
InfoBytes Blog

Financial Services Law Insights and Observations


  • CFPB releases 2019 Card Report

    Federal Issues

    On August 27, the CFPB released its fourth biennial report on the state of the credit card market as required by Section 502 of the Credit Card Accountability Responsibility and Disclosure Act (CARD Act). The 2019 report covers the credit card market for the 2017-2018 period. In opening remarks, CFPB Director Kathy Kraninger notes that with the passage of time, it has become “increasingly difficult to correlate the CARD Act with specific effects in the marketplace that have occurred since the issuance of the Bureau’s last biennial report, and, even more so, to demonstrate a causal relationship between the CARD Act and those effects,” and therefore, future reports will focus more on overall market conditions. Key findings of the report include: (i) total outstanding credit card balances continue to grow; (ii) total cost of credit stood at 18.7 percent at the end of 2018, which is the highest overall level observed by the Bureau in its biennial reports; (iii) total credit line across all consumer credit cards reached $4.3 trillion in 2018, which is largely due to the increase in unused credit lines held by superprime score consumers; and (iv) consumers are increasingly using their cards through digital portals, including those accessed via mobile devices.

    Regarding current trends, the report notes that over the last few years, the total amount of credit card spending has grown “much faster” than the total volume of balances carried on the cards. In addition, while cardholders with prime or superprime credit scores still account for most debt and spending, lower credit score consumers have been increasing their debt at a faster rate than cardholders with higher credit scores. Notably, delinquency and charge-off rates still remain lower than they were prior to the recession, even though they have slightly increased in recent years. Additionally, since the last report, issuers have lowered their daily limits on debt collection phone calls for delinquent accounts and average daily attempts remain “well below” stated limits. Issuers are also beginning to supplement communications for account servicing with email and text messages.

    Federal Issues CFPB Credit Cards CARD Act

  • Democratic members ask FSOC to deem cloud providers as "systemically important"

    Privacy, Cyber Risk & Data Security

    On August 22, two members of the U.S. House of Representatives, Katie Porter (D-Calif.) and Nydia Velázquez (D-N.Y.), sent a letter to the U.S. Department of Treasury requesting that the Financial Stability Oversight Council (FSOC) consider designating the three leading providers of cloud-based storage systems for the financial industry as systemically important financial market utilities. The letter is in response to the recent data breach announcement by a national bank (covered by InfoBytes here), where an alleged former employee of the bank’s cloud-based storage system gained unauthorized access to the personal information of credit card customers and people who had applied for credit card products. According to the Congresswomen, 57 percent of the cloud services market is “cornered by” three main providers, and “a lack of substitutability for the services provided by these very few firms creates systemic risk.” The letter argues that cloud services are not currently subject to an enforced regulatory regime and, “[w]ithout a dedicated regulatory regime proportional and tailored to their very unique structure and risks, cloud computing companies will continue to evade supervision.”

    Privacy/Cyber Risk & Data Security Data Breach Credit Cards FSOC Congress

  • District Court allows case exploring whether cryptocurrency acquisitions are “cash-like” to proceed

    Courts

    On August 1, the U.S. District Court for the Southern District of New York allowed breach of contract and clear and conspicuous disclosure claims brought by a proposed class of consumers against a national bank to proceed, finding that ambiguity exists over whether credit card cryptocurrency purchases are “cash-like transactions.” The plaintiffs claimed that the bank breached their cardholder agreements when it changed the classification of cryptocurrency acquisitions from “purchases” to “cash advances” between January 23 and February 2, 2018. Plaintiffs contended that this change subjected cardholders to higher interest rates and transaction fees in violation of their cardholder agreements. Moreover, the plaintiffs claimed that the bank’s failure to clearly and conspicuously disclose the different types of transactions and varying rates, as well as its failure to provide advance notice of significant changes in its account terms and accurate disclosures in periodic account statements, violated TILA and Regulation Z.

    The bank countered that no breach of contract occurred because cryptocurrency acquisitions are “cash-like transactions” that, under the cardholder agreement, are properly classified as cash advances. Specifically, the bank stated that because cryptocurrency can be a “medium of exchange, a measure of value, or a means of payment” under the definition of “cash,” it is therefore “cash-like.”

