In This Issue:
- Financial Institutions Must Assess Whether They Must Comply with CCPA Requirements for Financial Incentive Programs
- CFPB Issues TILA Guidance on Juneteenth Federal Holiday
- This Week’s Podcast: The CFPB’s Summer 2021 Supervisory Highlights: A Close Look at Credit Reporting, Debt Collection, Fair Lending and Mortgage Loan Origination and Servicing Issues
- FFIEC Issues Updated Guidance on Authentication and Access
- California Enforcement Updates and Privacy Tools Highlight Regulatory Scrutiny of Right to Opt Out
- NY Department of Financial Services Announces Initiative to Collect and Publish Diversity Data
- Federal Court Rules Constitutional Challenge Did Not Allow Stay of CFPB Order Requiring Payment of Restitution and Civil Money Penalties
- Utah Federal Court Rules Petition Clause of the First Amendment Provides Immunity from FDCPA Claims
- Fannie Mae to Consider Rental Payment History in Underwriting Decisions
- Did You Know?
- Looking Ahead
For the latest updates on the Coronavirus COVID-19 pandemic visit the Ballard Spahr COVID-19 Resource Center
Financial Institutions Must Assess Whether They Must Comply with CCPA Requirements for Financial Incentive Programs
Last month, California Attorney General Rob Bonta released a summary of his office’s enforcement activity under the California Consumer Privacy Act (CCPA). Although the summary did not include company names, the summary highlights those CCPA compliance areas which have already drawn attention and which will likely continue to be a focus for enforcement. One action that was summarized involved a business that failed to provide a Notice of Financial Incentive to consumers for participation in the business’ loyalty programs. Companies must be mindful that if they are requiring consumers to provide personal information in exchange for any type of monetary compensation or other financial benefit, then the CCPA may impose additional disclosure obligations in the form of a Notice of Financial Incentive.
Under the CCPA regulations, a “financial incentive” is defined broadly to mean “a program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.” Cal. Code Regs. tit. 11, § 999.301(j). For example, if a financial institution engages in a marketing campaign that involves any kind of compensation to consumers in exchange for personal information, this activity would likely be considered a financial incentive program under the CCPA and would likely trigger the CCPA Notice of Financial Incentive requirements. Such financial incentive programs may include encouraging consumers to provide personal information by taking a survey, entering into a sweepstakes, or referring a friend to apply for a new loan in exchange for a gift card, account credit, loyalty rewards, or any other form of compensation.
Financial institutions generally are not required to comply with many of the CCPA requirements because of the exemption for “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act” (GLBA). However, personal information collected by a financial institution for marketing purposes or used as part of a financial incentive program may potentially fall outside the scope of the GLBA exemption and, if so, financial institutions would need to comply with the CCPA requirements. If compliance is required, a financial institution must comply with not only the financial incentive disclosure requirements, but also all other CCPA requirements regarding consumer privacy rights related to such activities. Such requirements include responding to “requests to know” and “requests to delete” with respect to personal information collected through a financial incentive program.
A Notice of Financial Incentive must include the following:
- A succinct summary of the financial incentive or price or service difference offered;
- A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data;
- How the consumer can opt-in to the financial incentive or price or service difference;
- A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right; and
- An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including (a) a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and (b) a description of the method the business used to calculate the value of the consumer’s data. Cal. Code Regs. tit. 11, § 999.307.
One of the more challenging aspects of the Notice of Financial Incentive requirements is the need to explain how the value of the financial incentive relates to the value of the personal information to the company. The CCPA regulations provide some guidance on how companies can document a reasonable and good faith method for calculating the value of the consumer’s data in order to offer a different price, rate, level, or quality of goods or services that is directly related to the value provided by the consumer’s information. Cal Civ Code § 1798.125(b)(1); Cal. Code Regs. tit. 11, § 999.337. However, in practice, few companies are assigning specific values or tracking profit generated from particular pieces of personal information, which makes compliance in this area especially challenging.
