
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC proposes climate risk disclosures

    Securities

    On March 21, the SEC announced a proposed rule to require registrants to disclose certain climate-related information in their registration statements and periodic reports. According to the proposed rule, a registrant must disclose, among other things, information regarding its direct and certain indirect emissions of greenhouse gas (GHG). The GHG emissions disclosure proposals “would provide investors with decision-useful information to assess a registrant’s exposure to, and management of, climate-related risks, and in particular transition risks.”

    The proposed rule also establishes that accelerated filers and large accelerated filers would be required to include an attestation report from an independent attestation service provider covering certain emissions disclosures, with a phase-in over time, to promote the reliability of GHG emissions disclosures for investors. The proposed rule further noted additional disclosure requirements for registrants that have made a so-called net-zero commitment or adopted a plan to reduce their GHG footprint or exposures.

    The same day, the SEC released a Fact Sheet on the proposed rule, which summarized the content of the proposed disclosure and presentation and attestation requirements, among other things. According to a statement released by SEC Chair Gary Gensler, the proposed rule will “provide investors with consistent, comparable, and decision-useful information for making their investment decisions and would provide consistent and clear reporting obligations for issuers.” However, a statement released by SEC Commissioner Hester M. Peirce took a different view, stating that the proposed amendments would “turn[] the disclosure regime on its head” and noting that some elements are “missing,” such as “[a] credible rationale for such a prescriptive framework when our existing disclosure requirements already capture material risks relating to climate change; [a] materiality limitation; [and] [a] compelling explanation of how the proposal will generate comparable, consistent, and reliable disclosures.” Treasury Secretary Janet L. Yellen also released a statement commending the proposal and the SEC, calling the effort “an important step to protect investors and strengthen the overall resilience of the financial system.”

    Comments on the proposal are due 30 days after publication in the Federal Register, or 60 days after the date of issuance and publication on sec.gov, whichever period is longer.

    Securities Agency Rule-Making & Guidance SEC Climate-Related Financial Risks Department of Treasury Federal Register Risk Management Disclosures

  • Indiana enacts data breach disclosure requirements

    Privacy, Cyber Risk & Data Security

    On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides for specific reasonable delays, including circumstances that are “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or in certain instances where the attorney general or a law enforcement agency states that disclosure of the breach will impede a criminal or civil investigation or jeopardize national security. The statute amends an existing provision of Indiana law, IC-24-4.9.3-3, by making clear that notification must be within 45 days. HB 1351 takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Indiana Data Breach Disclosures

  • SEC proposes amendments to cybersecurity risk management

    Securities

    On March 9, the SEC announced proposed amendments to standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require, among other things, “current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.” Specifically, firms would be required to describe their policies and procedures for the identification and management of cyber risks, provide information about the board’s oversight of and management’s role in cybersecurity risk, and disclose if a member of the board has expertise in cybersecurity. According to the SEC, “[t]he proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.” Comments are due 60 days after publication in the Federal Register.

    The same day, the SEC published a fact sheet clarifying, among other things, how the amendments are applied and what is required. SEC Chair Gary Gensler issued a statement stating he was “pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” According to a dissenting statement issued by SEC Commissioner Hester M. Peirce, the proposed amendments “flirt[] with casting us as the nation’s cybersecurity command center, a role Congress did not give us,” and argued that the “precise disclosure requirements look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.”

    Securities SEC Agency Rule-Making & Guidance Privacy/Cyber Risk & Data Security Disclosures Data Breach

  • 9th Circuit affirms judgment for defendant in FCRA suit

    Courts

    On March 1, the U.S. Court of Appeals for the Ninth Circuit affirmed dismissal in favor of a consumer reporting agency (defendant). The suit accused the defendant of violating the FCRA by failing to disclose certain information about a consumer. The plaintiffs were originally part of a class action alleging FCRA disclosure violations against the defendant, but that case was dismissed. Instead of appealing the suit, three plaintiffs brought a separate proposed class action. The defendant removed the case to federal court and filed a motion to dismiss based on a failure to state a claim. Though the case was again dismissed, the plaintiffs were granted leave to amend their complaint. In their First Amended Complaint, the plaintiffs argued that under the FCRA, the disclosures they received from the defendant did not include, among other things: (i) behavioral data; (ii) “soft inquiries” not initiated by the consumer; (iii) the identity of parties procuring consumer reports; and (iv) the date on which employment data was reported. The district court found that the defendant was not obligated to include the behavioral data in its disclosure since the information alleged to have not been disclosed was not part of the consumer’s “file” under the FCRA and was not information that was or might be furnished in a consumer report.

    On appeal, the 9th Circuit noted that “none of the information [the plaintiffs] contend [the defendant] failed to disclose is of the type that has been included in a consumer report in the past or is planned to be included in such a report in the future.” The appellate court also noted that “the date employment dates were reported can have no ‘bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.’” Since the district court found that the data that the consumers alleged the defendant failed to include in its disclosures is actually not subject to disclosure under the FCRA, the appellate court affirmed the district court’s dismissal.

    Courts Appellate Ninth Circuit FCRA Consumer Reporting Agency Disclosures

  • Massachusetts settles with auto lender

    State Issues

    On February 18, the Massachusetts attorney general announced that a national auto lender entered into a settlement with the Commonwealth resolving allegations that the lender did not provide sufficient disclosures to consumers related to its debt collection practices, with over 1,000 borrowers expected to be eligible for relief. According to the Assurance of Discontinuance (AOD), the lender allegedly failed to provide certain consumers with sufficient information about the calculation methods for any deficiencies remaining on their auto loans after their cars were repossessed. The AOD requires the auto lender to pay $5.6 million in restitution to eligible borrowers, and cover administration and investigation costs associated with the matter. According to Massachusetts Attorney General Maura Healey, the “settlement, which combines cash payments with debt relief and credit repair, will help many subprime borrowers in need.”

    State Issues Massachusetts State Attorney General Enforcement Auto Finance Consumer Finance Disclosures Debt Collection

  • SEC proposes cybersecurity risk management rules and amendments

    Securities

    On February 9, a divided SEC voted to release proposed cybersecurity risk management rules and amendments to certain requirements for registered investment advisers and funds. (See SEC fact sheet here.) Commissioner Hester Peirce voted against the proposal, stressing that the fact that “an adviser’s or fund’s system has been successfully breached should not lead us to the immediate conclusion that that adviser or fund was lax in its efforts to protect client data and funds.” She added that “[a]bsent circumstances that suggest deliberate or reckless disregard of known vulnerabilities by the firm, we should resist the temptation to pile on with an enforcement action after a breach.”

    Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. Advisers would also be required to file a confidential report for a significant cybersecurity incident to the SEC on a new form. Additionally, advisers and funds must publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years “that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients in their brochures and registration statements.” Advisers and funds would be required to comply with new cybersecurity-related recordkeeping requirements to assist SEC inspection and enforcement capabilities. Comments on the proposal are due 60 days following publication on the SEC’s website or 30 days after publication in the Federal Register, whichever period is longer.

    Securities Privacy/Cyber Risk & Data Security SEC Agency Rule-Making & Guidance Risk Management Disclosures

  • District Court grants SBA’s summary judgment in Covid-19 relief disclosure case

    Courts

    On December 13, the U.S. District Court for the District of Columbia granted summary judgment in a Freedom of Information Act (FOIA) case in favor of the U.S. Small Business Administration (SBA) (defendant), resolving allegations that the agency improperly withheld loan payment status and tax-identification numbers for recipients of loans under its Paycheck Protection Program (PPP). As previously covered by InfoBytes, national-news organizations filed an action against the SBA seeking disclosure of loan recipient information, after the rejection of their FOIA requests. The court previously ordered the SBA to disclose some information—loan amounts, names, addresses—but later gave the SBA a second chance to argue against disclosure of default status and tax-identification numbers.

    According to the most recent opinion, the SBA ultimately satisfied Exemption 4 to FOIA (related to confidential or privileged commercial or financial information) as to the current loan status of the PPP loans by filing declarations from lenders stating that they “customarily and actually treat interim PPP loan status as confidential.” The court also concluded that disclosure would concretely cause harm to an interest protected by the FOIA exemption, accepting the agency’s arguments that identifying a delinquent borrower, even if that status is temporary or ultimately irrelevant, could “negatively impact the borrower’s reputation or creditworthiness, or adversely affect its survivability and growth,” and that “disclosure would cause ‘regulated lenders [to] lose confidence in the agency’s future ability to protect confidential information . . . creat[ing] an incentive not to participate in the agency’s programs.’” Regarding tax-identification numbers, the court accepted the SBA’s assertion that it could not separate Social Security Numbers (SSN) from Employer Identification Numbers (EIN) and only release the EINs. Withholding the identification number data set was therefore permissible under Exemption 6 to FOIA, regarding “unwarranted invasion of personal privacy.” The SBA had attempted to get the help of the IRS and Social Security Administration to differentiate the numbers, but both agencies concluded they could not legally release that information to the SBA.

    Courts SBA CARES Act Covid-19 FOIA Small Business Lending Disclosures

  • 11th Circuit to rehear Hunstein v. Preferred Collection & Management Services

    Courts

    On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated an opinion in Hunstein v. Preferred Collection & Management Services, ordering an en banc rehearing of the case. The order vacates an 11th Circuit decision to revive claims that the defendant’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated privacy rights established in the FDCPA. As previously covered by InfoBytes, in April, the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” According to the order issued sua sponte by the 11th Circuit, an en banc panel of appellate judges will convene at a later date to rehear the case.

    Courts Debt Collection Third-Party Disclosures Appellate Eleventh Circuit Vendor Hunstein FDCPA Privacy/Cyber Risk & Data Security

  • District Court denies EFTA safe harbor in overdraft class action

    Courts

    On November 8, the U.S. District Court for the District of New Hampshire denied a credit union’s motion to dismiss claims concerning its overdraft fees and policies. Plaintiffs filed a putative class action alleging that the defendant failed to properly disclose how it assessed overdrafts in violation of EFTA and implementing Regulation E. According to the plaintiffs, the defendant’s overdraft fee opt-in disclosure did not provide a “clear and readily understandable” explanation of the meaning of “enough money,” nor did it specify whether overdrafts are calculated based on the actual balance or the available balance. The defendant moved to dismiss, arguing that the opt-in disclosure should be read in conjunction with a separate membership agreement that outlines the account terms and discloses the defendant’s use of the “available balance” method to determine when an account is overdrawn. The defendant further contended that it did not violate Regulation E and that it qualifies for EFTA’s safe harbor provision. The court disagreed, ruling that the plaintiffs had plausibly alleged a violation of Regulation E, as it requires the opt-in disclosure to be “segregated from all other information.” Among other things, the court stated that “[c]ountless courts examining virtually identical language have agreed” that language similar to the phrase “enough money” can plausibly amount to a violation of Regulation E’s “clear and readily understandable” explanation of overdraft fees.

    With respect to defendant’s safe harbor claim, the court observed that EFTA may provide safe harbor to banks using an appropriate CFPB model clause (15 U.S.C. § 1693m(d)(2)) or a disclosure form “substantially similar” to the Bureau’s Model Form A-9, which states “[a]n overdraft occurs when you do not have enough money in your account to cover a transaction, but we pay it anyway.” The court agreed, however, with the reasoning of several courts that using language identical to that in the A-9 does not necessarily provide safe harbor defeating plaintiffs’ claims where, as here, the plaintiffs “have plausibly stated a claim that the clause from Model Form A-9 was not ‘appropriate’ because the language did not describe [defendant’s] overdraft policy in a ‘clear and readily understandable’ way.”

    Courts EFTA Overdraft Safe Harbor Regulation E Fees Class Action Disclosures CFPB Consumer Finance

  • DFPI issues fourth round of draft regulations for commercial financing disclosures

    State Issues

    On November 5, the California Department of Financial Protection and Innovation (DFPI) issued a fourth draft of proposed regulations implementing the requirements of the commercial financing disclosures required by SB 1235 (Chapter 1011, Statutes of 2018). As previously covered by InfoBytes, in 2018, California enacted SB 1235, which requires non-bank lenders and other finance companies to provide written, consumer-style disclosures for certain commercial transactions, including small business loans and merchant cash advances. California released the first draft of the proposed regulations in July 2019, initiated the formal rulemaking process with the Office of Administrative Law in September 2020, and subsequently released second and third rounds of modifications in August and October of this year (covered by InfoBytes here, here, here, and here). The fourth modifications to the proposed regulations follow a consideration of public comments received on the various iterations of the proposed text. Among other things, the proposed modifications amend the term “average monthly cost” to mean the average total amount paid by the recipient (for periodic and irregular payments) over a contract’s term divided by the number of months specified in the contract. Providers may divide the number of days in the contract term by 30.4 to determine the number of months in the contract term. This calculation may also be used to determine the “estimated monthly cost.” Comments on the fourth modifications must be received by November 22.

    State Issues State Regulators DFPI Commercial Finance California Disclosures Consumer Finance Nonbank
