Last Week, This Morning

October 15, 2024

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)[1]" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

CFPB and Federal Reserve Announce TILA and CLA Thresholds for 2025

The Consumer Financial Protection Bureau and the Federal Reserve Board recently announced that they are increasing the dollar thresholds in Regulation Z (Truth in Lending) and Regulation M (Consumer Leasing) for exempt consumer credit and lease transactions. The Dodd-Frank Act provides that the dollar amount thresholds for TILA and the CLA must be adjusted annually by any annual percentage increase in the Consumer Price Index. Based on the annual percentage increase in the CPI as of June 1, 2024, the protections of TILA and the CLA generally will apply to consumer credit transactions and consumer leases of $71,900 or less in 2025. However, private education loans and loans secured by real property (such as mortgages) are subject to TILA regardless of the loan amount.

Amicus brief(ly): Compliance professionals should have this CFPB and FRB announcement on their annual watch lists (it is on ours). The thresholds dictate whether a consumer transaction will be subject to the substantive requirements and limitations of TILA or the CLA based on the amount financed or, in the case of a consumer lease, the total contractual obligation (i.e., the total of payments). A number of states also tie the applicability of their consumer credit laws to these thresholds, so the impact of these dollar amount adjustments goes beyond federal law to state law in states like Iowa, Maine, and several others. It is important to know these threshold amounts not just as an affirmative compliance measure, but also as a defensive measure for litigation, or threatened litigation, involving transactions with dollar amounts that exceed the thresholds.

CFPB Publishes Special Edition of Supervisory Highlights Concerning Auto Financing

On October 7, the Consumer Financial Protection Bureau published a special edition of Supervisory Highlights that focuses on auto financing. The report highlights CFPB examiner findings of unfair, deceptive, and abusive acts or practices in the auto financing market for examinations completed between November 1, 2023, and August 30, 2024.

According to the report, examiners found that "loan originators engaged in deceptive acts or practices through service providers when the service providers mailed prescreened advertisements marketing rates 'as low as' specified APR rates to consumers who in fact had no reasonable chance of qualifying for or being offered rates at or near that level." Examiners also found that "auto-loan originators violated ... Regulation Z because their disclosures did not accurately reflect the terms of the prepayment penalty. ... The TILA disclosure states 'Prepayment - if you pay early, you may have to pay a penalty.' In contrast, the associated retail installment sales contract stated that there was no finance charge if the loan is paid early."

Next, the report details examiners' findings with respect to vehicle repossession activities. Examiners found that "servicers engaged in unfair acts or practices when they erroneously repossessed consumers' vehicles (a) when their representatives or service providers failed to cancel orders to repossess vehicles, or act on those cancellations, when consumers had made payments or obtained extensions that should have prevented repossessions; and (b) when consumers had requested, or the servicer had approved, a COVID-19 related loan deferment or loan modification, consumers had otherwise made timely payments, or consumers made arrangements to pay an amount sufficient to cancel the repossession." Examiners also found that "servicers engaged in unfair acts or practices when they failed to record liens and then repossessed vehicles without a valid lien. When assigning vehicles for repossession, servicers did not verify that they had a valid lien. As a result, they repossessed vehicles from consumers who did not have any prior affiliation with the servicers."

The report goes on to address other general issues related to servicing practices, including "applying borrowers' auto-loan payments to post-maturity loans in a different order than that disclosed to consumers on their websites, which resulted in borrowers having to pay late fees," and failing to timely provide consumers with the title to a vehicle after a payoff or when consumers requested the title in connection with transferring vehicle registrations to a different state.

CFPB examiners also found multiple law violations in connection with add-on products. Examiners found that auto finance companies, among other things, charged consumers for optional add-on products that consumers did not agree to purchase, failed to provide refunds of unearned premiums after early termination of a contract, financed certain add-on products for vehicles that were not eligible because they had salvage titles, imposed onerous requirements on consumers to cancel contracts for add-on products, and failed to honor consumers' cancellation requests.

Finally, CFPB examiners found that auto finance companies and servicers furnished inaccurate information to credit reporting agencies.

