Jenner & Block

Consumer Law Round-Up

August 19, 2019 Regulators Continue to Focus on the Use of Alternative Data

By: Michael W. Ross

In an article published last month in Law360 (and reprinted in our Consumer Finance Observer periodical), our lawyers highlighted the increasing focus of government enforcement authorities on how companies are using “alternative data” in making consumer credit decisions. For example, the article highlighted that – as stated in a June 2019 fair lending report from the CFPB – “[t]he use of alternative data and modeling techniques may expand access to credit or lower credit cost and, at the same time, present fair lending risks.” Regulators have continued to focus on this area, including on the benefits and risks of using alternative data in lending decisions.

Earlier this month, the CFPB posted a widely reported-on blog entry on the benefits of using alternative data in lending decisions. The CFPB blog post provided an update to the public on the agency’s first and only no-action letter, issued to Upstart Network, Inc. in 2017. In that letter, the CFPB stated it had no intention of taking action against Upstart under the Equal Credit Opportunity Act (ECOA), which prohibits discrimination in lending, for using certain alternative data sources – particularly information about a borrower’s education and employment history – to make credit decisions. To obtain that letter, Upstart committed to implementing a risk management and compliance plan that included a process for analyzing the potential risk that its use of alternative data could lead to impermissible discrimination against protected classes of consumers.

The CFPB’s blog post reported on the results of Upstart analyzing almost two years of data from its risk management process. Its data showed that Upstart’s model approved 27 percent more applicants than would have been approved by a traditional underwriting model (i.e., one that did not use alternative data and machine learning), and led to 16 percent lower average APRs for approved loans. The CFPB also reported that expansion of credit occurred “across all tested race, ethnicity, and sex segments,” and resulted in particular increases in approval among applicants under twenty-five, those with incomes under $50,000, and those with “near prime” credit scores.[1] These results hearken back to a report by the Philadelphia Federal Reserve in 2017 concluding that the use of alternative data in credit decisions (in that case, relying on data from another FinTech lender, Lending Club) expanded access to credit in underserved areas at a lower cost than would otherwise be available.

The news of Upstart’s results was widely reported, as the use of alternative data in consumer lending remains a hot topic that regulators and legislators are continuing to watch closely.

 

[1] Government agencies and legislators also continue to focus on the potential risks of alternative data. In June, for example, Senators Warren and Jones wrote a letter to various government regulators highlighting concerns that using algorithms in underwriting decisions could lead to unlawful discrimination.

CATEGORIES: FinTech

August 15, 2019 5 Best Practices to Avoid TCPA Wrong-Number Claims

In an article published by Law360, Jenner & Block Partner Amy M. Gallegos provides five best practices to help businesses minimize Telephone Consumer Protection Act (TCPA) wrong-number claims in the wake of Wells Fargo’s recent $17.85 million TCPA settlement.  Penalties against companies that make wrong-number calls can be substantial, and the article highlights the importance of a strong and thorough TCPA compliance program.

To read the full article, please click here.

August 14, 2019 Second Circuit Asks: Will New York Recognize Cross-Jurisdictional Class Action Tolling?

 

By: Gabriel K. Gillett and Katherine Rosoff

On August 7, 2019 the Second Circuit certified two questions to the New York Court of Appeals with broad implications for multi-jurisdictional class actions.  First, “whether New York recognizes ‘cross-jurisdictional class action tolling,’ i.e., tolling of a New York statute of limitations by the pendency of a class action in another jurisdiction.”  Chavez v. Occidental Chem. Corp., -- F.3d. --, 2019 WL 3673190, *1 (2d Cir. Aug. 7, 2019).  Second, “whether non-merits dismissal of class certification can terminate class action tolling” when dismissal included a “return jurisdiction” clause allowing the plaintiffs to renew their claims if they were unable to find an adequate forum in their home countries.  Id.

The case was brought by agricultural workers from Costa Rica, Ecuador and Panama, alleging they suffered adverse health effects from a pesticide used on banana plantations.  The parties agree that their claims accrued no later than August 1993 and are subject to New York’s 3-year statute of limitations in personal injury actions.  However, the parties dispute whether plaintiffs’ claims were tolled by related actions filed in other jurisdictions.

