InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Agencies say supervisory guidance does not have the “force and effect” of law
On September 11, five federal agencies (the Federal Reserve Board, CFPB, FDIC, NCUA, and OCC) issued a joint statement confirming that supervisory guidance “does not have the force and effect of law, and [that] the agencies do not take enforcement actions based on supervisory guidance.” The statement distinguishes the various types of supervisory guidance—interagency statements, advisories, bulletins, policy statements, questions and answers, and frequently asked questions—from laws or regulations and emphasizes that the intention of supervisory guidance is to outline agencies’ expectations or priorities. The statement highlights five policies and practices related to supervisory guidance: (i) limit the use of numerical thresholds or other “bright-line” requirements; (ii) examiners will not cite to “violations” of supervisory guidance; (iii) request for public comment does not mean the guidance has the force and effect of law; (iv) limit multiple issuances of guidance on the same topic; and (v) continue to emphasize the role of supervisory guidance to examiners and to supervised institutions.
CFPB issues updated FCRA model disclosures to implement Economic Growth, Regulatory Relief, and Consumer Protection Act amendments
On September 12, the CFPB issued an interim final rule to comply with the Economic Growth, Regulatory Relief, and Consumer Protection Act (the “Act”) (previously Senate bill S. 2155). Section 301(a)(1) of the Act amends the FCRA to add section 605A(i), which requires consumer reporting agencies to provide national security freezes free of charge to consumers. Additionally, the new section requires that whenever a consumer is provided a “summary of rights” under section 609, the summary must include a notice regarding the right to obtain a free security freeze. The Act also amends FCRA section 605A(a)(1)(A) to extend from 90 days to one year the minimum time that a credit reporting agency must include an initial fraud alert on a consumer’s file.
The interim final rule, which is effective on September 21, amends the model forms in Regulation V to comply with the Act. The interim file rule also permits various compliance alternatives to mitigate the impact of the changes to these forms, including allowing the use of the 2012 model forms so long as a separate page provided in the same transmittal contains the new information required.
Comments on the interim final rule will be due 60 days after publication in the Federal Register. Links to the English and Spanish versions of the revised Summary of Consumer Rights and revised Summary Consumer Identity Theft Rights, covered by Section 609 of the FCRA, are available here.
California governor signs amendments requiring the furnishing of customer account information associated with certain crime reports
On September 6, the governor of California signed amendments to the California Right to Financial Privacy Act to provide various state and local agencies—including the police, sheriff’s department, or district attorney in the state—the authorization to request information from financial institutions in certain circumstances associated with crime reports involving the alleged fraudulent use of drafts, checks, access cards, or other orders. Specifically, AB 3229 states that banks, credit unions, and savings associations must furnish a statement with the requested customer account information for a period of 30 days prior, and up to 30 days following, the date of the alleged illegal act’s occurrence. AB 3229 further states that financial institutions will be required to furnish account information—subject to the outlined procedures—to a DOJ special agent upon request.
New Jersey Attorney General announces settlement with data management software company over auto dealer data breach claims
On September 7, the New Jersey Attorney General announced a settlement with an Iowa-based data management software company related to an alleged data breach that exposed the personally identifiable information (PII) of auto dealership customers across the country. According to the consent order, the company—which develops and operates a dealer management system that stores and secures customer and employee data accessed by 130 auto dealerships nationwide—experienced a breach of security in 2016 that allowed unauthorized public access to unencrypted files containing PII. Following the breach, the state commenced an investigation into whether the company violated either the state’s Consumer Fraud Act (CFA) or its Identity Theft Prevention Act (ITPA). Under the terms of the settlement, the company—without admitting to the allegations—has agreed to pay a $49,420 civil money penalty, of which $20,000 will be suspended and automatically vacated after two years provided the company complies with the consent order and does not engage in any future violations of the CFA and/or the ITPA. Furthermore, the company will pay $31,365 to reimburse attorneys’ fees, and has, among other things, agreed to implement a comprehensive security program to prevent similar breaches from occurring in the future.
California updates notice requirements on time-barred debt collection efforts
On September 5, the California governor signed AB 1526, which, among other things, amends state debt collection law to require certain written notices to be included in the first written communications provided to the debtor after the debt became time-barred and after the date for obsolescence under the FCRA. If the debt is not past the date of obsolescence, the debt collector is required to include specific language in the first written communication to the debtor after the debt has become time-barred that indicates the debtor will not be sued for the debt, but the debt may be reported as unpaid to credit reporting agencies as allowed by law. If the debt is past the date of obsolescence, the debt collector is required to include specific language in the first written communication to the debtor after the date for obsolescence indicating the debtor will not be sued for the debt and the debt will not be reported to credit reporting agencies. The law also incorporates a four-year statute of limitations on the collection of debt by specifically prohibiting a debt collector from initiating a lawsuit, an arbitration, or other legal proceeding to collect the debt after the four-year period in which the action must have been commenced has ended.
