On April 16, Comptroller of the Currency Thomas Curry spoke to attendees of the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks to potential third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on controls and risk management practices employed by vendors that provide services to banks and thrifts, Comptroller Curry advised vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”
On April 17, the CFPB issued a guide to completing the disclosure forms required by its November 2013 TILA-RESPA integrated disclosures rule, which generally applies to transactions for which a creditor or broker receives an application on or after August 1, 2015. The guide provides instructions for completing the Loan Estimate and Closing Disclosure and highlights common situations that may arise when completing the forms. The CFPB states in addition to serving as a resource to creditors, the guide also may assist settlement service providers, software providers, and other service providers. The disclosure forms guide follows the release last month of a small entity compliance guide, which summarizes the rule and highlights issues that small creditors, and their partners or service providers, might find helpful to consider when implementing the rule.
On April 15, the SEC’s Office of Compliance Inspections and Examinations announced that it will be conducting cybersecurity examinations of more than 50 registered broker-dealers and registered investment advisers. The examinations will assess each firm’s cybersecurity preparedness and collect information about the industry’s recent experiences with certain types of cyber threats. Specifically, examiners will focus on (i) cybersecurity governance; (ii) identification and assessment of cybersecurity risks; (iii) protection of networks and information; (iv) risks associated with remote customer access and funds transfer requests; (v) risks associated with vendors and other third parties; (vi) detection of unauthorized activity; and (vii) and experiences with certain cybersecurity threats. The SEC included with the announcement a sample document and information request it plans to use in this examination initiative.
On April 11, the Treasury Department submitted to the OMB’s Office of Information and Regulatory Affairs (OIRA) FinCEN’s long-awaited proposed rule to establish customer due diligence requirements for financial institutions. Under executive order, each agency is required to submit for regulatory review rules resulting from “significant regulatory actions,” and OIRA has 90 days to complete or waive the review. The public portion of the FinCEN rulemaking has been ongoing since February 2012 when FinCEN released an advance notice of proposed rulemaking to solicit comment on potential requirements for financial institutions to (i) conduct initial due diligence and verify customer identities at the time of account opening; (ii) understand the purpose and intended nature of the account; (iii) identify and verify all customers’ beneficial owners; and (iv) monitor the customer relationship and conduct additional due diligence as needed. FinCEN subsequently held a series of roundtable meetings, summaries of which it later published.
On April 10, Kentucky Governor Steve Beshear signed into law HB 232 to establish a data breach notice requirement. The new law requires any person or business that operates in the state to provide written or electronic notice to affected state residents of any breach of a security system that exposes unencrypted personally identifiable information. The law requires notification “in the most expedient time possible and without unreasonable delay” upon discovery or notification of a breach, and permits certain substitute forms of notice if the person or business subject to the breach demonstrates that the notice exceeds certain cost or scope thresholds. The law does not require separate notice to the state attorney general, nor does it apply to entities subject to Title V of the Gramm-Leach-Bliley Act or HIPPA. The bill takes effect July 14, 2014. Kentucky’s adoption of a data breach notice law leaves only three states—Alabama, New Mexico, and South Dakota—without such a statutory requirement.
Eleventh Circuit Holds Custodian Bank Has No Duty To Police Securities Transactions By Customer’s Investment Advisor
On April 14, the U.S. Court of Appeals for the Eleventh Circuit held that a custodian bank had no duty under New York or Florida law to identify or alert a customer to fraudulent transactions directed by the customer’s investment advisor. Lamm v. State Street Bank & Trust, No. 12-15061, 2014 WL 1410172 (11th Cir. Apr. 14, 2014). A bank customer sued his bank for breach of contract, breach of fiduciary duty, negligence, and several other common law claims, alleging the bank had a duty to notify him that the securities held by the bank were worthless. The court determined that, although the bank held the assets and could execute certain administrative transactions without prior authorization, transactions beyond these administrative roles were carried out at the direction of the customer’s investment advisor. Accordingly the bank had no responsibility for supervising investments and assumed no liability for losses except those it caused through negligence or willful misconduct. The court held that the customer’s breach of contract and negligence claims failed because (i) the custody agreement provided the bank no decisionmaking role in investments; (ii) the bank had contractual authority to rely on the investment advisor’s instructions; and (iii) the customer failed to demonstrate that the bank had a duty to ensure the investment instruments were valid or to verify their market value. The court further held with regard to the customer’s other claims that (i) the fact that certain securities had facial defects does not raise a plausible inference that the bank knew of the investment advisor’s wrongdoing, and cannot support a claim for aiding and abetting fraud; (ii) the custody terms established an arm’s length agreement with limited obligations and did not establish special circumstances on which a fiduciary duty claim can be made; and (iii) the customer’s negligent misrepresentation claim failed because the customer did not establish that the bank intended to induce him to rely on its alleged representations as to the validity of his securities.
