Consumer Financial Services Law

New California Laws for Financial Institutions

As the California legislative session wound down, Governor Jerry Brown signed multiple bills into law that will impact financial institutions.

What happened

Financial institutions in California should prepare themselves for several changes, thanks to multiple bills enacted by the State Legislature and recently signed by the Governor. Below are highlights of the new laws.

  • Senate Bill 777 tweaked the California Finance Lenders Law (CFLL) to reenact a prior de minimis exemption. The prior exemption was amended in 2014 to exempt from licensure under the CFLL persons making five or fewer commercial loans in a 12-month period if the loans are “incidental” to the business of the person relying on the exemption. Although intended to liberalize the exemption by increasing the number of loans from one to five, the “incidental” wording created uncertainty with respect to a special purpose entity making a single loan, which was covered by the prior exemption. To address this concern, SB 777 retained the current exemption for five or fewer loans if “incidental to a person’s business,” and restored the exemption for a single commercial loan in a 12-month period without the “incidental” qualifier. The change takes effect on January 1, 2017. However, the restored single-loan exemption is currently set to expire January 1, 2022.
  • Another measure, Senate Bill 657, broadened the definition of a “lender” under the California Residential Mortgage Lending Act (CRMLA). As the statute currently reads, an individual is generally prohibited from engaging in the business of making or servicing residential mortgage loans without first obtaining a license from the Department of Business Oversight (DBO), with licensees required to maintain a minimum tangible net worth of $250,000. “Lender” was previously defined as a person who is an approved lender for various agencies, including the Federal Housing Administration (FHA) and the Veterans Administration, for example, who directly makes residential mortgage loans and makes the credit decision in the loan transactions. Pursuant to the changes to the CRMLA, the DBO Commissioner is authorized to increase the minimum net worth requirement above $250,000 as long as it doesn’t exceed the net worth required of an approved lender under the FHA. In addition, the definition of a lender now encompasses “a person, other than a natural person, and a natural person who is also an independent contractor, who engages in the activities of a loan processor or underwriter for residential mortgage loans, but does not solicit loan applicants, originate mortgage loans, or fund mortgage loans.”
  • A third piece of legislation established a new regulatory regime for student lending. Assembly Bill 2251, the Student Loan Servicing Act, mandates that student loan servicers in the state—and those located elsewhere servicing student loans made to California residents—obtain a license from the DBO, comply with new regulatory requirements, and refrain from delineated prohibited activities as of July 1, 2018. The new statute exempts state and federally chartered banks, trust companies, industrial loan companies, savings and loan associations, savings banks, credit unions, and public or private postsecondary educational institutions servicing a student loan that it made. Pursuant to the law, entities must provide borrowers, free of charge on a website, with information or links to information about available repayment and loan forgiveness options; ask the borrower how an overpayment should be applied; and provide written notice with prescribed information in the event of a transfer of servicing. Prohibited by the new Act: engaging in any “unfair or deceptive” practice, misrepresenting or omitting material information (including “the amount, nature, or terms of any fee or payment”), and misapplying payments, among other activities. Licensees will be examined by the Commissioner at least once every 36 months. The DBO was invested with enforcement authority to assess civil penalties up to $2,500 for violations of the law, issue cease and desist orders, and file an enforcement action in state court.
  • Finally, while not a legislative change, financial institutions should be aware of a new regulation from the DBO amending the CFLL and CRMLA implementing regulations that eliminates the use of a licensing exemption for subsidiaries and affiliates of exempt institutions simply on the basis of the nature of their association. Prior Commissioner opinions adopted an expansive reading of the statutes to include an exemption for the subsidiaries of exempt financial institutions. To eliminate the exemption for subsidiaries and affiliates engaged in lending and/or brokering consumer loans (commercial loans are not impacted by the change), the DBO adopted the new regulation which took effect on September 28.

To read SB 777, click here.

To read SB 657, click here.

To read AB 2251, click here.

Why it matters

Financial institutions with a California presence and those industries which are engaged in traditional financial activities, such as commercial lending, should take a close look at the new laws and regulations to ensure compliance with the changing requirements.

back to top

DOJ Drives ECOA Settlement With Bank Over Vehicle-Secured Loans

Acting on a referral from the Federal Deposit Insurance Corporation, the Department of Justice pursued a case against Charter Bank, asserting the financial institution violated the Equal Credit Opportunity Act by discriminating based on national origin when making vehicle-secured loans.

What happened

To settle allegations that the bank violated the Equal Credit Opportunity Act (ECOA) with respect to non-purchase money loans secured by a consumer’s vehicle, Texas-based Charter Bank agreed to a proposed consent order with the Department of Justice (DOJ).

Pursuant to bank policy in place for more than five years between January 2009 and June 2014, loan officers at the bank had discretion to deviate up or down from the interest rates listed on the bank’s rate sheets by roughly three percentage points. The result, according to the DOJ: Hispanic borrowers paid higher prices than similarly situated non-Hispanic borrowers, on average 108 basis points more. A lender does not collect demographic information on borrowers in connection with automobile loans, and the DOJ instead based its claim on a “proxy methodology” using geography-based and name-based probabilities.

