Under the new Democratic Majority in the House of Representatives, Congresswoman Maxine Waters chairs the Financial Services Committee. Over the past several months, she has moved swiftly to hold Congressional hearings and pass legislation to address issues she identified as priorities for Democrats in the 116th Congress, including consumer protection legislation, H.R. 1500, the Consumers First Act. On March 28, all 34 Democrats on the committee voted in support of H.R. 1500 and all 26 Republicans voted no. The bill is intended to reverse various actions taken by Mick Mulvaney during his tenure as Acting Director of the Consumer Financial Protection Bureau (CFPB). While it is possible the bill will come to the House floor for a vote this year, it is unlikely to be brought up for a vote in the Senate, and will therefore remain purely a messaging piece for Democrats to rally behind.
Just over 100 days into the new Congress, we can expect to see additional consumer protection legislation and oversight of the CFPB under Chairwoman Waters' leadership. The CFPB has been and continues to be a point of contention between many Democrats and Republicans. The current political dynamic and its impact on consumer financial services is the subject of our recent podcast featuring Timothy Jenkins, partner in Ballard Spahr's federal lobbying and government relations team, and Alan S. Kaplinsky, co-leader of the firm's Consumer Financial Services Group.
FDIC Issues Guidance on Service Technology Service Provider Contracts
On April 2, 2019, the FDIC issued Financial Institution Letter FIL-19-2019 to remind financial institutions about certain contractual provisions and other requirements pertaining to technology service provider contracts. Apparently, during recent routine examinations, the FDIC found several technology service provider contracts that were inadequate under existing guidance. These contracts were missing or inadequately addressed key terms, such as:
- requiring the service provider to maintain a business continuity plan;
- establishing recovery standards;
- specifying the institution's remedies if the service provider misses a recovery standard,
- requiring the service provider to respond to security incidents by, among other things, notifying the institution; and
- defining key terms in the contracts relevant to business continuity and/or incident response.
As noted in the FDIC letter, the Interagency Guidelines Establishing Information Security Standards, which were promulgated pursuant to the Gramm-Leach-Bliley Act and incorporated into the FDIC's Rules and Regulations as Appendix B to Part 364, establish standards for safeguarding customer information. Such guidelines set the FDIC's expectations for managing technology service provider relationships through contractual terms and ongoing monitoring, and financial institutions must account for these requirements in their contracts with technology service providers. For the reasons described above, the contracts the FDIC saw during its examinations apparently failed to meet those expectations.
Finally, the letter highlights that depository institutions are obligated pursuant to Section 7 of the Bank Service Company Act (12 U.S.C. 1867) to report to their respective federal bank regulatory agencies those contracts with technology service providers that provide certain types of services to the bank, as enumerated in Section 3 of the act, and includes an FDIC-developed form as an unofficial aid in complying with that notification requirement.
The letter serves as timely examination feedback and a good reminder to the industry that the FDIC believes that third-party providers of technology-related services can create special risks to depository institutions that need to be properly addressed in their service contracts with such entities, particularly in areas such as business continuity and incident response. The FDIC indicated that it plans to hold the board and senior management of financial institutions accountable for controlling those risks in accordance with the requirements of law and its existing regulatory guidance.
The Letter also reminds institutions that the FDIC's Guidance for Managing Third-Party Risk, FIL-44-2008, discusses contract provisions the FDIC believes should be addressed in technology service provider agreements (at a level of detail consistent with the scope and risks associated with the relationship), including those that were missing in the actual contracts the FDIC reviewed. The FDIC goes on to highlight other sources of guidance and resources available to assist bank personnel in understanding the requirements and regulatory expectations in this area.
The FDIC expects institutions to take steps to mitigate the risks posed by such gaps by getting new contract terms from vendors or modifying the institution's own business continuity program to account for the gaps.
- Theodore R. Flo & Glen P. Trudel
New York Passes Sweeping Legislation Affecting Student Loan Servicers
On April 1, 2019, New York enacted Article 14-A, governing servicers of student loans owed by New York residents, in connection with New York's fiscal year 2020 budget. Though sweeping legislation has been anticipated for some time, awareness of its extensive provisions are critical for student loan servicers nationwide.