Judge Sack, writing for Judges Raggi and Carney, found no clear case law on whether New York State would recognize cross-jurisdictional class action tolling.  The panel explained that, although New York has adopted the federal rule from American Pipe Construction Co. v. Utah, 414 U.S. 538 (1974) that allows for class-action tolling, New York state courts have not determined whether New York would apply that rule to class actions in other jurisdictions.  Courts within the Second Circuit that have been tasked with predicting New York’s ruling on the issue are split.  See, e.g., Chavez, 2019 WL 3673190, at *7 n.5.  So too, the Second Circuit recognized, are courts in other states that have faced the same issue.  Id. 

Faced with a thorny question of state law, the Second Circuit asked the New York Court of Appeals to weigh in.  See Second Circuit Local Rule 27.2; 22 NYCRR § 500.27.  The Court of Appeals will decide whether to accept the question, and if it does, it may order briefing and argument on the merits consistent with the court’s rules.

CATEGORIES: Decisions of Note

August 7, 2019 New York SHIELD Act Expands Data Security and Breach Notification Requirements

By: Kara K. Trowell

On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.

Expanded Definitions.

Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements.  First, private information has been expanded to include:

  • (a) financial account numbers that can be used alone to access a financial account;
  • (b) biometric data used to authenticate an individual’s identity;
  • (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
  • (d) unsecured protected health information covered under HIPAA.

These changes effectively expand the types of situations covered by the law that could result in a breach of system security and trigger the notification requirements.

Second, the circumstances that qualify as a “breach” have been expanded to now include incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information.

Expanded Coverage.

Moreover, the SHIELD Act also expanded its data breach notification requirements to mandate compliance by any person or business that owns or licenses computerized data that includes the private information of New York residents, regardless of whether the person or business conducts business in New York.  It provides for exemptions under certain circumstances, such as when the “exposure of private information” was an “inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”  Additionally, while businesses that are already regulated by and comply with data breach notice requirements under certain state and federal cybersecurity laws, such as HIPAA, GLBA and NY DFS Reg. 500, must also notify the state Attorney General, Department of State Division of Consumer Protection and Division of the State Police, they need not further notify affected New York residents.

New “Reasonable” Data Security Requirements.

The SHIELD Act also enacted requirements for covered entities to implement reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of sensitive data, and the law itself provides examples of “reasonable practices.”  Again, compliance is presumed for businesses that are already in compliance with applicable laws such as HIPAA and the GLBA.  Notably, there is a limited exemption to the requirement for small businesses, which are defined as any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets.

Enforcement and Penalties for Non-Compliance.

The SHIELD Act does not provide consumers with a private right of action, but instead permits an attorney general to bring an action to enjoin violations of the law and obtain civil penalties.  For data breach notification violations that are neither reckless nor knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses.  For reckless or knowing violations, a court may impose increased penalties of the greater of $5,000 or up to $20 per instance for a maximum of $250,000.  For violations of the reasonable safeguard requirements, a court may impose penalties of not more than $5,000 per violation.  The time for commencing an action under the law has also been increased from two to three years from the date on which the attorney general became aware of the violation, or the date that the covered entity provides notice of the breach.  No action may be brought after six years from the date the breach was discovered unless the company took steps to hide the breach.

The SHIELD Act takes effect on March 21, 2020.

CATEGORIES: Privacy Data Security

PEOPLE: Kara K. Trowell

August 6, 2019 Second Circuit Creates Split on Investment Company Act Private Right of Action

By: Gabriel K. Gillett and Howard S. Suskin

In a decision issued on August 5, 2019, the US Court of Appeals for the Second Circuit created a split with other courts, including the Third Circuit, on the issue of whether there is a private right of action for rescission under the Investment Company Act (ICA).  The Second Circuit held that, based on the text of the statute and its legislative history, “ICA § 47(b)(2) creates an implied private right of action for a party to a contract that violates the ICA to seek rescission of that violative contract.”  Oxford University Bank v. Lansuppe Feeder Inc., No. 16-4061 (2d Cir. Aug. 5, 2019), Slip op. 23.  In so holding, the court acknowledged that it was creating a circuit split:

We note that the Third Circuit and several lower courts have reached the opposite result.  In Santomenno ex rel. John Hancock Trust v. John Hancock Life Ins. Co., 677 F.3d 178 (3d Cir. 2012), the Third Circuit found plaintiffs lacked a private right of action to seek rescission under § 47(b).  Plaintiffs in Santomenno alleged violations of ICA § 26(f), which makes it unlawful to pay ‘fees and charges’ on certain insurance contracts that exceed what is ‘reasonable,’ id. at 187, and sought rescission (in addition to monetary damages).  The court in Santomenno found that plaintiffs did not have a cause of action.  We do not find the reasoning in Santomenno persuasive. 