The news release regarding Attorney General Bonta’s announcement is available here and the summary of CCPA enforcement case examples is available here.
CFPB Issues TILA Guidance on Juneteenth Federal Holiday
As previously reported, the creation on June 17, 2021 of the Juneteenth National Independence Day resulted in an important change under the Truth in Lending Act (TILA) and Regulation Z. The CFPB recently issued an interpretive rule to address certain issues based on the change.
There is a specific definition of “business day” under Regulation Z for certain purposes, including the right of rescission period, the waiting periods that apply to the TRID rule disclosures, the period after which consumers are deemed to receive TRID rule disclosures that are not delivered in person, the date that private education loan disclosures mailed to the consumer are deemed to be received, and the date that the right to cancel a private education loan expires. Under the specific definition, a “business day” is “all calendar days except Sundays and the legal public holidays specified in 5 U.S.C. 6103(a) . . . .”
The bill creating the Juneteenth holiday amended 5 U.S.C 6103(a) to add “Juneteenth National Independence Day, June 19” as a specified legal public holiday. As a result, once the bill was signed into law by President Biden on June 17, Saturday June 19 immediately switched from being a business day to being a non- business day. (Although the federal government was closed on Friday June 18 in observance of the new legal public holiday, under the specific definition of “business day” in amended 5 U.S.C. 6103(a), June 18 was a business day.)
Immediately after the bill became law, mortgage industry representatives urged the CFPB to provide guidance. On June 18, Acting CFPB Director Uejio issued a statement that first addresses the significance of the new holiday, and then addresses the TILA issue as follows:
The CFPB, along with the other Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) regulators, is aware of concerns regarding implementation of the new Juneteenth Federal holiday, particularly as it relates to mortgage lender compliance with the Truth in Lending Act and TILA-RESPA Integrated Disclosure (TRID) timing requirements. The CFPB recognizes that some lenders did not have sufficient time after the Federal holiday declaration to consider whether and how to adjust closing timelines. The CFPB understands that some lenders may delay closings to accommodate the reissuance of disclosures adjusted for the new Federal holiday. The CFPB notes that the TILA and TRID requirements generally protect creditors from liability for bona fide errors and permit redisclosure after closing to correct errors. Any guidance ultimately issued by the CFPB would take into account the limited implementation period before the holiday and would be issued after consultation with the other FIRREA regulators and the Conference of State Bank Supervisors (CSBS) to ensure consistency of interpretation for all regulated entities.
Industry members likely found the initial guidance to be unhelpful. The interpretive rule addresses the business day issue resulting from the creation of the Juneteenth holiday with regard to the right of rescission period for closed-end mortgage loans, the waiting periods that apply to the TRID rule disclosures, and the period after which consumers are deemed to receive TRID rule disclosures that are not delivered in person. The interpretive rule does not expressly address the date that private education loan disclosures mailed to the consumer are deemed to be received, and the date that the right to cancel a private education loan expires.
Business Day Version Approach
The CFPB notes that Regulation Z does not address which version of the specific “business day” definition applies if during a relevant time period that relies on the definition, the definition changes. The interpretive rule provides that the version of the definition of “business day” that applies to the right of rescission period, the TRID rule waiting periods, and the period after which the consumer is deemed to receive TRID rule disclosures that are not delivered in person depends on when the relevant time period began. If the relevant time period began on or before June 17, 2021, then Saturday June 19, 2021 was a business day. If the relevant time period began after June 17, 2021, then Saturday June 19, 2021 was a non-business day. Each period is addressed further below.
