EDITOR'S NOTE

Call us "Hobbits" if you will, Senator McCain, but expect more Dodd-Frank mirth. July 21, 2011, marked the first birthday and look how it's grown! We can hardly wait for Dodd-Frank to stop burping up formula, start crawling around, knocking things over, and screaming, "Mine!" Can we child-proof the banks?

Speaking of which, there is nothing funny about Basel III (we wish), unless your interests tend toward fingernails on chalkboard. As we report here, a lot has happened on the banks of the Rhine since we last met. We also report on Dodd-Frank, hostilities over debit interchange and mortgage loan-mods, privacy, and those wacky post-Concepcion decisions that are bulldozing aside the remaining obstacles to consumer arbitration—that, and much more.

Until next time, we'll leave our closing remarks to Texas Governor Rick Perry, who in June 2005 was overheard saying at the close of an interview while the broadcast feed was still live: "Adios, mofo."

William Stern, Editor-in-chief

ARBITRATION REPORT

Hello Arbitration! Living in a Post-Concepcion World

Following the Supreme Court's recent decision in AT&T Mobility v. Concepcion, 131 S. Ct. 1740 (U.S. 2011), courts across the country have been bulldozing aside class action waivers as well as other remaining obstacles to consumer arbitration. The Third and the Eleventh Circuits, in particular, have taken the lead.

In Cruz v. Cingular Wireless, LLC, 2011 U.S. App. LEXIS 16811 (11th Cir. Aug. 11, 2011), the panel held that plaintiffs in a putative consumer protection class action against AT&T Mobility's predecessor, Cingular Wireless, must arbitrate their claims under the Florida Deceptive and Unfair Trade Practices Act ("FDUTPA") on a non-class basis. And in Litman v. Cellco Partnership, No. 08-4103 (3d Cir. Aug. 24, 2011), the Third Circuit agreed, upholding a class action waiver in the first federal appeals court decision to apply Concepcion to a non-AT&T arbitration agreement.

The plaintiffs in Cruz argued on appeal that the class action waiver in the arbitration provision of their wireless service agreement was unenforceable because it "hindered the remedial purposes of the FDUPTA by effectively immunizing ATTM from liability for unlawful business practices, in violation of public policy." That argument was a nonstarter after Concepcion and was readily rejected by the Eleventh Circuit. Like Concepcion, the plaintiffs did not allege any defects in the formation of the contract, aside from its adhesive nature. Further, the panel held that the Florida law is preempted by the Federal Arbitration Act to the extent it would require classwide arbitration "simply because the case involves numerous small-dollar claims by consumers against a corporation, many of which will not be brought unless the Plaintiffs proceed as a class."

The Third Circuit decision in Litman is notable because, just a few weeks earlier, a New Jersey state appellate court refused to enforce a class action waiver, finding the provisions "too confusing, too vague, and too inconsistent." See NAACP of Camden County East v. Foulke Management Corp., No. A-1230-09T3, 2011 N.J. Super. LEXIS 151, *2 (App. Div. Aug. 2, 2011). This schism is one we've seen in other states (read, California). Apparently, some state judges have a hard time with the Supremacy Clause.

Many district courts have similarly enforced class action waivers, and have rejected the usual bag of tricks employed to defeat motions to compel arbitration, such as waiver (see, e.g., Estrella v. Freedom Fin., 2011 U.S. Dist. LEXIS 71606 (N.D. Cal. July 5, 2011) (rejecting argument that defendants waived their right to arbitrate by litigating the case for over two years)) and the lack of arbitration discovery (see, e.g., Hopkins v. World Acceptance Corp., 2011 U.S. Dist. LEXIS 79770 (N.D. Ga. June 29, 2011) (rejecting argument that limited discovery in arbitration prohibited full vindication of rights)). Even courts in California, where the original hostility to class action waivers was born, have been enforcing class action waivers in consumer agreements. Meanwhile, consumer groups have been screaming like the monkeys in Angry Birds, demanding a legislative end to Concepcion. Congress has obliged by reintroducing the Arbitration Fairness Act. The bill, first introduced in 2007, would ban forced arbitration clauses in employment, consumer, and civil rights cases. It is hard to imagine the bill being passed by this particular Congress, but stay tuned.

For more information, please contact Rebekah Kaufman at rkaufman@mofo.com.

