On October 17, the FTC released the agenda for its upcoming FinTech forum, which is the second in an ongoing event series. The FTC’s half-day event will take place on October 26 in Washington, DC from 1:00 to 4:30 pm. The event will consist of panel discussions relating to (i) peer-to-peer payment systems, which allow consumers to exchange money electronically; and (ii) crowdfunding, which is the use of online platforms to fund a project or venture by raising money from a large number of people.
On October 19, the FDIC, the OCC, and the Federal Reserve issued an Advance Notice of Proposed Rulemaking (ANPR) to further the “development of enhanced cyber risk management standards for the largest and most interconnected entities under their respective supervisory jurisdictions, and those entities’ service providers.” These standards, according to the ANPR, are intended to “increase the operational resilience” of supervised entities and their service providers and, based on the interconnectedness of these entities, “reduce the impact on the financial system in case of a cyber event experienced by one of these entities.” The ANPR proposes organizing enhanced cyber standards into the following categories: (i) cyber risk governance; (ii) cyber risk management; (iii) internal dependency management; (iv) external dependency management; and (v) incident response. The ANPR further explains that the banking agencies “are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.” Comments on the ANPR, which would not apply to community banks, are due January 17, 2017.
On October 17, the CFPB Student Loan Ombudsman (Ombudsman) released a report on student loan complaints related to debt collection and servicing issues submitted to the CFPB between September 1, 2015 and August 31, 2016. During the period covered in the report, the CFPB received approximately 5,500 private student loan- and 2,300 debt collection-related complaints. Following an August 18 CFPB report that focused primarily on student loan complaints regarding income-driven repayment (IDR) plans, the Ombudsman’s recently issued report emphasizes alleged breakdowns in the “rehabilitation” process: “The majority of borrowers who cure a default and seek to enroll in IDR do so by first rehabilitating their defaulted debt. However, these borrowers describe a range of communication, paperwork processing, and customer service breakdowns at every stage of the default-to-IDR transition.” According to the report, borrowers attempting to enroll in IDR plans face issues such as: (i) delays, do-overs, and dead ends when working with debt collectors to establish and verify income-driven rehabilitation payment amounts; (ii) communication gaps between debt collectors and servicers when transferring a borrower out of default and into an IDR plan; and (iii) servicers failing to “proactively take the steps necessary to help them understand how to access IDR and quickly enroll,” in some cases leading to subsequent delinquency and re-default. The report recommends that policy makers and industry stakeholders reform the default-to-IDR transition process by, among other things, (i) streamlining and simplifying its structure; (ii) improving borrower communication; and (iii) reevaluating the economic incentives currently in place for debt collectors and student servicers to encourage long-term borrower success, rather than focusing on short-term borrower outcomes.
On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in summer 2015. Use of the Assessment, which was developed to help financial institutions identify risks and assess cybersecurity preparedness, is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.
On October 11, the CFPB issued a consent order to a Virginia-based federal credit union to resolve allegations that its debt collection activities were unfair and deceptive in violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act. According to the CFPB’s consent order, the credit union failed to implement adequate compliance controls and employee training on debt collection communications. The credit union’s actions involved employees who sent letters to “hundreds of thousands” of consumers containing various misrepresentations regarding the handling of consumer debt. The consent order alleged that these debt collection letters falsely threatened legal action, wage garnishment, and contacting servicemembers’ commanding officers for failure to remit payments. The consent order also noted that the same threats were made via telephone. The CFPB further contends that the credit union (i) sent approximately 68,000 letters misrepresenting the credit consequences of falling behind on a loan, alleging that members would “find it difficult, if not impossible, to obtain additional credit because of [their] present unsatisfactory credit rating” (internal quotations omitted); and (ii) restricted consumers’ electronic account access and electronic account services – without providing adequate notice – once their accounts became delinquent. Pursuant to the consent order, the credit union must (i) pay $23 million in consumer redress; (ii) pay a $5.5 million civil money penalty; and (iii) establish a comprehensive compliance plan regarding its policies and procedures on consumer debt collection communications and electronic account restrictions.