Right of Rescission Period
For closed-end mortgage loans subject to the right to rescind, the consumer has the right to rescind the loan until midnight of the third business day following the last to occur of (1) delivery of all material disclosures, (2) consummation of the loan, and (3) delivery of the notice of the right to rescind to each consumer entitled to rescind. The notice of the right to rescind must indicate that date that the right to rescind expires. The interpretive rule provides that the date that the rescission period begins to run, and the rescission period expiration date, are determined based on the version of the “business day” definition that was in effect when the rescission period began to run. Specifically, if the rescission period began to run on or before June 17, 2021, then Saturday June 19 was a business day for purposes of the right to rescind. However, because a creditor may provide the consumer with a rescission period that is longer than three business days, even if the rescission period began to run on or before June 17, a creditor that treated Saturday June 19 as a non-business day would have provided a compliant rescission period. If the rescission period began to run after June 17, 2021, the creditor had to treat Saturday June 19 as a non-business day.
TRID Rule Waiting Periods
The TRID rule requires that a creditor must deliver or place in the mail the initial Loan Estimate at least seven business days before consummation of the transaction. The TRID rule also requires that the last day that a consumer may receive a revised Loan Estimate is four business days before consummation of the transaction, and that the consumer must receive the initial Closing Disclosure at least three business days before consummation of the transaction. The interpretive rule provides that seven, four and three business day waiting periods are determined based on the version of the “business day” definition that was in effect when the creditor delivered the Loan Estimate or Closing Disclosure, or placed the applicable disclosure in the mail. For example, if a creditor delivered or placed in the mail the initial Loan Estimate on June 14, 2021 and consummation occurred on June 22, 2021, the seven business day waiting period for the initial Loan Estimate was satisfied because Saturday June 19 was a business day. However, because a creditor may provide the consumer with the initial Loan Estimate more than seven business days before consummation, if a creditor delivered or placed in the mail the initial Loan Estimate on or before June 17 and treated Saturday June 19 as a non-business day, the creditor still would have complied with the waiting period requirement. If a creditor delivered or placed in the mail a Loan Estimate or Closing Disclosure after June 17, 2021, then the creditor had to treat Saturday June 19 as a non-business day.
Mailbox Rule Period
In cases in which a creditor mails a Loan Estimate or Closing Disclosure, the consumer is deemed to receive the disclosure three business days after it is placed in the mail. This is referred to as the “mailbox rule.” The mailbox rule also applies when a creditor provides a Loan Estimate or Closing Disclosure by a means of non-personal delivery other than the mail, such as by electronic means. (While a creditor may rely on the deemed receipt of a disclosure provided by non-personal delivery under the mailbox rule, if the creditor has evidence of actual receipt of the disclosure on a date before the date of deemed receipt, the creditor may rely on the evidence of actual receipt.)
The interpretive rule provides that the three business day period under the mailbox rule is determined based on the version of the “business day” definition that was in effect on the date that the creditor placed the disclosure in the mail. For example, if a creditor placed a Loan Estimate or Closing Disclosure in the mail on June 17, 2021, the consumer is considered to have received the Loan Estimate or Closing Disclosure on June 21, 2021. However, because a creditor may deem a consumer to have received a mailed disclosure more than three business days after the disclosure was placed in the mail, if a creditor placed in the mail a Loan Estimate or Closing Disclosure on or before June 17 and treated Saturday June 19 as a non-business day for purposes of determining when the consumer received the disclosure, the creditor still would have complied with the mailbox rule. If a creditor placed in the mail a Loan Estimate or Closing Disclosure after June 17, 2021, then the creditor had to treat Saturday June 19 as a non-business day.
This Week’s Podcast: The CFPB’s Summer 2021 Supervisory Highlights: A Close Look at Credit Reporting, Debt Collection, Fair Lending and Mortgage Loan Origination and Servicing Issues
We look at the practices found to be unlawful by CFPB examiners in these markets, discuss what the findings signal for future scrutiny of these markets by the “new CFPB”, and share practical takeaways for companies operating in these markets. Issues highlighted in our conversation include the CFPB’s findings regarding “unreliable furnishers,” furnisher handling of “frivolous or irrelevant” disputes, interest accrual on debts in collection, and mortgage servicer consideration of private mortgage insurance termination dates when estimating disbursements in an annual escrow analysis.
