CURRENT MONTH (November 2022)
CFPB Director Chopra Questions Large Bank Living Wills in FDIC Statement
On November 22, 2022, Consumer Financial Protection Bureau Director Rohit Chopra issued a statement in his capacity as an FDIC board member regarding the living wills of some of the country’s largest financial institutions. Director Chopra opined that “[i]t is highly unlikely that any of these institutions, as currently constituted, could be resolved in a rapid and orderly manner under the bankruptcy code.” Chopra also questioned:
- “whether there are adequate safeguards to ensure the board members at these institutions will file for bankruptcy at the appropriate time”;
- whether the institutions “would be able to obtain adequate financing for an orderly court-supervised bankruptcy due to their size, complexity, and the magnitude of their short-term financing needs”; and
- whether “the unprecedented strategy of self-financing the bankruptcy would be successful.”
In light of these concerns, Director Chopra called on the FDIC to evaluate the institutions’ 2023 plans “using the appropriate legal standard and with sufficient rigor.”
Repercussions of the Fifth Circuit’s Decision to Vacate the CFPB’s Payday Lending Rule as Unconstitutional
In Community Financial Services Association of America Ltd. (CFSA) v. Consumer Financial Protection Bureau (CFPB), the Fifth Circuit held that the CFPB’s independent funding mechanism is unconstitutional and, thus, vacated its payday lending rule. The Fifth Circuit ruled that the CFPB’s independent funding mechanism was Congress giving up its power under the Appropriations Clause of the Constitution, thus violating this clause and the separation of powers doctrine. The CFPB recently petitioned the Supreme Court for a writ of certiorari to appeal this decision, but in the meantime, this opinion has had an immediate impact on other federal actions involving the CFPB.
One such action is CFPB v. Populus Financial Group, Inc., d/b/a ACE Cash Express. The CFPB seeks damages, injunctive relief, and other penalties against ACE, a payday lender, for alleged unfair and deceptive practices. After CFSA, the District Court in ACE stayed the action until the Fifth Circuit issued a mandate following its decision. Both parties agreed to a stay following the decision because it controls the issue of the appropriateness and constitutionality of the CFPB’s independent funding mechanism raised by ACE’s motion to dismiss. The District Court intends to resume this case after the mandate, as it ordered the parties to report within forty-five days on how the parties will proceed.
The Fifth Circuit’s decision also impacted Integrity Advance v. CFPB, an appeal in which the Tenth Circuit had affirmed a $38.4 million order against Integrity. The Tenth Circuit rejected Integrity’s argument that the CFPB’s structure was unconstitutional, holding that even if it was, Integrity did not point to any harm from this structure. Integrity submitted the CFSA decision as supplemental authority for its petition for rehearing, arguing it showed that the CFPB’s suit should have been dismissed. The CFPB responded that Integrity was barred from raising CFSA and that CFSA was mistaken, as the funding for the CFPB was not in violation of the Appropriations Clause. The Tenth Circuit, in a short order, denied Integrity’s petition for rehearing without deciding the issue posed by CFSA.
CFPB Issues Advisory Opinion on Credit Reporting Facially False Data
The CFPB recently issued an Advisory Opinion, “Fair Credit Reporting; Facially False Data,” to remind consumer reporting agencies (“CRAs”) that the failure to maintain reasonable procedures to screen for and eliminate logical inconsistencies, to prevent the inclusion of facially false data in consumer reports, is a violation of their FCRA obligation to “follow reasonable procedures to assure maximum possible accuracy.” The CFPB expressed concern about high rates of inaccuracies on consumer reports. The CFPB provided examples of information that it believes should be removed from consumer reports, including:
- Accounts with a paid in full status with a balance due
- Accounts with an “Original Loan Amount” that increases over time
- Derogatory information being reported on an account, although that derogatory information predates an earlier report that did not include the derogatory information
- Illogical reporting of a date of first delinquency
- A date of first delinquency reported for an account whose records reflect no delinquency, such as through activity reflecting a current account (complete history of timely payments, $0 amount overdue)
- A date of first delinquency that postdates a charge-off date
- A date of first delinquency, or date of last payment, that predates the account open date (for non-collection accounts)
- Impossible information about consumers—for example, an individual account that predates that consumer’s listed date of birth
- Information such that one piece of information must be inaccurate—for example, if every other tradeline is reporting ongoing payment activity, while one tradeline contains a “deceased” indicator
The CFPB noted that CRAs risk liability for a willfully violating the FCRA if they fail to provide reports incorporating the findings of this Advisory Opinion, regardless of whether the CRAs were previously liable for willful violations prior to its issuance.
