PHH and United States Respond to CFPB’s Petition for Rehearing En Banc; PHH Seeks Leave to File Supplemental Response

PHH and the United States have filed responses with the D.C. Circuit to the CFPB’s petition for rehearing en banc. The D.C. Circuit invited the Solicitor General to file a response expressing the views of the United States and entered an order requiring both PHH and the SG to file their responses by December 22.

In PHH, the D.C. Circuit ruled that that the CFPB’s single-director-removable-only-for-cause structure violates the U.S. Constitution’s separation of powers. To remedy the constitutional defect, it severed the removal-only-for-cause provision from the Dodd-Frank Act so that the President "now has the power to supervise and direct the Director of the CFPB, and may remove the Director at will at any time." It also rejected the CFPB’s interpretation of RESPA, which departed from HUD’s prior interpretation, to prohibit captive mortgage re-insurance arrangements such as the one at issue in PHH. The court also held that even if the CFPB’s interpretation was correct, the CFPB’s attempt to retroactively apply its new interpretation violated due process.

In its petition, the CFPB argued that the panel’s constitutionality ruling conflicts with U.S. Supreme Court precedent and should therefore be reconsidered by the court sitting en banc.  It also argued that panel’s RESPA ruling should be reviewed by the court sitting en banc but observed that the panel’s retroactivity holding "is perhaps not worthy of en banc review on its own." The CFPB also did not seek en banc reconsideration of the panel’s ruling that CFPB administrative enforcement actions are subject to the same statute of limitations as would apply to a CFPB lawsuit filed in court.

In its response, PHH asserts that the panel’s constitutionality ruling is fully consistent with Supreme Court precedent "and more than two centuries of separation-of-powers jurisprudence." As a result, PHH contends the panel’s "correct application of settled constitutional principles warrants no further review." PHH argues that further review of the panel’s RESPA interpretation is also not warranted because it "is plainly correct irrespective of the separation-of-powers ruling, and it presents no conflicting authority." PHH asserts that "[o]n the contrary, the CFPB would ask the en banc Court to create a circuit split with every other court to have considered the proper scope of RESPA." (emphasis supplied.)  In addition, PHH contends that the panel’s retroactivity holding "provides another independent basis for vacating the $109 million penalty against PHH."

The United States, in its response filed by the Department of Justice, does not address the D.C. Circuit’s RESPA rulings and instead "addresses only the panel’s separation-of-powers holding." The United States argues that "the panel’s approach to resolving [the CFPB’s] constitutionality departs from the approach the Supreme Court has applied in resolving such separation-of-powers questions." According to the United States, the panel’s opinion was "premised on its view that an agency with a single head poses a greater threat to individual liberty than an agency headed by a multi-member body that exercises the same powers." The United States contends that, under relevant Supreme Court precedent, the proper inquiry is whether a removal restriction is an "impermissible intrusion on Presidential power or on the functioning of the Executive Branch," and although a removal restriction’s effect on individual liberty "may shed light on whether it constitutes [such] an impermissible intrusion…the possible impact on individual liberty has not been an independent inquiry."

PHH has filed a motion for leave in order to file a supplemental response to the petition for rehearing en banc. In the motion, PHH asserts that "the United States [in its response] argues that this Court should grant the CFPB’s petition for rehearing en banc on several grounds that were not pressed in the CFPB’s petition, and with which PHH strongly disagrees." Further asserting that "[t]he United States government has now had two rounds of briefing and taken two separate positions in this Court in support of rehearing," PHH seeks an opportunity to be heard "on the United States’ newly expressed views."

- Barbara S. Mishkin

CFPB Announces 2017 Fair Lending Priorities

In a blog post published last Friday, Patrice Ficklin, Associate Director of the CFPB’s Office of Fair Lending, outlined the CFPB’s fair lending priorities for 2017.

Ms. Ficklin wrote that, going forward, the CFPB will increase its focus in the following three areas:

  • Redlining: The CFPB "will continue to evaluate whether lenders have intentionally avoided lending in minority neighborhoods."
  • Mortgage and Student Loan Servicing: The CFPB "will determine whether some borrowers who are behind on their mortgage or student loan payments may have more difficulty working out a new solution with the servicer because of their race or ethnicity."
  • Small Business Lending: "Congress expressed concern that women-owned and minority-owned businesses may experience discrimination when they apply for credit, and has required the CFPB to take steps to ensure their fair access to credit."

