
InfoBytes Blog

Financial Services Law Insights and Observations


  • FCC proposes new data breach notification requirements

    Agency Rule-Making & Guidance

    On January 6, the FCC announced a notice of proposed rulemaking (NPRM) to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). FCC Chairwoman Jessica Rosenworcel noted that “given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.” She commented that the “new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.” The NPRM, which seeks to improve alignment with recent developments in federal and state data breach laws covering other sectors, would require telecommunications providers to notify impacted customers of CPNI breaches without unreasonable delay, thus eliminating the current seven business day mandatory waiting period for notifying customers of a breach.

    Among other things, the FCC requests feedback on whether to establish a specific timeframe (e.g. a requirement to report breaches of customers’ data within 24 or 72 hours of discovery of a breach) or whether a disclosure deadline should vary based on a graduated scale of severity. The FCC also seeks comments on whether a carrier should “be held to have ‘reasonably determined’ a breach has occurred when it has information indicating that it is more likely than not that there was a breach,” and whether the Commission should publish guidance on what constitutes a reasonable determination or adopt a more definite standard. Feedback is also solicited on topics such as threshold triggers, what should be included in a security breach notification, the delivery method of these notifications, and whether to expand the definition of a data breach to also include inadvertent disclosures. Comments are due 30 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Privacy, Cyber Risk & Data Security FCC Data Breach Consumer Protection

  • FHA seeks feedback on changing reconsideration of valuation requests

    Federal Issues

    Recently, FHA published a draft mortgagee letter (ML) proposing policy changes to its requirements for processing and documenting reconsideration of valuation (ROV) requests, specifically when requests are initiated by a borrower for the review of appraisal results. According to the ML, FHA provided proposed guidance to improve the process when prospective borrowers applying for FHA-insured Title II forward or Home Equity Conversion Mortgages (HECM) request an ROV on a property because the initial valuation is lower than expected, or because there is an indication of illegal bias, a violation of Fair Housing regulations, or possible unlawful discrimination. The draft also proposed updated appraisal review standards, which are intended to provide mortgagees and appraisers with clarifying guidance on the quality of an appraisal report and on the ROV process and responsibilities. Public comments are due by February 2.

    Federal Issues Agency Rule-Making & Guidance FHA Mortgages HECM Appraisal

  • NYDFS revises proposed amendments to third-party debt collection rules

    State Issues

    In December, NYDFS released revised proposed amendments to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. NYDFS first issued a proposed amendment to 23 NYCRR 1 in December 2021 (covered by InfoBytes here), which factored in findings from NYDFS investigations that revealed instances of abusive and deceptive debt collection practices, as well as consumer debt collection complaint data. The first proposed amendment, among other things, is intended to enhance consumer protections by increasing transparency, requiring heightened disclosures, reducing misleading statements about consumer debt obligations, and placing stricter limits on debt collection phone calls than those currently imposed under federal regulations. The revised proposal, among other things, also includes the following requirements:

    • A debt collector must send written notification within five days after the initial communication with a consumer that clearly and conspicuously contains validation information as required under Regulation F. Debt collectors are prohibited from using the charge-off date as the itemization date for the alleged debt unless it is a revolving or open-end credit account. Instead, debt collectors should use the last payment date as the itemization date if available.
    • Written notifications must be clear and conspicuous and also include the following, in addition to validation information: (i) the reference date relied upon to determine the itemization date; (ii) for revolving or open-end credit accounts, an account number (or a truncated version of the account number) associated with the debt on the last payment date or the last statement date if no payment has been made; (iii) the merchant brand, affinity brand, or facility name, if any, associated with the debt; (iv) the date and amount of the last payment or a statement noting that no payment was made, if available; (v) the applicable statute of limitations expressed in years for debt that has not been reduced to judgment; (vi) information on a debt that has been reduced to a judgment, if applicable; and (vii) notice that a consumer has the right to dispute the validity of a debt and instructions on how to submit a dispute.
    • Debt collectors must inform consumers of available language access services and are required to record the consumer’s language preference, if other than English, in the written notification.
    • Unless affirmatively requested by the consumer, required disclosures may not be made exclusively by electronic communication. Additionally, a debt collector may communicate with a consumer exclusively through electronic communication only if: (i) the consumer has voluntarily provided contact information for electronic communication; (ii) the consumer has given revocable consent in writing to receive electronic communication from the debt collector in reference to a specific debt (electronic signatures constitute written consent); (iii) the debt collector retains the written consent for six years or until the debt is discharged, sold, or transferred (whichever is longer); and (iv) all electronic communications include clear and conspicuous disclosures regarding revoking consent.
    • Communications sent in the form of a pleading in a civil action will not be considered an initial communication for the purposes of these amendments.
    • Debt collectors must provide substantiation of debt within 45 days.
    • Debt collectors may not communicate or attempt to communicate excessively with a consumer. Specifically, debt collectors are limited to one completed phone call and three attempted phone calls per seven-day period per alleged debt. Telephone calls in excess of these limits may be permitted when required by federal or state law, or when made in response to the consumer’s request to be contacted and in the manner indicated by the consumer, if any.

    Comments are due February 13. The amendments are scheduled to take effect 180 days after the notice of adoption is published in the State Register.

    State Issues Bank Regulatory Agency Rule-Making & Guidance NYDFS New York Debt Collection State Regulators

  • FHFA issues model risk management guidance

    Agency Rule-Making & Guidance

    On December 21, FHFA issued guidance to Freddie Mac, Fannie Mae, the Federal Home Loan Banks (FHLBanks), and the Office of Finance on its model risk management framework. According to the bulletin, the purpose of the guidance—formatted as Frequently Asked Questions—“is to provide supplemental guidelines that will address some of the gaps in [FHFA’s 2013 Model Risk Management guidance] prompted by changes in model-related technologies and questions generated from the expanded use of complex models by the FHLBanks.” “The supplemental guidance also addresses model documentation, the communication of model limitations, model performance tracking, on-top adjustments, challenger models, model consistency, and internal stress testing.”

    Agency Rule-Making & Guidance FHFA FHLB Fannie Mae Freddie Mac GSEs Risk Management

  • DFPI modifies proposed regulations for complaints and inquiries under the CCFPL

    State Issues

    On December 22, the California Department of Financial Protection and Innovation (DFPI) released modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last May to implement Section 90008 subdivisions (a) and (b) of the CCFPL, which authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries, as well as subdivision (d)(2)(D), which “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”

    After considering comments received on the NPRM, changes proposed by the DFPI include the following:

    • Amended definitions. The proposed regulations will not apply to, in addition to consumer reporting agencies and student loan servicers, a person or entity already exempt from the CCFPL under Section 90002. The definition of “complaint” is amended to include “an oral or written expression of dissatisfaction from a complainant regarding a specific issue or problem with a financial product or service.” Additionally, “complainant” is amended to also provide that a consumer must have been a resident of California at the time of the act, omission, decision, condition, or policy giving rise to the complaint. The proposed regulations also outline several categories that are not included in the definition of “complaint” or “inquiry.”
    • Complaint procedure updates. The proposed regulations outline requirements for covered persons related to consumer disclosures and written communications covering the complaint process. The proposed regulations also require covered persons to accept all complaints, whether written or oral, provided the complaint includes a reason for filing the complaint and sufficient information to identify the complainant.
    • Restrictions. Covered persons shall not (i) “[r]equest personal identifying information beyond what is reasonably necessary to identify the complainant and to send correspondence”; (ii) “[r]equest financial information unrelated to the specific complaint of the consumer”; or (iii) impose a time limit for filing a complaint that is shorter than one year from the time the complainant discovers the act, omission, decision, condition, or policy that is the subject of the complaint (if a time limit is imposed, it must be stated in the required consumer disclosures).
    • Complaint acknowledgements. For every complaint received, covered persons must send the complainant a written acknowledgement of receipt that is postmarked or otherwise shows that acknowledgement was sent within five business days after receiving the complaint. Within 15 business days after receiving a complaint, a covered person must provide a final decision on all issues. If additional time is required, a covered person must provide the complainant with a written update within three business days after the initial 15-business day period ends.
    • Inquiry response requirements. Covered persons are required to develop and implement written policies and procedures to implement the regulations’ inquiry requirements, and must also respond to all issues raised by an inquiry within 10 business days. Covered persons must retain copies of all written inquiries and written responses for at least three years from the time the written response was issued.
    • Reporting requirements. Covered persons must submit an annual complaint report to DFPI for each financial product or service offered or provided that will be made available to the public with limited exceptions. Each report shall include information regarding all complaints received by the covered person during the reporting period, and must be filed electronically with the Consumer Financial Protection Division no later than 60 business days after the end of each calendar year.

