Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Delaware Federal Court Holds No Harm From Third-Party Cookies' Collection Of Personal Information, Dismisses Broad Consumer Privacy Suit
On October 9, the U.S. District Court for the District of Delaware dismissed a broad, consolidated action against an Internet company alleged to have circumvented an Internet browser’s cookie blocker to collect personally identifiable information (PII) from the browser’s users. In re Google Inc. Cookie Placement Consumer Privacy Litig., No. 12-2358, slip op. (D. Del. (Oct. 9, 2013). The court held that the plaintiffs lacked Article III standing because they had not sufficiently alleged an injury-in-fact The court reasoned that while plaintiffs provided some evidence that the PII at issue has some value to the individual, they did not sufficiently allege that their ability to extract that value was diminished by the alleged collection by a third party. Despite its standing holding, the court continued its analysis and dismissed each of the plaintiffs federal and state privacy claims on the merits. The court held, for example, that the plaintiffs’ claims that the collection of URLs violated the Electronic Communications Privacy Act failed because URLs are not “contents” as defined by that Act. The court also held that the plaintiffs failed to identify any impairment of the performance or functioning of their computers and could not sustain a claim under the Computer Fraud and Abuse Act.
Federal District Court Invalidates Application Of HUD Regulation Requiring Full Payment of Reverse Mortgage From Surviving Spouses
On September 30, the U.S. District Court for the District of Columbia held that a HUD regulation defining conditions under which it would insure a reverse mortgage agreement, which would have made it easier for lenders to foreclose on homes occupied by surviving spouses, contradicted the governing statute. Bennett v. Donovan, 11-498, 2013 WL 5424708 (D.D.C. Sept. 30, 2013). The surviving spouses in this case, neither of whom were legal borrowers under the reverse mortgages entered into by their spouses, sought declaratory relief that HUD’s regulations requiring that the mortgage be due and payable in full if a borrower dies and the property is not the principal residence of at least one surviving borrower violated the Administrative Procedure Act because the rule is inconsistent with the governing statute. The statute protects “homeowners,” as opposed to “borrowers,” from displacement and defines “homeowner” to include “spouse of the homeowner.” Applying the Chevron deference test, the court held that that the plain meaning of the statute is not contradicted by context or legislative history and clearly provides for the loan obligation to be deferred until the homeowner’s and the spouse’s death. The court held that the regulation as applied to the surviving spouses is invalid, and, consistent with guidance from the D.C. circuit, directed HUD to determine the appropriate relief.
On October 4, the U.S. District Court for the Central District of California denied certification of a putative class of consumers that had alleged a major retailer’s policy of requiring online customers to provide their telephone numbers or addresses in connection with credit card purchase transactions violated the Song-Beverly Credit Card Act. Leebove v. Wal-Mart Stores, Inc., No. 13-1024, slip op. (C.D. Cal. Oct. 4, 2013). The court held that the commonality requirement for class certification was not satisfied. The court explained that the relevant provision of the Act prohibits collecting certain information from a “cardholder,” which includes only “natural persons,” and held that an individualized inquiry would need to be made regarding whether the card used by each class member was issued as a consumer or business card. The court further reasoned that individual inquiries would be required to determine whether each class member’s claim was barred under an exception that allows retailers to request certain otherwise prohibited personal information for use in shipping, delivering, servicing, or installing the purchased items.
California Court Holds Website Link To Fair Usage Policy Not Conspicuous Enough To Indicate Limits to Term "Unlimited"
On October 4, the California Court of Appeal held that the disclosure of limits to an “unlimited” calling plan in a linked Fair Usage Policy was not sufficiently conspicuous to support a lower court’s judgment as a matter of law that the calling plan was not misleading. Chapman v. Skype, Inc., B241398, 2013 WL 5502960 (Cal. Ct. App. Oct. 4, 2013). The putative class action complaint alleged violations of California’s Unfair Competition Law, false advertising law, and Consumer Legal Remedies Act, in addition to common law intentional and negligent misrepresentation and unjust enrichment claims. The calling plan in question was advertised as “unlimited,” but included a link to a Fair Usage Policy that explained that the plain was limited to 6 hours per day, 10,000 minutes per month, and 50 numbers called each day. The defendant argued that it had adequately disclosed these limits, but the plaintiff claimed that the terms in the Fair Usage Policy contradicted the word “unlimited” in the plan’s description. The trial court had dismissed all claims without leave to amend. The Court of Appeal held that plaintiff had adequately alleged violations of the statutory provisions, and should be permitted to amend her complaint as to her inadequately pled common law claims. The court concluded that the plaintiff had alleged sufficient facts to create a question of fact as to whether consumers were likely to be deceived by the plan terms, noting that under the applicable laws the plaintiff did not need to show that the use of the word “unlimited” was actually false, but rather that such use was misleading. The court thus instructed the trial court to vacate its order sustaining the defendant’s demurrer as to the statutory claims, and to allow plaintiff to amend the complaint as to the common law claims.
