InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California’s privacy agency initiates formal CPRA rulemaking
On July 8, the California Privacy Protection Agency (CPPA) initiated formal rulemaking procedures to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), a law amending and building on the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during a February meeting that the rulemaking process will extend into the second half of the year.
The July proposed regulations modify definitions in the CCPA regulations; outline restrictions on the collection and use of personal information; provide disclosure and communications requirements; describe requirements for submitting CCPA requests and obtaining consumer consent; amend required privacy notices; provide instructions for the Notice of Right to Limit Use of Sensitive Personal Information; amend methods for handling consumer requests to delete, correct, and know; set forth requirements for opt-out preference signals; and address consumer requests for limiting the use and disclosure of sensitive personal information. Comprehensive details of the modified provisions and proposed regulations are available in previous InfoBytes coverage here.
The CPPA stated in its notice of proposed rulemaking that the proposed regulations serve three primary purposes: to (i) “update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA”; (ii) “operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law”; and (iii) “reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.” The CPPA emphasized that the proposed regulations are designed to factor in privacy laws in other jurisdictions and “implement compliance with the CCPA in such a way that it would not contravene a business’s compliance with other privacy laws, such as the General Data Protection Regulation (GDPR) in Europe and consumer privacy laws recently passed in Colorado, Virginia, Connecticut, and Utah.” This design, the CPPA said, will simplify compliance for businesses operating across jurisdictions and avoid unnecessary confusion for consumers who may not understand which laws apply to them.
A hearing on the proposed regulations is scheduled for August 24 and 25. Comments are due August 23.
Treasury solicits comments on digital assets
On July 12, the U.S. Treasury Department released a notice seeking public comment regarding potential opportunities and risks presented by digital assets. According to the announcement, Treasury is requesting input that will inform its work in carrying out its mandate under Executive Order 14067, Ensuring Responsible Development of Digital Assets, which directs Treasury, in consultation with the Secretary of Labor and other relevant agencies, to report to President Biden on the implications of development and adoption of digital assets and changes in financial market and payment infrastructures. The notice also seeks feedback from the public on potential risks associated with digital asset markets and how digital assets may benefit or pose risk to vulnerable populations. Comments must be received by August 8.
FHA revises appraisal validity period
On July 12, FHA released FHA INFO 2022-71, announcing the publication of Mortgagee Letter (ML) 2022-11, Revised Appraisal Validity Periods, which applies to Single Family Title II Forward and HECM programs. The ML increases the FHA initial appraisal validity period from 120 days to 180 days and extends the appraisal update validity period to one year. As a result of the ML, FHA will implement modifications to the appraisal-related functionality in FHA Connection (FHAC). For all case numbers assigned on or after September 6, the Appraisal Effective Date field on the FHAC Appraisal Logging screen will no longer be editable. Appraisal Logging for this field is automatically pre-filled with the information submitted from the electronic appraisal report. The updates outlined in ML 2022- 11 will be incorporated under the Single-Family Housing Policy Handbook 4000.1.
District Court orders CFPB to issue Section 1071 rulemaking by March 31
On July 11, the U.S. District Court for the Northern District of California issued an order setting March 31, 2023 as the deadline for the CFPB to issue a notice of proposed rulemaking (NPRM) on small business lending data. As previously covered by InfoBytes, the Bureau is obligated to issue an NPRM for implementing Section 1071 of the Dodd-Frank Act, which requires the agency to collect and disclose data on lending to women and minority-owned small businesses. The requirement was established as part of a stipulated settlement reached in 2020 with a group of plaintiffs, including the California Reinvestment Coalition (CRC), who argued that the Bureau’s failure to implement Section 1071 violated two provisions of the Administrative Procedures Act, and harmed the CRC’s ability to advocate for access to credit, advise organizations working with women and minority-owned small businesses, and work with lenders to arrange investment in low-income and communities of color (covered by InfoBytes here).
Find continuing Section 1071 coverage here.