BELTWAY REPORT

FinCEN Finally Issues Prepaid Access Rule

After significant pressure from Congress and pursuant to a CARD Act mandate, on July 29, FinCEN published a rule amending the Bank Secrecy Act regulations to address "prepaid access." As a result, non-bank "providers" and "sellers" of prepaid access may have to register with FinCEN as an MSB and may have to maintain a money laundering program, file suspicious activity reports, retain records, and collect customer identification information at the point of sale. A "prepaid program" is defined broadly to include most prepaid cards, but there are numerous exemptions, including exemptions for certain open-loop cards under $1,000 and certain closed-loop cards under $2,000. The rule becomes effective on September 27, 2011, but "providers" can register on January 29, 2012.

For more information, please contact Rick Fischer at lfischer@mofo.com, Obrea Poindexter at opoindexter@mofo.com or Sean Ruff at sruff@mofo.com, or visit our website at http://www.mofo.com/files/Uploads/Images/110805-FinCEN-Access-Rule.pdf .

OCC Issues Guidance on Prepaid Products

With prepaid products becoming more sophisticated, federal and state regulators are asking banks that offer such products to develop comprehensive risk-management policies and procedures to guard against potential fraud and money laundering. On June 29, the Office of the Comptroller of the Currency ("OCC") released national bank guidance on prepaid access. The bulletin provides guidance to banks to ensure they develop and implement a comprehensive risk management program that reflects the nature and complexity of prepaid access products. The OCC states its belief that the risks increase when the prepaid access program has more advanced functionality, such as international funds transfers, card-to-card funds transfers, Internet transfers, and mobile phone banking.

For more information, please contact Rick Fischer at lfischer@mofo.com or Obrea Poindexter at opoindexter@mofo.com.

Who is Larger?

The Bureau of Consumer Financial Protection ("CFPB") requested comment with respect to the CFPB's authority to establish a supervisory program for nonbanks covered by the Dodd-Frank Act. Specifically, the Act provides the CFPB with the ability to supervise "any covered person who . . . is a larger participant of a market [sector] for other consumer financial products or services," and to issue a final rule determining when a covered person is a larger participant of a market sector. The CFPB asked for comment on how to define markets, how to determine who is a larger participant in that market, and what data the CFPB should use. Comments were due on August 15. Following the CFPB's review of comments, the CFPB is expected to issue a proposal specifically defining the criteria for determining who is a larger participant.

For more information, please contact Andrew Smith at andrewsmith@mofo.com or Obrea Poindexter at opoindexter@mofo.com.

GSE Reform

We are now three years into the federal takeover of Fannie Mae and Freddie Mac, with a promise at that time of a 1-2 year conservatorship, but we are still no closer to a succession plan than we were in September 2008. Regularly over the course of the last few years, we have been asked by clients to update them on the status of GSE reform, and sometimes asked to predict when we will see significant progress toward GSE reform. Currently, there are more than 20 distinct bills that address Fannie Mae and Freddie Mac, and more have been proposed but not yet formally introduced. The bills are diverse—some call for discrete changes, while others call for winding down the GSEs or merging the GSEs into a single FHFA-regulated corporation without profits or shareholders. It may be too early yet to offer any informed guesses as to which of these bills will gain support, especially given the election cycle that is now underway. A summary of the bills can be found at http://www.mofo.com/files/Uploads/Images/110725-GSE-Reform.pdf.

For more information, please contact Jerry Marlatt at jmarlatt@mofo.com or Kenneth Kohler at kkohler@mofo.com.

New Regulatory Scheme for Remittance Transfers

As required by the Dodd-Frank Act, the Federal Reserve Board ("FRB") published a proposed rule setting forth an entirely new regulatory scheme for companies, including banks, that provide remittance transfers, i.e., electronic transfers of money from U.S. consumers to recipients in foreign countries. The FRB's proposal would: (1) require that specific disclosures be given to each "sender" of a remittance transfer showing how much money will be received by the recipient of the transfer in local currency; (2) enable senders to dispute errors for up to 180 days following a remittance transfer; and (3) impose vicarious liability on remittance transfer providers for the acts or omissions of their agents. The comment period closed on July 22. The CFPB is now responsible for the rulemaking and is expected to issue a final rule in coming weeks.

For more information, please contact Ezra Levine at elevine@mofo.com, Andrew Smith at andrewsmith@mofo.com or Sean Ruff at sruff@mofo.com, or visit our website at http://www.mofo.com/files/Uploads/Images/110523-Federal-Reserve-Board-Proposes-New-Regulatory-Scheme-for-Remittance-Transfers.pdf .