    The court concluded that the plaintiffs offered a reasonable argument that purchases of cryptocurrency did not constitute cash advances. Plaintiffs argued that the contractual term “cash-like”—which was used in the cardholder agreement to describe a cash advance—referred only to financial instruments formally tied to physical, government-issued “fiat” currency, such as checks, money orders, and wire transfers. “Because, as plaintiffs plausibly allege, cryptocurrency does not imbue its holder with a legal right to any government-issued currency, acquisitions of cryptocurrency could not be classified as a cash-like transaction,” the court stated. As such, “[b]ecause plaintiffs have identified a reasonable interpretation of ‘cash-like transactions’ that would exclude purchases of cryptocurrency, the breach of contract claim survives the motion to dismiss.” The court also allowed plaintiffs’ “clear and conspicuous” disclosure claim under TILA to survive because the contract was not clear that purchases of cryptocurrency would result in cash advance fees. However, the court dismissed the plaintiffs’ remaining TILA claims, finding that (i) the bank did not change the contract terms themselves, but rather their application; and (ii) the periodic account statements did not inaccurately convey what the plaintiffs owed to the bank for those particular periods of time.  

    Courts Digital Assets Class Action Credit Cards Cryptocurrency Disclosures TILA Regulation Z

  • CFPB adjusts annual dollar amount thresholds under TILA regulations

    Agency Rule-Making & Guidance

    On August 1, the CFPB published in the Federal Register the final rule amending Regulation Z, which implements the Truth in Lending Act (TILA), including as amended by the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act), the Home Ownership and Equity Protection Act of 1994 (HOEPA), and the Dodd-Frank Wall Street Reform and Consumer Protection Act’s ability-to-repay and qualified mortgage (ATR/QM) provisions. The CFPB is required to make annual adjustments to dollar amounts in certain provisions in Regulation Z, and has based the adjustments on the annual percentage change reflected in the Consumer Price Index in effect on June 1, 2019. The following thresholds will be effective on January 1, 2020:

    • For open-end consumer credit plans under TILA, the threshold for disclosing an interest charge will remain unchanged at $1.00;
    • For open-end consumer credit plans under the CARD Act amendments, the adjusted dollar amount for the safe harbor for a first violation penalty fee will increase from $28 to $29, and the adjusted dollar amount for the safe harbor for a subsequent violation penalty fee will increase from $39 to $40;
    • For HOEPA loans, the adjusted total loan amount threshold for high-cost mortgages will be $21,980, and the adjusted points and fees dollar trigger for high-cost mortgages will be $1,099; and
    • The maximum thresholds for total points and fees for qualified mortgages under the ATR/QM rule will be: (i) 3 percent of the total loan amount for loans greater than or equal to $109,898; (ii) $3,297 for loan amounts greater than or equal to $65,939 but less than $109,898; (iii) 5 percent of the total loan amount for loans greater than or equal to $21,980 but less than $65,939; (iv) $1,099 for loan amounts greater than or equal to $13,737 but less than $21,980; and (v) 8 percent of the total loan amount for loan amounts less than $13,737.

    Agency Rule-Making & Guidance CFPB TILA CARD Act Credit Cards HOEPA Qualified Mortgage Dodd-Frank

  • National bank announces data breach

    Privacy, Cyber Risk & Data Security

    On July 29, a national bank announced a data breach affecting approximately 100 million individuals in the United States and approximately six million in Canada. According to the announcement, the incident occurred on July 19 when an unauthorized individual obtained personal information of credit card customers and people who had applied for credit card products. The bank noted that no credit card account numbers or log-in credentials were compromised and over 99 percent of social security numbers were not compromised. The largest category of information accessed was consumer and small business information from applications submitted from 2005 through early 2019, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

    Upon discovery of the breach, the bank fixed the vulnerability that allowed for the individual to gain access and worked with the federal authorities, resulting in the arrest of the person allegedly responsible. The bank will notify and make free credit monitoring and identity protection available to those affected.

