InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Crypto platform reaches $100 million settlement to resolve alleged compliance failures
On January 4, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of New York virtual currency, anti-money laundering, transaction monitoring, and cybersecurity regulations. According to the consent order, in 2020, NYDFS found significant deficiencies across the respondent’s compliance program, including its Know-Your Customer/Customer Due Diligence (KYC/CDD) procedures, Transaction Monitoring System (TMS), OFAC screening program, and AML risk assessments. As a result of these findings, the respondent agreed to improve its BSA/AML and OFAC compliance programs, including engaging an independent consultant to develop a remediation plan and improve its compliance program.
In 2021, NYDFS launched an investigation to determine whether the respondent’s compliance deficiencies had resulted in any legal violations. The investigation found “substantial lapses in [the respondent’s] KYC/CDD program, its TMS, and in its AML and OFAC sanctions controls systems, as well as issues concerning [the respondent’s] retention of books and records, and with respect to meeting certain of its reporting obligations to the Department.” NYDFS noted that in late 2020 and 2021, the respondent took steps to remediate the issues identified by the Department and the independent consultant; however, substantial weaknesses remained, and its compliance system was inadequate to handle the growing volume of the respondent’s business.
Under the terms of the consent order, the respondent must pay a $50 million civil penalty to NYDFS and invest $50 million in its compliance program. Additionally, an independent third party will continue to work with the respondent for another year, which may be extended at the Department’s sole discretion. NYDFS noted that the respondent has already taken steps to build a more effective and robust compliance program under the supervision of NYDFS and the NYDFS-appointed independent monitor. According to the respondent’s press release, the company “has taken substantial measures to address these historical shortcomings” and “remains committed to being a leader and role model in the crypto space, including partnering with regulators when it comes to compliance and other areas.”
Arizona AG: Earned wage access products are not loans
Recently, the Arizona attorney general issued an opinion confirming that earned wage access (EWA) products are not considered consumer loans under Arizona law, and that persons who make, procure, or advertise an EWA product are not subject to licensure as a consumer lender by the Arizona Department of Insurance and Financial Institutions. The opinion concluded that an EWA product offered as a no-interest, no-fee, non-recourse product does not fall within the definition of “consumer loan” under Arizona Revised Statutes § 6-601(7).
First, a fully non-recourse EWA product “represents a payment of wages already earned by the employee” and “does not allow recourse against the employee in the event the provider is unable to recoup all or some portion of the advance,” the opinion explained. The opinion added that a fully non-recourse EWA product is one in which “the provider obtains no legal or contractual right to repayment against the employee, does not engage in any debt collection activities with regard to any unpaid balance, does not sell or assign any unpaid balance to a third party, and does not report non-payment to any consumer credit reporting agency.”
Second, and independently, the AG opined that an EWA product is not a consumer loan so long as the provider does not impose a “finance charge,” as that term is defined by A.R.S. § 6-601(11). Specifically, “a non-recourse EWA product that requires repayment only of the principal balance is not a 'loan.'” While the Consumer Lenders Act (CLA) “does not expressly state that the obligation to repay principal is not a “finance charge,” requiring repayment of principal is self-evidently not an amount payable incident to or as a condition of a consumer lender loan.”
The opinion noted, however, that a provider “may also receive revenue through services ancillary to providing an EWA product without converting the EWA product into a “loan” under the CLA, such as by requesting a voluntary gratuity, charging a fee for expedited transfer of an EWA payment, or earning interchange revenue for processing a card payment. As long as the provider does not condition the provision of an EWA product on the “receipt of any such ancillary revenue” or impose fees or charges that fall within the CLA’s definition of “finance charge,” the EWA product will not meet the CLA’s definition of a “consumer loan.”
The opinion referred to guidance issued by other regulators who have drawn similar conclusions that an EWA product is not a loan so long as the program meets specific criteria. Such references include the 2020 CFPB advisory opinion on EWA products. As previously covered by InfoBytes, the Bureau’s advisory opinion addressed uncertainty as to whether EWA providers that meet short-term liquidity needs that arise between paychecks “are offering or extending ‘credit’” under Regulation Z, which implements TILA. The advisory opinion stated that “‘a Covered EWA Program does not involve the offering or extension of ‘credit,’” and noted that the “totality of circumstances of a Covered EWA Program supports that these programs differ in kind from products the Bureau would generally consider to be credit.” The Arizona AG opinion highlighted the Bureau’s conclusion that EWA products do not involve debt because “a Covered EWA Program facilitates employees’ access to wages they have already earned, and to which they are already entitled, and thus functionally operate[] like an employer that pays its employees earlier than the scheduled payday.”