Ballard Spahr Senior Counsel Alan Kaplinsky hosts the conversation, joined by Chris Willis, Co-Chair of the firm’s Consumer Financial Services Group, and Reid Herlihy, a partner in the firm’s Mortgage Banking Group.
Click here to listen to the podcast.
- Alan S. Kaplinsky, Christopher J. Willis & Reid F. Herlihy
FFIEC Issues Updated Guidance on Authentication and Access
The Federal Financial Institutions Examination Council (FFIEC) has issued new guidance on authentication and access titled, “Authentication and Access to Financial Institution Services and Systems” (Guidance.) The Guidance is intended to provide financial institutions with examples of effective risk management principles and practices for access and authentication.
The Guidance contains risk management principles and practices that can support a financial institution’s authentication of (1) users accessing the financial institution’s information systems, including employees, board members, third parties, service accounts, application, and devices (collectively, users) and (2) business and consumer customers (collectively, customers) authorized to access digital banking services. The Guidance, which replaces previously issued 2005 and 2011 FFIEC guidance, is not intended to serve as a comprehensive framework for identity and access management programs and does not endorse any specific security framework or standard. However, the Guidance is applicable not only to financial institutions, but also applies to any third party service provider acting on a financial institution’s behalf.
The Guidance begins with a discussion of the “threat landscape” faced by financial institutions. It observes that the evolution of new technologies and broadly-used access points has expanded the system entry or access points through which an attacker can compromise a financial institution. It also observes that certain authentication controls that were previously effective no longer provide a sufficient defense against evolving and increasingly sophisticated methods of attack.
The other topics addressed by the Guidance are:
- Risk assessment to determine appropriate authentication techniques and access management practices, including examples of effective risk assessment practices
- Layered security controls
- Multi-factor authentication as part of layered security
- Monitoring, activity logging, and reporting processes and controls
- Email systems and internet browsers
- Call center and IT help desk authentication
- Data aggregators and other customer-permissioned entities providing services to customers
- User and customer awareness and education
The Guidance includes an Appendix that lists examples of practices or controls related to access management, authentication, and supporting controls.
- Kim Phan
California Enforcement Updates and Privacy Tools Highlight Regulatory Scrutiny of Right to Opt Out
With a little over a year of enforcing the California Consumer Privacy Act (CCPA) under its belt, the Office of the California Attorney General (OAG) recently held a news conference to announce updates on its CCPA enforcement efforts and promote new tools relating to California consumers’ right to opt out of the sale of their personal information.
Enforcement updates. At the news conference, California Attorney General Rob Bonta summarized the first year of enforcement of the CCPA and provided specific examples of actions businesses have taken to rectify alleged violations following receipt of a notice of noncompliance. The notice triggers a 30-day period for the business to cure the alleged violation, which is a prerequisite to the OAG bringing an enforcement action. Examples of actions taken by businesses include:
- A social media platform that explained and updated its response processes to include timely request receipt confirmations and request responses;
Mr. Bonta noted that to date, 75% of businesses that receive a notice to cure address the CCPA violation. The other 25% are either still within their 30-day cure window or under an active investigation.
Following the news conference, the OAG also published an illustrative list of 27 enforcement case examples summarizing situations in which it sent a notice of alleged noncompliance and steps taken by the businesses in response. Although the summaries contain few identifying details, they provide additional insight into the OAG’s enforcement priorities. For instance, 17 of the 27 case examples involved non-compliant privacy policies.
Global privacy control. A number of the case summaries also focused on proper opt-out disclosures and methods, such as the use of global opt-out settings. In August 2020, the OAG finalized CCPA regulations that require businesses to honor user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information. The OAG updated its CCPA FAQs in late June 2021 to state that the Global Privacy Control (GPC), a technical standard that can automatically transmit a do-not-sell request when consumers visit a website, “must be honored . . . as a valid consumer request to stop the sale of personal information” by businesses that collect personal information from consumers online and sell personal information.