Business Roundtable Pounds Table

Are the flood gates open with respect to challenges to Dodd-Frank after the D.C. Circuit's decision in Business Roundtable v. SEC, No. 10-1305 (D.C. Cir. Jul. 22, 2011), which struck Rule 14a-11 because it failed to assess economic consequences? Industry representatives have begun to explore legal challenges to the Securities and Exchange Commission's ("SEC") latest corporate whistle-blower program and a provision surrounding the extraction of oil and natural gas from foreign countries. In addition, industry representatives are also challenging the Commodity Futures Trading Commission's plan to curb speculative trading.

Lurking behind these challenges is the Business Roundtable decision. The legal challenges are based on a 1996 law that requires the SEC to promote "efficiency, competition and capital formation." The law enabled the financial industry to build lawsuits around the economic costs of a rule, regardless of its merits.

For more information, please contact Dwight C. Smith at dsmith@mofo.com.

MORTGAGE REPORT

Federal Reserve Issues Proposed Ability-to-Repay Rule

On April 19, 2011, the FRB issued a proposed rule to implement the ability-to-repay requirements for closed-end residential loans. The proposed rule is designed to implement Section 1411, Section 1412, and part of Section 1414 of the Dodd-Frank Act. This was the subject of our prior client alert, which provides background information, summarizes the proposed rule, and offers some commentary. The client alert can be found at http://www.mofo.com/files/Uploads/Images/110428-Federal-Reserve-Issues-Proposed-Ability-to-Repay-Rule.pdf.

For more information, please contact Joe Gabai at jgabai@mofo.com.

Does Anyone Really Know What Time It Is?

Remember that top ten hit by "Chicago"? As I was walking down the street one day (July 28, to be exact), the Chicago City Council passed a sweeping "lender responsibility law" to go after lenders for routine upkeep on vacant homes before foreclosure proceedings are completed. The ordinance attempts to make lenders responsible by changing the municipal code to include a mortgagee in the definition of property owner, even though mortgagees cannot assume possession under state law. Lenders' purported responsibilities can include boarding up entrances, responding to complaints, landscaping, shoveling snow, and mitigating nuisances. The ordinance was opposed by lenders and federal officials who argued the measure conflicts with state law and places ownership burdens on lenders during the foreclosure process when a lender has no legal title to the property. The ordinance may face a constitutional challenge on the grounds it violates lenders' Fourteenth Amendment right to equal protection. As the lads said, "We've all got time enough to cry."

For more information, please contact Michael Agoglia at magoglia@mofo.com.

CFPB Collects More Feedback on Mortgage Disclosures

In August, the CFPB introduced a proposed two-page document to combine the Truth In Lending Act mortgage disclosure form with the Good Faith Estimate disclosure form from the Real Estate Settlement Procedures Act. The CFPB is trying to preserve the ability of borrowers to shop around and know the type of loan they are getting early on in the origination process. In this third round of public commentary and consumer testing, the agency said the streamlined document, among other things, balances fees itemization with a simpler, concise presentation. The CFPB had said it would spend the next months accelerating its work on regulations concerning the proposed mortgage disclosure forms.

For more information, please contact Joe Gabai at jgabai@mofo.com.

Proposed Class Settlement for Servicemembers

The parties in Rowles, et al. v. Chase Home Finance, LLC, in the United States District Court for the District of South Carolina, reached a proposed class settlement, which was preliminarily approved by the court earlier this year. The proposed settlement seeks to resolve allegations that Chase violated the Servicemembers Civil Relief Act ("SCRA") by failing to provide certain protections to servicemembers' mortgage loans, home equity loans, and lines of credit while they were on active duty or for some period following active duty. The parties will be back in court in the fall for the Fairness Hearing, where the court will consider whether the proposed settlement is fair, reasonable, and adequate.

In May, the U.S. Department of Justice announced separate settlements with BAC Home Loans Servicing LP and Saxon Mortgage Service, Inc. to resolve claims that each violated the SCRA via wrongfully foreclosing upon active duty servicemembers. BAC is to pay $20 million to resolve a lawsuit alleging that it improperly foreclosed on 160 servicemembers. Additionally, BAC is required to implement numerous corrective measures to ensure future SCRA compliance. Saxon is to pay $2.35 million to resolve a lawsuit alleging it wrongfully foreclosed on 17 servicemembers. Saxon has also agreed to take numerous measures to ensure its SCRA compliance.

For more information, contact Michael Agoglia at magoglia@mofo.com.