Slip op. 21-22.

Litigators should watch to see how other courts weigh in, and whether the Supreme Court ultimately takes up the issue to resolve the split.

Gabriel Gillett is an Associate in Jenner & Block’s Appellate & Supreme Court Practice in Chicago.   Howard Suskin is a Partner and Co-Chair of the Securities Litigation Practice Group at the firm.

CATEGORIES: Decisions of Note

PEOPLE: Howard S. Suskin, Gabriel K. Gillett

August 5, 2019 FinCEN Issues Report on Business Email Scams

By: David P. Saunders

At the risk of stating the obvious, everyone uses email. It has become a central component of both our daily lives and, of course, our businesses.  As we transform into a fully digital, corporate world, there are those who have sought to exploit the growing reliance on email.  Spammers, hackers, and of course, phishers.  No, not the people who go to those really long concerts; we are talking about email scammers who purport to tell you that your UPS package has arrived, but all you need to do is click a link and enter some information.  These scams can cripple a business, and trying to prevent these scams is difficult because in many ways, the solution relies on removing human error.

Enter the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department that collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes.  FinCEN recently held a forum aimed at discussing ways to identify and curtail business email scammers.  The forum, held in New York City, analyzed the trends in business email scams.  At the forum, FinCEN released a report indicating that reporting of business email scams had more than doubled between 2016 and 2018.  The report also detailed that fake invoice scams grew as a methodology, and that manufacturing and construction businesses were top targets.

While knowledge and preparation are critical to defending a business from email scams, the reality of today’s world is that it is inevitable that a scam will succeed from time to time.  And that is where FinCEN’s Rapid Response Program comes in.  The program was established in 2014 to assist businesses seeking to report and attempt to recover the loss of funds resulting from, among other things, e-mail scams.  It has helped to recover more than $500 million in funds.  According to FinCEN, “[u]nder the program, when U.S. law enforcement receives a [scamming] complaint from a victim or a financial institution, the relevant information is forwarded to FinCEN, which moves quickly to track and recover the funds.  The program utilizes FinCEN’s ability to rapidly share information with counterpart Financial Intelligence Units (FIU) in more than 164 jurisdictions, and leverages these relationships to encourage foreign authorities to intercede and hold funds or reverse wire transfers.”  See https://www.fincen.gov/news/news-releases/fincen-exchange-forum-counters-business-email-compromise-scams.  This is an important tool in a business’ toolbox when it comes to remediating the harm of an email scam.  For information about the program, businesses can contact RRPinfo@fincen.gov.

PEOPLE: David P. Saunders

July 30, 2019 Crypto Corner – Updates on Cryptocurrency

By: Michael W. Ross

In the first half of 2019, the “crypto-winter” that had set in during 2018 appeared to see signs of a thaw, albeit with new regulatory developments and controversy continuing to characterize the space.  On the regulatory front, the Securities and Exchange Commission (SEC) issued more detailed guidelines for companies seeking to sell digital tokens.  The 13-page “Framework for ‘Investment Contract’ Analysis of Digital Assets” provides a detailed analysis of the factors relevant to the Howey test that the SEC uses to determine the existence of a security (and all that designation entails).  At the same time, the SEC issued a no-action letter for a company that had represented it would not be using its tokens to fund the development of the token network, and that the tokens would be immediately usable—underscoring two key factors of the SEC’s assessment.  In another development, the Financial Action Task Force (FATF)—a global inter-governmental organization focused on fighting money-laundering—issued new guidelines on cryptocurrency companies operating in its 37 member countries, including requirements about collecting user information.  FINRA has also decided to continue a reporting initiative it announced last year.

On the news-making front, much industry attention was paid to the SEC’s suit against a Canadian messaging company called Kik Interactive, alleging that Kik propped up its failing business by pivoting to an unregistered token offering through which it raised $100 million.  Some have viewed the case as one to watch to see whether courts will view digital tokens the same way as the SEC has.  More recently, focus on developments at the SEC has been overtaken by news of Facebook’s anticipated Libra token.  Built on a permissioned blockchain network overseen by a litany of household names, and backed by a basket of traditional assets, the Libra token met early news of its potential to change the game for cryptocurrency.  More recent weeks have seen a flurry of commentary by regulators and legislators focused on the need to analyze the token under existing financial services laws, as well as concerns about money-laundering, consumer protection and privacy.  For those interested in the space, it will be worth monitoring further developments as they unfold.

