Thursday, September 21, 2017

New York urges financial institutions to protect consumer data following Equifax breach

By J. Preston Carter, J.D., LL.M.

The New York Department of Financial Services (DFS) has issued guidance urging New York State chartered and licensed financial institutions to take immediate action and consider precautions to protect consumers in light of the recent cybersecurity attack at Equifax. The information accessed by hackers includes names, Social Security numbers, birth dates, addresses, and, in some cases, drivers’ license numbers. The guidance supports the DFS’s first-in-the-nation cybersecurity regulation (23 NYCRR 500), which went into effect on March 1, 2017, and requires banks, insurance companies, and other financial services institutions regulated by the DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

"The scope and scale of this cyber attack is unprecedented and DFS is prepared to take all actions necessary to protect New York’s consumers and financial markets," DFS Superintendent Maria T. Vullo said. "Given the seriousness of this breach, the potential harm to consumers and our financial institutions, and in light of the fact that a number of financial institutions have arrangements with Equifax under which financial institutions provide consumer account and debt information to Equifax and receive similar information from Equifax, DFS is issuing this guidance to ensure that this incident receives the highest level of attention and vigilance at New York’s regulated institutions."
The DFS is asking all New York State chartered and licensed financial institutions to consider the following:
  • ensure that all information technology and information security patches have been installed;
  • ensure that appropriate ID theft and fraud prevention programs are in place;
  • confirm the validity of information contained in Equifax credit reports before relying on them;
  • if appropriate, consider a customer call center for customers to call in and inform the institution if their information has been hacked; and
  • if the institution provides consumer or commercial related account and debt information to Equifax, ensure that the terms of the arrangement receive a very high level of review and attention to determine any potential risk associated with the continued provision of data.
For more information about cybersecurity for financial institutions, subscribe to the Banking and Finance Law Daily.

Wednesday, September 20, 2017

CFPB issues first no-action letter addressing alternative data for lending decisions

By Andrew A. Turner, J.D.

The Consumer Financial Protection Bureau has issued it’s first-ever no-action letter to a company that uses alternative data in making credit and pricing decisions. The company agreed to a number of conditions designed to mitigate risks to consumers. This action comes as the Bureau continues to explore the use of alternative data to help make credit more accessible and affordable for consumers who are credit invisible or lack sufficient credit history.

Under the letter, the company, Upstart Network, Inc., must regularly report lending and compliance information to the CFPB to aid the CFPB’s understanding of the real-world impact of alternative data on lending decision-making. The no-action letter signifies that the Bureau currently has no intent to initiate supervisory or enforcement actions against Upstart.

Upstart is based in San Carlos, Calif., and provides an online lending platform for consumers to apply for personal loans, including credit card refinancing, student loans, and debt consolidation. The company evaluates consumer loan applications using traditional factors such as credit score and income, as well as incorporating non-traditional sources of information such as education and employment history.

The no-action letter applies to Upstart’s model for underwriting and pricing applicants as described in the company’s application materials. The no-action letter is specific to the facts and circumstances of Upstart and does not serve as an endorsement of the use of any particular variables or modeling techniques in credit underwriting.

Sharing of information. Under the terms of the letter, Upstart will share certain information with the CFPB regarding the loan applications it receives, how it decides which loans to approve, and how it will mitigate risk to consumers, as well as information on how its model expands access to credit for traditionally underserved populations. According to the CFPB, this information will further its understanding of how these types of practices impact access to credit generally and for traditionally underserved populations, as well as the application of compliance management systems for these emerging practices.

Alternative data. The CFPB is currently exploring ways that alternative data may be used to improve how companies make lending decisions. In February, the CFPB launched an inquiry into the use of alternative data sources in order to evaluate creditworthiness and potentially expand access to credit for consumers with limited credit history. The Bureau provides examples of alternative data, including: bill payments for mobile phones and rent; electronic transactions such as deposits and withdrawals; and other information that may be less closely tied to a person’s financial conduct. This inquiry also looked at the use of emerging technologies for underwriting, such as the expanded use of machine learning to potentially identify new insights and improve decisions in the credit process.

No-Action letter policy. The goal of the CFPB’s no-action letter program is to facilitate consumer-friendly innovations where regulatory uncertainty may exist for certain emerging products or services. Under the policy, companies can apply for a statement from Bureau staff on an innovative product or service that offers the potential for significant consumer benefit where there is substantial uncertainty about whether or how specific provisions of law would be applied. The CFPB’s Project Catalyst, an initiative designed to encourage consumer-friendly developments in the consumer financial marketplace, facilitates the no-action letter program as part of its work to support marketplace innovation. 

For more information about CFPB supervision of lending issues, subscribe to the Banking and Finance Law Daily.

Tuesday, September 19, 2017

Attorney, structured settlement buyers fend off most of CFPB suit

By Richard Roth, J.D.

