Take a look at the latest third-party risk updates and articles our experts recommend during the month of May to make sure you're staying on top of the latest vendor management news.
Recently Added Articles as of May 21
In this week’s news, did you know you can get a free credit report EVERY week (rather than every year) for a while now? Also, we learn about some settlement news from the CFPB as well as more instruction from the agency about how to handle the current crisis. And, the FDIC made its annual routine adjustments to the exam manual. You won’t want to miss these important updates.
First Data reaches a $40.2 million settlement with the FTC: First Data and a former executive will pay over $40.2 million to the FTC to settle laundering charges. The company and former executive committed fraud by turning a blind eye while its payment processing services were being used to scam consumers. Oh, and they won’t only be required to pay the very hefty fine. First Data is also prohibited from assisting or facilitating FTC Act violations related to payment processing.
Weekly credit reports now available: This just in. Given the current pandemic environment, many people are feeling more uneasy than ever about their financial condition. To help with this, Experian, Equifax and TransUnion are giving consumers weekly access to monitor their credit report, all free of charge.
FTC commissioner pushes for a federal privacy law: It’s the big debate that’s been going on for years. Should there be a federal privacy law, or shouldn’t there be? The FTC commissioner would like a federal privacy bill that prevents state law; she shared that it would be incredibly helpful given the complex issues surrounding the use of data.
Equifax shells out $30.5 million in a deal with banks and credit unions: Equifax will pay over $5 million to thousands of banks and credit unions and spend $25 million, at a minimum, on these banks’ and credit unions’ data security. This is a result of claims from the massive 2017 data breach. The banks and credit unions feel their extra efforts, both time and money, to protect their consumers are a direct result of the massive breach.
CFPB statement on financial firms’ responsibilities during the pandemic: Last week, the CFPB released a statement and FAQs sharing what financial firms need to know regarding their responsibilities during the COVID-19 pandemic. It’s encouraged that firms continue to waive fees, lower minimum-balance requirements, implement changes in account terms to benefit consumers and more.
FDIC publishes updates to exam manual: The FDIC has been busy updating their exam manual. Six areas were updated, including the pre-examination planning and pre-examination information packet template sections. Check out the updates to understand changes to the pre-examination planning process.
CFPB and Monster Loans agree to an $18 million settlement: Between the years 2015 and 2017, Monster Loans violated the Fair Credit Reporting Act (FCRA) by misleading student-debt loan relief companies and consumers. The loan company obtained consumer-report data for over 7 million people with student loan debt and said that they were going to use the credit information to offer mortgage loans to the consumers. Instead, Monster Loans offered the reports to student-debt loan relief companies to help with marketing their services. And, they continued their deceptive behavior by creating a sham entity to unlawfully obtain even more consumer reports. It didn’t stop in 2017: from 2017 to 2019 they unlawfully obtained consumer reports for an additional 12 million consumers.
OCC issues Bulletin 2020-51: In response to the pandemic, and many banks considering changes to their annual meetings, the OCC issued Bulletin 2020-51 to address the inquiries. And, the bulletin addresses regulatory requirements specific to federal savings associations that could delay their annual meetings, too.
Recently Added Articles as of May 14
This week heats up with regulatory issues galore, from a UDAAP resurgence and new NSCC cybersecurity requirements, to hefty penalties for a Colorado mortgage-loan servicer. Meanwhile, although much of the world still seems to be on pause, regulators are hard at work spearheading both guidance and enforcement, and CCPA 2.0 is looking like it may indeed get its spot on the 2020 ballot. Read on for more in the headlines this week!
UDAAP reclaims seat at the regulatory table: Credit unions won’t be sleeping as easy now that Unfair, Deceptive, and Abusive Acts and Practices (UDAAP) has risen from the depths and taken a big bite out of an unsuspecting payday lender, a company known as Cottonwood Financial, Ltd. The company operates as a non-depository lender of title loans, payday loans and high-interest small dollar loans. The CFPB found that the lender’s practices, which included calling some borrowers 15 times or more in one day and calling friends, family members and even employers after being told that continued calls could jeopardize the borrower’s employment, were in violation not of fair debt collection, but of something else we haven’t heard from in a while. On the surface it seems more like a Fair Debt Collection Practices violation; however, the CFPB asserted that the lender was in violation of its UDAAP powers, amounting to “unfair acts or practices.” So, watch out. The moral of the story is, even if you’re not directly subject to FDCPA, you may not be safe from UDAAP.
CCPA 2.0 gets closer to general election ballot: It seems like the California Privacy Rights Act (CPRA), a ballot initiative aimed at protecting consumers from companies that collect large amounts of personal data, is even closer to getting its spot on the November 2020 ballot. Currently, 900,000 voters have signed the CPRA. However, if passed, CPRA would not go into effect until 2023, during which time the California state government would need to create a new agency in order to oversee and enforce the new privacy provisions.
Colorado mortgage-loan servicer to shell out $1.275M to consumers: Colorado witnesses a major mortgage servicer enforcement action with the CFPB's announcement of a settlement with Specialized Loan Servicing (SLS), LLC totaling $1.275 million. The action comes in response to the servicer’s violation of the Consumer Financial Protection Act of 2010, as well as its violation of RESPA and Regulation X. The monetary relief funds will go to mortgage borrowers who were entitled to protection from foreclosure but fell victim to SLS’ prohibited foreclosure actions. The servicer also failed to send evaluation notices to mortgage borrowers who were entitled to them. This is another example of a situation where you can learn from others' mistakes.