 

PEOPLE: Michael W. Ross

July 29, 2019 Facebook’s Libra Prompts Federal Draft Legislation

By: Jeffrey A. Atteberry

In June, Facebook publicly launched an initiative to develop a cryptocurrency called Libra in partnership with 27 other technology and finance companies including Visa, PayPal and Uber.  According to Facebook, consumers will be able to buy Libra anonymously and then use the currency to buy things online, send money to people, or cash out at physical exchange points such as grocery stores.  The blockchain technology behind Libra is meant to be open-source and not controlled exclusively by Facebook, but by an association of its founding companies, each of which has already invested at least $10 million into the venture.

Facebook’s announcement triggered a rapid response from federal legislators, and on July 15 the House Financial Services Committee introduced draft legislation aimed at preventing large tech companies from creating digital currencies such as Libra.  Entitled “Keep Big Tech Out of Finance Act,” the draft legislation would apply only to tech companies with over $25 billion in annual global revenue that primarily operate online marketplaces or social platforms.  Such companies would be prohibited from using blockchain or distributed ledger technology to create or operate “a digital asset that is intended to be widely used as a medium of exchange, unit of account, store of value, or any other similar function.”  The draft legislation would further prohibit such tech companies from being or affiliating with “a financial institution.” 

The draft legislation is just the latest indication that federal legislators and regulators are increasingly focused on the growing linkages between technology, particularly in the form of social media and online marketplaces, and more traditional consumer finance industries.

CATEGORIES: FinTech

PEOPLE: Jeffrey A. Atteberry

July 26, 2019 The Consumer Finance Observer

Jenner & Block has recently launched The Consumer Finance Observer or CFO, a newsletter providing analysis of key consumer finance issues and updates on important developments to watch.  In this issue, consumer finance lawyers David Bitkower, Kali Bracey, Jeremy M. Creelan, Joseph L. Noga, Michael W. Ross and Damon Y. Smith and Associate William S.C. Goldstein discuss how enforcement authorities are zeroing in on alternative data; the NY District Court’s block of a fintech charter; the CFPB’s proposed debt collection rules; the Saga of Madden v. Midland Funding; news from the CFPB’s UDAAP Symposium; updates on cryptocurrency; the FDIC’s consumer compliance supervisory highlights; and Texas’s enactment of new consumer finance laws.

To read the full newsletter, click here.

July 22, 2019 Eighth Circuit Reminds: The First Principle of Arbitration Is Get Consent

By: Gabriel K. Gillett

In recent years, the Supreme Court has issued many decisions about arbitration, including the enforceability of arbitration agreements and employment agreements that bar classwide arbitration.  Last week, the Eighth Circuit issued a decision in a case involving those issues, holding that an employment agreement’s arbitration clause mandating individual arbitration was unenforceable.  Shockley v. PrimeLending, -- F.3d. --, 2019 WL 3070502 (8th Cir. 2019).  The arbitration clause provided that the employee and the company agree to “resolve the covered dispute exclusively through final and binding arbitration,” that both parties waive “the right to initiate a class, collective, representative or private attorney general action,” and that “[a]ll Covered Disputes will be settled by binding arbitration, on an individual basis.”  The court did not find that belt-and-suspenders language defective in any way.  Rather, the court reasoned that a valid agreement to arbitrate had not been formed because the employer had provided the employee with a link to the agreement, but there was no evidence the employee had clicked the link or otherwise assented to the agreement.

The Eighth Circuit’s decision does not provide gloss on the Supreme Court’s arbitration jurisprudence—it does not even cite many of the Court’s recent cases.  The Eighth Circuit’s decision also does not discuss a novel legal theory or break new ground in the arbitration space.  Nor does it address one of the many open and often litigated issues related to arbitration.  Still, the holding is notable because it serves as an important reminder: even the best, clearest language in an arbitration clause (or any contract for that matter) is enforceable only if the parties actually agreed to it.  See, e.g., Lamps Plus, Inc. v. Varela, 139 S. Ct. 1407, 1415 (2019) (“‘[T]he first principle that underscores all of our arbitration decisions’ is that ‘[a]rbitration is strictly a matter of consent.’” (citations omitted)).