In one enforcement case example, an electronics seller failed to process consumers’ requests to opt out that were submitted via a user-enabled universal opt-out signal, such as the GPC, among other alleged compliance issues. After being notified of alleged noncompliance, the business “worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.”
Another summary described how a location data broker’s opt-out process improperly directed consumers to use their mobile device settings to effectuate their opt-out choices and failed to state whether the provided request webform allowed consumers to opt out of the sale of their personal information. After being notified of alleged noncompliance, the data broker updated its opt-out webpage and clarified that adjusting mobile device settings would limit future tracking but would not effectuate a CCPA opt-out request.
The mandate on honoring requests submitted via universal opt-outs like the GPC has generated considerable discussion. In a July 28 letter to the OAG, a coalition of advertising industry groups raised concerns about how the mandate conflicts with the approach taken in the California Privacy Rights Act (CPRA), according to which businesses “may elect” to either provide a clear and conspicuous DNS link or allow consumers to opt out via an “opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism, based on technical specifications to be set forth in regulations.” This CPRA provision becomes operative in January 2023. In the meantime, absent further guidance from the OAG, covered businesses should make sure they have processes in place to respond to requests sent via universal opt-out mechanisms like the GPC.
Consumer privacy interactive tool. During the news conference, Mr. Bonta also unveiled a new Consumer Privacy Interactive Tool (CPIT) allowing consumers to draft notices of noncompliance for businesses that they believe may have violated the CCPA’s requirement to allow consumers to opt out of the sale of their personal information. The tool asks a series of guided questions to confirm whether the business in question is subject to the CCPA, sells personal information, provides an appropriately clear and conspicuous DNS link, provides an interactive form by which consumers may submit opt-out requests, requires consumers to create an account in order to opt out, and/or requires consumers to submit more personal information than is necessary to direct the business to not sell their personal information. If the answers provided indicate that the business is not in compliance with the CCPA, the tool generates a draft notice of noncompliance that the consumer may then send to the business.
According to Mr. Bonta, and as confirmed later in a news release, this notice “may trigger” the 30-day period for the business to cure the alleged violation. If changes have not been made to the business’ alleged noncompliance after 30 days from the date the notice was sent, consumers can file a consumer complaint to the OAG. Although the CPIT is currently limited to drafting notices to businesses that do not post an easy-to-find DNS link on their website, the tool may be updated in the future to include additional potential CCPA violations.
It is not clear yet the impact the CPIT will have on future CCPA enforcement by the OAG, especially given that information can be entered into the tool anonymously and there is no accountability mechanism for ensuring the information entered is accurate. Additionally, the ability to cure violations is scheduled to go away in January 2023, when the rest of the CPRA’s updates to the CCPA enter into effect. Nevertheless, businesses should prepare for the possibility of receiving noncompliance notices generated through the CPIT and review their privacy policies and procedures to ensure such notices are addressed within the 30-day cure period.
NY Department of Financial Services Announces Initiative to Collect and Publish Diversity Data
To further its ongoing diversity, equity, and inclusion (DEI) efforts, the New York State Department of Financial Services (DFS) announced an initiative to collect and publish diversity data on the demographic makeup of NY-regulated financial institution’s boards and senior management teams. In its July 29th business industry letter, DFS emphasized that transparency around this data will help measure progress toward DEI goals, allow firms to assess where they stand relative to their peers, and increase transparency and accountability.
Relying on its authority under New York Banking Law §37(3) to require banking organizations to make special reports, DFS will collect data on the gender, racial, and ethnic composition of boards of all New York-regulated (i) banking institutions with over $100 million in assets, (ii) non-depository financial institutions with over $100 million in assets, (iii) and entities authorized to engage in virtual currency business activity. DFS will collect demographic data from 2019 and 2020 starting in late summer 2021, and will publish aggregate data in the first quarter of 2022.
