The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.

The new regulation became effective upon the publication of a Notice of Adoption by the NYDFS in the State Register on July 3, 2018.  Its definitions of “consumer credit report”  and “consumer credit reporting agency” closely track the definitions of, respectively, the terms “consumer report” and “consumer reporting agency” in the FCRA.  However, the term “consumer credit report” is limited to “a consumer report…bearing on a consumer’s credit worthiness, credit standing, or credit capacity.”  Similarly, the term “consumer credit reporting agency” is limited to “a consumer reporting agency that regularly engages in the practice of assembling or evaluating and maintaining [information from furnishers] for the purpose of furnishing consumer credit reports to third parties.”  The term “New York consumer” is defined as “an individual who is a resident of New York State as reflected in the most recent information in the possession of a [CCRA].”

Registration.  A CCRA must register with the NYDFS if “within the previous 12-month period, [it] has assembled, evaluated, or maintained a consumer credit report on one thousand or more New York consumers.”  Every CCRA “that is required to register…at any time between June 1, 2018 and September 1, 2018” must register by September 15, 2018.  Registration must be renewed by February 1, 2019 for the 2019 calendar year and by February 1 of each year thereafter.

The regulation prohibits a CCRA that is required to be registered and has not done so from engaging in the business of a CCRA in New York by furnishing a consumer credit report on a New York consumer to any individual or entity.  It also prohibits any “regulated person” from paying “any fee or other compensation” or transmitting any information about a New York resident to a CCRA that is required to be registered and has not done so.  A “regulated person” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

Prohibited Practices.  A CCRA that is required to be registered is prohibited from engaging in various practices including engaging in any “unfair, deceptive, or predatory act or practice toward any consumer that is prohibited by any federal law, or by any New York State law that is not preempted by federal law,” or engaging in “any unfair, deceptive, or abusive act or practice in violation of section 1036 of the [Dodd-Frank Act].”

Cybersecurity.  A CCRA that is required to be registered must comply with specified provisions of the NYDFS cybersecurity regulation.  Except for the provisions that have a February 28, 2019 compliance date, a CCRA must comply with the specified provisions of the cybersecurity regulation by November 1, 2018.

Politico has reported that on July 19, the Senate Banking Committee will hold a hearing on President Trump’s nomination of Kathy Kraninger to serve as CFPB Director.  While we find this surprising, we continue to believe that she will not be confirmed by the full Senate until after the mid-term elections.

Politico also reported that on July 12, the Senate Banking Committee will hold a hearing on credit reporting agencies at which the witnesses will include Peggy Twohig, CFPB Assistant Director for Nonbank Supervision, and Maneesha Mithal, an Associate Director in the FTC’s Bureau of Consumer Protection.

The CFPB announced that it has entered into a consent order with Security Group Inc. and its subsidiaries (Security Group) to settle an administrative enforcement action that charged the companies with having engaged in unlawful debt collection and credit reporting practices.  The consent order requires Security Group to pay a civil money penalty of $5 million.

The consent order states that Security Group owned and operated approximately 900 locations in 20 states.  According to the consent order, certain Security Group entities were primarily in the business of making consumer loans and other entities were primarily in the business of purchasing retail installment contracts from auto dealers. The consent order concludes that Security Group engaged in debt collection practices that constituted unfair acts and practices in violation of the Consumer Financial Protection Act and credit reporting practices that violated the Fair Credit Reporting Act and Regulation V.

The consent order finds that:

  • The unlawful debt collection practices in which Security Group engaged included the following:
    • Visiting consumers’ homes and places of employment, as well as the homes of their neighbors, and visiting consumers in other public places, thereby disclosing or risking disclosure of consumers’ delinquencies to third parties, disrupting consumers’ workplaces and jeopardizing their employment, and humiliating and harassing consumers
    • Routinely calling consumers at work, sometimes calling consumers on shared phone lines and in the process speaking with co-workers or employers and thereby disclosing or risking disclosure of consumers’ delinquencies to third parties, and also calling after being told that consumers were not allowed to receive calls at work and that future calls could endanger their employment
    • Failing to heed and properly record consumers’ and third parties’ requests to cease contact or to give personnel access to cease-contact requests logged by employees in other stores, thereby resulting in repeated unlawful calls to consumers and third parties
  • The unlawful credit reporting practices in which Security Group engaged included the following:
    • Failing to establish and implement any reasonable policies and procedures regarding the accuracy and integrity of information furnished to consumer reporting agencies (CRAs)
    • Failing to address in policies and procedures how to properly code customer account information or responses to consumer disputes using the Metro 2 Guide and not ensuring that its monthly furnishing system was coordinated with its consumer dispute furnishing practices
    • Regularly furnishing information to CRAs that it had determined was inaccurate based on information maintained in its database or other information, such as information provided by consumers as part of a credit reporting dispute or information provided to CRAs

The consent order appears to indicate that first-party collectors that engage in conduct that the FDCPA would prohibit as unfair conduct by third-party collectors continue to be at risk for violating the CFPA’s UDAAP prohibition.  It also appears to indicate that the CFPB continues to disfavor in-person debt collection activities and that companies that engage in them remain in great peril.  In December 2015, the CFPB issued a bulletin to provide guidance to creditors, debt buyers and third-party debt collectors about compliance with the CFPA UDAAP prohibition and the FDCPA when conducting in-person debt collection visits, such as visits to a consumer’s workplace or home.

In addition to imposing the $5 million civil money penalty, the consent order prohibits Security Group from engaging in the debt collection practices found to be unlawful, and requires it to:

  • implement and maintain reasonable written policies and procedures regarding the accuracy and integrity of the information furnished to CRAs
  • correct or update any inaccurate or incomplete information furnished to CRAs
  • provide a prescribed notice to customers affected by inaccurate information furnished to CRAs
  • update its policies and procedures to include a specific process for identifying when information furnished to CRAs is inaccurate or requires updating (which must include at a minimum the monthly examination of sample accounts and monitoring and evaluation of disputes received from CRAs and customers)
  • submit a compliance plan to the CFPB to ensure that Security Group’s credit reporting and collections comply with applicable federal consumer financial laws and the terms of the consent order (which includes a list of items that, at a minimum, must be part of the compliance plan)

It is noteworthy that while the consent order imposes a $5 million civil penalty on Security Group, unlike a 2015 CFPB consent order that required the respondents to refund amounts collected through in-person visits found to be unlawful, the consent order does not require Security Group to make refunds to consumers.

In its Spring 2018 rulemaking agenda, the CFPB stated that it “is preparing a proposed rule focused on FDCPA collectors that may address such issues as communication practices and consumer disclosures.”  It estimated the issuance of an NPRM in March 2019.

The U.S. Senate on March 14 passed S.2155, the Economic Growth, Regulatory Relief, and Consumer Protection Act (the Act), by a vote of 67 to 31.  Although the Act would not make the sweeping changes to the Dodd-Frank Act found in the Financial CHOICE Act of 2017 (CHOICE Act), it, nevertheless, would provide financial institutions welcome relief from a number of specific Dodd-Frank provisions.

Representative Jeb Hensarling, Chairman of the House Financial Services Committee, has indicated that further negotiations between the House and Senate must take place before the House votes on the Act.  House Speaker Paul Ryan has taken a more conciliatory tone, commenting on the need for common sense bipartisan solutions in the final bill.  As a result, while a final bill can be expected to include changes to the Act, it is unclear how substantial those changes will be.  Assuming a final bill signed by President Donald J. Trump retains many, if not most, of the Act’s provisions, the Act should positively impact both smaller and larger financial institutions.  The Act would make a number of changes to provisions of Dodd-Frank and other federal laws regarding consumer mortgages, credit reporting, and loans to veterans and students.

On June 19, 2018, from 12 p.m. to 1 p.m. ET, Ballard Spahr attorneys will hold a webinar: Economic Growth, Regulatory Relief, and Consumer Protection Act: Anatomy of the New Banking Statute.  The webinar registration form is available here.

