InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS, mortgage lender reach $1.5 million cyber breach settlement
On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also claimed that the lender allegedly failed to implement a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty, and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.
SBA allows self-employed filers to use gross income to calculate PPP loan amounts
On March 4, the Small Business Administration (SBA) issued an interim final rule (IFR) to implement recent changes to the Paycheck Protection Program (PPP) calculation for IRS Form 1040, Schedule C filers. Self-employed individuals who file Schedule C will now be able to calculate their maximum loan amount using gross income. This calculation change only applies to loans approved after March 4, 2021, and borrowers that have already had their loans approved cannot increase their PPP loan amount based on the new maximum loan formula. SBA also notes that a previously provided safe harbor presumption of making “the statutorily required certification concerning the necessity of the loan request in good faith” will not apply to Schedule C filers that elect to calculate their First Draw PPP loan using gross income if they report more than $150,000 in gross income. These borrowers will be subject to additional SBA review as they will most likely have additional sources of liquidity to support business operations. The IFR further removes eligibility restrictions that prohibit businesses owned at least 20 percent by individuals (i) who have a non-financial fraud felony conviction in the last year, or (ii) who are delinquent or in default on their federal student loans. These changes apply to both First Draw and Second Draw PPP loans.
To assist borrowers, SBA released the following revised forms: First Draw application form and Schedule C gross income form, Second Draw application form and Schedule C gross income form, and lender applications for First Draw and Second Draw loans. The IFR takes effect March 4.
CFPB sues payment processor for fraudulent practices
On March 3, the CFPB filed a complaint against an Illinois-based third-party payment processor and its founder and former CEO (collectively, “defendants”) for allegedly engaging in unfair practices in violation of the CFPA and deceptive telemarketing practices in violation of the Telemarketing Sales Rule. According to the complaint, the defendants knowingly processed remotely created check (RCC) payments totaling millions of dollars for over 100 merchant-clients claiming to offer technical-support services and products, but that actually deceived consumers—mostly older Americans—into purchasing expensive and unnecessary antivirus software or services. The tech-support clients allegedly used telemarketing to sell their products and services and received payment through RCCs, the Bureau stated, noting that the defendants continued to process the clients’ RCC payments despite being “aware of nearly a thousand consumer complaints” about the tech-support clients. According to the Bureau, roughly 25 percent of the complaints specifically alleged that the transactions were fraudulent or unauthorized. The Bureau noted that the defendants also responded to inquiries from police departments across the country concerning consumer complaints about being defrauded by the defendants. Further, the Bureau cited high return rates experienced by the tech-support clients, including an average unauthorized return rate of 14 percent—a “subset of the overall return rate where the reason for the return provided by the consumer is that the transaction was unauthorized.” The Bureau is seeking an injunction, as well as damages, redress, disgorgement, and civil money penalties.
CFPB appeals ruling vacating mandatory disclosures and 30-day credit linking restriction in Prepaid Accounts Rule
On March 1, the CFPB filed a notice to appeal a December 2020 ruling, in which the U.S. District Court for the District of D.C. vacated two provisions of the Bureau’s Prepaid Account Rule: (i) the short-form disclosure requirement “to the extent it provides mandatory disclosure clauses”; and (ii) the 30-day credit linking restriction. As previously covered by InfoBytes, the court concluded that the Bureau acted outside of its statutory authority by promulgating a short-form disclosure requirement (to the extent it provided for mandatory disclosure clauses). The court noted that it could not “presume—as the Bureau does—that Congress delegated power to the Bureau to issue mandatory disclosure clauses just because Congress did not specifically prohibit them from doing so.” The court further determined that the Bureau also read too much into its general rulemaking authority when it promulgated a mandatory 30-day credit linking restriction under 12 CFR section 1026.61(c)(1)(iii) that limited consumers’ ability to link certain credit cards to their prepaid accounts. The court first determined that neither TILA nor Dodd-Frank vest the Bureau with the authority to promulgate substantive regulations on when consumers can access and use credit linked to prepaid accounts. Second, the court deemed the regulatory provision to be a “substantive regulation banning a consumer’s access to and use of credit” under the disguise of a disclosure, and thus invalid.
Court grants interlocutory appeal in CFPB student loan servicing action
On February 26, the U.S. District Court for the Middle District of Pennsylvania granted a student loan servicer’s request for interlocutory appeal as to whether questions concerning the CFPB’s constitutionality stopped the clock on claims that it allegedly misled borrowers. The court’s order pauses a 2017 lawsuit in which the Bureau claimed the servicer violated the CFPA, FCRA, and FDCPA by allegedly creating obstacles for borrower repayment options (covered by InfoBytes here), and grants the servicer’s request to certify a January 13 ruling. As previously covered by InfoBytes, the servicer argued that the Supreme Court’s finding in Seila Law LLC v. CFPB (covered by a Buckley Special Alert—which held that that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the CFPB)—meant that the Bureau “never had constitutional authority to bring this action and that the filing of [the] lawsuit was unauthorized and unlawful.” The servicer also claimed that the statute of limitations governing the CFPB’s claims prior to the decision in Seila had expired, arguing that Director Kathy Kraninger’s July 2020 ratification came too late. The court disagreed, ruling, among other things, that “[n]othing in Seila indicates that the Supreme Court intended that its holding should result in a finding that this lawsuit is void ab initio.”
The court’s order sends the ruling to the 3rd Circuit to review “[w]hether an act of ratification, performed after the statute of limitations has expired, is subject to equitable tolling, so as to permit the valid ratification of the original action which was filed within the statute of limitations but which was filed at a time when the structure of the federal agency was unconstitutional and where the legal determination of the presence of the structural defect came after the expiration of the statute of limitations.” Specifically, the court explained that this particular “question does not appear to have been addressed by any court in the United States. . . .Not only is there a lack of conflicting precedent, there is no supporting precedent; indeed, no party has identified any comparable precedent.” Further, “[i]f this court erred in applying the doctrine of equitable tolling, it would almost certainly lead to a reversal on appeal and dismissal of this action,” the court noted.
OFAC sanctions Russian officials
On March 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order (E.O.) 13661 against seven Russian government officials in connection with the “poisoning and subsequent imprisonment of [a] Russian opposition figure.” One of the designated individuals is also being sanctioned pursuant to E.O. 13382 “for acting or purporting to act for or on behalf of, directly or indirectly, the Federal Security Service.” In conjunction with OFAC’s sanctions, the Department of State also designated several entities and persons pursuant to E.O. 13882 for “having engaged, or attempted to engage, in activities or transactions that have materially contributed to, or pose a risk of materially contributing to, the proliferation of weapons of mass destruction or their means of delivery” by Russia. As a result of the sanctions, all of the property and interests in property of the designated persons that are in the United States or in the possession or control of U.S. persons, as well as any entities that are owned 50 percent or more by the designated persons, are blocked and must be reported to OFAC. Additionally, OFAC regulations generally prohibit U.S. persons from participating in transactions with the designated persons unless exempt or otherwise authorized by an OFAC general or specific license. OFAC further warned that “any foreign person who knowingly facilitates a significant transaction or transactions for or on behalf of one of these persons risks being sanctioned.”
New York warns of “extreme risk” with cryptocurrency trading
On March 1, the New York attorney general issued two alerts warning investors about the “extreme risk” facing New Yorkers investing in virtual or “crypto” currency. The first investor alert directs investors to take caution when investing in virtual currencies because, among other reasons, virtual currency trading platforms provide limited protection from fraud as “[m]ost platforms are subject to little or no oversight.” The second industry alert is directed towards broker-dealers, salespersons, and investment advisors, and provides a reminder that “people and entities dealing in virtual or ‘crypto’ currencies that are commodities or securities in the state of New York, and who do not qualify for an exemption, must register with the Office of the Attorney General,” and that failing to do so will expose them to both civil and criminal liability. The alerts follow an agreement entered last month (covered by InfoBytes here) between the AG and the operators of a virtual currency trading platform and a “tether” virtual currency issuer, along with their affiliated entities, which resolved allegations that the companies deceived clients by overstating available reserves and hiding $850 million in co-mingled client and corporate funds.
OFAC sanctions key Yemeni military leaders
On March 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against two individuals associated with the Ansarallah militia. The sanctions are taken pursuant to Executive Order 13611, which authorizes “blocking property of persons threatening the peace, security, or stability of Yemen.” As a result of the sanctions, all of the property and interests in property of the designated individuals that are in the United States or in the possession or control of U.S. persons, as well as any entities that are owned 50 percent or more by the designated individuals, are blocked and must be reported to OFAC. Additionally, OFAC regulations prohibit U.S. persons from participating in transactions with the designated individuals unless exempt or otherwise authorized by an OFAC general or specific license. OFAC specifies that the “prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the receipt of any contribution or provision of funds, goods, or services from any such person.”
Virginia enacts comprehensive consumer data privacy framework
On March 2, the Virginia governor enacted the Consumer Data Protection Act (VCDPA), which establishes a framework for controlling and processing consumers’ personal data in the Commonwealth. Virginia is now the second state in the nation to enact a comprehensive consumer privacy law. In 2018, California became the first state to put in place significant consumer data privacy measures (covered by a Buckley Special Alert). As previously covered by InfoBytes, under the VCDPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The VCDPA also outlines controller responsibilities, including a requirement that, among other things, controllers must enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. While the VCDPA explicitly prohibits a private right of action, it does grant the state attorney general excusive authority to enforce the law and seek penalties of no more than $7,500 per violation. Additionally, upon discovering a potential violation of the VCDPA, the attorney general must give the data controller written notice and allow the data controller 30 days to cure the alleged violation before the attorney general can file suit. The VCDPA takes effect January 1, 2023.
5th Circuit: Conveying information about a debt collector is different from conveying information about a debt
On February 26, the U.S. Court of Appeals for the Fifth Circuit affirmed a district court’s dismissal of a consumer’s FDCPA claims against a collection agency, concluding that “conveying information about a debt collector is not the same as conveying information about a debt.” According to the opinion, the collection agency (defendant) attempted to contact the plaintiff via telephone concerning an unpaid debt. When the plaintiff failed to answer the call, the defendant contacted the plaintiff’s sister and asked to speak to the plaintiff. During the call, a representative working for the defendant provided her own name and that of the collection agency, and provided her number so the plaintiff could return the call. The plaintiff filed suit, alleging the defendant violated FDCPA § 1692c(b) when the representative left a message with the plaintiff’s sister and asked her to have the plaintiff contact the defendant. Under § 1692c(b), a debt collector “‘may not communicate, in connection with the collection of any debt, with any person other than the consumer’ or certain other prescribed parties to the debt ‘without the prior consent of the consumer.’” An exception is provided under § 1692b for a debt collector who communicates with a third party to acquire location information about the consumer. The district court granted the defendant’s motion to dismiss, which the plaintiff appealed, arguing that the defendant’s conduct “went beyond the scope of a permissible call for the purposes of obtaining location information.”
On appeal, the 5th Circuit first reviewed whether the call violated Section 1692c(b). The appellate court noted that it was first called to address the “threshold issue” as to “whether the alleged conversation qualifies as a ‘communication’” as defined by the FDCPA. Under § 1692a(2), a “communication” refers to “the conveying of information regarding a debt directly or indirectly to any person through any medium.” In this instance, the appellate court wrote, there was nothing in the call between the defendant and the plaintiff’s sister that conveyed information regarding the existence of a debt. “[T]o indirectly convey information regarding a debt, a conversation or message would need to, at the very least, imply that a debt existed. Knowing the name of a debt collector does not imply the existence of a debt.” The 5th Circuit further concluded, among other things, that “[e]ven if the average consumer recognized the company’s name and identified it as a debt collector, receiving a phone call from a debt collector does not suggest any information about an underlying debt.” As such, the 5th Circuit determined the plaintiff failed to adequately plead facts suggesting a plausible violation of the FDCPA.