
InfoBytes Blog

Financial Services Law Insights and Observations


  • Luetkemeyer accuses DOJ of incomplete BSA/AML data

    Federal Issues

    On February 1, Representative Blaine Luetkemeyer (R-MO) sent a letter to Attorney General Merrick Garland asking for an explanation as to why the DOJ has not complied with a provision in the 2021 National Defense Authorization Act (2021 NDAA), which requires the Department to report metrics on its use of Bank Secrecy Act (BSA) data to the Treasury Department. According to Luetkemeyer, section 6201 of the 2021 NDAA requires the DOJ to also report “on the use of data derived from financial institutions reporting under the [BSA]” in order to increase transparency on the usefulness of BSA data filed with FinCEN from financial institutions and ensure bad actors are not using the U.S. financial system to fund illicit activities.

    Specifically, the DOJ is required by the 2021 NDAA to examine how often the reported data contains actionable information, the number of legal entities and individuals identified within the reported data, and information on investigations resulting from the reported data that are conducted by state and federal authorities, the letter said. Citing a Government Accountability Office report (which found that the DOJ’s report failed to “include new statistics on the use and impact of BSA reports, including the summary statistics required under the act”), Luetkemeyer claimed the lack of transparency “begs the question if the burdensome reporting is worthwhile” and prevents “FinCEN and Congress from determining the effectiveness of the U.S. anti-money laundering regime.” Luetkemeyer asked the DOJ for an explanation as to why it failed to provide the required information.

    Federal Issues Financial Crimes U.S. House DOJ Anti-Money Laundering Bank Secrecy Act FinCEN Illicit Finance

  • FTC bans health vendor from sharing consumer info with advertiser

    Federal Issues

    On February 1, the DOJ filed a complaint on behalf of the FTC against a telehealth and prescription drug discount provider for allegedly violating the FTC Act and the Health Breach Notification Rule by failing to notify consumers that it was disclosing their personal health information to third parties for advertising purposes. As a vendor of personal health records, the FTC stated that the company is required to comply with the Health Breach Notification Rule, which imposes certain reporting obligations on health apps and other companies that collect or use consumers’ health information (previously covered by InfoBytes here).

    According to the complaint filed in the U.S. District Court for the Northern District of California, the company—which allows users to keep track of their personal health information, including saving, tracking, and receiving prescription alerts—shared sensitive personal health information with advertisers and other third parties for years, even though it allegedly promised users that their health information would never be shared. The FTC maintained that the company also monetized users’ personal health information and used certain shared data to target its own users with personalized health- and medication-specific advertisements on various social media platforms. The company also allegedly: (i) permitted third parties to use shared data for their own internal purposes; (ii) falsely claimed compliance with the Digital Advertising Alliance principles (which require companies to obtain consent prior to using health information for advertising purposes); (iii) misrepresented its HIPAA compliance; (iv) failed to maintain sufficient formal, written, or standard privacy or data sharing policies or procedures to protect personal health information; and (v) failed to report the unauthorized disclosures.

    Under the terms of the proposed court order filed by the DOJ, the company would be required to pay a $1.5 million civil penalty, and would be prohibited from engaging in the identified alleged deceptive practices and from sharing personal health information with third parties for advertising purposes. The company would also be required to implement several measures to address the identified violations, including obtaining users’ affirmative consent before disclosing information to third parties (the company would be prohibited from using “dark patterns,” or manipulative designs, to obtain consent), directing third parties to delete shared data, notifying users about the breaches and the FTC’s enforcement action, implementing a data retention schedule, and putting in place a comprehensive privacy program to safeguard consumer data.

    Federal Issues FTC Enforcement Privacy, Cyber Risk & Data Security Advertisement Consumer Protection FTC Act Health Breach Notification Rule Dark Patterns

  • Agencies remind banks of HMDA reporting changes on closed-end mortgages

    On February 1, the OCC reminded banks and OCC examiners that the loan origination threshold for reporting HMDA data on closed-end mortgages has changed due to a court decision issued last year, which addressed challenges made by a group of consumer fair housing associations to changes made in 2020 by the CFPB that permanently raised coverage thresholds for collecting and reporting data about closed-end mortgage loans and open-end lines of credit under HMDA (covered by InfoBytes here). Due to a court order vacating the 2020 HMDA Final Rule as to the loan volume reporting threshold for closed-end mortgage loans, the OCC explained that the loan origination threshold for reporting HMDA data on closed-end mortgage loans reverted to the threshold established by the 2015 HMDA Final Rule.

