InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Updated Washington State Privacy Act re-introduced
On January 5, the Washington State Privacy Act, SB 5062, (referred to as “2021 WPA” or “bill”) was re-introduced for the 2021-22 state legislative session with some notable changes from the 2020 version. (InfoBytes coverage of the 2020 Washington Privacy Act, SB 6281, available here.) Highlights of the 2021 WPA include:
- Applicability. The bill will apply to legal entities that conduct business or produce products or services that are targeted to Washington consumers that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 25 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers (the 2020 version included a 50 percent gross revenue threshold). State and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records continue to be exempt from coverage. Additionally, the bill adds nonprofit corporations, air carriers, and institutions of higher education to the exemption list.
- Consumer rights. Consumers will be able to exercise the following rights concerning their personal data: access; correction; deletion; access in a portable format; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
- Controller responsibilities. Controllers required to comply with the bill will be responsible for (i) transparency in a privacy notice; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data. Notably, the 2021 WPA removes the requirement from the 2020 legislation that controllers conduct additional assessments each time a processing change occurs that materially increases the risk to consumers.
- State attorney general. The bill explicitly precludes a private right of action but permits the state attorney general to bring actions and impose penalties of no more than $7,500 per violation. The bill removes the 2020 requirement that the AG submit a report evaluating the liability and enforcement provisions by 2022, but requires the AG to work in concert with the state’s office of privacy and data protection on a technology review report to be submitted to the governor by December 2022.
- Right to cure. The bill includes a new 30-day right to cure any alleged violation after a warning letter is sent by the AG identifying the specific provisions believed to have been violated.
- Preemption. Similar to the 2020 WPA, the bill would preempt local laws, ordinances, and regulations, but includes an exception for any laws, ordinances or regulations “regarding the processing of personal data by controllers or processors” that were adopted prior to July 1, 2020.
FinCEN reaches $390 million settlement with bank for BSA violations
On January 15, the Financial Crimes Enforcement Network (FinCEN) announced a $390 million civil money penalty against a national bank for allegedly violating the Bank Secrecy Act and its implementing regulations. The settlement resolves an investigation into the bank’s alleged failure to maintain an effective anti-money laundering (AML) program. According to FinCEN, the bank’s check-cashing business unit failed to file thousands of suspicious activity reports (SARs) and currency transaction reports (CTR). As a result, suspicious transactions were not reported in a timely and accurate manner. FinCen noted that while the bank was allegedly aware of several compliance and money laundering risks associated with its check-cashing business unit, its process for investigating suspicious transactions was insufficient. The bank also allegedly failed to file SARs even though it had actual knowledge of criminal charges against specific customers and continued to process transactions for these customers’ businesses. In determining the penalty, FinCEN considered the bank’s significant remediation efforts—including taking remedial measures related to its SARs and CTR filing systems and enhancing its AML program over the past several years—as well as its cooperation with the agency’s investigation.
OFAC sanctions Cuban Ministry of the Interior for human rights abuse
On January 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against the Cuban Ministry of Interior and the Minister of Interior for his alleged connection to serious human rights abuses. According to OFAC, the sanctions are taken pursuant to Executive Order 13818, which implements the Global Magnitsky Human Rights Accountability Act and “targets perpetrators of serious human rights abuse and corruption.” As a result of the sanctions, all of the individual’s property and interests in property that are blocked pursuant to the Cuban Assets Control Regulations continue to be blocked, as well as any of the individual’s property and interests in property in the United States or possessed or controlled by U.S. persons. Additionally, OFAC regulations prohibit U.S. persons from participating in transactions with the individual unless exempt or otherwise authorized by an OFAC general or specific license.