On April 5, Maine Governor Paul LePage signed into law LD 1389, which expedites foreclosures on properties determined by a court to be abandoned by shortening the redemption period from 90 to 45 days. The bill also shortens the period of time within which an action can be filed to challenge the validity of a governmental taking of real property for nonpayment of property taxes from 15 to five years after the expiration of the redemption period. This shorter challenge period applies where the tax lien is recorded after October 13, 2014. The law takes effect 90 days after the legislative session adjourns.
On April 4, Tennessee Governor Bill Haslam signed into law SB 1486, which authorizes registered industrial banks, industrial loan and thrift companies, and industrial investment companies to charge a convenience fee to any borrower making payment by credit card, debit card, electronic funds transfer, electronic check, or other electronic means in order to offset actual costs incurred by the lender. The convenience fees cannot exceed the actual costs incurred by the registrant for each payment type, or the average of the actual cost incurred for the various types of electronic payments accepted by the registrant. Registrants who elect to charge a convenience fee must also allow payment by non-electronic means—check, cash, or money order—without the imposition of a convenience fee. The changes take effect July 1, 2014.
FTC Settles Suit Against Tribe-Affiliated Lenders; Dispute Over CFPB Investigation Of Tribe-Affiliated Lenders Moves To Federal Court
On April 11, the FTC announced that a tribe-affiliated payday lending operation and its owner agreed to pay nearly $1 million to resolve allegations that they engaged in unfair and deceptive acts or practices and violated the Credit Practices Rule in the collection of payday loans. The FTC alleged that the lenders illegally tried to garnish borrowers’ wages and sought to force borrowers to travel to South Dakota to appear before a tribal court, and that the loan contracts issued by the lenders illegally stated that they are subject solely to the jurisdiction of the Cheyenne River Sioux Tribe. The announced settlement payment includes a $550,000 civil penalty and a court order to disgorge $417,740. The companies and their owner also are prohibited from further unfair and deceptive practices and are barred from suing any consumer in the course of collecting a debt, except for bringing a counter suit to defend against a suit brought by a consumer.
Also on April 11, in a separate matter related to federal authority over tribe-affiliated lending, a group of tribe-affiliated lenders responded in opposition to a recent CFPB petition to enforce civil investigative demands (CIDs) the Bureau issued to the lenders. In September 2013, the CFPB denied the lenders’ joint petition to set aside the CIDs, rejecting the lenders’ primary argument that the CFPB lacks authority over businesses chartered under the sovereign authority of federally recognized Indian Tribes. The lenders subsequently refused to respond to the CIDs, which the CFPB now asks the court to enforce. The CFPB argues that the lenders fall within the CFPB’s investigative authority under the terms of the Consumer Financial Protection Act, which the CFPB argues is a law of general applicability, including with regard to Indian Tribes and their property interests. The lenders continue to assert that they are sovereign entities operating beyond the CFPB’s reach.
On April 15, Fannie Mae issued Selling Guide Announcement SEL 2014-03, which includes numerous selling policy updates. Based on a comprehensive review of its current requirements, the announcement provides a series of new or updated property eligibility and appraisal requirements, which must be implemented no later than August 1, 2014. The announcement also states that Fannie Mae is retiring its two-step ARM mortgage, as well as standard ARM plans 1030 and 1031. For mortgage loans with notes dated on or after October 15, 2014 where the lender is registered with MERS, Fannie Mae will also require the use of a new rider to modify the standard security instruments in Montana, Oregon, and Washington. The announcement includes numerous additional miscellaneous policy updates, and notes again the recent publication of the Selling Guide on Fannie Mae’s corporate website.
