InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Chopra testifies on CFPB direction
On October 27, newly sworn in CFPB Director Rohit Chopra appeared for the first time before the House Financial Services Committee to offer some of the first insights into his priorities at the Bureau. Chopra’s opening remarks focused on concerns regarding “Big Tech” and its control over the flow of money in the economy (these comments followed the issuance of information requests to six technology companies, covered by InfoBytes here). Chopra also focused on a need to ensure robust competition in financial markets and listen to local financial institutions and nascent players about obstacles they face when seeking to challenge dominant incumbents. Chopra also stressed the importance of holding “repeat offenders” accountable, highlighted an intent to coordinate efforts with federal and state regulators, and indicated a preference for scrutinizing larger market participants over smaller entities. He noted, however, potential leniency for companies that self-identify their own issues and violations. Additional highlights of the hearing include the following:
Enforcement. Chopra noted that “markets work well when rules are easy to follow and easy to enforce.” He also expressed his view that the CFPB should focus its resources on larger industry participants and “repeat offenders” rather than “strong-arming” small businesses into settlements to create law. Chopra also expressed a preference for setting regulatory guidelines through enforcement, indicating that “markets work well when rules are easy to follow, and easy to enforce.”
Section 1033 of Dodd-Frank. With respect to implementing this set of requirements, which deals with consumers’ rights to access information about their financial accounts, Chopra indicated a desire to “unlock more competition,” but warned that there also needs to be assurance that “banks and nonbanks are operating under the same set of rules” and that there is “not regulatory arbitrage.” While Chopra did not specify a timeline for promulgating the final rule implementing this section, he noted that the process is underway and that the Bureau is consulting with various experts. (Issuance of the ANPR was covered by InfoBytes here.)
Abusive acts and practices. Chopra said that he agreed with former acting Director Dave Uejio’s decision to rescind a policy statement on “abusive” conduct issued by former Director Kathy Kraninger. Chopra stated he has “huge aspirations to create durable jurisprudence” regarding the definition of “abusive” in Dodd-Frank. He noted that “it could be a mix” of judicial decisions and “how the CFPB may use rules and guidance to help articulate those standards.”
Cryptocurrency and stablecoins. Chopra expressed concerns about the potential for big payment platforms to process stablecoins—cryptocurrencies pegged to stable commodities or currencies like the dollar. However, Chopra clarified that it is not his intention to use his regulatory authority to ban or limit the use of cryptocurrency or blockchain technology. Regarding the CFPB’s role in cryptocurrency, Chopra claimed that depending on the laws implicated, there is a “fact-based determination as to any sort of law that cryptocurrencies or digital currencies have to comply with.” He further described that this is “something that the CFPB is working with the other regulators on,” and emphasized that “where digital payments [are] involved, the Electronic Fund Transfer Act is a key law with key consumer protections.”
QM Rule. When asked about the postponement of the mandatory compliance date of the General Qualified Mortgage final rule to October 2022 (covered by InfoBytes here), Chopra said he is eager “to hear of places where it needs to be changed” but emphasized that the postponement was before his time and that the rule has gone into effect. He also stated that “QM is a key part of the mortgage market and the mortgage regulatory guidelines.” Therefore, he wants to ensure that the CFPB is always looking at it to make sure the objectives that Congress laid forward in Dodd-Frank are being carried out. When asked about his support of the proposed change in the QM rule, Chopra said he did not know but wants “to make sure he understands the full basis of it.”
Chopra echoed such sentiments in his October 28 testimony before the Senate Banking Committee.
FTC updates Safeguards Rule for financial institutions
On October 27, the FTC announced a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. The final rule follows a 2019 notice of proposed rulemaking (covered by InfoBytes here) and makes the following modifications to the existing rule:
- Adds specific criteria financial institutions must undertake when conducting a risk assessment and implementing an information security program, including provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response, among others. The final rule also adds measures to ensure employee training and service provider oversight are effective.
- Requires financial institutions to designate a single qualified individual to oversee the information security program. Periodic reports must also be made to an institution’s board of directors or governing bodies.
- Provides an exemption from requirements related to written risk assessments, incident response plans, and annual reporting to the board of directors, for financial institutions that collect information on fewer than 5,000 consumers.
- Expands the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e. companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule).
- Adds several definitions and related examples into the Safeguards Rule itself instead of incorporating them through a reference from a related FTC rule.
Provisions of the final rule under Section 314.5 are effective one year after the date of publication in the Federal Register. The remainder of the provisions are effective 30 days following publication.
