InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California AG Releases Data Breach Report, Proposes Data Security Policy Changes
On July 1, California Attorney General Kamala Harris (AG) released a report analyzing data breaches reported to her office in 2012, the first year companies were required to report to the AG any breach involving more than 500 state residents. The report identifies 131 data breach incidents that put the personal information of 2.5 million individuals at risk. The AG noted that the report is not required by the law, but provides support for the AG’s recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those policy recommendations focus on (i) data encryption, (ii) information security, (iii)notice letters, and (iv) the definition of personal information.
Specifically, the AG claimed that the information for 1.4 million Californians would have been protected if companies had encrypted data, and urges companies to encrypt digital personal information when moving or sending it out of their secure network. The AG pledged to prioritize enforcement investigations of breaches involving unencrypted personal information. The AG’s report notes that a large percentage of breaches surveyed resulted from the failure of information security controls and references requirements under state law to protect the personal information of California residents.
The AG also stated that companies should make their data breach notices to consumers easier to read, and that the state legislature should consider expanding breach notice requirements to cover breaches involving passwords. The AG highlighted a pending bill, SB 46, that would revise the notice requirement’s definition of personal information to require reporting of breaches involving information that would permit access to an online account - user name or email address, in combination with a password or security question and answer. That bill has already passed the state Senate and was approved by the Assembly’s Judiciary Committee. It is scheduled to be considered by the Assembly’s Appropriations Committee on July 3, 2013.
Spotlight on Student Lending (Part 2 of 2): Lessons Learned from CFPB Reports
In 2012 and 2013, the Consumer Financial Protection Bureau released several major reports and held field hearings focused on private student lending and servicing. In addition to recent CFPB activity, on June 25, 2013, the Senate Banking Committee held a hearing regarding private student loans at which, among other witnesses, the CFPB’s Student Loan Ombudsman Rohit Chopra testified.
The largest CFPB report, and the one most sweeping in scope, was the Bureau’s study of the private student loan market and characteristics of private student loans that was mandated by Dodd-Frank and issued in July 2012 (Private Student Loans Report). In addition, in October 2012, the Student Loan Ombudsman issued his Annual Report in which, among other things, he characterized the nature of the student loan complaints received through the CFPB’s student loan complaint portal up to that point (Annual Report of the Student Loan Ombudsman). Further, on May 8, 2013, the CFPB issued another report and held a field hearing focused on what it described as the “potential domino effect” of student loan debt on the broader economy and proposing several options to assist private student loan borrowers. Finally, testimony at the above-referenced Senate Banking Committee hearing focused largely on how to increase the low refinancing and modification activity in the private student loan (PSL) market.
Taken together the Bureau’s reports, field hearings, and Congressional testimony put student lenders and servicers on notice that the Bureau will be looking closely at servicing issues, including loan modification and debt collection practices, as well as fair lending and likely fair servicing issues going forward, i.e., consistency in loan modifications and work outs.
With respect to the Private Student Loans Report, the report made clear that, in the fair lending space, the Bureau intends to scrutinize the use of cohort default rate (a statistic calculated by the Department of Education and used to determine which schools will be eligible to participate in federal student aid programs) as an eligibility metric. Likewise, the report recommends that lenders obtain school certification of the student’s education costs to prevent over borrowing.
As for the Annual Report of the Student Loan Ombudsman, from the Bureau’s perspective, the report likely validates the agency’s growing concern over student loan servicing insofar as the three main areas of consumer complaints described in the report are all focused in that area: general servicing concerns, concerns about payment processing, and concerns about inability to obtain loan modifications. The report draws parallels between problems in student loan servicing and those in mortgage loan servicing. For example, the report describes consumer complaints focused on the misapplication of payments, untimely error resolution and consumer difficulty in contacting appropriate personnel (all areas that have been a focus in the mortgage servicing space). So evident were the similarities in the eyes of the CFPB that its student loan ombudsman, Rohit Chopra, urged the Treasury secretary, the CFPB and secretary of education to consider whether mortgage servicing program “fixes” can be applied in the student loan context.
