InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Written request for HAMP assistance resets foreclosures limitations
On December 13, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s grant of summary judgement in favor of a bank and mortgage servicer defendants in an action brought by a consumer to prevent foreclosure of his property. According to the unpublished opinion, in 2016, the consumer, who was struggling with his mortgage payments, submitted loan modification requests on three occasions. In each request, the consumer provided written acknowledgment of the original debt and expressed his desire to pay in order to keep his property. The consumer asserted that Washington state law and the FDCPA prohibited the defendants from instituting foreclosure proceedings on his mortgage because the six-year statute of limitations for filing for foreclosure had expired. On appeal, the three judge panel rejected the consumer’s argument, determining that the limitation on filing for foreclosure had not run, explaining that because the consumer had not communicated to defendants “an intent not to pay,” and each of the modification requests acknowledged the debt in writing, the foreclosure statute of limitations period was restarted each of the three times he submitted his loan modification requests.
Pennsylvania reaches settlement with travel websites over data breach
On December 13, the Pennsylvania attorney general announced a settlement with two travel websites resolving allegations that a 2018 data breach may have exposed consumer data for more than 20,000 state customers, including 880,000 affected payment cards globally. According to the state’s investigation, a hacker bypassed security detection and built malware that targeted payment cards on one of the company’s platforms. The company was also notified by a business partner of potentially fraudulent point of purchase transactions related to the data breach. Under the terms of the Assurance of Voluntary Compliance—which alleges the company violated the state’s Unfair Trade Practices and Consumer Protection Law by misrepresenting safeguards for customer data in its privacy policy and failing to fully implement data security policies—the companies have agreed to pay $110,000, including a $80,000 civil penalty and $30,000 towards future public protection and education purposes. The company must also implement a number of security requirements, such as (i) implementing a comprehensive information security program on their travel website; (ii) conducting annual risk assessments; (iii) developing a program for implementing and operating safeguards; and (iv) complying with Payment Card Industry Data Security Standards.
States recommend FTC “significantly” strengthen COPPA
On December 9, a coalition of 25 state attorneys general responded to the FTC’s request for comments on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA). As previously covered by InfoBytes, the FTC released a notice in July seeking comments on all major provisions of COPPA, including definitions, notice and parental consent requirements, exceptions to verifiable parental consent, and the safe harbor provision. In response the AGs strongly recommend that, while the FTC should “significantly” strengthen COPPA, any changes must be flexible and evolve to meet a rapidly-changing data landscape’s needs. Specifically, the AGs state that COPPA’s definition of “web site or online service directed to children,” as well as its definition of an “operator,” need to be modified, as many first-party platforms embed third parties who allegedly engage in the majority of the privacy-invasive online tracking. By expanding the definition of an operator, the AGs claim that COPPA would require compliance by companies that use and profit from the data as well as companies that collect the data. According to the AGs, COPPA, places a lower burden on third-parties and requires them to be bound by the rule only when they have “actual knowledge” that they are tracking children, even though these entities “are arguably as well-positioned as the operators of the websites and online services to know that they are tracking and monitoring children.”
The AGs also believe that the prong that “recognizes the child-directed nature of the content” should be strengthened, because companies that are able to identify and target consumers through sophisticated algorithms are often disincentivized to use the information to affirmatively identify child-directed websites or other online services. Among other things, the AGs also discuss the need for specifying the appropriate methods used for determining a user’s age, expanding COPPA to protect minors’ biometric data, and providing illustrative security requirements.
Hospitality company's bid to dismiss data breach suit rejected
On December 13, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss a data breach suit brought by the City of Chicago. According to the city’s complaint, the company violated the Illinois Consumer Fraud and Deceptive Business Practices Act by, among other things, allegedly failing to (i) “protect Chicago residents’ personal information”; (ii) implement and maintain reasonable security measures; (iii) disclose that it did not maintain reasonable security measures; and (iv) provide “prompt notice” of the breach to Chicago residents. According to the opinion, the city had established standing to sue the company because it adequately alleged injury to its municipal interests. Additionally, the court rejected the company’s assertion that the suit is unconstitutional under the Illinois Constitution, stating that the consumer protection ordinance the company was alleged to have violated “addresses a local problem, making it a legitimate exercise of the City’s home rule authority” under the state’s constitution. The company had released a statement in November 2018, which is at the center of the city’s action, stating that the breach was discovered in September 2018, had exposed personal information from 500 million guests, and been ongoing since 2014.
FDIC issues brokered-deposits proposal
On December 12, the FDIC issued a notice of proposed rulemaking (NPRM) requesting comments on revisions to the agency’s brokered deposit regulations implementing Section 29 of the FDI Act, and also issued an associated factsheet. The regulations were originally implemented in the late 1980s, and the FDIC more recently issued guidance in the form of FAQs in 2016. The FDIC’s NPRM follows an advanced notice of proposed rulemaking issued last December (previously covered by InfoBytes here), that requested feedback on ways in which the agency could improve its brokered deposit regulation. According to the FDIC, the NPRM would modernize and establish a new framework to ensure the “classification of a deposit as brokered appropriately reflects changes in the banking system, including banks’ use of new technologies to engage and interact with their customers.” Among other things, the NPRM would: (i) revise the “facilitation” prong of the deposit broker definition so that it applies to persons who engage in specified activities; (ii) revise two exceptions under Section 29—the first would allow a wholly owned operating subsidiary to be eligible for the insured depository institution exception to the “deposit broker” definition in certain circumstances, while the second would amend the “primary purpose exception” for agents or nominees whose primary purposes are not the placement of funds with insured depository institutions for customers (the FDIC plans to establish an application process for third parties who want to take advantage of the primary purpose exception); and (iii) continue to consider an agent’s placement of brokered CDs as deposit brokering, and continue to be report such deposits as brokered. Chair McWilliams provided remarks (linked here) about brokered deposit regulation at a Brookings Institution event the day before the NPRM was adopted.
