InfoBytes
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fed further extends temporary exception to allow bank insiders access to PPP
On February 9, the Federal Reserve Board announced the second extension of a temporary exception from the requirements of section 22(h) of the Federal Reserve Act and corresponding provisions of Regulation O to allow bank directors and shareholders to apply for Small Business Administration (SBA) Paycheck Protection Program (PPP) loans from their affiliated banks. The extension is effective immediately and goes through March 31. The Fed reiterated that any PPP loans extended to bank directors and shareholders must be consistent with SBA’s PPP lending restrictions and done without favoritism from the bank. The original extension was announced on April 17 and already extended once (covered by InfoBytes here).
NYDFS details redlining issues from nonbank lenders
On February 4, NYDFS released a report on redlining in the Buffalo metropolitan area, concluding that there is a “distinct lack of lending by mortgage lenders, particularly non-depository lenders” to majority-minority populations and to minority homebuyers in general. Among other things, the report concluded that (i) while minorities in the Buffalo region comprise about 20 percent of the population, they receive less than 10 percent of total loans made in the region; (ii) nonbank lenders lent at a lower rate in majority-minority neighborhoods than depository institutions did; and (iii) several of the nonbank mortgage lenders did not have adequate fair lending compliance programs and do not make an effort to serve majority-minority neighborhoods. The report made numerous recommendations, including a recommendation to amend the New York Community Reinvestment Act (CRA) to cover nonbank mortgage lenders and a request that the OCC and the CFPB investigate federally regulated institutions serving the Buffalo area for violations of fair lending laws.
Additionally, NYDFS announced a settlement with a nonbank lender in connection with its lending to minorities and in majority-minority neighborhoods in Buffalo and Syracuse, New York. The settlement agreement found no evidence of intentional discrimination or fair lending law violations but rather weaknesses in the lender’s compliance program. The agreement outlines efforts the lender will take to “provide more meaningful access to residential loans and financing for minorities and individuals living in majority-minority neighborhoods” in Western and Central New York. Among other things, the lender will (i) develop a compliance management plan; (ii) increase marketing to majority-minority census tracts; (iii) create a $150,000 special financing program to increase loan originations for residents of majority-minority neighborhoods; and (iv) increase annual training.
11th Circuit: Future identity theft risk does not confer standing
On February 4, the U.S. Court of Appeals for the Eleventh Circuit affirmed dismissal of a class action complaint, which raised several claims against a restaurant following a data breach that exposed customers’ financial information, for the named plaintiff’s lack of standing. According to the opinion, a restaurant chain suffered a data breach when hackers gained access to customers’ credit and debit card information through an outside vendor’s remote connection tool. The restaurant chain provided notice to customers that their information “‘may’ have been accessed.” A consumer, who made two purchases during the data breach period, cancelled the credit cards he used and filed a class action two weeks after the announcement of the breach, alleging the company was negligent in failing to safeguard the credit card data, and violated the Florida Unfair and Deceptive Trade Practices Act (FUDTPA), among others. The district court dismissed the action for lack of standing, concluding that the consumer failed to identify a “single specific, concrete injury in fact that he or anyone else [] suffered as a result of any misuse of customer credit card information.”
