Last Week, This Morning

April 15, 2024

Happy Tax Day! (Is there such a thing?) Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an “Amicus Brief(ly)1” comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters – CARLAW®, HouseLaw®, InstallmentLaw™, PrivacyLaw®, and BizFinLaw™ – provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

Draft, Bipartisan Federal Data Privacy Bill Released

On April 7, U.S. Senator Maria Cantwell (D-WA), chair of the Senate Committee on Commerce, Science, and Transportation, and U.S. Representative Cathy Rodgers (R-WA), chair of the House Committee on Energy and Commerce, released draft federal data privacy legislation titled the American Privacy Rights Act.

According to the joint press release by Cantwell and Rodgers, the APRA would establish uniform data privacy rights for individuals; preempt existing state comprehensive data privacy laws; minimize the personal data that companies can collect, store, and use to what those companies actually need to provide individuals with products and services; give individuals control over their personal data, including the ability to prevent the transfer or sale of their data; require affirmative express consent before sensitive data can be transferred to a third party; require companies that collect personal data to let individuals access, correct, delete, and export their data; allow individuals to opt out of targeted advertising; and disallow mandatory arbitration for claims involving minors, a substantial privacy harm, or specific physical or mental harms. The APRA would allow individuals to opt out of a company’s use of algorithms to make decisions about, among other things, housing, employment, healthcare, credit, education, and insurance. The APRA would also require companies subject to the Act to implement data security standards. Individuals would have a private right of action for violations of the Act, and the Federal Trade Commission and the states would be authorized to enforce the Act. Small businesses, as defined, would be exempt from the APRA.

Amicus brief(ly): If this federal effort gets legs, its preemption provision will displace the state privacy legislation adopted in California, Colorado, Connecticut, Oregon, Utah, and Virginia, among other states. (Several similar privacy bills are currently pending in yet other states.) We typically like that result, so a single set of rules applies to any national privacy program. In light of states’ continued focus on data security and information privacy, with a heightened interest in allowing consumers to better control how companies use and share their data, a single federal standard should simplify matters, even if we don’t love the final product. We will track this development in our legal reporters (subscribers should, too) with our fingers crossed for a productive result.
Spring Edition of CFPB’s Supervisory Highlights Focuses on Credit Reporting and Furnishing

On April 8, the Consumer Financial Protection Bureau issued a new edition of Supervisory Highlights, which focuses on the Bureau's findings from recent examinations of consumer reporting agencies ("CRAs") and furnishers concerning their obligations under the Fair Credit Reporting Act and its implementing Regulation V. The spring edition of the publication covers certain examinations in connection with credit reporting and furnishing that were completed from April to December 2023.

CFPB examiners found several deficiencies in CRAs' compliance with the requirements of the FCRA and Reg. V. Specifically, examiners found that CRAs:

  • automatically refused to implement identity theft blocks upon receipt of the requisite documentation based on "overbroad disqualifying criteria" and without making an individualized determination that there was no statutory basis to decline the block;
  • failed to give timely and compliant notices to consumers after declining to implement an identity theft block or after rescinding an identity theft block;
  • failed to provide identity theft victims with the required identity theft summary of rights;
  • violated Reg. V's new human trafficking rule by failing to timely block, or in some cases failing to block whatsoever, adverse items of information identified by the consumer as resulting from human trafficking; and
  • failed to maintain procedures designed to ensure maximum possible accuracy with respect to oversight of furnishers. Specifically, examiners found that CRAs failed to adequately monitor dispute metrics that would suggest a furnisher may not be an accurate source of reliable and verifiable information. CRAs also failed to implement procedures to assure the accuracy of information reported by unreliable furnishers.

The CFPB required the CRAs to revise their internal policies and procedures to address the issues cited above as well as revise template notices to confirm that the required information is included.

The spring edition of Supervisory Highlights also addresses FCRA compliance issues that CFPB examiners uncovered during examinations of furnishers. Notably, examiners found that furnishers:

  • failed to promptly correct and update furnished information after determining that the information was incomplete or inaccurate, sometimes for several months or years;
  • failed to investigate direct disputes that did not satisfy the furnisher's enhanced identity verification requirements (despite satisfying the statutory identity verification requirements);
  • deleted tradelines upon receipt of disputes rather than conducting investigations;
  • inaccurately reported dates of first delinquency. For example, furnishers of information concerning auto financing often reported the date of first delinquency as the first day of the statement cycle following the consumer's missed payment rather than 30 days after the missed payment due date;
  • failed to promptly send corrections or updates to CRAs after determining that accounts were paid in full, particularly in the case of auto leases; and
  • continued to furnish information identified in a consumer's identity theft report to CRAs before knowing or being informed by the consumer that the information was accurate.

As with the CRAs, the CFPB required furnishers with the above-referenced deficiencies to update their policies and procedures to address the issues cited and to engage in lookbacks to correct the furnishing of inaccurate information.

Amicus brief(ly): The Supervisory Highlights reports are useful checkpoints for a compliance management system because they allow a company to ensure that its policies and procedures are designed to avoid the activities or omissions the CFPB identifies as deficient in its report. It is almost always the case that the CFPB requires a lookback and remediation when it identifies compliance deficiencies. When a company self-identifies a compliance slip-up, it is useful to consider a lookback as part of any remediation the company does. If that event turns up in an examination (with any regulator, not just the CFPB), that step will almost always yield a more favorable examination report.
Kentucky Expands Provisions Governing Amendment of Recorded Mortgages

On April 9, Kentucky enacted House Bill 488, which relates to the amendment, renewal, modification, or extension of a recorded mortgage. Prior to the enactment of HB 488, Kentucky Revised Statutes 382.297 allowed the amendment of a recorded mortgage through a recorded affidavit of amendment. HB 488 expands KRS 382.297 by providing that any amendment, renewal, modification, or extension of a recorded mortgage must: (1) be in writing; (2) contain: (a) the name and mailing address of each mortgagor and the mortgagee, (b) the book and page number where the original mortgage is recorded, (c) a description of the amendment, renewal, modification, or extension in conformity with KRS 382.330 and, for an extension, the time period of the extension and the amount of indebtedness remaining due, (d) an endorsement stating the name and address of the individual who prepared the instrument and containing the signature of the individual, (e) the address to which the recorded instrument is to be delivered, and (f) the signature of each mortgagor and the mortgagee, acknowledged before a notary; and (3) be recorded in the county clerk’s office where the original mortgage is located. HB 488 further notes that a county clerk’s receipt for recording of a document that does not comply with this section does not prevent the record of filing of the instrument from becoming notice as otherwise provided by law and does not impair the admissibility of the record as evidence.

HB 488 also amends KRS 413.100 governing the extension of the time for the enforceability of a mortgage lien. The new law provides that no act will operate as an extension of the time within which the lien may be enforced as against purchasers or creditors unless, before the expiration of 15 years after the cause of action accrues for written contracts executed on or before July 15, 2014, the lienholder records an extension of a lien secured by a recorded mortgage or, for liens secured by a recorded deed, a memorandum notice of the extension containing the book and page number where the deed is recorded, a statement that the debt is extended, the time period of the extension, the amount of indebtedness remaining due, and the signature of each promisor and the holder of the lien, acknowledged before a notary. The law then reduces that time to 10 years after the cause of action accrues for written contracts executed after July 15, 2014.

Amicus brief(ly): This amendment reduces the potential effective period of an extended mortgage by five years, but it also imposes a more significant written requirement for the recording that memorializes the extension (current law requires a simple margin note on the recorded instrument, attested by the clerk). Mortgage lenders and servicers doing business in Kentucky, please take note.
Wisconsin Revises Laws Governing Licensed Financial Services Providers

On April 4, Wisconsin enacted Senate Bill 668. The law makes extensive changes to the Department of Financial Institutions’ regulation and oversight of most (non-mortgage) licensed financial services providers in the state. The majority of these changes are administrative in nature. Specifically, the DFI is authorized to expand its use of the Nationwide Multistate Licensing System and Registry for licensing, renewal, and other required regulatory filings for licensed installment lenders (also known as “loan companies”), collection agencies, money transmitters (currently known as “sellers of checks”), payday lenders, community currency exchanges, sales finance companies, adjustment service companies, and insurance premium finance companies. In addition to these administrative changes, the new law makes the following substantive changes to the Wisconsin Licensed Lenders law, Collection Agencies law and related DFI rules, and Seller of Checks law:

  • Licensed Lenders Law. The Wisconsin Licensed Lenders Law applies to non-bank consumer loans of $25,000 less with rates exceeding 18% per year. However, the WLLL has never expressly defined “consumer loan”. The new law defines the term in a manner similar to the Wisconsin Consumer Act. It also clarifies what activities trigger licensing by defining what it means to do “business” under the WLLL. These activities include: (1) making a consumer loan that has a finance charge in excess of 18% per year; (2) taking an assignment of a consumer loan in which a customer is assessed a finance charge in excess of 18% per year; or (3) directly collecting payments from or enforcing rights against a customer relating to a consumer loan in which a customer is assessed a finance charge in excess of 18% per year.

    In addition to the existing exemption from the WLLL for most depository institutions and their affiliates, the law creates new licensing exemptions for special purpose vehicles, payment processors, and licensed collection agencies. There is also a new exemption for an individual or entity who, in connection with a securitization, private placement, collateral financing, or other type of investment or financing transaction, lends against or purchases “consumer loans,” as defined, or any portion of the outstanding balances of “consumer loans,” subject to certain conditions. The new law also adds a servicer exception, which authorizes a WLLL licensee to contract with a person that is not licensed under the WLLL to service a consumer loan on its behalf. The licensed lender generally is responsible for violations of law committed by the contracted party with respect to such servicing activities.

    Finally, the law expressly authorizes a nonrefundable prepaid finance charge in connection with all consumer loans subject to the WLLL (not just those secured by real estate) and caps the amount of such fixed finance charges using a sliding scale based on the loan amount.

  • Collection Agencies Law and DFI Rules. The new law revises the definition of the term “collector” or “solicitor” in the Collection Agencies law and eliminates the requirement that a collector or solicitor hold a license separate and apart from the collection agency that employs the collector or solicitor. However, a collection agency is responsible for, and must supervise the acts of, its collectors and solicitors and any other person who acts on its behalf. The new law also revises the definition of “collection agency” to add exceptions for licensed mortgage bankers and credit unions and to delete the exception for “express companies.”

    The law makes clear that a separate collection agency license is required for each place of business from which a collection agency or any collector or solicitor engages in collection activity. However, if an employee of a licensed collection agency works from home, a collection agency license is not required for the employee’s residence, provided the employee’s resident address is not presented to the public as a location or office of the collection agency and collection agency records are not maintained there. The new law makes additional revisions regarding use of an alias by a collector or solicitor, use of trade names by collection agencies, changing business locations, and maintenance of trust accounts.

  • Seller of Checks Law. The new law repeals the Seller of Checks law in its entirety and replaces it with model legislation known as the Money Transmission Modernization Act. The MTMA generally requires a person to be licensed by the DFI to engage in the business of money transmission. “Money transmission” means any of the following: (1) selling or issuing payment instruments to a person located in Wisconsin; (2) selling or issuing stored value to a person located in Wisconsin; or (3) receiving money for transmission from a person located in Wisconsin. The law includes exemptions for federally insured financial institutions, government agencies, registered securities broker-dealers, certain agents of a payee that collect and process payments on behalf of the payee, electronic funds transfers of governmental benefits by government contractors, and certain employees and authorized delegates of licensed money transmitters.

The new law takes effect January 1, 2025.

Amicus brief(ly): This is a busy new law. But it is mostly productive in that, without imposing further restrictions on credit products, it brings the Licensed Lenders Law more in line with traditional UCCC licensing/notification requirements, leaves useful exemptions in place (e.g., the out-of-state collector exemption from the collection agency licensing requirement), adds useful, industry-aware exemptions from licensing for investment vehicles, and codifies work-from-home rules for debt collectors (subject to the usual conditions on such arrangements). It also eliminates the outdated Seller of Checks law in favor of the more current Money Transmission Modernization Act. Not bad, Wisconsin.
Iowa Authorizes Remote Work by Mortgage Loan Originators

On April 10, Iowa enacted House Bill 2392, which, among other things, authorizes a mortgage banking licensee to allow employees or independent contractors to work at a remote location if certain requirements are satisfied. Under the new law, “remote location" means “a physical location in the United States, other than a licensee's principal place of business or a branch office, where a licensee's employee or an independent contractor of the licensee is authorized by the licensee to engage in business as a mortgage banker or mortgage broker.”

A licensee may authorize work at a remote location subject to all of the following requirements:

  • in-person customer interaction does not occur at the residence of an employee or an independent contractor;
  • the licensee's physical records are not maintained at a remote location;
  • the licensee establishes, supervises, and enforces written policies and procedures to ensure that all employees and independent contractors working from a remote location comply with all applicable state and federal laws and rules;
  • the licensee maintains the computer system used to enable employees and independent contractors to work from a remote location, and all customer information is maintained in accordance with the licensee's written information technology security plan and all applicable state and federal laws and rules;
  • employees and independent contractors who work from a remote location only access the licensee's secure systems directly from an out-of-office device using a virtual private network or comparable system that requires a password or other form of authentication to access and ensures a secure connection;
  • the licensee has the ability to remotely lock or erase the licensee-related contents of any out-of-office device or otherwise remotely limit access to the licensee's secure systems;
  • the licensee ensures the installation and maintenance of all appropriate security updates, patches, or other alterations to the security of all devices used at remote locations to access the licensee's computer system;
  • the licensee ensures that all customer interactions and communications regarding customers comply with federal and state information security requirements;
  • the licensee annually certifies that all employees and independent contractors working from a remote location comply with these requirements; and
  • the record of a mortgage loan originator working from a remote location that is contained in the Nationwide Multistate Licensing System and Registry designates a licensed location as the mortgage loan originator's official work location.
Amicus brief(ly): This is the list of requirements and limitations financial service providers looking to formalize a remote work policy (for a mortgage lending operation or otherwise) have been waiting for. It is thorough and careful, and it is hard to argue with the requirements and limitations in the overall context of the federal and state regulatory environment for financial service providers. It is nice to have the clarity and statutory “permission” for a remote work option for mortgage loan originators, as long as providers and their employees and contractors can check each box on that list.
1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.