    According to Bulletin 2023-5, the threshold for reporting HMDA data is now 25 closed-end mortgage loans originated in each of the two preceding calendar years rather than the 100-loan threshold set by the 2020 HMDA Final Rule. “Banks that originated at least 25 closed-end mortgage loans in each of the two preceding calendar years but fewer than 100 closed-end mortgage loans in either or both of the two preceding calendar years (referred to collectively as affected banks) may need to make adjustments to policies and procedures to comply with reporting obligations,” the OCC said. The agency added that it does not plan to assess penalties for failures to report closed-end mortgage loan data on reportable transactions conducted in 2022, 2021 or 2020 for affected banks that meet other coverage requirements under Regulation C.

    The FDIC and Federal Reserve Board also issued similar guidance (see FIL-06-2023 and CA 23-1).

    Bank Regulatory Federal Issues OCC FDIC HMDA Loan Origination Mortgages Regulation C CFPB Federal Reserve

  • CFPB proposal targets late fees on cards

    Agency Rule-Making & Guidance

    On February 1, the CFPB issued a notice of proposed rulemaking (NPRM) to amend Regulation Z, which implements TILA, and its commentary to better ensure that late fees charged on credit card accounts are “reasonable and proportional” to the late payment as required under the statute, the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act). The NPRM would (i) adjust the safe harbor dollar amount for late fees to $8 for any missed payment—issuers are currently able to charge late fees of up to $41—and eliminate a higher safe harbor dollar amount for late fees for subsequent violations of the same type (a company would be able to charge above the immunity provision provided it could prove the higher fee is necessary to cover the incurred collection costs); (ii) eliminate the automatic annual inflation adjustment for the immunity provision amount (the Bureau would instead monitor market conditions and make adjustments as necessary); and (iii) cap late fees at 25 percent of the consumer’s required minimum payment (issuers are currently able to potentially charge a late fee that is 100 percent of the cardholder’s minimum payment owed).

    The NPRM also seeks feedback on other possible changes to the CARD Act regulations, including “whether the proposed changes should apply to all credit card penalty fees, whether the immunity provision should be eliminated altogether, whether consumers should be granted a 15-day courtesy period, after the due date, before late fees can be assessed, and whether issuers should be required to offer autopay in order to make use of the immunity provision.” Comments on the NPRM are due by April 3, or 30 days after publication in the Federal Register, whichever is later.

    According to the CFPB, the Federal Reserve Board “created the immunity provisions to allow credit card companies to avoid scrutiny of whether their late fees met the reasonable and proportional standard.” As a result, the CFPB stated that immunity provisions have risen (due to inflation) to $30 for an initial late payment and $41 for subsequent late payments, resulting in consumers being charged approximately $12 billion in late fees in 2020. Based on CFPB estimates, the NPRM could reduce late fees by as much as $9 billion per year. CFPB Director Rohit Chopra issued a statement commenting that the current immunity provisions are not what Congress intended when it passed the CARD Act.

    The Bureau also released an unofficial, informal redline of the NPRM to help stakeholders review the proposed changes, as well as a report titled Credit Card Late Fees: Revenue and Collection Costs at Large Bank Holding Companies, which documents findings on the relationship between late fee revenue and pre-charge-off collection costs for certain large credit card issuers. According to the report, “revenue from late fees has consistently far exceeded pre-charge-off collection costs over the last several years.”

    The NPRM follows several actions initiated by the Bureau last year, including a request for comments on junk fees, a research report analyzing credit card late fees, and an advance notice of proposed rulemaking that solicited information from credit card issuers, consumer groups, and the public regarding credit card late fees and late payments, and card issuers’ revenue and expenses (previously covered by InfoBytes here and here).

    Agency Rule-Making & Guidance Federal Issues CFPB Consumer Finance Credit Cards Fees TILA Regulation Z CARD Act

  • Senators exploring bank’s dealings with collapsed crypto exchange

    Federal Issues

    On January 30, Senators Elizabeth Warren (D-MA), John Kennedy (R-LA), and Roger Marshall (R-KS) sent a follow-up letter to a California-based bank asking for additional responses to questions related to the bank’s relationship with several cryptocurrency firms founded by the CEO of a now-collapsed crypto exchange. As previously covered by InfoBytes, the senators pressed the CEO for an explanation for why the bank failed to monitor for and report suspicious transactions to the Financial Crimes Enforcement Network, and asked for information about how deposits it was holding on behalf of the collapsed exchange and related firm were being handled. The senators stressed that the bank has a legal responsibility under the Bank Secrecy Act to maintain an effective anti-money laundering program that may have flagged suspicious activity.