Three related companies that bought structured settlements from consumers, three individuals who controlled the companies, and an associated attorney have convinced a U.S. district judge to dismiss four of the Consumer Financial Protection Bureau’s five claims that their business activities included unfair, deceptive, or abusive acts or practices. However, the judge rejected their argument that state-court litigation and a state regulatory scheme called for the federal court to decline jurisdiction and left standing one abusive acts or practices claim against the companies and controlling individuals (CFPB v. Access Funding, LLC).

The CFPB sued Access Funding, LLC, its holding company Access Holding, LLC, and the funding company’s successor Reliance Funding, LLC, (referred to as “Access”) claiming that the companies’ structured settlement factoring activities used unfair, deceptive, or abusive acts or practices to induce consumers to sell their structured settlements for lump-sum payments. The Bureau’s specific charges include that the companies misrepresented that advances paid to consumers obligated them to complete the sales and that the attorney was giving them independent professional advice.

The Bureau’s allegations about the attorney’s conduct perhaps are particularly disturbing. According to the judge’s summary of the charges, the attorney was held out as an independent professional advisor, while his services in fact were arranged and paid for by Access. Access would tell the attorney when to call each consumer and instruct him to place the call on a prepaid cell phone that Access arranged to have delivered to the consumer. The attorney’s independent professional advice consisted of little more than reading the contract to the consumer and then asking the consumer if he understood. The attorney then sent each consumer an affidavit for signature stating that the consumer had been advised to seek independent professional advice, had done so, and chose to proceed with the sale. Access paid Smith $200 for each transaction, the CFPB claims.

The Bureau’s complaint included three counts against Smith, one each alleging unfair practices, deceptive practices, and abusive practices. The fourth count charged that Access and the individuals who controlled the companies substantially assisted the attorney. The final count alleged that Access and the controlling individuals used abusive practices to coerce consumers to complete sales.

Jurisdiction. The judge’s first task was to decide whether he had jurisdiction over the Bureau’s suit. Access and the individuals raised three objections to the judge’s jurisdiction, but he rejected all three.

First, the judge said it was not appropriate for him to abstain from exercising jurisdiction due to the state of Maryland’s activities. Abstention is appropriate in a limited number of situations under Burford v. Sun Oil, 319 U.S. 315 (1943), the judge said, but those situations were not present.

The case did not present any difficult questions about Maryland state law; in fact, it presented no state law questions at all. Neither would the case interfere with Maryland’s efforts to “establish a coherent policy with respect to a matter of substantial public concern,” the judge said. The Bureau’s suit would not interfere with the state’s law on the sale of structured settlements. Enforcing the Consumer Financial Protection Act’s UDAAP provisions was consistent with state law.

Second, prior Maryland court decisions about the attorney’s activities and the fairness of the structured settlement sales did not bind the federal court under the issue preclusion doctrine, the judge said. The state court decisions were not binding on the CFPB because it was neither a party nor in privity with a party and therefore had never had a fair chance to be heard.

Third, because the Bureau was not in privity with a party to the state court litigation, its suit was not a prohibited collateral attack on the state court decisions, the judge decided.

Was attorney subject to the act? The Consumer Financial Protection Act does not apply to everyone. Rather, it applies to a “covered person.” The Act defines a “covered person” as one who “engages in offering or providing a consumer financial product or service,” and the attorney met that criterion, the judge determined.

Under the plain language of the CFPA, Smith was a covered person because he provided financial advisory services to consumers on individual financial matters. Whether to exchange structured settlement payments for a lump sum was an individual financial matter, and Smith advised consumers to complete the sales. The consumers’ affidavits swore that he acted as an independent professional advisor, the judge added.

Attorney exclusion. However, the CFPA excludes from coverage an attorney who was engaged in the practice of law, the judge continued. That shielded the attorney from the Bureau’s suit.

Smith’s activities, as described by the CFPB, were acting as an independent professional advisor. That included telling consumers about the legal implications of selling their structured settlements. The Bureau conceded that he was a licensed attorney. As a result, he was protected by the practice of law exclusion.

The Bureau’s claims about the perfunctory nature of Smith’s services were relevant to their quality, not their nature. “Bad legal advice is still legal advice,” the judge noted.

Neither of the two exceptions from the practice of law saved the CFPB’s case, the judge continued. The financial advice the attorney offered was at least incidental to his legal advice, and it was within the scope of an attorney-client relationship.

Since Smith was protected by the practicing attorney exclusion, none of his activities could have violated the CFPA, the judge concluded. That meant the companies and the controlling individuals would not have violated the CFPA by assisting him.

Advances and abusive practices. The Bureau’s remaining claim was that Access and the controlling individuals engaged in abusive practices by giving consumers advances against their buyouts and then using the resulting debt to coerce the consumers into completing the transactions. The Bureau’s complaint did adequately describe how that could have been abusive, the judge determined.

According to the companies, there was nothing abusive about expecting a consumer who changed his mind about the sale to repay the advance. However, the Bureau had alleged more than that, the judge observed. Consumers who changed their minds but could not repay advances were told they were obligated to complete the sale even if they believed it was not in their best interests. The CFPB also claimed that consumers did not understand the nature of the advances or that they actually were not obligated to complete the sales. If proved, that would be abusive, the judge said.