In the industry letter, DFS made plain that it expects financial institutions to make DEI at the leadership level strategic business and corporate governance priorities, emphasizing the importance of developing a pipeline of diverse leaders. DFS underscored data reflecting existing gaps in gender and racial diversity across industry leadership, based in part on the U.S. House Financial Services Committee’s 2019 analysis of bank diversity data.
DFS laid out both business and social rationales for its data reporting initiative. From a business standpoint, DFS highlighted increasing industry-wide investor and government actions to advance diversity in senior management because doing so improves profitability, enhances risk management, and increases employee satisfaction. DFS further asserted that with the challenges posed by the COVID-19 pandemic, racial injustice, and climate change, it is now “paramount that the banking and financial industries have strong boards and executive teams comprised of people with diverse experiences, skills and perspectives in order to better confront evolving risks and find new opportunities.”
Ballard’s DEI Counseling team advises clients across industries on the development, implementation, and enhancement of DEI programs. Our attorneys performs assessments, develops strategic plans, advise on existing programs, develop policies and communication materials, conduct training, and facilitate the implementation of DEI programs.
Federal Court Rules Constitutional Challenge Did Not Allow Stay of CFPB Order Requiring Payment of Restitution and Civil Money Penalties
Despite the pendency in the Tenth Circuit of a constitutional challenge to a CFPB administrative order that requires a lender and its CEO to pay restitution and civil money penalties, a Kansas federal district court recently refused to stay enforcement of the order.
In CFPB v. Integrity Advance, LLC and James R. Carnes, the CFPB had initiated an administrative enforcement proceeding in 2015 against Integrity, a lender making short term loans, and Mr. Carnes alleging violations of the TILA, EFTA, and CFPA. In July 2016, a hearing was held before a Coast Guard administrative law judge (ALJ) who issued a recommended decision in favor of the CFPB. After the U.S. Supreme Court’s ruling in Lucia v. SEC that the appointment of an SEC ALJ violated the Appointments Clause of the U.S. Constitution, former CFPB Director Kraninger determined that the Coast Guard ALJ used by the CFPB had not been constitutionally appointed and remanded the matter to the CFPB’s ALJ for a new hearing. (By the time Lucia was decided, the CFPB had its own ALJ who was constitutionally appointed.)
The CFPB ALJ also issued a recommended decision in favor of the CFPB in which she recommended that the lender pay $132.5 million in restitution, that the CEO be held jointly and severally liable for $38.4 million of that amount, and that the lender and CEO pay, respectively, civil money penalties of $7.5 million and $5 million. The lender and CEO appealed that decision to former Director Kraninger who issued a decision in January 2021 (after Seila Law had been decided by the Supreme Court) reducing the total restitution amount to $34.5 million. As part of that decision, former Director Kraninger ratified the CFPB’s Notice of Charges that initiated the enforcement action.
The lender and CEO thereafter appealed former Director Kraninger’s decision to the Tenth Circuit. In the appeal, they argue that former Director Kraninger’s ratification was not effective because the applicable statute of limitations had expired before the ratification. They also argue that the Appointments Clause violation was not cured by the new hearing before a properly appointed ALJ because she did not in fact conduct a new hearing and instead relied on the existing record and routinely denied their requests to present evidence or make new arguments that were not raised in the first hearing.
Through its petition, the CFPB sought to enforce its final order issued pursuant to former Director Kraninger’s January 2021 decision. The final order directed the lender and CEO to pay the required amounts within 30 days but provided that if they appealed the decision, they could instead pay the amounts into an escrow account within 30 days. Pursuant to the CFPA, the appeal of a CFPB order to a court of appeals does not operate as a stay of the order unless a stay is specifically authorized by the appellate court. The lender and CEO did not seek a stay of the CFPB’s order from the Tenth Circuit.