New cybersecurity regulations in the works: This year, around 3,000 organizations, including banks, securities brokerage firms and insurance carriers, experienced a significant shift in data security laws. This new law requires National Securities Clearing Corporation (NSCC) members to have confirmation of a cybersecurity program. Additionally, any organization that reports trade data to the NSCC may also be held to the same standard. The Cybersecurity Confirmation, which officially went into effect on December 9, 2019, is a form which must be signed by the submitting entity’s designated senior executive. The hope is that cybersecurity will no longer fly under the radar as a “nice-to-have,” and will instead become a regulatory “must-have.”
Privacy regulators are still hard at work, even during the COVID crisis: Amid the pandemic, a lot of things have been left on pause, but crime is certainly not one of them. Attorneys and other legal professionals have seen a huge uptick in privacy-related incident cases as a result of scammers using the pandemic as a convenient distraction for nefarious activities, and regulators have risen to the occasion, increasing both regulatory guidance and enforcement across a multitude of industries. However, while new privacy regulations have cropped up across the country, it seems we may still be a ways away from a federal privacy law.
Recently Added Articles as of May 7
This week brings an interesting mix of new compliance bulletins and fresh updates to both the CFPB consumer complaint database and the IRS FAQ page. Also, in the mix: some hand slapping for misappropriation of the Paycheck Protection Program funds… oh, and the accidental funding to a convicted German smuggler (we kid you not) — that and more in the news this week! Take a peek.
CFPB releases an additional compliance bulletin: Last week, the Consumer Financial Protection Bureau (CFPB) issued an additional bulletin, Bulletin 2020-02, including additional details around how to handle information during mortgage servicing transfers. This bulletin works in tandem with a 2014 bulletin which was originally designed for CFPB examiners to use in order to see if certain policies and procedures were maintained appropriately by servicers during mortgage transfers, including details around post-transfer monitoring, data standards, agreements, document retention requirements and compliance risk.
Wells Fargo continues to struggle with regulatory compliance: It seems Wells Fargo continues to stub its toe around even the most basic of regulations. This time, Wells Fargo is in hot water as federal and state officials investigate the lender regarding its management of the Paycheck Protection Program loans. The bank is under fire for playing favorites with loan applications and is now being sued as a part of a class-action suit. This comes on the heels of Wells Fargo’s fake account scandal which cost the bank $3 billion. As a result of the settlement, the Department of Justice has the authority to pursue future criminal charges, and this recent issue is no exception.
CFPB upgrades consumer complaint database: Not only has the CFPB made moves to publicly disclose consumer complaints, it also announced this week that it has made a few tweaks to its consumer complaint database. Some of these enhancements will now allow users to select from a set of pre-defined time frames, view aggregate information about products consumers have filed complaints around, apply word searches and even view complaints complete with interactive U.S. geo-mapping. It seems even complaining has gone high-tech.
IRS clarifies CARES Act relief with a new set of FAQs: While this may be a little off the third-party risk management subject, we feel it’s important in today’s context. The IRS recently posted a new web page featuring facts around important, must-know information about Coronavirus-related relief for retirement plans. The page reviews the provisions of section 2202 of the CARES Act, which specifically reviews the special distribution options and rollover rules for both retirement plans and IRAs and includes additional loans for certain plans. We think it’s safe to say you can never really have too much information, especially when it comes to those hard-earned dollars.
Californian signatures qualify California Privacy Rights Act on November ballot: It seems the CCPA may get a sibling with the over 900,000 signatures submitted for the California Privacy Rights Act to be added to the November 2020 ballot. The California Privacy Rights Act (CPRA) gives consumers the power to take back control over our information from thousands of giant corporations and will provide a number of other protections including preventing businesses from using our sensitive personal information (such as information about our health or finances, and especially our exact location) without our consent. It also aims to protect children’s privacy and will triple 2018’s California Consumer Privacy Act fines for collecting and selling our children’s private information. It will also establish a new authority, the California Privacy Protection Agency, which aims to increase transparency and give consumers back control over their data.
American Express slapped with an OFAC violation: The American Express Travel Related Services Company, better known as “Amex,” was hit with a “Finding of Violation” by OFAC after it found the company issued a prepaid card and processed a number of transactions, totaling $35,246.82, to Gerhard Wisser, a Specially Designated National. Wisser was part of a 2015 operation that planned to smuggle materials to make nuclear weapons into Libya. This mistake was made due to human error and screen system issues; however, Amex has made remediation efforts and notified OFAC of the mistake. If there was ever a near-perfect compliance fable it’s gotta be this one: cross your T’s and dot your I’s so you don’t end up inadvertently supplying international criminals with cash.
COVID-19 signaling a shift to fully remote exams: COVID-19 continues to rack up changes to the way we live and do business, bank exams included. It seems social distancing due to the pandemic has stirred talk of a permanent shift to fully remote bank exams. Quarantine measures have forced all of us to test the limits of our typical routines, and when it comes to the banks, it seems regulatory officials feel that despite challenges, examiners haven't really experienced significant limitations across their supervisory territories. The Federal Deposit Insurance Corp. has ceased on-site bank examinations since mid-March. The OCC similarly has gone to virtually 100% remote exams, and according to Senior Deputy Comptroller Maryann Kennedy, even OCC examiners who typically work full time are now almost 100% remote. What do you think? Is full-time remote here to stay?