InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FHA issues RFI on Title I Manufactured Housing Programs
On August 11, FHA and Ginnie Mae issued FHA INFO 2022-76, which seeks public feedback on their Title I Manufactured Housing Programs. According to the request for input, FHA and Ginnie Mae are seeking input on, among other things: (i) opportunities to improve the use and effectiveness of the Title I manufactured housing program; (ii) Title I lender eligibility requirements; and (iii) how to make the programs more competitive in the primary and secondary markets. Responses are due by September 26.
Democrats ask OCC to rescind crypto guidance
On August 10, four U.S. Democratic Senators sent a letter to acting Comptroller of the Currency Michael Hsu urging the OCC to rescind November 2021 guidance permitting national banks to engage in certain cryptocurrency activities. According to the letter, the Senators “are concerned that the OCC’s actions on crypto may have exposed the banking system to unnecessary risk, and ask that [Hsu] withdraw existing interpretive letters that have permitted banks to engage in certain crypto-related activities.” The letter noted that the OCC unilaterally released interpretive letters related to cryptocurrencies in July 2020 (Interpretive Letter 1170), October 2020 (Interpretive Letter 1172), and January 2021 (Interpretive Letter 1174). In the letters, the Senators noted, the OCC determined that banks were permitted to engage in certain crypto-related activities, which include, among other things: (i) “providing cryptocurrency custody service for customers”; (ii) “holding deposits that serve as reserves for certain stablecoins”; and (iii) “operating independent node verification networks [] and stablecoins for payment activities.” The Senators argued that the letters “granted banks unfettered opportunity to engage in certain crypto activities and remain problematic” after the OCC issued another interpretive letter (Interpretive Letter 1179) under Hsu attempting to limit the risks posed by the policies set forth in the earlier letters. The Senators asked Hsu to provide information so that they can “better understand banks’ exposure to the crypto market” by August 24. The Senators also urged Hsu to work with the Fed and FDIC on replacing his agency’s existing crypto guidance with a more “comprehensive approach.”
Chopra considers banking to be “under threat”
On August 10, CFPB Director Rohit Chopra discussed the digital market before the 2022 National Association of Attorneys General Presidential Summit. In his remarks, Chopra first discussed the evolution of advertising models over time, describing how the persuasion of advertising continues to be used to target an individual based on “voluminous amounts of personal data.” Chopra also discussed HUD’s 2019 complaint against a social media platform, stating that it “illustrates the stark differences between traditional advertising and today’s digital marketing.” According to Chopra, the social media platform “helped advertisers limit the audience for ads and enabled advertisers to target specific groups of people to the exclusion of protected classes.” Chopra further noted that “state attorneys general have already begun to recognize that these platforms are not passive advertisers.” Chopra also noted that the CFPB recently issued an interpretive rule explaining that the service provider exemption for “time or space” will typically not apply to the digital marketing services offered by major platforms (covered by InfoBytes here). Chopra described that though “they may be providing space for ads, these firms are commingling many other features that go well beyond the exemption.” To conclude, Chopra expressed that “banking is under threat.” He described that “sensitive data is viewed as more valuable to firms than our actual selves,” and that “advances in technology should help our economy and society advance, rather than incentivizing a rush to seize our sensitive financial data and to allow tech giants to evade existing laws that other firms must comply with.”
CFPB: Digital marketing providers/big tech liable for UDAAP violations
On August 10, the CFPB issued an interpretive rule addressing when the CFPA’s UDAAP provisions cover digital marketing providers that commingle the targeting and delivery of advertisements to consumers with the provision of advertising “time or space.” Currently, traditional marketing firms are exempt from the CFPA provided they allow banks and other financial institutions “time and space” in traditional media outlets such as television and newspapers to advertise products. The Bureau stated, however, that digital marketers go beyond this approach when they harvest large amounts of information about consumers and use this data to shape their marketing content strategy.
