Legal Alert

Mortgage Banking Update - August 18, 2022

August 18, 2022
In This Issue:

Ballard Spahr Launches Ballard360 LicenSync Tracker

To help financial services companies manage the federal approvals, state licenses, and foreign “doing business” registrations they are required to maintain—and avoid penalties for non-compliance—Ballard Spahr has launched Ballard360 LicenSync. LicenSync was created by the firm’s Client Value and Innovation Team working in partnership with the firm’s Consumer Financial Services Group.

The project management tool is customizable to financial services companies—from start-ups and digital innovators to established institutions—handling residential and commercial mortgages; student, consumer, and solar loans; retail installment contracts; cryptocurrencies; money transmission; and other matters.  It contains:

  • A Go-to-Market Checklist that provides support in applying for new licenses, reporting changes of control, surrendering licenses, developing policies, and managing examination responses.
  • A list of all federal approvals, state licenses, and foreign “doing business” registrations held—or applied for—by the company, along with information such as approval date and license/registration number.
  • An interactive calendar that tracks upcoming regulatory reporting obligations for approvals, licenses, and registrations maintained in the tool (e.g., Mortgage Call Reports, Money Services Business Call Reports, annual renewals, periodic reporting obligations, financial statement submissions, examination or application response deadlines) and sends automatic email reminders about upcoming filing obligations.
  • A document library that serves as a historical record of all filings and other important information involving approvals, licenses, and registrations maintained in LicenSync.
  • A section that tracks important information about surety bonds held by the company, including the approval, license, or registration; the amount; and the expiration date.

A standard LicenSync tool is offered free to Ballard Spahr clients. While attorneys and licensing specialists working on specific engagements do charge legal fees, clients can choose to manage their own licensing portfolios for free, using their internal regulatory compliance teams.

LicenSync is completely customizable. Companies receive reminders and updates at the time of their choosing. Bespoke legislative tracking programs can be created to alert companies to upcoming federal and state legislative or regulatory measures, along with helpful summaries. Companies also can work directly with the firm’s Client Value and Innovation Team to create new sections to address their specific business needs.

To learn more about LicenSync, contact Lisa Lanham. Lisa is a CFS partner and co-leader of the firm’s Fintech and Payment Solutions team who spearheaded the technology effort with the Client Value and Innovation Team.

- Lisa Lanham


FHFA Announces Mortgage Servicer Requirements for Maintaining Fair Lending Data

The FHFA announced that Fannie Mae and Freddie Mac will require mortgage servicers to maintain certain fair lending data elements, including the borrower’s age, race, ethnicity, gender, and preferred language. The fair lending data must be stored in a searchable format, and must transfer with servicing throughout the loan term.

On the topic, Freddie Mac issued Bulletin 2022-17, and Fannie Mae issued Servicing Guide Announcement SVC-2022-06. These issuances specify that the data elements must be maintained and transferred, if obtained during the origination process, for loans originated on or after March 1, 2023. The issuances also note that servicers may, but are not required to, update the data elements in the event of a subsequent transfer of ownership or assumption of the loan.

While the effective date is March 1, 2023, servicers may implement the changes sooner. We note that the Fannie Mae issuance states that servicers are “encouraged to implement these policy changes immediately”.

As previously reported, when the FHFA announced that Fannie Mae and Freddie Mac would require mortgage lenders to request a mortgage applicant’s language preference for applications taken on or after March 1, 2023, the CFPB advised that such a request does not violate the Equal Credit Opportunity Act (ECOA). It would be helpful if the CFPB addressed the permissibility under ECOA of a Fannie Mae and Freddie Mac requirement that mortgage servicers maintain certain fair lending data elements.  ECOA and Regulation B expressly require that creditors collect certain applicant demographic data in connection with mortgage loan applications to be secured by a primary residence. ECOA and Regulation B do not expressly address the maintenance of such data by mortgage servicers. 


FTC Proposes Substantive Revisions to Advertising Guidelines

The Federal Trade Commission (FTC) is seeking public comment on proposed changes to its guides concerning the use of endorsements and testimonials in advertising. FTC guides are advisory in nature and intended to assist businesses in complying with laws administered by the FTC. 

Endorsements and advertisements are defined broadly to mean any advertising message that a consumer is likely to believe reflects the opinions, beliefs, findings, or experiences of a third party. 16 CFR § 255.0. Currently, FTC guides provide that endorsements must reflect the honest opinions, findings, beliefs, or experiences of the endorser. 16 CFR § 255.1. Endorsements may not contain any representations that would be deceptive or that could not be substantiated. Id. If the endorser’s experience is not generally representative, the advertisement should clearly and conspicuously disclose what the generally expected performance should be. 16 CFR § 255.2. And when there is a connection between the endorser and the advertiser, that connection must be fully disclosed. 16 CFR § 255.5.

Many of the proposed changes are simply clarifications or changes to illustrative examples. Other changes establish principles not previously present in the guidelines. The FTC has proposed the following noteworthy changes to its guides:

  • Revise the definition of endorsement to include marketing and promotional messages. Tags on social media may also be considered endorsements under the proposed guidelines;
  • change the definition of “product” to include “brand;”
  • clarify that a “clear and conspicuous” disclosure means a disclosure that “is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers;”
  • add that endorsements in advertisements addressed to children may be of special concern because of the character of the audience. Practices that would not ordinarily be questioned in advertisements to adults might be questioned in advertisements directed at children;
  • note that when a claim in an advertisement is visual, required disclosures should be at least visual. When the claim is audible, the disclosures should be at least audible;
  • explain that endorsers and not just advertisers may be liable for their statements such as when they make representations they know or should know to be deceptive;
  • provide that using the likeness of a person that is not the actual endorser is deceptive if it misrepresents a material attribute; and
  • clarify that disclosures of the connection between advertisers and endorsers must be “clear and conspicuous.”

Comments regarding the proposed amendments must be received on or before September 26, 2022. Comments captioned “Endorsement Guides P204500” may be submitted at

For more information on recent FTC activity impacting advertising and endorsements, please consider listening to our May 5, 2022 podcast with guest Malini Mithal, Associate Director of the FTC Division of Financial Practices.

Elliot Johnson


CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice

On August 11, the CFPB published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.

Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but “while these requirements often overlap, they are not coextensive.” This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.

