Legal Alert

Mortgage Banking Update - May 30, 2024

May 30, 2024

May 30 – Read the newsletter below for the latest Mortgage Banking and Consumer Finance industry news, written by Ballard Spahr attorneys. In this issue, we discuss the recent SCOTUS decision on the CFPB, the FHA requiring reporting of significant cybersecurity incidents, the Opt-Out Challenge preliminary injunction hearing in Colorado, and much more.


SCOTUS Rules CFPB’s Funding Mechanism Is Constitutional

The U.S. Supreme Court, in a 7-2 decision, ruled today that the CFPB’s funding mechanism does not violate the Appropriations Clause of the U.S. Constitution.

In the Dodd-Frank Act, Congress provided that the CFPB would receive annual funding from the combined earnings of the Federal Reserve System. Each year, the Federal Reserve Board is directed to transfer to the CFPB an amount determined by the CFPB Director to be reasonably necessary to carry out the CFPB’s authorities, with that amount not to exceed 12% of the Federal Reserve’s total operating expenses as reported in 2009 (approximately $600 million) as adjusted for inflation. Among other arguments, the plaintiff trade groups argued that the Bureau’s funding mechanism is too open-ended in duration and amount to satisfy the constitutional requirement that there be an “Appropriatio[n] made by Law.”

The majority decision in CFSA v. CFPB was written by Justice Thomas. Rejecting the plaintiffs’ argument, he wrote:

Based on the Constitution’s text, the history against which that text was enacted, and congressional practice immediately following ratification, we conclude that appropriations need only identify a source of public funds and authorize the expenditure of those funds for designated purposes to satisfy the Appropriations Clause.

Justices Alito and Gorsuch joined in a dissenting opinion.

The Supreme Court’s decision has far-ranging implications, most immediately for cases involving challenges to CFPB regulations or other CFPB actions. Such cases include CFSA itself in which the Fifth Circuit invalidated the CFPB’s payday lending rule based on its conclusion that the CFPB’s funding is unconstitutional and the lawsuit challenging the CFPB’s credit card late fee rule in which the district court relied on the Fifth Circuit’s decision in CFSA to enter a preliminary injunction staying the late fee rule. We will discuss the implications of the Supreme Court’s decision in subsequent blog posts.

Alan S. Kaplinsky

Back to Top

SCOTUS CFSA Decision to Have Broad Impact; Ballard Spahr to Hold May 30 Webinar on Decision

The U.S. Supreme Court’s ruling last week in CFSA v. CFPB that the CFPB’s funding mechanism does not violate the Appropriations Clause of the U.S. Constitution removes what many observers consider to be the last remaining existential threat to the agency. The ruling will have a broad impact on the CFPB’s activities. Soon after the ruling, the CFPB announced its plans to significantly increase the size of its enforcement staff. Dozens of pending matters such as enforcement actions and petitions to modify or set aside civil investigative demands have been stayed pending the outcome in CFSA. Those matters can now move forward.

The Supreme Court’s CFSA ruling will also impact the pending lawsuits challenging CFPB regulatory actions. Indeed, in addition to the underlying lawsuit in CFSA challenging the CFPB’s payday loan rule, it has already impacted the lawsuit challenging the CFPB’s credit card late fee rule. CFSA is expected to impact these pending lawsuits as follows:

  • Late Fee Rule. We have published a separate blog discussing the fast-paced activity in the late fee case since the U.S. Supreme Court’s ruling. As discussed in our blog, because the district court in granting the plaintiffs’ motion for preliminary injunction relied on the Fifth Circuit’s CFSA decision which was reversed by the U.S. Supreme Court, the next round of activity in the case will be focused on whether the district court should continue the preliminary injunction based on the plaintiffs’ non-constitutional arguments and whether the case should again be transferred to D.D.C. Once these issues play out, the most likely scenario is that the parties will file cross-motions for summary judgment based on the plaintiffs’ non-constitutional claims although it is possible the CFPB will file a motion to dismiss.
  • Payday Loan Rule. The case is now back before the Fifth Circuit, having been remanded by the U.S. Supreme Court. In its CFSA decision, while agreeing with the plaintiffs that the CFPB’s funding mechanism was unconstitutional, the Fifth Circuit rejected the plaintiffs’ other arguments for invalidating the payday loan rule. In addition to their funding argument, the plaintiffs argued that:
  • the rule’s promulgation violated the Administrative Procedure Act (APA);
  • the rule was promulgated by a Director unconstitutionally insulated from presidential removal; and
  • the CFPB’s UDAAP rulemaking authority violates the Constitution’s separation of powers by running afoul of the nondelegation doctrine.
  • The U.S. Supreme Court’s grant of certiorari was limited to the Appropriations Clause question. On May 16, immediately following the U.S. Supreme Court’s decision, the plaintiffs submitted a letter to the Fifth Circuit in which they asserted that the Fifth Circuit panel had “erred in its disposition of the non-Appropriations Clause challenges in this case, which the U.S. Supreme Court did not review.” They also asserted that because they were the prevailing party, they did not have a prior opportunity to seek rehearing in the Fifth Circuit concerning those challenges. Accordingly, they stated their intention to file a rehearing petition following entry of any new judgment affirming the district court (which rejected their Appropriations Clause argument). In addition, to give them an opportunity to seek a rehearing, they asked the Fifth Circuit to issue its mandate upon entry of a new judgment in accordance with the default timing provisions in Federal Rule of Appellate Procedure 41, rather than immediately. In October 2021, the Fifth Circuit entered an order staying the compliance date of the payment provisions in the payday loan rule until 286 days after the trade groups’ appeal is resolved. It is possible the CFPB will soon announce a new compliance date for the payment provisions.
  • Small Business Lending Rule. In October 2023, after initially entering a preliminary injunction that was limited to the plaintiffs and their members, the Texas district court extended its preliminary injunction to apply on a nationwide basis. The court’s extended preliminary injunction:

  • stayed all deadlines for compliance with the rule for the plaintiffs and their members, parties that intervened in the lawsuit after the initial ruling and their members, and all covered financial institutions until after the Supreme Court’s CFSA decision, and;
  • required the CFPB, if the U.S. Supreme Court ruled that its funding was constitutional, to extend the deadlines for compliance with the rule to compensate for the period stayed.