On appeal, the 11th Circuit affirmed the district court’s holding. The appellate court rejected the consumer’s theories of standing, which were predicated on (i) a threatened “future injury” of identity theft, and (ii) the consumer’s alleged suffering of “mitigation injuries” (i.e., lost time, lost rewards points, and loss of access to accounts). The appellate court explained that in data breach cases like this, to have Article III standing the consumer must show a “substantial risk” of harm or that harm (e.g., identity theft) is “certainly impending.” The appellate court noted that despite the consumer still carrying “some risk of future harm involving identify theft,” that risk “is not substantial and is, at best, speculative” because the consumer “immediately cancelled his credit cards following disclosure [of the breach], effectively eliminating the risk of credit card fraud in the future.” Moreover, according to the appellate court, the consumer did not sufficiently allege an actual, present injury, through “inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.” The appellate court reasoned that “[t]o hold otherwise would allow an enterprising plaintiff to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”
OCC conditionally approves conversion of cryptocurrency trust company
On February 5, the OCC announced that it conditionally approved a Washington state-chartered trust company’s application to convert to a national trust bank. According to the OCC, the trust company—which will provide cryptocurrency custody services for clients in a fiduciary capacity—“is currently in the organizational phase of development and will have up to 18 months to meet the terms of its conditional approval before it converts to a national trust bank and begins to operate.” By receiving a national trust bank charter, the trust company will be allowed to provide nationwide services to customers through offices in Seattle, Boston, and New York, and over the internet. The trust company also intends to expand its custody services to support additional types of digital assets beyond cryptocurrencies, including certain tokens and stable coins, and plans to eventually offer, among other things, client-to-client trading and lending platforms. The OCC notes that approval of the conversion is subject to several conditions, including that the trust company “not engage in activities that would cause it to be a ‘bank’ as defined in section 2(c) of the Bank Holding Company Act.”
NYDFS issues Cybersecurity Insurance Risk Framework
On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S. regulator on this topic. In recognizing the growing risk and the challenges insurers face when trying to manage that risk, NYDFS advised insurers to “establish a formal strategy for measuring cyber insurance risk that is directed and approved by its board or other governing entity[.]” According to the guidance, the insurer’s strategy should be proportionate to the insurer’s risk and take into account “the insurer’s size, resources, geographic distribution, and other factors.” NYDFS also advised insurers to:
- Eliminate exposure to “silent” cyber insurance risk resulting from a cyber incident that an insurer is obligated to cover even though its policy “does not explicitly mention cyber incidents.”
- Evaluate systemic risk, including how catastrophic cyber events impact third-party vendors.
- Measure and assess potential cybersecurity gaps and vulnerabilities through a data-driven approach.
- Educate insureds and insurance producers on the value of cybersecurity measures, as well as the uses and limitations of cyber insurance.
- Recruit and hire employees with cybersecurity experience.
- Include a requirement in cyber insurance policies that victim-insureds notify law enforcement when a cyber attack occurs.
Wyoming executive order instructing cooperation with federal agencies to implement Emergency Rental Assistance Program
On February 8, the governor of Wyoming issued Executive Order 2021-02, which instructs the Wyoming Department of Family Services (WDFS) to prepare for the implementation of the federal Emergency Rental Assistance Program (ERAP.) Section (b) specifically charges WDFS to enter into “formal or informal” cooperative agreements with any necessary federal agency, including the Department of Housing and Urban Development, for “information-sharing, planning, and technical assistance” related to rolling out ERAP.
FDIC assesses bank $12.5 million BSA penalty
On January 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in December. During the month, the FDIC issued 10 orders consisting of “three consent orders, one termination of consent order, three section 19 orders, two removal and prohibition orders and two orders to pay civil money penalties.” Among the orders, the FDIC issued a $12.5 million civil money penalty order against a New York-based bank resolving allegations that the bank violated the Bank Secrecy Act (BSA) and its implementing regulations from April 2014 through September 2018, including failing to comply with the FDIC’s December 2015 consent order, which required the bank to strengthen its BSA/anti-money laundering oversight. The $12.5 million civil money penalty is reflective of the “the financial resources and good faith of the [bank], the gravity of the violations by the [bank], the history of previous violations by the [bank], and such other matters[.]”
Bank reaches $5.2 million settlement in ATM fee class action
On February 3, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement in the U.S. District Court for the Southern District of Ohio to resolve allegations that a national bank breached its account agreement by assessing balance inquiry fees in certain circumstances. Class members, comprised of current and former account holders, claimed that the bank assessed fees if account holders used an ATM outside of the bank’s network (non-bank ATM) to check their balances. The class also alleged that the bank assessed multiple fees if a balance inquiry was undertaken “during the same ATM visit as a cash withdrawal or other funds transfer.” As a result of the action, the bank modified its account disclosures to “better inform its customers that they could be charged a fee for a balance inquiry” at a non-bank ATM. The preliminary settlement seeks to certify class members who were assessed the contested fees from January 1, 2010 through October 31, 2018 and will not require class members to file claims to receive the settlement’s benefits. Under the preliminary settlement terms, the bank will pay $5.2 million into a common fund, and has agreed to analyze its historical transaction data to identify settlement class members and automatically credit settlement proceeds into their accounts via direct deposit.