The CFPA defines an unfair act or practice as an act or practice: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) where the substantial injury is not outweighed by countervailing benefits to consumers or competition. The CFPB explained that inadequate data security measures can cause substantial injury, such as significant harm to a few consumers who become the victims of targeted identity theft or harm to potentially millions of consumers in the event of large customer-base-wide data breaches. The agency stressed that actual injury is not required to meet the substantial injury prong, as a significant risk of harm is also sufficient. This means that even practices that are merely likely to cause substantial injury, such as inadequate data security measures that have not yet resulted in a data breach, can still satisfy this prong of unfairness.

With respect to the second prong of unfairness, the CFPB explained that consumers are unable to reasonably avoid the harms caused by a firm’s data security failures as they typically do not know whether appropriate security measures are properly implemented, do not control an entity’s security measures, and lack practical means to reasonably avoid harms resulting from data security failures. As for the final prong, the CFPB noted that where companies forgo reasonable cost-efficient measures to protect consumer data, the agency expects the risk of substantial injury to consumers to outweigh any purported countervailing benefits to consumers or competition.

The circular also highlighted a number of data security-related cases brought by the FTC, wherein the agency alleged violations of its analogous prohibition against unfair practices under the FTC Act in connection with inadequate authentication practices, poor password management, failure to remediate known software security vulnerabilities, and other deficient data security practices.

The CFPB provided the following examples of conduct that increase the risk of triggering liability under the CFPA:

  • Not requiring multi-factor authentication for employees or not offering multi-factor authentication as an option for consumers accessing systems and accounts, or failing to implement a reasonably secure equivalent.
  • Not having adequate password management policies and practices. This includes failing to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords, and using default enterprise logins or passwords.
  • Not routinely updating systems, software, and code or failing to update them when notified of a critical vulnerability. This includes using versions of software no longer actively maintained by vendors and not keeping track of which systems depend on what software to ensure that software is up to date. The CFPB highlighted its complaint against Equifax over the consumer reporting agency’s 2017 data breach. The CFPB alleged that Equifax violated the CFPA’s prohibition on unfair acts or practices by, among other things, failing to patch a known vulnerability for more than four months, which resulted in hackers gaining access to Equifax’s system and obtaining the personal information of millions of consumers.

The CFPB stressed that the prohibition on unfair practices is fact-specific and that the circular does not suggest that particular security practices are specifically required under the CFPA. Nonetheless, the CFPB is sending clear signals that it intends to use UDAAP to enforce certain standards for data security, notwithstanding that the CFPB has never adopted any substantive rules in this area prescribing particular data security practices. Financial companies and their service providers should review their information security programs and take care to implement common data security measures—such as multi-factor authentication, adequate password management, and timely software updates—to help minimize the risk of an unfairness violation.

- Doris Yuen


FATF Updates Risk-Based Approach Guidance for the Real Estate Sector

As we have repeatedly blogged, concerns about perceived anti-money laundering (AML) risks in the real estate industry are rising globally. Consistent with this concern, the Financial Action Task Force (FATF) has updated its AML guidance for the real estate sector in a document entitled “Guidance for a Risk-Based Approach: Real Estate Sector” (FATF Guidance or the Updated Guidance). The FATF Guidance urges a variety of players in the real estate industry to adopt a risk-based approach (RBA) to mitigate AML risks and sets forth some high-level recommendations. The Updated Guidance notably coincides with FinCEN’s advance notice of proposed rulemaking to impose reporting and perhaps other requirements under the Bank Secrecy Act (BSA) for persons involved in real estate transactions to collect, report, and retain information, and the recent extension of Geographic Targeting Orders for U.S. title insurance companies.

The FATF Guidance appears to be driven, at least in part, by FATF assessments showing that the real estate sector has high AML risks, which industry players often fail to appreciate and/or mitigate. The Updated Guidance explains how various industry players can use an RBA to mitigate those risks. It identifies sector-specific risks, sets forth strategies for assessing and managing those risks, and describes challenges the industry faces in doing so. The FATF also offers specific guidance for “private sector players” and “supervisors” (e.g., countries and self-regulatory boards) for going forward. The Updated Guidance includes tools, case studies, and examples of both private sector and supervisory practices to show real estate supervisors and practitioners how to implement FATF standards in an adequate, risk-based and effective manner.

The FATF is an inter-governmental policymaking body dedicated to creating AML standards and promoting effective measures to combat money laundering (ML) and terrorist financing (TF). The FATF issued the Updated Guidance with input from the private sector, including from a public consultation with 13 private-sector representatives (including from sector specific professional associations, the legal profession, FinTech providers, and non-profit organizations) in March and April 2022. This consultation urged FinCEN, among other things, to provide greater clarity in the Updated Guidance regarding its applicability to the real estate sector and related professions (such as lawyers, notaries, and financial institutions) and extend FATF recommendations to broader real estate activities (such as property development and leasing).

Risk-Based Approach

The FATF Guidance encourages players throughout the real estate industry to adopt an RBA to anti-money laundering and combatting the financing of terrorism (AML/CFT). As described further below, this approach involves identifying, assessing, and managing ML/TF risks and taking AML/CFT measures commensurate to those risks.

The FATF previously issued RBA Guidance for Real Estate Agents in 2008, in light of the growing threat of money laundering through real estate. The Updated Guidance captures changes made to FATF recommendations, industry best practices, and the FATF’s recommended RBA since the FATF issued the 2008 document. The Updated Guidance also targets real estate professionals beyond agents, including various private sector practitioners (such as lawyers, notaries, real estate developers, title insurers, and accountants), supervisors, regulators, and policy makers in the real estate industry.

Identifying Risks

The first step in the FATF’s RBA is identifying AML/CFT risks. As the Updated Guidance asserts in detail, AML/CFT risks in the real estate industry are high. Criminals can use real estate purchases to move large amounts of funds at once in a single transaction. They can obfuscate ownership by using legal entities or vehicles to make purchases. They can bypass highly regulated financial institutions by paying for real estate in cash. And they can falsely seek and repay mortgages with illicit proceeds, with no intention of purchasing properties.

The FATF stresses that, to combat these risks, real estate professionals must be aware of these risks and risk indicators. The Updated Guidance accordingly identifies several activities that may be indicative, although not conclusive, of money laundering through real estate, including the use of corporate vehicles, complex structures, or unexplained cash payments. The Updated Guidance also encourages all professions involved in real estate transactions—including lawyers, bankers, lenders, investment advisers, settlement companies, insurers, and others—to consult with each other to identify other risks and indicators.