The legislation requires certain servicers to obtain licensure from the New York Department of Financial Services (DFS) in order to service student loans owed by New York residents. Servicers of federal student loans are automatically deemed as licensed under the new law to service federal loans. To the extent a servicer services both federal and non-federal student loans, the servicer is required to obtain licensure. Banking organizations, foreign banking corporations, national banks, federal savings associations, federal credit unions, certain banks and other financial institutions organized under the laws of states other than New York, and private nonprofit or public postsecondary educational institutions are exempt from licensure requirements and certain other requirements of the new legislation. However, even servicers that are exempt from licensure or are deemed as licensed are required to provide notice of their loan servicing to the DFS and to comply with some provisions of the law, including those pertaining to nonconforming payments, credit reporting, prohibited practices, and recordkeeping.
The law requires student loan servicers to inquire of a borrower how to apply a borrower's nonconforming payment, unless otherwise provided by federal law or the applicable loan agreement. Nonconforming payments are those that are either more or less than the required student loan payment. A borrower's instructions on how to apply nonconforming payments remains in effect for future nonconforming payments until the borrower provides different directions. The requirements for nonconforming payments are particularly noteworthy, as misapplying payments is considered a prohibited practice under the new law. The law also requires servicers who regularly report information to a consumer reporting agency to accurately report a borrower's payment performance to at least one nationwide consumer reporting agency.
Additional prohibited practices under the law include, but are not limited to:
- misapplying payments to the outstanding balance of any student loan, related interest or fees;
- providing inaccurate information to a consumer reporting agency;
- refusing to communicate with a borrower's authorized representative;
- misrepresenting or omitting any material information including the terms and conditions of the loan or the borrower's obligations thereunder;
- defrauding or misleading a borrower; and
- failing to respond within fifteen days to communications from the department.
Failure to comply with the law subjects servicers to the risk of hefty penalties and litigation. For each violation, the superintendent may require a servicer to pay the state a sum not to exceed the greater of $2,000 or twice the economic gain attributable to the violation for non-willful violations and, for willful violations, a sum not to exceed $10,000 or twice the economic gain attributable to the violation. These penalties are in addition to any liability or penalties available under other state or federal law.
- Sarah E. Pruett
Ginnie Mae Considering Non-Bank Safety and Soundness Standards
According to a Financial Times report, Ginnie Mae is considering proposals that would create federal safety and soundness standards for nonbank mortgage lenders that are similar to those that apply to banks. Specifically, the report cites comments made by Maren Kasper, Ginnie Mae's acting president, that the proposals would provide for stress testing to assess a lender's liquidity and include a requirement that lenders have a "living will" that describes how the lender would wind down its operations in the event of financial distress or the lender's failure.
The proposals appear to stem from a white paper, "Ginnie Mae 2020: Roadmap for sustaining low-cost homeownership." Counter-party risk will be a topic of discussion at the Ginnie Mae Summit scheduled for June 13-14, 2019.
- Richard J. Andreano, Jr.
Revised HMDA Examination Guidelines Issued
The CFPB recently posted on its website revised Home Mortgage Disclosure Act (HMDA) examination guidelines.
The revised guidelines address the exemption adopted in the Economic Growth, Regulatory Relief, and Consumer Protection Act (also known as S.2155) applicable to the new HMDA data categories added by Dodd-Frank and the HMDA rule adopted by the CFPB in October 2015. The exemption is available for insured depository institutions and insured credit unions that originate mortgage loans below certain thresholds and meet certain Community Reinvestment Act rating criteria. We previously reported on the exemption and a related interpretive rule issued by the CFPB in September 2018.
The Office of the Comptroller of the Currency also issued Bulletin 2019-19 that addresses the revised examination guidelines.
- Richard J. Andreano, Jr.
NMLS Ombudsman Meeting Summary Available
A summary of the Ombudsman Meeting held during the 2019 NMLS Annual Conference & Training is now available on the NMLS resource center home page.
- Stacey L. Valerio
LO Comp: Something Has to Give
Atlanta, GA | April 24-27, 2019
Panelist: Richard J. Andreano, Jr.
CE: Loan Originator Compensation - Guidance and Q&A
An MBA webinar | April 30, 2019
Speakers: Richard J. Andreano, Jr. & Meredith S. Dante
MBA Legal Issues and Regulatory Compliance Conference
New Orleans, LA | May 5-8, 2019
Ongoing Compliance Challenges of Social Media
Speaker: Meredith S. Dante
Regulatory Developments Track: TCPA Legal and Compliance Developments
Speaker: Daniel JT McKenna
Applied Compliance Track: Implementing LO Compensation
Speaker: Richard J. Andreano, Jr.
Compliance Conversations: State Examination/Enforcement Trends
Speaker: John D. Socknat
The Conference Super Session
Speaker: Reid F. Herlihy
Copyright © 2019 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.