CATEGORIES: Arbitration

PEOPLE: Gabriel K. Gillett

July 10, 2019 British Airways: To Fly. To [be] Serve[d with a huge fine]

By: Kelly Hagedorn and Oliver J. Thomson

The UK Information Commissioner’s Office (ICO) on 8 July 2019 issued a notice of its intention to fine British Airways £183.39 million for infringements of the General Data Protection Regulation (GDPR).  Such a fine, if levied, would represent around 1.5% of British Airways’ worldwide turnover for 2017, and would be approximately 367 times larger than the next largest fine that the ICO has imposed.

Background

The proposed fine relates to a data breach notified to the ICO by British Airways in September 2018.  In late August and early September 2018, British Airways customers attempting to use the British Airways website or app were redirected to a fraudulent website, which then gathered the customers’ personal data.  This personal data gathered included payment card information, booking details, and name and address information.  The breach affected around 500,000 British Airways customers.

In a statement, the UK’s Information Commissioner Elizabeth Denham said “when you are entrusted with personal data, you must look after it.  Those that don’t will face scrutiny from [the ICO] to check they have taken appropriate steps to protect fundamental privacy rights.”

Fining regime

The proposed fine represents a new record for financial penalties related to breaches of data protection law in the UK.  As we note above, the fine is roughly 367 times larger than the previous record: the £500,000 fine imposed on Facebook relating to the Cambridge Analytica affair in July 2018.  That fine, which was for the maximum amount available to the ICO at the time, was made under powers contained in the Data Protection Act 1998.  The proposed fine against British Airways would be levied under the UK Data Protection Act 2018, which implements the GDPR into national law.  The Data Protection Act 2018 empowers the ICO to fine a company up to 4% of its worldwide turnover for the previous year, meaning British Airways could have received a fine of around £500 million.[1]

The knowledge that it avoided an even higher sum will be of little comfort to British Airways, which said that it was “surprised and disappointed” by the decision.  British Airways purportedly cooperated with the ICO’s investigation and has since made a number of improvements to its processes and systems.  Willie Walsh, chief executive of IAG (British Airways’ parent company), said that the company “intends to take all appropriate steps to defend the airline’s position… including making any necessary appeals.”

British Airways will now have a period within which to make representations to the Information Commissioner as to why it contests the size of the proposed fine.  The Information Commissioner will consider these representations, possibly alongside a panel of non-executive advisors[2], following which she will issue a penalty notice.  After confirmation of the size of the penalty, British Airways could choose to appeal the decision to the First-tier Tribunal (General Regulatory Chamber).  The company may appeal the size of the penalty notice or the notice itself.[3]

Comment

This is a substantial fine by any standards, but particularly for a penalty in the arena of data protection.  Many expected the ICO to ease into the use of its new powers more gradually, but today’s announcement charts a bold course for the Information Commissioner, Elizabeth Denham.  When the penalty notice is issued, it will be interesting and useful to consider the full range of factors that the ICO took into account when determining the size of fine to impose on British Airways.

What is clear in the wake of this announcement is that the ICO will not hold back from issuing substantial penalties when it determines that there has been a serious breach of data protection law.  This announcement may be seen as a statement of intent on the part of the ICO, and executives and board members may wish to look once more at their companies’ data protection compliance programme.  The stakes have just been raised dramatically.

 

[1] s.157, Data Protection Act 2018, implementing Article 83, GDPR.

[2] The ICO’s Regulatory Action Policy states that, “For very significant penalties (expected to be those over £1M) a panel comprising non-executive advisors to the Commissioner’s Office may be convened by the Commissioner to consider the investigation findings and any representations made, before making a recommendation to the Commissioner as to any penalty level to be applied.  It will be the Commissioner’s final decision as to the level of penalty applied.  The panel may comprise technical experts in areas relevant to the case under consideration.”

[3] s.162, Data Protection Act 1998.

June 19, 2019 What Securities Pros Need to Know About SEC Data Analytics

In an article published by Law360, Partner Charles D. Riely and Associate Danielle Muniz explore the publicly available information about the US Securities and Exchange Commission’s use of data analytics to detect and pursue violators.  The authors discuss why understanding the SEC’s data analytics concepts is important for lawyers and other professionals responsible for supervision and compliance at investment advisers and broker-dealers.

To read the full article, please click here.