Assessing Risks

The second step in the FATF’s RBA is assessing AML/CFT risks. The Updated Guidance urges real estate professionals to assess these risks holistically and with input from relevant stakeholders. The FATF specifically recommends conducting a National Risk Assessment (NRA) or a mechanism that allows real estate professionals to design and implement mitigation measures based on accurate and current information. Real estate professionals can complete this assessment in various ways, including by information sharing, reviewing money laundering and criminal cases, and/or consulting with sources or experts.

The FATF also encourages real estate professionals to develop guidelines specifying which issues in real estate transactions present a high risk. In so doing, the Updated Guidance acknowledges that certain professionals (like lawyers) are generally not required to report suspicious transactions if they learn about those transactions through privileged communications. The Updated Guidance provides that this privilege should be taken into account when assessing AML risks, but that such privilege should not apply to fraudulent transactions or criminal activity. In support, the Updated Guidance describes efforts that Germany has taken to impose reporting obligations on legal advisory professionals to ensure that privilege does not impede suspicious transaction reporting.

Managing Risks

The final step in the FATF’s RBA is managing and mitigating AML/CFT risks. As noted above, the Updated Guidance urges real estate professionals to take mitigation measures commensurate with the assessed level of AML/CFT risk, including enhanced measures where ML/TF risks are higher and potentially less stringent measures in lower risk situations. The FATF encourages those looking to apply simplified measures to conduct an assessment to determine if certain categories of customers, clients or products present lower risks.

The Updated Guidance further provides that real estate players should retain professionals with AML/CFT knowledge or experience to implement and execute AML/CFT mitigation measures, use technology to facilitate those measures, and host (or outsource) AML/CFT training programs for all real estate professionals commensurate with their responsibilities.

Challenges to Implementing an RBA

The Updated Guidance also identifies challenges to implementing an RBA to AML/CFT in the real estate sector. The Updated Guidance suggests that the greatest challenge comes from low levels of customer due diligence (CDD) and beneficial ownership verification measures across the industry. The Updated Guidance urges that these measures are essential to thwarting criminals from obfuscating the identity of property owners, the source of funding for property, and/or the purpose of the real estate transaction.

Yet, as the Updated Guidance describes in detail, the nature of the real estate industry often seems incompatible with the CDD collection process. Property sales—which are often discrete, ad hoc, and/or quick—can inhibit collection efforts. In addition, real estate professionals may not be able to collect certain CDD information from clients, particularly those who use cash to purchase properties, foreign buyers, and/or others who may simply be hesitant to share personal information with them. Real estate professionals also may be hesitant to seek more information in cases where doing so could jeopardize the deal. 

Factors like these make it difficult for the real estate industry to obtain CDD and beneficial ownership information, which are critical to identifying, assessing, and mitigating ML/TF risks. The FATF warns, however, that without such information, the real estate sector remains vulnerable to exploitation by politically-exposed persons, the purchase of luxury real estate, the use of virtual assets, the use of anonymous crime, and the use of gatekeepers as money laundering instruments. 

The Guidance also identifies other challenges to implementing an RBA in the real estate sector. These include without limitation:

  • Disparities in AML/CFT systems and suspicious transaction reporting across the globe. Different countries impose different AML/CFT obligations on real estate professionals. For instance, countries vary as to whether and which real estate professionals must submit suspicious transaction reports. Inconsistencies like these create legal loopholes that leave the industry susceptible to criminal activity.
  • Low AML/CFT reporting. Real estate transactions also involve multiple players, many of whom are subject to different, low, or no AML/CFT obligations. These inconsistent (or non-existent) obligations lead to low ML/TF reporting across the industry, which makes it difficult for professionals throughout the industry to identify, assess, and manage potential AML/CFT risks.

Guidance for Private Sector Players and Supervisors

In light of these challenges, the FATF offers guidance for both private sector players and supervisors in the real estate industry to move forward with an RBA.

Private Sector Players

The Guidance specifically encourages private sector players involved in real estate transactions to take certain steps when implementing an RBA, including but not limited to:

  • Considering the following risk categories when identifying potential AML/CFT risks:
    • Geographical risks. Considerations include, without limitation, where the seller, buyer, and property are located and countries known to have high AML/CFT risks.
    • Client risks. Considerations include, without limitation, the client’s background, whether the client comes from a high-risk area, whether the client is subject to sanctions, whether the client is using complex commercial structures, and/or whether the client expresses undue pressure or abnormal haste. The FATF Guidance notes that “lawyers may [also] consider evaluating clients using their services for real estate transactions where the involvement of a lawyer is not customary and may be seeking actual or perceived anonymity to purchase and sell real estate for nefarious purposes.”
    • Transaction risks. Considerations include, without limitation, the use of cash, third parties, overseas accounts, virtual assets, complex loans, or unexplained or abrupt financing changes. The FATF Guidance adds that banks and mortgage lenders (if applicable) may be best positioned to assess these risks.
  • Assessing risks using a scalable approach, such as low risk, medium risk, and/or high risk, supported by a short explanation.
  • Devising, implementing, and reviewing the following due diligence measures:
    • Customer Due Diligence (CDD). These measures include, without limitation, verifying the identity of every customer and those purporting to act on their own behalf, determining the identity of the beneficial owner, fully understanding the client’s circumstances and business, and understanding the source of funds. The FATF Guidance adds that lawyers and notaries should consider applying specific checks on transaction settlement destinations, while banks and mortgage lenders should conduct CDD when onboarding clients, approving mortgages, and sending and receiving funds.
    • Simplified Due Diligence (SDD). These measures are for lower ML/TF risk situations and include, without limitation, verifying the identity of the client and beneficial owner after establishing the business relationship but before completing the transaction, and adjusting the extent, quality, or source of information required for verification.
    • Enhanced Due Diligence (EDD). These measures are for high ML/TF risk situations and include, without limitation, scrutinizing the source of funds and purpose of the real estate transaction.
  • Maintaining adequate, accurate and up-to-date beneficial ownership information.
  • Adopting appropriate internal controls to promptly identify and mitigate ML/TF risks, such as implementing risk-based CDD policies and procedures and focusing resources on business operations with higher ML/TF risks.
  • Establishing a corporate governance scheme that clearly defines and documents guidance for those with AML/CFT responsibilities, including without limitation Boards, Senior Management, and the Compliance function.
  • Developing and implementing routine AML/CFT trainings for all staff, tailored to their daily functions.

