InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Illinois reissues and extends several Covid-19 executive orders
On February 5, the governor of Illinois issued Executive Order 2021-04, which extends several executive orders through March 6, 2021 (previously covered here, here, here, here, and here). Among other things, the order extends: (i) Executive Order 2020-07 regarding in-person meeting requirements, (ii) Executive Order 2020-23 regarding actions by individuals licensed by the Illinois Department of Financial and Professional Regulation engaged in disaster response, (iii) Executive Order 2020-25 regarding garnishment and wage deductions (previously covered here), (iv) Executive Order 2020-30 regarding residential evictions (previously covered here), and (v) Executive Order 2020-72 regarding the residential eviction moratorium (previously covered here and here).
Virginia legislature advances privacy bill
Recently, the Virginia Senate and House advanced identical bills (see SB 1392 and HB 2307), which would establish a framework for controlling and processing consumers’ personal data in the Commonwealth. Highlights of the bill include:
- Applicability. The bill will apply to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Notably, financial institutions, data governed by federal regulations, nonprofit organizations, and certain protected health information are exempt from coverage.
- Consumers’ rights. Under the bill, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
- Controllers’ responsibilities. Data controllers under the bill will be responsible for (i) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (ii) not processing data for reasons incompatible with the specified purpose; (iii) securing personal data from unauthorized access; (iv) not processing data in violation of state or federal anti-discrimination laws; (v) obtaining consumer consent in order to process sensitive data; (vi) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (vii) providing clear and meaningful privacy notices.
- Data processing agreements/data protection assessments. The bill requires controllers to enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. Controllers must also conduct data protection assessments for all processing activities that involve targeted advertising, the sale of personal data, certain profiling activities, sensitive data, and any processing activities that present a heightened risk of harm to consumers.
- Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law and seek penalties of no more than $7,500 per violation. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
- Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the data controller written notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit.
The two bills next move to a reconciliation process, and if passed and signed into law, the bill will take effect January 1, 2023.
OFAC amends Venezuela-related general license
On February 2, the U.S. Treasury Department’s Office of Foreign Assets Control issued Venezuela-related General License (GL) 30A, which authorizes certain necessary to port and airport operations that would otherwise be prohibited by Executive Order (E.O.) 13884, as incorporated into the Venezuela Sanctions Regulations. (See previous InfoBytes coverage here.) Effective February 2, G.L. 30A replaces G.L. 30, which was issued in August of 2019.
DFPI issues first enforcement action against student debt-relief company
On February 3, the California Department of Financial Protection and Innovation (DFPI) announced the first-ever enforcement action under its new structure against a student loan debt-relief company and an investigation into others. According to the order, DFPI alleges, among other things, that an Irvine-based debt-relief company violated the Telemarketing Sales Rule (TSR) and the California Consumer Financial Protection Law (CCFPL) by charging consumers fees ranging from $2,100 to $26,510 to “‘wipe away’ their student loans by getting them ‘dismissed’ or ‘discharged,’” which the company could not achieve. Moreover, consumers often financed the payment of the company’s fees, resulting in more debt and the company refused to issue refunds when requested by some consumers. DFPI alleges the company’s actions constitute unlawful and deceptive practices under the CCFPL and violated the TSR’s prohibition of charging fees before performing services. Lastly, DFPI alleges the company was required to obtain a license under the state’s Student Loan Servicing Act (SLSA) because its actions constitute “servicing” student loans under the statute. The order requires the company to refund the fees collected from 18 consumers by March 15 and to pay a civil penalty of $45,000.
DFPI also announced it issued subpoenas to four other student loan debt-relief companies to determine whether the companies engage in or have engaged in any unlawful, unfair, deceptive, or abusive acts or practices and whether their activities require a license. Responses to the subpoenas are due in March.
Court denies tech company's second request for COPPA claim dismissal
On February 2, the U.S. District Court for the District of New Mexico granted a technology company’s motion for reconsideration in part, but denied dismissal of the New Mexico attorney general’s action alleging the company designed and marketed mobile gaming applications (apps) targeted towards children that contain illegal tracking software in violation of the Children’s Online Privacy Protection Act (COPPA). As previously covered by InfoBytes, the attorney general filed a lawsuit against a group of technology companies, alleging that the companies’ data collection and sharing practices did not comply with COPPA’s specific notice and consent requirements, while the apps’ embedded software development kits (SDKs) allow the apps to communicate directly with the advertising companies that analyze, store, use, share, and sell the data to other third-parties to build “increasingly-detailed profiles of child users” in order to send highly-targeted advertising. In April 2020, the court denied in part a motion to dismiss by one of the companies, concluding the attorney general plausibly alleged that the company “had actual knowledge of the child-directed nature” of the apps, and under COPPA, “ad networks may be held liable for the collection of personal information from child app users only if they have ‘actual knowledge’ that the apps in which their (SDKs) are embedded are ‘directed to children.’” The company moved for reconsideration, arguing that the court improperly held whether “children were the ‘primary target audience’ of the app was not relevant to the ‘actual knowledge’ determination.”
Upon reconsideration, the court agreed with the company that its April 2020 opinion “misapprehended the significance of the mixed-audience exception to the actual knowledge determination,” but concluded that there is no basis to dismiss the COPPA claim because the attorney general still “adequately alleged actual knowledge on the part of [the company].”
State AGs oppose proposed settlement in FDCPA processing fees class action
On January 29, a coalition of state attorneys general from 32 states and the District of Columbia, led by the New York AG, filed an amicus brief in the U.S. District Court for the Southern District of Florida opposing a proposed settlement in a class-action FDCPA suit against a mortgage servicer that allegedly charged “processing fees” or “convenience fees” for mortgage payments made over the phone or online. The plaintiffs filed the lawsuit last March claiming the defendant did not charge processing fees if borrowers made payments by check or signed up for automatic monthly debits from their bank accounts. They further argued that the processing fees were “illegal and improper because neither the mortgages themselves nor applicable statutes authorize such fees.” The parties agreed to mediation in April, and a motion for preliminary approval of a settlement was filed in August.
In their brief, the AGs outlined concerns with the proposed settlement, including that (i) the relief provided to class members violates various state laws, and that the defendant seeks to ratify fees in an “unwritten, mass amendment” that violates state laws and regulations; (ii) the class members only receive an “inadequate” one-time payment, while the defendant may continue to charge excessive fees for the life of the loan; and (iii) low- and moderate-income borrowers are not treated equitably under the proposed settlement. Additionally, the AGs emphasized concerns “about the speed with which this case was settled,” arguing that entering into the proposed settlement quickly during the Covid-19 pandemic has deprived the court and the AGs “of the ability to determine the adequacy, fairness and reasonableness of the settlement.”
FTC provides annual ECOA summary to CFPB
On February 3, the FTC announced it recently provided the CFPB with its annual summary of work on ECOA-related policy issues, focusing specifically on the Commission’s activities with respect to Regulation B during 2020. The summary discusses, among other things, the following FTC research and policy development initiatives:
- The FTC submitted a comment letter in response to the CFPB’s request for information on ways to provide additional clarity under ECOA (covered by InfoBytes here). Among other things, the FTC noted that Regulation B explicitly incorporates disparate impact and offered suggestions should the Bureau choose to provide additional detail regarding its approach to disparate impact analysis. The FTC also urged the Bureau to remind entities offering credit to small businesses that ECOA and Regulation B may apply based “on the facts and circumstances involved” and that entities cannot avoid application of these statutes based solely on how they characterize a transaction or the benefits they claim to provide.
- The FTC hosted the 13th Annual FTC Microeconomics Conference, which focused on the use of machine-learning algorithms when making decisions in areas such as credit access.
- The FTC’s Military Task Force continued to work on military consumer protection issues, including military consumers’ “rights to various types of notifications as applicants for credit, including for adverse action, and information about the anti-discrimination provisions, in ECOA and Regulation B.”
- The FTC continued to participate in the Interagency Task Force on Fair Lending, along with the CFPB, DOJ, HUD, and the federal banking regulatory agencies. The Commission also joined the newly formed Interagency Fair Lending Methodologies Working Group with the aforementioned agencies in order “to coordinate and share information on analytical methodologies used in enforcement of and supervision for compliance with fair lending laws, including ECOA.”
The summary also highlights FTC ECOA enforcement actions, business and consumer education efforts on fair lending issues, as well as blog posts discussing fair lending safeguards and the use of artificial intelligence in automated decision-making.
FHA issues Covid-19 measures to protect borrowers
On February 3, FHA issued a series of temporary measures in its Single Family Housing Policy Handbook, which waive provisions that, among other things, normally require in-person contact between mortgage servicers and borrowers. These waivers, FHA states, are intended to allow mortgage servicing activities to continue in a safe manner during the Covid-19 pandemic, and augment FHA’s recent extension of its foreclosure and eviction moratorium for borrowers through March 31, as well as the agency’s decision to extend the deadline for impacted borrowers to request a new forbearance (covered by InfoBytes here). Specifically, the waivers build upon previous waivers and will allow the following provisions through December 31, 2021:
- Rather than conducting face-to-face borrower interviews, the waiver will allow substitute methods (such as phone interviews, email, video calling services, and other conference technology) for servicers to conduct borrower interviews for FHA-insured forward and home equity conversion mortgages (HECM) when performing early default interventions for borrowers in danger of foreclosure.
- FHA is waiving the $5,000 property charge payment arrearages cap for HECM borrowers who are behind on their property charge payments.
- FHA is waiving the requirement for servicers to obtain a physical signature on an occupancy certification from a HECM borrower.
FTC finalizes settlement with video conferencing company
On February 1, the FTC finalized a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the levels of encryption offered for securing communications during meetings. As previously covered by InfoBytes, in November 2020, the FTC announced a proposed consent order with the video conferencing provider alleging, among other things, that the company failed to implement any measures to protect users’ security, failed to monitor service providers who had access to the network, lacked a systematic process for incident response, and allegedly increased users’ risk of remote video surveillance by strangers, even though the company “touted its level of encryption as a reason for customers and potential customers to use [its] videoconferencing services.” In a 3-2 vote, the FTC finalized the proposed settlement, which (i) prohibits the company misrepresenting its privacy and security practices; (ii) includes a mandated information security program, which requires the company to assess and document security risks, develop ways to manage and safeguard against such risks, and deploy additional methods, including multi-factor authentication, to protect against unauthorized access of the network; and (iii) requires the company to obtain biennial third-party assessments of its security practices.
Acting Chairwoman Slaughter and Commissioner Chopra issued two dissenting statements, with Slaughter arguing that the final order does not adequately address the company’s privacy failings, nor does it require the company to provide any recourse to affected users, despite “widespread opposition” to the proposed settlement. Chopra argues the FTC “[r]ush[ed] to a final approval of [the] settlement,” and urges the FTC to “think beyond its status quo approach of simply requiring more paperwork, rather than real accountability relying on a thorough investigation.”
Court denies dismissal of OCC CRA rule challenge
On January 29, the U.S. District Court for the Northern District of California denied dismissal of an action brought against the OCC by two community coalitions, requesting the court block the agency’s final rule to revise the regulatory framework implementing the Community Reinvestment Act (CRA). As previously covered by InfoBytes, in June 2020, the groups filed a complaint alleging that, among other things, the OCC failed to provide for meaningful public input on key revisions to the agency’s final rule, and that the May 20 rule (covered by a Buckley Special Alert) failed to consider the impact of the Covid-19 pandemic and is in violation of the Administrative Procedures Act. The OCC moved to dismiss the action, arguing that the community groups lack standing, or in the alternative, that they do not fall within the CRA’s “zone of interests.” The district court disagreed. Specifically, the court concluded that the community groups adequately alleged standing because the members of their organizations “compete for OCC-regulated banks’ CRA dollars,” and their members “will now have to compete with investment opportunities that could not previously receive CRA credit.” Moreover, among other things, the court concluded that the community groups satisfy the “the zone-of-interests test, because they receive grants and loans for which banks obtain CRA credit, making them direct beneficiaries of the statute.”