December 9, 2024
Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.
CFPB Proposes Rule Clarifying Applicability of FCRA to Data Brokers
On December 3, the Consumer Financial Protection Bureau proposed a rule to amend Regulation V, which implements the Fair Credit Reporting Act, in order to bring certain data broker practices under the purview of the FCRA. Among other changes, the proposed rule would clarify the definitions of "consumer report" and "consumer reporting agency" as follows:
- clarify that data brokers that sell certain information - specifically information about a consumer's credit history, credit score, debt payments, or income or financial tier - are consumer reporting agencies and that the information sold is a consumer report, regardless of the intended use of the information;
- clarify that a communication of consumer information is a consumer report if it is used for eligibility purposes, even if the entity providing the information did not expect it to be used for such purposes;
- treat credit header information from consumer reporting agencies, such as the consumer's name, address, date of birth, social security number, phone number, and age, as a consumer report if the information is collected for the purpose of preparing a consumer report about the consumer;
- characterize the sharing of medical information or medical payment information with an affiliate to be a consumer report if the information is used or expected to be used for eligibility purposes;
- restrict consumer reporting agencies from using consumer report information to decide which consumers should receive certain ads, treating such use as the constructive furnishing of consumer reports; and
- seek to include de-identified consumer report data within the definition of a consumer report and set forth three proposed approaches to when de-identified consumer report data should be treated as a consumer report.
The proposed rule also seeks to expand the scope of the FCRA by sweeping in different entities that obtain and process data. Importantly for data aggregators covered by the Personal Financial Data Rights final rule that implements Section 1033 of the Dodd-Frank Act, the proposed rule defines the term "assembling or evaluating" under the definition of a consumer reporting agency to include, among other things, an entity that collects information about a consumer from a consumer's bank account or assesses it, such as by grouping or categorizing it based on transaction type. Similarly, the proposed rule seeks to include entities that gather and normalize data by including the act of modifying the year date fields to reflect all four, rather than two, digits in the definition of "assembling or evaluating." The proposed rule would even sweep in such activities as verifying or validating information with external sources.
Finally, the proposed rule addresses permissible purposes under the FCRA, proposing to restrict various uses of consumer reports as follows:
- defines the activity of furnishing a consumer report to include a consumer reporting agency's use of information from a consumer report to target advertising to the consumer for financial gain;
- requires that users, in order to obtain a report under the written instructions permissible purpose, provide consumers with a clear and conspicuous disclosure of how the consumer report will be used and requires that consumers have the ability to revoke their consent. The proposed rule also limits the use of a report based on written instructions to one year from the date of authorization; and
- clarifies that users may not rely on the legitimate business interest permissible purpose to solicit consumers for a product or service that the consumer did not initiate or to otherwise market products or services to the consumer.
Comments on the proposed rule are due by March 3, 2025.
Amicus brief(ly): The CFPB continues to focus on regulating data use through the issuance of this proposed rule that expands the FCRA's reach pretty dramatically. Readers will recall the recent Personal Financial Data Rights final rule issued by the CFPB, also known as the "Open Banking" rule, that was designed to give consumers more control under federal law over what happens with their data. This proposed rule, if it continues on its current trajectory, will expand the scope of the FCRA from its roots as a law that regulates consumer reporting agencies and users of consumer reports (the definition of which is also expanding in this proposed rule). If finalized as proposed, the updates to Reg. V will give the CFPB more regulatory enforcement tools to address its concerns about consumers' personal safety and national security risks arising from data brokers' sale of sensitive personal and financial information. This rule is far from finished, as the CFPB has to digest public comments received over the next three months, but it has the potential to be very impactful. We'll keep readers apprised of developments.
Agencies Issue Joint Statement on Elder Financial Exploitation
On December 4, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Consumer Financial Protection Bureau, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Financial Crimes Enforcement Network, and state financial regulators issued a joint statement to provide supervised institutions with examples of risk management and other practices that can be effective in identifying, preventing, and responding to elder financial exploitation, including but not limited to:
- developing effective governance and oversight, including policies and practices to protect account holders and the institution;
- training employees on recognizing and responding to elder financial exploitation;
- using transaction holds and disbursement delays, as appropriate, and consistent with applicable law;
- establishing a trusted contact designation process for account holders;
- filing suspicious activity reports with FinCEN in a timely manner;
- reporting suspected elder financial exploitation to law enforcement, Adult Protective Services, and other appropriate entities;
- providing financial records to appropriate authorities where consistent with applicable law;
- engaging with elder fraud prevention and response networks; and
- increasing awareness through consumer outreach.
Amicus brief(ly): This development builds on state legislative efforts made over the past decade or so (as evidenced by the guidance from 13 states appended to the joint statement) to combat the financial exploitation of elders. Whereas most of the state laws on the books focus on the perpetrators of elder financial exploitation, this joint statement takes a different angle by offering and repeating risk management guidance for financial institutions that would much prefer to help identify and prevent exploitation than to become involved in the schemes of bad actors. The joint statement is replete with resources to aid financial institutions in their efforts to identify and investigate unusual account activity.
FHA Revises Requirements for Mortgagees' Reporting of Cyber Incidents to HUD
On December 2, the Federal Housing Administration issued Mortgagee Letter 2024-23 to revise the requirements for FHA-approved mortgagees to notify the Department of Housing and Urban Development when a reportable cyber incident occurs. The FHA is revising its cyber incident reporting requirements to provide additional clarity, to better align its requirements with the computer-security incident notification requirements for banking organizations and their service providers that have been established by the federal banking agencies, and in response to increased cyber incidents impacting FHA-approved mortgagees.
