balance rather than its ledger balance. Other claims include allegations that the bank assessed overdraft fees for an ATM or one-time debit card transaction, assessed sustained overdraft fees, or assessed overdraft fees on ride-sharing transactions. In 2015 the Judicial Panel for Multi-District Litigation consolidated the actions for pretrial purposes.
In 2018, as previously covered by InfoBytes, the court dismissed one of the complaints in the MDL action, which alleged that the bank’s $20 overdraft fee is an interest charge on credit and therefore exceeds usury limits under the National Bank Act (NBA). The court noted that it had previously rejected a materially identical usury claim in December 2015 and that no new evidence or authority had been brought to light that would change its decision. In addition, the court concluded that “the law is still clear that sustained overdraft fees are not interest, and that assessing such fees cannot violate the usury provision of the NBA.” In 2019, the parties agreed to settle the action in its entirety, without any admission of liability by the bank. Under the terms of the settlement agreement, six classes of consumers will receive payouts or overdraft fee forgiveness, which will include $27 million “in the form of reductions to the outstanding balances of [class members] whose accounts were closed with amounts owed to the [bank].”
1st Circuit: Statute of limitations starts on loan closing
On January 17, the U.S. Court of Appeals for the First Circuit affirmed the dismissal of claims against a mortgage holder and a loan servicer (defendants), concluding the allegations were barred on statute-of-limitations grounds. In 2018, ten years after the borrower defaulted on her loan, she filed a suit against the defendants “alleging that the loan was predatory because at its inception the lender knew or should have known that she would not be able to repay it.” The borrower alleged first that the defendants violated the Massachusetts Consumer Protection Act (MCPA) by committing unfair and deceptive practices when trying to enforce a “predatory mortgage loan,” and second that the defendants violated the Massachusetts Fair Debt Collection Practices Act (MFDCPA) by collecting or attempting to collect on the loan in an unfair, deceptive, or unreasonable manner. The district court dismissed the first claim as time-barred, stating that the four-year statute of limitations period began when the borrower closed on the loan in 2005. The district court also ruled that Chapter 93, Section 49 of the MDFCPA does not provide a private right of action for the second claim.
The 1st Circuit affirmed on appeal, determining that, with respect to the borrower’s MCPA claim, the four-year limitations period “began to run on the signing date when interest began to accrue,” and that the borrower failed to show that any of the defendants’ later collection actions triggered a new limitations period. Concerning the borrower’s MFDCPA claim that the collection efforts were “unfair because they constituted enforcement of inherently unfair and deceptive loan terms,” the appellate court concluded it was unnecessary to decide the issue of whether the borrower held a private right of action under the MFDCPA because the borrower’s claim is time-barred.
SEC reports cybersecurity and resiliency observations
On January 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of a report entitled Cybersecurity and Resiliency Observations, compiled from an assessment of prior examinations. The report provides best practices for regulated entities to increase readiness and awareness related to cybersecurity. Echoing themes from the OCIE’s risk-based exam priorities, previously covered by InfoBytes here, the report also emphasizes risk management. Some of the highlights of the report include:
- Governance and Risk Management. OCIE lists senior level engagement as an important factor in an effective cybersecurity program. Also important is a thorough program risk assessment as well as the application of policies and procedures based on the assessment. Additionally, the cybersecurity program should continuously evolve, and provide for constant testing and monitoring.
- Access Rights and Controls. OCIE emphasizes the need for controls to limit access to certain data only to authorized users. Organizations should set out policies and procedures to monitor for unauthorized users, require periodic password changes for users, and review systems for changes that are not approved.
- Data Loss Prevention. Many firms protect sensitive data by using vulnerability scanning as well as perimeter security to monitor network traffic. Firms may utilize technology that can monitor for and detect network threats and insider threats. Also, encrypting data as it moves into and out of the network, and segmenting data for use only by authorized systems are key data loss prevention measures.
- Mobile Security. Firms that use mobile devices and applications may require enhanced security policies including the use of multi-factor authentication, limiting firm information that can be extracted from devices, and enabling the firm to remotely clear content when devices are lost or stolen. Training is also an important practice.
- Incidence Response and Resiliency. Effective risk-based incident response plans developed by firms focus on detection and corrective actions. The plans include business continuity as well as regular testing and reassessment of the plan.
- Vendor Management. OCIE promotes proper due diligence of vendors as well as effective management of vendors including monitoring and testing to ensure security requirements are continually met.
- Training and Awareness. OCIE notes that many firms incorporate effective policies and procedures into training, periodically re-evaluate training programs, and ensure employee participation.
Michigan establishes provisions for credit services organizations
On January 27, the Michigan governor signed HB 4411, which establishes provisions for credit service organizations. Among other things, HB 4411 prohibits persons engaged in credit service activities from (i) charging or receiving money from a buyer seeking a loan, extension of credit, or other valuable consideration before closing; (ii) charging a buyer or receiving from a buyer money or other valuable consideration before completing all agreed upon services, or “for referral to a retail seller that will or may extend credit to the buyer if the credit that is or may be extended to the buyer is substantially the same as that available to the general public”; (iii) making or using false or misleading representations, or engaging in a fraudulent or deceptive act or practice connected with the offer or sale of a credit services organization, stating that the organization has the ability to delete adverse credit history, or guaranteeing that the organization can obtain an extension of credit regardless of the buyer’s credit history; (iv) failing to perform the agreed upon services within 90 days after the contract is signed by the buyer; (v) advising a buyer to make untrue or misleading statements to certain entities, including a consumer credit reporting agency; (vi) assisting in the removal of adverse credit information that is accurate and not obsolete, or assisting a buyer in creating a new credit record using alternative personal information; and (vii) submitting buyer disputes to consumer credit reporting agencies without a buyer’s knowledge. The act is effective immediately.