CFPB Looks to Expand Its Oversight of Nonbanks through Two Controversial New Registries

R. Andrew Arculin, R. Colgate Selden, Scott E. Wortman, Paula M. Vigo Marques, and Daniel V. Funaro

The Consumer Financial Protection Bureau (“CFPB” or “Bureau”) released two new proposals that aim to expand the Bureau’s authority over nonbank financial institutions:

  1. A “repeat offender” registry of consent orders or settlements with an array of state and federal regulators relating to compliance with consumer protection laws (“Repeat Offender Proposal”); and
  2. A public registry of the terms and conditions nonbanks use in “form contracts” that consumers typically are not able to negotiate (“Terms and Conditions Proposal”).

Assuming these registries are created as proposed and survive any ensuing legal challenges, complying with the reporting obligations should be relatively easy. The larger challenge will be managing the increased regulatory and litigation risk imposed by the registries.

Repeat Offender Proposal

On December 12, 2022, the CFPB issued a proposal to establish a “repeat offender” registry requiring certain nonbank covered entities to report all final public written orders and judgments (including any settlements, consent decrees, or stipulated orders and judgments) obtained or issued by any federal, state, or local government agency for violation of a number of enumerated consumer protection laws, including those related to unfair, deceptive, or abusive acts or practices (“UDAAPs”).

After receiving these written orders and judgments, the CFPB intends to create a database of enforcement actions that would be available online to the public and to other regulators. The database would be limited to final settlement or consent orders, so injunctions, preliminary orders, temporary cease-and-desist orders, and other tentative or temporary orders would not be reportable.

In addition, the proposal would require supervised nonbanks to submit an annual written statement regarding compliance with each underlying order, attested to by an executive with “knowledge of the entity’s relevant systems and procedures for achieving compliance and control over the entity’s compliance efforts.” These entities would also be required to designate a central point of contact for the entity’s compliance with reportable enforcement actions.

The proposed rule would only apply to certain nonbank covered entities subject to CFPB’s authority. At present, insured depository institutions and credit unions, related persons, states, natural persons, and certain other entities are excluded from registry participation requirements. However, the CFPB stated in the press release for the proposal that it “might later consider collecting or publishing the information described in the proposal from insured banks and credit unions.”

Read the full client alert on our website.

NY Department of Financial Services Enforces First-in-the-Nation Cybersecurity Rules and Fines Mortgage Lender $1.5 Million for Failure to Comply

Andrea M. Roberts and Diana M. Eng

In March 2017, New York State’s Department of Financial Services (“DFS”) implemented the nation’s first cybersecurity rules requiring all regulated entities, such as banks, insurers, financial businesses, and regulated virtual currency operators, to implement and maintain a cybersecurity program and written cybersecurity policies (the “Cybersecurity Regulation”). The required measures include, among other things, establishing a detailed security plan, increasing the monitoring of third-party vendors, appointing a chief information security officer, and reporting breaches to the DFS Superintendent within 72 hours of determining that a Cybersecurity Event has occurred.[1] The Cybersecurity Regulation is codified at 23 NYCRR 500.

For the second time, DFS has fined a regulated entity for failure to comply with the Cybersecurity Regulation. In March 2020, DFS commenced an examination of Residential Mortgage Services, Inc. (“Residential”), a Mortgage Banker (as defined in the Banking Law) based in Maine and licensed in New York. The examination encompassed a general compliance, safety, and soundness review, as well as compliance with the Cybersecurity Regulation. During the review, Residential disclosed for the first time a Cybersecurity Event that had occurred nearly 18 months earlier: an employee who handled sensitive personal data received a phishing e-mail and clicked a hyperlink to a malicious website.

DFS determined that although Residential’s technical support staff was alerted to the suspicious activity, Residential’s internal investigation was inadequate: once it concluded that the unauthorized access was limited to the employee’s e-mail account, it conducted no further inquiry. DFS further determined that Residential failed to satisfy the notification requirements of the Cybersecurity Regulation, because it failed to (i) identify whether the employee’s mailbox contained private consumer data at the time of the breach and which consumers were affected; and (ii) notify DFS within 72 hours of identifying the Cybersecurity Event. Finally, DFS determined that Residential lacked a comprehensive cybersecurity risk assessment, which should have driven periodic evaluation of the controls designed to protect nonpublic information and information systems.


U.S. Supreme Court Holds “Autodialer” Definition under the TCPA Is Limited to Equipment Using a Random or Sequential Number Generator

Wayne Streibich, Diana M. Eng, and Andrea M. Roberts

Financial institutions, debt collectors, and consumer-facing businesses should take note that the United States Supreme Court has ruled that the definition of an “autodialer” under the Telephone Consumer Protection Act, as written, requires that the device use a random or sequential number generator. This narrow interpretation should shield companies from liability in current or future actions where the consumers’ telephone numbers are known to the caller rather than randomly or sequentially generated.

In Facebook, Inc. v. Duguid, 592 U.S. ___ (2021), the United States Supreme Court (“SCOTUS”) narrowly interpreted the definition of “autodialer” under the Telephone Consumer Protection Act (“TCPA”), holding the definition excludes equipment that does not use a random or sequential number generator. SCOTUS specifically held that an “automatic telephone dialing system” is limited to equipment that either stores a telephone number using a random or sequential number generator, or produces a telephone number using a random or sequential number generator.

Summary of Facts and Background

Plaintiff Noah Duguid (“Plaintiff”) began receiving several login-notification text messages from defendant Facebook, Inc. (“Facebook”), alerting him that someone had attempted to access the Facebook account associated with his phone number from an unknown browser. Plaintiff never had a Facebook account and had not given Facebook his phone number. As such, Plaintiff commenced a putative class action in the District Court for the Northern District of California (“District Court”) against Facebook, alleging it violated the TCPA by maintaining a database that stored phone numbers and programming its equipment to send automated text messages to the stored phone numbers each time the associated account was accessed from an unrecognized device or browser.

Facebook moved to dismiss, arguing that it did not violate the TCPA because Facebook did not use an automatic dialer, as its text messages were not sent to phone numbers that were randomly or sequentially generated. Rather, Facebook sent targeted, individualized texts to phone numbers linked to specific accounts. The District Court agreed with Facebook and dismissed Plaintiff’s complaint with prejudice.

Plaintiff appealed, and the United States Court of Appeals for the Ninth Circuit (“Ninth Circuit”) reversed the District Court’s order. The Ninth Circuit held that an autodialer “need not be able to use a random or sequential generator to store numbers; it need only have the capacity to ‘store numbers to be called’ and ‘to dial such numbers automatically.’” SCOTUS granted certiorari to resolve a circuit split among the Courts of Appeals regarding whether the definition of an “automatic telephone dialing system” includes equipment that can “store” and dial phone numbers, even if such equipment does not “us[e] a random or sequential number generator.”

Read the full client alert on our website.