    In the letter, the senators accused the bank of evading their previous questions in its December response, writing that while the bank’s answers confirm the extent of its failure to monitor and report suspicious financial activity, it failed “to provide key information needed by Congress to understand why and how these failures occurred.” The bank’s “repeated reference to ‘confidential supervisory information’” as a justification for its refusal to provide the requested information “is simply not an acceptable rationale,” the senators said. They also noted that the bank’s recent advance from the Federal Home Loan Bank of San Francisco—intended “to ‘stave off a further run on deposits’”—has introduced additional crypto market risks into the traditional banking system, especially should the bank fail. The bank was asked to explain how it plans to use the $4.3 billion it received.

    The senators further commented that additional findings have revealed that neither the Federal Reserve nor the bank’s independent auditors were able to identify the “extraordinary gaps” in the bank’s due diligence process. The senators asked the bank to provide responses to questions related to its risk management policies, as well as how many safety and soundness exams were conducted, and whether any of the bank’s executives were “held accountable” for the failures related to the collapsed exchange, among other things.

    Federal Issues Digital Assets U.S. Senate Cryptocurrency Risk Management Bank Secrecy Act Anti-Money Laundering FinCEN Financial Crimes

  • Biden administration presents roadmap for mitigating crypto risks

    Federal Issues

    On January 27, the Biden administration presented a roadmap for mitigating cryptocurrency risks to ensure that cryptocurrencies do not undermine financial stability, investors are protected, and bad actors are held accountable. At President Biden’s direction, the administration previously laid out a comprehensive framework for developing digital assets in a safe, responsible way that also identifies clear risks. (Covered by InfoBytes here.) The administration identified clear risks taken by some crypto entities, such as ignoring applicable financial regulations and basic risk controls, misleading consumers, having conflicts of interest, failing to provide adequate disclosures, or committing fraud. The roadmap also outlined actions taken by the federal banking agencies, including a recently issued joint interagency statement that highlighted key risks banks should consider when choosing to engage in crypto-related services and a notice of proposed rulemaking issued by the FDIC warning companies against making false or misleading claims about digital assets being insured by the agency (covered by InfoBytes here and here). The administration also noted that agencies across the government are developing public-awareness programs to help consumers understand the risks associated with digital assets.

    The administration stressed, however, that further action is needed. Priorities for digital asset research and development will be unveiled in the coming months, the administration said, adding that Congress should also step up efforts in this space. This includes expanding regulators’ powers to prevent misuses of customers’ assets, “strengthen[ing] transparency and disclosure requirements for cryptocurrency companies so that investors can make more informed decisions about financial and environmental risks,” “strengthen[ing] penalties for violating illicit-finance rules and subject cryptocurrency intermediaries to bans against tipping off criminals,” and limiting crypto risks to the financial system by following steps outlined in a recent Financial Stability Oversight Council report (covered by InfoBytes here), the administration said.

    Federal Issues Digital Assets Biden Cryptocurrency Risk Management

  • FHA expands Covid-19 loss mitigation options

    Federal Issues

    On February 13, HUD issued Mortgagee Letter 2023-03, which makes technical corrections to Mortgagee Letter 2023-02 issued in January that expanded and enhanced loss mitigation options for borrowers struggling to make payments on FHA-insured mortgages. The enhancements extend FHA’s Covid-19 loss mitigation options to all eligible borrowers, including non-occupant borrowers, who fall behind on mortgage payments, regardless of the cause of delinquency. Mortgage servicers must use FHA’s Covid-19 recovery loss mitigation “waterfall” of options to assess all borrowers who are in default (or at risk of imminent default). The enhancements also raise the maximum partial claim amount from 25 percent of the mortgage’s unpaid principal balance to the maximum 30 percent allowed by statute to help increase home retention. Mortgage servicers can also offer loss mitigation options to borrowers who qualified for or used homeowner assistance funds who may no longer technically be delinquent but require further assistance to avoid redefault. Additionally, the enhancements provide incentive payments to mortgage servicers when Covid-19 recovery options are successfully completed.

    The availability of FHA’s Covid-19 loss mitigation options is extended for 18 months beyond the April 30 mandatory effective date for servicers to remove “uncertainties associated with the timing of the end of the National Emergency,” HUD explained, adding that “FHA is temporarily suspending the use of its FHA-Home Affordable Modification (FHA-HAMP) options concurrent with [Mortgagee Letter 2023-02]” in order to simplify loss mitigation options. Mortgage servicers may begin offering these options to borrowers immediately.