Amicus brief(ly): Any issue of the CFPB's Supervisory Highlights is important to read, and this one is no different. The CFPB lets us know what it's thinking about and what it sees in its examinations that is troubling. Compliance professionals can take useful information from these publications, both to confirm that their companies are not engaged in any of the activities noted by the Bureau as unlawful and to enhance auditing and testing protocols to look for these activities and make any necessary policy adjustments. In this special vehicle finance edition of Supervisory Highlights, the CFPB reviews its observations from a one-year period that reads like a recap of its concerns from the past 10 years or so: repossessions occurring after events that should have led to cancellation of the repossession order (e.g., payments made or payment due date extensions granted); issues with the marketing and sale of vehicle protection products and other add-on products; and data furnishing. While the CFPB tends to overstate the frequency with which these events occur, its observations serve as useful reminders for financial services providers to stay vigilant, test policies and procedures, and proactively work to prevent consumer harm.

FTC and State Attorneys General Resolve Charges of Inadequate Data Security Practices by Hotel Chains and Require $52 Million Payment to States

On October 9, the Federal Trade Commission announced a settlement with a multinational hotel chain and its subsidiary, resolving allegations that the companies made deceptive statements in their privacy policies about their data security practices and failed to provide reasonable and appropriate security for the personal information they collected about consumers. Specifically, the complaint alleged that the companies failed to: implement appropriate password controls, access controls, firewall controls, or network segmentation; patch outdated software and systems; adequately log and monitor network environments; and deploy adequate multifactor authentication. These alleged data security failures apparently led to three separate data breaches compromising the personal information of millions of consumers.

In a parallel investigation, a coalition of attorneys general from 49 states and the District of Columbia resolved similar data security allegations against the companies, imposing $52 million in penalties. The FTC noted in its press release that it does not have legal authority to obtain civil penalties in this case.

According to the FTC's press release, the proposed settlement order prohibits the companies from misrepresenting how they collect, maintain, use, delete, or disclose consumers' personal information and the extent to which they protect the privacy, security, availability, confidentiality, or integrity of personal information. The proposed order also requires the companies to:

  • implement a policy to retain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected, as well as share the purpose behind collecting personal information and the specific business need for retaining it;
  • establish, implement, and maintain a comprehensive information security program, which must contain robust safeguards and undergo an independent, third-party assessment every two years, and certify compliance to the FTC annually for 20 years;
  • provide a method for consumers to request review of unauthorized activity in their loyalty rewards program accounts and restore any loyalty points stolen by malicious actors; and
  • provide a link for consumers to request deletion of personal information associated with an email address and/or a loyalty rewards program account number.

The terms of the settlement with the state AGs are similar to the FTC's settlement terms.

Amicus brief(ly): This is an important consent order for all companies that collect, maintain, use, or disclose "individually identifiable information from or about an individual consumer" to take note of, regardless of their size and regardless of whether they are a "financial institution" subject to the Safeguards Rule. Companies of any size might consider using the elements identified in the order as clues to investigate their own information security programs - what aligns and what needs improvement? Notably, the order requires the hotel chain to post a clear and conspicuous link on its website that allows consumers to request deletion of their personal information associated with an email address and/or loyalty program number. If the 20-year compliance requirements are not enough to get your attention, the FTC highlighted that 49 states and the District of Columbia also settled claims to the tune of $52 million to resolve issues similar to those cited in the FTC's order, noting that the FTC did not have the authority to collect civil penalties. Don't be the next example; now is the time to ensure that your information security program is in tip-top shape.

Kansas Revises Loan Document Requirements for State Banks for Certain Real Estate Loans

The Kansas Office of the State Bank Commissioner recently adopted amendments to loan document requirements for state banks chartered in Kansas for certain real estate loans. Section 17-11-18 of the Kansas Administrative Regulations is amended to change the requirements for state banks' maintenance of loan documents. Amendments to subsection (b)(1)(C) applicable to non-governmental-guaranteed non-purchase-money real estate loans of $250,000 or less provide that state banks can maintain a written verification that they conducted a lien search on the property as the minimum documentation requirement. Amendments to subsection (b)(1)(A) applicable to non-governmental-guaranteed purchase-money real estate loans of $250,000 or less provide that state banks can maintain a written title opinion or title insurance policy as a minimum documentation requirement.

K.A.R. 17-11-21, which requires maintenance of an appraisal or evaluation of real estate mortgages, is amended to change the threshold where two officers or directors of a bank or a qualified individual who is independent of the transaction may conduct an evaluation of real estate. If the loan is secured by a single one- to four-family residential property, an evaluation of the real estate may be conducted for a mortgage to secure principal debt of $400,000 or less. If the loan is not secured by a single one- to four-family residential property, an evaluation of the real estate may be conducted for a mortgage to secure principal debt of $500,000 or less. If the loan is to be secured by multiple properties, the estimate of value of each individual property will determine whether an appraisal or evaluation is required. This amendment also sets forth the minimum standard for an appraisal and an evaluation.

