Last Week, This Morning

May 20, 2024

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an “Amicus Brief(ly)1” comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters – CARLAW®, HouseLaw®, InstallmentLaw™, PrivacyLaw®, and BizFinLaw™ – provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or

Supreme Court Upholds CFPB Funding Structure, Clears Way for Payday Lending Rule Implementation

This was big news on Thursday, May 16. By a 7-2 vote, the U.S. Supreme Court rebuffed a challenge to the constitutionality of the Consumer Financial Protection Bureau’s funding structure, lifting a cloud that threatened the agency’s enforcement and rulemaking efforts and clearing the way for final implementation of the Payday Lending Rule.

The issue in the case centered on the manner in which Congress decided to fund the CFPB when it created the agency as part of the Dodd-Frank Act in 2010. The agency is organized under the Federal Reserve System and is not subject to Congress’s annual appropriations process. Instead, the CFPB director requests operating funds from the Federal Reserve each year up to a statutory cap of 12% of the Federal Reserve’s overall budget. The Federal Reserve, in turn, is funded mainly through assessments imposed on financial firms and certain interest income on investments; it, too, is not subject to regular Congressional appropriations.

As part of their lawsuit challenging the Payday Lending Rule, trade associations representing payday lenders argued that the CFPB’s funding mechanism violates the constitutional requirement that “[n]o Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law.” By removing the CFPB from the more typical annual Congressional funding process, the trade associations argued, Congress ran afoul of its own appropriations power by essentially delegating it to the executive branch. While that argument was rejected by a federal district court, it found favor with the U.S. Court of Appeals for the Fifth Circuit, which ruled in 2022 that the funding arrangement was unconstitutional and that, as a result, the Payday Lending Rule must be vacated.

The Supreme Court reversed the Fifth Circuit’s decision. Justice Thomas wrote the majority opinion, joined by all three of the traditionally liberal Justices (Kagan, Sotomayor, and Jackson) as well as Justices Kavanaugh and Barrett and Chief Justice Roberts. The Court stressed that “an appropriation is simply a law that authorizes expenditures from a specified source of public money for designated purposes” and that the CFPB’s funding scheme “fits comfortably” within that framework, consistent with historical practice. The Court highlighted two founding-era agencies—the Customs Service and the Post Office—and described how their fee-based standing appropriations serve as precedent for the CFPB’s funding structure. Also important for the Court was the statutory cap on the agency’s spending, which it likened to the common historical practice of Congressional appropriations for a “sum not exceeding” a specified amount.

The ruling removes a disability from the CFPB and provides the agency a freer hand in pursuing its rulemaking and enforcement agenda. Several CFPB investigations and enforcement actions were stayed pending resolution of this case, and the CFPB is poised now to push those matters forward (as the agency suggested in its own statement after the decision).

On Capitol Hill, the chair of the House Financial Services Committee, Patrick McHenry, issued a statement vowing to revisit the CFPB’s authority through reform legislation.

While the ruling all but assures that the Payday Lending Rule eventually will go into effect, it will not happen immediately. The case will now be remanded to the lower courts. Before the Supreme Court took up the final appeal, the Fifth Circuit stayed the rule’s effective compliance date until 286 days after resolution of the appeal. It remains to be seen whether and how the Fifth Circuit will revisit that timeline in the wake of the Court’s decision.

Amicus brief(ly): Suffice it to say that this was not the result the industry was hoping for. But the Supreme Court has spoken, and we’ll understand if you are skeptical that the reform legislation referenced by Rep. McHenry will go anywhere. Expect the CFPB to be invigorated by the decision (Director Chopra said Friday: “The CFPB is here to stay” and “will … forge ahead with our law enforcement work,” which it did by filing a new lawsuit against a fintech company on Friday) and pursue with confidence not only the path to making the Payday Lending Rule effective after six years of litigation, but also other rulemakings and enforcement actions. This decision is a big deal – time to dust off that copy of the Payday Lending Rule and brace for impact.
Financial Stability Oversight Council Releases Report on Nonbank Mortgage Companies