Loan-Mod Lit Moves and Stalls

The wave of HAMP litigation continues to shift as new theories are struck down by the courts. In what should serve as a final blow to the original challenges, the district court in Edwards v. Aurora Loan Services, LLC issued a thorough decision dismissing plaintiffs' claims for breach of the Servicer Participation Agreement ("SPA"), breach of the implied covenant of good faith and fair dealing based on the SPA, and due process violations. See 2011 U.S. Dist. LEXIS 62462 (D.D.C. June 14, 2011) (concluding that "the significant discretion built into the Aurora SPA and the HAMP Guidelines precludes a finding that plaintiffs could have reasonably relied on receiving a loan modification").

Cases continue to be filed pursuing the theory that the initial version of the HAMP Trial Period Plan ("TPP") qualifies as a contract. "A contract for what?" remains an open question, even under the theories advanced, but some of the formulations by plaintiffs would require that the servicer guarantee a permanent modification based only on the borrower's submission of the required documentation and the trial payment. Almost all of the plaintiffs entered into trial plans under unverified stated-income programs at the outset of HAMP, and with a TPP notice no longer in use. But even as to these TPPs, courts have reached a very different conclusion about whether or not plaintiffs' claims can survive a motion to dismiss, with a majority now concluding that the plaintiffs do not allege viable theories for breach of contract, unfair practices, or misrepresentation. See, e.g., Morales v. Chase Home Finance LLC, 2011 U.S. Dist. LEXIS 49698 (N.D. Cal. Apr. 11, 2011); Wigod v. Wells Fargo Bank, N.A., 2011 U.S. Dist. LEXIS 7314 (N.D. Ill. Jan. 25, 2011); Senter v. JPMorgan Chase Bank, N.A., Case No. 11-60308-WPD (S.D. Fla. August 9, 2011).

Dismissals are now on appeal in the Seventh and Ninth Circuits. The pace of filings has led to renewed MDL attempts in cases involving Chase and Citi, which will be heard this September by the JPML. There are also a number of cases in the HAMP litigation that actually pertain to non-HAMP repayment and forbearance plans or alternative programs, which involve different documentation, protocols, and conditions from HAMP.

For more information, please contact Michael Agoglia at magoglia@mofo.com.

OPERATIONS REPORT

The Risk Remains the Same

The federal banking agencies quickly issued guidance in the wake of Standard & Poor's recent downgrade of the U.S. long-term credit rating. The agencies stated that for risk-based capital purposes, the risk weights for Treasury securities and other securities issued or guaranteed by the U.S. government, government agencies, and government-sponsored entities will not change.

For more information, please contact Oliver Ireland at oireland@mofo.com.

Yippee! Basel III

The Basel Committee on Banking Supervision ("BCBS") has not been lying idle at the beach this summer. It has issued three papers of some consequence: (i) loss absorbency, (ii) remuneration, and (iii) bilateral counterparty credit risk, and none of it is a light "beach read." Let's dig in.

Loss Absorbency

BCBS recently published a paper that sets out proposals for an assessment methodology for determining whether a banking institution should be regarded as a globally systemically important bank ("G-SIB") and the additional capital requirements that G-SIBs should be subject to. In a related paper, the Financial Stability Board ("FSB") sets out proposals for a framework for the resolution of failing institutions.

For more information, please contact Peter Green at pgreen@mofo.com or Jeremy Jennings-Mares at jjenningsmares@mofo.com, or visit our website at http://www.mofo.com/files/Uploads/Images/110812-Loss-Absorbency-Requirements.pdf .

Remuneration

In its supplemental Pillar 2 (supervisory review process), the BCBS offered guidance addressing perceived weaknesses that were revealed in some banks' risk management processes during the recent financial turmoil. The guidance included a set of "Principles for Sound Compensation Practices," which had been published in April 2009 by the FSB. One of these principles was that "[f]irms must disclose clear, comprehensive and timely information about their compensation practices." The FSB, however, has noted that there are significant variances in compensation-related disclosure across different jurisdictions. This prompted the FSB to recommend that detailed disclosure requirements be incorporated into Pillar 3 (of Basel II) in order to be more prescriptive and engender greater uniformity across the different jurisdictions.

As a result, the BCBS recently published its proposed Pillar 3 disclosure requirements for remuneration. BCBS believes the proposed requirements will "allow market participants to assess the quality of the compensation practices and the quality of support for a firm's strategy and risk posture."

For more information, please contact Lewis Lee at lewislee@mofo.com or Jeremy Jennings-Mares at jjenningsmares@mofo.com, or visit our website at http://www.mofo.com/files/Uploads/Images/110729-Basel-Pillar-3.pdf .