Last January, CFPB General Counsel Seth Frotman issued a letter in response to concerns raised by consumer advocates (covered by InfoBytes here), stressing that the CFPB’s 2020 advisory opinion “is limited to a narrow set of facts—as relevant here, earned wage products where no fee, voluntary or otherwise, is charged or collected.” Frotman noted, however, that due to “repeated reports of confusion caused by the advisory opinion due to its focus on a limited set of facts,” he planned to recommend that the CFPB director consider ways to provide greater clarity on these issues. He emphasized that the advisory opinion did not purport to interpret whether covered EWA products would be “credit” under other statutes other than TILA, such as the CFPA or ECOA, or whether they would be considered credit under state law.
NYDFS revises proposed amendments to third-party debt collection rules
In December, NYDFS released revised proposed amendments to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. NYDFS first issued a proposed amendment to 23 NYCRR 1 in December 2021 (covered by InfoBytes here), which factored in findings from NYDFS investigations that revealed instances of abusive and deceptive debt collection practices, as well as consumer debt collection complaint data. The first proposed amendment, among other things, is intended to enhance consumer protections by increasing transparency, requiring heightened disclosures, reducing misleading statements about consumer debt obligations, and placing stricter limits on debt collection phone calls than those currently imposed under federal regulations. The revised proposal, among other things, also include the following requirements:
- A debt collector must send written notification within five days after the initial communication with a consumer that clearly and conspicuously contains validation information as required under Regulation F. Debt collectors are prohibited from using the charge-off date as the itemization date for the alleged debt unless it is a revolving or open-end credit account. Instead, debt collectors should use the last payment date as the itemization date if available.
- Written notifications must be clear and conspicuous and also include the following, in addition to validation information: (i) the reference date relied upon to determine the itemization date; (ii) for revolving or open-end credit accounts, an account number (or a truncated version of the account number) associated with the debt on the last payment date or the last statement date if no payment has been made; (iii) the merchant brand, affinity brand, or facility name, if any, associated with the debt; (iv) the date and amount of the last payment or a statement noting that no payment was made, if available; (v) the applicable statute of limitations expressed in years for debt that has not been reduced to judgment; (vi) information on a debt that has been reduced to a judgment, if applicable; and (vii) notice that a consumer has the right to dispute the validity of a debt and instructions on how to submit a dispute.
- Debt collectors must inform consumers of available language access services and are required to record the consumer’s language preference, if other than English, in the written notification.
- Unless affirmatively requested by the consumer, required disclosures may not be made exclusively by electronic communication. Additionally, a debt collector may communicate with a consumer exclusively through electronic communication only if: (i) the consumer has voluntarily provided contact information for electronic communication; (ii) the consumer has given revocable consent in writing to receive electronic communication from the debt collector in reference to a specific debt (electronic signatures constitute written consent); (iii) the debt collector retains the written consent for six years or until the debt is discharged, sold, or transferred (whichever is longer); and (iv) all electronic communications include clear and conspicuous disclosures regarding revoking consent.
- Communications sent in the form of a pleading in a civil action will not be considered an initial communication for the purposes of these amendments.
- Debt collectors must provide substantiation of debt within 45 days.
- Debt collectors may not communicate or attempt to communicate excessively with a consumer. Specifically, debt collectors are limited to one completed phone call and three attempted phone calls per seven-day period per alleged debt. Telephone calls more than these limits may be permitted when required by federal or state law, or when made in response to the consumer’s request to be contacted and in the manner indicated by the consumer, if any.
Comments are due February 13. The amendments are scheduled to take effect 180 days after the notice of adoption is published in the State Register.