    Comments on the proposed modifications are due January 20 (extended from January 13).

    State Issues State Regulators California DFPI CCFPL Consumer Complaints Consumer Protection Agency Rule-Making & Guidance Consumer Finance

  • Colorado releases second draft of Colorado Privacy Act rules

    Privacy, Cyber Risk & Data Security

    On December 21, the Colorado attorney general released a second set of draft rules for the Colorado Privacy Act (CPA). As previously covered by a Buckley Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The first set of draft rules was issued last September and published by the Secretary of State on October 10 (covered by InfoBytes here).

    The second set of draft rules seeks to address concerns raised through public comments as well as feedback received during three stakeholder sessions. The AG seeks specific input on questions related to (i) clarifications to definitions; (ii) the use of IP addresses to verify consumer opt-out requests; (iii) implementation of a universal opt-out mechanism; (iv) controller obligations related to meaningful privacy notices; and (v) bona fide loyalty programs. Among other things, the modifications would:

    • Clarify definitions. The modifications add, delete, and amend several definitions, including those related to “biometric identifiers,” “commercial product or service,” “controller,” “employee,” “employer,” “employment records,” “noncommercial purpose,” “personal data,” “process,” “processor,” “profiling,” and terms involving automated processing.
    • Amend purpose-based privacy notices. The modifications remove the requirement that privacy notices be purpose-based, and will instead require that the processing purpose and type of personal data processed be connected in a way that provides consumers a meaningful understanding of how their personal data will be used. The AG seeks feedback on ways the draft rules can “be made interoperable with California’s privacy notice requirements, while still considering the CPA’s purpose specification, secondary use requirements, and ensuring that a consumer has a meaningful understanding of the way their personal data will be used when they interact with a controller.” Feedback is also requested on whether controllers “who have updated their privacy policies to comply with California’s privacy notice requirements anticipate making a separate policy for Colorado, updating a California specific privacy notice to include Colorado or other state requirements, or revising the main privacy policy/notice to meet Colorado and other non-California state requirements[.]”
    • Update universal opt-out mechanism. The modifications grant controllers six months from the date a universal opt-out mechanism is recognized by the AG to begin complying with that new mechanism. An initial public list of approved opt-out mechanisms will be published no later than January 1, 2024, and will be updated periodically.
    • Clarify security measures and duty of care. The modifications provide additional details about the duty to safeguard personal data, and will require controllers to, among other things, consider “[a]pplicable industry standards and frameworks,” and the sensitivity, amount, and original source of the personal data when identifying reasonable and appropriate safeguards. The modifications also include provisions related to the processing of sensitive data inferences and specify deletion requirements.
    • Reduce data protection assessment requirements. The modifications reduce the information that must be included in a controller’s data protection assessment.
    • Clarify privacy notice changes. The modifications clarify when a controller must notify a consumer of “substantive or material” changes to its data processing that trigger updates to its privacy notice. The modifications emphasize that disclosure of a new processing purpose in a privacy policy alone does not constitute valid consent.
    • Address refreshing of consumer consent. The modifications provide that consumer consent must be refreshed when a consumer has not interacted with the controller in the last 12 months, and (i) the controller is processing sensitive personal information; or (ii) is processing personal data for secondary data use that involves profiling for a decision that could result “in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” However, controllers will not be required to refresh consent in situations where consumers have the ability to update their own opt-out preferences at any time.