For more information about CFPB enforcement activities, subscribe to the Banking and Finance Law Daily.

Monday, September 18, 2017

Congress looks for hearings, documents on Equifax data breach

By Colleen M. Svelnis, J.D.

Democrats and Republicans from both the House of Representatives and the Senate are calling for investigations into the massive data breach revealed by Equifax, and proposed legislation is introduced into the Senate that intends to address issues arising from the breach. According to Equifax, the breach lasted from mid-May through July and compromised the personal information of up to 143 million Americans. The potential information accessed primarily included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, may have been accessed. Equifax discovered the unauthorized access on July 29, 2017.

A bipartisan group of 37 senators are calling on key federal agency leaders to investigate reports that senior Equifax officials sold over $1.5 million in the company’s securities within days of its announcement of a cybersecurity breach. The letter was addressed to Securities and Exchange Commission Chairman Jay Clayton, U.S. Attorney General Jeff Sessions, and Acting FTC Chairman Maureen Ohlhausen. “We need answers, and I’m calling on leaders of the SEC, FTC, DOJ, and Senate Banking Committee to do just that. If there’s sufficient evidence to warrant criminal prosecution, it’s necessary to hold these executives accountable to the fullest extent of the law. Cybercrimes and identity theft are frightening and we also need to do everything we can to prevent such breaches to keep families safe,” stated Sen. Heidi Heitkamp (D-ND), one of the Senators who signed the letter.

Risk for further breaches?
Senator Elizabeth Warren (D-Mass) has launched a broad investigation into the causes of the breach, the response by Equifax, and possible next steps to address problems at credit reporting agencies and better protect consumers. Warren sent a letter expressing her concerns to Equifax, as well as the other major credit reporting agencies TransUnion and Experian. Warren wrote that Equifax failed to provide information describing exactly how the breach happened, and exactly how Equifax security systems failed. She lamented that Equifax’s “initial efforts to provide customers information did nothing to clarify the situation and actually appeared to be efforts to hoodwink them into waiving important legal rights.” In her letters to TransUnion and Experian, Warren asked for answers to questions to provide consumers “with clarity on the danger of identity theft in the aftermath of the Equifax breach,” and the public with information “about the risk of further data breaches, and to address concerns about the credit ratings industry as a whole.”

Warren has also sent a letter to the Federal Trade Commission and the Consumer Financial Protection Bureau on oversight actions prior to and following the breach; and to the Government Accountability Office to request a thorough investigation into consumer data security. In her letter to the FTC and CFPB, Warren requested details regarding when the agencies were informed of the breach, whether the credit reporting agencies were obligated “to report any information to your agencies, either prior to the public notice or after the public notice was sent,” what steps were taken to protect consumers, the number of inquiries of complaints the agencies received related to the breach, the investigative authority each agency has, and whether each agency has regulatory authority over credit reporting agencies.

Warren expressed concern in her letter to the GAO about the actions of credit reporting agencies, pointing out that Equifax obtains and uses “massive troves of data on millions of consumers, but consumers have little to no power over how this data is collected, how it is used, or how it is kept safe.” Warren requested that the GAO investigate the oversight of credit reporting agencies and provide an analysis of potential impact on major federal programs.

Wants hearing scheduled. Heitkamp and nine other Democratic senators on the Senate Banking, Housing and Urban Affairs Committee also sent a letter to Committee Chairman Mike Crapo (R-Idaho) requesting that the Banking Committee hold immediate hearings on the Equifax breach. The letter described the “additional issues” that have come to light that “further underscore the need for the committee’s attention,” including Equifax Chief Financial Officer selling nearly $2 million of stock five days after discovering the data breach, and the extreme delay between when Equifax discovered the breach, on July 29, and its public announcement of the breach, on September 7. The letter also mentioned the initial requirement that possible victims of the breach must waive their right to participate in class-action lawsuits in order to receive access to Equifax’s credit monitoring product, which has since been rescinded.

According to the letter, the magnitude of the breach “merits a thorough investigation and comprehensive review” by the committee. “We should accept nothing less than a full and transparent explanation of what went wrong, who is responsible, how to fix it, and how to prevent such catastrophes in the future.”

Documents requested by committee members. House Oversight and Government Reform Committee Chairman Trey Gowdy (R-SC) and House Science, Space, and Technology Committee Chairman Lamar Smith (R-Texas) have sent a letter to Richard Smith, Chairman and Chief Executive Officer of Equifax Inc., requesting documents and a briefing related to the recent data breach, which the letter states likely affected nearly half of the American population. The letter also noted that the breach “potentially exposes federal employees’ personally identifiable information” because Equifax helps conduct background checks and security clearances for government workers. The committee chairs requested a briefing by Equifax by September 28 in order to “better understand the ramifications of the breach for consumers and the federal government, the delay by Equifax in publicizing the breach, and any mitigating steps being taken by Equifax.” 

