This regular publication by DLA Piper lawyers focuses on helping clients navigate the ever-changing consumer finance regulatory landscape.

Enforcement actions

Federal

OCC, CFPB and DOJ announce $5 million settlement with bank relating to allegations of racial discrimination in lending. The Office of the Comptroller of the Currency (OCC) issued a consent order – and the Consumer Financial Protection Bureau (CFPB) and US Department of Justice (DOJ) filed a joint complaint and proposed consent order – concerning alleged violations of the Fair Housing Act based on discriminatory home mortgage lending practices. The agencies alleged that the bank had denied residents of majority-minority and high-minority neighborhoods in the Memphis area equal access to mortgage loans. Among other things, the agencies alleged that the bank had generated only 10 percent of applications and 8.3 percent of loans from majority-Black and Hispanic neighborhoods, as compared to a peer group that had generated 24 percent of applications and 19 percent of loans from majority-Black and Hispanic neighborhoods. In addition to a cumulative $5 million in monetary penalties payable to the agencies, the settlement requires the bank to open a new lending office in a majority-Black and Hispanic neighborhood in Memphis and fund $200,000 in targeted advertising per year to generate applications for mortgage loans in majority-Black and Hispanic neighborhoods.

CFPB announces $1.27 million settlement with reverse-mortgage lender for deceptive practices. The CFPB filed a complaint and proposed consent order in the Central District of California against a nationwide reverse-mortgage lender for alleged unfair, deceptive, or abusive acts or practice (UDAAP) violations. The CFPB alleged that the lender had incorporated deceptive statements into its advertising materials by (i) using inflated estimated home values; (ii) stating that it made “every attempt to ensure the home value information provided is reliable,” when in fact the lender allegedly made no attempt to ensure the reliability of home valuations; and (iii) violating a 2016 consent order prohibiting deceptive marketing materials promulgated by the lender. Under the settlement, the lender would pay $1.1 million in civil penalties and $173,400 in consumer redress.

OCC issues consent order against mortgage subservicer for poor risk management practices. The OCC issued a consent order against a large federal savings bank, acting as a mortgage subservicer, for failure to implement internal control procedures and risk management practices appropriate for its size. The OCC alleged that the bank had failed to timely or adequately respond to previously identified deficiencies in the bank’s mortgage subservicing practices. The consent order requires the bank to establish a board-level compliance committee to develop and, subject to OOC approval, implement a new substantial internal monitoring and controls system for the bank’s subservicing operations and information technology systems, as well as enhanced board-level monitoring obligations.

FTC announces $27.5 million settlement with payment processor for facilitating unlawful student loan debt relief scheme. The Federal Trade Commission (FTC) announced an order against a payment processor for allegedly knowing, or having consciously avoided knowing, that the debt relief provider was engaged in unlawful conduct. The FTC alleged that the payment processor deliberately ignored warning signs including (i) high return rates, (ii) frequent name changes, (iii) consumer complaints and (iv) warnings from the payment processor’s controller. Under the settlement, the payment processor is required to implement new internal controls and client monitoring policies, and $27 million of the judgment was suspended for inability to pay.

Regulatory developments

Federal

CFPB seeks information on tech giants regarding payments systems. The CFPB announced that it has issued a series of orders requiring tech companies to produce information relating to their payment systems, use of personal payment data and management of data access by users. The CFPB stated that, in additional to general consumer protections, it was specifically interested in (i) data harvesting/monetization practices and (ii) access restrictions/user choice limitations imposed on consumers.

CFPB announces advisory opinion on identity matching practices. The CFPB announced an advisory opinion stating that companies may violate the Fair Credit Reporting Act (FCRA) by matching consumer records solely through the matching of names. Under the FCRA, companies must utilize “reasonable procedures to assure maximum possible accuracy of the information about whom the report relates.” The advisory opinion also states that “multiple additional elements beyond names may often be required” to meet that standard, although it does not provide guidance on what may constitute a reasonable procedure.

FTC announces updates to data security rules for financial institutions. The FTC announced several changes to rules promulgated under the Gramm-Leach-Bliley Act (GLBA) intended to strengthen the data security safeguards. First, the FTC has changed the Safeguard Rule to include more specific criteria on what safeguards financial institutions must implement as part of their information security programs, such as limiting who can access consumer data and using encryption to secure such data. Under the rule, institutions must explain their information sharing practices – specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle customers’ secure information. In addition, financial institutions will be required to designate a single qualified individual to oversee their information security program and report periodically to the organization’s board of directors, or a senior officer in charge of information security.

The FTC is also seeking public comment on possible additional changes to the Safeguard rule that would require financial institutions to report certain data breaches and other security events to the FTC. This supplemental notice of proposed rulemaking was published on October 27, 2021, and the public will have until December 26, 2021 to submit comments to the FTC. The FTC also announced that it has adopted changes to another GLBA rule, which will require financial institutions to inform customers about their information-sharing practices and allow customers to opt out of having their information shared with certain third parties.