The Act would also reduce the regulatory burdens on financial institutions—particularly financial institutions with total assets of less than $10 billion.  Bank holding companies with up to $3 billion in total assets would be permitted to comply with less restrictive debt-to-equity limitations instead of consolidated capital requirements.  This change should promote growth by smaller bank holding companies, organically or by acquisition.  Larger institutions should benefit from the higher asset thresholds that would apply to systemically important banks subject to enhanced prudential standards.  The higher thresholds may lead to increased merger activity between and among regional and super regional banks.

Although the banking industry can be expected to view the Act positively should it become law, it falls short of the CHOICE Act in several important respects. The CHOICE Act would:

  • reduce regulatory burdens on institutions based on capital levels irrespective of asset size
  • reduce the Financial Stability Oversight Council’s powers
  • repeal Dodd–Frank’s orderly liquidation authority, and
  • scale back the CFPB’s powers.

For a summary of some of the Act’s key provisions applicable to financial institutions, click here for our full alert.

In a new report on consumer credit trends, the CFPB looks at how recent changes to the public record data standards used by the “Big 3” consumer reporting agencies (CRAs) have affected consumers’ credit reports and credit scores.  The data used in the report comes from the CFPB’s Consumer Credit Panel, which the report describes as “a longitudinal, nationally-representative sample of approximately five million de-identified credit records maintained by one of the three nationwide [CRAs].”

The new standards, which became effective on July 1, 2017, applied to public record data already existing on the CRAs’ credit reporting databases as well as new data.  They created new verification requirements for data on civil judgments, tax liens, and bankruptcies, such as requirements that there be minimum personal identifying information and that courthouse data be refreshed at least every 90 days.

The changes to the standards were adopted as part of the National Consumer Assistance Plan, an initiative aimed at enhancing the accuracy of credit reports and making it easier for consumers to correct credit report errors.  The Plan was the result of a settlement agreement between the “Big 3” CRAs and over 30 state attorneys general.  The new report’s findings might be seen as subtle criticism by the CFPB under Mick Mulvaney of the Plan and former Director Cordray’s CFPB.  In other words, the report’s findings could be seen to show that the concerns about the reporting of civil judgments and tax liens that drove the Plan were largely overblown.

The CFPB’s key findings include:

  • When the new standards were implemented, all civil judgments and about half of the tax liens were removed from credit reports while the number of reported bankruptcies remained virtually unchanged.
  • In June 2017, shortly before the new standards were implemented, 6 percent of consumers had a civil judgment or tax lien.  As a result of the new standards, about 83 percent of these consumers lost one or more judgments or liens in July 2017.  After the new standards were implemented, only 1.4 percent of consumers had a tax lien on their credit reports.
  • About 4 percent of consumers with civil judgments or tax liens on their credit reports in June 2017 experienced an increase in their credit scores in September 2017 due to the new standards.  After the new standards were implemented, consumers who had civil judgments or tax liens generally experienced score changes that were either around zero or 15 points.
  • To evaluate whether the score changes were significant enough to affect these consumers’ access to or cost of credit, the CFPB looked at whether the score changes changed the consumers’ credit profiles.  To do this evaluation, the CFPB put a consumer’s credit scores in June and September 2017 into one of the following bands: deep subprime, subprime, near prime, prime, and super prime.  75 percent of consumers remained in the same score band.  About 6 percent of consumers who had civil judgments or liens in June 2017 had deep subprime or subprime credit scores and rose to near prime or above scores in September 2017.
  • Overall, about 4 percent of consumers with civil judgments or tax liens on their credit reports in June 2017 moved to a higher score band in September 2017.  The CFPB seems to suggest that the small effect might have been expected because consumers who had civil judgments and tax liens also had more delinquencies and more derogatory information in their credit reports.
  • The CFPB does not have sufficient data to evaluate the extent to which the new standards have affected the predictiveness of scoring models.  However, it notes that studies have been published indicating that the new standards will have a minimal effect on predictive performance and observes that although the CFPB is unable to verify such results, “the small number of consumers who had civil judgments or tax liens and experienced a score change large enough to improve their credit profile suggests that any effects on overall model predictiveness (either positive or negative) are likely minimal.”

 

 

This week, New York Governor Andrew Cuomo issued a press release directing the New York Department of State to issue a new regulation impacting consumer reporting agencies.  The new regulation was adopted on an emergency basis and went into immediate effect in order to protect consumers from identity theft and other potential economic harms that may arise following a data breach.