Under the interpretive rule, this exception does not apply to firms that are materially involved in the development of content strategy. Due to the different nature of the services provided, behavioral marketing and advertising for financial institutions could subject marketers to legal liability depending on how those practices are designed and implemented, the Bureau said. Because “[d]igital marketing providers are typically materially involved in the development of content strategy when they identify or select prospective customers or select or place content in order to encourage consumer engagement with advertising,” the Bureau explained that digital marketers “engaged in this type of ad targeting and delivery are not merely providing ad space and time,” and therefore do not qualify under the “time or space” exception. The interpretive rule noted, among other things, that while a covered person may specify certain parameters of the intended audience for a financial product, the digital marketers’ ads and delivery algorithms “identify the audience with the desired characteristics and determine whether and/or when specific consumers see an advertisement.”
“When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws,” CFPB Director Rohit Chopra said in the announcement. “The CFPB, states, and other consumer protection enforcers can sue digital marketers to stop violations of consumer financial protection law: Service providers are liable for unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. When digital marketers act as service providers, they are liable for consumer protection law violations,” the Bureau added.
FHFA to require servicers to maintain fair lending data
On August 10, the FHFA announced that Fannie Mae and Freddie Mac will start requiring servicers to obtain and maintain borrowers’ fair lending data on their loans. Data must transfer with servicing throughout the mortgage term, the announcement states, adding that beginning March 1, 2023, servicers will be required to collect borrower data including age, race, ethnicity, gender, and preferred language. The update follows an announcement issued in May (covered by InfoBytes here), which requires lenders to collect information on the borrower’s language preference, and on any homebuyer education or housing counseling that the borrower received, so that lenders can increase their understanding of borrowers’ needs throughout the home buying process. To facilitate the upcoming changes, Freddie Mac issued servicing Bulletin 2022-17, which outlines servicing requirements and notes that data elements must be stored in a format that can be searched, queried, and transferred. Simultaneously, Fannie Mae issued SVC-2022-06 to incorporate the new fair lending data requirements into its Servicing Guide. “Having fair lending data travel with servicing will help servicers do the important work of providing assistance to borrowers in need, helping to further a sustainable and equitable housing finance system,” FHFA Director Sandra Thompson said, adding that this need arose from the foreclosure crisis and Covid-19 response.
CFPB: Financial services companies must safeguard consumer data
On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”
While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
FTC probes cryptocurrency exchange operators
On August 9, the FTC issued an order denying a petition to quash a civil investigative demand (CID) against the operators of a cryptocurrency exchange regarding allegations of a December 2021 data breach. According to the order, the FTC “is investigating potential law violations arising out of [the company’s] operation and marketing of [the company], and whether Commission action to obtain monetary relief would be in the public interest.” The agency issued a virtually identical CID to the company on May 11 seeking details on what the company disclosed to consumers regarding the security of their crypto assets and how they have handled customer complaints. The FTC noted that investigation includes inquiries regarding the company’s “representations concerning its advertised exchange services; allegations that consumers have been denied access to their accounts; and concerns about the security of customer accounts especially in light of a publicly reported 2021 security breach that resulted in consumer loss of more than $200 million in cryptocurrency.” Among other things, the FTC is seeking to determine if the business practices of the operation in marketing and operating the company “constituted ‘unfair [or] deceptive . . . acts or practices . . . relating to the marketing of goods and services,’ or ‘[m]anipulative [c]onduct,’ ‘on the Internet’ (Resolution No. 2123125); constituted “deceptive or unfair acts or practices related to consumer privacy and/or data security’ in violation of Section 5 of the FTC Act (Resolution No. 1823036); or violated the GLB Act, its implementing rules, or Section 5 regarding ‘the privacy or security of consumer [financial] information.”