Last week, following the U.S. Supreme Court’s decision, the CFPB announced that it plans to issue an interim final rule to extend the rule’s compliance deadlines. It also announced the new compliance dates which are based on 290 days having elapsed between the order extending the preliminary injunction and the U.S. Supreme Court’s CFSA decision. The plaintiffs and intervenors have filed a consolidated motion for summary judgment in which they have argued that the CFPB:

  • exceeded its statutory authority in imposing additional data points that are not mandated by Dodd-Frank, and;
  • acted arbitrarily and capriciously in violation of the APA in promulgating the rule. (In their summary judgment motion, the plaintiffs and intervenors only sought summary judgment on their non-constitutional claims. They did not seek summary judgment on their Appropriations Clause claim but indicated they would seek leave to amend their filings consistent with any applicable direction provided by the U.S. Supreme Court when it ruled in CFSA.) The CFPB has filed a cross-motion for summary judgment.

  • UDAAP Exam Manual. In November 2023, the CFPB filed an appeal with the Fifth Circuit from the Texas federal district order granting summary judgment to a group of trade associations in their lawsuit against the CFPB challenging the changes made to its UDAAP Exam Manual in March 2022. Those changes provided that unfair acts or practices encompassed discriminatory conduct, even in circumstances to which federal fair lending laws, such as the Equal Credit Opportunity Act, did not apply. The Fifth Circuit subsequently entered an order staying further proceedings pending the Supreme Court’s CFSA decision. In granting summary judgment to the trade associations, the district court concluded that the manual changes were invalid because the CFPB’s funding was unconstitutional under the Appropriations Clause, and relying on the Supreme Court’s “major questions doctrine,” the changes exceeded the CFPB’s UDAAP authority. With the Supreme Court having ruled that the CFPB’s funding does not violate the Appropriations Clause, the Fifth Circuit will need to decide whether the district court’s ruling based on the “major questions doctrine” was correct.

The U.S. Supreme Court’s CFSA decision means that the Appropriations Clause argument rejected by the U.S. Supreme Court will not be available as a basis for challenging future CFPB final rules. We note, however, that in an opinion published in today’s Wall Street Journal, Harvard Professor Emeritus Hal Scott calls the CFPB’s victory in CFSA, “pyrrhic” and opines that another Appropriations Clause challenge is available to litigants seeking to challenge CFPB rules based on the fact that the CFPB, under Dodd-Frank, may only receive payments from the Federal Reserve out of “earnings” and the Federal Reserve has lost money since September 2022. Plaintiffs will still be able to challenge future final rules on non-constitutional grounds, such as APA violations.

  • The CFPB has proposed several rules that could be finalized this year. In fact, the CFPB is likely to seek to issue as many final rules as possible within the next month to avoid Congressional Review Act challenges during the next Congress. The proposed rules consist of:
  • rules that would create two registries, one for nonbanks subject to certain enforcement orders and another that would establish a system for the registration of nonbanks subject to CFPB supervision that use “certain terms or conditions that seek to waive consumer rights or other legal protections or limit the ability of consumers to enforce their rights” with arbitration provisions among the terms that would trigger registration;
  • a rule to supervise nonbank companies that qualify as larger participants in a market for “general-use digital consumer payment applications,”
  • a rule restricting overdraft fees, and;
  •  a rule prohibiting NSF fees on certain declined transactions. The CFPB is expected to soon issue a proposed rule on personal financial data rights to implement Section 1033 of Dodd-Frank.

On May 30, 2024, from 12:00 PM to 1:30 PM ET, Ballard Spahr will hold a webinar: “Supreme Court: CFPB Funding Mechanism is Constitutional. What Do Banking Leaders Need to Know?” For more information and to register, click here.

Alan S. Kaplinsky

Back to Top

CFPB Responds to SCOTUS Decision; Extends 1071 Small Business Lending Rule Compliance Dates

On May 16, 2024, the U.S. Supreme Court, in a 7-2 decision, ruled that the CFPB’s funding mechanism does not violate the Appropriations Clause of the U.S. Constitution. That ruling is discussed here.

Shortly after the ruling, the CFPB issued a statement about the decision. It stated that “The U.S. Supreme Court has rejected [the] radical theory that would have devastated the American financial markets. The Court repudiated the arguments of the payday loan lobby and made it clear that the CFPB is here to stay.” The CFPB also stated that, “This ruling upholds the fact that the CFPB’s funding structure is not novel or unusual, but in fact an essential part of the nation’s financial regulatory system, providing stability and continuity for the agencies and the system as a whole.”

Today, the CFPB held a virtual press conference to address industry questions regarding the status of pending matters. The CFPB noted that multiple rules are still under challenge in different courts, including the payday lending rule, credit card late fee rule, and the 1071 small business lending rule. There are also 14 enforcement matters that have been stayed pending the U.S. Supreme Court’s CFSA decision. The CFPB stated that it will file for motions to lift stays for any matter that was paused in anticipation of the CFSA decision. However, the CFPB notes that in each of the stayed matters, opposing parties have raised arguments aside from the constitutional argument, and they will need to resume litigation efforts to fight these matters on the merits. Additional rulings in the rule challenge cases, whether on further preliminary injunction requests, on the merits or otherwise, could further impact the compliance dates or ultimate requirements for challenged rules.