    Comments on the second set of draft rules are due February 1. If the formal rulemaking hearing on the proposed rules (scheduled for February 1) extends beyond that date, comments must be received on or before the last day of the hearing.

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Colorado Colorado Privacy Act Agency Rule-Making & Guidance

  • CFPB adjusts annual dollar amount thresholds under TILA, HMDA regulations

    Federal Issues

    On December 21, the CFPB released a final rule revising the dollar amounts for provisions implementing TILA and its amendments that impact loans under the Home Ownership and Equity Protection Act of 1994 (HOEPA) and qualified mortgages (QM). The Bureau is required to make annual adjustments to dollar amounts in certain provisions in Regulation Z, and has based the adjustments on the annual percentage change reflected in the Consumer Price Index for Urban Wage Earners and Clerical Workers (CPI-W) in effect on June 1, 2022. The following thresholds are effective January 1, 2023:

    • For open-end consumer credit plans under TILA, the threshold for disclosing an interest charge will remain unchanged at $1.00;
    • For HOEPA loans, the adjusted total loan amount threshold for high-cost mortgages will be $24,866, and the adjusted points-and-fees dollar trigger for high-cost mortgages will be $1,243;
    • For qualified mortgages under the General QM loan definition, the thresholds for the spread between the annual percentage rate and the average prime offer rate will be: “2.25 or more percentage points for a first-lien covered transaction with a loan amount greater than or equal to $124,331; 3.5 or more percentage points for a first-lien covered transaction with a loan amount greater than or equal to $74,599 but less than $124,331; 6.5 or more percentage points for a first-lien covered transaction with a loan amount less than $74,599; 6.5 or more percentage points for a first-lien covered transaction secured by a manufactured home with a loan amount less than $124,331; 3.5 or more percentage points for a subordinate-lien covered transaction with a loan amount greater than or equal to $74,599; or 6.5 or more percentage points for a subordinate-lien covered transaction with a loan amount less than $74,599”; and
    • For all QM categories, the adjusted thresholds for total points and fees will be “3 percent of the total loan amount for a loan greater than or equal to $124,331; $3,730 for a loan amount greater than or equal to $74,599 but less than $124,331; 5 percent of the total loan amount for a loan greater than or equal to $24,866 but less than $74,599; $1,243 for a loan amount greater than or equal to $15,541 but less than $24,866; and 8 percent of the total loan amount for a loan amount less than $15,541.”

    With respect to credit card annual adjustments, the Bureau noted that its 2023 annual adjustment analysis on the CPI-W in effect on June 1, did not result in an increase to the current minimum interest charge threshold (which requires “creditors to disclose any minimum interest charge exceeding $1.00 that could be imposed during a billing cycle”).

    The Bureau also issued a final rule adjusting the asset-size threshold under HMDA (Regulation C). Under HMDA, institutions with assets below certain dollar thresholds are exempt from collection and reporting requirements. The final rule increases the asset-size exemption threshold for banks, savings associations, and credit unions from $50 million to $54 million, thereby exempting institutions with assets of $54 million or less as of December 31, 2022, from collecting HMDA data in 2023.