Guidance for Supervisors

The Guidance likewise encourages real estate supervisors (including countries and self-regulatory boards) to take certain steps when implementing an RBA to supervision, including the following:

  • Adopting AML/CFT frameworks that account for all professions involved in the real estate industry – such as lawyers, notaries, accountants, investment advisors, mortgage lenders, bankers, and other financial intermediaries – and sanctioning non-compliance;
  • Considering the following risk categories—in addition to geographic, client, and transactional risks—when identifying potential AML/CFT risks:
    • Service and product risk.  Considerations include, without limitation, the likelihood that services or products can be used for ML/TF.
    • Nature of services offered.
    • Risk indicators based on objective factors and experience. Considerations include, without limitation, information on a business’s compliance history, professional complaints, and internal controls.
    • Miscellaneous sources. Considerations include, without limitation, information from other government sources, whistle-blowers, or negative news reports.
  • Routinely assessing and communicating AML/CFT risks to the real estate sector.
  • Updating AML/CFT regimes based on risk, such as changing laws, regulations or other measures.
  • Allocating more supervisory resources to areas of higher ML/TF risk.
  • Educating, encouraging, and monitoring real estate professionals’ adoption of an RBA that is in line with FATF recommendations, and that is risk-appropriate.  These tasks may include, without limitation:
    • Securing and allocating adequate resources;
    • Supervising the implementation of effective controls by real estate professionals;
    • Enforcing AML/CFT obligations, including without limitation, remediation plans and proportionate and dissuasive sanctions;
  • Identifying new investigative tools to address significant ML/TF issues. The FATF Guidance notably highlights FinCEN’s Geographic Targeting Orders (a topic on which we previously have blogged extensively) as a potential example;
  • Collecting guidance, feedback, and collaboration from the private sector;
  • Developing and implementing routine trainings for supervisors, covering topics such as general AML/CFT issues, interaction among the various sub-segments of the real estate sector and financial system, and sanctions; and
  • Regularly reviewing and measuring the effectiveness of risk-based supervision strategies.


- Laura E. Luisi Gavin


NYDFS Announces Draft Amendments to Cybersecurity Regulation

On July 29, 2022, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Cyber Security Regulations. The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware. First, the Amendment specifically adds “the deployment of ransomware within a material part of the covered entity’s information system” as a cybersecurity event requiring notice to the superintendent within 72 hours. Under the current regulations, 72-hour notice would only be required if the ransomware required notice to another governmental body or had a reasonable likelihood of materially harming any material part of normal operations. Second, the Amendment would also require covered entities to notify the superintendent within 24 hours of making an extortion payment. And finally, the Amendment would require covered entities to provide within 30 days a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control. If passed, this third component would represent a significant new obligation for covered entities, potentially changing the manner in which companies document ransomware responses.

In addition to the ransomware changes, the Amendments would also require, among other things: (1) multi-factor authentication for all privileged accounts, as well as for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible; (2) increased expectations for board expertise; (3) significant restrictions on privileged accounts; and (4) annual independent cybersecurity audits for larger entities. The Amendments have a short comment period ending on August 8, 2022, followed by the publishing of the official proposed amendments, after which a 60-day comment period will occur.

Given the comment periods that will occur, it is premature to speculate as to the final form of the Amendments. However, based on the draft Amendments, it is safe to say that the NYDFS seems to be following the trend towards increased regulatory scrutiny.  Covered entities should start assessing how significant the changes would be to comply.

Gregory P. Szewczyk & Philip N. Yannella


Podcast: The U.S. Chamber of Commerce’s Campaign Against CFPB Director Chopra’s Attempt “to Radically Reshape The American Financial Services Sector” - A Discussion With Bill Hulse, Vice President, U.S. Chamber of Commerce Center for Capital Markets Competitiveness

We first review the views expressed by Director Chopra and CFPB actions taken under his leadership that led the Chamber to launch its campaign. We then discuss the campaign’s specific components, which consist of digital ads, Freedom of Information Act requests, and letters to Director Chopra. Our discussion includes an in-depth look at the basis for the Chamber’s view that the CFPB has acted unlawfully in connection with changes to its UDAAP examination procedures, revisions to its rules for administrative proceedings, a rule change to make public a decision establishing risk-based supervision of a company, and its interpretive rule on enforcement of federal consumer financial protection laws by state attorneys general. We also discuss the litigation challenging the constitutionality of the CFPB’s funding.

Alan Kaplinsky, Ballard Spahr Senior Counsel, hosts the conversation.

Alan S. Kaplinsky

GOP Lawmakers Question CFPB’s Relationship With State Attorneys General and Take Aim at Interpretive Rule on State Enforcement Authority

Three Republican House members sent a letter to CFPB Director Chopra raising questions about the Bureau’s relationship with state attorneys general and its interpretive rule issued in May 2022 regarding the authority of state attorneys general and state regulators (State Officials) to enforce the Consumer Financial Protection Act (CFPA).

In the interpretive rule, the CFPB described the authority of State Officials under CFPA Section 1042(a) as follows:

  • Because CFPA Section 1036(a)(1)(B) makes it unlawful for a “covered person” or “service provider” to “engage in any unfair, deceptive, or abusive act or practice,” State Officials can use Section 1042(a) to bring an enforcement action against a covered person or service provider that engages in unfair, deceptive, or abusive acts or practices.
  • Because CFPA Section 1036(a)(1)(A) makes it unlawful for a “covered person” or “service provider” to “offer or provide to any consumer any financial product or service not in conformity with Federal consumer financial law,” State Officials can use Section 1042(a) to bring an enforcement action against a covered person or service provider for a violation of any Federal consumer financial law even if they cannot enforce such laws directly. In addition to the CFPA, “Federal consumer financial laws” include the 18 “enumerated consumer laws” listed in the CFPA and their implementing regulations, such as the Truth in Lending Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, the Electronic Fund Transfer Act, and the Real Estate Settlement Procedures Act. 
  • Although the CFPA (in Sections 1027 and 1029) limits the CFPB’s enforcement authority as to certain categories of covered persons (e.g. motor vehicle dealers, attorneys, persons regulated by a state insurance regulator, persons regulated by the SEC or a state securities commission), those limitations generally do not apply to State Officials exercising their enforcement authority under Section 1042.
  • State Officials can bring (or continue) actions under Section 1042 even if the CFPB is pursuing a concurrent action against the same entity.

In their letter, the lawmakers stated that it has come to their attention that the CFPB “may be colluding with states contrary to the [CFPA].” They asserted that while “state attorneys general may enforce the CFPA in cases where the CFPB has not,” the CFPA “does not allow for a state attorney general to become a party to an existing CFPB enforcement action.” According to the lawmakers, “[i]t is therefore inappropriate for the CFPB to recruit a state attorney general that is not otherwise investigating a company, to pursue enforcement as a means of intimidation.”