The CFPB also noted, in its press conference, that it anticipated a favorable outcome from the U.S. Supreme Court and that it is “firing on all cylinders,” to get enforcement staff hired, trained, and in the field. The CFPB remarked that it is expanding the enforcement department and is prepared to continue to work on behalf of consumers.

Additionally, the CFPB has issued informal guidance, and will issue an interim final rule, regarding the extension of the 1071 small business lending rule compliance dates. Based on the 290-day period that elapsed between the initial preliminary injunction issued in the Rio Bank lawsuit in Texas to the May 16, 2024 ruling of the Supreme Court, the CFPB extended the compliance dates from the original dates. For Tier 1 institutions, the compliance date is extended from October 1, 2024 to July 18, 2025, with the initial filing being required by June 1, 2026. For Tier 2 institutions, the compliance date is extended from April 1, 2025 to January 16, 2026, with the initial filing required by June 1, 2027. For Tier 3 institutions, the compliance date is extended from January 1, 2026 to October 18, 2026, with the initial filing required by June 1, 2027.

Addressing the ruling, Mortgage Bankers Association President and CEO Bob Broeksmit, CMB, stated:

“MBA is relieved that the Supreme Court avoided a ruling that would have disrupted the housing and mortgage markets and harmed the economy and consumers. While we frequently disagree with the Bureau on how they interpret or enforce particular rules, a decision that would have invalidated the Bureaus’ previous rules could have had severe consequences for single-family and multifamily mortgage markets.”

We will continue to monitor and report updates on the lawsuits that stem from CFPB rule challenges, and any further guidance from the CFPB.

Loran Kilson

Back to Top

Was it a Pyrrhic Victory for the CFPB in the U.S. Supreme Court in CFSA v. CFPB?

On May 16, Justice Thomas issued the majority opinion in which the U.S. Supreme Court held, by a 7-2 vote, that the CFPB’s funding mechanism comported with the Appropriations Clause of the Constitution which states, in relevant part, in Article I, Section 9, Clause 7:

“No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law…”

Specifically, Justice Thomas held:

“Under the Appropriations Clause, an appropriation is simply a law that authorizes expenditures from a specified source of public money for designated purposes. The statute that provides the Bureau’s funding meets these requirements.”

That resolves the constitutional challenge. Left untouched by the U.S. Supreme Court is the statutory question of whether the CFPB and the Federal Reserve Board complied with the requirements of Dodd-Frank in connection with the CFPB’s funding. The Dodd-Frank Act generally provides that the CFPB is funded through requested draws from the Board of Governors of the Federal Reserve System in an amount the agency’s director deems “reasonably necessary to carry out” the agency’s duties, subject to a statutory cap tied to the Federal Reserve System’s operating expenses.

Significantly, the Act only authorizes such draws to be made from “earnings” of the Federal Reserve System. Specifically, the relevant text of the Dodd-Frank Act is clear:

“Each year (or quarter of such year) . . . the Board of Governors shall transfer to the [Consumer Financial Protection] Bureau from the combined earnings of the Federal Reserve System, the amount determined by the Director to be reasonably necessary . . .”

On May 20, Professor Emeritus Hal Scott from Harvard Law School, wrote an op-ed in the Wall Street Journal entitled: “The CFPB’s Pyrrhic Victory in the Supreme Court” and on May 21, Alex J Pollock wrote an article which was published on The Federalist Society website entitled: “The Fed has no earnings to send to the CFPB,” Professor Scott and Mr. Pollock stated that Federal Reserve System started incurring losses in September 2022, that such losses continue to the present day and that the Fed is projected to incur losses until 2027.

It would thus appear that any draws made by the CFPB after August 2022 were ultra vires or just plain unlawful.

This conclusion, which seems correct to me, raises a host of questions like:

  • What is the remedy if it is determined that certain draws were made to the CFPB when the Federal Reserve System was losing money? Does it mean that all regs and proposed regs worked on or defended on or after that date in litigation challenging them are invalid?
  • Is it too late for CFSA to raise this claim with the Fifth Circuit upon remand from the Supreme Court? Will CFSA need to file a separate lawsuit to tee up this issue or has CFSA waived its right to assert this claim. Does it matter that the payday lending rule became final but not effective before September 2022? CFSA’s lawsuit was initiated well before that date.
  • Can all pending enforcement actions challenging final regulations be dismissed?
  • How else can this issue be litigated? A direct lawsuit against the Fed and/or the CFPB? Who would have standing?
  • Would the CFPB need to stop all ongoing regulatory, supervisory, and enforcement activity until the CFPA gets amended to provide an alternative source(s) of funding?
  • Why did the Federal Reserve System all of a sudden start losing money in September 2022? Was it caused by mark-to-market accounting or simply a negative gap between its interest earning assets and interest bearing liabilities?
  • Might consent orders entered into after September 2022 be nullified?
  • Should the Fed seek disgorgement from the CFPB based on draws paid out to the CFPB after September 2022?
  • Must Rohit Chopra be required to resign from the FDIC Board?
  • Can the CFPB continue to pay its employees out of unlawful draws? Must the CFPB seek disgorgement from its employees of amounts that can be traced to unlawful draws?
  • When is it projected that the Fed will start earning money again?

Ballard Spahr will hold a webinar on May 30 to discuss the CFSA v. CFPB opinion and all of its implications. Please register here.