On October 4, the CFPB and the FTC filed an amicus brief in a Fair Credit Reporting Act (FCRA) case pending in the Ninth Circuit. The brief argues that the seven-year period during which a criminal arrest can be reported starts on the date of the arrest and, contrary to the district court’s decision, is not extended by a subsequent dismissal of the charges. The brief notes that FCRA previously provided that the seven-year reporting period ran “from the date of disposition [i.e., dismissal], release, or parole,” but that Congress repealed that specific provision in 1998, replacing it with the general FCRA rule that the reporting period begins when the adverse event occurs. The brief notes that Congress prescribed a different rule from some categories of information—for example, the seven-year period for reporting that a delinquent account was placed with a collection agency begins 180 days after the commencement of the delinquency that immediately preceded the collection activity.
The brief relies heavily on the FTC’s summary of staff interpretations that it issued as part of its staff report, 40 Years of Experience with the Fair Credit Reporting Act (2011), just before the Dodd-Frank Act transferred primary enforcement authority for FCRA from the FTC and gave the CFPB general rulemaking powers under FCRA. The FTC and CFPB argue that the district court erroneously relied on the FTC’s 1990 Commentary on FCRA, which did not reflect the 1998 amendments. The extensive reliance on the 40 Years Report in the brief is significant because it reflects an endorsement of the authoritativeness of that report by the CFPB, at least as to the particular issue raised in this case.
The CFPB has decided to end its policy of sending enforcement attorneys to routine examinations of supervised financial institutions. The policy change will take effect on November 1, 2013.
The CFPB decision followed an internal review designed to streamline the examination process and make it less costly. The CFPB asserts that the change was not in response to criticism it has received from supervised institutions and others. Bank and nonbank financial service providers and their trade associations have objected to the CFPB’s policy from its start, arguing that it differs from the traditional approach taken by other federal regulators and limits the effectiveness of the examination process. Hearing those concerns, last November the CFPB Ombudsman’s Office identified the presence of enforcement attorneys at supervisory examinations as one of several “systemic issues” at the Bureau and recommended that the CFPB review its implementation of the policy. In addition, the Federal Reserve Office of Inspector General, which also serves as the CFPB’s inspector general, was in the process of reviewing the policy and was set to release its report in the coming weeks, and just recently the Bipartisan Policy Center called on the CFPB to end the policy.
On October 9, the CFPB (or Bureau) announced it had assessed civil money penalties totaling $459,000 against two financial institutions—one bank and one nonbank—after examinations identified significant data errors in mortgage loans reported pursuant to the Home Mortgage Disclosure Act (HMDA). The Bureau simultaneously issued a HMDA bulletin to all mortgage lenders regarding the elements of an effective HMDA compliance management system, resubmission thresholds, and factors the Bureau may consider when evaluating whether to pursue a public HMDA enforcement action and related civil money penalties.
According to the consent orders (available here and here), both financial institutions maintained inadequate HMDA compliance systems that resulted in the reporting of “severely compromised mortgage lending data.” The nonbank, which reported 21,015 applications in its 2011 HMDA Loan Application Register (LAR), agreed to pay a penalty of $425,000. The consent order notes previous violations identified by the state regulator and states that the Bureau sampled 32 loans and concluded that the sample error rate unreasonably exceeded the Bureau’s resubmission threshold, although the error rate was not disclosed. The investigation of the nonbank was conducted in cooperation with the Massachusetts Division of Banks, which announced its own consent order imposing a $50,000 administrative fine at the same time that the CFPB announced its order. The bank, which reported 5,785 applications in its 2011 HMDA LAR, agreed to pay a penalty of $34,000. The consent order against the bank states that the bank’s sample error rate was 38 percent but does not disclose the size of the sample. Both institutions will be required to correct and resubmit their 2011 HMDA data and develop and implement an effective HMDA compliance management system to prevent future violations. Neither of the orders reveals the specific deficiencies in the institutions’ HMDA compliance programs.