CFPB publishes rulemaking agenda
Recently, the Office of Information and Regulatory Affairs released the CFPB’s spring 2022 rulemaking agenda. According to the preamble, the information in the agenda is current as of April 1, 2022 and identifies regulatory matters that the Bureau “reasonably anticipates having under consideration during the period from June 1, 2022 to May 31, 2023.”
Key rulemaking initiatives include:
- Consumer Access to Financial Records. The Bureau notes that it is considering rulemaking to implement section 1033 of the Dodd-Frank Act to address the development and use of standardized formats for information made available to consumers. The Bureau will release materials in advance of convening a panel under the Small Business Regulatory Enforcement Fairness Act (SBREFA), in conjunction with the Office of Management and Budget and the Small Business Administration’s Chief Counsel for Advocacy.
- Amendments to FIRREA Concerning Automated Valuation Models. The Bureau is participating in interagency rulemaking with the Fed, OCC, FDIC, NCUA, and FHFA to develop regulations to implement the amendments made by the Dodd-Frank Act to FIRREA concerning appraisal automated valuation models (AVMs). The FIRREA amendments require implementing regulations for quality control standards for AVMs. The Bureau released a SBREFA outline in February 2022 and estimates in the agenda that the agencies will issue an NPRM in December 2022 (covered by InfoBytes here).
- Property Assessed Clean Energy Financing. The Bureau issued an ANPR in March 2019 to extend TILA’s ability-to-repay requirements to PACE transactions (covered by InfoBytes here). The Bureau is working to develop a proposed rule to implement Economic Growth, Regulatory Relief, and Consumer Protection Act section 307 in May 2023.
- Small Business Lending Data Collection Under the Equal Credit Opportunity Act. Section 1071 of the Dodd-Frank Act amended ECOA to require financial institutions to report information concerning credit applications made by women-owned, minority-owned, and small businesses, and directed the Bureau to promulgate rules for this reporting. The Bureau issued an NPRM in August 2021, and the comment period ended January 6 (covered by InfoBytes here). The agenda indicates that the Bureau estimates issuance of a final rule in March 2023.
- Adverse Information in Cases of Human Trafficking Under the Debt Bondage Repair Act. The National Defense Authorization Act amended the FCRA to prohibit consumer reporting agencies from providing reports containing any adverse items of information resulting from human trafficking. In June 2022, the CFPB issued a final rule implementing amendments to the FCRA intended to assist victims of human trafficking (covered by InfoBytes here).
CFPB advisory stresses “permissible purpose” of consumer reports
On July 7, the CFPB issued an advisory opinion to state its interpretation that under certain FCRA-permissible purpose provisions, a consumer reporting agency may not provide a consumer report to a user unless it has reason to believe that all of the information it includes pertains to the consumer who is the subject of the user’s request. The Bureau explained that “credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy,” and reminded covered entities that “FCRA section 604(f) strictly prohibits a person who uses or obtains a consumer report from doing so without a permissible purpose.”
Among other things, the FCRA is designed to ensure fair and accurate reporting and requires users who buy these consumer credit reports to have a legally permissible purpose. Specifically, the advisory opinion clarifies that (i) insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, thus violating a consumer’s privacy rights (the Bureau explained that if a credit reporting company uses name-only matching procedures, items appearing on a credit report may not all correspond to a single individual); (ii) it is unlawful to provide credit reports of multiple people as “possible matches” (credit reporting companies are obligated to implement adequate procedures to find the correct individual); (iii) disclaimers about insufficient matching procedures will not cure a failure to take reasonable measures to ensure the information provided in a credit report is only about the individual for whom the user has a permissible purpose; and (iv) credit report users must ensure that they are not violating an individual’s privacy by obtaining a credit report when they lack a permissible purpose for doing so.
The Bureau also outlined certain criminal liability provisions in the FCRA. According to the advisory opinion, covered entities may face criminal liability under Section 619 for obtaining information on an individual under false pretenses, while Section 620 “imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to an unauthorized person.” Violators can face criminal penalties and imprisonment, the Bureau said in its announcement.