Alan S. Kaplinsky

Back to Top

FTC Webinar Provides Additional Guidance on Final Rule Banning Noncompete Agreements

As we previously reported, here, the Federal Trade Commission (FTC) voted to issue a final rule (the “Rule”) that would prevent most employers from enforcing noncompete agreements against workers, with only limited exceptions for existing noncompetes with senior executives and noncompetes made in connection with the bona fide sale of a business. Briefly, the Rule makes it unlawful for employers to:

  • enter into, or attempt to enter into, a noncompete with a worker;
  • maintain a pre-existing noncompete except for existing noncompetes with senior executives; or
  • represent to a worker that the worker is subject to a noncompete.

The Rule also requires that employers provide notice to current and former employees that their noncompete agreements are no longer enforceable.

Earlier this week, the FTC hosted a Noncompete Rule Compliance Webinar in which the FTC gave an overview of the requirements and prohibitions of the Rule and addressed some provisions in greater detail. Most notably, the FTC highlighted that:

  • The Rule does not apply to noncompetes between a buyer and seller of a business. A seller can enter into a noncompete individually, but not on behalf of any employees.
  • The Rule does not void existing noncompetes with senior executives, which the Rule defines as a worker who received compensation of at least $151,164 in the preceding year (either in total or on an annualized basis) and who holds a policy-making position. The FTC provided clarification on each prong of this test:
    • First, compensation can include salary, commissions, performance bonuses, equity compensation, and any other compensation agreed to that the worker can expect. It does not include benefits, like healthcare or retirement contributions, or lodging.
    • Second, a policy-making position includes a President, CEO, or other individual who has policy-making authority for the company. It would not include the head of a division within a business if their policy-making authority only extends to their division.
  • Note that, while the Rule does not void existing noncompetes with senior executives, it does prevent employers from entering into new noncompete agreements with senior executives after the Rule’s effective date.
  • The Rule does not apply to franchisor/franchisee agreements.
  • The FTC explained that a noncompete is a term or condition of employment that:
    • Explicitly prohibits a worker from seeking or accepting work or starting their own business; e.g., a standard noncompete agreement;
    • Penalizes a worker from seeking or accepting work or starting their own business; e.g., a forfeiture for competition agreement or a severance agreement conditioned on an employee refraining from taking a competing job or starting a competing business; or
    • Functions to prevent a worker from seeking or accepting work or starting their own business; e.g., other restrictive covenants or conditions that prevent such a broad scope of activity that they function to prevent a worker from competing. By way of specific example, the FTC cited a non-disclosure agreement preventing an employee from disclosing in a future job any information that is usable in, or relates to, the industry in which the employee works as a provision that would function as a noncompete and violate the Rule.
  • Garden leave arrangements will not run afoul of the Rule if the worker remains employed and receives the same total annual compensation and benefits on a pro rata basis during the garden leave period.
  • The Rule does not apply to a provision that prohibits an employee from seeking or accepting work with a competitor or starting a competing business outside the United States. Consequently, businesses can continue to use noncompete agreements that prevent workers from accepting work or starting a competing business in another country.
  • Notice to workers must be provided by the effective date of the Rule. Employers who use the model language in the Rule (available on the FTC’s website) to communicate the notice by the effective date will be in compliance with the notice requirement of the rule. Notice may be provided by hand delivery, by mail at last known personal address, by email (including through a mass email to all employees), or by text message.
  • Employers can continue to protect confidential information through appropriately tailored non-disclosure agreements and trade secrets laws and prevent employees from soliciting customers or employees through appropriately tailored non-solicitation agreements.
  • Employers can protect their investments in employee training by entering into agreements with employees for a fixed period of employment as appropriate to the training.

The effective date of the Rule is September 4, 2024. On that date, subject to limited exceptions, noncompetes with workers other than senior executives will no longer be enforceable and employers may not then enter, or attempt to enter, into noncompete agreements with any worker. There are lawsuits currently pending in federal courts in Texas and Pennsylvania challenging the FTC’s authority to issue the Rule and seeking to enjoin the Rule from becoming effective while the legal challenges play out.

Denise M. Keyser, Brian D. Pedrow, Jason A. Leckerman, Leslie E. John & Karli Lubin Talmo

Back to Top

Treasury Issues Broad National Strategy for Combatting Illicit Financing

Strategy Touts Regulations on Beneficial Ownership, Real Estate and Investment Advisers, but Bemoans Lack of Supervisory Resources for Non-Bank Financial Institutions

The U.S. Department of the Treasury has issued its 2024 National Strategy for Combatting Terrorist and Other Illicit Financing (“Strategy”). It is a 55-page document which, according to the government’s press release, “addresses the key risks from the 2024 National Money Laundering, Terrorist Financing, and Proliferation Financing Risk Assessments. . . and details how the United States will build on recent historic efforts to modernize the U.S. anti-money laundering/countering the financing of terrorism (AML/CFT) regime, enhance operational effectiveness in combating illicit actors, and embrace technological innovation to mitigate risks.”

The Strategy discusses an enormous list of topics. Given the breadth of its scope, the Strategy generally makes only very high level comments regarding any particular topic. This post accordingly is extremely high level as well, and offers only a few select comments.

The Strategy identifies four “Priorities” and 15 “Supporting Actions” to support the Priorities. The most efficient way to describe them is to simply set forth this graphic from the Strategy:

Focusing on Priority 1, the Strategy stresses the (evolving) roll-out of the Corporate Transparency Act, as well as AML regulations proposed by the Financial Crimes Enforcement Network (FinCEN) for the residential real estate industry and investment advisers.