Bilateral Counterparty Credit Risk

Earlier this summer, the BCBS finished its review of the Basel III capital treatment for counterparty credit risk in bilateral trades. Following the review, it has made a minor change to the credit valuation adjustment, which is the measure of the risk of loss caused by changes in the credit spread of a counterparty due to changes in its credit quality. The existing Basel II regime addressed counterparty default and credit migration risk, but not the risk of mark-to-market losses caused by credit valuation adjustments.

For more information, please contact Peter Green at pgreen@mofo.com or Nimesh Christie at nchristie@mofo.com, or visit our website at http://www.mofo.com/files/Uploads/Images/110622-Basel-Committee-revises-Basel-III.pdf .

Blow Out the Candles: Dodd-Frank at One Year

One year ago, President Obama signed into law the Dodd-Frank Act. While the Act focuses principally on changes to the financial regulatory system, several corporate governance, compensation, and disclosure provisions of the Act specifically target public companies of all types. In particular, in the past year, the SEC has adopted rules implementing the Say-on-Pay, Say-on-Frequency, and Say-on-Golden Parachute requirements of the Dodd-Frank Act. Final rules have also been adopted prohibiting broker discretionary voting on executive compensation matters. In addition, the SEC has proposed rules regarding compensation committee independence and the use of compensation consultants and other advisers, but has not yet adopted any final rules. Further, the SEC has proposed rules implementing the Specialized Corporate Disclosure provisions, but has not yet adopted final rules. Final action on these proposed rules and expected rules is planned for later this year.

For more information, please contact David Lynn at dlynn@mofo.com, or visit our website at http://www.mofo.com/files/Uploads/Images/110721-Dodd-Frank-One-Year-Later.pdf .

Dodd-Frank: The Disorderly Orderly

The FDIC Board approved a final rule on the orderly liquidation process, which was the culmination of a series of rulemaking efforts begun earlier this year. The rule implements several provisions of Title II of the Dodd-Frank Act. Title II establishes an "orderly liquidation authority" (the "OLA") through which the FDIC can be appointed as receiver and liquidate a covered financial company, such as a bank holding company, whose failure threatens to have serious adverse effects on financial stability in the U.S. An in-depth understanding of the final rule and its various potential effects is critical not only for financial companies who may fall under Title II's umbrella, but also the creditors of, potential investors in, and senior executives employed by such financial companies.

For more information, please contact Dwight C. Smith at dsmith@mofo.com or Alexandra Steinberg Barrage at abarrage@mofo.com, or visit our website at http://www.mofo.com/files/Uploads/Images/110711-Dodd-Frank-Rulemaking-Update.pdf .

PLASTIC REPORT

Debit Interchange

On July 20, the FRB issued its highly anticipated final rule ("Regulation II") to implement the debit interchange and exclusivity and routing limitations of the so-called "Durbin Amendment." The Durbin Amendment and Regulation II provide that the amount of any interchange fee that a debit card issuer may receive for a debit transaction must be "reasonable and proportional" to the issuer's cost for the transaction. Regulation II specifies that an issuer complies with this interchange limitation if it receives an interchange fee that is no more than the sum of $0.21 plus 5 basis points of the transaction value. In addition, an interim final rule issued by the FRB on the same day provides that an issuer may receive an additional $0.01 fraud adjustment (i.e., increase to interchange) for the transaction if the issuer complies with the FRB's fraud standards. These interchange limitations will become effective on October 1, 2011.

In addition to its interchange fee limitations, Regulation II prohibits both payment card networks and issuers from limiting: (1) the number of networks on which debit transactions may be processed to less than two unaffiliated networks; and (2) the ability of merchants to route debit transactions for processing over any network that may process such transactions. As a result, an issuer will be required to enable at least two unaffiliated networks on its covered debit cards and then permit merchants to route transactions over either of these networks. In general, these exclusivity and routing requirements will become effective for issuers on April 1, 2012.

For more information, please contact Oliver Ireland at oireland@mofo.com or Nathan Taylor at ndtaylor@mofo.com.

TCF Litigation

On June 29, the Eighth Circuit declined to impose a temporary injunction to keep Regulation II from going into effect, agreeing with the lower court, which issued a similar denial. In its ruling, the Eighth Circuit indicated that TCF Financial had failed to show that Regulation II would dictate the maximum price for a good or service set below the cost of production, the heart of what is known as a confiscatory-rate claim. In this regard, TCF had argued that the rules were unconstitutional. The Eighth Circuit's decision may represent the industry's last opportunity to impact the implementation of Regulation II before it takes effect.