Board member Martin Gruenberg voted against the NPRM, stating that the proposal would “significantly weaken” the rule and would narrow the scope of deposits that are considered brokered “without adequate justification and expose the banking system to significantly increased risk.”
Comments on the NPRM are due within 60 days of publication in the Federal Register.
District Court’s reversal of jury verdict in FDCPA case overturned
On December 12, the U.S. Court of Appeals for the Fifth Circuit reversed the district court’s ruling overturning a jury verdict in favor of the consumer for a debt collection company’s (company) violation of the FDCPA and the Texas Fair Debt Collection Practices Act (Texas Act). The consumer sued the company claiming that after she sent the company a letter disputing a debt, the company failed to report to the credit bureaus that the debt was “disputed.” At trial, the jury awarded the consumer $61,000 for the company’s alleged FDCPA and Texas Act violations. Afterwards, the district court granted the company’s post-trial motion for judgment as a matter of law, overturned the jury’s verdict, and dismissed the case, ruling that the consumer failed to provide evidence that the disputed debt was a consumer debt.
On appeal, the 5th Circuit held that it is within the jury’s discretion to make credibility determinations and that it was permissible for the jury to credit the consumer’s testimony about the consumer nature of the debt—a determination which cannot be disturbed unless it is impossible that the testimony is true. In addition, the appellate court noted that the jury has discretion to draw inferences and that it reasonably inferred that the disputed debt was, in fact, a consumer debt, as the consumer claimed.
Fed announces fintech initiatives
On December 17, the Federal Reserve Board (Fed) announced a new fintech website section created to engage with banks and other companies involved in fintech innovation. According to the announcement, the new section will highlight supervisory observations regarding fintech, provide a hub of information for interested stakeholders on innovation-related matters, and deliver practical tips for banks and other companies interested in engaging in fintech activity.
Additionally, on February 26, 2020 the Fed will hold the first in a series of “fintech innovation office hours” in conjunction with the Federal Reserve Bank of Atlanta. According to the Fed, they intend to host “office hours” nationwide to provide opportunities, especially “helpful to community banks and their potential fintech partners,” and to speak to well-versed Fed staff members about concepts and advancements surrounding “emerging financial technologies.” The announcement provides a link for interested parties to sign up to participate.
New Fed exam guidelines issued for FBOs
On December 12, the Federal Reserve Board (Fed) issued SR 19-15, “Revised Examination Guidelines for Representative Offices of Foreign Banks,” which is applicable to foreign banking organizations (FBOs) with U.S. representative offices (offices) subject to supervision by the Fed. According to the letter, Reserve Banks should examine offices of FBOs at least every 24 months, and ideally, at the same time as any examination of related U.S. branches or agencies. An office can be examined more often (i) based on state law examination requirements; (ii) if “supervisory concerns” exist regarding the foreign bank’s condition; and (iii) if the activities of the office are central to the FBO’s entire U.S. operations or if the office has a large number of employees. The letter provides guidelines for documentation of exam findings and for assignment of various ratings including compliance, risk management and operational controls. The Fed notes that “the type of documentation and rating should vary depending on the representative office’s activities and the significance of supervisory concerns.”
Payday lenders’ $12 million settlement approved
On December 13, the U.S. District Court for the Eastern District of Virginia granted final approval of a $12 million settlement to resolve allegations including unjust enrichment, usury, and violations of RICO against tribe-related lenders (lenders) that plaintiffs claim charged extremely high interest rates on consumer payday loans. According to the memorandum in support of the settlement, one lender’s “operation constituted a “rent-a-tribe,” where it originated high-interest loans through entities formed under tribal law in an attempt to evade state and federal laws.” The parties filed a preliminary settlement agreement in June. According to the approval order, the court found that “the settlement agreement is fair, adequate and reasonable,” reaffirmed certification of a final settlement class, and additionally found that “the class representatives have and continue to adequately represent settlement class members.” This settlement ends three separate putative class actions against the lenders.
Agencies release 2018 CRA data
On December 16, the three federal banking agency members of the Federal Financial Institutions Examination Council (FFIEC) with Community Reinvestment Act (CRA) responsibility—the Federal Reserve Board, the FDIC, and the OCC—announced the release of the 2018 small business, small farm, and community development CRA data. The analysis contains information from 700 lenders about originations and purchases of small loans (loans with original amounts of $1 million or less) in 2018, a 2.2 percent decrease from the 718 lenders that reported data in 2017. According to the analysis, the total number of originated loans increased by approximately 8 percent from 2017, with the dollar amount of originations increasing by roughly 5 percent; however, the analysis notes that the majority of this growth is attributable to one bank’s increase in originations. The analysis further notes that 615 banks reported community development lending activity totaling nearly $103 billion in 2018, an increase from $96 billion in 2017.