CURRENT MONTH (August 2021)
FFIEC Issues New Guidance on Authentication and Access to Financial Services and Systems
By Eric Mogilnicki & Uttara Dukkipati, Covington & Burling LLP
On August 11, 2021, the Federal Financial Institutions Examination Council (“FFIEC”) issued guidance to provide financial institutions with examples of effective risk management principles and practices for access and authentication. As described by the FFIEC, “These principles and practices address business and consumer customers, employees, and third parties that access digital banking services, and financial institution information systems.” The guidance acknowledges “significant risks associated with the cybersecurity threat landscape,” including increased remote access, that reinforce the need for financial institutions to effectively authenticate users and customers to protect information systems, accounts, and data. The guidance emphasizes the importance of the financial institution’s risk assessment to determine appropriate access and authentication practices.
The guidance indicates that appropriate access and authentication practices could include the adoption of layered security and multi-factor authentication or controls of equivalent strength. The guidance also includes examples of other authentication controls and a list of government and industry resources and references to assist financial institutions with authentication and access management.
CFPB Argues in Court for Reinstatement of Short-Form Fee Disclosure Requirements of Prepaid Rule
By Eric Mogilnicki & Graves Lee, Covington & Burling LLP
On August 16, 2021, the Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) filed a brief in ongoing litigation over portions of its 2016 Prepaid Rule. The Rule, which implements parts of the Electronic Fund Transfer Act (“EFTA”) and the Truth in Lending Act, imposes requirements on prepaid cards and digital wallets, including by prescribing detailed disclosure requirements for account fees and other information, in both short- and long-form formats. Following the Rule’s effective date, PayPal sued in federal court in 2019, seeking to have the short-form rules struck down as inconsistent with EFTA. PayPal also sought to strike down a provision of the Rule imposing a 30-day waiting period before a newly registered account can be linked to a line of credit on the basis that it was a substantive restriction that could not be based in the disclosure provisions of the Truth in Lending Act.
Late last year, a federal judge in Washington, D.C. granted summary judgment to PayPal, invalidating both the short-form rules and the credit linking waiting period. Since then, the Bureau has sought review in the U.S. Court of Appeals for the D.C. Circuit of only the decision to invalidate the short-form disclosure rules (but not the credit linking waiting period). This new brief urges the D.C. Circuit to reverse the district court ruling, arguing that the short-form fee disclosures do not run afoul of EFTA’s model clause provisions because the Prepaid Rule does not mandate any specific clauses, but instead states the type of information to be disclosed and provides optional model language. Oral argument in the case has not yet been scheduled.
Bureau Releases Report on Mortgage Servicers’ COVID-19 Pandemic Responses
By Eric Mogilnicki & Uttara Dukkipati, Covington & Burling LLP
On August 10, 2021, the Bureau released a report, “Mortgage Servicing COVID-19 Pandemic Response Metrics: Observations from Data Reported by Sixteen Servicers” and a blog post, “Mortgage Servicers’ Pandemic Response Varies Significantly.” Both highlighted the Bureau’s finding that some servicers struggled to assist borrowers. For example, while certain servicers managed to handle high call volume with an average hold time below three minutes, others kept borrowers waiting for as long as 26 minutes. The Bureau asked that servicers compare the report’s findings to their internal metrics to “identify opportunities for, and demonstrate concrete efforts toward, improvement.” Acting Director Uejio also said, “Today’s report should inform servicers’ own data reviews as they determine whether they are doing enough for borrowers. Servicers who find themselves at the bottom of the pack should immediately take corrective steps. The CFPB will hold accountable those servicers who cause harm to homeowners and families.”
In addition to call metrics, the CFPB indicated that it is monitoring: pandemic forbearance exit metrics; delinquency metrics; borrower profile metrics (to determine how servicers track borrowers’ race and limited English proficiency status); and pandemic assistance enrollment metrics. The blog post also reminded servicers of the amended Mortgage Servicing Rules that take effect August 31, 2021.
Seventh Circuit Reverses Dismissal of TCPA Claim Founded on Agency and Holds That Agent’s Conduct Subjects Principal to Personal Jurisdiction
By Jim Morrissey, Pilgrim Christakis LLP
In Bilek v. Federal Insurance Company, the Seventh Circuit reversed the dismissal of claims under the Telephone Consumer Protection Act (“TCPA”) and Illinois Automatic Telephone Dialing Act and found that the plaintiff sufficiently alleged that “lead generators” who placed the calls were the defendants’ actual agents. Specifically, the plaintiff alleged that “Federal Insurance Company contracted with Health Insurance Innovations to sell its insurance; Health Insurance Innovations hired lead generators to effectuate telemarketing; and the lead generators made the unauthorized robocalls.”