The lawmakers asserted that the effect of the interpretive rule is “different from solely enforcing the law” and instead “is more akin to deputizing state attorneys general to enforce the CFPA on behalf of the CFPB—something Congress did not authorize.” They also asserted that the interpretive rule allows the CFPB to “forum shop across the country to find friendly attorneys general willing to bring cases on behalf of the Bureau, rather than the process that Congress intended, whereby attorneys general bring a case to the CFPB when appropriate.” The lawmakers’ letter included a series of questions to which they requested responses by August 12.

In our view, the interpretive rule has the practical effects of allowing the CFPB to expand its enforcement staff and increasing the burden on an investigation target, both in terms of document production and the production of witnesses, who may be required to testify in more than one proceeding. (Both the states and the CFPB routinely ask for copies of deposition transcripts in other enforcement matters, which creates the potential for a witness to be impeached with prior testimony on the same subject matter.) Beyond allowing the CFPB to add State Officials to its enforcement staff, the interpretive rule can further expand the CFPB’s resources to include organizations that have a close relationship with State Officials. For example, the Consumer Protection Division of the Massachusetts Attorney General’s Office has a close relationship with the Harvard Legal Aid Bureau. Finally, the interpretive rule allows states to inquire into areas where the CFPB has no enforcement authority, thereby attempting to ensure that even where the CFPA has limited the CFPB, enforcement activity nevertheless will occur.

On the other hand, the interpretive rule may lead to some unintended consequences. By encouraging State Officials to conduct parallel investigations, and to the extent those investigations lead to litigation, the CFPB is inviting litigation by different agencies that may pursue different litigation priorities and achieve different and inconsistent results in court. Further, parallel investigations may make global resolution—including any state conducting an investigation—an imperative, to avoid the overpayment that would occur by settling sequentially with the CFPB and then the states.

Given that collaboration between the CFPB and State Officials can be expected to increase, it is imperative that companies facing potential enforcement activity consult counsel with the experience needed to navigate both the CFPB and the offices of State Officials.  

- John C. Grugan

Unfairness and Disparate Effects: A Reply to Professor Jeff Sovern

In a blog post published on July 30 on Consumer Law and Policy Blog, Professor Jeff Sovern discusses comments from CFPB officials that the Bureau will not use the disparate effects or impact test to determine if discrimination has occurred when using its UDAAP authority. In those comments, Director Rohit Chopra and Assistant Director Eric Halperin indicated that “unfair” for purposes of the CFPB’s UDAAP authority has its own test and that the Bureau will use that test rather than the disparate effects test when using its UDAAP authority to determine if a discriminatory practice is unfair.

For starters, it is unlikely that the CFPB does not intend to use disparate impact to determine if a practice is discriminatory. When the CFPB announced the change to the UDAAP section of its examination manual, as an example of discrimination that it could target as unfair, it used a bank not allowing people of color to open a deposit account. Since this would be an instance of intentional discrimination or disparate treatment, a disparate impact analysis is not necessary to determine if the bank’s practice is discriminatory. 

But how would the CFPB approach a bank policy that was race neutral on its face but resulted in a high number of people of color not being allowed to open deposit accounts? Unless, contrary to prior statements, the CFPB only intends to target intentional discrimination as a UDAAP violation, it would presumably argue that the bank’s policy was discriminatory because of its disparate impact on people of color. And once having made that determination, it would then decide if the policy is unfair using the UDAAP standard. Indeed, one of the changes made to the examination manual directs examiners, when identifying areas for potential transaction testing, to determine whether “the entity uses decision-making processes in its eligibility determinations, underwriting, pricing, servicing or collections that result in discrimination.”

Assuming this would be the CFPB’s approach, one might say the CFPB wants to have its cake and eat it too—meaning use disparate impact to establish discrimination but replace the safeguards of the next step in a disparate impact analysis with the unfairness standard. As discussed in the white paper about the UDAAP change sent to the CFPB by four leading industry trade groups, the CFPB’s approach ignores a number of the safeguards that the U.S. Supreme Court, in its Inclusive Communities decision, said must be observed to sustain a disparate impact claim. Those safeguards prevent disparate impact liability from attaching unless the policy or practice at issue creates “artificial, arbitrary, and unnecessary barriers,” a standard that the Supreme Court found necessary to ensure that defendants “must not be prevented from achieving legitimate objectives.” Most significantly, when determining whether a company’s policy has a legitimate business justification, the Supreme Court recognized the importance of considering “practical business choices and profit-related decisions that sustain a vibrant and dynamic free-enterprise system.”

In contrast, under the UDAAP unfairness standard, a policy is unfair if (1) it causes or is likely to cause substantial injury to consumers, (2) the injury is not reasonably avoidable by consumers, and (3) the injury is not outweighed by countervailing benefits to consumers or to competition. Once a policy is found to have a disparate impact, it would seem to be a foregone conclusion that the CFPB would find the first two prongs of the unfairness standards to be present. And it seems likely the CFPB would give little or no weight to “practical business choices and profit-related decisions” in applying the third prong.

According to Professor Sovern, the outcome is likely to be the same whether the CFPB uses the unfairness standard or a disparate impact test—namely the policy would be unlawful under either analysis. However, without the safeguards required by the Supreme Court’s decision, it seems much more likely that a company’s policy would be deemed unlawful when the unfairness standard is used than when a disparate impact analysis is used. We do not see any reasoned basis for finding that a company has engaged in unlawful discrimination in connection with non-credit transactions when the same policy, if used in connection with credit transactions, would be found to be lawful under a disparate impact analysis. Professor Sovern may be right that a policy that would fail the disparate impact test is likely to also be unfair. But instead of wondering how often conduct will fail the disparate impact test but not be unfair, we think Professor Sovern should be wondering how often conduct might PASS the disparate impact test but nevertheless be deemed unfair. 

Putting aside the disparate impact issue, I continue to take issue with the underlying premise of Professor Sovern’s blog post – namely, that the CFPB can use the “unfairness” prong of UDAAP to target discrimination in connection with credit and non-credit consumer financial products and services. Moreover, even if the CFPB’s interpretation of “unfairness” is correct, hopefully, Professor Sovern would agree with me that this is the type of major pronouncement that should be accomplished through a notice-and-comment UDAAP rulemaking rather than by unilaterally amending the CFPB’s examination manual (which technically only applies to certain mega-banks and non-banks). All stakeholders (consumers and industry alike) should have been given the opportunity to comment on such an important change in the law.