The alleged problem was raised during an examination by the Federal Deposit Insurance Corporation (FDIC) that ended in June 2014 with the regulator reaching out to the DOJ.

The disparity in lending rates was “statistically significant, and the difference is based on national origin and not based on creditworthiness or other objective criteria related to borrower risk,” according to the DOJ’s complaint. Charter ran afoul of the ECOA by instituting a policy providing loan officers with “broad subjective discretion” in setting interest rates with a disparate, detrimental impact on Hispanic borrowers that was not justified by business necessity or legitimate business interests that could not be reasonably achieved as well by means less disparate in their impact on Hispanic borrowers, the agency told the court.

Charter failed to properly instruct loan officers with regard to the ECOA and how to treat prospective consumers without regard to national origin, the DOJ alleged. In addition, the bank neglected to supervise or monitor the performance of its officers to ensure fair lending compliance, the agency said.

Further, the bank’s policy constituted intentional discrimination, the agency alleged, because the challenged pattern or practice was “implemented with reckless disregard for the rights of Hispanic borrowers.”

To settle the suit, the bank agreed to pay $165,820 as monetary damages for affected borrowers, provide ECOA training to bank employees, and display a notice of nondiscrimination. Charter, which revised its policy in August 2014 to prohibit discretionary rate setting by loan officers, must also maintain its current pricing policy that does not permit loan officer discretion as well as a monitoring program designed to detect disparities in interest rates and pricing adjustments for the bank’s loan products.

To read the complaint in U.S. v. Charter Bank, click here.

To read the proposed consent order, click here.

Why it matters

The DOJ action offers a warning for lenders about the risks involved in discretionary pricing, and further evidence that the DOJ continues to use its controversial proxy methodology in non-home loan situations where no direct demographic information is gathered by the lender. Charter Bank’s prior policy permitting officers to deviate from standard pricing caught the attention of the FDIC, which tipped off the DOJ to bring the action. Lenders who permit such discretionary pricing should review their policies and procedures to ensure they are in compliance with the ECOA and other fair lending laws.

back to top

Should Banks Be Held to Higher Standard in Data Breach Cases?

In a cautionary tale for banks, a federal court judge in Illinois dismissed a lawsuit filed by Community Bank of Trenton after concluding the bank’s sophisticated business dealings required a higher standard than consumer data breach suits.

What happened

Between December 2012 and March 2013, Schnuck Markets, Inc., fell prey to a major data breach, with information about approximately 2.4 million consumers compromised. Payment card numbers and expiration dates were allegedly held in unencrypted format on the grocer’s computers while cards were awaiting approval by third-party payment processors, in violation of industry standards.

A group of financial institutions led by Community Bank of Trenton filed suit against the grocer asserting a panoply of 13 different legal claims, including allegations of violations of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Illinois Consumer Fraud and Deceptive Business Practices Act, as well as claims based on tort and breach of contract theories. The plaintiffs challenged Schnuck’s lax data security practices, alleging that the company “fell far short of industry standards” by capturing consumer data in its computer system in an unencrypted format, leaving it vulnerable to hackers. Schnuck knew its data security procedures were outdated and ineffective, the plaintiffs added, and failed to implement preventative measures such as antivirus and firewall software or a risk management system. Schnuck moved to dismiss the suit.

Granting the motion, U.S. District Court Judge Michael J. Reagan distinguished the case as from prior litigation brought by consumers against retailers in the wake of a data breach, such as the suits against Home Depot and Target.

“In the cases brought by consumers, parties have effectively illustrated plausible claims for relief under various theories by appealing to the common life experience of a consumer walking into a merchant to buy a sandwich or a book,” the court said. “The concrete fraud charges on customer payment cards and the familiar expectations of a store customer make the claims in those cases hold together to illustrate a plausible story.”

By contrast, the allegations of harms sustained by the financial institution plaintiffs were too “general,” the court said. “The Complaint alleges that Plaintiffs have incurred and will continue to incur costs to: cancel and reissue cards; close and reopen accounts; notify customers; and, investigate and monitor for fraud. Plaintiffs allege that they may also lose profits if customers use payment cards less frequently.”

Working its way through all 13 counts of the plaintiffs’ complaint, the court found the RICO claims based on wire fraud stretched “the arms of the fraud statutes too far.” He dismissed the bank’s contention that Schnuck engaged in fraud by making misrepresentations, as “[m]erchants are not in the common practice of posting signs by the register assuring data security, so surely there cannot be a misrepresentation or omission there, nor is there any kind of data safety guarantee transmitted across the wires from a merchant to processors when a card is swiped.”

Broad statements that “everyone assumes that merchants and VISA and [other card] participants practice good data security” are insufficient, the court said, distinguishing other data breach cases like the one against Home Depot, where the merchant received numerous warnings that its data security was insufficient but declined to take action, purportedly to save money. “[T]he same degree of intentionality or purpose is not evidence in Schnucks’s alleged conduct,” the court wrote.