More generally, the Strategy states that, in regards to the AML risks associated with so-called “gatekeepers” not currently subject to “comprehensive” AML/CFT measures, “Treasury . . . continues to conduct risk assessments on several professions, sectors, and arrangements . . . , including accountants, attorneys, investment advisers, and trusts. Further, Treasury continues to monitor illicit finance risks related to art and antiquities markets and has analyzed risks related to certain payment processors; precious metals, stones, and jewels . . . dealers; and other entities[.]”

Not surprisingly, the Strategy also states that Treasury is focused on virtual asset service providers, or VASPs, and is “considering potential updates to the U.S. AML/CFT regulatory framework for virtual assets to effectively mitigate illicit finance risks.” As we have blogged, these potential “updates” include a notice of proposed rulemaking by FinCEN that identified international convertible virtual currency mixing as a class of transactions of “primary money laundering concern” pursuant to authority under Section 311 of the USA PATRIOT Act.

Finally – and much more could be said regarding the Strategy – Treasury frankly acknowledges the lack of government resources in regards to supervising non-bank financial institutions, particularly given their increasing importance in light of quickly-evolving technology:

Resource constraints at FinCEN, the IRS, and state and territorial financial regulators can affect the supervision and examination of certain classes of non-bank financial institutions (NBFIs). Supervisory resources must keep pace with the growth and innovation of new products and services to mitigate ML/TF risks to the U.S. financial system.

For example, . . . Treasury recently assessed that the recent growth of online gaming activity has raised the risk profile for U.S. casinos and gaming activity in the United States, especially as an increasing number of state, tribal, and territorial jurisdictions have legalized and operationalized gaming activity. The resourcing and level of training and expertise of regulatory and supervisory regimes for casinos and card clubs varies considerably across federal, state, tribal, and territorial levels and may not have kept pace with the growth of these sectors. For example, the IRS’s Small Business/Self-Employed Division (SB/SE), whose staff is responsible for conducting BSA examinations under delegated examination authority from FinCEN, continues to lack sufficient resourcing to carry out its mission of examining a variety of NBFIs, including casinos and money service businesses (MSBs)—a growing category that includes VASPs. Therefore, Treasury, in partnership with the relevant federal functional regulators, should seek increased resources for FinCEN and the IRS to enhance AML/CFT supervision and examination of higher-risk non-bank financial institutions.

Addressing these challenges will require FinCEN, IRS, and certain other federal, state, and territorial regulators to be appropriately resourced for supervision and enforcement. Additionally, the explosion of new payment channels and financial service providers, including VASPs, over the last decade, have stretched thin the limited supervisory resources historically applied to more traditional MSBs. The existing system of MSB supervision must continue to derive efficiencies from initiatives such as the Nationwide Multistate Licensing System & Registry (NMLS) data reporting system and multistate and state-federal supervision cooperation in the face of resource demands and the complexity of transactions in the rapidly growing virtual asset sector. However, marshaling additional resources at the federal level is necessary to supervise NBFIs such as MSBs, including VASPs; casinos; dealers in precious metals, stones, and jewels; and financial technology companies.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

Peter D. Hardy

Back to Top

FHA Requiring Reporting of Significant Cybersecurity Incidents

In Mortgagee Letter 2024-10, FHA announced a requirement for FHA-approved lenders to notify the U.S. Department of Housing and Urban Development (HUD) of Significant Cybersecurity Incidents. The Mortgagee Letter, which is dated May 23, 2024, provides that the requirement is effective immediately.

For purposes of the reporting requirement, a Significant Cybersecurity Incident (Cyber Incident) is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.”

FHA lenders that experience a suspected Cyber Incident must report the Cyber Incident to HUD’s FHA Resource Center at and HUD’s Security Operations Center at within 12 hours of detection. Reports must include the following information:

  • Lender name
  • Lender ID
  • Name, email address, and phone number of lender’s point of contact for Security Operations Center follow-up activities;
  • Description of the Cyber Incident, including the following, if known:
    • Date of Cyber Incident
    • Cause of Cyber Incident
    • Impact to Personally Identifiable Information
    • Impact to login credentials
    • Impact to Information Technology (IT) system architecture
  • List of any impacted subsidiary or parent companies
  • Description of the current status of the lender’s Cyber Incident response, including whether law enforcement has been notified

The Mortgagee Letter does not include a definition of “Personally Identifiable Information.” The HUD Privacy Handbook provides that pursuant to “the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” The HUD Privacy Handbook sets forth a non-exclusive list of information that may constitute PII on its own or in combination with other information.

Richard J. Andreano, Jr.

Back to Top

Former CFPB Director Kraninger Calls Out the CFPB for Manipulating Data to Serve a Partisan Agenda

Florida Bankers Association President and CEO and former Director of the Consumer Financial Protection Bureau (CFPB) Kathy Kraninger wrote an editorial in the May 14, 2024 American Banker titled “CFPB Must Stop Manipulating Data to Support Its Policy Preferences.” Kraninger served as Director of the CFPB from December 2018 to January 2021. In the editorial, Kraninger cited to the data the CFPB relied upon for its credit card late fee rule and the CFPB’s February 2024 report on credit card pricing. See our previous blog on the February report and our most recent blog on the credit card late fee rule.

With respect to the February report, she explained that the CFPB’s assertion that “larger banks are engaged in anti-competitive and anti-consumer behavior” defies common sense given that there are almost 4,000 credit card issuers. Kraninger asserted that by including credit unions whose rates are capped, the CFPB’s analysis distorted the gap between large and small banks. Kraninger said, “In its February ‘report,’ the bureau went even further — distorting a healthy market to lay the groundwork for an ill-supported late fee rulemaking that will raise costs for the millions of credit card customers who pay on time and reduce access to those most in need of credit products.”

