InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Chopra discusses open banking and standard-setting
On March 13, the Director of the CFPB, Rohit Chopra, delivered prepared remarks at the Financial Data Exchange Global Summit and discussed advancing the U.S. towards open banking. Chopra outlined the current efforts and considerations surrounding the development of industry standards that would help transition consumers with switching financial products. The CFPB had been finalizing rules on Section 1033 of the CFPA which would grant consumers the right to access their financial data and would aim to protect sensitive personal financial information while promoting open banking (covered by InfoBytes here).
Chopra highlighted the importance of creating industry standards for data sharing and communication protocols, drawing parallels with existing standards in electronics and financial services. While the CFPB's proposal acknowledged the role of standards, Chopra noted that it intentionally avoided being overly “prescriptive” to avoid stifling innovation, among other things.
The speech also addressed the potential for anticompetitive behavior in the standard-setting process. Chopra noted historical instances of anticompetitive behavior, a concern that the CFPB had been monitoring closely. The Bureau will be working with the DOJ to prevent such practices.
The Bureau sought to codify what standard-setting organizations must demonstrate to be recognized under the proposed rule, then invite those organizations to begin the process of receiving formal recognition from the CFPB. Based on the comments received on the proposed rule, Chopra expects that by this fall, the final rule will “identify the areas where standards are relevant to the requirements of the final rule.” Chopra also noted the CFPB considered whether standard-setting organizations should be balanced so no entity or group of entities can “dominate[] decision making.” He noted that the Bureau will investigate the makeup of entities’ standard-setting/modification groups and funding structure, warning if an entity’s composition or funding suggests favoritism, then “that will be a problem.” Chopra noted that if the CFPB cannot identify standard-setting organizations, it is prepared to implement more detailed guidance.
FHFA eliminates household income restriction on PTFCs
On March 12, the FHFA published a final rule in the Federal Register titled “Exception to Restrictions on Private Transfer Fee Covenants (PFTCs) for Loans Meeting Certain Duty to Serve Shared Equity Loan Program Requirements,” which established an additional exception to the FHFA’s regulation proscribing Fannie Mae, Freddie Mac, and FHLBanks from “purchasing, investing in, [and] accepting as collateral” mortgages encumbered by certain types of PTFCs, or related securities, subject to certain exceptions. This new exception will allow the banking entities to engage in transactions if the loans met the equity loan program requirements for the resale restriction programs “without regard to any household income limit.” The final rule will go into effect on May 13.
VA proposes rule changes to VA-Guaranteed, IRRRLoans
On March 7, the VA published a supplemental notice of proposed rulemaking in the Federal Register titled “Loan Guaranty: Revisions to VA-Guaranteed or Insured Interest Rate Reduction Refinancing Loans” which sought comment on whether the “date of loan issuance” should be defined as date of the note (as originally suggested) or as the date “the first payment is due.” The notice explained the VA did not receive any comments on this aspect of the proposed rule and enumerated several concerns with the initial proposed definition. The comment period for this proposed rule will close on May 6.
Fed issues final rule for FMUs to update risk management requirements, noting cyber and climate risks
On March 8, the Federal Reserve Board announced a final rule that will update risk management requirements for financial market utilities (FMUs) supervised by the Fed. FMUs provide the financial infrastructure to clear and settle payments and transactions. The rule will go into effect 30 days after publication in the Federal Register, and FMUs are expected to comply with certain updates by 90 days and all updates by 180 days after publication. The Fed reported the final rule is “substantially similar” to the proposed rule and provided additional details to the exiting requirements for the following: (i) review and testing; (ii) incident management; (iii) business continuity management; and (iv) third-party risk management.
FTC updates the Telemarketing Sales Rule, proposes tech support rule
On March 7, the FTC announced updates to the Telemarketing Sales Rule (TSR) to extend fraud protections to businesses and modernize recordkeeping requirements in response to technological advancements. These updates were part of an ongoing review of the TSR, which governs telemarketing practices and includes the Do Not Call Registry (DNC) and issued rules against telemarketing robocalls.
The newly finalized rule broadened the scope of prohibited deceptive and abusive telemarketing practices to include business-to-business calls, which were previously exempt, except in specific cases. The rule also revised the TSR's recordkeeping requirements to reflect changes in technology and telemarketing methods, which included maintaining detailed call records and consent documentation, as well as compliance with the DNC Registry.
In addition to these updates, the FTC proposed a rule that would enhance its ability to tackle tech support scams by extending the TSR's coverage to include inbound telemarketing calls for technical support services. This amendment addressed deceptive tech support schemes and would empower the FTC to seek stronger legal remedies such as civil penalties and consumer compensation. The Commission invited public feedback on a proposed definition of tech support scams.
