
InfoBytes Blog

Financial Services Law Insights and Observations


  • FHA extends temporary partial waivers for specific HECM policies

    Agency Rule-Making & Guidance

    On November 28, FHA announced FHA INFO 2022-98 to extend two temporary partial waivers to its Home Equity Conversion Mortgage (HECM) loss mitigation policies for senior borrowers impacted by the Covid-19 pandemic who continue to experience significant financial difficulties. The first temporary partial waiver concerns Mortgagee Letter 2015-11. FHA notes that the waiver “allows mortgagees to offer repayment plans to HECM borrowers with unpaid property charges regardless of their total outstanding arrearage.” The second waiver—concerning Mortgagee Letter 2016-07—“permits mortgagees to seek assignment of a HECM immediately after using their own funds to pay property taxes and insurance on or after March 1, 2020, by temporarily eliminating the three-year waiting period for such assignments.” Both waivers were set to expire at the end of December, but are now effective through December 31, 2023.

    Agency Rule-Making & Guidance FHA HECM Mortgages Consumer Finance HUD Loss Mitigation Covid-19

  • CFPB sets 2023 FCRA asset threshold

    Federal Issues

    On November 22, the CFPB announced the annual adjustment to the maximum amount that consumer reporting agencies are permitted to charge consumers for making a file disclosure to a consumer under the FCRA. According to the rule, the ceiling on allowable charges under Section 612(f) of the FCRA will increase to $14.50, which is a $1.00 increase from the ceiling on allowable charges for 2022. The rule is effective January 1, 2023.

    Federal Issues Agency Rule-Making & Guidance CFPB FCRA Consumer Finance Consumer Reporting Agency

  • FCC says consent is required for ringless voicemails

    Agency Rule-Making & Guidance

    On November 21, the FCC issued a declaratory ruling that entities using ringless voicemail products must first obtain a consumer's consent prior to using the product to leave voicemails. According to the FCC, it receives “dozens of consumer complaints annually related to ringless voicemail.” The unanimous ruling establishes that ringless voicemails are “calls” that require consumers’ prior express consent, and further clarifies that a ringless voicemail is a form of a robocall, and therefore subject to the TCPA robocall prohibition, which prohibits making any non-emergency call with an automatic telephone dialing system or an artificial or prerecorded voice to a wireless telephone number without the prior express consent of the called party.

    The FCC’s declaratory ruling denied a 2017 petition filed by a company that distributes technology that permits voicemail messages to be delivered directly to consumers’ voicemail services. The petitioner argued that ringless messages, and the process by which the ringless voicemail is deposited on a carrier’s platform, is neither a call made to a mobile telephone number nor a call for which a consumer is charged and, therefore, is a service that is not regulated. The FCC rejected the petitioner’s argument that ringless voicemail is not a TCPA call because it does not pass through a consumer’s phone line and that the TCPA protects only calls made directly to a wireless handset, and does not result in a charge to the consumer for the delivery of the voicemail message. The ruling noted that “consumers cannot block these messages and consumers experience an intrusion on their time and their privacy by being forced to spend time reviewing unwanted messages in order to delete them.” The ruling also noted that a “consumer’s phone may signal that there is a voicemail message and may ring once before the message is delivered, which is another means of intrusion. Consumers must also contend with their voicemail box filling with unwanted messages, which may prevent other callers from leaving important wanted messages.” According to a statement by FCC Chairwoman Jessica Rosenworcel, the rule makes it “crystal clear" that ringless voicemails are subject to the TCPA and that the Commission's rules "prohibit[] callers from sending this kind of junk without consumers first giving their permission to be contacted this way.”

    Agency Rule-Making & Guidance Federal Issues FCC Robocalls TCPA

  • FHA to accept private flood insurance for FHA-insured mortgages

    Agency Rule-Making & Guidance

    On November 21, FHA published a final rule in the Federal Register to allow homeowners with FHA-insured mortgages to obtain flood insurance policies that meet FHA requirements from private insurance providers. Specifically, the Acceptance of Private Flood Insurance for FHA-Insured Mortgages final rule updates agency regulations to give borrowers the option to purchase a comparable private insurance policy that conforms to FHA requirements in lieu of a National Flood Insurance Program (NFIP) policy for FHA-insured mortgages secured by properties located in FEMA-designated special flood hazard areas (SFHAs). Previously, only flood insurance obtained through the NFIP was accepted. The final rule applies to all FHA-insured single family Title II mortgages, including home equity conversion mortgages, and loans insured under FHA Title I programs. Lenders should refer to Mortgagee Letter 2022-18 for guidance on implementing the final rule’s requirements, which are effective December 21.

