InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DFPI modifies proposed regulations for complaints and inquiries under the CCFPL
On December 22, the California Department of Financial Protection and Innovation (DFPI) released modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last May to implement Section 90008 subdivisions (a) and (b) of the CCFPL, which authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries, as well as subdivision (d)(2)(D), which “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”
After considering comments received on the NPRM, changes proposed by the DFPI include the following:
- Amended definitions. The proposed regulations will not apply to, in addition to consumer reporting agencies and student loan servicers, a person or entity already exempt from the CCFPL under Section 90002. The definition of “complaint” is amended to include “an oral or written expression of dissatisfaction from a complainant regarding a specific issue or problem with a financial product or service.” Additionally, “complainant” is amended to also provide that a consumer must have been a resident of California at the time of the act, omission, decision, condition, or policy giving rise to the complaint. The proposed regulations also outline several categories that are not included in the definition of “complaint” or “inquiry.”
- Complaint procedure updates. The proposed regulations outline requirements for covered persons related to consumer disclosures and written communications covering the complaint process. The proposed regulations also require covered persons to accept all complaints, whether written or oral, provided the complaint includes a reason for filing the complaint and sufficient information to identify the complainant.
- Restrictions. Covered persons shall not (i) “[r]equest personal identifying information beyond what is reasonably necessary to identify the complainant and to send correspondence”; (ii) “[r]equest financial information unrelated to the specific complaint of the consumer:” or (iii) impose a time limit for filing a complaint that is shorter than one year from the time the complainant discovers the act, omission, decision, condition, or policy that is the subject of the complaint (if a time limit is imposed it must be stated in the required consumer disclosures).
- Complaint acknowledgements. For every complaint received, covered persons must send the complainant a written acknowledgement of receipt that is postmarked or otherwise shows that acknowledgement was sent within five business days after receiving the complaint. Within 15 business days after receiving a complaint, a covered person must provide a final decision on all issues. If additional time is required, a covered person must provide the complainant with a written update within three business days after the initial 15-business day period ends.
- Inquiry response requirements. Covered persons are required to develop and implement written policies and procedures to implement the regulations’ inquiry requirements, and must also respond to all issues raised by an inquiry within 10 business days. Covered persons must retain copies of all written inquiries and written responses for at least three years from the time the written response was issued.
- Reporting requirements. Covered persons must submit an annual complaint report to DFPI for each financial product or service offered or provided that will be made available to the public with limited exceptions. Each report shall include information regarding all complaints received by the covered person during the reporting period, and must be filed electronically with the Consumer Financial Protection Division no later than 60 business days after the end of each calendar year.
Comments on the proposed modifications are due January 20 (extended from January 13).
Colorado releases second draft of Colorado Privacy Act rules
On December 21, the Colorado attorney general released a second set of draft rules for the Colorado Privacy Act (CPA). As previously covered by a Buckley Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The first set of draft rules was issued last September and published by the Secretary of State on October 10 (covered by InfoBytes here).
The second set of draft rules seeks to address concerns raised through public comments as well as feedback received during three stakeholder sessions. The AG seeks specific input on questions related to (i) clarifications to definitions; (ii) the use of IP addresses to verify consumer opt-out requests; (iii) implementation of a universal opt-out mechanism; (iv) controller obligations related to meaningful privacy notices; and (v) bona fide loyalty programs. Among other things, the modifications would:
- Clarify definitions. The modifications add, delete, and amend several definitions, including those related to “biometric identifiers,” “commercial product or service,” “controller,” “employee,” “employer,” “employment records,” “noncommericial purpose,” “personal data,” “process,” “processor,” “profiling,” and terms involving automated processing.
- Amend purpose-based privacy notices. The modifications remove the requirement that privacy notices be purpose-based, and will instead require that the processing purpose and type of personal data processed be connected in a way that provides consumers a meaningful understanding of how their personal data will be used. The AG seeks feedback on ways the draft rules can “be made interoperable with California’s privacy notice requirements, while still considering the CPA’s purpose specification, secondary use requirements, and ensuring that a consumer has a meaningful understanding of the way their personal data will be used when they interact with a controller.” Feedback is also requested on whether controllers “who have updated their privacy policies to comply with California’s privacy notice requirements anticipate making a separate policy for Colorado, updating a California specific privacy notice to include Colorado or other state requirements, or revising the main privacy policy/notice to meet Colorado and other non-California state requirements[.]”
- Update universal opt-out mechanism. The modifications grant controllers six months from the date a universal opt-out mechanism is recognized by the AG to begin complying with that new mechanism. An initial public list of approved opt-out mechanisms will be published no later than January 1, 2024, and will be updated periodically.
- Clarify security measures and duty of care. The modifications provide additional details about the duty to safeguard personal data, and will require controllers to, among other things, consider “[a]pplicable industry standards and frameworks,” and the sensitivity, amount, and original source of the personal data when identifying reasonable and appropriate safeguards. The modifications also include provisions related to the processing of sensitive data inferences and specifies deletion requirements.
- Reduce data protection assessment requirements. The modifications reduce the information that must be included in a controller’s data protection assessment.