As noted above, the Bureau also issued a bulletin regarding HMDA compliance along with HMDA resubmission guidelines. The bulletin discusses the components of an effective HMDA compliance management system, including: (i) comprehensive policies, procedures, and internal controls; (ii) comprehensive and regular internal, pre-submission HMDA audits; (iii) a process for reviewing regulatory changes; (iv) reporting systems commensurate with lending volume; (v) one or more individuals responsible for oversight, data entry, and data updates, including timely and accurate reporting; (vi) appropriate, sufficient, and periodic employee training on HMDA, Regulation C, and reporting requirements; (vii) a process for effective corrective action in response to deficiencies identified; and (viii) appropriate board and management oversight.
In addition, the bulletin announces the Bureau’s new HMDA Resubmission Schedule and Guidelines, which sets forth thresholds that will apply when determining whether resubmission is required when errors are discovered in a HMDA data integrity examination. The new resubmission schedule creates a two-tier system in which resubmission thresholds are lower for institutions reporting fewer than 100,000 entries on the HMDA LAR. Under the guidance, institutions that report 100,000 or more entries on their LAR should correct and resubmit their entire HMDA LAR if the error rate exceeds four percent of the total sample (or two percent in any individual data field), while institutions with fewer than 100,000 entries on their LAR should correct and resubmit their LAR if the error rate exceeds ten percent in the total sample (or five percent in any individual data field). The guidance states that resubmission for error rates below the applicable thresholds may be called for if “the errors prevent an accurate analysis of the institution’s lending.” Under the Bureau’s current standards, institutions, regardless of size, must resubmit a corrected LAR if any “key fields” have an error rate of five percent, or if at least ten percent of the institution’s records have an error in at least one of the key fields. The new resubmission schedule and guidelines will apply to all HMDA data integrity reviews initiated on or after January 18, 2014.
Finally, the bulletin provides a non-exclusive list of factors the Bureau may consider when evaluating whether to pursue a public HMDA enforcement action, including: (i) size of the institution’s HMDA LAR and observed error rates; (ii) whether errors were self-identified and independently corrected outside of an examination; and (iii) history of previous HMDA errors that exceed the permissible threshold. In addition, the guidance states that the Bureau may seek civil money penalties for HMDA violations depending on such factors as (i) size of financial resources and good faith effort of compliance by the institution; (ii) gravity of the violations or failure to pay; (iii) severity of harm to consumers; (iv) history of previous violations; and (v) such other matters as justice may require.
These recent CFPB announcements reinforce BuckleySandler’s experience to date that the CFPB is stepping up scrutiny of HMDA practices both at banks and nonbanks. These examination and enforcement initiatives dovetail with the CFPB’s other recent HMDA-related activities. The CFPB recently launched new tools to allow the public—including consumer and housing advocates—to leverage HMDA data to attempt to identify lending patterns. The CFPB also has started internally drafting a proposed rule to implement changes to HMDA data collection requirements, as required by the Dodd-Frank Act. Though a final rule is a distant prospect, once finalized the CFPB may require institutions to report, among other things: (i) ages of loan applicants and mortgagors; (ii) the difference between the annual percentage rate associated with the loan and benchmark rates for all loans; (iii) the term of any prepayment penalty; (iv) the term of the loan and of any introductory interest rate for the loan; (v) the origination channel; and (vi) the credit scores of applicants and mortgagors.
All of these developments suggest bank and nonbank mortgage originators should review their HMDA practices and processes to ensure they are reporting data that are accurate or at least within the CFPB’s revised tolerances.
On October 3, the CFPB finalized the trial disclosure policy proposed in December 2012 as part of Project Catalyst, which allows companies to apply for a waiver to test potential disclosure improvements on a trial basis. The Bureau did not make substantive changes to the final policy but clarified certain aspects based on the public comments.
Most comments to the proposed policy concerned the approval process for trial disclosure programs. First, the Bureau clarified that it would welcome collaboration and cost-sharing among participants, so long as all entities involved are specifically identified. Second, the Bureau clarified that potential participants may use ProjectCatalyst@cfpb.gov as a point of contact to request a preliminary discussion of a potential trial disclosure prior to submitting an application. Third, the Bureau clarified that the policy is intended to accommodate iterative testing of disclosures and that, in cases where subsequent iterations are appropriate, it will follow a staggered approach to waiver approval.