CATEGORIES: Securities

May 20, 2019 SDNY Decision Blocks National Bank Charters for FinTech

By William S. C. Goldstein

Earlier this month, a federal district court in New York handed a win to the New York State Department of Financial Services (DFS) in its long-running, closely watched suit seeking to block the Office of the Comptroller of the Currency (OCC) from issuing national bank charters to non-bank financial technology (FinTech) companies that don’t receive deposits.  Judge Victor Marrero denied most of OCC’s motion to dismiss and found the agency’s interpretation of the National Bank Act, 12 U.S.C. § 21 et seq., to be unpersuasive.  Vullo v. Office of the Comptroller of the Currency, No. 18-cv-8377, 2019 WL 2057691, at *18 & n.13 (S.D.N.Y. May 2, 2019).  DFS’s suit has significant stakes for the FinTech industry: under the United States’ dual banking system, nationally chartered banks are regulated primarily by OCC and avoid the application of most state laws and regulations through federal preemption, while financial institutions without national bank charters are generally subject to state oversight—and non-bank institutions are often regulated by multiple states. Id. at *8.  Judge Marrero’s decision casts doubt on whether comprehensive, uniform regulation of FinTech companies can be achieved without congressional action.

May 20, 2019 SDNY Decision Blocks National Bank Charters for FinTech

By William S. C. Goldstein

Earlier this month, a federal district court in New York handed a win to the New York State Department of Financial Services (DFS) in its long-running, closely watched suit seeking to block the Office of the Comptroller of the Currency (OCC) from issuing national bank charters to non-bank financial technology (FinTech) companies that don’t receive deposits.  Judge Victor Marrero denied most of OCC’s motion to dismiss and found the agency’s interpretation of the National Bank Act, 12 U.S.C. § 21 et seq., to be unpersuasive.  Vullo v. Office of the Comptroller of the Currency, No. 18-cv-8377, 2019 WL 2057691, at *18 & n.13 (S.D.N.Y. May 2, 2019).  DFS’s suit has significant stakes for the FinTech industry: under the United States’ dual banking system, nationally chartered banks are regulated primarily by OCC and avoid the application of most state laws and regulations through federal preemption, while financial institutions without national bank charters are generally subject to state oversight—and non-bank institutions are often regulated by multiple states. Id. at *8.  Judge Marrero’s decision casts doubt on whether comprehensive, uniform regulation of FinTech companies can be achieved without congressional action.

The OCC allegedly first began considering whether to accept applications from FinTech companies for special purpose national bank (SPNB) charters in early 2016, pursuant to a 2003 regulation authorizing such charters for entities engaged in “at least one” core banking function: receiving deposits, paying checks, or lending money. Id. at *2 (quoting 12 C.F.R. § 5.20(e)(1)(i)).  DFS first sued OCC in 2017, arguing that the National Bank Act (NBA) prohibits charters from issuing to entities that don’t receive deposits and that to issue them would violate the Tenth Amendment of the Constitution.  That suit was dismissed without prejudice in December of 2017 on justiciability grounds after Judge Naomi Reice Buchwald found that DFS had not suffered an injury in fact and that its claims were not ripe. Id. at *3.  After OCC announced in July of 2018 that it would begin accepting applications from non-depository FinTech companies for SPNB charters, DFS sued again, under the Administrative Procedure Act (APA) and the Tenth Amendment, to prevent OCC from issuing any charters and to invalidate the underlying regulation.  OCC moved to dismiss this past February, arguing that DFS lacked standing, its claims weren’t ripe or timely, and that on the merits it failed to state a claim. Id. at *4.  Judge Marrero issued a decision on OCC’s motion on Thursday, May 2.

Judge Marrero first addressed OCC’s justiciability arguments.  He found that DFS had standing based on two distinct alleged harms: i) the loss of “critical financial protections” for the citizens of New York that would result if non-depository financial institutions were no longer subject to DFS regulation; and ii) direct financial harm to DFS due to the loss of assessments levied on institutions it licenses and regulates. Id. at *8.  As to constitutional ripeness, the Court found that OCC “has the clear expectation of issuing SPNB charters,” and thus that “DFS has demonstrated a ‘substantial risk that harm will occur,’” making its claims ripe. Id. at *9 (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.15 (2013)).  Judge Marrero also rejected OCC’s argument that, insofar as DFS was challenging the validity of the underlying regulation authorizing SPNB charters—issued in 2003—its claims were untimely. Id. at *10-11.  The Court noted that DFS’s claims “cannot be both unripe and untimely,” and that to hold otherwise would allow agencies to insulate their actions from judicial review by promulgating rules and then waiting out the limitations period before taking any actions under those rules. Id. at *10.  The Court also invoked several administrative law doctrines and decisions allowing review of agency action where an agency claims broad new authority derived from an older regulation. Id. at *10-11.  OCC is free to re-raise its timeliness defense on a more fully developed record. Id. at *11.