CFPB Launches Section 1033 Rulemaking
By Dailey Wilson, Hudson Cook, LLP
On October 27, 2022, the Consumer Financial Protection Bureau officially launched its Section 1033 rulemaking process. Section 1033 of the Dodd-Frank Act gives consumers the right to access their financial information and requires the CFPB to adopt a rule regarding such data access. The CFPB began the rulemaking process by issuing an Outline of Proposals and Alternatives Under Consideration for the rulemaking on personal financial data rights. The CFPB is soliciting feedback from small entity representatives on various topics, including:
- coverage of data providers who would be subject to the proposals under consideration;
- recipients of information, including consumers and authorized third parties;
- the types of information that would need to be made available;
- how and when information would need to be made available, including information made available to consumers directly and to third parties authorized to access information on their behalf;
- third party obligations;
- record retention obligations; and
- implementation period.
The CFPB will seek feedback from small entities on the outline. Input received from the small entities will be considered as the CFPB develops a proposed rule. Other stakeholders may submit written feedback on the CFPB’s outline no later than January 25, 2023.
Bureau and New York Reach Settlement Regarding 9/11 First Responder Victim Compensation Fund Cash Advances
On November 23, 2022, the Consumer Financial Protection Bureau and the New York Attorney General announced a proposed settlement of a 2017 lawsuit against RD Legal Funding, associated entities, and its founder. The Bureau and New York had alleged that the defendants engaged in deceptive and abusive practices related to high-interest cash advances. These advances were issued to, among others, claimants from victim settlement funds established for first responders to the September 11, 2001, terror attack.
The settlement resolves allegations that the defendants misrepresented, in violation of the Consumer Financial Protection Act prohibition on deceptive acts and practices,
- that their contracts with consumers were valid and enforceable assignments;
- that their services would speed up the disbursement of a consumer’s settlement award; and
- when consumers would receive funds from defendants.
In addition, Defendants allegedly collected on contracts that were void under state law and violated New York usury and consumer protection laws.
Under the terms of the proposed settlement, the defendants will provide debt relief of more than $600,000, pay a $1 civil money penalty, and be barred from future dealings with certain victim compensation funds. This Thanksgiving-eve settlement was a quiet end to a case that took more than five years to resolve, and began with then-CFPB Director Richard Cordray alleging that the Defendants “scammed 9/11 heroes with cancer and other illnesses out of millions of dollars.”
Carrington Mortgage Services Pays $5.25 Million Fine for Violating CARES Act Mortgage Protections
On November 17, 2022, the CFPB entered into a consent order with Carrington Mortgage Services (“Carrington”) regarding the company’s alleged violations of pandemic-era housing protections established by the 2020 CARES Act. Under the CARES Act, homeowners with federally backed mortgage loans who encountered financial hardship as a result of the COVID-19 pandemic were entitled to request up to 180 days of forbearance on their mortgage payments. The Bureau alleges that, in violation of the CARES Act, Carrington wrongly collected late payments from homeowners during their forbearance period, provided homeowners false information about CARES Act protections, and furnished information to consumer reporting agencies suggesting that homeowners in forbearance were delinquent on their payments. The Order requires Carrington to pay redress to affected consumers, establish internal controls intended to prevent future violations of the CARES Act, and pay a $5.25 million civil monetary penalty to be deposited into the CFPB’s victims relief fund.
This was the first CFPB enforcement action in a month, and Carrington Mortgage Services is the first company to agree to a CFPB Consent Order since the Fifth Circuit ruled that the Bureau’s funding mechanism was unconstitutional in CFSA v. CFPB.
CFPB Issues Fall Supervisory Highlights Report
On November 16, 2022, the CFPB issued its Fall Supervisory Highlights Report. The Report outlines patterns of allegedly illegal activity the Bureau discovered during the first half of 2022 while examining companies within its supervisory jurisdiction. The Bureau reported the following concerns:
- consumer reporting agencies failing to report the outcome of consumer complaints regarding inaccuracies in their credit reports to the CFPB;
- furnishers failing to correct known inaccuracies in information provided to consumer reporting agencies;
- mortgage servicing companies collecting phone payment fees when accepting homeowners’ mortgage payments without the homeowner’s knowledge or consent; and
- auto lenders failing to provide refunds due in connection with optional “add-on” products.
The Report highlights remedial efforts the Bureau required the companies to take, including paying consumers restitution and revamping policies and procedures to align their practices with relevant legal requirements.
CFPB Issues Reports on Issues with Tenant Screening Companies
On November 15, 2022, the CFPB issued a press release that summarizes the findings of two new reports on the tenant background screening industry. The press release highlights the Bureau’s five key takeaways from the reports, including that, according to the CFPB, tenant background check content has questionable relevance for landlords, and that renters generally pay for the background checks but frequently do not see them and have difficulty getting errors corrected. In remarks accompanying the release, CFPB Director Rohit Chopra noted that the agency is “taking steps to ensure these reports do not contain false information.”
CFPB Director Rohit Chopra Bearish on Crypto
On November 17, 2022, CFPB Director Rohit Chopra delivered a speech to the Financial Literacy and Education Commission outlining his views on the FTX bankruptcy and crypto’s impact on consumers. The speech pointed to FTX’s failure as an example of the types of harms cryptocurrency poses to consumers, and it noted that several other crypto-asset firms have frozen customer assets and failed. Chopra also noted that cryptocurrency is being increasingly used in financial fraud.
Although Chopra recognized that most of the crypto-asset ecosystem involves speculative trading that sits outside of the Bureau’s regulatory jurisdiction, he indicated that the CFPB is closely monitoring the crypto industry, through consumer complaints in particular, given the potential for stablecoins and other digital assets to make inroads into consumer payments.
CFPB Publishes Final Rule on the Supervision of Nonbank Entities
On November 10, 2022, the Bureau issued a Final Rule describing the process by which it will expand and exercise its supervisory authority over nonbanks. Under the Consumer Financial Protection Act (“CFPA”), the Bureau may decide to supervise nonbank entities that the Bureau reasonably determines are engaging, or have engaged, in conduct that poses a risk to consumers through the offering or provision of consumer financial products or services. The Bureau’s new procedural rules, codified at 12 CFR part 1091, will govern the Bureau’s determinations as to whether a nonbank entity should be subject to the Bureau’s supervision under the CFPA.
In April of 2022, the Bureau amended these procedural rules to allow the CFPB Director to make public, in whole or in part, the Bureau’s decision to supervise a nonbank entity. The Bureau took the position that this amendment was not subject to the notice-and-comment requirements of the Administrative Procedure Act, and therefore became effective upon publication. However, the Bureau invited public comments on the amendment after it became effective.
The Final Rule, which became effective upon publication in the Federal Register, makes a few changes to the amendment in light of public comments. For example, the Final Rule confirms that the Bureau will not release information that falls within the Freedom of Information Act’s exemptions for confidential commercial information and personal information. Additionally, the Final Rule extends to ten business days the amount of time that respondents in such proceedings have to object to, or provide input on, the CFPB Director’s decision to make public the Bureau’s determination to supervise a nonbank entity.
CFPB Releases Circular on Investigation Practices by Consumer Reporting Companies
On November 10, 2022, the Bureau released a Consumer Financial Protection Circular on the Reasonable Investigation of Consumer Reporting Disputes. The Circular focuses on two topics. The first topic is whether consumer reporting agencies and furnishers may require, as a precondition to investigating a dispute, that consumers submit documentation that is not required under current law, such as a recent copy of the consumer’s credit report or a proprietary dispute form. The Bureau asserts that these practices do not comply with the duty of consumer reporting agencies and furnishers under the Fair Credit Reporting Act to investigate disputes, adding that “[e]nforcers may consider bringing an action” in this context.
The second topic is the degree to which consumer reporting agencies are required to provide furnishers with copies of documents that a consumer attached to their dispute. Noting that consumer reporting agencies increasingly rely on electronic communication systems to send information about disputes to furnishers, the Bulletin reminds consumer reporting agencies that they have a statutory obligation to promptly provide furnishers with “all relevant information” regarding a dispute, and that this obligation might require that a consumer agency send copies of documents attached to a dispute to a furnisher. The Bureau notes that an attached document (e.g., a bill) might convey information about the veracity of a dispute that data alone would not capture.
In a news release accompanying the Circular, CFPB Director Chopra added, “One wrong piece of information on a person’s credit report can have destructive consequences that follow a consumer for years. . . . Companies that fail to properly address consumer disputes in accordance with the law may face serious consequences.”
FTC Extends Effective Date of Safeguards Rule Amendments to June
The Federal Trade Commission (FTC) has announced that the effective date for the new substantive information security requirements in the revised Safeguards Rule has been extended from December 9, 2022, to June 9, 2023. The FTC extended the deadline after receiving feedback that financial institutions have a shortage of qualified personnel to implement the required information security programs. In addition, the FTC recognized that supply chain issues may lead to delays in covered entities obtaining the equipment necessary to upgrade security systems and implement the changes.
New requirements under the amended rule that have caused covered entities particular implementation issues are those related to multi-factor authorization and protecting customer information through encryption. Because of these challenges, the FTC stated that the circumstances “may make it difficult for financial institutions, especially small ones, to come into compliance by the deadline.”
By way of background, the Safeguards Rule generally requires non-banking financial institutions to implement, maintain, and develop a security program to safeguard customer information. The Safeguards Rule amendments build on the requirements under the original rule with respect to the following areas:
Qualified Responsible Individual and Periodic Reports. A covered entity must designate a qualified individual responsible for overseeing, implementing, and enforcing its information security program. The qualified individual may be employed by the covered entity, an affiliate, or a service provider. The entity must also require its qualified individual to submit a written report, regularly and at least annually, to the entity’s board of directors or equivalent governing body, with certain required information.
Risk Assessments. A covered entity must base its information security program on a written risk assessment that includes certain required elements. An entity must also periodically perform additional risk assessments that reexamine reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
In addition, an entity must design and implement specific safeguards to control the identified risks, including by: (1) implementing and reviewing access controls; (2) identifying data, personnel, and other factors that enable the entity to achieve business purposes; (3) protecting all customer information by encryption (or if encryption is not feasible, through effective alternative controls); (4) adopting secure development practices; (5) implementing multi-factor authentication (or if not feasible, reasonably equivalent controls); (6) developing procedures for the secure disposal of customer information generally no later than two years after the last date the information is used; (7) adopting procedures for change management; and (8) implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of information by such users.
Testing and Monitoring of Safeguards. A covered entity must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. Information system monitoring and testing must include continuous monitoring or periodic penetration testing and vulnerability assessments.
Policies and Procedures. A covered entity must implement policies and procedures to ensure that personnel are able to enact the entity’s information security program by: (1) providing personnel with security awareness training; (2) using qualified information security personnel; (3) providing information security personnel with security updates and training; and (4) verifying that key information security personnel take steps to maintain current knowledge of changing threats.
Overseeing Service Providers. The amendments add a requirement related to periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards.
Incident Response Plan. A covered entity must establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the entity’s control. The incident response plan must include a number of different requirements as listed in the amended rule.
Overall, while the amended rule imposes additional requirements and presents implementation burdens, it also provides covered entities with more guidance regarding how to develop and implement specific aspects of their overall security program.
White Collar Crime
Theranos Founder Elizabeth Holmes Sentenced for Scheme to Defraud
By Joseph Mayo, LL.M. Candidate at New York University School of Law
Theranos, Inc., a private health care and life science company founded by Elizabeth Holmes in 2003 and operated by Holmes, claimed that Theranos had developed a technology for collecting and analyzing critical blood tests, using only a tiny drop of blood from the patient’s finger, and running it through the company’s Sample Processing Unit known as a miniLab or Analyzer.
According to the third superseding indictment filed against Holmes and Ramesh “Sunny” Balwani on July 28, 2020, Holmes and Balwani, who had served in various roles at Theranos, including as a member of its Board of Directors, as its President, and as its Chief Operating Officer, made false statements toward potential investors. In one instance, Holmes announced that the Theranos technology could “run any combination of tests, including sets of follow-on tests” very quickly, from a single micro-sample, without disclosing the company’s Analyzer had significant accuracy problems. In other instances, Holmes and Balwani presented financial models by which Theranos would generate $1 billion in revenue by 2015, while in fact, it would roughly generate modest hundreds of thousands.
On January 3, 2022, Holmes was found guilty for her part of the scheme on one count of conspiracy to commit wire fraud and three counts of wire fraud, all concerning more than $140 million invested by three investors—healthcare investor Brian Grossman, former U.S. Education Secretary Betsy DeVos, and estate lawyer Daniel Mosley.
On November 18, 2022, U.S. District Judge Edward Davila sentenced Holmes to eleven years and three months in prison, and an additional three years of supervision following release from prison. A hearing to determine the restitution amount to be paid by Holmes is yet to be scheduled. No fine was assessed.
Balwani was found guilty of all twelve charges against him, and a sentencing hearing is scheduled for December 7, 2022.