On May 10, the Financial Stability Oversight Council released a report and recommendations on the financial stability risks posed by nonbank mortgage companies (“NMCs”). The report examines the regulatory framework for NMCs and the increased presence of NMCs in the mortgage market with respect to mortgage origination and servicing, as well as their role as mortgage servicers for loans guaranteed by Fannie Mae, Freddie Mac, and Ginnie Mae. The report identifies key vulnerabilities that can impair NMCs’ ability to carry out their servicing functions and how those vulnerabilities can pose risks to the mortgage market and broader financial system. The report states that “because NMCs focus almost exclusively on mortgage-related products and services, shocks to the mortgage market can lead to significant deterioration in NMC income, balance sheets, and access to credit simultaneously. NMCs rely heavily on financing that can be repriced or canceled by the lender at times when the NMC is under financial stress. In addition to these liquidity and leverage vulnerabilities, NMCs face significant operational risk because mortgage servicing is complex and encompasses third-party and cybersecurity risks.” According to the report, these vulnerabilities may result in disruptions in the servicing of mortgages, a reduction in the availability of mortgage credit, and losses to Fannie Mae, Freddie Mac, and Ginnie Mae. The FSOC makes several recommendations to address the risks posed by NMCs identified in the report.

Notably, in a related statement on the FSOC’s report, CFPB Director Rohit Chopra asserts that consideration should be given to “whether any large [NMCs] meet the statutory threshold for enhanced supervision and regulation by the Federal Reserve Board” and that the CFPB is considering a proposed rule that would strengthen foreclosure protections for borrowers.

Amicus brief(ly): This report appears to be fair in its observations, but it is just a report that focuses on a big “what if” that might haunt servicers that lived through the foreclosure crisis beginning in 2007. While the mortgage lending world is different from its pre-crisis state, the vulnerability of a market where non-banks (which, importantly, are not subject to the safety-and-soundness requirements that apply to banks) own the servicing rights to more than half of the pool of existing mortgage balances can be unnerving. The idea that such servicers will self-fund a form of bailout for servicers that fail seems far-fetched given the taxpayer-funded bank bailouts that happened during the recession, but it’s an idea that the FSOC proposed to Congress at the end of the report, so we’ll see. The report focuses on financial stress and risk for non-banks, but it is not a regulatory compliance analysis. Watch for the rejuvenated CFPB to be the first to act on the report, as suggested by the statement from Director Chopra.
Maryland Commissioner of Financial Regulation Settles Charges Against FDIC-Insured Non-Maryland State Bank and Its Non-Bank Service Providers for Lending Without State License

The Maryland Commissioner of Financial Regulation and The Bank of Missouri recently entered into a settlement agreement following the administrative charge letter the commissioner filed in January 2021. Among other things, the letter alleged that the bank and its non-bank service providers, Atlanticus Services Corporation and Fortiva Financial, LLC, violated Maryland laws by lending to Maryland residents without a license.

The bank engaged Atlanticus and Fortiva to assist it in originating loans with an APR of 36% or less to Maryland consumers, including in-store retail credit financing and store-branded credit card accounts. According to the settlement agreement, the bank retained ownership of the accounts after origination.

In the settlement agreement, the commissioner dismissed the licensing charges against the bank. The commissioner determined that the bank need not obtain a license to continue providing open-end lines of credit to Maryland residents. In addition, the commissioner dismissed the allegation that the non-bank service providers failed to obtain a Maryland Credit Services Business Act (“MCSBA’) license. Pursuant to the agreement, the non-bank service providers agreed that they do not and will not engage in the activities prohibited by the MCSBA. The commissioner also dismissed the claim that the non-bank service providers are bound by the requirements of the Maryland Collection Agency Licensing Act. The service providers agreed to cause a corporate affiliate to apply for a license to do business as a collection agency in Maryland in order to clearly delineate between the affiliate and the service providers. Lastly, the bank and its third-party providers agreed to clearly and conspicuously provide the bank’s name and contact information in all advertisements, solicitations, notices, correspondence, and other communications related to the bank’s offer and issuance of credit to Maryland consumers.

The settlement agreement did not affect the validity or enforceability of any of the loans at issue. Consistent with the nature of the agreement, the regulators did not impose any penalties. Instead, the non-bank service providers agreed to pay a $50,000 investigation fee and a $225,000 administrative payment.