DFPI requests comment on CCFPL regulations
On February 4, the California Department of Financial Protection and Innovation (DFPI) released an Invitation for Comments on a proposed rulemaking to implement the California Consumer Financial Protection Law (CCFPL). As previously covered by InfoBytes, in September 2020, the governor signed AB 1864, which enacts the CCFPL and established the DFPI name change from the Department of Business Oversight. The CCFPL authorizes DFPI to establish rules relating to the covered persons, service providers, and consumer financial products or services outlined in the law. The invitation for comments describes specific topics for stakeholder consideration when providing comments, but DFPI notes that commenters may provide feedback on “any potential area for rulemaking.” Highlights of the topics for comment include:
- Exemptions. Whether or not DFPI should clarify the scope of the entities exempt from CCFPL.
- Registration Requirements. What industries should be required to first register with DFPI and what rules should be established to facilitate industry oversight, including records and reporting requirements.
- Complaint Handling. What requirements DFPI should establish with regard to timely responses to consumer complaints and inquiries, including timelines and substance of response.
- Consumer UUDAAP. Description of acts or practices that stakeholders believe qualify as “unlawful, unfair, deceptive, or abusive” in consumer transactions, including suggested “requirements DFPI should adopt to prevent the act or practice.”
- Commercial UDAAP and Data Collection. Description of acts or practices that stakeholders believe qualify as unfair, deceptive, and abusive in the commercial space, and whether or not DFPI should define specific acts or practices as unfair, deceptive, or abusive. Additionally, whether or not DFPI should require the collection and reporting of commercial financing data.
- Disclosures. Whether or not DFPI should prescribe rules covering the features of consumer financing disclosures and if so, what the requirements should cover.
- California Credit Cost Limitations. Whether or not DFPI should clarify the applicability of state credit cost limitations, including rate and fee caps, to consumer financial products and services.
Comments must be submitted by March 8.
Acting director outlines future direction for CFPB
On February 4, CFPB acting Director Dave Uejio published a blog post conveying his “broad vision” for the Division of Research, Markets, and Regulations (RMR). Uejio emphasized that in order for the Bureau to respond to his previously stated policy priorities—(i) relief for consumers facing hardship and economic crisis due to the Covid-19 pandemic, and (ii) racial equity (covered by InfoBytes here)—the agency must sharpen its focus on the consumer experience. To achieve this goal, Uejio is authorizing the Bureau’s use of its 1022(c)(4) data collection authority and has asked RMR to examine “the impact of specific industry practices on consumers’ daily budget and overall bottom line in order to target effective policy interventions.” Among other things, RMR has been asked to take the following immediate steps:
- Prepare an analysis assessing housing insecurities such as mortgage foreclosures, mobile home repossessions, and landlord-tenant evictions.
- Prepare an analysis to address pressing consumer financial barriers to racial equity in order to “inform research and rulemaking priorities,” and “[e]xplicity include in policy proposals the racial equity impact of the policy intervention.”
- Resume data collections paused due to Covid-19, including HMDA quarterly reporting, CARD Act data collection, PACE data collection, and the previously completed 1071 data collection.
- Focus mortgage servicing rulemaking on Covid-19 responses “to avert, to the extent possible, a foreclosure crisis” when pandemic forbearances end in March and April.
- Explore options for preserving the status quo with respect to QM and debt collection rules. (QM rules covered by InfoBytes here and a Buckley Special Alert; debt collection rules covered by InfoBytes here and here.)
Uejio also noted that he “will be assessing regulatory actions taken by the previous leadership and adjusting as necessary and appropriate those not in line with [the Bureau's] consumer protection mission and mandate,” and that he wants to “preserve, where possible, maximum policy flexibility” for President Biden’s nominee once confirmed.