The letter also requested the following documents:

1) All documents and communications referring or relating to the breach(s) of personally identifiable information announced on Sept. 7, 2017, including, but not limited to, documents and communications to and from members of Equifax's corporate leadership.

2) All documents and communications referring or relating to the NIST Framework or other cybersecurity standards used by Equifax.

3) All documents and communications regarding federal contracts for credit and identity verification services and information technology security plans related to these contracts for the last three fiscal years.

4) All documents and communications referring or relating to the website “equifaxsecurity2017.com.”

5) All documents and communications referring or relating to Equifax’s decision to publicize the data breach, the timing thereof, or any intervening actions the company took in response to or relating to the data breach between July 29, 2017, and Sept. 7, 2017.

For more information about data breaches, subscribe to the Banking and Finance Law Daily.

Thursday, September 14, 2017

Equifax removes arbitration clause from identity theft protection services

By Katalina M. Bianco, J.D.


Equifax has removed forced arbitration clauses from TrustedID, the company’s free credit monitoring and identity protection services offered to customers. The removal of the clauses comes in the wake of a data security breach that spurred heated response from legislators and consumer groups. Equifax announced on Sept. 7, 2017, that the breach occurred from mid-May through July and put millions of Americans at risk for identity theft.

Senator Sherrod Brown (D-Ohio), Ranking Member of the Senate Committee on Banking, Housing, and Urban Affairs, on September 8 had urged Equifax to remove the clauses. He responded to the removal of the clause by stating that while it is "a step in the right direction," Equifax’s corporate and affiliated websites still contain forced arbitration language and the company’s overall policy on arbitration "remains unclear." Equifax needs to clarify the terms of use for credit monitoring and identity theft services provided to data breach victims as well as clarifying their arbitration clause, the senator said.

"The fact that it took a public shaming to force Equifax to drop forced arbitration from TrustedID, is further proof why the Consumer Financial Protection Bureau’s rule is needed," Brown said. The CFPB’s final arbitration rule bans mandatory predispute arbitration clauses in consumer financial product contracts if those clauses prevent class actions.

Letter to Equifax. Sens. Catherine Cortez Masto (D-Nev) and Al Franken (D-Minn) and 18 of their colleagues, including Brown, on September 11 sent a letter to Equifax CEO Richard Smith "pressuring" him to "drop support for and use of forced arbitration agreements." The lawmakers also requested that Equifax explain its stance on the CFPB’s arbitration rule and the Republican-sponsored S.J. Res. 47, a resolution to repeal the rule. They noted in their letter that the company "presumably" is lobbying the Senate to reverse the rule and limit its liability through the resolution.

Hatch and Wyden requests. Senate Finance Committee Chairman Orrin Hatch (R-Utah) and Ranking Member Ron Wyden (D-Ore) have requested that Equifax respond to the data breach reports. In a letter to Smith, the legislators asked for details on the breach and information on what Equifax is doing to mitigate its effects on consumers.

SECURE Act reintroduced. Senator Brian Schatz (D-Haw) has reintroduced the Stop Errors in Credit Use and Reporting (SECURE) Act, legislation intended to make it easier for consumers to catch and resolve identity theft, fraud, and errors in their credit reports. In addition to Sen. Schatz, the legislation is supported by Sens. Elizabeth Warren (D-Mass), Claire McCaskill (D-Mo), Richard Blumenthal (D-Conn), Bernie Sanders (I-Vt), and Jeff Merkley (D-Ore). The reintroduction follows Schatz’s calls for Equifax to do more to assist consumers affected by the breach.


For more information about the Equifax data breach and forced arbitration, subscribe to the Banking and Finance Law Daily.

CFPB claims $14 million consumer relief in first half of 2017

By Katalina M. Bianco, J.D.


The Consumer Financial Protection Bureau’s newest issue of Supervisory Highlights reports that the Bureau recovered $14 million in restitution for consumers in the first six months of 2017. More than 100,000 consumers benefitted, according to the Bureau. Separate supervisory actions resulted in an additional $2.9 million in consumer remediation or civil penalties, the CFPB said.

The Summer 2017 Supervisory Highlights issue points out a number of supervision focuses. The CFPB draws attention to examiner findings that consumers were:
  • given incorrect information about when bank checking account service fees would be waived or what transactions were covered by overdraft protection;
  • not told about the cost of making credit card account payments by telephone as opposed to less-expensive payment methods;
  • subjected to car repossessions that should have been cancelled;
  • victimized by improper debt collection practices related to short-term, small-dollar loans, including collectors attempting to collect debts owed by a different person or contacting third parties about consumers’ debts;
  • given incorrect information about short-term, small-dollar credit application or approval processes;
  • charged mortgage loan application fees or closing fees that are prohibited by the Bureau’s mortgage disclosure rules; and
  • denied the opportunity to take full advantage of the mortgage loss mitigation options for which they might have qualified.
Frozen accounts. The CFPB also criticizes how at least one bank responded to suspected suspicious activity in consumer accounts. According to the Bureau, "one or more institutions engaged in unfair acts or practices by placing hard holds on customer accounts to stop all activity when the institution(s) observed suspicious activity." These hard holds were unnecessarily harsh, depriving consumers of access to their funds for as long as two weeks and causing payments to be dishonored.