As previously covered by InfoBytes, the Bureau finalized its Advisory Opinions Policy in 2020. Under the policy, entities seeking to comply with existing regulatory requirements are permitted to request an advisory opinion in the form of an interpretive rule from the Bureau (published in the Federal Register for increased transparency) to address areas of uncertainty.
Agencies release customer relationship and due diligence guidance
On July 6, the FDIC, Federal Reserve Board, FinCEN, NCUA, and OCC issued a joint statement concerning banks’ risk-based approach for assessing customer relationships and conducting customer due diligence (CDD). Specifically, the joint statement reinforces the agencies’ “longstanding position that no customer type presents a single level of uniform risk or a particular risk profile related to money laundering (ML), terrorist financing (TF), or other illicit financial activity.” Banks are reminded that they must apply a risk-based approach to CDD and adopt appropriate risk-based procedures for conducting ongoing CDD when developing risk profiles of their customers. Because customer relationships present varying levels of ML, TF, and other illicit financial activity risks, the agencies advised banks to, among other things, (i) understand the nature and purpose of customer relationships; and (ii) “conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”
Additionally, banks that comply with applicable Bank Secrecy Act/anti-money laundering (BSA/AML) legal and regulatory requirements and effectively manage and mitigate risks related to the unique characteristics of customer relationships, “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type,” the agencies said, adding that “as a general matter” they will not direct banks to open, close, or maintain specific accounts as they “recognize that banks choose whether to enter into or maintain business relationships based on their business objectives and other relevant factors, such as the products and services sought by the customer, the geographic locations where the customer will conduct or transact business, and banks’ ability to manage risks effectively.” Banks are encouraged “to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.”
The joint statement is applicable to all customer types referenced in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, as well as to those not specifically addressed in the manual. These include “independent automated teller machine owners or operators, nonresident aliens and foreign individuals, charities and nonprofit organizations, professional service providers, cash intensive businesses, nonbank financial institutions, and customers the bank considers politically exposed persons.” The agencies reiterated that the joint statement does not alter existing BSA/AML legal or regulatory requirements, nor does it establish new supervisory expectations. Moreover, the FFIEC BSA/AML Examination Manual does not establish requirements for banks, nor should the inclusion of sections on specific customer types be interpreted as a signal that certain customer types present uniformly higher risk.
Louisiana proposes virtual currency business licensing rules
On June 20, the Louisiana Office of Financial Institutions (OFI) published proposed rules in the Louisiana Register to implement the Louisiana Virtual Currency Business Act (VCBA), which governs the licensing process for businesses or individuals who are currently operating, or intend to soon begin operating, a virtual currency business in the state. As previously covered by InfoBytes, the Act (HB 701), which took effect August 1, 2020, provides for the licensing and regulation of virtual currency businesses in the state. Subject to certain exceptions, the bill establishes licensing and registration requirements, and, among other things, (i) authorizes reciprocity of licensure with other states; (ii) specifies that licensee applications must be submitted through the Nationwide Multi-State Licensing System; (iii) adds provisions related to licensee examinations; (iv) outlines licensee surety bond requirements “based on the nature and extent of risks in the applicant’s virtual currency business model”; (v) provides the state’s office of financial institutions with enforcement authority; and (vi) prohibits licensees from engaging in unfair, deceptive, or fraudulent practices.
The proposed rules are intended to enable OFI to achieve its regulatory goals and supervision and oversight of such persons included within the scope of the VCBA in an efficient, effective manner. OFI also proposes to implement a fee structure to cover regulatory and supervisory costs in order for the agency to effectively ensure compliance with the VCBA, and allow for licensure and registration of covered persons. Among other things, the proposed rules:
- Outline various definitions, including terms related to control, net worth, unfair or deceptive acts or practices, and unfair or unsound acts or practices.
- Describe processes for the approval of a control person or approval of a change in control; licensing renewal or registration notice; determination of net worth; examination and investigation procedures; and requirements for reporting, recordkeeping, and implementation of policies and procedures.
- Stipulate that “failure to provide any disclosure or disclosures required by Subsection 1931(C) of this rule shall be an unfair or deceptive act or practice for purposes of taking enforcement action against a licensee, registrant, or person that is neither a licensee nor registrant but is engaging in virtual currency business activity or activities.” While the proposed rules do not specifically identify the required disclosures, they state that the “commissioner shall also determine, by policy, the time and form required for such disclosures. Disclosures required by this section must be made separately from any other information provided by the licensee to a person and in a clear and conspicuous manner. A licensee may propose, for the commissioner’s approval, alternate disclosures as deemed more appropriate for its virtual currency business activity with, or on behalf of, persons in Louisiana.”
- Clarify that an unsafe or unsound act or practice includes engaging in an activity “which creates the likelihood of material loss, insolvency, dissipation of the licensee’s or registrant’s assets, materially prejudices the interests of its customers, and any other set of facts and circumstances, as determined by the commissioner in his discretion.”
- Allow the commissioner to assess a civil penalty for violations of the VCBA (or any rule promulgated pursuant to the VCBA or an commissioner-issued orders) not to exceed $1,000 for each violation.
The proposed rules provide that “[n]oncompliance with any provisions of the VCBA, including but not limited to any provisions pertaining to ownership, control, security, net worth, registration, or failure to pay any fee may likewise be considered in determining whether to deny issuance or renewal of a license or notice of registration.” Once the rules are implemented, any person already engaged in virtual currency business activity or activities in the state must either apply for a license or file a notice of registration, and submit a completed application within 90 days of the effective date. Persons engaged in virtual currency business activity that fail to submit a completed licensing application or notice of registration within 90 days of the effective date of the rules shall be deemed to be conducting unlicensed or unregistered virtual currency business activity or activities and will be subject to civil and criminal penalties. Starting November 1, 2023, “all applications for renewal for all licenses and notices of registration to engage in virtual currency business activities shall begin submitting an application or notice of registration for renewal on the first day of November of each calendar year.”
Comments on the proposed rules are due July 10.
Halperin discusses invoking UDAAP under CFPA
On June 29, the American University Washington College of Law held a symposium centered in part around the CFPB’s new approach for examining institutions for unfair conduct. During the CFPB’s New Approach to Discrimination: Invoking UDAAP symposium, CFPB Assistant Director for the Office of Enforcement Eric Halperin answered questions related to updates recently made to the Bureau’s Unfair, Deceptive, or Abusive Acts or Practices Examination Manual. These updates detail the agency’s view that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service as an unfair act or practice. (Covered by a Buckley Special Alert here.) The Bureau published a separate blog post by its enforcement and supervision heads explaining that they were “cracking down on discrimination in the financial sector,” and that the new procedures would guide examiners to look “beyond discrimination directly connected to fair lending laws” and “to review any policies or practices that exclude individuals from products and services, or offer products or services with different terms, in an unfairly discriminatory manner.”
Assistant Director Halperin’s remarks were followed by a discussion of the Bureau’s revisions to its Examination Manual by a panel that consisted of David Silberman of the Center for Responsible Lending, Kitty Ryan of the American Bankers Association, and John Coleman of Buckley LLP, which was moderated by Jerry Buckley. Topics covered included a June 28 letter that trade associations sent to the CFPB urging recission of revisions to the Examination Manual.
In his interview with American University Law School Professor V. Gerard Comizio, Halperin stated that the CFPB’s Examination Manual updates provide guidance on how examiners will implement the Bureau’s statutory authority to examine whether an act or practice is unfair because it may cause or is likely to cause substantial injury to consumers that is not reasonably avoidable and not outweighed by countervailing benefits to consumers or competition. He stressed that the update does not create a new legal standard under the three prongs of the unfairness standard. Halperin also discussed how the Bureau’s UDAAP authority interacts with laws enacted specifically to prevent discriminatory conduct such as ECOA and the Fair Housing Act, and touched on steps institutions should consider taking to ensure compliance. Notably, when asked whether the Bureau intends to pursue disparate impact claims under the CFPA, Halperin stated that disparate impact, along with disparate treatment, are wholly distinct concepts from Dodd-Frank’s prohibition on unfair acts and practices. He added that in assessing an unfair act and practice, the key is to examine the substantial injury prong and then assess the reasonable avoidability and the countervailing benefits prongs. He further explained that the unfairness test does not contain an intentional standard and noted that there have been cases brought by both the FTC and the Bureau where there was injurious conduct that was not intentional or specifically known to the party engaging in this practice. According to Halperin, substantial injury alone is not sufficient to prove unfairness and using disparate impact as the mechanism of proof is not what the Bureau uses to prove an unfairness claim.
Halperin reiterated that the CFPB Examination Manual is designed to provide transparency to financial institutions about the types of issues that examiners will be inquiring about in furtherance of determining whether there has been an unfair act or practice under the current framework, and does not extend or create new law. In terms of practical compliance implications, Halperin said most financial institutions should already have robust UDAAP compliance systems in place and should already be looking for potential unfair acts or practices and examining patterns and group characteristics to identify the root cause of any issues, and to avoid substantial injury to consumers. With respect to a white paper recently sent to CFPB Director Rohit Chopra from several industry groups and the U.S Chamber of Commerce urging the Bureau to rescind the UDAAP exam manual (covered by InfoBytes here), Halperin commented that he has not had time to fully digest the white paper in detail but hoped that some of what was discussed during the symposium, particularly on the legal principles that will be used both in the exam manual and in any supervision and enforcement actions, clarifies that the Bureau is looking for conduct that violates the unfairness test.
CFPB warns debt collectors on “pay-to-pay” fees
On June 29, the CFPB issued an advisory opinion to state its interpretation that Section 808 of the FDCPA and Regulation F generally prohibit debt collectors from charging consumers “pay-to-pay” fees for making payments online or by phone. “These types of fees are often illegal,” the Bureau said, explaining that its “advisory opinion and accompanying analysis seek to stop these violations of law and assist consumers who are seeking to hold debt collectors accountable for illegal practices.”
These fees, commonly known as convenience fees, are prohibited in many circumstances under the FDCPA, the Bureau said. It pointed out that allowable fees are those authorized in the original underlying agreements that consumers have with their creditors, such as with credit card companies, or those that are affirmatively permitted by law. Moreover, the Bureau stressed that the fact that a law does not expressly prohibit the assessment of a fee does not mean a debt collector is authorized to charge a fee. Specifically, the advisory opinion interprets FDCPA Section 808(1) to permit collection of fee only if: (i) “the agreement creating the debt expressly permits the charge and some law does not prohibit it”; or (ii) “some law expressly permits the charge, even if the agreement creating the debt is silent.” Additionally, the Bureau’s “interpretation of the phrase ‘permitted by law’ applies to any ‘amount’ covered under section 808(1), including pay-to-pay fees.” The Bureau further added that while some courts have adopted a “separate agreement” interpretation of the law to allow collectors to assess certain pay-to-pay fees, the agency “declines to do so.”
The Bureau also opined that a debt collector is in violation of the FDCPA if it uses a third-party payment processor for which any of that fee is remitted back to the collector in the form of a kickback or commission. “Federal law generally forbids debt collectors from imposing extra fees not authorized by the original loan,” CFPB Director Rohit Chopra said. “Today’s advisory opinion shows that these fees are often illegal, and provides a roadmap on the fees that a debt collector can lawfully collect.”
As previously covered by InfoBytes, the Bureau finalized its Advisory Opinions Policy in 2020. Under the policy, entities seeking to comply with existing regulatory requirements are permitted to request an advisory opinion in the form of an interpretive rule from the Bureau (published in the Federal Register for increased transparency) to address areas of uncertainty.