Regarding Federal Insurance Company, the plaintiff claimed that it “authorized the lead generators, through Health Insurance Innovations, to use its approved scripts, tradename and proprietary information to solicit and advertise its health insurance.” Notably absent is any suggestion that Federal Insurance Company directly contacted the lead generators or that it “controlled the timing, quantity, and geographic location” of the calls. Although the court noted that actual authority requires that the agent act “in accordance with the principal’s manifestations to the agent,” it nonetheless found that the “minute details of the parties’ business relationship are not required to allege a plausible agency claim.” And since the allegations suggested that the lead generators placed the calls “on Federal Insurance Company’s behalf,” the plaintiff plausibly alleged that it had “authorized the lead generators to act on its behalf and subject to its control.”
For the same reasons, the court found that the lead generators were also agents of Health Insurance Innovations. And as a matter of first impression, the court “explicitly held” that an agent’s conduct is attributable to the principal for purposes of specific personal jurisdiction. Hence, the plaintiff’s claim that the lead generators called him in Illinois was sufficient to subject Health Insurance Innovations to personal jurisdiction in Illinois.
California DFPI Proposes Regulations Governing Providers of Small Business Finance
By Catherine M. Brennan & Katherine C. Fisher, Hudson Cook, LLP
On August 18, 2021, the California Department of Financial Protection and Innovation (“DFPI”) released draft regulations and an invitation for comments under the California Consumer Financial Protection Law (“CCFPL”). The CCFPL gives the DFPI authority to define and enforce a new “abusive” standard against providers of small business finance. The proposed regulations would require providers of small business finance to annually report the cost of financing to the DFPI. Section 90009.2(b) of the proposed regulations states:
(b) Each person engaged in the business of offering or providing commercial financing or other financial products or services to a small business, nonprofit, or family farm shall report the following information regarding activity within this state for the calendar year preceding the due date of the report.
(1) The person’s contact and organization identification information.
(2) By type of commercial financing or other financial products or services, the person’s total number and total dollar amount of transactions in this state for the prior calendar year with small businesses, nonprofits, and family farms.
(3) By type of commercial financing or other financial products or services, the person’s total number [of] transactions in this state for the prior calendar year with small businesses, nonprofits, and family farms for financing over $100,000, over $50,000 but under $100,000, over $25,000 but under $50,000, over $10,000 but under $25,000, and at or less than $10,000.
(4) On or after the operative date for the regulations under Financial Code section 22804, for the commercial financing data reported under paragraph (3) of this subdivision, the minimum, maximum, average, and median total dollar cost of the financing at each interval set forth in paragraph (3).
Because commercial loans made by a CFL licensed lender and revenue-based finance transactions have no statutory interest rate limit, the DFPI may be gearing up to make the argument that high-cost financing products are “abusive.”
Comments on the proposed regulations are due by September 17, 2021.
What Does New Orleans’ Proof of Vaccination Requirement Mean for Employers?
By Christine Tenley, McGlinchey Stafford, PLLC
On August 12, 2021, New Orleans became one of the first cities nationwide to implement a COVID-19 proof-of-vaccination mandate, effective August 16, 2021. The New Orleans mandate requires individuals to show proof of vaccination (or a recent negative COVID test) before they can enter various establishments, including bars, restaurants, concert venues, and sports arenas.
Implicit in this mandate is a requirement for employees working in these various businesses to show proof of vaccination to continue work.
New Orleans Mayor LaToya Cantrell has also advised that enforcement of the new mandate will begin on August 23, 2021, one week after its effective date, and that any attempts to provide false documentation will be dealt with swiftly and harshly.
The deadly Delta variant and rising coronavirus cases in New Orleans have led to this mandate, which adds yet another layer of compliance to already strained service industry businesses.
Businesses are now required to properly train employees and assign employees to screen patrons at the door before they are allowed to enter the establishment. Businesses should also prepare compliance procedures in the event that employees encounter patrons who refuse to comply with the proof of vaccine mandate. Business owners have a legal obligation to keep employees safe. They now have the added legal obligation to ensure everyone who is in their establishment has shown proof of vaccination.
These are certainly challenging times for service industry businesses as they recover from the impact of the 2020 lockdowns and maintain full staffing levels.