Although the CFPB entered into consent orders in 2015 and 2016 to settle claims of alleged redlining, by identifying redlining as a 2017 focus, Ms. Ficklin appears to be signaling a revamping of CFPB enforcement activity targeting redlining in 2017. In its Fall 2016 Supervisory Highlights issued last month, the CFPB highlighted its supervisory interest in redlining by listing the factors it considers in assessing redlining risk in examinations and describing how the CFPB conducts its analysis of redlining risk.

The CFPB has also previously signaled its interest in fair lending issues relating to mortgage and student loan servicing. In a "Mortgage Servicing Special Edition" of its Supervisory Highlights issued in July 2016, the CFPB noted that it would be conducting targeted reviews of fair lending issues for mortgage servicers. In a September 2016 blog post, the CFPB highlighted research that "underscores the disproportionate impact of student debt on communities of color."

In February 2016, the CFPB released a list of its policy priority areas for the next two years that include small business lending. That release highlighted the CFPB’s plans to build a small business lending team and begin market research and outreach for rulemaking on business lending data collection and to continue to examine small business lenders for fair lending compliance. Dodd-Frank Section 1071 amended the ECOA to require financial institutions to collect and maintain certain data in connection with credit applications made by women- or minority-owned businesses and small businesses. Such data includes the race, sex, and ethnicity of the principal owners of the business. In April 2016, the CFPB announced that it had filled the position of Assistant Director for the Office of Small Business Lending Markets, whose responsibilities including leading the CFPB’s team involved in developing rules to implement Section 1071.

In stating that Congress "has required the CFPB to take steps to ensure [women-owned and minority-owned businesses] their fair access to credit," Ms. Ficklin is presumably referring to Section 1071 rulemaking. (In its Fall 2016 rulemaking agenda, the CFPB gave a March 2017 estimated date for prerule activities related to small business lending.) We believe there is also a strong likelihood of increased CFPB supervisory and enforcement activity targeting small business lending even before the completion of Section 1071 rulemaking.

Perhaps noteworthy for its absence from the areas of fair lending focus identified by Ms. Ficklin is auto finance, which has been an area of CFPB focus for several years. In her blog post, Ms. Ficklin commented that "we have examined over a dozen of the nation’s largest auto lenders and achieved important market awareness and movement, and we believe that a wide range of supervisory compliance solutions tailored to each lender will work to secure and advance our progress in protecting consumers."

The CFPB’s approach to fair lending supervision and enforcement could be significantly impacted by the presidential election results. In particular, a new CFPB Director and/or the new Attorney General may cause the CFPB to move away from its use of the disparate impact theory of liability as a basis for alleging fair lending violations.

- Barbara S. Mishkin

FCC Denies TCPA Exemption for Mortgage Servicing Calls

The Federal Communications Commission (FCC) has denied the petition filed by the Mortgage Bankers Association (MBA) seeking an exemption from the prior express consent requirement of the Telephone Consumer Protection Act (TCPA).

The TCPA and the FCC’s rules prohibit autodialed calls to wireless telephone numbers and other specified recipients except when made:

  • For an emergency purpose;
  • Solely to collect a debt owed to or guaranteed by the United States (subject to extreme limitations);
  • With the prior express consent of the called party; or
  • Pursuant to a Commission granted exemption.

The MBA sought an exemption of the prior express consent requirement for non-marketing, mortgage servicing calls to wireless telephone numbers that were made to determine the "reasons and nature of the delinquency," and to counsel homeowners on their "obligations and potential options." 

The FCC formulated a three-part test to determine whether to grant the MBA’s petition, namely:

  • Whether the petitioner was clear that the messages would be free to the end user;
  • Whether the messages were time-sensitive or there is some other compelling public interest that supports timely receipt of these calls; and
  • Whether the caller could apply conditions to the exemption to preserve consumer privacy interests.

As for the first part, the FCC found that the MBA failed to show how its members could ensure that the called party was not charged for the call or that the call would not count against any plan limits on the consumer’s voice minutes or texts. The FCC noted that previous successful petitioners stated that financial institutions would work with wireless carriers and third-party service providers to ensure that recipients of the messages would not be charged for those messages.