The regulation requires consumer reporting agencies to:

  • Identify dedicated points of contact for the Division of Consumer Protection to obtain information to assist New York consumers in the event of a data breach;
  • Respond within 10 days to information requests made on behalf of consumers by the Division of Consumer Protection;
  • File a form with certain information to the Division of Consumer Protection, including all fees associated with the purchase or use of products and services marketed as identity theft protection products as well as a listing and description of all business affiliations and contractual relationships with any other entities relating to the provision of any identity theft prevention or mitigation products or services; and
  • In any advertisements or other promotional materials, disclose any and all fees associated with the purchase or use of proprietary products offered to consumers for the prevention of identity theft, including, if offered on a trial basis, any and all fees charged for its purchase or use after the trial period and the requisites of cancellation of such continued use.

The protections appear targeted to address alleged abuses by the consumer reporting industry following the recent Equifax data breach.  Cuomo also announced that the Division of Consumer Protection will be issuing a demand letter to Equifax for information to assess the damage and risk of identity theft to New York State consumers resulting from the data breach.

Cuomo did not address the status of previously announced proposed regulations of the consumer credit reporting agencies by the New York Department of Financial Services.

Last week, members of the Senate Banking Committee announced that they had reached bipartisan agreement on “legislative proposals to improve our nation’s financial regulatory framework and promote economic growth.”  Following the announcement, Committee members released a draft of a bill (S. 2155), the “Economic Growth, Regulatory Relief, and Consumer Protection Act.”  A markup of the bill is scheduled for December 5, 2017.  Many observers believe that due to its bipartisan support, there is a strong likelihood that the bill will be enacted as part of a regulatory relief package.

Provisions of the bill relevant to providers of consumer financial services include the following:

Small Depository Qualified Mortgage (Section 101). For an insured depository institution or insured credit union, the bill would create a qualified mortgage loan entitled to the safe harbor under the ability to repay rule.  In general, the depository institution or credit union would need to hold the loan in portfolio, and the loan could not have an interest-only or negative amortization feature and would need to comply with limits on prepayment penalties.  While the creditor would need to consider and document the debt, income and financial resources of the consumer, it would not have to follow Appendix Q to the ability to repay rule.

Appraisal Exemption for Rural Areas (Section 103). The bill would provide an exemption from any appraisal requirement for a federally related transaction involving real property if (1) the property is located in a rural area, (2) the loan is less than $400,000, (3) the originator is subject to oversight by a federal financial institution regulator, and (4) no later than three days after the Closing Disclosure under the TRID rule is given to the consumer, the originator has contacted at least three state certified or licensed appraisers, as applicable, and has documented that no state certified or licensed appraiser, as applicable, is available within a reasonable period of time.  The applicable federal financial institution regulator would determine what constitutes a reasonable period of time.  The exemption would not apply to high-cost loans under the Truth in Lending Act (TILA), or when the applicable federal financial institution regulator requires the financial institution to obtain an appraisal to address safety and soundness concerns.

Home Mortgage Disclosure Act Triggers (Section 104). The bill would increase the loan volume trigger to be a reporting company under the revised Home Mortgage Disclosure Act (HMDA) rule from 25 closed-end mortgage loan originations in each of the preceding two calendar years to 500 such loans in each of the two preceding calendar years.  The 25 closed-end loan trigger went into effect in 2017 for depository institutions, and goes into effect on January 1, 2018 for non-depository institutions.

The bill also would make permanent under the revised HMDA rule a trigger of 500 open-end mortgage loan originations in each of the preceding two calendar years.  As reported previously, the revised HMDA rule provided for a trigger effective January 1, 2018 of 100 open-end mortgage loan originations in each of the preceding two calendar years, and in August 2017 the CFPB temporarily raised the trigger for 2018 and 2019 to 500 open-end mortgage loans in each of the preceding two calendar years.  The bill includes a requirement for the Comptroller General of the United States to conduct a study after two years to evaluate the impact of the amendments on the amount of data available under HMDA, and submit a report to Congress within three years.