For more information, please contact Oliver Ireland at oireland@mofo.com or Nathan Taylor at ndtaylor@mofo.com.

Shall We Try That Again?

In Chase Bank USA, N.A. v. McCoy, 131 S. Ct. 171 (2011), the Supreme Court reversed a Ninth Circuit decision and held that TILA and the then-applicable version of Regulation Z did not require contemporaneous notice of a default rate increase where the triggering events and maximum default rate were stated in the customer agreement. On remand, the Ninth Circuit panel reconsidered its ruling on the remaining state law claims. McCoy v. Chase Manhattan Bank, USA, 2011 U.S. App. LEXIS 17217 (9th Cir. Aug. 19, 2011). The panel recognized that its ruling that Delaware banking law did not expressly authorize the challenged practice was contrary to decisions in two other circuits and the view of the Delaware legislature, which enacted a clarifying amendment directed specifically to the panel's ruling. In light of these "significant legal developments," the panel withdrew its earlier decision and affirmed the district court's dismissal of the complaint. This decision should put an end to all remaining challenges to default rate practices followed by many credit card issuers before the CARD Act took effect in August 2009.

For more information, please contact Bob Stern at rstern@mofo.com.

PREEMPTION REPORT

Stick to Your Guns

The OCC issued a final rule implementing several Dodd-Frank provisions, including revisions to its preemption and visitorial powers regulations. The OCC's final rule codifies its view that Dodd-Frank did not create a new "prevents or significantly interferes" preemption standard, and instead adopts the broader conflict preemption standard and all of the supporting reasoning applying that standard in Barnett Bank. The OCC refused calls to repeal the regulations, rejecting arguments that the regulations applied a field preemption standard and that the Dodd-Frank requirement of case-by-case preemption determinations applied to regulations issued long before the Act's effective date.

The OCC adopted its proposal to eliminate the "obstruct, impair, or condition" language from the regulations. In doing so, the OCC reconsidered its position concerning precedent relying on this standard, explaining cases that relied exclusively on that phrase "would need to be reexamined" to ensure the ruling was consistent with the conflict preemption analysis.

The final rule also implements the Dodd-Frank provisions making federal thrifts subject to national bank preemption standards, including the OCC regulations.

For more information, please contact Nancy Thomas at nthomas@mofo.com.

Not So Fast

Avid readers will recall that in our last issue we discussed the Eleventh Circuit's decision in Baptista v. JP Morgan Chase Bank, N.A., 2011 U.S. App. LEXIS 9568 (11th Cir. May 11, 2011), holding a state par value statute and common law claim based on the same theory were preempted by the National Bank Act and OCC regulations. However, a district court held that this ruling did not require reconsideration of its decision holding state law challenges to national bank's payment posting practices were not preempted. In re Checking Account Overdraft Litigation, 2011 WL 2746171 (S.D. Fla. July 13, 2011). The court stuck with its conclusion that state laws must be in irreconcilable conflict with federal law, and the challenged state law must specifically target banking practices for preemption to apply.

For more information, please contact Nancy Thomas at nthomas@mofo.com.

Discrimination Visitation

In what the court referred to as a "case of first impression," a district court in Pennsylvania held a state agency's investigation of a discrimination complaint filed with HUD based on a federal savings bank's rejection of a loan application was not preempted by Office of Thrift Supervision regulations or an impermissible exercise of visitorial powers. USAA Fed. Savings Bank v. Pennsylvania Human Relations Commission, 2011 U.S. Dist. LEXIS 94982 (E.D. Pa. Aug. 23, 2011). The court reasoned that the Fair Housing Act expressly authorizes HUD to delegate investigative authority to state agencies, so the investigation was an exercise of federal authority and not preempted by federal law.

For more information, please contact Nancy Thomas at nthomas@mofo.com.

PRIVACY REPORT

Federal Privacy and Data Security Bills

There has been a litany of federal privacy and data security bills introduced this Congress. Although the privacy debate and the issue of data security have seemed to receive significant scrutiny in this Congress, it is not clear whether any of the bills are actually capable of passing. In general, these bills tend to fall into one or more of three categories. First, there has been a group of traditional privacy bills introduced that would provide consumers with control over how information about them is collected, used, stored, and disclosed, including, for example, an omnibus privacy bill introduced by Senators Kerry (D-MA) and McCain (R-AZ). The second group of privacy bills focuses on mobile privacy issues related to the collection and sharing of geolocation data, including, for example, companion bills introduced by Senator Wyden (D-OR) and Representative Chaffetz (R-UT) that would prohibit the collection and sharing of geolocation data without express consent. Finally, the last group of bills focuses on creating federal standards for data security and security breach notification, including several bills that have been reintroduced from prior sessions, such as a bill introduced by Representative Rush (D-IL) that would, among other things, direct the FTC to issue regulations requiring businesses to implement information security policies and procedures.

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

CFPB Privacy Rules

On July 28, the CFPB issued an interim final rule establishing its procedures for, among other things, the disclosure by, and the confidential treatment of, information obtained by the CFPB in connection with exercising its authority under the consumer financial laws. The interim final rule provides for the confidential treatment of various types of information, including examination and compliance reports and covered person communications with the CFPB regarding supervision. The interim final rule, however, provides for the mandatory and discretionary disclosure of confidential information to other federal and state agencies. In addition, the CFPB retains the general authority to disclose confidential information to third parties as permitted by law. Comments on the interim final rule are due September 26.

Also, on August 1, 2011, the CFPB issued notices of the establishment of six separate systems of records ("SORs") under the Privacy Act. As required by the Privacy Act, the notices highlight, among other things, the purpose for the creation of each SOR (e.g., there is one relating to enforcement activities) and the routine uses of records maintained in each SOR. Comments on the notices were due August 31.

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

FRB and FTC Issue Final Credit Score Disclosure Rules

The Dodd-Frank Act amended the Fair Credit Reporting Act ("FCRA") to require companies that use credit scores to include those scores, and related information, in consumer adverse action and risk-based pricing notices. On July 15, the FRB and the Federal Trade Commission ("FTC") issued two final rules to implement these provisions: (1) an FRB rule amending its sample adverse action notices under Regulation B to provide for the additional disclosure of credit scores; and (2) an FRB and FTC rule amending their risk-based pricing rule to provide for the additional content required by the amended FCRA. Highlights of the rules include: (a) no proposed changes to the "Credit Score Exception Notices" under the risk-based pricing rule, allowing lenders to continue to use existing notices following the effective date of the new requirements; and (b) new credit score disclosure language for the Regulation B sample adverse action notices, which could in some cases require the disclosure of up to nine reason codes in adverse action notices.

For more information, please contact Andrew Smith at andrewsmith@mofo.com.

FTC Rescinds FCRA Commentary

On July 20, the FTC withdrew its FCRA Commentary. In addition, the FTC released a staff report, which, among other things, compiles and updates the FTC's interpretations from the Commentary. The FTC withdrew its Commentary and issued its staff report one day before the "Designated Transfer Date," the appointed day on which the Consumer Financial Protection Act became effective, and authority to enforce and administer the various consumer credit protection laws, including the FCRA, transferred to the CFPB.

The Commentary historically provided broad guidance on how the FTC believed that the FCRA should be interpreted, and for twenty years has served as a critical source of guidance for practitioners, courts, and regulators. The FTC apparently removed the Commentary because the FTC believed it had "become partially obsolete" due to the passage of time and multiple FCRA amendments. The FTC's Commentary, whether properly authorized or not, has been the only substantial source of regulatory guidance under the FCRA since the statute's inception.

For more information, please contact Andrew Smith at andrewsmith@mofo.com or Nathan Taylor at ndtaylor@mofo.com.

FTC, FCRA Enforcement Action

On June 24, the FTC reached a proposed consent judgment with a consumer reporting agency in which the agency agreed to pay $1.8 million to end the FTC's enforcement action relating to the agency's disclosure of information for marketing purposes. The consumer reporting agency allegedly created a database of information from its credit reporting business and sold information from this database to third parties for marketing purposes. The FTC's action alleged that the marketing lists that the consumer reporting agency sold to third parties were "consumer reports" under the FCRA and that the consumer reporting agency violated the FCRA by selling these reports because marketing "is not a permissible purpose under the FCRA."

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

FFIEC Issues Supplemental Guidance on Internet Banking Authentication

On June 28, the Federal Financial Institutions Examination Council ("FFIEC") issued its long-awaited guidance on how banks should protect against cybersecurity threats, supplementing the authentication guidance issued in 2005. The guidance notes that there have been significant changes in the nature and scope of cybercrime since 2005 and expresses concern that customer authentication methods and controls implemented in response to the 2005 guidance have "become less effective."