On March 31, Washington Governor Jay Inslee signed into law HB 2723, which amends the foreclosure mediation process established by the 2011 Foreclosure Fairness Act. The bill, which takes effect June 12, 2014, amends the meet-and-confer process to (i) require that notice of pre-foreclosure options a beneficiary or authorized agent is required to send to the borrower must be sent by first-class registered or certified mail, return receipt requested; (ii) require that in-person meetings must be held in the county where the property is located, unless the parties agree otherwise; and (iii) amend the “foreclosure loss mitigation form” to add options for describing or explaining meet-and-confer efforts. The bill also alters mediation provisions to (i) allow mediation upon agreement of the parties, even if the borrower failed to elect mediation in the required timeframe; (ii) require beneficiaries to disclose any investor restriction that prohibits the beneficiary from implementing a modification and not just the portion or excerpt of a pooling and servicing agreement that includes such a prohibition; and (iii) require mediation to take place in the county where the property is located.
Florida District Court Holds Property Buyer’s Emails With Online Auction Company Are Not An Enforceable Contract
On April 7, the U.S. District Court for the Middle District of Florida dismissed a property buyer’s breach of contract and specific performance claims based on emails from an online auction company, holding that the emails alone did not create an enforceable real estate sales contract. Rouse v. Nationstar Mortg., LLC, No. 14-497, 2014 WL 1365420 (M.D. Fla. Apr. 7, 2014). The buyer, who won an online auction to purchase a property, sued the seller after the seller determined it did not wish to proceed with the sale. The buyer alleged breach of contract and sought specific performance, arguing that an email he received from the online auction company confirming his winning bid for the property and a subsequent email from the auction company indicating that the seller agreed to the terms of the purchase agreement memorialize all of the essential terms of the sale. The court held that even if the auction company’s emails satisfy the writing requirement of the statute of frauds as proper electronically signed documents, the confirmation email specifically stated that the seller’s acceptance of the bid and the purchase of the property was contingent not only on the seller’s approval of the purchase, but also on the execution of the purchase agreement by the winning bidder. Because the purchaser offered no evidence that he executed the purchase agreement, the court dismissed without prejudice the buyer’s breach of contract and specific performance claims. The court dismissed with prejudice the buyer’s equitable estoppel claim, but declined to dismiss the buyer’s unjust enrichment claim to recoup costs associated with repairs the buyer made to the property between the time of the auction and the seller’s decision not to proceed with the sale. The court held that the latter claim is dependent upon the seller’s actual knowledge of the repairs, which cannot be determined at this stage.
On April 17, the FTC announced it is seeking additional public comments on issues explored during a 2013 forum on mobile security. The announcement includes a series of specific questions within the following categories: (i) secure platform design; (ii) secure distribution channels; (iii) secure development practices; and (iv) security lifecycle and updates. The announcement indicates that the FTC is planning a report based on the forum and this subsequent information request. Comments are due by May 30, 2014.
On March 26, Iowa Governor Terry Branstad signed into law HF 2324, which revises the state’s mortgage and consumer credit statutes to align with federal law. The bill amends the current $25,000 loan ceiling applicable to certain consumer credit transactions and replaces it with a “threshold amount” that incorporates by reference limits established under federal Truth in Lending Act. The bill also adopts the federal definition of “points and fees” for mortgage transactions and provides that if a loan is extended with points and fees higher than those specified under federal law the loan is subject to state law, including monetary limits on loan origination or processing and broker fees, a limit on the types of permissible lender charges, and a limit on fees relating to payment of interest reduction fees in exchange for a lower rate of interest. The bill also amends the definition of “finance charge” in the state’s consumer credit code to include an initial charge imposed by a financial institution for an overdrawn account. Finally, the bill adds a new section that allows banks to include in their consumer credit contracts over $25,000 a provision that a consumer is responsible for reasonable attorney fees if the bank is the prevailing party in a lawsuit arising from the transaction. The changes take effect July 1, 2014.