    Concurrently, HUD issued a press release stating that beginning December 21, “FHA will require lenders to provide detailed flood insurance coverage information when electronically submitting mortgages for FHA insurance on properties in SFHAs.” According to HUD, “[t]his data collection is an objective included in HUD’s Climate Action Plan and will allow FHA to capture and analyze flood insurance information on mortgages in its portfolio at a more granular level than has been possible previously.”

    Agency Rule-Making & Guidance Federal Issues HUD FHA Mortgages Flood Insurance Flood Disaster Protection Act National Flood Insurance Program

  • FTC seeks feedback on possible changes to Business Opportunity Rule

    Federal Issues

    On November 17, the FTC announced it is soliciting public comments on possible modifications to the Business Opportunity Rule. According to the FTC’s advance notice of proposed rulemaking (ANPR), the Commission is seeking feedback on the rule’s effectiveness, whether it is necessary, and whether it should be expanded to cover other types of money-making opportunities, such as coaching or mentoring programs, e-commerce opportunities, or investment opportunities. The Business Opportunity Rule prohibits the use of deceptive statements when selling business opportunities, and requires sellers to make several key disclosures to potential buyers, including: (i) the seller’s identifying information; (ii) information supporting claims about possible earnings or profits; (iii) disclosures about whether the seller, its affiliates, or key personnel have been included in certain legal actions; (iv) information on whether the seller has a cancellation or refund policy and any applicable policy terms; and (v) a list covering the past three years of consumers who have purchased the business opportunity. The FTC will also require sellers who conduct business in languages other than English to provide disclosures in the language in which the sale is conducted.

    The ANPR also asks commenters to address whether business opportunity practices “disproportionately target or affect certain communities or groups, including but not limited to people living in lower-income communities, communities of color, or other historically underserved communities,” and requests feedback on suggested amendments to address any negative effects. Comments on the ANPR are due 60 days after publication in the Federal Register.

    Federal Issues Agency Rule-Making & Guidance FTC Business Opportunity Rule Deceptive

  • FTC extends compliance on some Safeguards provisions

    Federal Issues

    On November 15, the FTC announced that covered financial institutions now have until June 9, 2023, to comply with certain updated Safeguards Rule requirements. The Commission issued this extension based on reports, including a letter from the SBA’s Office of Advocacy, that a shortage of qualified personnel to implement financial institutions’ information security programs and supply chain issues could delay security system upgrades.

    As previously covered by InfoBytes, in October 2021, the FTC issued a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. Among other things, the final rule added specific criteria financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, must undertake when conducting a risk assessment and implementing an information security program. Among other requirements, these include implementing provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response. The final rule also added measures to ensure employee training and service provider oversight are effective and expanded the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e. companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule). While many provisions of the Safeguards Rule became effective 30 days after publication in the Federal Register, certain other provisions, including requirements applicable to covered financial institutions, were set to take effect December 9, 2022.

    Federal Issues Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance Safeguards Rule FTC Compliance

  • CFPB finalizes nonbank supervisory rule

    Agency Rule-Making & Guidance

    On November 10, the CFPB announced a final rule finalizing changes to a nonbank supervision procedural rule issued in April. As previously covered by InfoBytes, the Bureau announced earlier this year that it was invoking a “dormant authority” under the Dodd-Frank Act to conduct supervisory examinations of fintech firms and other nonbank financial services providers based upon a determination of risk. Specifically, the Bureau said it intends to use a provision under Section 1024 of Dodd-Frank that allows it to examine nonbank financial entities, upon notice and an opportunity to respond, if it has “reasonable cause” to determine that consumer harm is possible. Concurrently, the Bureau issued a request for public comment on an updated version of a procedural rule that implements its statutory authority to supervise nonbanks “whose activities the CFPB has reasonable cause to determine pose risks to consumers,” including potentially unfair, deceptive, or abusive acts or practices. Provisions outlined in the procedural rule would exempt final decisions and orders by the Bureau director from being considered confidential supervisory information, thus allowing the Bureau to publish the decisions on its website. Subject companies would be given an opportunity seven days after a final decision is issued to provide input on what information, if any, should be publicly released, the Bureau said.

    After reviewing public comments received on the procedural rule, the Bureau incorporated certain changes to clarify the standard that the agency will apply when deciding what information is appropriate for public release, in whole or in part. The Bureau explained that information falling within Freedom of Information Act Exemptions 4 and 6 (which protect confidential commercial information and personal privacy) will not be published. Additionally, the Bureau said it may also choose to withhold information if the director determines there is other good cause to do so. The final rule also extends the deadline from seven to ten business days for nonbanks to submit input about what information should be released. The final rule will take effect upon publication in the Federal Register.

    Notably, the Bureau emphasized that the “amended procedures only relate to the initial decision to extend supervision to a nonbank entity” and “do not affect the confidentiality of any ensuing supervisory examination or any other aspect of the supervisory process.”

    Agency Rule-Making & Guidance Federal Issues Fintech CFPB Nonbank Supervision Dodd-Frank Consumer Finance UDAAP FOIA

  • FTC looks to Section 5 in enforcing “unfair” competition

    Federal Issues

    On November 10, the FTC issued a policy statement announcing that it would “rigorously enforc[e] the federal ban on unfair methods of competition.” According to the announcement, the FTC intends to make wider use of the FTC Act to police companies that use unfair tactics to try to gain a competitive advantage. “When Congress created the FTC, it clearly commanded us to crack down on unfair methods of competition,” FTC Chair Lina M. Khan said. “Enforcers have to use discretion, but that doesn’t give us the right to ignore a central part of our mandate. Today’s policy statement reactivates Section 5 and puts us on track to faithfully enforce the law as Congress designed.” In enacting Section 5, Congress purposely introduced the phrase “unfair methods of competition” in the statute to distinguish the FTC’s authority from the definition of “unfair competition” at common law, the policy explained, adding that Section 5 was designed to extend beyond the reach of antitrust laws. However, recognizing that a static definition would become outdated, Congress afforded the FTC flexibility to adapt to changing circumstances. The policy statement lays out the FTC’s approach for policing unfair methods of competition, and will allow the Commission to, among other things, sue companies under its mandate to protect consumers from fraudulent practices, price discrimination, exclusive deals and loyalty rebates, and misleading business practices such as commercial bribery and false or deceptive advertising.

    Federal Issues Agency Rule-Making & Guidance FTC Unfair FTC Act Competition Antitrust

  • CFPB tells CRAs, furnishers to investigate disputes

    Agency Rule-Making & Guidance

    On November 10, the CFPB issued Circular 2022-07 to outline how federal and state consumer protection enforcers can bring claims against companies that fail to investigate and resolve consumer report disputes. According to the Bureau, consumer reporting agencies (CRAs) and some furnishers have failed to conduct reasonable investigations of consumer disputes. The Circular affirmed that CRAs and furnishers must reasonably investigate all disputes that they have not reasonably determined to be frivolous or irrelevant, and may be liable under the Fair Credit Reporting Act if they fail to do so. Additionally, the Circular noted that claims can be pursued by both state and federal consumer protection enforcers and regulators. The Circular also described that enforcers can “bring a claim if a consumer reporting agency fails to promptly provide to the furnisher ‘all relevant information’ regarding the dispute that the consumer reporting agency receives from the consumer.” On the topic of whether CRAs need to forward to furnishers consumer-provided documents attached to a dispute, the Circular noted that “[i]t depends.” The Circular then explained that even “[w]hile there is not an affirmative requirement to specifically provide original copies of documentation submitted by consumers, it would be difficult for a consumer reporting agency to prove they provided all relevant information if they fail to forward even an electronic image of documents that constitute a primary source of evidence.”

    Agency Rule-Making & Guidance Federal Issues CFPB Consumer Finance Consumer Reporting Agency Credit Furnishing

  • NYDFS amends cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”

    Some changes within the proposed amended regulation include:

    • New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (counting both the covered entity and all affiliates, regardless of location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
    • Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
      • The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
      • The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
      • The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
      • If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
    • Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
    • Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
    • Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
    • Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
      • Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory. At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
      • Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
      • Multi-Factor Authentication: The proposed amendment expands the types of accounts and access that require multi-factor authentication, to include all privileged accounts.
      • Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
    • Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent, within 90 days of the notice of the cybersecurity event, “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
    • Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.

    The proposed amended regulation is subject to a 60-day comment period beginning on November 8th upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. After the comment period ends, NYDFS will review the comments received and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply except as otherwise specified.

    See continuing InfoBytes coverage on 23 NYCRR Part 500 here.

    Privacy, Cyber Risk & Data Security Bank Regulatory Agency Rule-Making & Guidance State Issues New York NYDFS 23 NYCRR Part 500