The rule amendments are effective October 18, 2024.

Amicus brief(ly): These safety-and-soundness regulations are focused on a pretty specific subset of mortgage loans typically made and retained by small community banks. With the recent federal focus on appraisal integrity, it appears that the Kansas State Bank Commissioner wants to make sure that if a state-chartered bank is making these mortgage loans and keeping them on the books, the bank has done its diligence on the borrower and the real property that serves as its security. That is good practice, but the impact of this development is limited to Kansas-chartered banks.

Ohio Amends Short-Term Loan Act Rules

The Ohio Department of Commerce, Division of Financial Institutions, recently revised its Short-Term Loan Act rules concerning definitions, recordkeeping, advertising, licensing, and license renewal, effective October 14, 2024.

The amendments revise the definitions section to define "borrower" as a person with either an active or inactive loan; define "payable in substantially equal installments" as payable in installments of substantially equal amounts according to a payment schedule in which the first payment is due no later than one month and 15 days from origination, with subsequent payments due at substantially consistent time intervals ranging from weekly to monthly; and define the time periods involved in calculating interest or fees: one month equals 1/12 of a year, each one-month period ends as described in section 1.45 of the Revised Code, one day equals 1/365 of one year when a calculation is made for a fraction of a month, and "year" has the same meaning as in section 1.44 of the Revised Code.

The amendments revise the recordkeeping requirements section to replace the loan statement requirement in 1301:8-11-02(A)(2) with a requirement that the information be kept in a sortable electronic spreadsheet containing the same information as required under the current rule except that the amendments remove the check collection charge, if any, that may be levied and the types and amounts of any credit-related insurance and add the following:

  • whether the borrower or a dependent is on active duty in the U.S. armed forces;
  • whether the loan is new or a refinance;
  • amount financed;
  • loan term;
  • for a refinanced loan, the prior loan number;
  • frequency of payments;
  • payment due dates;
  • contractual rate of interest;
  • total scheduled amount of interest charges;
  • origination fee;
  • total scheduled amount of maintenance fees;
  • nonsufficient funds fees;
  • check cashing fee, if any;
  • loan status;
  • most recent date of payment; and
  • amount of most recent payment.

Additional changes to recordkeeping requirements include adding an option that signed loan agreements and other loan documents may be identified by account number in addition to loan number; removing the requirement to maintain an alphabetical index of all borrowers, co-makers, guarantors, and other obligors identified by account number with respect to all persons obligated for interest in excess of the current usury rate; and adding a requirement that the record of loans in litigation be maintained in a sortable electronic spreadsheet containing the same information as required under the current rule except that the amendments remove all original litigation records and documents, all credit life claim records, and histories of nonpublished indices used to establish interest rates for variable rate loans and add the following:

  • account or loan number;
  • principal borrower's residential address;
  • court or jurisdiction in which litigation was filed;
  • case number; and
  • status of litigation.

Also with regard to recordkeeping, the amendments remove the requirement that a licensee separate loan records from the records of any other business and require the maintenance of any final judgments or settlement agreements.

The amendments revise the advertising section to remove the requirement to maintain a record of all advertising. The amendments revise the licensing section to remove the provision requiring that a new license be obtained prior to conducting business at a new location. Finally, the amendments revise the renewal license section to specify that a renewal application must be received by December 31 and to allow a licensee to continue to act as a licensee while the renewal application is pending.

Amicus brief(ly): In an otherwise quiet legislative period when most states are not in session but are gearing up to pre-file for next year, we focus our attention on the regulators' rulemakings that are not seasonal. Ohio's amendments to its Short-Term Loan Act regulations are largely focused on recordkeeping for licensees and cleaning up the regulations around licensing, but they do not expand, contract, or otherwise change licensing requirements under the Act. Curiously, the regulator struck a fairly straightforward prohibition on false, misleading, or deceptive advertising by licensees under the Act (we doubt that licensees will require a reminder that such advertising is still not a good idea). There are important updates in this rulemaking for Short-Term Loan Act licensees, but no game changers.


[1] For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.