- Clarify privacy notice changes. The modifications clarify when a controller must notify a consumer of “substantive or material” changes to its data processing that trigger updates to its privacy notice. The modifications emphasize that disclosure of a new processing purpose in a privacy policy alone does not constitute valid consent.
- Address refreshing of consumer consent. The modifications provide that consumer consent must be refreshed when a consumer has not interacted with the controller in the last 12 months, and (i) the controller is processing sensitive personal information; or (ii) is processing personal data for secondary data use that involves profiling for a decision that could result “in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” However, controllers will not be required to refresh consent in situations where consumers have the ability to update their own opt-out preferences at any time.
Comments on the second set of draft rules are due February 1. If the formal rulemaking hearing on the proposed rules (scheduled for February 1) extends beyond that date, comments must be received on or before the last day of the hearing.
CFPB adjusts annual dollar amount thresholds under TILA, HMDA regulations
On December 21, the CFPB released a final rule revising the dollar amounts for provisions implementing TILA and its amendments that impact loans under the Home Ownership and Equity Protection Act of 1994 (HOEPA) and qualified mortgages (QM). The Bureau is required to make annual adjustments to dollar amounts in certain provisions in Regulation Z, and has based the adjustments on the annual percentage change reflected in the Consumer Price Index for Urban Wage Earners and Clerical Workers (CPI-W) in effect on June 1, 2022. The following thresholds are effective January 1, 2023:
- For open-end consumer credit plans under TILA, the threshold for disclosing an interest charge will remain unchanged at $1.00;
- For HOEPA loans, the adjusted total loan amount threshold for high-cost mortgages will be $24,866, and the adjusted points-and-fees dollar trigger for high-cost mortgages will be $1,243;
- For qualified mortgages under the General QM loan definition, the thresholds for the spread between the annual percentage rate and the average prime offer rate will be: “2.25 or more percentage points for a first-lien covered transaction with a loan amount greater than or equal to $124,331; 3.5 or more percentage points for a first-lien covered transaction with a loan amount greater than or equal to $74,599 but less than $124,331; 6.5 or more percentage points for a first-lien covered transaction with a loan amount less than $74,599; 6.5 or more percentage points for a first-lien covered transaction secured by a manufactured home with a loan amount less than $124,331; 3.5 or more percentage points for a subordinate-lien covered transaction with a loan amount greater than or equal to $74,599; or 6.5 or more percentage points for a subordinate-lien covered transaction with a loan amount less than $74,599”; and
- For all QM categories, the adjusted thresholds for total points and fees will be “3 percent of the total loan amount for a loan greater than or equal to $124,331; $3,730 for a loan amount greater than or equal to $74,599 but less than $124,331; 5 percent of the total loan amount for a loan greater than or equal to $24,866 but less than $74,599; $1,243 for a loan amount greater than or equal to $15,541 but less than $24,866; and 8 percent of the total loan amount for a loan amount less than $15,541.”
With respect to credit card annual adjustments, the Bureau noted that its 2023 annual adjustment analysis on the CPI-W in effect on June 1, did not result in an increase to the current minimum interest charge threshold (which requires “creditors to disclose any minimum interest charge exceeding $1.00 that could be imposed during a billing cycle”).
The Bureau also issued a final rule adjusting the asset-size threshold under HMDA (Regulation C). Under HMDA, institutions with assets below certain dollar thresholds are exempt from collection and reporting requirements. The final rule increases the asset-size exemption threshold for banks, savings associations, and credit unions from $50 million to $54 million, thereby exempting institutions with assets of $54 million or less as of December 31, 2022, from collecting HMDA data in 2023.
FCC affirms three-call limit but permits oral consent
On December 21, the FCC issued an order on reconsideration and declaratory ruling under the TCPA, affirming a three-call limit and opt-out requirements for exempted residential calls. According to the FCC, the ruling is in response to requests from industry trade groups related to a 2020 order implementing portions of the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act). The ruling upheld the three-call-limit for exempt calls made using automated telephone dialing systems to residential lines but revised the 2020 order’s requirement for “prior express written consent” to allow callers to obtain consent orally or in writing if they wish to make more calls than allowed. The FCC also granted a request to confirm that “prior express consent” for calls made by utility companies to wireless phones applies equally to residential landlines. The FCC noted that “limiting the number of calls that can be made to a particular residential line to three artificial or prerecorded voice calls within any consecutive thirty-day period strikes the appropriate balance between these callers reaching consumers with valuable information and reducing the number of unexpected and unwanted calls consumers currently receive.”
NCUA proposal looks to promote CU-fintech partnerships
On December 15, the NCUA issued a proposed rule seeking input on amendments to the agency’s regulations on the purchase of loan participations and the purchase, sale, and pledge of eligible obligations and other loans, including notes of liquidating credit unions. Among other things, the proposed rule would remove certain prescriptive limitations and other qualifying requirements to provide federal credit unions with additional flexibility to purchase eligible obligations of their members and engage with advanced technologies and other opportunities presented by fintechs. Improved flexibility and individual autonomy will allow federal credit unions “to establish their own risk tolerance limits and governance policies for these activities, while codifying due diligence, risk assessment, compliance and other management processes that are consistent with the Board’s long-standing expectations for safe, sound, fair and affordable lending practices,” the NCUA said. Comments on the proposed rule are due 60 days after publication in the Federal Register.