Additionally, the FTC issued a supplemental notice of proposed rulemaking seeking comments on a proposal to further amend the Safeguards Rule to require financial institutions to report security events to the Commission where a determination has been made that consumer information has been misused, or is reasonably likely to be misused, in an event affecting at least 1,000 consumers. Comments are due 60 days after publication in the Federal Register.
The FTC also announced a final rule adopting largely technical changes to its authority under the Privacy of Consumer Financial Information Rule (Privacy Rule) under the Gramm-Leach-Bliley Act, which requires financial institutions to inform consumers about their information-sharing practices and allow consumers the ability to opt out of having their information shared with certain third parties. The Privacy Rule is amended to revise the rule’s scope, modify the definitions of “financial institution” and “federal functional regulator,” and update requirements pertaining to annual customer privacy notices. The FTC noted that these changes align the Privacy Rule with changes made under Dodd-Frank and the FAST Act.
CFTC awards $200 million to whistleblower
On October 21, the CFTC announced an approximately $200 million whistleblower award to a claimant who reported “specific, credible, and timely” information that contributed to an already open investigation, which led to a successful Commodity Exchange Act (CEA) enforcement action, as well as to the success of two related actions by a U.S. federal regulator and a foreign regulator. The associated order notes that the claimant voluntarily provided original information that led the CFTC to important, direct evidence of wrongdoing. According to the announcement, “to qualify for an award, a whistleblower who significantly contributed to the success of an enforcement action must demonstrate that there is a ‘meaningful nexus’ between the information provided and the CFTC’s ability to successfully complete its investigation, and to either obtain a settlement or prevail in a litigated proceeding.” The Commission determined the whistleblower met this standard. However, because the whistleblower’s information was never shared with the state regulator, the claim associated with a third related action by the state regulator was denied. In a statement released by CFTC Commissioner Dawn D. Stump, the Commissioner expressed her disagreement with the Commission’s award to the claimant with respect to the foreign regulator’s action. She concluded that there needs to be “an especially close look at cases where a whistleblower asks the Commission to tap its limited Customer Protection Fund for an award relating to an action by a foreign futures authority to address harm outside the United States.”
The CFTC has awarded approximately $300 million to whistleblowers since the enactment of its Whistleblower Program under Dodd-Frank, and whistleblower information has led to nearly $3 billion in monetary relief.
CFPB adjusts annual dollar threshold for Regulation Z, CLA
On October 25, the CFPB announced the annual dollar threshold adjustments that govern the application of Regulation Z (Truth in Lending Act). The final rule revises the dollar amounts, where appropriate, for provisions implementing TILA and amendments to TILA, including under the CARD Act, the Home Ownership and Equity Protection Act of 1994 (HOEPA), and Dodd-Frank. Each year the thresholds must be readjusted based on the annual percentage increase in the Consumer Price Index for Urban Wage Earners and Clerical Workers (CPI-W), which took effect June 1. Effective January 1, 2022, the threshold that triggers requirements to disclose minimum interest charges for open-end consumer credit plans under TILA will remain unchanged at $1.00. The adjusted dollar amount for a safe harbor for a first violation penalty fee will increase to $30 in 2022, and the adjusted dollar amount for a safe harbor for a subsequent violation penalty fee will increase to $41 for open-end consumer credit plans under the CARD Act amendments to TILA. With respect to HOEPA, the adjusted total loan amount threshold for high-cost mortgages in 2022 will be $22,969, whereas the adjusted points and fees dollar trigger for high-cost mortgages will be $1,148. The final rule also specifies 2022 pricing thresholds for the spread between a qualified mortgage’s annual percentage rate and the average prime offer rate, and identifies points and fees limits for all categories of qualified mortgages.
Additionally, the Bureau and the Federal Reserve Board finalized the annual dollar threshold adjustment that governs the application of the Consumer Leasing Act (Regulation M), as required by the Dodd-Frank Act. The exemption threshold for 2022, based on the annual percentage increase in the CPI-W, will increase from $58,300 to $61,000.