Alan S. Kaplinsky

Third Circuit Uses ‘Reasonable Reader’ Standard to Determine Credit Reports Were Not Inaccurate or Misleading Under FCRA

The U.S. Court of Appeals for the Third Circuit has ruled that in determining whether a credit report is accurate or misleading under the Fair Credit Reporting Act’s “maximum possible accuracy” requirement, a district court should apply a “reasonable reader” standard. Ballard Spahr attorneys are currently representing clients in cases involving this legal issue.

Bibbs v. Trans Union LLC was one of three district court cases consolidated on appeal in which the plaintiff alleged that Trans Union had violated the FCRA requirements (1) in 15 U.S.C. Sec. 1681e(b) for a consumer reporting agency (CRA) to “assure maximum possible accuracy” in its credit reports, and (2) in 15 U.S.C. Sec. 1681i(a) for a CRA to “conduct a reasonable reinvestigation to determine whether [information disputed by the consumer] is inaccurate.” The plaintiffs in each of the three cases had obtained student loans, with two of the plaintiffs having obtained their loans from the same lender. Following nonpayment by each of the plaintiffs, their respective lenders closed their accounts and transferred them. Once the loans were transferred, their account balances with the lenders immediately went to zero and all of their payment obligations were transferred. Each plaintiff’s credit report contained the same negative pay status notation: “Account 120 Days Past Due Date.”

It was undisputed that (1) the plaintiffs failed to make timely payments on their loans, (2) Trans Union accurately reported their accounts as late until the dates they were closed and the balances were transferred, and (3) the plaintiffs owed no balance to their previous creditors once the accounts were transferred. The plaintiffs argued that the negative pay status notations on their credit reports were inaccurate and could mislead prospective creditors to incorrectly assume that the plaintiffs were currently more than 120 days past due. The plaintiffs’ lawyers sent letters to Trans Union disputing the accuracy of the credit reports in which they stated that it was impossible for the plaintiffs’ current status to be listed as late when they owed no money to the previous creditors. After investigating the disputes, Trans Union sent each plaintiff a report with the results of its investigation in which it explained that for accounts that have been closed and paid, the pay status represented the last known status of the account. Trans Union did not update or correct the disputed information and instead stated that the reports were correct. 

The district court in each case granted Trans Union’s motion for judgment on the pleadings and dismissed the case without ordering further discovery. On appeal, the Third Circuit first considered whether it was correct for the district courts to use a “reasonable creditor” standard to determine whether Trans Union’s credit reports were misleading. The plaintiffs argued that even if the reports would not mislead a “reasonable creditor,” other less sophisticated users could be misled. After looking at the FCRA’s definition of “creditor” which includes “any person” who engages in the activities described, the Third Circuit found it “unreasonable to assume that Congress, in requiring ‘maximum possible accuracy’ and allowing individuals and entities other than sophisticated creditors to use credit reports to make decisions, drafted the FCRA with the intention that only sophisticated creditors should understand the information that these reports contain.” (emphasis included)

Despite finding that the “reasonable creditor” standard did not exclude unsophisticated individuals and entities, the Third Circuit nevertheless concluded that the term “reasonable creditor” did not accurately reflect the FCRA’s intent because the FCRA does not limit the permissible use of consumer reports to creditors and contemplates a range of permissible users. To account for these possibilities, the Third Circuit adopted a “reasonable reader” standard. It characterized the “reasonable reader” standard as “run[ning] the gamut to include sophisticated entities like banks and less sophisticated individuals such as local landlords.” According to the Third Circuit:

“A court applying the reasonable reader standard to determine the accuracy of an entry in a report must make such a determination by reading the entry not in isolation, but rather by reading the report in its entirety. On the other hand, if an entry is inaccurate or ambiguous when read both in isolation and in the entirety of the report, that entry is not accurate under Sec. 1681e(b).”

Applying the “reasonable reader” standard to Trans Union’s credit reports, the Third Circuit concluded that the reports were not inaccurate or misleading. Trans Union argued that when read in the entirety of the reports, the pay statuses were clearly historical notations. It asserted that since each report also indicated in two places that the account was closed and listed a $0 loan balance, the past due status could not create ambiguity regarding a plaintiff’s financial obligations. 

While stating that “perhaps Trans Union could have made the reports even clearer,” the Third Circuit nevertheless found the reports to be clear as is. It acknowledged that despite the “goal” of maximum possible accuracy set by Sec. 1681e(b), “the possibility of further clarity is not an indication of vagueness; just because a report could potentially be a bit clearer does not mean that it is not very clear at present.” Agreeing with Trans Union, the Third Circuit found that a reasonable interpretation of Trans Union’s reports in their entirety was that the pay status of a closed account was historical information. As a result, the Third Circuit held that the reports were accurate under Sec. 1681e(b).

In affirming the district courts’ grants of summary judgment to Trans Union, the Third Circuit also ruled that the district courts had correctly dismissed the plaintiffs’ claims that Trans Union violated Sec. 1681i(a) by failing to conduct a good faith investigation. It considered the plaintiffs’ claims under 1681i(a) to be foreclosed by its holding that the pay status notations were neither inaccurate nor misleading to a reasonable reader.

Finally, the Third Circuit rejected the plaintiffs’ argument that discovery was necessary to determine whether the pay status notations would mislead a creditor and whether creditors were likely to make adverse credit decisions against the plaintiffs based on the lower credit scores caused by the notations. Because it considered the reasonable reader standard to be an objective and not a subjective standard, the Third Circuit deemed the credit reports to be accurate under 1681i(a) as a matter of law, thereby making discovery unnecessary. The Third Circuit noted that even if the pay status notations reduced the plaintiffs’ credit scores, “this sort of adverse historical notation and consequence” was permissible under Sec. 1681e(b) and that while the reduced credit scores could lead creditors to make adverse credit decisions, “it would be within their right to do so because [the plaintiffs’] credit reports are accurate.”

Daniel JT McKenna & Joel E. Tasca

CFPB Publishes Report on Impact of Medical Debt Reporting Changes

The CFPB recently published a report analyzing how certain actions announced earlier this year by the three largest national consumer reporting agencies—Equifax, Experian, and TransUnion—will affect people who have allegedly unpaid medical debt on their credit reports. The new report is the CFPB’s third report issued this year on medical debt.