    Federal Issues Agency Rule-Making & Guidance CFPB TILA Regulation Z HOEPA Qualified Mortgage Mortgages Consumer Finance CARD Act HMDA Regulation C

  • FCC affirms three-call limit but permits oral consent

    Federal Issues

    On December 21, the FCC issued an order on reconsideration and declaratory ruling under the TCPA, affirming a three-call limit and opt-out requirements for exempted residential calls. According to the FCC, the ruling is in response to requests from industry trade groups related to a 2020 order implementing portions of the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act). The ruling upheld the three-call limit for exempt calls made using automated telephone dialing systems to residential lines but revised the 2020 order’s requirement for “prior express written consent” to allow callers to obtain consent orally or in writing if they wish to make more calls than allowed. The FCC also granted a request to confirm that “prior express consent” for calls made by utility companies to wireless phones applies equally to residential landlines. The FCC noted that “limiting the number of calls that can be made to a particular residential line to three artificial or prerecorded voice calls within any consecutive thirty-day period strikes the appropriate balance between these callers reaching consumers with valuable information and reducing the number of unexpected and unwanted calls consumers currently receive.”

    Federal Issues Agency Rule-Making & Guidance FCC TCPA TRACED Act Robocalls Autodialer

  • NCUA proposal looks to promote CU-fintech partnerships

    Agency Rule-Making & Guidance

    On December 15, the NCUA issued a proposed rule seeking input on amendments to the agency’s regulations on the purchase of loan participations and the purchase, sale, and pledge of eligible obligations and other loans, including notes of liquidating credit unions. Among other things, the proposed rule would remove certain prescriptive limitations and other qualifying requirements to provide federal credit unions with additional flexibility to purchase eligible obligations of their members and engage with advanced technologies and other opportunities presented by fintechs. Improved flexibility and individual autonomy will allow federal credit unions “to establish their own risk tolerance limits and governance policies for these activities, while codifying due diligence, risk assessment, compliance and other management processes that are consistent with the Board’s long-standing expectations for safe, sound, fair and affordable lending practices,” the NCUA said. Comments on the proposed rule are due 60 days after publication in the Federal Register.

    “As I have emphasized before, credit unions should recognize and harness the potential opportunities fintechs may offer them,” NCUA Chairman Todd Harper said. “However, we must also acknowledge the potential risks they pose to credit unions, their members, and the system and develop appropriate guardrails. This proposed rule strikes that balance. It provides flexibility, safety, and tailored relief to credit unions while fostering greater innovation.”

    Agency Rule-Making & Guidance Federal Issues NCUA Fintech

  • California privacy agency holds public meeting on CPRA

    Privacy, Cyber Risk & Data Security

    On December 16, the California Privacy Protection Agency (CPPA) Board held a public meeting to discuss the ongoing status of the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here). The CPPA stated it anticipates conducting additional preliminary rulemaking in early 2023. After public input is received, the CPPA will discuss proposed regulatory frameworks for risk assessments, cybersecurity audits, and automated decisionmaking.

    During the board meeting, the CPPA introduced sample questions and subject areas for preliminary rulemaking that will be provided to the public at some point in 2023, and finalized and approved at a later meeting. The questions and topics relate to, among other things, (i) privacy and security risk assessment requirements, including whether the CPPA should follow the approach outlined in the European Data Protection Board’s Guidelines on Data Protection Impact Assessment, as well as other models or factors the agency should consider; (ii) benefits and drawbacks for businesses should the CPPA accept a business’s risk assessment submission that was completed in compliance with GDPR’s or the Colorado Privacy Act’s requirements for these assessments; (iii) how the CPPA can ensure cybersecurity audits, assessments, and evaluations are thorough and independent; and (iv) how to address profiling and logic in automated decisionmaking, the prevalence of algorithmic discrimination, and whether opt-out rights with respect to a business’s use of automated decisionmaking technology differ across industries and technologies. The CPPA said it is also considering different rules for businesses making under $25 million in annual gross revenues.

    Privacy, Cyber Risk & Data Security State Issues California CPPA CPRA CCPA Consumer Protection Agency Rule-Making & Guidance