CFPB fines fintech for algorithm-induced overdraft charges
On August 10, the CFPB announced a consent order against a California-based fintech company for allegedly using an algorithm that caused consumers to be charged overdrafts on their checking accounts when using the company’s personal finance-management app. According to the Bureau, the app promotes automated savings with a proprietary algorithm, which analyzes consumers’ checking-account data to determine when and how much to save for each consumer. The app then automatically transfers funds from consumers’ checking accounts to accounts held in the company’s name. The Bureau asserted, however, that the company engaged in deceptive acts or practices in violation of the CFPA by (i) causing consumers’ checking accounts to incur overdraft charges from their banks even though it guaranteed no overdrafts and represented that its app never transferred more than a consumer could afford; (ii) representing that it would reimburse overdraft charges (the Bureau claims the company has received nearly 70,000 overdraft-reimbursement requests since 2017); and (iii) keeping interest that should have gone to consumers even though it told consumers it would not keep any interest earned on consumer funds. Under the terms of the consent order, the company is required to provide consumer redress for overdraft charges that it previously denied and must pay a $2.7 million civil penalty.
FTC charges healthcare company with fraud
On August 8, the FTC announced it has taken action against a healthcare company, two subsidiaries, and the former CEO and former vice president of sales (collectively, “defendants”) for allegedly misleading consumers about their health insurance plans and using deceptive lead generation websites. According to the complaint, the defendants, along with their third-party partners, allegedly engaged in deceptive sales practices in violation of the FTC Act, the Telemarketing Sales Rule, and the Restore Online Shoppers Confidence Act (ROSCA). These practices included allegedly (i) lying to consumers about the nature of their healthcare plans; (ii) bundling and charging junk fees for unwanted products that were typically not clearly disclosed (consumers were often charged for these additional products after they cancelled their core healthcare plans); and (iii) making it difficult for consumers to cancel their plans. The FTC further alleged that the company (which sells association memberships and other healthcare-related products to consumers, often through telemarketing companies and lead generators), as well as the former CEO and former vice president of sales, were aware of the agents’ misconduct but allegedly “took steps to disguise and further the deception” instead of stopping the deceptive practices.
The FTC stated that the company and two of its subsidiaries have agreed to a proposed court order, which requires the payment of $100 million in consumer redress. The proposed order also requires the company to contact current customers and allow them to cancel their enrollment. The company is also required to send refunds to consumers who cancel right after their order is entered. Additionally, the proposed order prohibits the company from misleading consumers about their products, requires the disclosure of total costs and limitations prior to purchase, and requires consumers to provide express informed consent before they are billed. The company must also provide a simple and easy-to-use cancellation method and closely monitor other companies that sell its products.
The FTC also filed separate proposed court orders against the individual defendants (see here and here), which impose similar prohibitions and permanently bans them from playing any role in the sale or marketing of any healthcare-related product or service. The proposed orders also prohibit the former CEO from engaging in deceptive or abusive telemarketing practices, and bans the former vice president of sales from participating in any telemarketing whatsoever in the future.
DOJ resolves SCRA violations with landlords
On August 8, the DOJ announced a settlement with two landlords resolving allegations that they violated the Servicemembers Civil Relief Act (SCRA) by obtaining unlawful court judgments against military tenants. The DOJ explained that, under the SCRA, if a landlord files a civil lawsuit against a tenant and the tenant does not appear in court, the landlord must file an affidavit with the court stating whether the tenant is in the military before seeking a judgment. The DOJ further noted that if the affidavit states that the tenant is in military service, the court cannot enter judgment until an attorney is appointed to represent the servicemember. The court must also postpone the case for at least 90 days. According to the DOJ’s complaint, which was filed in the U.S. District Court for the Eastern District of Virginia, the property owners allegedly filed false affidavits stating that the servicemembers were “not in military service” and failed to file affidavits of military service, as required by the SCRA, prior to obtaining default judgments against numerous servicemembers. The DOJ further alleged that the property owners had information in their files that would have allowed them to easily verify their tenants’ military status.
The consent decree requires the property owners to pay $162,971 to affected servicemembers and a $62,029 civil penalty to the U.S. The order also requires the property owners to, among other things, vacate the eviction judgments, repair the servicemembers’ credit, and provide SCRA training to their employees. The property owners must also reimburse affected servicemembers for any amounts collected pursuant to an unlawful judgment.