The problem was aggravated by poor communication with the affected consumers about the hard holds, the Bureau adds.

For more information about Supervisory Highlights, subscribe to the Banking and Finance Law Daily.

Tuesday, September 12, 2017

ICBA President says Wells Fargo scandal illuminates ‘double standard’ for regulation, enforcement

By Thomas G. Wolfe, J.D.

In a September 2017 release, Independent Community Bankers of America President and CEO Camden R. Fine asserts that “federal regulators have taken no meaningful action against the board and senior managers who were supposedly responsible for the ethical, moral, and legal conduct” of Wells Fargo. According to Fine, “no community bank would have been given this kind of regulatory deference. There is not supposed to be a double standard for regulation and enforcement in this nation, but the wrongdoings of Wells Fargo show us that apparently one exists for too-big-to-fail banks.” As observed by the ICBA’s release, Fine’s remarks come in the wake of a Wells Fargo report indicating that there are many more “fake customer bank and credit card accounts than previously realized.”

Recent report. The ICBA president’s reaction is based, at least in part, on a recent Wells Fargo report about the completion of a “third-party review” of Wells Fargo retail banking accounts “dating back to the beginning of 2009.” An Aug. 31, 2017, release by Wells Fargo summarizing the report states that the third-party review included a “data analysis methodology that errs on the side of customers.”

Originally, approximately “2.1 million potentially unauthorized accounts” were identified in the Wells Fargo scandal. Now that the latest report uses a different methodology and includes retail banking accounts opened at Wells Fargo from January 2009 through September 2016, “a new total of approximately 3.5 million potentially unauthorized consumer and small business accounts” has been identified.

The ICBA points out that the Wells Fargo report follows “news last month” that Wells Fargo allegedly “was caught charging 800,000 people for auto insurance they did not want or need.”

Remove Wells Fargo executives. Fine states that federal regulators “haven’t even given them [Wells Fargo] a good slap on the wrist.” According to Fine, “Had this been a community bank board and senior managers, not only would they all have been removed from the bank months ago, but they would also be facing prosecution.” Fine also notes that the Wells Fargo scandal has produced the side effect of “tarring the good reputations of thousands of community banks and bankers.”

From Fine’s perspective, the Wells Fargo board “should be replaced, and so should its senior management. End of story.” Similarly, in August 2017, based on the cumulative evidence in the Wells Fargo scandal, Senator Elizabeth Warren (D-Mass) renewed her call for the Federal Reserve Board to remove all Wells Fargo directors who served on the board between May 2011 and July 2015 (see Banking and Finance Law Daily, Aug. 17, 2017).

For more information about regulatory and enforcement actions affecting community banks, subscribe to the Banking and Finance Law Daily.

Thursday, September 7, 2017

Yellen credits Wall Street reforms for stronger, more resilient economy

By Colleen M. Svelnis, J.D.

Ten years after the start of the financial crisis, Federal Reserve Board Chair Janet Yellen discussed the financial crisis and reforms put into place, both in the United States and around the world, to improve financial regulation and help prevent any similar occurrence in the future. The speech, “Financial Stability a Decade after the Onset of the Crisis,” was delivered at a symposium sponsored by the Kansas City Fed. Yellen declared that because of “the reforms that strengthened our financial system, and with support from monetary and other policies, credit is available on good terms, and lending has advanced broadly in line with economic activity in recent years, contributing to today’s strong economy.”

According to Yellen, research shows that the reforms put in place “have substantially boosted resilience without unduly limiting credit availability or economic growth.” However, she acknowledged that there is limited research, many reforms have been implemented recently, and the markets continue to adjust.

In Yellen's view, today, 10 years after the start of the financial crisis:
  • banks are safer;
  • the risk of runs owing to maturity transformation is reduced;
  • efforts to enhance the resolvability of systemic firms have promoted market discipline and reduced the problem of too-big-to-fail; and
  • a system is in place to more effectively monitor and address risks that arise outside the regulatory perimeter.
Yellen discussed the U.S. and global response to the financial crisis. The United States responded by laying out steps to increase the loss-absorbing capacity of banks, regulations to limit both maturity transformation in short-term funding markets and liquidity mismatches within banks, and new authorities to facilitate the resolution of large financial institutions and to subject systemically important firms to more stringent prudential regulation, stated Yellen. Globally, many foreign governments undertook aggressive measures to support the functioning of credit markets, including large-scale capital injections into banks, expansions of deposit insurance programs, and guarantees of some forms of bank debt, Yellen said.