As previously reported, Equifax, Experian, and TransUnion announced that, starting July 1, 2022, the time before unpaid medical collections can appear on a consumer’s report would increase from 180 days to one year, and paid medical collections would no longer appear on consumer reports at all. Additionally, beginning in 2023, they will no longer report medical debt when the amount owed is less than $500.

Some key findings from the CFPB’s report:

  • About half of consumers with medical collections appearing on their credit reports will continue to see them there even after the changes fully go into effect.
  • The removal of collections under $500 likely will result in a majority of individual medical collections tradelines being removed from credit reports. However, in terms of dollar amounts, the majority of reported medical collection balances will likely remain.
  • The removal of paid collections is less likely to have a substantial effect as very few medical collection tradelines are ever marked paid.
  • Consumers who have medical collections that are likely to be removed are disproportionately more likely to live in states in the north and east of the country.  However, consumers residing in West Virginia likely will have a much greater share of medical collections removed compared to residents of any other state.
  • Although consumers with medical collections are significantly more likely to reside in neighborhoods that are majority Black or Hispanic and have lower median income, consumers who are likely to have all their medical collections removed due to this change are slightly more likely to live in neighborhoods that are majority white and higher income.

In March 2022, the CFPB issued a report titled “Medical Debt Burden in the United States” that took aim at medical debt collections. In April 2022, the CFPB issued a report titled “Medical billing and collection issues described in consumer complaints” that analyzed debt collection and credit or consumer reporting complaints submitted to the CFPB in 2021 that involved medical debt. When it issued the March 2022 report, the CFPB indicated that it intended to “determine whether policies should be implemented to eliminate unpaid medical billing data on credit reports altogether.” The agency reaffirmed its intention to “determine whether unpaid medical billing data should be included in credit reports” when it issued the April 2022 report. And in remarks made in April 2022, CFPB Deputy Director Zixta Martinez called the change announced by TransUnion, Equifax, and Experian “a first step, but it is not enough.”

The CFPB concludes the new report with the statement that it “shows that a substantial share of medical collections currently reported on consumer credit reports likely qualify to be removed” under the change announced by the national credit reporting companies. While the CFPB’s previous comments strongly suggested that the agency was headed in the direction of taking steps to block or limit the reporting of medical debt, perhaps the findings in the new report will cause the CFPB to question whether such action is needed.

Doris Yuen

CFPB Addresses Application of CFPA to Digital Marketing Providers in New Interpretive Rule

The CFPB has issued an interpretive rule that addresses when digital marketing providers are “service providers” subject to the Consumer Financial Protection Act, including the CFPA’s prohibition on unfair, deceptive, or abusive acts or practices. 

The CFPB describes digital marketing providers as businesses that use data obtained from an array of sources to offer targeted advertising services. For example, they analyze and use data collected from individual consumers to segment consumers by different characteristics such as age, location, or interests. These consumer categories can be used by firms that engage digital marketing providers to select or exclude certain types of customers. Digital marketing providers can also target advertisements at specific times based on the content that a user is currently viewing. The CFPB states:

“Ultimately, the digital marketer may decide which group(s) the consumer belongs in and which financial services companies desire to advertise to that group, and may select the specific ad to display to that consumer and/or when to display the ad based on other factors (e.g. the amount a firm is willing to pay to display the ad). Accordingly, many digital marketing providers are materially involved in the development of “content strategy” by identifying or selecting prospective customers and/or selecting or placing content to affect consumer engagement, including purchasing or adoption behavior. These activities go well beyond the activities of traditional media sources, such as print newspapers or radio, that solely passively provided airtime or physical space for advertisements.”

The CFPA defines a “service provider” as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” A “service provider” includes, but is not limited to, a person that “participates in designing, operating, or maintaining the consumer financial product or service” or “processes transactions relating to the consumer financial product or service.” A “service provider” does not include a person “solely by virtue of such person offering or providing to a covered person [either] a support service of a type provided to businesses generally or a similar ministerial service [or] time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.” 

According to the CFPB, digital marketing providers typically provide a “material service” when they “are materially involved in the development of content strategy.” Describing a “material service” as one that is “significant or important,” the CFPB considers digital marketing providers to be providing a “significant” service to covered persons when they “identify or select prospective customers and/or select or place content to affect consumer engagement.” In finding digital marketing providers to be providing a “material service,” the CFPB also relies on its characterization of the involvement of digital marketing providers as more similar to the function traditionally performed by a covered person’s own customer acquisition or marketing group than a traditional media source (e.g. lead generation, marketing analysis, or strategy).

The CFPB states that the reference to “solely” providing “time or space for an advertisement” in the “time or space” exception means that digital marketers that do more than provide airtime or physical space for advertisements fall outside the exception. It also states that the “time or space” exception should be interpreted along with the exception for “a support service of a type provided to businesses generally or a similar ministerial service.” According to the CFPB, firms that provide a “ministerial service” to a financial institution “are not materially involved in the marketing or distribution of the consumer financial product or service; they are not typically involved in the identification or selection of prospective customers, nor do they select or place content to affect consumer engagement.” The CFPB also interprets the reference to “electronic media” in the “time or space” exception to refer to offering advertising in a manner similar to how advertising was offered by traditional “print” media sources, which typically operated as passive conduits of information provided by their customers.

The CFPB indicates that there may be circumstances under which the conduct of digital marketing providers does fall within the “time or space” exception. One circumstance would be where a digital marketing provider is only minimally involved in identifying or selecting prospective consumers or selecting or placing content to affect consumer engagement, such as where the marketer only offers covered persons the ability to choose to run an advertisement on a particular webpage or application of the covered person’s choosing, with advertisements seen by any user of that page or application.

The CFPB makes clear, however, that a digital marketing provider would not fall within the “time or space” exception if:

  • It targets and delivers advertisements to users with certain characteristics, even if those characteristics are specified by the covered person. In these circumstances, it is the digital marketer’s ad targeting and delivery algorithms that identify the specific audience that sees the advertisement. (The CFPB notes the Department of Housing and Urban Development’s action against Facebook for alleged violations of the Fair Housing Act in connection with Facebook’s targeted advertising program.)
  • A covered person identifies particular users by name and the digital marketer targets and delivers the advertisements to those users at specific times to increase or maximize engagement. (The CFPB notes that although a traditional media source might have provided basic information to customers about when to air particular ads, the business purchasing the ad generally made the decision about when and where to place the ad).
  • It plays an even more significant role in determining which consumers see advertisements, such as by suggesting or determining to the covered person which users are the most appropriate audience for the covered person’s advertisements (rather than receiving such direction from the covered person).