Loan Originator Transition Authority (Section 106). Subject to various conditions, the bill would establish temporary transition authority for an individual loan originator to conduct origination activity for up to 120 days from when the individual submits an application to be licensed in a state in cases in which the individual is (1) registered and then becomes employed by a state-licensed mortgage company or (2) licensed in a state and then seeks to conduct loan origination activity in another state.

TRID Rule Provisions (Section 110). The bill includes a provision that apparently is intended to eliminate the need for a second three business day waiting period under the TILA/Real Estate Settlement Procedures Act Integrated Disclosure (TRID) rule in cases in which the annual percentage rate decreases and becomes inaccurate after the initial Closing Disclosure is provided, thus triggering the need for a revised Closing Disclosure.  Currently, the TRID rule requires both a revised Closing Disclosure and a new three business day waiting period before consummation may occur.  As drafted, however, the bill would amend the TILA timing requirements for high-cost mortgages under the Home Ownership and Equity Protection Act.  The TRID rule timing requirements are set forth in Regulation Z and not TILA.  Thus, revisions to the bill are necessary to achieve the intended goal.

The bill also includes a sense of Congress provision with regard to the TRID rule, which provides that the CFPB should endeavor to provide clearer, authoritative guidance on (1) the applicability of the rule to mortgage assumptions, (2) the applicability of the rule to construction-to-permanent home loans, and the conditions under which such loans can be properly originated, and (3) the extent to which lenders can, without liability, rely on the model disclosures published by the CFPB under the rule if recent changes to the rule are not reflected in sample TRID rule forms published by the CFPB.

Credit Report Alerts (Section 301). The bill would amend the Fair Credit Reporting Act (FCRA) to require consumer reporting agencies to keep a fraud alert requested by a consumer in the consumer’s file for at least one year and allow a consumer to have one free freeze alert placed on his or her file every year and remove that alert free of charge.  Consumer reporting agencies would also have to provide free freeze alerts requested on behalf of a minor and remove such alerts free of charge.

Credit Reports of Military Veterans (Section 302). The bill would amend the FCRA to require consumer reporting agencies to exclude from credit reports certain information relating to medical debts of veterans and would establish a dispute process for veterans seeking to dispute medical debt information with a consumer reporting agency.

Protection of Seniors (Section 303). The bill would, subject to certain conditions, provide immunity from civil or administrative liability to individuals and financial institutions for disclosing the suspected exploitation of a senior citizen to various government agencies, including state or federal financial regulators, the SEC, or a law enforcement agency.

Cyber Threats (Section 501). The bill would require the Secretary of the Treasury to submit a report to Congress on the risks of cyber threats to financial institutions and U.S. capital markets that includes an analysis of how the appropriate federal banking agencies and the SEC are addressing such risks.  The report must also include Treasury’s recommendation on whether any federal banking agency or the SEC “needs additional legal authorities or resources to adequately assess and address material risks of cyber threats.”  (We note that for several years, the FTC has been calling for such additional authority, specifically in the form of rulemaking authority.  Due to the limitations of the Banking Committee’s jurisdiction, the bill’s provision focuses exclusively on the federal banking agencies, and gives no recognition to the important role of the FTC, which is under the Senate Commerce Committee’s jurisdiction, in addressing cyber threats.)

We will be publishing another blog post in the near future about other provisions of the bill that may be of interest to our blog readers.

The CFPB has published the following notices in today’s Federal Register:

  • Request for Information. Through the RFI, the CFPB seeks to learn more about consumers’ experience with access to free credit scores and the experience of companies and nonprofit credit and financial counseling providers offering their customers and the general public such access.  According to the CFPB, it will use the information gathered through the RFI to identify educational content that is providing the most value to consumers, to identify additional content the CFPB and others could develop to increase consumer understanding of credit reports and scores, and to gain a broader understanding of industry practices that best support educating consumers.  In addition to consumers and consumer advocacy groups, the interested members of the public from whom the CFPB encourages comments include credit card companies and other lenders.  Comments must be received on or before February 12, 2018 to be assured consideration.
  • Update to Free Credit Score Access List. In March 2017, the CFPB published a list of companies that had told the CFPB they offered existing credit card customers access to a free credit score.  In the notice, the CFPB states that it plans to update this list and provides criteria credit card issuers must meet to be included in the list. Companies that were included in the March 2017 list must submit a new entry to be included on the updated list.  The CFPB also states that it is considering whether to expand its list of companies offering free credit reports to include companies in other markets.  Companies that offer consumers access to free credit scores and meet the same criteria it uses for card issuers are invited to contact the CFPB if they would like to be included in a possible list.  Comments must be received on or before January 12, 2018 to be assured of consideration.