OCC urges court to uphold valid-when-made rule
On January 14, the OCC moved for summary judgment in an action filed by the California, Illinois, and New York attorneys general (collectively, “states”) challenging the OCC’s valid-when-made rule, arguing that the challenge is without merit and that the agency “reasonably interprets the ‘gap’ in [12 U.S.C. § 85] concerning what happens when a national bank sells, assigns, or transfers a loan.” As previously covered by InfoBytes, the OCC’s final rule was designed to effectively reverse the Second Circuit’s 2015 Madden v. Midland Funding decision and provides that “[i]nterest on a loan that is permissible under [12 U.S.C. § 85 for national bank or 12 U.S.C. § 1463(g)(1) for federal thrifts] shall not be affected by the sale, assignment, or other transfer of the loan.” The states challenged the rule, arguing that it is “contrary to the plain language” of section 85 (and section 1463(g)(1)) and “contravenes the judgment of Congress,” which declined to extend preemption to non-banks. Moreover, the states contend that the OCC “failed to give meaningful consideration” to the commentary received regarding the rule, essentially enabling “‘rent-a-bank’ schemes.”
In response, the OCC argued that not only does the final rule reasonably interpret the “gap” in section 85, it is consistent with section 85’s “purpose of facilitating national banks’ ability to operate their nationwide lending programs.” Moreover, the agency asserts that 12 U.S.C. § 25b’s preemption standards do not apply to the final rule, because, among other things, the OCC “has not concluded that a state consumer financial law is being preempted.” The final rule “addresses only the ‘substantive [ ] meaning’ of § 85” and Congress “expressly exempted OCC’s interpretations of § 85 from § 25b’s requirements.” Lastly, the OCC argued that it made an “informed and reasoned decision,” including addressing issues raised during the public comment period. Thus, the court should uphold the final rule and affirm summary judgment for the agency.
CFPB finalizes Regulation Z HPML escrow exemptions
On January 19, the CFPB issued a final rule amending Regulation Z, as required by the Economic Growth, Regulatory Relief, and Consumer Protection Act, to exempt certain insured depository institutions and credit unions from the requirement to establish escrow accounts for certain higher-priced mortgage loans (HPMLs). Under the final rule, any loan made by an insured depository institution or credit union that is secured by a first lien on the principal dwelling of a consumer would be exempt from Regulation Z’s HPML escrow requirement if (i) the institution has assets of no more than $10 billion; (ii) “the institution and its affiliates originated 1,000 or fewer loans secured by a first lien on a principal dwelling during the preceding calendar year”; and (iii) the institution meets certain existing HPML escrow exemption criteria. The final rule essentially adopts the proposed rule (covered by InfoBytes here) without change, except the end date for the exception to the prerequisite against maintaining escrows is finalized as 120 days after the date of publication in the Federal Register, instead of the 90 days as proposed.
CFPB finalizes rule stating supervisory guidance lacks force of law
On January 19, the CFPB issued a final rule codifying the Interagency Statement Clarifying the Role of Supervisory Guidance issued by the CFPB, OCC, Federal Reserve Board, FDIC, and the NCUA on September 11, 2018 (2018 Statement). As previously covered by InfoBytes, the October 2018 joint proposal amended the 2018 Statement by (i) clarifying that references in the Statement limiting agency “criticisms” includes criticizing institutions “through the issuance of [matters requiring attention] MRAs and other supervisory criticisms, including those communicated through matters requiring board attention, documents of resolution, and supervisory recommendations”; and (ii) adding that supervisory criticisms should be “specific as to practices, operations, financial conditions, or other matters that could have a negative effect on the safety and soundness of the financial institution, could cause consumer harm, or could cause violations of laws, regulations, final agency orders, or other legally enforceable conditions.”
The Bureau notes that it chose to issue a final rule that is specific to the Bureau and Bureau-supervised institutions, rather than a joint version including the five agencies as it did with the proposal. However, the final rule adopts the proposed rule without substantive change. The final rule is effective 30 days after publication in the Federal Register.
Similar announcements were issued by the OCC, FDIC, and NCUA.