The updated guidance states that "financial institutions should implement more robust controls as the risk level of the transactions increases" and that they "should not rely solely on any single control for authorizing high-risk transactions, but rather institute a system of layered security." For example, a layered approach may include security controls, such as the use of dual customer authorization through different access devices, the use of out-of-band verification for transactions and IP reputation-based tools to block connections to banking servers from IP addresses known or suspected to be associated with fraudulent activities.

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

Texas Amends

On June 17, the Texas Governor signed into law H.B. 300, which, among other things, amended the state's security breach notification law. Effective September 1, 2011, H.B. 300 will provide that the notice requirements of the state's security breach notification law apply with respect to covered personal information relating to Texas residents and to residents of any other state if such state does not require a person to notify individuals of a breach. Nonetheless, providing notice to a resident of another state under that state's law will satisfy the requirements of the Texas law.

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

And Illinois Does Too

On August 22, the Illinois Governor signed into law H.B. 3025. H.B. 3025 amends the state's security breach notification requirement to, among other things, establish content requirements for security breach notices that must be provided to consumers. In addition, H.B. 3025 creates a requirement that businesses appropriately dispose of materials that include sensitive types of personal information, such as an individual's name in combination with SSN. The provisions of H.B. 3025 will become effective on January 1, 2012.

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

Nevada Encrypts

On June 13, the Nevada Governor signed into law S.B. 267, amending the encryption requirements of the Nevada data security law. Before its amendment, the Nevada law, in pertinent part, prohibited (and continues to prohibit) a business from moving any "data storage device" containing personal information beyond the physical controls of the business or its data storage contractor, unless the information is encrypted. The term "data storage device" is broadly defined as any device that stores information from any electronic or optical medium, including, but not limited to, computers, cell phones, magnetic tape, and computer drives.

S.B. 267 amended this requirement to clarify that a business is also prohibited from moving a "multifunctional device" containing personal information beyond the physical controls of the business, its data storage contractor, or a person who has assumed the business's obligation to protect personal information, unless the information is encrypted. In this regard, the term "multifunctional device" is defined as a machine that incorporates the functionality of devices, including, but not limited to, a printer, copier, scanner, or fax machine.

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

Michaels Rows Its Breach Ashore

In May, Michaels Stores reported that PIN terminals at Michaels Stores in at least 20 states showed evidence of having been tampered with. Reportedly, the fraudsters may have actually replaced the PIN pads at various stores in order to skim debit card numbers and PIN numbers. Not surprisingly, class actions have been filed in response to these reports. Specifically, at least two (seemingly duplicative) class actions have been filed in a district court in Illinois, alleging, among other things, that Michaels failed to take "commercially reasonable" steps to protect its customers' financial information.

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

Massachusetts AG Brings It

On July 28, the Massachusetts Attorney General ("AG") entered into an Assurance of Discontinuance with a Massachusetts bank (in lieu of an enforcement action) regarding alleged violations of the state's data security regulations, in which the bank agreed to comply with the regulations, as well as to pay a penalty of $7,500. According to the AG's press release, a bank employee left an unencrypted backup tape containing sensitive personal information on a desk at the end of the day, rather than storing the tape in a vault. Reportedly, the backup tape then was thrown away by the bank's cleaning crew and then was likely to have been "incinerated" by the bank's disposal company. The AG alleged that this incident involved two violations of the state's data security regulations: (1) maintaining personal information on unencrypted backup data tapes; and (2) the bank's failure to follow its written information security program, resulting in the improper handling and loss of the backup tape.

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

Gazing at Clouds and Mobiles

In June, the PCI Security Standards Council separately issued guidance on how the PCI Standards should be applied to protect payment card data used to conduct transactions virtually (e.g., in the cloud) and using mobile payment applications. First, the virtualization guidance describes how the PCI Standards apply to virtual environments, including identifying practical methods and concepts for the deployment of virtualization in payment card environments and suggested controls and best practices for meeting the requirements of the PCI Standards in those environments. In addition, the mobile payment application guidance separates mobile payment acceptance applications into three separate categories based on the type of underlying platform and its ability to support PCI compliance. Importantly, the guidance identifies payment applications that operate on a consumer electronic handheld device (e.g., smart phone) that is not solely dedicated to payment acceptance for transaction processing as a category of application that will not be evaluated for validation under the Payment Application Data Security Standard until further guidance and standards can be developed.

For more information, please contact Nathan Taylor at ndtaylor@mofo.com.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved