InfoBytes Blog

Financial Services Law Insights and Observations

  • Bank regulators respond to bankers’ motion to enjoin CRA final rule

    Courts

    On March 8, the Fed, OCC, and FDIC (the federal banking agencies, or “FBAs”) submitted a brief opposing the plaintiffs’ motion for a preliminary injunction to stop the CRA final rule from going into effect. As previously covered by InfoBytes, a group of trade, banking, and business associations filed a class-action complaint for injunctive relief against the bank regulators’ enforcement of the final rule to implement the CRA before it goes into effect on April 1. The FBAs assert that, in opposing the final rule, the plaintiffs are asking the court to “graft” two exclusions from the CRA’s purpose that are not actually in the statute: first, to exclude geographic areas where a bank conducts retail lending from the scope of the bank’s “entire community”; and second, to exclude a bank’s deposit activities from the assessment on whether a bank is meeting its entire community’s “credit needs.” The banking regulators also argued that the plaintiffs’ motion for preliminary relief should fail because the plaintiffs cannot show irreparable harm, in that they have failed to demonstrate that costs to comply with the CRA final rule, which would not apply until 2026 and 2027, were significant when considered in the context of the bank’s overall finances. Finally, the FBAs argued that the public interest and balance of equities favor allowing the final rule to proceed, as, among other factors, “the rule provides significant regulatory relief and lower compliance costs for smaller institutions by increasing the asset size thresholds that determine which performance tests apply to an institution.” 

    Courts Bank Regulatory CRA OCC FDIC Federal Reserve Agency Rule-Making & Guidance Litigation

  • New Hampshire enshrines a new consumer privacy law

    Privacy, Cyber Risk & Data Security

    On March 6, the Governor of New Hampshire, Chris Sununu, signed into law a sweeping consumer privacy bill. Under the act, consumers will have the right to confirm whether a controller (an individual who controls personal data) is processing their personal data and to access that data, as well as to correct inaccuracies, obtain a copy, delete the data, and opt out of the processing of the data for targeted advertising purposes. The act also imposed limits on controllers, including that a controller shall (i) limit the collection of data to only what is adequate, relevant, and reasonably necessary for the intended purpose; (ii) establish and maintain administrative security practices to protect the confidentiality of consumer personal data; (iii) not process sensitive data without obtaining the consumer’s consent or, if the data concerns a known child, process the data in accordance with COPPA; (iv) provide an easy means for consumers to revoke consent; and (v) not process personal data for targeted advertising purposes without consumer consent. The bill further outlined a processor’s responsibilities and required controllers to conduct a data protection assessment for each action that may present a risk of harm to a consumer. The act will go into effect on January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues New Hampshire State Legislation Opt-Out

  • New York Attorney General sues over 25 lenders for predatory lending operation

    State Issues

    On March 5, New York Attorney General Letitia James released a verified petition against 27 lenders accusing them of a “large-scale, predatory lending” operation in which they allegedly misrepresented themselves in order to issue small businesses short-term loans at “sky-high interest rates” in violation of New York Executive Law §63(12). According to the petition, the 27 lenders (Respondents) have issued “illegal, usurious” and fraudulent loans in the form of Merchant Cash Advances (MCAs), which imposed triple-digit interest rates as high as 820 percent. The NYAG noted such rates are beyond both the maximum civil usury interest rate (16 percent) and the maximum criminal usury interest rate (25 percent). The petition also alleged the Respondents misrepresented their transactions in court, making the court an “unwitting part of their illegal scheme.”

    The petition asked the court to permanently enjoin Respondents from committing any further fraudulent or illegal practices, cease all MCA collection payments, and void and rescind all MCAs. The NYAG also will seek an order that the Respondents disgorge all profits and that awards civil penalties of $5,000 for each fraudulent MCA transaction and $2,000 in costs from each Respondent.

    State Issues State Attorney General New York Fraud Lending Predatory Lending

  • Senator Warren pens letter to banking regulators to check on their regulatory commitments following 2023 bank failures

    On March 10, Senator Warren (D-MA) released a letter to Federal Reserve Vice Chair Michael Barr, FDIC Chairman Martin Gruenberg, and Acting Comptroller of the Currency Michael J. Hsu (the bank regulators) seeking information on any progress with their commitments to strengthen bank regulatory standards following the 2023 banking issues. Warren urged the bank regulators to reinstate the rules for banks with assets between $100 and $250 billion, including liquidity requirements and capital stress tests, that were rolled back with the 2018 enactment of the “Economic Growth, Regulatory Relief, and Consumer Protection Act” (EGRRCPA). She concluded her letter by posing several questions, including what efforts the bank regulators are taking to strengthen rules, when these rules are expected to be announced or implemented, how many banks will be subject to these rules, whether the implementation process would include a comment period, and whether lobbying by large banks against the Basel III capital rule has weakened the bank regulators’ resolve to strengthen rules for banks with more than $100 billion in assets. Sen. Warren has asked for a response by March 25.

    Bank Regulatory Basel FDIC OCC Federal Reserve EGRRCPA Dodd-Frank

  • Banking associations petition District Court for summary judgment against CFPB’s Final Rule on small business lending

    Courts

    On March 1, several banking associations (plaintiffs) filed a motion for summary judgment in a district court in an ongoing case against CFPB’s Final Rule in §1071, claiming that the Final Rule goes beyond the scope of the CFPB’s rulemaking authority. (For the rule, see 88 Fed. Reg. 35150 from May 31, 2023.) As previously covered by InfoBytes, the court’s last order granted motions for a preliminary injunction against the CFPB and its small business loan rule. The rule expanded the number of data points to 81 so certain lenders––including women-owned, minority-owned, and small businesses––would be required to disclose to covered financial institutions. The plaintiffs argued that the Final Rule would be a “fruitless attempt to capture the complexity of small business lending” given the number of extraneous data fields and would not fulfill the underlying purpose of the rule set forth by ECOA. That purpose would be to “facilitate enforcement of fair lending laws and enable communities, government entities, and creditors to identify business and community development needs and opportunities for credit for women-owned, minority-owned, and small businesses.”

    In their argument, the banking associations alleged that the CFPB had exceeded its statutory authority by requiring the extra data disclosures, that the data would not provide any tangible benefit, and that implementation of the rule is arbitrary and capricious as it ignores the significant costs that will be incurred by requiring lenders to provide such a large amount of extra information. The plaintiffs emphasized that while Congress granted the CFPB the power to add data points to information a lender might be expected to disclose, the CFPB exceeded its authority in adopting the Final Rule and that its only consequence “will be the imposition of a staggering compliance burden on lenders” and ultimately reduce opportunities for small businesses.

    Courts CFPB Small Business Section 1071 ECOA Congress

  • FDIC Vice Chair delivers remarks on tokenization

    On March 11, FDIC Vice Chairman Travis Hill delivered prepared remarks on “Banking’s Next Chapter? Remarks on Tokenization and Other Issues.” The speech addressed the evolution of money and payment systems, focusing on the recent innovation of tokenizing commercial bank deposits and other assets and liabilities. Hill distinguished tokenization from assets like Bitcoin and Ether: “tokenization involves a representation of ‘real-world assets’ on a distributed ledger, including… commercial bank deposits, government and corporate bonds, money market fund shares, gold and other commodities, and real estate.” Hill highlighted the potential benefits of tokenization, such as improved efficiency in payments and settlements, 24/7/365 operations, programmability, atomic settlement (the settlement, or the act of transferring ownership of an asset from seller to buyer, combining instant and simultaneous settlements) and the creation of an immutable audit trail. He also mentioned that these innovations could streamline complex processes like cross-border transactions and bond issuances, offering notable advantages over traditional banking systems.

    The speech also acknowledged challenges and risks associated with tokenization, including technical, operational, and legal uncertainties. Questions remain about the structure of the future financial system, interoperability between different blockchains, and the legal implications of transferring ownership via tokens, Hill added.

    Regarding the regulatory approach to digital assets and tokenization, Hill expressed the need for as much clarity as possible, even in areas where the technology is evolving quickly. For example, Hill noted that “it would be helpful to provide certainty that deposits are deposits, regardless of the technology or recordkeeping deployed, and if there are reasons to distinguish some or all tokenized deposits from traditional deposits for any regulatory, reporting, or other purpose, the FDIC should… explain how and why.”

    Bank Regulatory Federal Issues Digital Assets Bank Supervision Payments Federal Reserve

  • HUD sued for allegedly failing to refund mortgage insurance premiums for early-terminated FHA-insured mortgages

    Courts

    On March 12, a putative class action complaint was filed against the Department of Housing and Urban Development (HUD) for allegedly denying homeowners their Mortgage Insurance Premium (MIP) refunds upon the early termination of their FHA-insured mortgages. According to the complaint, HUD must refund unearned MIPs, but has refused to refund homeowners by creating “unnecessary bureaucratic hurdles.” The plaintiffs alleged that the OIG had confirmed “the validity of complaints regarding HUD’s handling of MIP refunds.”

    Citing HUD regulations, the plaintiffs alleged that when an FHA mortgage is terminated early, within seven years of the purchase or the refinancing of the property, there is an overpayment of the MIP which should be refunded by HUD. According to the plaintiffs, it is a “widespread practice” for HUD not to automatically refund MIPs, but instead to require a burdensome, lengthy process which hindered the prompt refund of fees in multiple ways. The 2022 OIG report cited by plaintiffs allegedly found, among other things, that HUD did not have adequate controls in place to ensure that refunds were appropriately tracked, monitored, and issued. The plaintiffs alleged that Floridians are owed over $21.7 million in refunds.

    The plaintiffs are seeking injunctive and declaratory relief and a return of all unfairly retained refunds “together with damages in the amount of the total earned interest and other investment monies accrued by Defendant with Plaintiff’s and Class Members’ monies.” 

    Courts Federal Issues HUD Class Action OIG FHA

  • Wyoming amends its open banking provisions

    State Issues

    On March 8, the Wyoming governor signed HB 145 (the “Act”) related to open banking, making two changes. First, the amendment updated the definition of a “customer” as a natural person or an agent, trustee, or representative acting on behalf of a natural person. Second, and for banks already participating in open banking, the Act limited the release of consumer data to third-party financial service providers to data that is only necessary for the consumer to receive the third-party product or service. The Act will go into effect on July 1. 

    State Issues State Legislation Wyoming Open Banking

  • CPPA releases latest draft of automated decision-making technology regulation

    State Issues

    The California Privacy Protection Agency (CPPA) released an updated draft of its proposed enforcement regulations for automated decisionmaking technology in connection with its March 8 board meeting. The draft regulations included new definitions, including “automated decisionmaking technology” which means “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking,” which expands its scope from its previous September update (covered by InfoBytes here).

    Among other things, the draft regulations would require businesses that use automated decisionmaking technology to provide consumers with a “Pre-use Notice” to inform consumers on (i) the business’s use of the technology; (ii) their right to opt-out of the business’s use of the automated decisionmaking technology and how they can submit such a request (unless exempt); (iii) a description of their right to access information; and (iv) a description of how the automated decisionmaking technology works, including its intended content and recommendations and how the business plans to use the output. The draft regulations detailed further requirements for the opt-out process.

    The draft regulations also included a new article, entitled “risk assessments,” which provided requirements as to when a business must conduct certain assessments and requirements that process personal information to train automated decisionmaking technology or artificial intelligence. Under the proposed regulations, every business which processes consumers’ personal information may present significant risk to consumers’ privacy and must conduct a risk assessment before initiating that processing. If a business previously conducted a risk assessment for a processing activity in compliance with the article and submitted an abridged risk assessment to the CPPA, and there were no changes, the business is not required to submit an updated risk assessment. The business must, however, submit a certification of compliance to the CPPA.

    The CPPA has not yet started the formal rulemaking process for these regulations and the drafts are provided to facilitate board discussion and public participation, and are subject to change. 

    State Issues Privacy Agency Rule-Making & Guidance California CPPA Artificial Intelligence

  • District Court sides with bank in class-action suit against foreign currency swap overcharges

    Courts

    On March 5, the U.S. District Court for the Eastern District of Virginia dismissed a purported class action complaint in which plaintiffs alleged the defendant banks used “fictional” foreign exchange rates that deviated from those incorporated into plaintiffs’ agreements with the defendants. Specifically, the plaintiffs asserted that defendants charged the plaintiffs “fictional” rates imposed by credit card companies, and in so doing, breached their relevant contracts with the plaintiffs and violated several state consumer protection laws.

    In dismissing the complaint, the court concluded that although the plaintiffs had standing to sue, their breach of contract claim failed as a matter of law because the complaint failed to identify any specific promises regarding exchange rates in the relevant contracts, and a singular reference to credit card companies’ rules did not incorporate such rules into the relevant contracts. The court further rejected the plaintiffs’ argument that an agency relationship existed between the credit card companies and defendants, reasoning that the plaintiffs failed to plausibly demonstrate defendants had any ability to control the rates. 

    The court similarly dismissed all the plaintiffs’ consumer protection law claims, concluding that the relevant laws did not permit a breach of contract to serve as the basis for an unfair or deceptive trade practice.

    Courts Virginia Standing Consumer Protection Data Breach