Amicus brief(ly): State-chartered banks not located in Maryland: Please note that the state initially charged the state bank in this case with violations of Maryland law involving licensing for banks, claiming that the out-of-state state-chartered bank should have had a license to make loans to Maryland residents. The final agreement does not tell us what “relevant information” the commissioner received after filing the charges that caused the state to drop the licensing claims against the bank, but the outcome underscores that, in Maryland, banks should undertake a licensing analysis to ensure that they are complying with applicable laws or are exempt – because there is no clear, broad exemption from lender licensing for an out-of-state state-chartered bank in the statutes. Maryland does, in some cases, really expect certain state banks to have a license to make loans (open-end or closed-end) to Maryland residents, even though those banks are chartered as a bank in another state and subject to some oversight by federal regulators. It’s just the way the laws in Maryland are written, and state banks do not have the same federal preemption authority as national banks. Servicers: Maryland really does want you to have a collection agency license even to service performing accounts. The penalties imposed here are not that significant, but the reminders are there – it’s different in Maryland. The settlement agreement tells us that Maryland is still serious about its licensing laws and that the Commissioner of Financial Regulation will enforce those laws as written.
New York DFS Develops Model Template to Assist Licensees with Compliance with Cybersecurity Regulation

On May 13, the New York State Department of Financial Services issued an industry letter announcing a model Cybersecurity Program Template, a resource to assist DFS-regulated entities with developing a cybersecurity program that complies with the requirements of the agency’s Cybersecurity Regulation, 23 NYCRR Part 500. The Cybersecurity Regulation requires covered entities to maintain a cybersecurity program designed to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond to, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations.

According to the industry letter, the Cybersecurity Program Template “prompts licensees to carefully consider and address the core concepts of a cybersecurity program in order to help create a program that complies with the requirements of the Cybersecurity Regulation. The template also includes frameworks for developing and tracking asset inventories, risk assessments, multi-factor authentication exceptions, and third-party service providers. [The] template is not a substitute for independently evaluating any business, legal, or other issues, and completion does not assure compliance with the Regulation.”

Amicus brief(ly): This industry letter goes in the category of developments where a government agency is trying to help with a compliance requirement. When that happens, we all ought to pay attention. New York’s Cybersecurity Regulation is seven years old and has been amended twice, and there have been a number of public enforcement actions issued under the regulation. The DFS issued this latest guidance to insurance agents and mortgage loan originators, framed as a small business compliance aid. But that does not mean that other “covered entities” subject to the regulation can’t have a look and see what the DFS is recommending, with respect to risk assessment and otherwise, that they might not already have in place.
Maryland Enacts Laws Relating to Prohibited Information in Consumer Credit Reports

On May 9, Maryland Governor Wes Moore approved three bills concerning information that consumer reporting agencies are prohibited from including in a consumer credit report. Section 14-1203 of the Commercial Law Article of the Annotated Code of Maryland prohibits CRAs from making a consumer credit report that contains certain old information: (1) bankruptcies that predate (note: the bill says “antedate,” but we are paraphrasing) the report by more than 10 years; (2) suits and judgments that predate the report by more than seven years or until the governing statute of limitations has expired, whichever period is longer; (3) paid tax liens that predate the report by more than seven years; (4) accounts placed for collection or charged to profit and loss that predate the report by more than seven years; (5) records of arrest, indictment, or conviction of a crime that predate the report by more than seven years; and (6) any other adverse item of information that predates the report by more than seven years. Currently, exceptions to these prohibitions exist, including in the case of any consumer credit report to be used in connection with a credit transaction involving, or which may reasonably be expected to involve, a principal amount of $50,000 or more. House Bill 262 and Senate Bill 41, which are identical, raise the threshold for the credit transaction exception from $50,000 to $150,000.

In addition, House Bill 622 prohibits a CRA from including in a consumer credit report the following records and from relying on information contained in the following records to make a determination regarding the creditworthiness of a consumer: (1) any record of a criminal proceeding concerning a consumer: (a) in which the consumer was falsely accused, acquitted, or exonerated; (b) in which a nolle prosequi was entered as to a charge concerning the consumer; or (c) that did not result in a guilty verdict for or a guilty plea by the consumer, or (2) any criminal records concerning the consumer that have been expunged.

The bills are effective on October 1, 2024.

Amicus brief(ly): Data furnishers and CRAs should note these changes to Maryland law, with only four months to update systems and technology before the October 1 effective date. But the clear impact is on CRAs that will be subject to these laws, especially to the extent the Maryland laws are not preempted by the Fair Credit Reporting Act. The CFPB issued guidance on the extent and limitations of that preemption in 2022, and that guidance is worth a read for CRA lawyers, as states may continue to pass legislation limiting the information that can appear on a consumer credit report.

1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.