Ginnie Mae now requires issuers to disclose cybersecurity incidents within 48 hours
On March 4, the President of Ginnie Mae released All Participants Memorandum (APM) 24-02, which set forth a new requirement applicable to all issuers, including issuers that subservice loans for others. The memo mandated that all approved issuers must notify Ginnie Mae of any significant cybersecurity incident within 48 hours of detection. Ginnie Mae defined a “Cyber Incident” as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constituted a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the Issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.” If a Cyber Incident has occurred, issuers must it report to Ginnie Mae via a specified email address and must include (i) the date and time of the incident, (ii) a summary of the incident, and (iii) points of contact responsible for coordinating any follow-up questions regarding the incident. These requirements are also now reflected in Chapter 03, Part 18 of the Mortgage-Backed Securities Guide, 5500.3, REV-1.
FHFA announces updates for implementation of GSE credit score requirements
On February 29, FHFA announced updates related to the implementation of new credit score requirements for single-family loans acquired by Freddie Mac and Fannie Mae (GSEs). As previously covered by InfoBytes, FHFA released a two-phase plan for soliciting stakeholder input on the agency’s proposed process for updating credit score requirements. The new process, called the FICO 10T model, will, among other things, require two credit reports (a “bi-merge” credit report) from the national consumer reporting agencies, rather than the traditional three (covered by InfoBytes here). After considering stakeholder input, FHFA expects to transition from the Classic FICO credit score model to the bi-merge credit reporting requirement in Q1 2025. The GSEs will also move up the publication of VantageScore 4.0 historical data to Q3 2024 “to better support market participants” and provide pertinent historical data before the transition. FHFA will provide more details on the timing for FICO 10T implementation once this initial process is complete.
FTC proposes two actions to combat AI impersonation fraud
On February 15, the FTC announced its supplemental notice of proposed rulemaking relating to the protection of consumers from impersonation fraud, especially from any impersonations of government entities. The first action from the FTC was a final rule that prohibited the impersonation of government, business, and their officials or agents in interstate commerce. The second action was a notice seeking public comment on a supplemental proposed rulemaking that would revise the first action and add a prohibition on, and penalties for, the impersonation of individuals for entities who provide goods and services (with the knowledge or reason to know that those goods or services will be used in impersonations) that are unlawful. In tandem, these actions sought to prohibit the impersonation of government and business officials.
The FTC notes that these two actions come from “surging complaints” on impersonation fraud, specifically from artificial intelligence-generated deep fakes. The final rule will expand the remedies and provide monetary relief, whereas the FTC stated this rule will provide a “shorter, faster and more efficient path” for injured consumers to recover money. The rule would enable the FTC to seek monetary relief from scammers that use government seals or business logos, spoof government and business emails, and impersonate a government official or falsely imply a business affiliation.
FCC adopts rule on robocalls and robotexts, includes NPR on TCPA applicability
On February 15, the FCC adopted a rule to protect consumers from robocalls and robotexts. According to the rule, robocallers and robotexters must honor do-not-call and consent revocation requests within 10 business days from receipt. In addition, the rule will allow consumers to revoke consent under the TCPA through any unreasonable means and will clarify that the TCPA would not be violated when a one-time text message is sent confirming a consumer’s request that no further text messages be sent if the confirmation text only confirms the opt-out request and does not include marketing information.
The new rule clarified that revocation of consent can be made via automated methods such as interactive voice responses, key press activation on robocalls, responding with “stop” or similar messages to text messages, or using designated website or phone numbers provided by the caller all will constitute reasonable means to revoke consent. If a called party uses any of these designated methods to revoke consent, it will be considered definitively revoked, and future robocalls and robotexts from that caller must cease. The caller cannot claim that the use of such a mechanism by the called party is unreasonable. Any revocation request made through these specified means will be considered “absolute proof” of the called party's reasonable intent to revoke consent. Furthermore, when a consumer uses a method other than those discussed in the rule to revoke consent, “doing so creates a rebuttable presumption that the consumer has revoked consent when the called party satisfies their obligation to produce evidence that such a request has been made, absent evidence to the contrary.”
The Commission also included a notice of proposed rulemaking, seeking comment on “whether the TCPA applies to robocalls and robotexts from wireless providers to their own subscribers and whether consumers should have the ability to revoke consent and stop such communications.” The rule will go into effect 30 days after publication in the Federal Register, except for certain amendments that will not be effective until six months following OMB review.
FCC ruling determines AI calls are subject to TCPA regulations
On February 8, the FCC announced the unanimous adoption of a declaratory ruling that recognizes calls made with AI-generated voices are “artificial” under the Telephone Consumer Protection Act (TCPA). The declaratory ruling notes that the TCPA prohibits initiating “any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party” unless certain exceptions apply. The TCPA also prohibited “any non-emergency call made using an automatic telephone dialing system or an artificial or prerecorded voice to certain specified categories of telephone numbers including emergency lines and wireless numbers.”
The ruling, effective immediately, deemed voice cloning and similar AI technologies to be artificial voice messages under the TCPA, subject to its regulations. Therefore, prior express consent from the called party is required before making such calls. Additionally, callers using AI technology must provide identification and disclosure information and offer opt-out methods for telemarketing calls.
This ruling provided State Attorneys General nationwide with additional resources to pursue perpetrators responsible for these robocalls. This action followed the Commission’s November proposed inquiry for how AI could impact unwanted robocalls and texts (announcement covered by InfoBytes here).