Mortgagee Letter 2024-23 requires FHA-approved mortgagees to notify HUD as soon as possible, but no later than 36 hours, after the mortgagee has determined that a reportable cyber incident has occurred. FHA mortgagees are encouraged to "continue the effective practice of providing same-day notification to HUD when a Reportable Cyber Incident occurs." A "Reportable Cyber Incident" is defined as "a Cyber Incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the FHA-approved Mortgagee's ability to meet its operational obligations for originating or servicing FHA-insured Mortgages."
Mortgagee Letter 2024-23 supersedes Mortgagee Letter 2024-10 (issued on May 23, 2024) and is effective immediately.
Amicus brief(ly): Mortgagee Letter 2024-10 was earnest but possibly a little unrealistic with its 12-hour notification window for cyber incidents. The 36-hour notification window provided by the new Mortgagee Letter is more attainable. As anyone who has been through a cyber incident knows, a lot happens during the investigation into that incident, and even more happens once that investigation reveals that a system or protected information has been compromised. HUD is justifiably concerned about its own systems and the potential impacts it faces from a cyber incident involving one of its approved mortgagees. This Mortgagee Letter maintains the urgency around such events, but the extra 24 hours for reporting is a welcome change.
FHA Issues Guidance for Implementing HUD's Final Rule Requiring Mortgagees to Conduct Meetings with Borrowers in Default
On December 4, the Federal Housing Administration issued Mortgagee Letter 2024-24 to provide guidance for implementing the provisions of HUD's final rule entitled "Modernization of Engagement with Mortgagors in Default."
The final rule, published in the August 2 Federal Register, updated HUD's current regulation that requires mortgagees of Federal Housing Administration-insured single family mortgages to meet in person with borrowers who are in default on their mortgage payments. For most mortgages insured pursuant to 24 CFR Part 203 - Single Family Mortgage Insurance - the final rule:
- allows mortgagees to use electronic and other remote communication methods for conducting interviews with borrowers to satisfy FHA's early default intervention requirements;
- eliminates the requirement that mortgagees make at least one trip to the mortgaged property to schedule a meeting with the borrower; and
- expands the meeting requirement to include borrowers who do not reside in the mortgaged property or have a mortgaged property that is not within 200 miles of their mortgagee, its servicer, or a branch office.
On November 21, HUD extended the compliance date for certain provisions of its final rule until July 1, 2025.
This new Mortgagee Letter contains alternative interim procedures to conduct a loss mitigation interview with a borrower in default. The interim procedures are effective January 1, 2025, through June 30, 2025. The interim procedures give mortgagees the ability to maintain their current operations while working towards implementing the Mortgagee Letter's permanent provisions, which may be implemented immediately but must be implemented no later than July 1, 2025.
Amicus brief(ly): We have reported on this final rule several times in "Last Week, This Morning." This is the latest update, which provides alternative interim procedures that mortgagees can use until the provisions are fully effective on July 1 of next year. For servicers that have not been able to fully develop, test, and adopt new procedures to comply with the updated requirements, these interim procedures offer a middle step that moves towards the FHA's stated goals of modernizing the rules about mandatory borrower meetings to offer enhanced electronic communication tools while accommodating the need for more time. July 1 will be here before we know it.
New York Prohibits Imposition of Certain Fees at Expiration of Motor Vehicle Lease Term
New York Governor Kathy Hochul recently signed Assembly Bill 7167, which amends Section 337 of the state's Motor Vehicle Retail Leasing Act concerning the requirements for motor vehicle retail lease agreements. The amendment prohibits a motor vehicle lease from containing any provision that imposes on the lessee a turn-in fee at the expiration of the lease term that constitutes an additional fee for administrative, handling, or clerical charges. The amendment applies to leases executed on or after January 1, 2025.
Amicus brief(ly): We have a vehicle leasing development! Short and sweet, the New York law simply prohibits a lease turn-in fee charged to lessees for administrative overhead costs. The law still allows for a turn-in fee attributable to other costs or expenses, like the costs of preparing the leased vehicle for resale. For that reason, it is important for lessors that will continue charging a "turn-in" fee by that name to document what activities or services the fee covers so it is clear that the fee does not compensate the lessor impermissibly for simple administrative overhead costs.
New York Amends Telemarketing Laws
New York Governor Kathy Hochul recently signed Assembly Bill 7939 governing actions of telemarketers, effective immediately. Under General Business Law Section 399-z, telemarketers are required to give certain information to customers at the beginning of each call, including the telemarketer's name and the person on whose behalf the solicitation is being made, if other than the telemarketer; the option to be automatically added to the seller's entity-specific do-not-call list; whether the call is being recorded; the purpose of the call; and the identity of the goods or services for which a fee will be charged. General Business Law Section 399-pp, otherwise known as the Telemarketing and Consumer Fraud and Abuse Prevention Act, requires telemarketers to provide similar information at the beginning of the call and prior to any request by the caller to release or disclose any of the customer's personal or financial information.
A.B. 7939 now requires that, under both sections, the information be given no later than 30 seconds from the commencement of the call. A.B. 7939 further amends the TCFAPA to provide that a telemarketer must disclose the address of any company on whose behalf the telemarketer is providing services on any website owned or operated by the telemarketer and on any subsequent written communication to any customer.
Amicus brief(ly): Another brief but impactful New York law, effective immediately, will require telemarketers operating in New York and subject to New York's TCFAPA and its do-not-call statute to give required disclosures at the outset of their calls. Importantly, this law does not add to the telephone disclosure requirements - it just requires telemarketers to get that required information to the person being called within the first 30 seconds of the call (the script and procedure changes should be quick and easy to make, or so suggests the immediate effective date of the changes). The new disclosure requirement (address of the company for whom the telemarketer is working) applies to websites and written communications.
1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.