Computer-Security Incident Notification Requirements for Banks Become Effective
By Rachael L. Aspery, McGlinchey Stafford, PLLC
On November 23, 2021, the Board of Governors of the Federal Reserve System (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”), jointly issued a final rule with respect to establishing notification requirements for computer-security incidents for banking organizations and bank service providers in order to promote early awareness of emerging threats and enable the agencies to react to the threats before the threats become systemic (“Final Rule”). The Final Rule went into effect on April 1, 2022, with a compliance date of May 1, 2022. The Final Rule is applicable to all banking organizations that are supervised by the Federal Reserve, OCC, and FDIC, but does not apply to designated financial market utilities under 12 U.S.C. § 5462(4).
The Final Rule defines a “notification incident,” which includes a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the bank’s operations; results in customers being unable to access their deposit and other accounts; or impacts the stability of the financial sector. The types of incidents can include major computer-system failure or a cyber-related interruption such as a ransomware attack. The Final Rule also defines a “computer-security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
A banking organization is required to notify the Board within thirty-six hours after the bank determines the notification incident occurred. If a bank is unsure whether a notification incident occurred, it is encouraged to still contact the Board. A bank service provider is required to notify each affected bank customer’s point of contact as soon as possible once it determines that it has experienced a computer-security incident. If the bank has not appointed a point of contact, the bank service provider must notify the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals with comparable responsibilities, through any reasonable means. If a bank service provider has any doubt as to whether there is a material disruption or degradation in services that were provided to its banking organization customer for four or more hours that would cause a material adverse impact on the bank, the Board encourages the bank service provider to contact its banking organization customer or its own legal adviser.
17 State Attorneys General Express Concerns with the CFPB’s “Junk Fees” RFI
By Jaline Fenwick, McGlinchey Stafford, PLLC
On January 26, 2022, the Consumer Financial Protection Bureau (CFPB) issued a Request for Information Regarding Fees Imposed by Providers of Consumer Financial Products or Services (“RFI”). The CFPB indicated its desire to mitigate charges like credit card late fees and overdraft and non-sufficient funds fees, which it said accounted for billions of dollars in 2019. The CFPB stated that its goal is to “strengthen competition in consumer finance by using its authorities to reduce these kinds of junk fees.”
On April 11, 2022, seventeen state attorneys general submitted a comment for the RFI. Initiated by Texas and Utah, the states’ comment expressed concern that the RFI was sufficiently broad to potentially encompass a number of fees, including fees specifically authorized or regulated by state law. In their reply, the states noted that they “have carefully weighed consumer protection interests and the open and transparent operation of markets in a manner intended to deliver the maximum benefit to the interests of their states” and “are much better positioned to understand and assess the diverse interests of their states.” Additionally, the states believe that the CFPB authority is limited with respect to regulating fees and pointed out these limitations. The states also expressed their view that more federal oversight would be redundant because states already regulate many fees for consumer financial products and services. The comment goes on to explain that the states are willing to work with the CFPB to promote its statutory purpose of “ensuring that all consumers have access to markets for consumer financial products and services and that markets for consumer financial products and services are fair, transparent, and competitive.” However, the states argued consumers and consumer financial services markets are better served when federal and state entities collaborate. Therefore, the CFPB’s view that its authority may be superior to that of the states with respect to these fees is a cause for concern. The states explained that the CFPB’s “approach is especially troubling in the context of this RFI, which pointedly fails to acknowledge the significant role state law plays in many aspects of the fees implicated by the RFI. Unfortunately, the only role the CFPB contemplates for states is to provide comments to the RFI, along with consumers, consumer advocates, and industry.”
In sum, the states ask the CFPB to “abandon its apparent determination to adopt an uncooperative posture” and work with them with respect to existing state laws on fees.
CFPB Issues Report on Characteristics of Homeowners Who Remain in Forbearance as Pandemic Protections Expire
By Christopher Greenidge & Sanford Shatz, McGlinchey Stafford, PLLC
Almost eight million borrowers entered forbearance plans during the pandemic, including those plans available under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Many borrowers have exited their forbearance plans. As a follow-up to its May 2021 report, the Consumer Financial Protection Bureau (CFPB) recently published an updated report on the characteristics of mortgage borrowers who remained under the protection of a forbearance plan as of January 2022 to help understand their demographics and financial capacity.
The CFPB’s findings include, among others:
- “The share of mortgages in forbearance fell significantly for minority and non-minority borrowers between March 2021 and January 2022. Decreases in the rate of forbearance were relatively larger for non-white than for white borrowers with the largest decreases occurring among Hispanic and other race borrowers.”
- “Black and Hispanic borrowers were overrepresented among those in forbearance. Black and Hispanic borrowers accounted for a combined 31.2 percent of forbearances, while only accounting for 18.2 percent of the overall sample of borrowers. Furthermore, Black borrowers were 2.8 times more likely and Hispanic borrowers were 1.6 times more likely to be in forbearance compared to white borrowers.”
- “Borrowers in forbearance as of January 2022 appear to have less financial capacity, on average, than borrowers in forbearance as of March 2021. Among mortgage borrowers who were pre-COVID delinquent, the rate of forbearance fell 46 percent between March 2021 and January 2022, whereas the rate of forbearance fell 74 percent over the same period for borrowers who were pre-COVID current.”
- “Mortgage borrowers with current (or mark-to-market) loan-to-value (LTV) ratios over 95 percent had significantly higher rates of forbearance compared to loans with lower LTV ratios in January 2022. However, this population of borrowers accounted for a small share of forbearances (1.0 percent).”
The borrowers identified in this report who still remain in forbearance should be monitored. Additionally, financial institutions should reach out to these persons through the end of forbearance to help them transition to performing loans.
CFPB Publishes Bulletin on Medical Billing and Collection Complaints
By Eric Mogilnicki & Ben Seymour, Covington & Burling LLP
In an April 20, 2022, bulletin, the Consumer Financial Protection Bureau analyzed consumer complaints related to medical debt that the CFPB received in 2021. The Bureau argued that consumers’ complaints demonstrate that medical debt “poses special risks to individuals and families” given the often unexpected nature of medical costs and the complexity of health insurance programs. The bulletin observed that consumers frequently submitted complaints regarding erroneous or already-paid medical debts, particularly when those debts appeared on consumers’ credit reports. Although the Bureau recognized that the three nationwide credit reporting agencies recently committed to removing most paid medical debt tradelines from consumers’ credit reports, the bulletin claimed that the volume of complaints in 2021 “raises questions . . . as to legal compliance of market participants” identified in consumers’ submissions to the Bureau. In a statement on the bulletin, Bureau Director Rohit Chopra added, “The credit reporting system should not be used as a weapon to coerce patients into paying medical bills they do not owe.”