National bank to pay $2 million in mortgage fee violation class action
On December 19, the U.S. District Court for the Central District of California granted final approval of a settlement in a $2 million class action resolving allegations that a national bank violated California’s Rosenthal Fair Debt Collection Practices Act (RFDCPA) and Unfair Competition Law (UCL). According to the order for preliminary approval, the plaintiff class alleged that the bank improperly charged and collected transaction fees when processing mortgage payments. The district court certified the class, which included “all persons who have or had a California address, and at any time between June 1, 2016 and the date of the Court’s order preliminarily approving the settlement, paid at least one transaction fee to [the defendant] for making a payment on a residential mortgage loan serviced by [the defendant] by telephone, IVR, or the internet.” The district court determined that the settlement agreement was “reasonable and adequate.” The two class representatives who filed the suit were awarded $1,500 each, and their attorneys were awarded $499,000 in fees.
FCC proposes $300 million fine against auto warranty scam robocaller
On December 21, the FCC announced a nearly $300 million fine against an auto warranty scam robocall campaign for TCPA and Truth in Caller ID Act violations, “which is the largest robocall operation the FCC has ever investigated.” According to the announcement, the two individuals in charge of the operation ran a complex robocall sales lead generation scheme, which was designed to sell vehicle service contracts that were deceptively marketed as car warranties. This “scheme made more than 5 billion robocalls to more than half a billion phone numbers during a three-month span in 2021, using pre-recorded voice calls to press consumers to speak to a ‘warranty specialist’ about extending or reinstating their car’s warranty.” As previously covered by InfoBytes, in July, the FCC took initial action by ordering “phone companies to stop carrying traffic regarding a known robocall scam marketing auto warranties.” The FCC noted that the operation is also the target of an ongoing investigation by the FCC’s Enforcement Bureau and a lawsuit by the Ohio attorney general. The Ohio AG filed a complaint against multiple companies for participating in an alleged unwanted car warranty call operation (covered by InfoBytes here). The complaint, filed in the U.S. District Court for the Southern District of Ohio, alleged that the 22 named defendants “participated in an unlawful robocall operation that bombarded American consumers with billions of robocalls.” In addition to the fine, among other things, the individuals who allegedly ran the operations are prohibited from making telemarketing calls pursuant to FCC actions.
DFPI modifies proposed regulations for complaints and inquiries under the CCFPL
On December 22, the California Department of Financial Protection and Innovation (DFPI) released modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last May to implement Section 90008 subdivisions (a) and (b) of the CCFPL, which authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries, as well as subdivision (d)(2)(D), which “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”
After considering comments received on the NPRM, changes proposed by the DFPI include the following:
- Amended definitions. The proposed regulations will not apply to, in addition to consumer reporting agencies and student loan servicers, a person or entity already exempt from the CCFPL under Section 90002. The definition of “complaint” is amended to include “an oral or written expression of dissatisfaction from a complainant regarding a specific issue or problem with a financial product or service.” Additionally, “complainant” is amended to also provide that a consumer must have been a resident of California at the time of the act, omission, decision, condition, or policy giving rise to the complaint. The proposed regulations also outline several categories that are not included in the definition of “complaint” or “inquiry.”
- Complaint procedure updates. The proposed regulations outline requirements for covered persons related to consumer disclosures and written communications covering the complaint process. The proposed regulations also require covered persons to accept all complaints, whether written or oral, provided the complaint includes a reason for filing the complaint and sufficient information to identify the complainant.
- Restrictions. Covered persons shall not (i) “[r]equest personal identifying information beyond what is reasonably necessary to identify the complainant and to send correspondence”; (ii) “[r]equest financial information unrelated to the specific complaint of the consumer:” or (iii) impose a time limit for filing a complaint that is shorter than one year from the time the complainant discovers the act, omission, decision, condition, or policy that is the subject of the complaint (if a time limit is imposed it must be stated in the required consumer disclosures).
- Complaint acknowledgements. For every complaint received, covered persons must send the complainant a written acknowledgement of receipt that is postmarked or otherwise shows that acknowledgement was sent within five business days after receiving the complaint. Within 15 business days after receiving a complaint, a covered person must provide a final decision on all issues. If additional time is required, a covered person must provide the complainant with a written update within three business days after the initial 15-business day period ends.
- Inquiry response requirements. Covered persons are required to develop and implement written policies and procedures to implement the regulations’ inquiry requirements, and must also respond to all issues raised by an inquiry within 10 business days. Covered persons must retain copies of all written inquiries and written responses for at least three years from the time the written response was issued.
- Reporting requirements. Covered persons must submit an annual complaint report to DFPI for each financial product or service offered or provided that will be made available to the public with limited exceptions. Each report shall include information regarding all complaints received by the covered person during the reporting period, and must be filed electronically with the Consumer Financial Protection Division no later than 60 business days after the end of each calendar year.
Comments on the proposed modifications are due January 20 (extended from January 13).
Colorado releases second draft of Colorado Privacy Act rules
On December 21, the Colorado attorney general released a second set of draft rules for the Colorado Privacy Act (CPA). As previously covered by a Buckley Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The first set of draft rules was issued last September and published by the Secretary of State on October 10 (covered by InfoBytes here).
The second set of draft rules seeks to address concerns raised through public comments as well as feedback received during three stakeholder sessions. The AG seeks specific input on questions related to (i) clarifications to definitions; (ii) the use of IP addresses to verify consumer opt-out requests; (iii) implementation of a universal opt-out mechanism; (iv) controller obligations related to meaningful privacy notices; and (v) bona fide loyalty programs. Among other things, the modifications would:
- Clarify definitions. The modifications add, delete, and amend several definitions, including those related to “biometric identifiers,” “commercial product or service,” “controller,” “employee,” “employer,” “employment records,” “noncommericial purpose,” “personal data,” “process,” “processor,” “profiling,” and terms involving automated processing.
- Amend purpose-based privacy notices. The modifications remove the requirement that privacy notices be purpose-based, and will instead require that the processing purpose and type of personal data processed be connected in a way that provides consumers a meaningful understanding of how their personal data will be used. The AG seeks feedback on ways the draft rules can “be made interoperable with California’s privacy notice requirements, while still considering the CPA’s purpose specification, secondary use requirements, and ensuring that a consumer has a meaningful understanding of the way their personal data will be used when they interact with a controller.” Feedback is also requested on whether controllers “who have updated their privacy policies to comply with California’s privacy notice requirements anticipate making a separate policy for Colorado, updating a California specific privacy notice to include Colorado or other state requirements, or revising the main privacy policy/notice to meet Colorado and other non-California state requirements[.]”
- Update universal opt-out mechanism. The modifications grant controllers six months from the date a universal opt-out mechanism is recognized by the AG to begin complying with that new mechanism. An initial public list of approved opt-out mechanisms will be published no later than January 1, 2024, and will be updated periodically.
- Clarify security measures and duty of care. The modifications provide additional details about the duty to safeguard personal data, and will require controllers to, among other things, consider “[a]pplicable industry standards and frameworks,” and the sensitivity, amount, and original source of the personal data when identifying reasonable and appropriate safeguards. The modifications also include provisions related to the processing of sensitive data inferences and specifies deletion requirements.
- Reduce data protection assessment requirements. The modifications reduce the information that must be included in a controller’s data protection assessment.
- Clarify privacy notice changes. The modifications clarify when a controller must notify a consumer of “substantive or material” changes to its data processing that trigger updates to its privacy notice. The modifications emphasize that disclosure of a new processing purpose in a privacy policy alone does not constitute valid consent.
- Address refreshing of consumer consent. The modifications provide that consumer consent must be refreshed when a consumer has not interacted with the controller in the last 12 months, and (i) the controller is processing sensitive personal information; or (ii) is processing personal data for secondary data use that involves profiling for a decision that could result “in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” However, controllers will not be required to refresh consent in situations where consumers have the ability to update their own opt-out preferences at any time.
Comments on the second set of draft rules are due February 1. If the formal rulemaking hearing on the proposed rules (scheduled for February 1) extends beyond that date, comments must be received on or before the last day of the hearing.
District Court grants summary judgment to bank in discriminatory lending suit
On December 19, the U.S. District Court for the Northern District of Illinois granted summary judgment in favor of a national bank with respect to discriminatory lending allegations brought by the County of Cook in Illinois (County). As previously covered by InfoBytes, the County alleged that the bank’s lending practices were discriminatory and led to an increase in foreclosures among Black and Latino borrowers, causing the County to incur financial injury, including foreclosure-related and judicial proceeding costs and municipal expenses due to an increase in vacant properties. In 2021, the court denied the bank’s motion to dismiss the alleged Fair Housing Act violations after determining that all the County had to do was show a reasonable argument that the bank’s lending practices resulted in foreclosures, and that the bank failed to dispute that the County properly alleged a financial injury sufficient to support standing.
The court explained in its December 19 order, however, that two of the County’s expert witnesses did not make valid comparisons when measuring the denial rate for minority borrowers compared to white borrowers. According to the court, the expert witnesses failed to properly account for the financial conditions of the borrowers seeking mortgage modifications, leaving the County with “no other evidentiary basis to establish that [the bank] engaged in intentionally discriminatory servicing practices that caused minority borrowers to disproportionately suffer default and foreclosure.” The court found that, accordingly, the County cannot demonstrate “intentional discrimination against minority borrowers that proximately caused the County’s injuries, and its disparate treatment claim accordingly cannot survive summary judgment.” Additionally, the court found that the County failed to cite authority for its arguments that the bank can be liable for loans it purchased “and for which it did not commit any discriminatory acts in servicing” or for loans it originated but sold and never serviced.
District Court approves $2.8 million settlement in FDCPA convenience fee class action
On December 22, the U.S. District Court for the Southern District of Florida granted preliminary approval of a $2.8 million settlement in an FDCPA class-action suit resolving allegations that convenience fees were charged when consumers made payments on their mortgages over the phone or online. According to the suit, the plaintiffs claimed the defendant did not charge processing fees if borrowers made payments by check or signed up for automatic monthly debits from their bank accounts. The plaintiffs further argued that the processing fees were “illegal and improper because neither the mortgages themselves nor applicable statutes authorize such fees.” The parties agreed to mediation in April 2022, and a motion for preliminary approval of a settlement was filed in August. A coalition of state attorneys general from 32 states and the District of Columbia, led by the New York AG filed an amicus brief in the district court opposing the original proposed $13 million settlement in the suit (covered previously by InfoBytes here). The AGs outlined concerns with the proposed settlement, including that (i) the relief provided to class members violates various state laws, and that the defendant seeks to ratify fees in an “unwritten, mass amendment” that violates state laws and regulations; (ii) class members only receive an “inadequate” one-time payment, while the defendant may continue to charge excessive fees for the life of the loan; and (iii) low- and moderate-income borrowers are not treated equitably under the proposed settlement. Under the terms of the new settlement, members of the class who do not opt out of the settlement will receive a share of the $2.8 million. The settlement also reduces the fees class members will have to pay when making payments online or via the telephone for the next two years. The defendant also agreed to add additional disclosures to its website to increase borrower awareness of alternative payment methods that could have lower fees or no fees. Defendant’s representatives will also receive additional training to ensure they provide additional information and disclosures about convenience fees when speaking with customers.
On June 16, the court granted final approval of the settlement.
Massachusetts reaches settlement in unfair debt collection and mortgage servicing matter
On December 22, the Massachusetts attorney general announced a settlement with a South Carolina mortgage servicer to resolve claims that it allegedly failed to assist homeowners avoid foreclosure and engaged in unfair debt collection and mortgage servicing practices. According to an assurance of discontinuance filed in Suffolk Superior Court, the servicer allegedly violated the Massachusetts’ Act to Prevent Unlawful and Unnecessary Foreclosures, which requires servicers to make a good faith effort to help borrowers with certain unfair loan terms avoid foreclosure. Among other things, the servicer allegedly failed to (i) properly review borrowers’ income, debts, and obligations when assessing affordable loan modifications; (ii) provide borrowers with the results of these assessments; or (iii) provide borrowers with notice of their right to present a counteroffer after being offered a loan modification. The servicer also allegedly violated the state’s debt collection regulations by failing to timely issue compliant debt validation notices, and calling borrowers more than twice in a seven-day period. While denying the allegations, the servicer agreed to pay $975,000 to the state and will undertake significant business practice changes and provide ongoing reporting to the AG to ensure compliance.