Yellen cited the following reforms as necessary to increasing the loss-absorbing capacity of global banks.
  1. Quantity and quality of capital required relative to risk-weighted assets have been increased substantially.
  2. A simple leverage ratio provides a backstop, reflecting the lesson imparted by past crises that risk weights are imperfect and a minimum amount of equity capital should fund a firm’s total assets.
  3. Both the risk-weighted and simple leverage requirements are higher for the largest, most systemic firms, which lowers the risk of distress at such firms and encourages them to limit activities that could threaten financial stability.
  4. The largest U.S. banks participate in the annual Comprehensive Capital Analysis and Review—the stress tests.
Yellen also discussed regulatory reforms outside the regulated banking sector, such as those affecting the shadow banking sector, along with Congress’s creation of the Financial Stability Oversight Council.

Industry associations respond. The American Bankers Association responded with a statement by Rob Nichols, ABA president and CEO. Nichols stated that the ABA agrees “that the financial system is more resilient today and banks are safer thanks to post-crisis changes made by policymakers and bankers.” However, the statement welcomed the “acknowledgment that not all those rules are working as intended.” Nichols stated, that in order “to accelerate economic growth and make sure Americans get access to the credit they deserve, we urge that those fixes be made sooner rather than later.”

Public Citizen released a statement by Bartlett Naylor, a Financial Policy Advocate in Public Citizen’s Congress Watch Division. Naylor stated that Yellen “understands that human damage from financial sector recklessness caused the most severe financial panic and recession since the Great Depression. New reforms, from greater corporate capital requirements to enhanced supervision through the Financial Stability Oversight Council, contribute to a safer system. We can’t return to the days when Goldman Sachs and JP Morgan’s profit opportunities determine financial policy.”

For more information about financial reforms, subscribe to the Banking and Finance Law Daily.

Wednesday, September 6, 2017

Tax prep service settles FTC charges of privacy and security violations

By J. Preston Carter, J.D., LL.M.

TaxSlayer, LLC, a Georgia-based online tax preparation service agreed to settle Federal Trade Commission charges that it violated the Gramm-Leach-Bliley Act financial privacy and security rules. The FTC alleged that TaxSlayer violated the Safeguards Rule (16 CFR Part 314), which requires financial institutions to protect the security, confidentiality, and integrity of customer information, and the Privacy Rule (12 CFR Part 1016), which requires financial institutions to deliver privacy notices to customers.

In its complaint, the FTC alleged that hackers gained access to nearly 9,000 TaxSlayer accounts between October 2015 and December 2015 and used the information they accessed to engage in tax identity theft, which allowed them to obtain tax refunds by filing fraudulent tax returns, according to the complaint.

Safeguards Rule violations. According to the FTC, TaxSlayer failed to: develop a written comprehensive security program until November 2015; conduct a risk assessment to identify reasonably foreseeable internal and external risks to security; implement information security safeguards that would help prevent a cyber attack; implement adequate risk-based authentication measures; and require consumers to choose strong passwords.

Privacy Rule violations. The FTC also alleged that the company violated the Privacy Rule by failing to provide its customers with a clear and conspicuous initial privacy notice and to deliver it in a way that ensured that customers received it.

Settlement. As part of the settlement with the FTC, the company is prohibited from violating the Privacy Rule and the Safeguards Rule for 20 years. Consistent with several past cases involving violations of Gramm-Leach-Bliley Act Rules, the company is required to obtain biennial third-party assessments of its compliance with these rules for 10 years.

"Tax preparation services are responsible for very sensitive information, so it’s critical they implement appropriate safeguards to protect that information," said Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection. "TaxSlayer didn’t have an adequate risk assessment plan, and hackers took over user accounts and committed identity theft."

Pahl added that the case "also demonstrates the importance of password protection. Hackers took advantage of people who re-used passwords from other sites, and the attack ended when TaxSlayer eventually required people to use multi-factor authentication."

For more information about financial privacy and cybersecurity, subscribe to the Banking and Finance Law Daily.

Tuesday, September 5, 2017

Debt collector’s sue-and-dismiss tactic could violate debt collection law

By Richard A. Roth, J.D.

A debt collecting law firm’s alleged practice of filing collection suits and then delaying or dismissing them if the consumer appeared for trial could violate the Fair Debt Collection Practices Act, the U.S. Court of Appeals for the Eighth Circuit has decided. The appellate court reinstated the consumer’s FDCPA suit against the Gurstel Chargo law firm and its client in an opinion that, point by point, rejected multiple legal decisions by a U.S. district judge (Demarais v. Gurstel Chargo, P.A.).

State court collection suit. Gurstel Chargo sued the consumer on behalf of a client, RAzOR Capital, which claimed to own a charged-off credit card account the consumer originally owed to Citibank. The suit demanded more than $25,000, including $5,000 in interest the consumer alleged was added after Citibank charged off the account.

The consumer never answered the state court complaint; however, Gurstel Chargo did not ask for a default judgment. Instead, the firm asked the judge to set a trial date. According to the consumer, the firm routinely did this because if a consumer did not appear for trial the firm could ask for a judgment on that basis and avoid onerous requirements that Minnesota law places on default judgments in consumer debt collection suits.

To the law firm’s probable surprise, the consumer and his attorney appeared on the scheduled trial date. Gurstel Chargo had no witnesses or evidence available—which the consumer alleged also was the firm’s normal practice—and obtained a continuance.