In analyzing the second part, the FCC held that the need for the timely delivery of the mortgage servicing calls outlined by the MBA did not justify "setting aside a consumer’s privacy interests in favor of an exemption." The FCC focused on the necessity for the immediate communication in its prior exemption analyses concerning fraudulent transactions or identity theft. In contrast, the FCC noted that the various federal and state laws that require outbound mortgage servicing calls do not require telephone contact until a borrower is at least 20 to 36 days into the delinquency period. Ultimately, the FCC found that the mortgage servicing calls lacked the urgency of autodialed calls to alert consumers about a fraudulent transaction or a data breach.  Lastly, the FCC concluded that mortgage servicers have effective means, other than autodialed calls, to make contact with customers and that the subject calls could be made without using autodialer technology. 

Although the order denied the petition, it did reemphasize a few important items regarding prior express consent. The order stated that mortgage servicers are "free to autodial consumers without an exemption by simply relying on the prior express consent a consumer provides when including their wireless phone number on a mortgage application." Additionally, the order stated that mortgage servicers may also obtain "new consent by one of many available means, including by email." 

On December 15, 2016, the MBA filed an application for review of the November 16, 2016, order by the full Commission. The application for review is currently pending. 

- Jenny N. Perkins

CFPB Announces Annual Adjustments to HMDA/TILA Asset-Size Exemption Thresholds

The CFPB has announced annual adjustments to two asset-size exemption thresholds. First, the CFPB has made no change to the asset-size exemption threshold under HMDA/Regulation C, which is currently set at $44 million. Banks, savings associations, and credit unions with assets at or below $44 million as of December 31, 2016, will continue to be exempt from collecting HMDA data in 2017.

Second, the CFPB has increased the asset-size threshold under TILA/Regulation Z for certain small creditors operating primarily in rural or underserved areas to qualify for an exemption to the requirement to establish an escrow account for higher-priced mortgage loans (HPML). The threshold is currently set at $2.052 billion. Loans made by creditors operating primarily in rural or underserved areas with assets of less than $2.069 billion as of December 31, 2016, (including assets of certain affiliates) that meet the other Regulation Z exemption requirements will be exempt in 2017 from the escrow account requirement for HPMLs. (The adjustment will also increase the asset threshold for small creditor portfolio and balloon-payment qualified mortgages which references the HPML escrow account asset-size threshold.)

- Barbara S. Mishkin

NYDFS Revises Cybersecurity Regulation, Extends Effective Date to March 1, 2017

The New York Department of Financial Services (NYDFS) announced a revised regulation that will require all institutions subject to NYDFS supervision to establish and maintain a cybersecurity program meeting "certain regulatory minimum standards." All financial institutions under NYDFS jurisdiction—including banks, state-licensed lenders, mortgage industry companies, insurance companies, and money services businesses—should carefully assess whether existing security measures will need to be enhanced and what additional steps may need to be taken to satisfy the requirements in the proposed rules. Third party service providers to these institutions should also prepare for compliance requirements that will likely be imposed downstream from these covered entities.

The revised regulation will become final and effective on March 1, 2017 (a delay of two months from the originally proposed January 1, 2017, effective date). The first annual certification will now be due by February 15, 2018. The revised regulation also establishes tiered transition periods for covered entities to comply with the new requirements:

  • Six months: All provisions not specified in the following transition periods.
  • One year: CISO reporting to the board of directors (500.04(b)), penetration testing and vulnerability assessments (500.05), risk assessments (500.09), multi-factor authentication (500.12), and cybersecurity awareness training (500.14(a)(2)).
  • 18 months: Audit trails (500.06), application security (500.08), data retention (500.13), policies and procedures to monitor the activity of authorized users (500.14(a)(1)), and encryption (500.15).
  • Two years: Third party service provider security policy (500.11).

