Last Week, This Morning

September 16, 2024

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)¹" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

National Bank Settles Allegations that it Furnished Information to CRAs in Violation of FCRA

On September 11, the Consumer Financial Protection Bureau issued a consent order against a national bank, resolving allegations that the bank furnished information to consumer reporting agencies in violation of the Fair Credit Reporting Act and the Consumer Financial Protection Act.

Specifically, the CFPB alleged that the bank furnished inaccurate or incomplete information to CRAs about consumers' credit card accounts. According to the CFPB's allegations, the bank and a third-party debt collector entered into an agreement under which the bank assigned the company the right to collect on a portfolio of charged-off credit card accounts. The debt collector sent the bank a monthly file showing the payments made by consumers, but the bank allegedly failed to enter that data into its system. As a result, according to the allegations, consumers' payments were not reflected when the bank furnished information to the CRAs concerning those accounts, including in instances in which consumers had settled or paid their accounts in full. The CFPB also alleged that the bank inaccurately reported the date of first delinquency ("DOFD") when it charged off certain credit card accounts by using the charge-off date as the DOFD, which allegedly made a delinquency on a consumer's account look as though it had occurred more recently than it had, in fact, occurred. According to the CFPB's allegations, this could result in the delinquent information staying on the consumer's report longer than it should. In addition, it is alleged that the bank inaccurately calculated the commencement of the delinquency for purposes of the DOFD based on the cycle date of the account (when a new billing cycle begins) rather than the account due date, when a customer's monthly payment is due. The CFPB also alleged that the bank inaccurately furnished the account status of certain credit card accounts that had been voluntarily closed as current and open, rather than paid or closed with zero-dollar balances, as well as inaccurately furnished the date accounts were closed.

Next, the CFPB alleged that the bank furnished inaccurate or incomplete information to CRAs about the bankruptcy status of consumers' credit card accounts. First, the bank allegedly furnished the accounts without indicating the status of the accounts in bankruptcy, such as petition filed, discharged, dismissed, or withdrawn, and failed to promptly correct the account information after it identified the issue. Second, the bank allegedly failed to accurately furnish the correct bankruptcy chapter for certain accounts that had been discharged through bankruptcy. Third, the CFPB alleged that data concerning certain credit card accounts in a discharged status was furnished repeatedly for several months, rather than only in the month in which the discharge occurred, thereby indicating to creditors or other users of the furnished information that a bankruptcy discharge occurred more recently than it, in fact, occurred.

The bank also allegedly furnished information to CRAs about deposit accounts that it knew or suspected were fraudulent and then allegedly failed to promptly correct inaccuracies in the deposit account information it furnished.

Finally, the CFPB alleged that the bank did not have sufficient processes in place to investigate consumers' disputes, failed to conduct reasonable and timely investigations of consumers' disputes, and failed to properly notify consumers after deeming a dispute frivolous or irrelevant.

The bank did not admit any of the allegations. The consent order requires the bank to pay $7.76 million in redress to affected consumers and a $20 million penalty to the CFPB's victims relief fund.

Amicus brief(ly): The CFPB's overstated announcement of this consent order frames another financial services provider as a villain. The spun-up press release distracts from some important takeaways for furnishers trying to do consumer reporting correctly. There are allegations (which, it is worth repeating here, the bank did not admit) in the consent order that the bank did not furnish certain information accurately, that its investigations of consumer disputes were slow at times, and that it did not update information submitted to the CRAs once it became aware of account-opening fraud. Among those allegations are useful compliance notes for furnishers to compare to their data furnishing accuracy-and-integrity policies in order to tighten them up. We recommend skipping the press release and diving into the allegations here for those compliance notes.

FHFA Releases Mortgage Loan and Natural Disaster Dashboard

On September 9, the Federal Housing Finance Agency released an online tool - the Mortgage Loan and Natural Disaster Dashboard - that provides financial institutions and other stakeholders with information on which areas of the country are most likely to incur greater damages from various types of natural disasters, such as hurricanes, flooding, and wildfires, and which of those areas have concentrations of properties financed with loans acquired by Fannie Mae, Freddie Mac, and the Federal Home Loan Banks. FHFA Director Sandra L. Thompson states in the agency's press release that "[p]roviding geographic information on disasters as well as concentrated exposures of loans acquired by our regulated entities can help policymakers and the industry develop solutions to better safeguard those communities from the impact of future catastrophes."

The dashboard uses data from three publicly available sources: (1) the FHFA's Public Use Database, which provides a geographic breakdown of loans acquired by FHFA's regulated entities; (2) the Federal Emergency Management Agency's National Risk Index, which identifies communities most at risk for 18 types of natural hazards; and (3) the FHFA's Duty to Serve Eligibility Data, which identifies rural areas that are characterized by a high concentration of poverty and substandard housing conditions.

Amicus brief(ly): This is a helpful tool for servicers whose servicing efforts tend to be impacted by national disasters when they occur. Federal regulators are good about announcing relief for consumers affected by such natural disasters and encouraging lenders and servicers to be accommodating. And for servicers of government-backed loans, there is typically relief from the rigorous servicing requirements imposed in connection with those government loan programs. With this tool, servicers can use the data on the high-impact areas and information about the communities living in those areas to build tailored financial hardship programs designed to help consumers manage their affairs through the difficult recovery process. This announcement is timely considering that the East Coast hurricane season is just getting started.

California Privacy Protection Agency Issues Advisory on Avoiding Dark Patterns When Offering Consumers Privacy Choices

The California Privacy Protection Agency recently issued an advisory on how businesses can avoid using "dark patterns" when designing and implementing methods for obtaining consumers' consent to use their personal information or for consumers to opt out of the sale or sharing of their personal information. The California Consumer Privacy Act and its implementing regulations use the term "dark patterns" to refer generally to user interfaces that have the substantial effect of subverting or impairing a consumer's autonomy, decision-making, or choice when asserting their privacy rights or providing consent. In the advisory, the enforcement division of the CPPA reminds businesses that, to avoid dark patterns, they should "carefully review and assess their user interfaces to ensure that they are offering symmetrical choices and using language that is easy for consumers to understand when offering privacy choices. This includes user interfaces that businesses deploy through service providers, such as consent management platforms." The advisory describes a symmetrical choice as one in which the path to exercise a more privacy-protective option is not longer, more difficult, or more time consuming than the path to exercise a less privacy-protective option. The advisory illustrates the principle of symmetrical privacy choices by providing examples found in the CCPA's regulations.

Amicus brief(ly): This enforcement advisory from the CPPA underscores its message that consumers in California need to be in control of the use of their data. There are familiar tones in the advisory reminding providers that consumers need to give their informed consent before the provider can sell or share their data, and that the CPPA will be looking over consent forms to make sure they are easy to understand and use. If there is something misleading or confusing about the consent such that it does not look like the consumer had full, clear, simple information about the consent she was providing, then the consumer may not have actually given consent. Informed consent is definitely a theme in evolving consumer privacy choice laws, and California is making its stance clear in this advisory.

CFPB Reaches $120 Million Stipulated Settlement with National Student Loan Servicer and Imposes Ban

On September 12, the Consumer Financial Protection Bureau filed a proposed stipulated judgment and order against a national student loan servicer and its corporate owner, as well as another subsidiary of the owner that principally engages in debt collection, to resolve allegations that the defendants violated the Consumer Financial Protection Act, the Fair Credit Reporting Act, and the Fair Debt Collection Practices Act. The servicer had been the servicer for federal and private student loans for more than 12 million borrowers.

The CFPB's complaint, filed on January 18, 2017, alleged that the student loan servicer and its corporate owner engaged in deceptive acts and practices in violation the CFPA by: (1) steering borrowers experiencing long-term financial hardship into forbearance instead of advising them about, and enrolling them in, income-driven repayment plans, which, according to the CFPB, is a less costly option for borrowers; (2) failing to adequately notify borrowers who enrolled in income-driven repayment plans about the requirement to annually recertify their income and family size as required under the plan; (3) misleading borrowers about the consequences of submitting an incorrect or incomplete application to recertify their income and family size under an income-driven repayment plan; (4) misleading private student loan borrowers about requirements to release their co-signer from the loan; and (5) making numerous payment processing errors, including by misallocating and misapplying borrower payments.

In addition, the CFPB alleged that the student loan servicer and its corporate owner violated the FCRA's implementing Regulation V by failing to establish and implement reasonable written policies and procedures to furnish accurate information to credit reporting agencies regarding borrowers who had received a discharge on their federal loans due to a total and permanent disability.

Finally, the CFPB alleged that the debt collector and its corporate owner engaged in deceptive acts and practices in violation of the CFPA and Fair Debt Collection Practices Act by misleading borrowers about the effect of loan rehabilitation on their credit reports and the collection fees that would be forgiven in the federal loan rehabilitation program.

The proposed stipulated judgment and order, if entered by the court, would require the defendants to pay $100 million in consumer redress and a $20 million penalty to the CFPB's victims relief fund. The order would also, among other requirements, permanently ban the servicer from servicing federal Direct Loans, prohibit the servicer from conducting consumer-facing servicing activities for Federal Family Education Loan Program loans, and permanently ban the servicer from acquiring additional FFELP loans.

Amicus brief(ly): The CFPB really got after the servicer in this settlement, following years of investigations culminating with this high-dollar settlement and rare (for a company that remains in business) permanent ban from servicing federal student loans. The CFPB has been open about its concerns related to student loan servicing, stridently pushing for eligible student borrowers to get into income-driven repayment plans that the CFPB says are better for borrowers. The stipulated consent of the servicer to permanently exit the FFELP servicing business would have been a more extraordinary development had the servicer not announced three years ago that it would no longer service federal student loans. This is a big, expensive settlement with useful compliance points for student loan servicers, but for the servicer involved it is (hopefully) the end of a long investigation and the start of its new chapter.

¹ For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.