In response to requests for clarification on the scope of the safe harbor provision, the Bureau clarified that entities approved for a waiver will generally be shielded from private litigation under federal law by consumers and generally from enforcement proceedings by other federal regulators, so long as their conduct accords with the terms of approval. The Bureau will work to coordinate with state regulators. Entities will be given an opportunity to dispute a potential revocation of a waiver before it is issued.
The Bureau declined requests by consumer groups to subject proposed disclosures to full notice and comment, to make qualitative testing an absolute requirement for test approval, to provide consumers notice and the chance to opt out of testing, and to make test results public.
Recently, the DOJ released information regarding three fair lending actions, all three of which included allegations related to wholesale lending programs. On September 27, the DOJ announced separate actions—one against a Wisconsin bank and the other against a nationwide wholesale lender—in which the DOJ alleged that the lenders engaged in a pattern or practice of discrimination on the basis of race and national origin in their wholesale mortgage businesses. The DOJ charged that, during 2007 and 2008, the bank violated the Fair Housing Act and ECOA by granting its mortgage brokers discretion to vary their fees and thus alter the loan price based on factors other than a borrower’s objective credit-related factors, which allegedly resulted in African-American and Hispanic borrowers paying more than non-Hispanic white borrowers for home mortgage loans. The bank denies the allegations but entered a consent order pursuant to which it will pay $687,000 to wholesale mortgage borrowers who were subject to the alleged discrimination. The allegations originated from an FDIC referral to the DOJ.
The DOJ charged the California-based wholesale lender with violations of the Fair Housing Act and ECOA, alleging that over a four-year period, the lender’s practice of granting its mortgage brokers discretion to set the amount of broker fees charged to individual borrowers, unrelated to an applicant’s credit risk characteristics, resulted in African-American and Hispanic borrowers paying more than non-Hispanic white borrowers for home mortgage loans. The lender did not admit the allegations, but agreed to enter a consent order to avoid litigation. Pursuant to that order the lender will pay $3 million to allegedly harmed borrowers. The order also requires the lender to take other actions including establishing race- and national origin-neutral standards for the assessment of broker fees and monitoring its wholesale mortgage loans for potential disparities based on race and national origin.
Finally, on September 30, the DOJ announced that a national bank agreed to resolve certain legacy fair lending claims against a thrift it acquired several years ago, which the bank and the OCC identified as part of the acquisition review. Based on its own investigation following the OCC referral, the DOJ alleged that, between 2006 and 2009, the thrift allowed employees in its retail lending operation to vary interest rates and fees, and allowed third-party brokers as part of its wholesale lending program to do the same, allegedly resulting in disparities between the rates, fees, and costs paid by non-white borrowers compared to similarly-situated white borrowers. The bank, which was not itself subject to the DOJ’s allegations, agreed to pay $2.85 million to approximately 3,100 allegedly harmed borrowers to resolve the legacy claims and avoid litigation.
On September 27, the FDIC issued Financial Institution Letter FIL-43-2013, which is intended to clarify the FDIC’s policy and supervisory approach related to financial institutions that facilitate payment processing services—directly or through a third party—for merchant customers engaged in “higher-risk activities.” The letter states that banks that perform these services for merchants engaged in activities that “tend to display a higher incidence of consumer fraud or potentially illegal activities” are expected to perform proper risk assessments, conduct due diligence to determine the merchants are operating in accordance with applicable law, and maintain systems to monitor the relationships with payment processors and merchants. Institutions that properly manage payment processing relationships and risks are not prohibited or discouraged from providing such services to businesses operating in compliance with applicable law. The FDIC intends to assess whether institutions are adequately overseeing these activities and addressing related risks. The FDIC’s statement follows concerns raised by certain banks, their representatives in Congress, and third-party payment processors about the scope of the governmental scrutiny of online lenders, payment processors, and their relationships with banks.
- Daniel R. Alonso to discuss "When can trial lawyers take their case to the public? The Harvey Weinstein case and beyond" at a New York City Bar Association webcast
- Jonice Gray Tucker to discuss "Fair servicing in wake of Covid-19" at an American Bar Association webinar
- APPROVED Webcast: Maximizing vendor value
- Daniel P. Stipano to discuss "Cram for the exam: Best prep strategies for a regulatory examination" at an ACAMS webinar
- Melissa Klimkiewicz to discuss "Flood insurance basics" at the NAFCU Virtual Regulatory Compliance School
- Sasha Leonhardt to discuss "Privacy laws clarified" at the National Settlement Services Summit (NS3)