In opposing the CFPB’s petition, the CEO argued that the CFPB’s final order was not valid and enforceable. While conceding that only the Tenth Circuit could address the merits of these arguments, he nevertheless asked the district court to exercise its discretion to delay its resolution of the CFPB’s petition pending the Tenth Circuit’s ruling on the appeal. The district court concluded that because the CFPA did not permit it to stay enforcement of the CFPB’s order, it could not grant the CEO’s request which it considered to be “tantamount to a request for…a stay or suspension.” Accordingly, the district court granted the CFPB’s petition and ordered the lender and CEO to comply with the final order by paying the restitution and civil money penalties.
Utah Federal Court Rules Petition Clause of the First Amendment Provides Immunity from FDCPA Claims
A Utah federal district court recently ruled in two cases that the Petition Clause of the First Amendment of the U.S. Constitution provides immunity to debt collectors from Fair Debt Collection Practices Act (FDCPA) claims. The two cases are Holmes v. Crown Asset Management, LLC and Reyes v. N.A.R. Inc. and Olson Associates, P.C. Both decisions were issued by Judge Howard C. Nielson, Jr.
In both cases, the defendants had initially filed lawsuits in Utah state court to collect the underlying debts. In Holmes, the state court ruled in favor of Crown Asset Management which had purchased the debts from a credit card issuer. In Reyes, after filing the state court action, the defendants, a debt collector hired by the creditor and a law firm hired by the debt collector, sent the plaintiff a settlement offer that included a proposed confession of judgment. The plaintiff struck the confession language and returned the settlement agreement to the defendants but the parties ultimately did not reach a settlement. The plaintiffs in both cases subsequently filed lawsuits in federal district court alleging violations of the FDCPA and Utah law.
In both cases, the court initially addressed the question whether the Petition Clause provides immunity from FDCPA claims. The Petition Clause provides that “Congress shall make no law…abridging…the right of the people…to petition the Government for a redress of grievances.” According to the court, “a lawsuit to recover a debt is a petition for redress of grievances within the meaning of Petition Clause immunity.” Thus, the court concluded that the Petition Clause provides immunity from FDCPA lawsuits based on state court collection actions except where the collection action is deemed a “sham petition.”
After reaching this conclusion, the court analyzed the facts in the two cases as follows:
- In Holmes, the plaintiffs claimed that the defendant debt buyer violated the FDCPA and state law by filing the state court lawsuits without registering under the Utah Collection Agency Act (UCAA). The court first noted that the defendant had prevailed in the state court actions and cited language from a U.S. Supreme Court decision stating that “’a winning lawsuit is by definition a reasonable effort at petitioning or redress and therefore not a sham.” The court then stated that even if the defendant had not prevailed, it would still have concluded that the state court lawsuits were not sham petitions and thus protected by the Petition Clause because the defendant could have reasonably believed it was not required to register under the UCAA to file a collection lawsuit. The court found it was unclear under the UCAA whether a business that was collecting debts on its own behalf or a business involved in collections that was not Utah-based was subject to the registration requirement. Due to the absence of clear statutory language, the court was unwilling to construe the UCAA to limit the defendant’s access to the courts. Noting that it was not deciding whether the UCAA in fact required the defendant to be registered to sue in state court, the court found that because the defendant’s lawsuits were protected by the Petition Clause, it only needed to determine if the defendant reasonably could have believed it was not required to register. Accordingly, the court dismissed the plaintiffs’ FDCPA claims and declined to exercise supplemental jurisdiction over their state law claims.