FSOC directs regulators to take measures to mitigate climate-related financial risks
On October 21, the Financial Stability Oversight Council (FSOC) released a new report in response to President Biden’s May executive order, which directed financial regulators to take steps to mitigate climate-related risk related to the financial system. The Report on Climate-Related Financial Risk (see also FSOC’s fact sheet) identified more than 30 specific recommendations for member agencies, including that members should: (i) expand capacity and efforts “to define, identify, measure, monitor, assess, and report on climate-related financial risks and their effects on financial stability,” including through “investments in staffing, training, expertise, data, analytic and modeling methodologies, and monitoring”; (ii) promptly conduct an internal inventory of currently available data and develop plans for acquiring necessary additional data to fill climate-related data and methodological gaps; (iii) review existing public disclosure requirements and consider updating public reporting requirements in a way that would build on the work of the Task Force on Climate-Related Financial Disclosures; and (iv) continue to assess and mitigate climate-related risks to financial stability, including through scenario analysis, and evaluate whether revised or new regulations or guidance is necessary to clarify expectations for regulated or supervised institutions. The report also called for enhanced coordination across member agencies, and said a Climate-related Financial Risk Committee will be formed to “identify priority areas for assessing and mitigating climate-related risks to the financial system and serve as a coordinating body to share information, facilitate the development of common approaches and standards, and foster communication across FSOC members.” A Climate-related Financial Risk Advisory Committee will also be formed to help gather information and analysis from stakeholders on climate-related financial risks. Treasury Secretary Janet Yellen warned that FSOC has a responsibility under the Dodd-Frank Act “to respond to emerging threats to the stability of the United States financial system” and to “ensure the resilience of the financial system to the future impacts of climate change.”
SEC reopens comment period on listing standards for recovery of erroneously awarded compensation
On October 14, the SEC reopened the comment period on proposed rules for listing standards for the recovery of erroneously awarded compensation. According to the notice, the reopened comment period allows for the submission of comments and data on rule amendments first proposed in 2015, and requests comments in response to questions being raised by the SEC now in its reopening release. Among other things, the proposed rules would prohibit national security exchanges and national securities associations to list any issuer of any security unless the issuer adopts a compensation recovery policy that meets certain standards applicable to recovering incentive-based compensation awards based on erroneously reported financial results that are later restated to correct material errors to previously issued financial statements. According to a statement in support of the re-opened comment period on the Dodd-Frank Act rule regarding clawbacks of erroneously awarded incentive-based compensation, SEC Chair Gary Gensler stated that this is “an opportunity to strengthen the transparency and quality of corporate financial statements as well as the accountability of corporate executives to their investors.” Comments are due 30 days after publication in the Federal Register.
District Court: Maryland escrow law does not confer private right of action
On September 22, the U.S. District Court for the District of Maryland granted a national bank’s motion for summary judgment in an action claiming the bank allegedly failed to pay interest on mortgage escrow accounts. The plaintiff filed a putative class action asserting various claims including for violation of Section 12-109 of the Maryland Consumer Protection Act (MCPA), which requires lenders to pay interest on funds maintained in escrow on behalf of borrowers. In response, the bank filed a motion to dismiss on the basis that the MCPA is preempted by the National Bank Act and by 2004 OCC preemption regulations. In 2020, the court denied the bank’s motion to dismiss after it determined, among other things, that under Dodd-Frank, national banks are required to pay interest on escrow accounts when mandated by applicable state or federal law. (Covered by InfoBytes here.) Citing previous decisions in similar escrow interest cases brought against the same bank in other states (covered by InfoBytes here and here), the court stated that Section 12-109 “does not prevent or significantly interfere with [the bank’s] exercise of its federal banking authority, because [Section] 12-109’s ‘interference’ is minimal, when compared with statutes that the Supreme Court has previously found were preempted.” The court further noted that state law—which “still allows [the bank] to require escrow accounts for its borrowers”—provides that the bank must pay a small amount of interest to borrowers if it chooses to maintain escrow accounts.
However, in its most recent ruling, the court held that the MCPA does not authorize the plaintiff to sue either. “[T]his court finds that § 12-109 does not confer a private right of action,” the court wrote, adding that the plaintiff’s breach of contract claim could not get around a notice-and-cure provision in her mortgage agreement that she had not complied with before suing. The plaintiff argued that these requirements did not apply because “her self-styled breach of contract claim is actually a statutory claim because the allegedly breached contractual provision is one which pledges general adherence to applicable law.” The court disagreed, stating that under the plaintiff’s theory “any claim for breach of contract, which also violated a federal or state law, would be vaulted to a privileged hybrid status. Such claims would enjoy an unlimited private right of action (regardless of whether the underlying statute created one) and. . .would be unbounded by any of the provisions or conditions precedent detailed in the contract itself.” The court also ruled that the plaintiff’s escrow statements, which “correctly reflected that her account was not accruing interest,” are themselves “not rendered deceptive by the mere fact that Plaintiff believes such interest is owed.”