8th Circuit holds employee failed to plead injuries in FCRA suit against employer, law firm, and credit reporting agency
On September 6, the U.S. Court of Appeals for the 8th Circuit held that an employee lacked standing to bring claims under the Fair Credit Reporting Act (FCRA) because she failed to sufficiently plead she suffered injuries. An employee brought a lawsuit against her former employer, a law firm, and a credit reporting agency (defendants) alleging various violations of the FCRA after the employee’s credit report that was obtained as part of the hiring process background check was provided to the employee in response to her records request in a wrongful termination lawsuit she had filed. The district court dismissed the claims against the employer and the law firm and granted judgment on the pleadings for the credit reporting agency. Upon appeal, the 8th Circuit, citing the Supreme Court’s 2016 ruling in Spokeo, Inc. v. Robins (covered by a Buckley Sandler Special Alert), concluded the former employee lacked Article III standing to bring the claims. The court found that the former employee authorized her employer to obtain the credit report and failed to allege the report was used for unauthorized purposes, therefore there was no intangible injury to her privacy. Additionally, the court determined that the injuries to her “reputational harm, compromised security, and lost time” were “‘naked assertion[s]’ of reputational harm, ‘devoid of further factual enhancement.’” As for claims against the law firm and credit reporting agency, the court found that the injury was too speculative as to the alleged failures to take reasonable measures to dispose of her information. Further, whether the credit reporting agency met all of its statutory obligations to ensure the report was for a permissible purpose was irrelevant, as she suffered no injury because she provided the employer with consent to obtain her credit report.
Texas bank petitions Supreme Court over CFPB constitutionality
On September 6, a Texas bank and two associations (petitioners) filed a petition for writ of certiorari with the U.S. Supreme Court challenging the constitutionality of the CFPB’s structure. Specifically, the petition asks the Court (i) whether the CFPB as an independent agency headed by a single director that can only be removed from office for cause violates the Constitution’s separation of powers; (ii) whether a 1935 Supreme Court case upholding removal restrictions on members of the FTC should be overturned; and (iii) weather the CFPB’s “perpetual, on-demand funding streams” are permitted under the Appropriations Clause. The petition results from a 2012 lawsuit challenging the constitutionality of several provisions of the Dodd-Frank Act, which resulted in the June decision by the D.C. Circuit to uphold summary judgment against the petitioners. That decision was based on the January 2018 D.C. Circuit en banc decision concluding the CFPB’s single-director structure is constitutional (covered by a Buckley Sandler Special Alert.
OCC seeks comments on notice of proposed rulemaking to enhance business flexibility for federal savings associations
On September 10, the OCC issued a notice of proposed rulemaking to implement section 206 of the Economic Growth, Regulatory Relief, and Consumer Protection Act (previously Senate bill S. 2155), which amended the Home Owners’ Loan Act to permit federal savings associations (covered savings associations) with total consolidated assets of $20 billion or less, as of December 31, 2017, to elect to operate with national bank powers. Among other things, the proposed rule would require covered savings associations to divest, conform, or discontinue nonconforming subsidiaries, assets, and activities so as not operate in a manner that would be impermissible for national banks. Covered savings associations would also be subject to the same duties, restrictions, penalties, liabilities, conditions, and limitations that would apply to a similarly located national bank without requiring a charter conversion. The OCC further noted that even if a covered savings association’s assets exceed $20 billion after it makes the election, it will continue to receive covered savings association treatment. In addition, to reduce unnecessary burdens, covered savings associations are able to using federal savings association procedures, as opposed to national bank procedures, if the application of those procedures would not result in substantively different outcomes. Comments will be accepted for 60 days following publication in the Federal Register.
OCC notifies banks of 18-month on-site examination qualifications
On September 10, the OCC notified national banks, federal savings associations, and federal branches and agencies of the interim final rule issued jointly by the OCC, Federal Reserve, and FDIC allowing qualified insured depository institutions with less than $3 billion in total assets to be eligible for an 18-month on-site examination cycle. (See previous InfoBytes coverage here.) In addition to meeting the asset threshold, qualifying banks must also (i) have a rating of one or two; (ii) be well capitalized and well managed; (iii) not be subject to a federal banking agency’s formal enforcement proceeding or order; and (iv) not have experienced a change of control within the previous 12 months. The OCC further noted that it reserves the authority to maintain more frequent examinations for banks if necessary or appropriate. The interim final rule, issued pursuant to the Economic Growth, Regulatory Relief, and Consumer Protection Act (previously Senate bill S. 2155), took effect August 29. Comments on the interim final rule must be received by October 29.
OCC provides guidance to institutions affected by Hurricane Florence
On September 11, the OCC issued a proclamation permitting OCC-regulated institutions to close their offices affected by Hurricane Florence in the Southeast and Mid-Atlantic. The OCC noted that only institutions directly impacted by potentially unsafe conditions should close, and that those offices should attempt to reopen as soon as possible to serve their customers’ banking needs. OCC Bulletin 2012-28 provides further guidance on natural disasters and other emergency conditions.
Find continuing InfoBytes coverage on disaster relief here.