On the merits, OCC’s chief argument was that the scope of the phrase “business of banking” in the National Bank Act is ambiguous, and thus that OCC’s interpretation is entitled to Chevron deference. Id. at *13.  The Court was not persuaded by this argument, concluding instead that the text, structure, purpose, and history of the statute all supported a conclusion that the NBA “unambiguously requires receiving deposits as an aspect of the business.” Id. at *13-16.  The original version of the NBA “is replete with provisions predicated upon a national bank’s deposit-receiving power,” and was based heavily on New York’s experience with a state banking law, under which deposit-receiving was always a core, unchallenged power of banks. Id. at *15.  The Court emphasized that OCC had never before chartered a non-depository institution in reliance on the “business of banking” clause; rather, the previous two times OCC began issuing national charters to such institutions, it acted in reliance on congressional amendments to the NBA explicitly authorizing it to do so. Id.  The Court was reluctant to find a broad new agency power, with the potential to significantly disrupt the banking industry, in 140-year-old statutory language—the “Congress doesn’t hide elephants in mouse holes” canon. Id. at *16.  Judge Marrero acknowledged a significant line of authority finding ambiguous the “outer bounds” of the “business of banking,” but found those cases inapposite to determining what the necessary core activities of banking are, what he called the “threshold requirements” or “inner limits” of banking. Id. at *17.  In light of all these and other “interpretive clues,” the Court concluded that only depository institutions are eligible for national charters under the NBA’s “business of banking” clause, and that OCC cannot issue such charters to non-depository institutions without specific statutory authorization. Id. at *18.

Accordingly, DFS’s arguments that OCC’s plan to charter FinTech companies would violate the National Bank Act stated claims under the APA. Id. at *18.  However, the Court did dismiss DFS’s Tenth Amendment claim.  DFS argued that OCC violated the Tenth Amendment by exceeding its statutory authority and acting contrary to congressional intent. Id.  The Tenth Amendment allows litigants to object to exercises of federal authority that exceed “the National Government’s [constitutionally] enumerated powers.” Id. at *19 (citation and quotations omitted).  The authority to regulate national banks has long been recognized as within the scope of the powers granted to Congress by the Constitution’s Commerce and Necessary and Proper Clauses. Id. at *18.  The court observed that DFS did not allege that it would “categorically lie beyond federal authority” for Congress to authorize OCC to issue national bank charters to non-depository institutions. Id. at *19.  DFS therefore did not state a Tenth Amendment claim. Id.

CATEGORIES: FinTech

PEOPLE: William S. C. Goldstein (Billy)

May 10, 2019 The CFPB Rolls Out New Regulations for Debt Collection

By Amy Egerton-Wiley

Debt collectors have for years sought guidance on how and when digital messages could be sent to contact consumers.  On Tuesday, the Consumer Financial Protection Bureau (CFPB) announced a notice of proposed debt collection regulations that would provide that guidance.  The new regulations would expand the potential avenues by which debt collectors could contact consumers and would establish a host of other regulations that would alter debt collection practices.  The proposed rulemaking announced by the CFPB is more than 500 pages long and would be the first substantive rules to interpret the Fair Debt Collection Practices Act, which regulates the debt collection industry.

The CFPB identified several main highlights that the proposed rulemaking would achieve, including establishing a bright-line rule limiting call attempts and telephone conversations, clarifying consumer protection requirements for certain consumer-facing debt collection disclosures, clarifying how debt collectors can communicate with consumers, prohibiting suits on time-barred debts, and requiring communication before credit reporting.

The new regulations would allow debt collectors to expand methods of communicating with consumers, such as exploring WhatsApp or other online models.  They also, however, restrict the abilities of debt collectors to contact consumers.  For example, the proposed rules would cap the number of times a debt collector could call a consumer to seven times in one week, and once the debt collector reached the consumer, it would not be able to contact the individual again for another week.  The bureau cited increased clarity and modernizing the legal regime as its goals for the new regulations.

The CFPB’s statement and proposed rules can be found here.

CATEGORIES: Decisions of Note