Online lender settles MLA violations for $1.25 million
On January 19, the CFPB announced a settlement with a California-based online lender resolving allegations that the company violated the Military Lending Act (MLA) when making installment loans. This settlement is part of “the Bureau’s broader sweep of investigations of multiple lenders that may be violating the MLA,” which provides protections connected to extensions of consumer credit for active-duty servicemembers and their dependents. As previously covered by InfoBytes, last month the Bureau filed a complaint in the U.S. District Court for the Northern District of California alleging that since October 2016 the lender, among other things, made more than 4,000 single-payment or installment loans to over 1,200 covered borrowers in violation of the MLA. These violations included (i) extending loans with Military Annual Percentage Rates (MAPR) exceeding the MLA’s 36 percent cap; (ii) requiring borrowers to submit to arbitration in loan agreements; and (iii) failing to make certain required loan disclosures, including a statement of the applicable MAPR, before or at the time of the transaction.
Under the terms of the settlement, the company is required to pay $300,000 in consumer redress and pay a $950,000 civil money penalty. The company is also be prohibited from committing future MLA violations and from “collecting on, selling, or assigning any debts arising from Void Loans.” Furthermore, the company is required to submit a compliance plan to ensure its extension of consumer credit complies with the MLA. This plan must include, among other things, a process for correcting information furnished to credit reporting agencies about affected consumers.
FHA extends Covid-19 foreclosure and eviction moratorium
On January 21, FHA announced the extension of its foreclosure and eviction moratorium through March 31. The moratorium applies to homeowners with FHA-insured Title II Single Family forward and Home Equity Conversion (reverse) mortgages, excluding legally vacant or abandoned properties, which were previously set to expire on February 28. Additionally, FHA has also extended the public and Indian Housing (PIH) eviction and foreclosure moratorium until March 31. The extensions are reflected in HUD’s Mortgagee Letter 2021-03.
Additionally, FHA announced that it extended the date by which borrowers must engage with their servicer to obtain an initial Covid-19 forbearance to March 31 (details on the Covid-19 forbearance covered by InfoBytes here), and requires that mortgage servicers provide up to 6 months of forbearance or an additional 6 month extension of the initial Covid-19 forbearance. The extension is reflected in HUD’s Mortgagee Letter 2021-04.
CFPB issue semi-annual report to Congress
On January 21, the CFPB issued its semi-annual report to Congress covering the Bureau’s work from April 1 to September 30, 2020. The report, which is required by Dodd-Frank, addresses, among other things, the effects of the Covid-19 pandemic on consumer credit, significant rules and orders adopted by the Bureau, consumer complaints, and various supervisory and enforcement actions taken by the Bureau. In her opening letter, former Director Kathy Kraninger discusses the Bureau’s response to the Covid-19 pandemic, including measures taken to educate consumers on how to navigate relief options offered through the CARES Act and related pandemic-relief laws, as well as Paycheck Protection Program (PPP) guidance provided to small businesses. Kraninger also notes that in 2020, “the Bureau filed the second-highest number of actions in the Bureau’s history, secured approximately $875 million dollars in customer relief and penalties, and opened investigations of banks and nonbanks in all of the Bureau’s markets.”
Among other topics, the report highlights two reports published by the Bureau on the effects of Covid-19: one focusing on credit applications and credit inquires (covered by InfoBytes here), and another focusing on consumer credit outcomes (covered by InfoBytes here). Results from the Bureau’s Making Ends Meet Survey (conducted prior to the pandemic) are also discussed, as are the Bureau’s efforts to understand financial challenges facing older adults. In addition to these areas of focus, the report notes the issuance of several significant notices of proposed rulemaking related to remittance transfers, debt collection practices, the transition from LIBOR, and qualified mortgage definitions under TILA. Multiple final rules were also issued concerning HMDA reporting thresholds (of which there were two final rules); remittance transfers; and payday, vehicle, title, and certain high-cost installment loans. Several other rules and initiatives undertaken during the reporting period are also discussed.
New Jersey stops accepting temporary insurance producer applications
On January 21 the New Jersey Commissioner of Banking and Insurance issued Bulletin No. 21-02 declaring that the department will no longer accept temporary insurance producer applications after January 31 because remote producer examinations are now available. Temporary licenses previously issued will remain in force subject to certain conditions set forth in the bulletin.