On the new trial date, Gurstel Chargo again was unprepared to proceed. The firm then dismissed the suit with prejudice.

Nearly three weeks after the case was dismissed, Gurstel Chargo sent discovery and admission requests to the consumer’s attorney. The cover letter noted it was a communication from a debt collector and an attempt to collect a debt, and it demanded a response within 30 days. Notably, before the continued trial date, the consumer’s attorney had served discovery requests on RAzOR that essentially were ignored.

FDCPA suit. Four months after the collection suit was dismissed, the consumer sued both Gurstel Chargo and RAzOR in federal court for FDCPA claimed violations. The district judge dismissed the suit after deciding that any claim for violations based on the second trial date were barred by the statute of limitations, the firm had engaged only in “permissible litigation tactics,” and the tardy discovery cover letter was not likely to deceive either the consumer or his attorney.

Standing to sue. As has become common in suits under consumer financial protection laws, the appellate court began its analysis by considering whether the consumer had described a concrete injury in fact that gave him standing to sue. The court decided that, under Spokeo, Inc. v. Robins, he had standing to assert all of his FDCPA claims.

To begin with, while the letter that accompanied the tardy discovery items did not cause any tangible harm, it nevertheless caused an injury in fact, the court said. Congress wanted the FDCPA to address the intangible harm of being subjected to baseless legal claims, and that harm was comparable to a common law tort of unjustifiable litigation. The letter, with its express compliance deadline and debt-collection language, easily could cause mental distress or other harms.

It was irrelevant that the letter was sent to the consumer’s attorney rather than to the consumer, the court added. It was a matter of routine that the demands would come to the consumer’s attention.

The events of the first trial date, when Gurstel Chargo obtained a continuance and new trial date, clearly described an injury in fact, the court continued. The consumer hired an attorney, served discovery requests, and prepared for and appeared for the trial. These steps would have cost the consumer both time and money, and could have caused mental distress as well.

Statute of limitations. Although only four months passed between the first trial date and the date the consumer filed his suit, the district court judge concluded the FDCPA’s one-year statute of limitations had run. This was because the judge believed that communications at the time of the first trial date simply related back to the original complaint and did not constitute a new FDCPA violation that would have a new limitation period.

That was wrong, the appellate court said. It was irrelevant that a violation might restate an earlier violation. Each violation would be an individual violation with a separate statute of limitations.

Continuance request. The consumer asserted that Gurstel Chargo’s request for a continuance at the first trial date was a misrepresentation under the FDCPA because the firm was threatening an action it did not intend to take—trying the case. The district judge said the request constituted “permissible litigation tactics and not actionable false assertions.”

Wrong again, the appellate court said. The consumer had plausibly claimed that the firm threatened to go to trial, on both trial dates, yet never intended to do so. Not only an unsophisticated consumer but a competent attorney would believe that Gurstel Chargo intended to go to trial when it asked for a continuance for that very purpose.

Gurstel Chargo could have made a threat with making an affirmative representation, the court continued. What mattered was what the consumer would have been likely to believe.

The court also accepted that the consumer had alleged facts showing the firm never intended to go to trial. He claimed that continuances and dismissals were Gurstel Chargo’s regular tactic, going so far as to provide the docket numbers of comparable court cases. The firm’s actions in his own case—failing to respond to his discovery requests and appearing unprepared at the second trial date—were additional relevant facts.

An ordinarily “permissible litigation tactic” could violate the FDCPA, the court added. Attorneys in litigation must comply with the act.

Tardy discovery request. According to the consumer, the discovery requests that Gurstel Chargo sent after the collection suit was dismissed with prejudice amounted to an attempt to collect a debt that was not owed. That was a violation of the FDCPA ban on unfair or unconscionable collection practices, he claimed.

The district judge said there could be no violation because the consumer’s claims “do not show that anyone was likely to be misled, deceived, or otherwise duped . . .”

Wrong yet again, the appellate court pronounced. Seizing on the judge’s language, the appellate court emphasized that “There is no ‘misled, deceived, or duped’ requirement” in the plain language of the FDCPA ban on unfair or unconscionable debt collection practices. Misleading representations are explicitly prohibited by a dedicated section of the FDCPA, the court pointed out, so there was no reason to infer an implicit prohibition in the ban on unfair practices.

The court’s summary of the district judge’s errors merits consideration. In the court’s own words:
The attempted collection of debts not owed harms consumers not just by inducing the payment of false claims. It also forces consumers to spend time and money addressing the false claims—even if they know they do not actually owe the claimed debt. Being subjected to attempts to collect debts one knows he or she does not owe can disrupt marriages, impair performance on the job, and cause public embarrassment—the very harms motivating Congress to pass the FDCPA. 
For more information about debt collection practices, subscribe to the Banking and Finance Law Daily.

Friday, September 1, 2017

CFPB publishes new TILA/RESPA mortgage disclosure guidance

By Katalina M. Bianco, J.D.
 
