Last Week, This Morning

May 13, 2024

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an “Amicus Brief(ly)¹” comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters – CARLAW®, HouseLaw®, InstallmentLaw™, PrivacyLaw®, and BizFinLaw™ – provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

CFPB Issues Consent Order Against Fintech Company for Allegedly Failing to Refund Balances on Closed Consumer Banking Accounts in Timely Manner

On May 7, the Consumer Financial Protection Bureau imposed a total of $4.6 million in redress and fines on Chime Financial, Inc., a financial technology company, for allegedly withholding account-closure refunds from its customers for an unreasonable amount of time. The company offers checking and savings accounts primarily for personal use, held by FDIC-insured partner banks. Despite agreements stating that refunds of balances for closed accounts would be processed within 14 days, the company allegedly exceeded this timeframe on thousands of occasions, causing what the CFPB alleged as substantial harm to consumers who relied on these funds for essential expenses. The CFPB concluded that the company’s delays in returning consumer funds constituted an unfair act, in violation of the Consumer Financial Protection Act.

In response to the findings, the company and its affiliates were ordered to cease the alleged violations and ensure timely refund processing. The company must also establish a comprehensive compliance plan to rectify its post-closure refund practices, subject to CFPB review. The company’s board and executives must oversee compliance efforts and report progress to the CFPB annually. Additionally, the company must pay a civil money penalty of $3.25 million to the CFPB’s victims relief fund, with provisions to ensure full compliance and accountability for any defaults on payment obligations.

Furthermore, the consent order obligates the company to implement a redress plan, reserving $1.3 million within 10 days to compensate affected consumers. The plan outlines procedures for identifying and compensating impacted individuals, including mailing redress checks and notices within specific timeframes. The company must adhere to strict reporting and recordkeeping requirements to ensure ongoing compliance with the consent order.

Amicus brief(ly): For years now, the CFPB has focused on refunds in the consumer credit context with a flurry of activity related to refunds of unearned premiums or fees for ancillary products, like GAP coverage, upon early termination of a credit agreement. This consent order underscores that the CFPB will find consumer harm when consumers do not receive refunds to which they are entitled. There are two important takeaways from this consent order. First, it is critical to adhere to the terms of a consumer agreement, especially when you get to write them. Here, the agreement evidently called for a refund within 14 days after closing an account. That is a little fast, but it’s what the agreement called for, so there is very little room to argue about it. Second, some back-and-forth auditing between Chime and its bank partners would likely have identified this issue before the CFPB did, allowing for remediation and a potentially reduced penalty. It is critically important in this regulatory environment to ensure that somebody is tasked with auditing and testing procedures and policies to ensure that company practices reflect what is in those procedures and policies (which ought to reflect what is in the consumer agreement).

Student Loan Securitization Trusts and Loan Servicer Resolve CFPB’s Claims that They Failed to Properly Process and Respond to Borrowers’ Loan Servicing Requests

On May 6, the Consumer Financial Protection Bureau filed a complaint and two proposed stipulated final judgments to resolve its claims against the National Collegiate Student Loan Trusts, a group of 15 trusts that purchase and securitize student loans, and the Pennsylvania Higher Education Assistance Agency, which services student loans and has been the primary servicer for loans held by the trusts since at least 2006.

The CFPB alleged that, from 2015 to 2021, the trusts and the PHEAA violated the Consumer Financial Protection Act’s prohibition against unfair and deceptive acts and practices by failing to properly process and respond to student loan servicing requests from borrowers, including requests for co-signer release, extension of forbearance or deferment, loan settlement or forgiveness, Servicemember Civil Relief Act benefits, or other forms of payment or interest rate reduction. Specifically, the CFPB alleged that: (1) the defendants misrepresented that borrower requests would be answered when, in fact, they would not; (2) the trusts failed to put into effect a functioning process for deciding borrower requests; (3) the PHEAA failed to grant natural disaster forbearance in connection with the COVID-19 pandemic and mishandled borrower requests seeking forbearance extensions due to ongoing impacts from the pandemic; and (4) the PHEAA failed to inform borrowers seeking COVID-19 forbearance of available payment relief options and other key information.

If entered by the court, the stipulated final judgments will require the trusts and the PHEAA to pay $400,000 and $1.75 million in civil money penalties, respectively, and pay nearly $3 million in redress to affected consumers. The orders also would require significant non-monetary relief, including granting certain pending borrower requests, correcting credit reporting, and ceasing debt collection activities. Finally, the orders would impose injunctive relief requiring, among other things, the implementation of a functional process going forward for processing student borrower requests.

Amicus brief(ly): Student loan servicing has been in the news fairly frequently lately, with updates on student loan forgiveness and the very recent move by Navient, a servicing spinoff of Sallie Mae, to transfer the servicing of its portfolio to MOHELA – marking the end of Navient’s student loan servicing run. But these apparent servicing failures by the PHEAA seem avoidable. As with any type of credit, servicing of student loans works best when students are employed and sign up for recurring payments in some form, so the servicer does not have to do any active servicing. But student loan servicers also have to be geared up for the exceptions so they can handle SCRA cases, forbearance requests, and other borrower requests that require a response. Then the consumer reporting and other more complicated processes can flow from those basic and foreseeable consumer needs. The allegations in this complaint and the proposed stipulated judgments seem to arise from the more routine, less complicated processes. Servicers should review the allegations against their policies and procedures and hopefully not have to adjust anything to account for omissions related to these allegations.

Illinois Senate Passes Small Business Financing Transparency Act

Illinois Senate Bill 2234, the Small Business Financing Transparency Act, has passed the state Senate and will move to the state House of Representatives for its consideration. If it becomes law, the SBFTA will impose some of the nation’s strictest requirements for providers of commercial financing transactions.

The SBFTA would apply to commercial-purpose closed-end loans, commercial-purpose open-end loans, sales-based financing, factoring transactions, and other commercial financing transactions. The bill would allow a provider to make five commercial financing transactions per 12-month period without providing disclosures. The bill would exempt any transaction with an amount financed greater than $500,000.

The SBFTA would require providers to register with the Illinois Department of Financial and Professional Regulation and give the DFPR’s Division of Financial Institutions the authority to administer the SBFTA. Providers would need to renew their registrations every calendar year. Information required in the registration application would include officers’ criminal histories, samples of disclosure forms that the provider will use, and (for a renewal) information on the provider’s offers in Illinois over the previous calendar year. The SBFTA would also require a provider to submit extensive information concerning each transaction to a statewide database administered by the DFPR, including information that is not available until the end of a transaction, such as the actual (retrospective) annual percentage rate for a sales-based financing transaction.

Like other bills that require an APR disclosure, the SBFTA would provide two methods of estimating the APR for sales-based financing. The historical method would require a provider to estimate the APR based on a recipient’s recent sales volume. The underwriting method would leave the calculation method to the provider’s discretion but require annual reporting of the average difference between the estimated and actual (retrospective) APR, allowing the DFI to require the provider to use the historical method if the difference is too large. Closed-end loans, open-end loans, factoring transactions, and other commercial financing transactions would each have separate disclosure requirements different from the requirements for sales-based financing, although the requirements for other transactions would apply only if the DFI chose to adopt rules governing disclosures for other transactions. The SBFTA would require a “double dipping” disclosure where the amount financed in a renewal transaction included unpaid finance charges from the previous transaction.

The SBFTA would provide a maximum penalty of $10,000 per violation, not to exceed $50,000 for all violations resulting from one transaction. The DFPR could also order restitution or refunds and could revoke, suspend, or deny a registration. Additionally, any violation of the SBFTA would be an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act.

The SBFTA’s disclosure and registration requirements would take effect on January 1, 2025, unless the DFPR establishes a later date.

Amicus brief(ly): Sales-based financing providers and other business funders should be watching this bill with interest in case Illinois joins the growing list of states with a commercial transaction disclosure law that requires a cost disclosure. This bill is not finished in the legislature yet, so we do not know what it will look like in final form. If it passes, there will be some ramp-up time to get transaction documents updated to account for the Illinois law before the first of the year, when it goes into effect. There is a discernible trend in states moving to regulate these transactions more actively, so it is definitely worth watching for updates in this space at the state level.

Federal Agencies Issue Third-Party Risk Management Guide for Community Banks

On May 3, the Federal Deposit Insurance Corporation, the Federal Reserve Board, and the Office of the Comptroller of the Currency released a guide for community banks on third-party risk management. The guide provides potential considerations, resources, and examples to assist community banks in managing risks presented by third-party relationships. The guide notes the importance of community banks to “appropriately identify, assess, monitor, and control these risks as well as ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations. These laws and regulations include, but are not limited to, those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).” The guide emphasizes that “[e]ngaging a third party does not diminish or remove a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including consumer protection laws and regulations, just as if the bank were to perform the service or activity itself. A community bank may engage an external party to conduct aspects of its third-party risk management. However, the bank cannot abrogate its responsibility to employ effective risk-management practices, including when using a third party to conduct third-party risk management on behalf of the bank.”

The current guide is not a substitute for the guidance issued by the agencies in June 2023 – Interagency Guidance on Third-Party Relationships: Risk Management. It is intended to be a resource for community banks to use in tandem with the June 2023 guidance. However, the agencies note that banks other than community banks may find the current guide useful.

Amicus brief(ly): Third-party risk management remains a significant concern of regulators, and all the regulators have done here is to underscore the accountability we all have for the activities of the providers we hire. The guide issued by the regulators is a useful resource for any compliance professional responsible for third-party oversight. It is important not just to have policies in place requiring third parties to comply with applicable law, but also to have audit procedures and accountability measures that allow banks to enforce agreements and (if necessary) terminate relationships with providers that do not adhere closely to what the law requires.

Florida Amends Provisions Governing GAP Products and Creates Vehicle Value Protection Agreements Act

On May 6, Florida enacted Senate Bill 902, which amends provisions in the Florida Motor Vehicle Retail Sales Finance Act governing guaranteed asset protection products and creates the Florida Vehicle Value Protection Agreements Act.

Specifically, the new law amends the definition of “guaranteed asset protection product”; requires entities to refund to the buyer all unearned portions of the purchase price of the contract for a GAP product under certain circumstances; prohibits entities from deducting more than $75 in administrative fees when providing a refund of a GAP product; authorizes GAP products to be cancelable or non-cancelable after a free-look period, which may not be shorter than 30 days; and provides that, if the termination of the GAP product occurs because of a default under the retail installment contract or contract for a loan, the repossession of the motor vehicle associated with the retail installment contract or contract for a loan, or any other termination of the retail installment contract or contract for a loan, the entity may pay any refund due directly to the holder or administrator and apply the refund as a reduction of the amount owed under the retail installment contract or contract for a loan, unless the buyer can show that the retail installment contract has been paid in full.

The new law also creates the Florida Vehicle Value Protection Agreements Act to govern the sale of vehicle value protection agreements (“VVPAs”) in the state. Among other requirements and prohibitions, the Act provides that any amount charged or financed for a VVPA is not considered a finance charge or interest and must be separately stated in the finance agreement and in the VVPA, prohibits the conditioning of credit offers or terms for the sale or lease of a motor vehicle upon a consumer’s payment for or financing of any charge for a VVPA, and authorizes discounting or giving the VVPA at no charge in connection with the purchase of other non-credit-related goods or services. The Act also requires VVPAs to include specified disclosures in writing, in clear and understandable language, and to state the terms, restrictions, or conditions governing cancellation by the provider or the contract holder. The Act also specifies requirements for notice by the provider, refund of fees, and deduction of fees in the event the VVPA is canceled.

Finally, the new law adds a provision to the MVRSFA governing excess wear and use waivers in motor vehicle lease agreements.

Amicus brief(ly): Florida is later than most states to adopt a comprehensive GAP law, but here we are, and the law tracks other GAP laws pretty closely. It is a welcome development for those who like parameters and, importantly, a clear statement from the state about whether a two-party GAP agreement is “insurance” under state law and whether a creditor has to treat premiums for GAP as a finance charge (interest) or not under state law. This update in Florida gives clearer rules about how to offer GAP, which is good for the compliance people.

¹ For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.