FTC approves five FCRA rule changes for auto dealers
On September 8, the FTC announced it approved final revisions to rules that would implement parts of the FCRA in line with the Dodd-Frank Act. As previously covered by InfoBytes, the agency sought comment on the proposed rule changes in 2020. In separate notices, the FTC approved largely technical, non-substantive changes, clarifying five FCRA rules enforced by the FTC, which apply only to motor vehicle dealers. The changes affect the following rules:
- Address Discrepancy Rule, which requires users of consumer reports to implement policies and procedures for, among other things, handling notices of address discrepancy received from a nationwide consumer reporting agency (CRA) and furnishing an address for a consumer that a “user has reasonably confirmed as accurate to the CRA from whom it received the notice.”
- Affiliate Marketing Rule, which provides consumers the right to restrict a person from using certain information received from an affiliate to make solicitations.
- Furnisher Rule, which requires entities to implement policies and procedures regarding the accuracy and integrity of the consumer information they provide to a CRA.
- Pre-screen Opt-Out Notice Rule, which outlines requirements for those who use consumer reports to make unsolicited credit or insurance offers to consumers.
- Risk-Based Pricing Rule, which requires that persons who use information from a consumer report to offer less favorable terms are required to provide a risk-based pricing notice to consumers about the use of such data.
CFPB proposes collection of small business lending data
On September 1, the CFPB released a notice of proposed rulemaking (NPRM) and request for public comment on a proposed rule to implement Section 1071 of the Dodd-Frank Act, which requires the agency to collect and disclose data on lending to women and minority-owned small businesses. The NPRM would create a new subpart B to existing Regulation B, the implementing regulation for ECOA, in order to increase transparency in the lending marketplace. Covered financial institutions would be required to collect and report to the Bureau a broad set of data points relating to applications for several small business credit products with the stated goal of facilitating the enforcement of fair lending laws and enabling the identification of business and community development needs and opportunities for women-owned, minority-owned, and other small businesses.
The NPRM defines a covered “financial institution” as an entity that meets a specific origination threshold where at least 25 “covered credit transactions” are originated to small businesses in each of the two preceding calendar years. A “covered credit transaction” under the NPRM would include transactions that meet the definition of business credit under Regulation B, as well as loans, lines of credit, credit cards, merchant cash advances, credit transactions for agricultural purposes, and transactions covered by HMDA. The definition of a small business would be one that had less than $5 million in gross annual revenue for the preceding fiscal year. Additionally, the NPRM defines a “covered application” as “an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested.” Data points that covered financial institutions would be required to collect on a calendar-year basis to be reported by June 1 of the following year are also provided.
The Bureau proposes that an eventual final rule would become effective 90 days after publication in the Federal Register; however, compliance would not be required until approximately 18 months after publication. Additionally, the Bureau proposes certain transitional provisions that would allow covered financial institutions to begin collecting data prior to the compliance date and would permit covered financial institutions to “use either the two calendar years immediately preceding the effective date or the second and third years preceding the compliance date to determine coverage.” (See also the Bureau’s summary on the NPRM here.) Comments on the NPRM will be received for 90 days following publication in the Federal Register.
“This data will be used to support business and community development and foster fair lending,” acting Director Dave Uejio noted in a statement following the announcement of the NPRM. He added that the “rule is about providing greater transparency into which small businesses get credit and which ones do not.”
A Buckley Special Alert is forthcoming.
CFPB to issue Section 1071 NPRM by September 30
On August 23, the CFPB filed its sixth status report in the U.S. District Court for the Northern District of California as required under a stipulated settlement reached in February 2020 with a group of plaintiffs, including the California Reinvestment Coalition. The settlement (covered by InfoBytes here) resolved a 2019 lawsuit that sought an order compelling the Bureau to issue a final rule implementing Section 1071 of the Dodd-Frank Act, which requires the Bureau to collect and disclose data on lending to women and minority-owned small businesses. The newest status report follows a July court order, which requires the Bureau to issue a notice of proposed rulemaking on small business lending data by September 30 (covered by InfoBytes here). Among other things, the Bureau notes in its status report that it expects to meet the September deadline and that it “is continuing to work on the significant legal and policy issues that must be resolved to implement the Section 1071 regulations.”
Find continuing Section 1071 coverage here.