Many of the requirements set forth in the initial version of the proposed regulation, released on September 13, 2016, (summarized in our prior alert available here), remain unchanged. NYDFS made some significant concessions, however, in response to more than 150 public comments that were submitted. NYDFS released an "Assessment of Public Comments" with the revised regulation, providing some insight into the changes made in response to the public comments. Some of the most pertinent revisions include:

  • Small business exemption: Creation of a "limited" small business exemption for covered entities that have less than 10 employees, $5 million in gross annual revenue, or $10 million in year-end total assets.
  • Risk-based assessments: Clarification that the revised regulation was intended to be linked to a covered entity’s risk assessment, such as the encryption and multi-factor authentication mandates. However, NYDFS cautions that a risk assessment should not be used to justify a cost-benefit analysis of acceptable losses related to cybersecurity risks. The term "risk assessment" has been added as a new defined term in the revised regulation. The revised regulation requires that risk assessments be performed "periodically," instead of annually (as originally proposed).
  • Audit trails: Reduction in the level of prescriptive requirements related to maintaining audit trails, including reducing the covered period from six to five years and focusing on material cybersecurity events.
  • Nonpublic information: Significant narrowing of the definition to conform more closely to the definition in the New York breach notification statute. The revised regulation provides an exemption for any covered entity that does not directly or indirectly control, own, access, generate, receive, or possess any nonpublic information.
  • Chief Information Security Officer (CISO): Clarification that so long as a covered entity has designated a qualified individual to perform the functions of a CISO, no individual is required to have this specific title or be dedicated exclusively to CISO activities. The designated individual now must provide a written, more narrowly focused, annual (not bi-annual) cybersecurity report to the board of directors or governing body.
  • Third party service providers: Amendment of the proposed regulation to clarify that any requirements on third party service providers should be based on the covered entity’s risk assessment. Thus, covered entities will not be required to audit the systems of all third party service providers. The language requiring certain "preferred provisions" to be added to vendor contracts has been removed and replaced with a requirement to establish relevant guidelines and/or contractual protections. The term "third party service provider" has been added as a new defined term in the revised regulation.
  • Affiliates: Authorization of covered entities to satisfy the requirements of the revised regulation if covered by the cybersecurity program of an affiliate, including the affiliate’s CISO.
  • Cybersecurity event reporting: Retention of the 72-hour reporting timeframe for notifying NYDFS of a "cybersecurity event." Addition of a "materiality" qualifier to those provisions related to responding to and reporting of cybersecurity events. The revised notification requirement applies only to:
  • Cybersecurity events of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body, and
  • Cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.

Importantly, the revised regulation includes new language addressing the confidentiality of any reporting submitted to NYDFS about cybersecurity events.

Public comments may be filed on the revised regulation for 30 days from today’s publication date. NYDFS will consider as part of its final review any new comments that were not previously raised during the original comment period, which ended on November 14, 2016. As NYDFS has proven receptive to making changes based on public comments, financial institutions should carefully consider whether to file comments during the next 30 days.

Ballard Spahr will host a webinar on the revised rules on January 12, 2017. Click here to register.

- Kim Phan 

Civil Rights Groups Voice Support for Director Cordray

Earlier this month, we blogged about reports that Director Cordray has no plans to leave the CFPB before his term expires in July 2018. Yesterday, several national civil rights groups issued a joint statement applauding the CFPB’s work and expressing support for Director Cordray "as he continues to lead the CFPB in the fourth year of his five-year tenure." The groups are the Leadership Conference on Civil and Human Rights, NAACP, National Council of La Raza, and National Urban League.

In their statement, the groups express their view that under Director Cordray’s leadership, the CFPB "has significantly improved the lives of people across the country, especially in our diverse communities" and warn that "any effort to weaken the agency or undermine its leadership would risk severe impacts on our communities—including communities of color and low-income families who are most vulnerable to financial abuse." The groups tout the CFPB’s recovery of "more than $11 billion for 27 million consumers harmed by illegal, predatory financial schemes" and the CFPB’s efforts to fight "against discriminatory practices in the financial marketplace, including bringing enforcement actions to enforce fair lending laws that protect consumers of color from being charged more for a mortgage, auto loan, or credit card."

- Barbara S. Mishkin

Did you know?

by Wendy Tran

California Adopting MSB Call Report

The California Department of Business Oversight will adopt the NMLS Money Services Business (MSB) Call Report beginning with Q1 2017 reporting, totaling 18 state agencies adopting the NMLS MSB Call Report in NMLS in the first quarter of 2017. The initial report will be due 45 days after the end of the first quarter (May 15, 2017). More information can be found here.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.