“As I have emphasized before, credit unions should recognize and harness the potential opportunities fintechs may offer them,” NCUA Chairman Todd Harper said. “However, we must also acknowledge the potential risks they pose to credit unions, their members, and the system and develop appropriate guardrails. This proposed rule strikes that balance. It provides flexibility, safety, and tailored relief to credit unions while fostering greater innovation.”
GSEs must seek FHFA preapproval for new products
On December 20, FHFA announced a final rule requiring Fannie Mae and Freddie Mac to provide advance notice of new activities and to obtain prior approval before launching new products. (See also fact sheet here.) Among other things, the final rule establishes that FHFA will determine which new activities merit public notice and comment and would be treated as new products subject to prior approval. Specifically, the final rule establishes that once a Notice of New Activity is deemed received, FHFA has 15 calendar days to determine if the new activity is a new product that merits public notice and comment. Additionally, the final rule establishes a public disclosure requirement for FHFA to publish its determinations on new activity and new product submissions. Among other things, if the agency “determines that a new activity is a new product, the final rule requires FHFA to publish a public notice soliciting comments on the new product for a 30-day period.” The final rule is effective 60 days after publication in the Federal Register.
HUD seeks public input on disaster recovery funds
On December 20, HUD released two new requests for information (RFIs) seeking public input on how to simplify, modernize, and more equitably distribute critical disaster recovery funds. According to HUD, the RFIs are a broader element of HUD’s newly published Climate Action Plan, “which emphasizes both equity and resilience in disaster recovery, as well as the Biden-Harris Administration’s commitment to strengthening low- and moderate-income communities.” HUD noted that the Community Development Block Grant Disaster Recovery and Mitigation focus on long-term recovery and resilience efforts, targeted to families with low- and moderate-incomes in the most impacted and distressed areas. HUD also noted that both funds are “unique” from other federal disaster assistance programs by FEMA and the SBA, as well as private insurance, because it is the only federal resource with the primary purpose of benefiting low- and moderate-income communities. HUD further noted that the RFIs will inform the policy that will tear down barriers and eliminate unnecessary administrative burden, as to provide better and quicker assistance to those affected.
Agencies release annual CRA asset-size threshold adjustments
On December 19, the Federal Reserve Board, FDIC, and OCC announced (see here and here) joint annual adjustments to the CRA asset-size thresholds used to define “small bank” and “intermediate small bank,” which are not subject to the reporting requirements applicable to large banks unless they choose to be evaluated as one. A “small bank” is defined as an institution that, as of December 31 of either of the prior two calendar years, had less than $1.503 billion in assets. An “intermediate small” bank is defined as an institution that, as of December 31 of both of the prior two calendar years, had at least $376 million in assets, and as of December 31 of either of the past two calendar years, had less than $1.503 billion in assets. The joint final rule takes effect on January 1, 2023.
OCC rescinds FDCPA section of booklet
On December 15, the OCC announced that the Federal Financial Institutions Examination Council’s Task Force on Consumer Compliance adopted revised examination procedures for the FDCPA and its implementing regulation, Regulation F. Among other things, the revised interagency examination procedures incorporate the CFPB's 2020 and 2021 FDCPA that went into effect in November 2021. The announcement noted that the agency is rescinding the “Fair Debt Collection Practices Act” section of the “Other Consumer Protection Laws and Regulations” booklet of the Comptroller's Handbook. The revised interagency examination procedures address, among other things: (i) determinations of whether a bank is a debt collector under the FDCPA and Regulation F; (ii) prohibitions on certain communications with consumers in connection with debt collection; and (iii) requirements for a reasonable and simple method that consumers can use to opt out of additional communications and attempts to communicate.
FHA announces pandemic assistance on reverse mortgages
On December 15, FHA published Mortgagee Letter 2022-23, COVID-19 Home Equity Conversion Mortgage (HECM) Property Charge Repayment Plan, which provides requirements for a new property charge repayment plan option for senior homeowners with HECMs who have gotten behind on their property charge payments as a result of the Covid-19 pandemic. The eligibility policies of the new repayment plan include, among other things:
- Making the plan available to borrowers who have applied for Homeowner Assistance Fund (HAF) assistance, if the HAF funds combined with the borrower’s ability to repay will satisfy the servicer’s advances for the delinquent property charges;
- Permitting the Covid-19 HECM Repayment Plan regardless of whether the borrower has been unsuccessful on a prior repayment plan and whether the borrower owes over $5,000 in property charge advances; and
- Requiring a verbal attestation from the borrower that they have been impacted by Covid-19.
Additionally, borrowers may receive a repayment plan regardless of the dollar amount of property charge payments owed. Further, servicers can offer homeowners a repayment plan of up to five full years (60 months) regardless of whether a prior repayment plan has been used.