- In Reyes, the plaintiff claimed that the defendants violated the FDCPA and state law by including a percentage-based collection charge in the amount sought to be collected in the state court action and by including a confession of judgment in the proposed settlement agreement. The plaintiff argued that Utah law did not permit the defendants to recover a collection fee because the agreement creating the underlying debt did not satisfy the requirements of Utah law for charging a collection fee. After reviewing the relevant provisions of Utah law, the court found support for the defendants’ position that they had satisfied such requirements. As it did in Holmes, the court noted that it was not deciding whether they had in fact satisfied such requirements, and that because the defendants were protected by the Petition Clause, it only needed to determine whether they could have reasonably believed that they had complied with Utah law. The court concluded that the defendants could have reasonably held this belief and as a result, could have also reasonably believed that their attempt to recover collection fees did not violate the FDCPA because it was “permitted by law.” In addition, having found the defendants actions to be objectively reasonable, the court was unable to find that the defendants had used false, deceptive, or misleading means to recover the fees in state court in violation of the FDCPA. With regard to the plaintiff’s claim that the defendants violated the FDCPA by including a confession of judgment in the proposed settlement agreement, the court first indicated that it was uncertain whether Petition Clause immunity extended to a settlement offer that was not accepted nor approved by the court. The court determined that it did not need to decide this issue because the plaintiff had failed to establish that the confession of judgment was prohibited by Utah law. Accordingly, the court dismissed the plaintiff’s FDCPA claims and declined to exercise supplemental jurisdiction over her state law claims.
- Stefanie Jackman & Anthony C. Kaye
Fannie Mae to Consider Rental Payment History in Underwriting Decisions
The Federal Housing Finance Agency announced August 11 that Fannie Mae will consider a loan applicant’s rental payment history in making underwriting decisions. According to the FHFA, the change was made as a means of expanding credit access.
The FHFA’s announcement is yet another example of the growing use of alternative data by creditors in making credit decisions. In December 2019, the CFPB, OCC, Federal Reserve Board, FDIC, and NCUA issued an “Interagency Statement on the Use of Alternative Data in Credit Underwriting,” that forth the agencies’ recognition of the benefits of using alternative data in credit decisions.
California Publishes Annual Report on Residential Mortgage Lending Act Activity
The California Department of Financial Protection and Innovation (DFPI) recently released its Annual Report of Activity under the California Residential Mortgage Lending Act for the calendar year of 2020 to provide information on residential mortgage lending loans, rates, consumer complaints, foreclosures, and other data elements for 2020, which were reported by licensees.
Some key finding include:
- The number and principal amount of loans originated by licensees in 2020 increased by 100.5% from 2019, due to favorable real estate market conditions, e.g., lower interest rates;
- Licensees reported fewer consumer complaints concerning non-traditional mortgage loans, showing an 18.4% decrease from 2019;
- The number of licensed lenders and servicers decreased by 0.5% from 2019, due to company mergers; and
- The number of branch locations grew by 7.4%, resulting from an increase of mortgage loan originators (MLOs), some of which opened home-based branch locations.
Reports from prior years can be found on the DFPI’s website.
California MBA’s Q3 Legal Issues Committee Webinar
August 20, 2021 2:00 PM EST
Speakers: Richard J. Andreano, Jr. and Reid F. Herlihy
MBA’s Human Resources Virtual Symposium
Virtual | September 8-9, 2021
COVID-Related and Return-to-Work Legal Questions
Speaker: Meredith S. Dante
COVID-Related and Return-to-Work – Office Hours
Speaker: Meredith S. Dante
Mortgage-Specific and Other Legal Issues
Speakers: Richard J. Andreano, Jr. and Meredith S. Dante
MBA’s Regulatory Compliance Conference
Washington, DC | September 12 - 14, 2021
Applied Compliance Track: LO Compensation
Speaker: Richard J. Andreano, Jr.
Breakout Session: Data Privacy and Security
Speaker: Kim Phan
Breakout Session: State Law Regulatory and Enforcement Trends
Speaker: Stacey L. Valerio
Breakout Sessions: State Licensing Challenges
Speaker: John D. Socknat
Scottsdale, AZ | October 4-6, 2021
Fair Housing and Fair Lending During the Biden Administration
Speaker: Richard J. Andreano, Jr.