To this end, the Bureau has been sharpening its focus on repayment options in the private student loan market, with signals pointing perhaps to possible new rules setting student loan servicing standards. However, in the meantime, the Bureau has taken some notable steps. First, on February 21, it issued a notice and request for information on policy options to “increase the availability of affordable payment plans for borrowers with existing private student loans. Over 30,000 comments have been received. In addition, on May 8, as mentioned earlier, the Bureau proposed several policy “solutions” to assist student loan borrowers, such as providing “refi relief” for borrowers who have made timely payments, providing a “road to recovery” for borrowers by allowing their loans to be restructured, and providing a “credit clean slate” for borrowers who satisfy the terms of a workout plan. Importantly, though, the Bureau conceded that there are still significant accounting and operational impediments to implementing these “solutions” that require further consideration.
In light of the Bureau’s reports, field hearings, and other public statements, we advise private student lenders focus now on tightening internal controls with respect to fair and responsible lending issues as well as servicing and debt collection practices as those will areas of primary focus by the Bureau in examinations and otherwise going forward.
Questions regarding the matters discussed above may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- Andrew R. Louis, (202) 349-8061, alouis@buckleyfirm.com
- Jeffrey P. Naimon, (202) 349-8030, jnaimon@buckleyfirm.com
- Aaron C. Mahler, (202) 349-8024, amahler@buckleyfirm.com
- Sasha Leonhardt, (202) 349-7971, sleonhardt@buckleyfirm.com
CFPB Announces Debt Collection Field Hearing
On June 26, the CFPB announced that its next field hearing will focus on debt collection and will be held in Portland, Maine on July 10, 2013. The event, which is open to members of the public who RSVP, will feature remarks from CFPB Director Richard Cordray, as well as testimony from consumer groups and industry representatives. In the past, the CFPB has made policy announcements in connection with field hearings, and this time may announce, among other things, that it will begin accepting debt collection complaints through its public complaint database.
CFPB Finalizes Rule to Supervise Nonbanks That Pose Risks to Consumers
On June 26, the CFPB issued a final rule outlining new procedures for establishing supervisory authority over nonbanks that it has “reasonable cause” to believe pose “risks to consumers” with regard to consumer financial products or services. The rule outlines the procedures by which the CFPB will notify nonbanks that they are being considered for supervision and how they can respond to the CFPB’s notice. The CFPB’s determination regarding whether and when to issue a “Notice of Reasonable Cause” will be based on complaints collected by the Bureau or on information from other sources, including judicial opinions and administrative decisions. Once supervised, a nonbank is subject to the CFPB’s authority to require reports and conduct examinations, but can petition to end the supervision after two years and annually thereafter. The final rule takes effect 30 days after its publication in the Federal Register.
Bipartisan Group of Senators Propose Housing Finance Reform Bill
On June 25, Senators Mark Warner (D-VA) and Bob Corker (R-TN) announced the introduction of a new bill to reform the secondary mortgage market. The bill, known as the Housing Finance Reform and Taxpayer Protection Act, has bipartisan support from several other members of the Senate Banking Committee. The bill is designed to draw private capital back into the secondary mortgage market by providing a limited government guarantee to qualifying mortgage-backed securities (MBS). It would replace over a period of time Fannie Mae and Freddie Mac and in their stead establish the Federal Mortgage Insurance Corporation (FMIC), which would oversee a variety of secondary market utility functions, many of which are similar to those under development by the FHFA. Under the new system, the FMIC would insure MBS securitized by FMIC-approved issuers, provided that the MBS place in the first loss position a private investor with at least 10 cents in equity capital for every dollar of risk. FMIC-insured MBS also would be required to be collateralized by “eligible mortgages” – mortgages that, among other things, meet the CFPB’s ability to pay requirements, have a down payment of at least five percent, and are below the conforming loan limit. The FMIC also would have responsibility for approving bond guarantors to provide credit enhancement, servicers eligible to service loans in MBS pools, and private mortgage insurance companies to insure mortgages with a loan-to-value ratio above 80 percent. The bill also would establish an affordable housing fund subsidized through fees on securitized loans and would grant the FMIC authority to back the entire MBS market for a limited period of time in emergencies.