With respect to the credit card late fee rule, Kraninger criticized the CFPB’s use of non-public Y-14 data, which data she called unfit to be used for this purpose. She further noted the CFPB’s failure to conduct the required cost-benefit analysis. Kraninger stated:

The CFPB knows all of this and chose not to address these shortcomings because the information would not advance its agenda. Instead, just in time for President Biden’s State of the Union address in March, the CFPB issued a misguided rule instituting a confusing two-tier system for credit card late fees that is currently being challenged in court. It doesn’t have to be this way.

Kraninger concluded that the CFPB can do better to carry out its mission to stand with consumers and educate them on financial choices. She said, “Manipulating data and misleading the public in pursuit of a policy preference is contrary to that mission. Instead, the agency should play it straight and recommit to only sharing relevant and accurate information. Anything less does a disservice to consumers and only bolsters those who question why the CFPB exists at all.”

We agree with Former Director Kraninger and have previously commented on the CFPB’s actions to carry out the Biden Administration’s political agenda.

Kristen E. Larson

Back to Top

Senate Group’s ‘Roadmap’ is Call-to-Action on AI Innovation

The Bipartisan Senate AI Working Group, led by Senate Majority Leader Chuck Schumer (D-NY) released a comprehensive Roadmap for AI policy entitled, “Driving U.S. Innovation in Artificial Intelligence.” The wide-ranging Roadmap is a call-to-action to Congress, federal agencies, and the private sector to foster advancements in, and address risks posed by, artificial intelligence.

The Roadmap is the culmination of more than 50 hearings and nine Insight Forums with input from over 150 industry experts (including Bill Gates, Elon Musk, Mark Zuckerberg, NVIDIA CEO Jensen Huang, and OpenAI CEO Sam Altman, among others) focused on addressing the potential impacts of AI.

Key Takeaways include:

  • Increased funding for AI research and development
  • Bipartisan collaboration on AI legislation
  • Minimized job displacement due to advances in AI
  • Maintaining and advancing US superiority in AI technologies for national security
  • Maintaining election integrity in the face of AI
  • Protecting children from harms posed by AI and social media

At the outset, the Roadmap calls for robust investment in AI research and development, setting a goal for the Executive Branch and the Senate Appropriations Committee to reach “as soon as possible,” the $32-billion-dollar per year spending level for non-defense AI innovation proposed by the National Security Commission on Artificial Intelligence (NSCAI). The Roadmap is broken down into eight primary sections that lay the groundwork for future legislation and private industry action.

Supporting U.S. Innovation in AI: The Roadmap calls for increased federal spending to fund “a cross-government AI research and development (R&D) effort, including relevant infrastructure that spans the Department of Energy (DOE), Department of Commerce (DOC), National Science Foundation (NSF), National Institute for Standards and Technology (NIST), National Institutes of Health (NIH), National Aeronautics and Space Administration (NASA), and all other relevant agencies and departments.” This spending includes fully funding the CHIPS and Science Act (P.L. 117-167) as well as the DOC, DOE, NSF, and Department of Defense to support semiconductor R&D specific to cutting-edge AI software and hardware.

AI and the Workforce: The Roadmap recognizes “workers across the spectrum, ranging from blue collar positions to C-suite executives, are concerned about the potential for AI to impact their jobs…including potential displacement of workers.” Thus, the Roadmap calls on committees of jurisdiction to “make certain that American workers are not left behind” by developing legislation related to “training, retraining, and upskilling the private sector workforce to successfully participate in an AI-enabled economy.”

High Impact Uses of AI: The Roadmap identifies high impact uses of AI and acknowledges, concern around AI “black-boxes” that “raise questions about whether companies with such systems are appropriately abiding by existing laws.” One area of concern, as discussed in our previous alert in relation to Senate Bill 5351, is covered entities that incorporate artificial intelligence systems into decision-making processes. The Working Group “believes that existing laws, including related to consumer protection and civil rights, need to consistently and effectively apply to AI systems and their developers, deployers, and users.” Thus, the Roadmap encourages committees to “consider identifying any gaps in the application of existing law to AI systems that fall under their committees’ jurisdiction and, as needed, develop legislative language to address such gaps.” The Roadmap also highlights the particular vulnerability of children and the risks posed by AI and social media. The Working Group encourages committees to “develop legislation to address online child sexual abuse material (CSAM), including ensuring existing protections specifically cover AI-generated CSAM,” and particularly encourages consideration of legislation to address issues surrounding so called “deepfakes.”

Elections and Democracy: The Working Group recognizes the risks AI poses to election integrity. During the 2020 and 2024 election cycles, voters complained of rampant AI robocalls impersonating candidates. For example, in the 2024 New Hampshire primary, an AI-generated representation of President Joe Biden called voters encouraging them to “save your vote,” and thus not vote in the primary. Thus, the Roadmap “encourages the relevant committees and AI developers and deployers to advance effective watermarking and digital content provenance as it relates to AI-generated or AI-augmented election content.” The Roadmap calls on AI deployers and content providers to “implement robust protections in advance of the upcoming election to mitigate AI-generated content that is objectively false, while still protecting First Amendment rights.”

Privacy and Liability: Acknowledging that rapid technological advancement and varying degrees of autonomy in AI systems present challenges in assigning liability to AI companies and users, the Working Group encourages “relevant committees to consider whether there is a need for additional standards, or clarity around existing standards, to hold AI developers and deployers accountable if their products or actions cause harm to consumers, or to hold end users accountable if their actions cause harm.”

Transparency, Explainability, Intellectual Property, and Copyright: Acknowledging that advancements in AI go hand-in-hand with intellectual property, the Roadmap encourages review of existing and forthcoming reports from the U.S. Copyright Office and U.S. Patent and Trademark Office on the impact of AI on Intellectual Property Law. The Roadmap encourages committees to “take action as deemed appropriate to ensure the U.S. continues to lead the world on this front,” including consideration of “federal policy issues related to the data sets used by AI developers to train their models.”

Safeguarding Against AI Risks: The Working Group, inspired by “insights provided by experts at the forums on a variety of risks that different AI systems may present,” encourages companies to “perform detailed testing and evaluation to understand the landscape of potential harms and not to release AI systems that cannot meet industry standards.” The Roadmap further encourages committees to “investigate the policy implications of different product release choices for AI systems,” and in particular places a burden on committees to “understand the differences between closed versus fully open-source models,” and develop an analytical framework that “specifies what circumstances would warrant a requirement of pre-deployment evaluation of AI models.”

National Security: National Security is a key concern of the Working Group and the Roadmap encourages the DOD and other agencies to “develop career pathways and training programs for digital engineering, specifically in AI,” encouraging the DOD, DOE, and Office of the Director of National Intelligence to “work with commercial AI developers to prevent large language models, and other frontier AI models, from inadvertently leaking or reconstructing sensitive or classified information.”

In conclusion, the Roadmap emphasizes the need for ongoing collaboration between congressional committees and the Executive Branch, underscoring the importance of a well-coordinated approach to AI policy and legislation to ensure the United States remains at the forefront of AI innovation while managing its risks effectively.

The Roadmap emphasizes the need for ongoing collaboration between Congress and the Executive Branch, underscoring the importance of a well-coordinated approach to AI policy and legislation to ensure the United States remains at the forefront of AI innovation while managing its risks effectively.

Charley F. Brown & Jonathan Hummel

Back to Top

Preliminary Injunction Hearing in Federal Court on Colorado DIDMCA Opt-Out Challenge

On May 16, the U.S. District Court for the District of Colorado held a hearing in NAIB, et al v. Weiser, et al. on a motion filed by three financial services industry trade groups to preliminarily enjoin Colorado from enforcing Colo. Rev. Stat. § 5-13-106 (the “Opt-Out Legislation”) to the extent it purports to apply Colorado’s interest rate and fee limitations to loans made by federally insured out-of-state state-chartered banks to Colorado borrowers. As discussed in prior blog posts here and here, Section 525 of the Depository Institutions Deregulation and Monetary Control Act of 1980 (DIDMCA) allows states to enact laws opting out of DIDMCA Section 521’s preemptive effect with respect to loans “made in” the enacting state. At issue in the litigation is where a loan is made in the case of loans to Colorado residents by insured state banks located in other states. The plaintiff industry groups contend that, for purposes of Section 525, loans to Colorado residents by insured state banks located in other states should be deemed “made in” the state where the bank is located or the state where key lending functions occur. Colorado argues that, for purposes of Section 525, a loan is “made in” the borrower’s state. The FDIC, in an amicus brief in support of Colorado, argues that, for purposes of Section 525, a loan is “made in” both the state where the borrower is located and also the state where the lender is located.

The Opt-Out Legislation is due to become effective on July 1, 2024. The trade groups filed a Motion for Preliminary Injunction on April 2, 2024. In response, the two Defendants named in the lawsuit, the Colorado Attorney General and Colorado Uniform Consumer Credit Code Administrator, filed a brief in opposition, and the FDIC filed an amicus brief in support of the State of Colorado. Plaintiffs filed a reply in support of their motion. Ballard Spahr, acting on behalf of the American Bankers Association (ABA) and the Consumer Bankers Association (CBA), submitted an amicus brief in support of the trade groups.

The preliminary injunction hearing did not involve the testimony of any witnesses or introduction of evidence, but instead counsel for the Plaintiffs, the Defendants, and the FDIC presented oral argument. Counsel for the Plaintiffs provided the Court with a copy of an amicus brief filed by the FDIC in 1992 in Greenwood Trust Co. v. Massachusetts, 971 F.2d 818 (1st Cir. 1992), in which the FDIC had taken a position diametrically contrary to its current interpretation of where a loan is made for purposes of Section 525 of DIDMCA. In that prior brief, the FDIC argued that because Greenwood Trust was a Delaware state bank, its extensions of credit to its Massachusetts credit card borrowers were not “made in” Massachusetts, and “the fact that a State has countermanded under section 525 should not affect the usury preemption of section 521 for a bank not located in that state.” Counsel for the FDIC did not address this about-face at the preliminary injunction hearing.

The Court asked questions of all counsel at the hearing and stated that it would rule on the motion for a preliminary injunction before the Opt-Out Legislation is due to become effective on July 1.

Burt M. Rublin, Alan S. Kaplinsky, Matthew A. Morr, Joseph J. Schuster, Ronald K. Vaske & Catherine J. Warren

Back to Top

Minnesota Legislature Sends Privacy Bill to Governor

Minnesota becomes the latest state to move to pass legislation regulating the processing and controlling of personal data (HF 4757 / SF 4782). If signed into law by Governor Tim Walz, the Minnesota Consumer Data Privacy Act, or MCDPA, would go into effect on July 31, 2025 and provide various consumer data privacy rights and impose obligations on entities that control or process Minnesota residents’ personal data.

The MCDPA applies to entities controlling or processing personal data of 100,000 consumers or more or that derive over 25% of their revenue from the sale of personal data and process or control personal data of 25,000 consumers or more. Following in the footsteps of Texas and Nebraska, the MCDPA exempts small businesses as defined by the United States Small Business Administration. The law also contains targeted data-level exemptions for health and financial data processing, but not entity-level exemptions.

In addition to the right to access, rectification, erasure, portability, and opt-out of targeted advertising, sale of personal data, and profiling, under the MCDPA, consumers also would also have the novel right to question the result of a profiling decision and request additional information from a controller regarding that decision.

The MCDPA outlines several responsibilities to which controllers of data must comply, some of which are new obligations beyond what are contained in other laws. For example, the MCDPA requires that a “controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities.” The maintenance of this type of inventory is a first under U.S. state privacy law.

There are also data obligations relating to transparency in privacy notice and disclosure; limitation of the use of data in relation to processing and physical data security practices; nondiscrimination in the processing of personal data; and an obligation to appoint a chief privacy officer or privacy lead for the organization.

Enforcement would fall under the purview of the Minnesota Attorney General and businesses would have a 30-day right to cure period, which expires January 31, 2026.

Assuming it is signed into law as expected, Minnesota will join the ranks of the 17 other states (18 counting Florida) that have passed comprehensive consumer privacy acts. As with each of the other states’ acts, Minnesota’s bill shares some similarities with these other acts while also containing some unique provisions. Businesses in Minnesota would do well to start reviewing procedures and processes in preparation for the MCDPA.

Sarah B. Dannecker, Gregory P. Szewczyk & Sarah Elena De Los Santos Samaniego

Back to Top

CFPB Director Addresses Credit Report Fees Before the Mortgage Bankers Association

As part of the CFPB’s crusade against junk fees, CFPB Director Rohit Chopra, addressed credit report fees in prepared remarks at the Mortgage Bankers Association’s Secondary & Capital Markets Conference & Expo 2024. While Director Chopra began his remarks by commenting on the increasing cost of mortgage loan transactions, stating that both consumers and lenders are negatively affected, he focused most of his remarks on the increasing costs of obtaining consumer credit reports. In particular, he discussed the impact of the increasing costs on lenders and consumers, and CFPB plans to address those costs. Director Chopra explained that many lenders are concerned with the increased price of obtaining credit reports, since many lenders pull credit reports multiple times between the initial application and the time a loan is packaged and sold in the secondary market. These costs multiply when there are multiple borrowers on one loan transaction. He noted that many investors require reports from Equifax, Experian, and TransUnion, often referred to as a tri-merge report, so mortgage lenders “often end up paying for essentially the same information six or 12 times.” Director Chopra also noted that lenders must pay fees to have the reports transmitted in the correct machine-readable format to the initial purchaser of the loan, as a precursor to the loan’s securitization, and that there are also usually additional fees for things like employment verification. He explained that lenders often pass these costs to borrowers in the form of origination fees or interest rates, increasing costs across the industry.

He went on to criticize the cost model for obtaining credit reports. Specifically, Director Chopra stated that last year, a single credit report cost between $18 to $30 for an individual report, $24 to $40 for a joint report, and $40 to $60 for a tri-merge report provided by resellers. He stated that in November 2023, FICO announced that it would charge lenders a flat fee for access to FICO scores, which increased credit report costs by 400% for many lenders. Director Chopra added that credit reporting companies now pay FICO a licensing fee of $3.50 per score used, or about $10 for a tri-merge report and score bundle, which doubles if there are two borrowers on a transaction. Director Chopra also criticizes FICO’s new policy of charging the same amounts for “soft” and “hard” pulls of credit reports, despite what he refers to as a “significant difference between the two data reports.” Further, he stated that “credit reports are often rife with inaccuracies discovered by borrowers and lenders” and that the “credit reporting industry has actually devised a way to profit from those problems – it’s called the “rapid rescore.” It’s a pay-to-play service where mortgage loan officers can, for an extra fee, get consumer credit files reviewed and updated quickly.”

Director Chopra noted that the increasing costs of using credit reports adds up to significant costs for consumers, especially in addition to higher interest rates, mortgage insurance for consumers that make smaller downpayments, and other closing costs. He advises that the CFPB is “eager to hear from lenders and will look at possible rulemaking and guidance to improve competition, choice, and affordability.” The CFPB is also conducting market research related to “open-banking” and alternative channels for collection of consumer data that could be used for underwriting, at lower costs to lenders and consumers. Director Chopra noted that the Federal Housing Finance Agency (FHFA), which oversees Fannie Mae and Freddie Mac, is facilitating the use of new approaches to credit scoring, and allowing consumers greater ability to share their information with lenders. Relatedly, in October 2023, the CFPB proposed the Personal Financial Data Rights rule. According to the CFPB, under this rule, “[p]eople would have a legal right to grant third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts. This type of data can help firms provide a wide range of products and services, including cash flow-based underwriting that stands to improve pricing and access across credit markets.”

In his final remarks, Director Chopra stated, “we have a lot to do to think about how we’ll use data in ways that broadly benefit the market, rather than just give a handful of firms the ability to extract junk fees and push up costs for everyone.”

Loran Kilson & Richard J. Andreano, Jr.

Back to Top

Looking Ahead

Interest Rate Exportation Under Attack

A Ballard Spahr Webinar | June 6, 2024, 1:00 PM – 2:30 PM ET

Moderator: Alan S. Kaplinsky; John L. Culhane, Jr.; Joseph Schuster; Ronald K. Vaske; Mindy Harris; Kristen Larson

QC Now: Mortgage Compliance Hot Topics: PART I

ACES Webinar | June 6, 2024, 2:00 PM - 3:00 PM ET

Speaker: Richard J. Andreano, Jr.

Back to Top 

Subscribe to Ballard Spahr Mailing Lists

Get the latest significant legal alerts, news, webinars, and insights that affect your industry. 

Copyright © 2024 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.