    Privacy/Cyber Risk & Data Security Data Breach Credit Cards

  • FTC, Ohio AG halt payment processor and credit card interest-reduction telemarketing operations

    Federal Issues

    On July 29, the FTC and the Ohio attorney general announced temporary restraining orders and asset freezes issued by the U.S. District Court for the Western District of Texas against a payment processor and a credit card interest-reduction telemarketing operation (see here and here). According to the FTC, the payment processor defendants allegedly violated the FTC Act, the Telemarketing Sales Rule (TSR), and various Ohio laws by, among other things, generating and processing remotely created payment orders or checks that allowed merchants—including deceptive telemarketing schemes—the ability to withdraw money from consumers’ bank accounts. The FTC asserted that the credit card interest-reduction defendants deceptively promised consumers significant credit card interest rate reductions, along with “a 100 percent money back guarantee if the promised rate reduction failed to materialize or the consumers were otherwise dissatisfied with the service.” However, the FTC claimed that most customers never received the promised rate reduction, were refused refund requests, and often received collection or lawsuit threats. Additionally, the credit card interest-reduction defendants allegedly violated the TSR by charging advance fees, failing to properly identify the service in telemarketing calls, and failing to pay to access the FTC’s National Do Not Call Registry.

    Federal Issues FTC State Attorney General Enforcement Payment Processors Credit Cards Telemarketing Sales Rule FTC Act

  • 6th Circuit: Merchant indemnified against card breach costs

    Courts

    On June 7, the U.S. Court of Appeals for the 6th Circuit affirmed a lower court’s ruling that an agreement between a Texas-based merchant and a payment processor did not require the merchant to pay millions of dollars in damage-control costs related to two card system data breaches. After the data breaches, the payment processor withheld routine payment card transaction proceeds from the merchant, asserting that the merchant was responsible for reimbursing the amount that the issuing banks paid to cardholders affected by the breaches. However, the merchant refused to pay the payment processor, relying on a “consequential damages waiver” contained in the agreement.

    The payment processor argued that, under the agreement’s indemnification clause and provision covering third-party fees and charges, the merchant retained liability for assessments passed down from the card brands’ acquiring bank. The district court, however, granted summary judgment to the merchant, finding that the merchant was not liable for the card brands’ assessments. The court further ruled that the payment processor materially breached the agreement when it diverted funds to reimburse itself.

    On review, the 6th Circuit agreed with the lower court that the assessments “constituted consequential damages” and that the agreement exempted consequential damages from liability under a “conspicuous limitation” to the indemnification clause. According to the 6th Circuit, the “data breaches, resulting reimbursement to cardholders, and levying of assessments, though natural results” of the merchant’s failure to comply with the Payment Card Industry's Data Security Standards, “did not necessarily follow from it.” In addition, the appellate court agreed with the district court’s holding that third-party fees and charges in the contract refer to routine charges associated with card processing services rather than liability for a data breach. The appellate court also concurred that the payment processor’s decision to withhold routine payment card transactions constituted a material breach of the agreement.

    Courts Sixth Circuit Appellate Payment Processors Credit Cards Data Breach Privacy/Cyber Risk & Data Security Indemnification

  • New York settles with online retailer over data breach

    State Issues

    On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted).  The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.

    The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.

    State Issues State Attorney General Privacy/Cyber Risk & Data Security Settlement Credit Cards

  • Class action alleges national bank’s grace period practices breach terms of cardholder agreement

    Courts

    On June 3, a consumer filed a class action complaint against a national bank alleging that the bank charges interest on credit card accounts even when consumers’ balances are paid in full by the billing cycle due date, in breach of the bank’s cardholder agreement. The complaint alleges that the cardholder agreement and monthly billing statements disclose to consumers that interest will not be charged on new purchases if those new purchases are paid off by the billing cycle’s due date, but that in practice the grace period is eliminated for new purchases “[i]f a consumer leaves even $1 on her account balance after a billing period due date.” The complaint alleges that the bank’s practice of only providing a grace period on new purchases for consumers “who have paid off their balances in full for two prior months” directly contradicts the cardholder agreement and consumer disclosures. In addition to breach of contract, the consumer alleges a violation of Delaware’s Consumer Fraud Act and breach of the covenant of good faith and fair dealing. The consumer is seeking certification of a class of similarly situated consumers; damages and restitution; and injunctive relief.

    Courts Class Action Credit Cards Consumer Finance Interest

  • Oklahoma prohibits credit, debit card surcharges

    State Issues

    On April 30, the Oklahoma governor signed HB 1425, which, among other things, bans surcharges on credit or debit card transactions. The ban prohibits sellers from increasing the price of any sales transaction for buyers who pay with a credit or debit card instead of a check, cash, or similar means. HB 1425 takes effect November 1.

    State Issues State Legislation Credit Cards Fees