The Consumer Financial Protection Bureau has published support material intended to assist stakeholders in implementing the Bureau's July 2017 final rule that updated the "Know Before You Owe" mortgage disclosure rule. The final rule modified the mortgage disclosure requirements under the Real Estate Settlement Procedures Act and Truth in Lending Act that are implemented in Reg. Z.
 
The support material, entitled "2017 TILA-RESPA Rule: Detailed Summary of Changes and Clarifications," provides a comprehensive summary of the 2017 TILA-RESPA rule, as well as examples of how to apply the final rule’s provisions.
 
Topics covered by the support material include:
 
  • effective date and mandatory compliance date, including an optional compliance period;
  • application of the mortgage disclosure requirements to cooperative units and trusts;
  • treatment of tolerances and good faith requirements;
  • shopping for settlement services;
  • principal curtailments;
  • total of payments disclosure;
  • simultaneous subordinate lien loans;
  • construction loans;
  • the use of positive and negative numbers for certain disclosures;
  • payoff disclosures; and
  • separation of consumer and seller information on closing disclosures.
For more information about the TILA/RESPA final rule and Bureau guidance, subscribe to the Banking and Finance Law Daily.

Bureau amends HMDA rule to ease reporting duties for small lenders

By Katalina M. Bianco, J.D.


The Consumer Financial Protection Bureau has adopted a final rule amending its October 2015 Home Mortgage Disclosure Act final rule. The 2015 rule  was intended to reduce the number of lenders required to file reports but at the same time require more data to be collected and reported. The new 2017 final rule makes technical corrections, clarifications, and changes to certain requirements adopted by the 2015 HMDA rule and generally becomes effective Jan. 1, 2018.


HMDA proposals. The final rule is based on two earlier proposals the CFPB issued in 2017. An April 2017 proposal addressed technical errors, clarified some key terms, and was intended to ease the burden of certain reporting requirements. A second proposal, issued in July 2017, sought to offer community banks and credit unions some regulatory relief by proposing a temporary 400-percent increase in the HMDA reporting threshold for home equity lines of credit.

Threshold changes. The 2017 HMDA final rule temporarily increases the threshold for collecting and reporting data with respect to open-end lines of credit from 100 to 500 for the 2018 and 2019 calendar years. Financial institutions originating fewer than 500 open-end lines of credit in either of the two preceding years will not be required to begin collecting such data until Jan. 1, 2020.

When proposed, the Bureau indicated that it was considering making the threshold increase permanent after 2020. However, it chose not to do so in the final rule. The CFPB noted it was "vitally important to begin the collection and reporting of data on the growing market for open-end lines of credit and that the increase in open-end origination volume since 2013 further demonstrates the importance of these data." The CFPB did add that the two-year period will allow time for it to decide, through an additional rulemaking, whether any adjustments to the open-end threshold are needed; and that it "intends to make that determination in sufficient time so that if institutions are covered under any permanent threshold set by the Bureau but not under the temporary threshold, those institutions will be able to resume and complete their implementation processes."

Excluded transactions. The 2017 HMDA final rule also creates a reporting exception for certain transactions related New York Consolidation, Extension and Modification Agreements (New York CEMA) transactions. Covered financial institutions generally will not be required to report any preliminary transaction where a consumer receives additional funds prior to consolidation into a New York CEMA transaction. However, financial institutions will continue to be required to report the New York CEMA transaction.

In addition, the rule clarifies two categories of transactions that are excluded as temporary financing and not reported in HMDA data: (1) a construction-only loan or line of credit that is extended to a person exclusively to construct a dwelling for sale; and (2) a loan or line of credit designed to be replaced by separate permanent financing extended by any financial institution to the same borrower at a later time.

Key terms clarified. The 2017 HMDA final rule clarifies certain key terms defined in the 2015 HMDA rule, including "multifamily dwelling," "automated underwriting system," and the meaning of income for the purpose of reporting the gross annual income relied on in making the credit decision or processing the application if a credit decision was not made.

Race and ethnicity information. Finally, the 2017 HMDA final rule clarifies three aspects of collecting and reporting race and ethnicity information. First, it states that an applicant is not required to select an aggregate race or ethnicity category as a precondition to selecting one of the race or ethnicity subcategories. Second, it clarifies that an applicant may provide a particular other ethnicity or race in the free-form field, whether or not the applicant selects the "Other" ethnicity or race subcategory. Third, it clarifies how a financial institution should report ethnicity if an applicant selects more than five ethnicity categories and subcategories combined.


Filing Instructions Guides. To assist financial institutions, the CFPB has also updated the Filing Instructions Guides for data collected in 2017 and 2018.

FFIEC guidelines. The Federal Financial Institutions Examination Council also has provided HMDA guidance, the HMDA Examiner Transaction Testing Guidelines, for all financial institutions required to report HMDA data. Beginning in 2019, examiners will use the guidelines when assessing the accuracy of the HMDA data that financial institutions record and report. The guidelines will apply to data collected beginning in 2018.

For more information about HMDA and the final rule, subscribe to the Banking and Finance Law Daily.