In its press release, the CFPB warns that “digital marketers acting as service providers can be held liable by the CFPB or other law enforcers for committing unfair, deceptive, or abusive acts or practices as well as other consumer financial protection violations.” In the interpretive rule, the CFPB references the recent change to its Examination Manual to provide that discrimination can constitute an unfair act or practice, perhaps sending a message to digital marketing providers that a UDAAP violation can arise in connection with the marketing of both credit and non-credit transactions.  

The interpretive rule is yet another example of a change that the CFPB should make with input from stakeholders rather than by administrative fiat.

John L. Culhane, Jr. & Michael R. Guerrero

CFPB Enters Into Consent Order With Fintech Company to Resolve Alleged UDAAP Practices Arising From Use of Algorithm

The CFPB announced that it has entered into a consent order with Hello Digit, LLC (Digit) to settle the CFPB’s claims that Digit engaged in deceptive acts and practices in connection with an automated savings tool it offered to consumers. The settlement requires Digit to pay a $2.7 million civil money penalty and at least $68,145 in consumer redress.

Digit is a fintech company that offers a personal-finance-management app that includes an automated savings tool. When signing up for the service, Digit requires consumers to grant Hello Digit access to their checking accounts. Using its own proprietary algorithm, Digit analyzes consumers’ checking account data to determine how much a consumer should save. It then initiates automatic electronic fund transfers (“autosaves”) to transfer money from consumers’ checking accounts to interest-bearing “for the benefit of” accounts held in Digit’s name at third-party institutions (Digit Savings Accounts). Consumers are charged a $5 monthly subscription fee for this service.

The CFPB found that despite using “messaging themes to consumers” that the automated savings tool saved “the perfect amount” and that there were “no overdrafts,” Digit knew from its inception that (1) its algorithms had limitations that hampered Digit’s ability to precisely predict an appropriate amount to withdraw from consumers’ checking accounts, and (2) the autosaves routinely caused overdrafts, resulting in overdraft fees charged by consumers’ banks. Digit also represented to consumers that if it did cause an overdraft through an autosave, it would reimburse any overdraft fees a consumer incurred. However, Digit did not reimburse consumers for all overdrafts and received complaints about overdrafts on a daily basis. It also retained significant interest income earned on the funds held in the Digit Savings Accounts but represented to consumers that it did not collect interest revenue.

The CFPB found that Digit engaged in deceptive acts or practices in violation of the CFPA by misrepresenting that its service would save the “perfect amount” and have “no overdrafts,” that it would reimburse consumers for all overdraft fees caused by autosaves, and that it did not collect revenue from interest earned on Digit Savings Accounts. The consumer redress that Digit is required to pay under the Consent Order is intended to reimburse consumers for all unreimbursed overdraft fees caused by autosaves. The Consent Order also prohibits Digit from continuing to make misrepresentations about its automated savings tool.

In addition to serving as a reminder to companies of the need not to “over promise” in their marketing materials and to be responsive to consumer complaints, the settlement highlights two ongoing CFPB themes: a focus on overdrafts and reservations about algorithms. With regard to algorithms, the CFPB has previously expressed concerns about fair lending risks created by the use of algorithms. The CFPB’s prominent and repeated references to Digit’s use of algorithms in its press release appear intended to paint the use of algorithms in a negative light even outside of the fair lending context.

- Michael Gordon & Michael R. Guerrero

On August 9, 2022, the Conference of State Bank Supervisors (CSBS) made available two new cybersecurity exam programs for optional use by nonbank financial security companies. The programs may help such entities self-assess their preparedness to guard against cyber-attacks and/or for cybersecurity examinations and help “improve their cybersecurity posture.”

They are:

These are information technology and cybersecurity exam programs created by state regulators for examinations of nonbank institutions. Their procedures provide a high-level (Baseline Program) or in-depth (Enhanced Program) risk evaluation of the four critical components of the Uniform Rating System for Information Technology (developed by the Federal Financial Institutions Examination Council to evaluate the information technology function at banking institutions), which include Audit, Management, Development and Acquisition, and Support and Delivery, the primary purpose of which is to “evaluate the examined institution's overall risk exposure and risk management performance and determine the degree of supervisory attention necessary to ensure that weaknesses are addressed and risks are properly managed.”

The Baseline Program is identified for use at “smaller, noncomplex, low risk institutions. The program is targeted for use by examiners with or without specialized IT and cybersecurity knowledge,” while the Enhanced Program “should be used to provide a more in-depth review for larger, more complex institutions or for those where concerns are raised during the exam. The program is targeted for use by examiners with specialized knowledge of IT and cybersecurity.”

The release of these tools is part of a larger initiative by CSBS and state regulators to help provide supervisory clarity and safeguards to nonbank institutions licensed by state entities. In its press release, CSBS reported that it intends to provide additional tools to address the needs of smaller nonbank financial institutions in the coming months, and it noted that it also provides nonbanks with a Ransomware Self-Assessment Tool and a Cybersecurity 101 Guide for Executives.

- Stacey L. Valerio

RESPRO | How to Survive a CFPB or State Exam

Webinar | August 25, 2022, 2:00-3:00 p.m.

Speakers: Richard Andreano, Lisa Lanham and Michael Gordon

MBA Human Resources Symposium

Arlington, VA | September 8-9, 2022

Legal Session #1: Work in the Current Economic and Mortgage Market Environment

Speaker: Meredith S. Dante

Legal Session #3: Other Top Legal Issues That HR Managers at Mortgage Companies Should Know About

Speaker: Richard Andreano

MBA's Regulatory Compliance Conference

Washington, DC | September 18-20, 2022

Key Updates Track: CFPB Updates

Speaker: Michael Gordon

Purchase Market Compliance Consideration Track: How To Do LO Comp Right—and Be Competitive

Speaker: Richard Andreano

State of the States Track: State Licensing and NMLS Challenges

Speaker: Stacey L. Valerio

State of the States: Key State Trends for Compliance Professionals

Speaker: John D. Socknat

RESPRO Fall Seminar

Savannah, GA | September 26-27, 2022

Redlining. Think Again! CFPB Is Changing What It Means and You Need to Be Ready & the Continued Focus on Fair Lending, Fair Servicing, and Related Matters

Speaker: Richard Andreano

Copyright © 2024 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.