FTC Obtains Settlement Regarding Marketing of Mortgage Refinancing Services to Servicemembers; Announces First Settlements in "Cardholder Services" Robocalls Sweep
On June 27, the FTC announced that a mortgage broker will pay a $7.5 million civil penalty to resolve alleged violations of the agency’s Telemarketing Sales Rule (TSR) and Mortgage Acts and Practices – Advertising Rule (MAP Rule). The broker allegedly violated the TSR by calling more than 5.4 million telephone numbers listed on the National Do Not Call Registry to offer home loan refinancing services to current and former U.S. military consumers and by failing remove consumers from its call list upon demand. The broker also allegedly violated the MAP Rule by misleading consumers about its affiliation with the Department of Veterans Affairs and leading consumers to believe that it was offering low interest, fixed rate mortgages with no costs, when in reality it was offering adjustable rate mortgages with closing costs. In the same announcement, the FTC stated that it had obtained the first settlements in cases related to a 2012 sweep of telemarketers alleged to have placed automated calls to consumers to make deceptive “no-risk” offers to substantially reduce the consumers’ credit card interest rates in exchange for an upfront fee. According to the FTC, the telemarketers claimed to be calling from the consumers’ credit card company, or otherwise used the generic “Cardholder Services” title to suggest a relationship with a bank or credit card company.
Insurance Trades Challenge HUD Disparate Impact Rule
On June 26, two insurance associations filed a lawsuit challenging a rule promulgated earlier this year by HUD that authorizes so-called “disparate impact” or “effects test” claims under the Fair Housing Act. The rule provides support to private or governmental plaintiffs challenging housing or mortgage lending practices that have a “disparate impact” on protected classes of individuals, even if the practice is facially neutral and non-discriminatory and there is no evidence that the practice was motivated by a discriminatory intent. The rule also permits practices to be challenged based on claims that the practice improperly creates, increases, reinforces, or perpetuates segregated housing patterns. The insurance associations allege that the rule violates the Administrative Procedures Act because it contradicts the plain language of the relevant portion of the Fair Housing Act, which prohibits only intentional discrimination. The complaint also alleges that the rule, if applied to homeowners’ insurance, would require insurers “to consider characteristics such as race and ethnicity and to disregard legitimate risk-related factors,” thereby forcing insurers “to provide and price insurance in a manner that is wholly inconsistent with well-established principles of actuarial practice and applicable state insurance law.”
Freddie Mac Changes Low Activity Fee to No Activity Fee
On June 25, Freddie Mac announced in Bulletin 2013-12 that, based on industry feedback, it is changing its recently-announced “low activity fee” to a “no activity fee.” In May, Freddie Mac announced that, effective January 1, 2014, a seller/servicer would be charged a $7,500 fee if the seller/servicer did not either (i) sell mortgages to Freddie Mac with an aggregate unpaid principal balance greater than $5 million during the immediately preceding calendar year, or (ii) service, or act as a servicing agent for, mortgages for Freddie Mac with an aggregate unpaid principal balance of at least $25 million as of December 31 of the immediately preceding calendar year. Under the revised policy, seller/servicers can avoid the fee if they (i) sell to Freddie Mac during the immediately preceding 36 months, or (ii) service, or act as a servicing agent for, a mortgage portfolio for Freddie Mac as of December 31 of the immediately preceding calendar year. In addition, new seller/servicers are exempt from the fee until they have been approved by Freddie Mac for three years.
FTC Updates Guidance for Search Engines on Advertising
On June 25, the FTC announced updated guidance for the search engine industry on distinguishing paid search results from natural search results. The updated guidance was in the form of letters sent to seven general purpose search engines and 17 high traffic specialized search engines. The FTC noted that the principles of its original 2002 guidance still apply, but that changes in the search industry and requests from industry and consumer groups led the agency to issue the revised guidance. The guidance states that the failure to clearly and prominently distinguish advertising from natural search results, such as through visual cues, labels, or other techniques, could constitute a deceptive practice. The FTC also noted that the principles of the guidance should be applied to new means used by consumers to search for information, such as social media, mobile applications and voice assistants on mobile devices.
NIST Issues Mobile Device Security Guidelines
On June 25, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices. While the NIST document was developed for use by federal agencies, the device management principles may be applicable to other organizations facing similar security concerns. The guide focuses on smart phones and tablets and provides recommendations for selecting, implementing, and using centralized management technologies. It also explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The recommendations aim to address security issues related to both organization-provided and personally-owned (“bring your own device”) mobile devices.