    Federal Issues HUD FHA Consumer Finance Mortgages Covid-19 Loss Mitigation Mortgage Servicing

  • FTC finalizes data-security order with ed tech provider

    Federal Issues

    On January 27, the FTC finalized an order with an education technology (ed tech) provider over claims that the provider’s lax data security practices led to the exposure of millions of users’ and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. As previously covered by InfoBytes, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Claiming violations of Section 5(a) of the FTC Act, the FTC alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.

    Under the terms of the final decision and order, the company (which neither admitted nor denied any of the allegations) is required to take several measures to address the alleged conduct, including: (i) implementing a data retention and deletion process, which will allow users to request access to and deletion of their data; (ii) providing multi-factor authentication methods for users to secure their accounts; (iii) providing notice to affected individuals; (iv) implementing a comprehensive information security program; and (v) obtaining initial and biennial third-party information security assessments. The company must also submit covered incident reports to the FTC and is prohibited from making any misrepresentations relating to how it collects, maintains, uses, deletes, permits, or denies access to individuals’ covered information.

    Federal Issues FTC Enforcement Privacy, Cyber Risk & Data Security Data Breach FTC Act

  • FDIC issues December enforcement actions

    On January 27, the FDIC released a list of administrative enforcement actions taken against banks and individuals in December. The FDIC made public nine orders, including “one order to pay civil money penalty, two consent orders, one combined personal consent order and order to pay, two Section 19 orders, four prohibition orders, and seven orders of termination of insurance.”

    The actions included a civil money order against a Georgia-based bank related to violations of the Flood Disaster Protection Act. The FDIC determined that the bank had engaged in a pattern or practice of violations because it “made, increased, extended, or renewed loans secured by a building or mobile home located in a special flood hazard area or to be located in a special flood hazard area without providing timely notice to the borrower and/or the servicer as to whether flood insurance was available for the collateral.”

    Additionally, the FDIC issued a consent order against a Texas-based bank alleging the bank engaged in “unsafe or unsound banking practices or violations of law or regulation relating to, among other things, weaknesses in board and management oversight of the information technology function.” The bank neither admitted nor denied the allegations but agreed, among other things, that it would develop a staffing analysis plan “to ensure sufficient resources are available with the knowledge [and] prerequisite skills commensurate with the risk profile and complexity of the Bank’s information technology [] function.”

    Bank Regulatory Federal Issues FDIC Enforcement Flood Insurance Flood Disaster Protection Act

  • Fed says limits on banking activities will apply regardless of insurance status

    On January 27, the Federal Reserve Board issued a policy statement providing guidelines on how the agency evaluates requests from supervised uninsured and insured banks seeking to engage in novel activities, such as those involving crypto assets. Recognizing that in recent years the Fed has received numerous inquiries, notifications, and proposals from banks seeking to engage in new or unprecedented activities, the Fed clarified that when evaluating such inquiries, uninsured and insured banks supervised by the Fed would be subject to the same limitations that are currently imposed on OCC-supervised national banks, including crypto-asset-related activities. According to a board memo published the same day, the Fed said it “will presumptively exercise its authority to limit state member banks to engaging as principal in only those activities that are permissible for national banks—in each case, subject to the terms, conditions, and limitations placed on national banks with respect to the activity—unless those activities are permissible for state banks by federal law.” This “equal treatment” is intended to “promote a level playing field and limit regulatory arbitrage,” the Fed said.

    The Fed reiterated that banks must be able to ensure that any activities they plan to engage in are permitted by law and conducted in a safe and sound manner. A bank should implement risk management processes, internal controls, and information systems that are “appropriate and adequate for the nature, scope, and risks of its activities,” the Fed noted. The Fed, however, explained that the policy statement does “not prohibit a state member bank, or prospective applicant, from providing safekeeping services, in a custodial capacity, for crypto-assets if conducted in a safe and sound manner and in compliance with consumer, anti-money laundering, and anti-terrorist financing laws.”

    The policy statement was issued the same day the Fed denied a request from a Wyoming-based digital asset firm to become a member of the Federal Reserve System. The Fed explained that the firm (a special purpose depository institution chartered by the state of Wyoming that “proposed to engage in novel and untested crypto activities that include issuing a crypto asset on open, public and/or decentralized networks…”) “presented significant safety and soundness risks.” Additionally, the Fed determined that the digital asset firm’s risk management framework failed to sufficiently address heightened risk concerns, including its ability to mitigate money laundering and terrorism financing risks.

    Bank Regulatory Federal Issues Digital Assets Federal Reserve Supervision Cryptocurrency