Similarly, bank fraud claims failed to provide the basis for the RICO counts as the plaintiffs did “not specify what scheme or artifice was faulty or how it was directed to defrauding them.”

Judge Reagan tossed the bank’s breach of fiduciary duty allegations, rejecting the idea that Schnuck was the dominant party in the relationship. “The Plaintiffs as financial institutions, and Schnucks as a mid-sized grocer, are both ‘sophisticated’ parties who participated in a mutually beneficial business arrangement that allowed individuals to use electronic payment cards to purchase their groceries,” the court said.

The fact that Schnuck participated in the payment networks did not provide the basis for a negligent misrepresentation claim that the grocer took certain data security measures, the judge added.

“The loose assertion seems to be that all parties who interact with VISA and [other card issuers] are assumed to be in compliance with VISA and [their respective organization]’s security protocol, and that compliance with said protocol would successfully protect individual cardholders’ data from security breaches—but these intangible assumptions and the associated abstract reliance on the notion that compliance with the protocol would have prevented data breaches are not pled with sufficient particularity to state a claim nor do they suggest that Schnucks made a misrepresentation or provided patently false information,” the court wrote.

Contract claims did nothing to sway the court, which again distinguished the relationship between a cardholder and a merchant and a merchant and a financial institution. “It is easier to see how a contract might be implied between a cardholder and a merchant where the cardholder provides payment and walks away with tangible goods such as groceries, and in exchange the merchant receives electronic payment thus giving them value for the goods,” the court said. “This elementary transaction much more clearly contains the basic principles of a contract than the relationship between financial institutions and merchants.”

Further, the existence of explicit contracts governing certain aspects of the payment network implied that participants anticipated the need to allocate certain risks and entered into the contracts they saw fit to address the situation, Judge Reagan wrote. He also found it “implausible” to “conceptualize how the Plaintiffs would have done something additional on their end if they knew of the data security issues.”

The court dismissed the complaint in its entirety, albeit only with prejudice for the negligence claims, allowing the plaintiffs to file an amended complaint with greater specificity.

To read the memorandum and order in Community Bank of Trenton v. Schnuck Markets, Inc., click here.

To read the Complaint, click here.

Why it matters

The court acknowledged that “the parties are charting relatively new territory in the data breach context by presenting a case between financial institutions and a merchant,” but appeared to suggest that the presence of a “sophisticated” party such as a bank required a higher standard than a suit brought by a consumer. Significantly, a consumer class action brought by Schnuck customers over the data breach survived a motion to dismiss before the parties reached a settlement last year. Financial institutions should keep the Schnuck litigation in mind and be aware that they may face an uphill battle in data breach cases.

back to top

Payday Lender Pays $3.5M to Illinois AG

Keeping regulator focus on payday lending alive, Illinois Attorney General Lisa Madigan announced a $3.5 million settlement with a lender accused of violating the state’s cap on interest rates.

What happened

In 2014, Illinois Attorney General Lisa Madigan filed suit against All Credit Lenders, accusing the company of working around the 36 percent interest rate limit set by the Illinois Financial Services Development Act (FSDA) for small revolving credit loans.

The AG alleged that to avoid the interest rate limitation, All Credit labeled its charges as an “account protection” fee. According to the AG, this misled borrowers about the true nature of the charges, and thus the lender engaged in deceptive practices in violation of the state’s Consumer Fraud and Deceptive Business Practices Act as well as the federal Dodd-Frank Wall Street Reform and Consumer Protection Act.

Madigan alleged that All Credit’s “account protection” fees (about $11-$15 for every $50 in outstanding balance, charged biweekly) operated as a disguised interest rate that in some cases could reach 500 percent. According to the complaint, the revolving credit loan product with the account protection fee was also “unfair, abusive and designed to place consumers in an endless cycle of debt.”

To settle the suit, All Credit agreed to immediately stop offering the revolving line of credit and to waive and deem paid in full all loans that included the fee. The lender will pay a total of $3.5 million; $200,000 has already been paid in restitution to borrowers who were unemployed or receiving Social Security at the time they received their loan, as well as borrowers who filed complaints with the AG’s office.

The AG’s office also reached agreements with five other unidentified lenders in the state that offered similar loan products who are also required to stop offering the product and cease collecting on such loans.

“These are egregious violations of the payday reform law we fought to put in place to protect consumers from outrageously expensive loans,” Madigan said in a statement. “All Credit Lenders and these other operators concoct illegal fees and costs, then fail to disclose them, and as a result, consumers end up owing enormous amounts outlawed by our reforms.”

To read the final judgment and consent decree in Illinois v. CMK Investments, Inc., click here.

Why it matters

While announcing the settlement, Illinois AG Madigan also took the opportunity to indicate her support for the Consumer Financial Protection Bureau’s (CFPB) proposed payday lending rules. In her comments filed with the Bureau, Madigan praised the establishment of a nationwide minimum standard for small loan lenders as well as the creation of a nationwide database of such lenders. The Illinois action serves as a reminder that payday lenders remain in the crosshairs of both state and federal regulators.

back to top

manatt-black

ATTORNEY ADVERTISING

pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved