InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC assesses bank $12.5 million BSA penalty
On January 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in December. During the month, the FDIC issued 10 orders consisting of “three consent orders, one termination of consent order, three section 19 orders, two removal and prohibition orders and two orders to pay civil money penalties.” Among the orders, the FDIC issued a $12.5 million civil money penalty order against a New York-based bank resolving allegations that the bank violated the Bank Secrecy Act (BSA) and its implementing regulations from April 2014 through September 2018, including failing to comply with the FDIC’s December 2015 consent order, which required the bank to strengthen its BSA/anti-money laundering oversight. The $12.5 million civil money penalty is reflective of the “the financial resources and good faith of the [bank], the gravity of the violations by the [bank], the history of previous violations by the [bank], and such other matters[.]”
Bank reaches $5.2 million settlement in ATM fee class action
On February 3, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement in the U.S. District Court for the Southern District of Ohio to resolve allegations that a national bank breached its account agreement by assessing balance inquiry fees in certain circumstances. Class members, comprised of current and former account holders, claimed that the bank assessed fees if account holders used an ATM outside of the bank’s network (non-bank ATM) to check their balances. The class also alleged that the bank assessed multiple fees if a balance inquiry was undertaken “during the same ATM visit as a cash withdrawal or other funds transfer.” As a result of the action, the bank modified its account disclosures to “better inform its customers that they could be charged a fee for a balance inquiry” at a non-bank ATM. The preliminary settlement seeks to certify class members who were assessed the contested fees from January 1, 2010 through October 31, 2018 and will not require class members to file claims to receive the settlement’s benefits. Under the preliminary settlement terms, the bank will pay $5.2 million into a common fund, and has agreed to analyze its historical transaction data to identify settlement class members and automatically credit settlement proceeds into their accounts via direct deposit.
DFPI requests comment on CCFPL regulations
On February 4, the California Department of Financial Protection and Innovation (DFPI) released an Invitation for Comments on a proposed rulemaking to implement the California Consumer Financial Protection Law (CCFPL). As previously covered by InfoBytes, in September 2020, the governor signed AB 1864, which enacts the CCFPL and established the DFPI name change from the Department of Business Oversight. The CCFPL authorizes DFPI to establish rules relating to the covered persons, service providers, and consumer financial products or services outlined in the law. The invitation for comments describes specific topics for stakeholder consideration when providing comments, but DFPI notes that commenters may provide feedback on “any potential area for rulemaking.” Highlights of the topics for comment include:
- Exemptions. Whether or not DFPI should clarify the scope of the entities exempt from CCFPL.
- Registration Requirements. What industries should be required to first register with DFPI and what rules should be established to facilitate industry oversight, including records and reporting requirements.
- Complaint Handling. What requirements DFPI should establish with regard to timely responses to consumer complaints and inquiries, including timelines and substance of response.
- Consumer UUDAAP. Description of acts or practices that stakeholders believe qualify as “unlawful, unfair, deceptive, or abusive” in consumer transactions, including suggested “requirements DFPI should adopt to prevent the act or practice.”
- Commercial UDAAP and Data Collection. Description of acts or practices that stakeholders believe qualify as unfair, deceptive, and abusive in the commercial space, and whether or not DFPI should define specific acts or practices as unfair, deceptive, or abusive. Additionally, whether or not DFPI should require the collection and reporting of commercial financing data.
- Disclosures. Whether or not DFPI should prescribe rules covering the features of consumer financing disclosures and if so, what the requirements should cover.
- California Credit Cost Limitations. Whether or not DFPI should clarify the applicability of state credit cost limitations, including rate and fee caps, to consumer financial products and services.
Comments must be submitted by March 8.
Acting director outlines future direction for CFPB
On February 4, CFPB acting Director Dave Uejio published a blog post conveying his “broad vision” for the Division of Research, Markets, and Regulations (RMR). Uejio emphasized that in order for the Bureau to respond to his previously stated policy priorities—(i) relief for consumers facing hardship and economic crisis due to the Covid-19 pandemic, and (ii) racial equity (covered by InfoBytes here)—the agency must sharpen its focus on the consumer experience. To achieve this goal, Uejio is authorizing the Bureau’s use of its 1022(c)(4) data collection authority and has asked RMR to examine “the impact of specific industry practices on consumers’ daily budget and overall bottom line in order to target effective policy interventions.” Among other things, RMR has been asked to take the following immediate steps:
- Prepare an analysis assessing housing insecurities such as mortgage foreclosures, mobile home repossessions, and landlord-tenant evictions.
- Prepare an analysis to address pressing consumer financial barriers to racial equity in order to “inform research and rulemaking priorities,” and “[e]xplicity include in policy proposals the racial equity impact of the policy intervention.”
- Resume data collections paused due to Covid-19, including HMDA quarterly reporting, CARD Act data collection, PACE data collection, and the previously completed 1071 data collection.
- Focus mortgage servicing rulemaking on Covid-19 responses “to avert, to the extent possible, a foreclosure crisis” when pandemic forbearances end in March and April.
- Explore options for preserving the status quo with respect to QM and debt collection rules. (QM rules covered by InfoBytes here and a Buckley Special Alert; debt collection rules covered by InfoBytes here and here.)
Uejio also noted that he “will be assessing regulatory actions taken by the previous leadership and adjusting as necessary and appropriate those not in line with [the Bureau's] consumer protection mission and mandate,” and that he wants to “preserve, where possible, maximum policy flexibility” for President Biden’s nominee once confirmed.
Illinois reissues and extends several Covid-19 executive orders
On February 5, the governor of Illinois issued Executive Order 2021-04, which extends several executive orders through March 6, 2021 (previously covered here, here, here, here, and here). Among other things, the order extends: (i) Executive Order 2020-07 regarding in-person meeting requirements, (ii) Executive Order 2020-23 regarding actions by individuals licensed by the Illinois Department of Financial and Professional Regulation engaged in disaster response, (iii) Executive Order 2020-25 regarding garnishment and wage deductions (previously covered here), (iv) Executive Order 2020-30 regarding residential evictions (previously covered here), and (v) Executive Order 2020-72 regarding the residential eviction moratorium (previously covered here and here).
Virginia legislature advances privacy bill
Recently, the Virginia Senate and House advanced identical bills (see SB 1392 and HB 2307), which would establish a framework for controlling and processing consumers’ personal data in the Commonwealth. Highlights of the bill include:
- Applicability. The bill will apply to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Notably, financial institutions, data governed by federal regulations, nonprofit organizations, and certain protected health information are exempt from coverage.
- Consumers’ rights. Under the bill, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
- Controllers’ responsibilities. Data controllers under the bill will be responsible for (i) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (ii) not processing data for reasons incompatible with the specified purpose; (iii) securing personal data from unauthorized access; (iv) not processing data in violation of state or federal anti-discrimination laws; (v) obtaining consumer consent in order to process sensitive data; (vi) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (vii) providing clear and meaningful privacy notices.
- Data processing agreements/data protection assessments. The bill requires controllers to enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. Controllers must also conduct data protection assessments for all processing activities that involve targeted advertising, the sale of personal data, certain profiling activities, sensitive data, and any processing activities that present a heightened risk of harm to consumers.
- Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law and seek penalties of no more than $7,500 per violation. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
- Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the data controller written notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit.
The two bills next move to a reconciliation process, and if passed and signed into law, the bill will take effect January 1, 2023.
OFAC amends Venezuela-related general license
On February 2, the U.S. Treasury Department’s Office of Foreign Assets Control issued Venezuela-related General License (GL) 30A, which authorizes certain necessary to port and airport operations that would otherwise be prohibited by Executive Order (E.O.) 13884, as incorporated into the Venezuela Sanctions Regulations. (See previous InfoBytes coverage here.) Effective February 2, G.L. 30A replaces G.L. 30, which was issued in August of 2019.
DFPI issues first enforcement action against student debt-relief company
On February 3, the California Department of Financial Protection and Innovation (DFPI) announced the first-ever enforcement action under its new structure against a student loan debt-relief company and an investigation into others. According to the order, DFPI alleges, among other things, that an Irvine-based debt-relief company violated the Telemarketing Sales Rule (TSR) and the California Consumer Financial Protection Law (CCFPL) by charging consumers fees ranging from $2,100 to $26,510 to “‘wipe away’ their student loans by getting them ‘dismissed’ or ‘discharged,’” which the company could not achieve. Moreover, consumers often financed the payment of the company’s fees, resulting in more debt and the company refused to issue refunds when requested by some consumers. DFPI alleges the company’s actions constitute unlawful and deceptive practices under the CCFPL and violated the TSR’s prohibition of charging fees before performing services. Lastly, DFPI alleges the company was required to obtain a license under the state’s Student Loan Servicing Act (SLSA) because its actions constitute “servicing” student loans under the statute. The order requires the company to refund the fees collected from 18 consumers by March 15 and to pay a civil penalty of $45,000.
DFPI also announced it issued subpoenas to four other student loan debt-relief companies to determine whether the companies engage in or have engaged in any unlawful, unfair, deceptive, or abusive acts or practices and whether their activities require a license. Responses to the subpoenas are due in March.
Court denies tech company's second request for COPPA claim dismissal
On February 2, the U.S. District Court for the District of New Mexico granted a technology company’s motion for reconsideration in part, but denied dismissal of the New Mexico attorney general’s action alleging the company designed and marketed mobile gaming applications (apps) targeted towards children that contain illegal tracking software in violation of the Children’s Online Privacy Protection Act (COPPA). As previously covered by InfoBytes, the attorney general filed a lawsuit against a group of technology companies, alleging that the companies’ data collection and sharing practices did not comply with COPPA’s specific notice and consent requirements, while the apps’ embedded software development kits (SDKs) allow the apps to communicate directly with the advertising companies that analyze, store, use, share, and sell the data to other third-parties to build “increasingly-detailed profiles of child users” in order to send highly-targeted advertising. In April 2020, the court denied in part a motion to dismiss by one of the companies, concluding the attorney general plausibly alleged that the company “had actual knowledge of the child-directed nature” of the apps, and under COPPA, “ad networks may be held liable for the collection of personal information from child app users only if they have ‘actual knowledge’ that the apps in which their (SDKs) are embedded are ‘directed to children.’” The company moved for reconsideration, arguing that the court improperly held whether “children were the ‘primary target audience’ of the app was not relevant to the ‘actual knowledge’ determination.”
Upon reconsideration, the court agreed with the company that its April 2020 opinion “misapprehended the significance of the mixed-audience exception to the actual knowledge determination,” but concluded that there is no basis to dismiss the COPPA claim because the attorney general still “adequately alleged actual knowledge on the part of [the company].”
State AGs oppose proposed settlement in FDCPA processing fees class action
On January 29, a coalition of state attorneys general from 32 states and the District of Columbia, led by the New York AG, filed an amicus brief in the U.S. District Court for the Southern District of Florida opposing a proposed settlement in a class-action FDCPA suit against a mortgage servicer that allegedly charged “processing fees” or “convenience fees” for mortgage payments made over the phone or online. The plaintiffs filed the lawsuit last March claiming the defendant did not charge processing fees if borrowers made payments by check or signed up for automatic monthly debits from their bank accounts. They further argued that the processing fees were “illegal and improper because neither the mortgages themselves nor applicable statutes authorize such fees.” The parties agreed to mediation in April, and a motion for preliminary approval of a settlement was filed in August.
In their brief, the AGs outlined concerns with the proposed settlement, including that (i) the relief provided to class members violates various state laws, and that the defendant seeks to ratify fees in an “unwritten, mass amendment” that violates state laws and regulations; (ii) the class members only receive an “inadequate” one-time payment, while the defendant may continue to charge excessive fees for the life of the loan; and (iii) low- and moderate-income borrowers are not treated equitably under the proposed settlement. Additionally, the AGs emphasized concerns “about the speed with which this case was settled,” arguing that entering into the proposed settlement quickly during the Covid-19 pandemic has deprived the court and the AGs “of the ability to determine the adequacy, fairness and reasonableness of the settlement.”