 

An Assistant Illinois Attorney General, in a letter sent to Experian’s CEO on behalf of the Illinois AG and the AGs of 35 other states and the District of Columbia, has asked Experian not to charge any credit freeze-related fees.

In the letter, which references the recent Equifax data breach, the Assistant Illinois AG notes that seven states currently prohibit consumer reporting agencies from charging fees to place a credit freeze and at least two others have introduced legislation that would require CRAs to offer free credit freezes.

In addition to Illinois, the other states joining the letter were: Arkansas, Colorado, Delaware, Florida, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Utah, Vermont, Virginia, Washington, Wisconsin, and Wyoming.

 

The cities of Chicago and San Francisco and the Massachusetts Attorney General have filed the first enforcement actions against Equifax following the announcement of a data breach affecting an estimated 143 million consumers.  Equifax announced the data breach on September 7, 2017, after hackers allegedly exploited a vulnerability in open-source software used by Equifax to create its online consumer dispute portal.

The first suits were filed on September 26th by the Massachusetts Attorney General and San Francisco.  Massachusetts’s complaint was filed in Superior Court in Suffolk County and alleges that Equifax knew or should have known about the vulnerability and that hackers were attempting to exploit it, but that Equifax failed to take known and available measures to prevent the breach.  Massachusetts asserts claims for violations of the Massachusetts data privacy statute and the Massachusetts Consumer Protection Act prohibiting unfair and deceptive practices based on Equifax’s alleged failure to give timely notice of the breach, failure to safeguard personal information, and failure to take other actions that Equifax was uniquely positioned to provide that would have mitigated damages to Massachusetts consumers.  The Massachusetts Attorney General is seeking unspecified civil penalties, disgorgement of profits, restitution, costs and attorney’s fees.

San Francisco’s complaint, filed in the Superior Court of San Francisco, asserts claims under the California Business and Professions Code for unlawful, unfair or fraudulent business practices, alleging that Equifax failed to maintain reasonable security practices and procedures, failed to provide timely notice of the security breach, and failed to provide complete, plain and clear information when notice was provided.  The lawsuit seeks restitution for all California consumers, civil penalties up to $2,500 per violation of law, costs, and a court order requiring Equifax to implement and maintain appropriate security procedures in the future.

Finally, the City of Chicago filed suit on September 28th in Cook County Circuit Court and asserts claims arising under both state law and city ordinance.  Specifically, Chicago alleges Equifax violated a local ordinance prohibiting fraudulent, unfair, and deceptive business practices, as well as the Illinois Consumer Fraud and Deceptive Business Practices Act.  Chicago’s claims are based on allegations that Equifax failed to give prompt notice of the breach, failed to safeguard personal information, and deceived consumers by requiring them to waive their legal rights in exchange for credit monitoring services and by misrepresenting that the offered credit monitoring was free.  Chicago seeks civil monetary penalties in the amount of $10,000 for each day a violation has existed that involves a Chicago resident, restitution, and injunctive relief requiring Equifax to maintain adequate security measures to prevent data breaches.

These are likely just the first of many lawsuits to be filed against Equifax by state and local officials.  Further action at both the federal and state level seems all but certain.  For example, the Federal Trade Commission and Department of Justice have confirmed they are investigating the breach, and the New York Department of Financial Services confirmed that it recently issued a subpoena to Equifax for more information about the breach.  This vigorous and immediate government enforcement effort further supports our position that private class action lawsuits are an unnecessary and inappropriate tool for vindicating any harm caused by the data breach.  We will continue to follow these significant cases and update you as events unfold.