FDIC Signals Strong Support for De Novo Bank Formations

FDIC Signals Strong Support for De Novo Bank FormationsThe FDIC over the past few years has taken meaningful steps to facilitate and promote the formation of de novo banks. Late last week, the agency made several significant moves to bolster that effort. In separate actions, the FDIC:

  • issued a request for information seeking comments on how to improve the deposit insurance application process;
  • issued an update to its publication entitled Applying for Deposit Insurance – A Handbook for Organizers of De Novo Institutions and issued its Deposit Insurance Applications Procedures Manual in final form;
  • established a process to allow prospective organizers the option to request FDIC review of a draft deposit insurance proposal prior to filing an official application; and
  • republished its timeframe guidelines for processing deposit insurance applications for de novo banks and other filings.

These actions leave little doubt that regulatory conditions are more receptive to bank startups than at any time since the financial crisis, which should be welcome news for interested organizers and investors. For more information on the application process, including our own experiences, see our recent article De Novo Banks on the Rise.

Financial Institutions Targeted by “London Blue” Hackers Group

Financial Institutions Targeted by “London Blue” Hackers GroupA cyber threat detection company has identified a Nigerian-based hacking group that is engaging in a spearphishing campaign against financial institutions. Spearphishing is a directed email phishing campaign that is typically aimed at those with responsibilities relating to financial transactions. In this case, the group in question has compiled a list of over 35,000 CFOs working at financial institutions, with over half of them in the U.S. While the existence of this group, “London Blue,” and this list of CFOs is new, the scam the group is perpetrating, referred to as business email compromise, is not new. In fact, it is a progression of social engineering scams perpetrated in large part by Nigerians. The “Nigerian prince” email scam has been around almost as long as email, originating from a scam using written letters that dates back to the 1800s. The Nigerian prince scam typically identifies some wealthy individual that needs help transferring money with promises of riches in exchange for assistance. But first the mark has to contribute a small amount of money to facilitate the big payday. The Nigerians, having honed their social engineering skills with that scam, have now turned to the more organized and lucrative business email compromise scam.

What Is Business Email Compromise?

There is a reasonably high likelihood that your corporate email accounts are besieged by phishing emails with those handling financial transactions receiving more particularized treatment. Hopefully, all of it is being caught before it reaches your inbox. But if not, you may encounter several variants. Some try to trick you into entering your credentials into a fake login screen, allowing the perpetrator to capture your username and password. Others induce you to open a file or click a link that installs malware. This constant probing has been going on for years, but most people may not know what happens when the perpetrators succeed. Well, as we have seen in the news, there are all sorts of dangers that can spawn from such an attack. It can be the entry point for ransomware, an active ongoing attack (referred to as an advance persistent threat), or it could just be used passively to monitor until the time is right. But perhaps the most likely purpose is to gain access to perpetrate business email compromise.

The typical business email compromise involves the scenario where a party is duped into transferring money to a fraudulent account through email correspondence. While there are innumerable scenarios as to how it can play out, the typical scenario is that one or both parties to a transaction have their business email accounts compromised, and the perpetrator uses the compromised accounts to trick one party into wiring money to a fraudulent account.  This is often done by either intercepting a legitimate invoice and altering the details, or sending a follow up to an original invoice informing the payee that payment details have changed.

Fallout

These scams are particularly damaging because they often result in the loss of large sums of money and both parties to the transaction feeling aggrieved. One is out the money, and the other has not been paid for goods or services. They also leave victims feeling completely helpless when they finally figure out something went wrong. The responsibility often appears to fall to one or two people who, in hindsight, could have identified the attempt and avoided the transfer. But companies need to look beyond just one person’s actions. There are many layers of policies, procedures, and controls that can prevent business email compromise from succeeding.

What Can Be Done?

If you have gotten this far, you have taken the first and most important step of starting to educate yourself. First, you need to understand and accept that this is very common. The FBI has tracked over 40,000 incidents totaling over $5 billion in a three-year period ending in December 2016, and this number is only growing. Business email compromise was the No. 1 internet crime reported to the FBI in 2017 as ranked by victim loss. If you are involved in the transfer of money or managing those that do, you are one of the prime reasons that hackers are sending waves of phishing emails, and groups such as London Blue are using more and more sophisticated spearphishing means. They may specifically target you, or they may seek you out once they have already infiltrated your corporate network. In any case, the best assumption you can make is that every email that contains wire transfer instructions was not written by the person it purports to be from and the account numbers are not legitimate. In other words, trust emailed money transfer instructions at your own peril. Whatever convenience businesses may achieve from relying on emailed wire instructions is almost certainly offset by the huge risk created by the practice.

Every organization should perform a full risk assessment and implement best practices that are appropriate, but the following are some high-level considerations. Taking measures to secure email is a first step. There are many end point protection and network-level security controls that can help minimize the number of phishing emails that reach a user, prohibit a script or program from being run, or prevent a fake login screen that can be used to exfiltrate credentials. Nevertheless, even with a robust set of those controls in place, organizations should also take measures to minimize the ability of any unauthorized party that has credentials to access and use email and other aspects of the network. Many organizations use cloud hosted email services that come with huge vulnerabilities along with the convenience if they are not secured properly. Two-factor authentication is a big deterrent to unauthorized use of email. Also, restricting logins by location can help. There is no reason that merely getting a username and password should allow a hacker from another continent to login and use a corporate email account.

In addition to security controls, procedures around transferring money can all but solve this issue. It may sound simplistic but using some form of two-factor authentication for the confirmation of a wire transfer can defeat this scam in the vast majority of cases. This is typically done by voice verification, i.e., picking up the phone. This is critical because, in many cases, there is no amount of scrutinizing email correspondence itself that will eliminate the risk. It could be actually originating from the correct person’s email account, and everything could be precisely accurate except for the account number. So probably the most important takeaway is to take action today: Initiate procedures to protect your company by requiring a secondary confirmation either over the phone or some other way that is not tied to email credentials whenever a money transfer is involved.

It’s Too Late, So What Do I Do?

If you found this too late and just learned your company was victimized, you need to act very quickly. Immediately contact your bank that originated the transfer and the FBI to report it. Your bank may be able to reverse the transfer and recover some or all of the money, and the FBI has a dedicated portal for this type of activity. You will also want guidance from a trusted legal advisor to navigate these unfortunate waters. And, of course, whatever the outcome, incorporate it into lessons learned and prepare your organization to prevent future loss.

To Catch a Terrorist – Innovation, AI, and Public/Private Partnerships in the World of BSA/AML

To Catch a Terrorist – Innovation, AI, and Public/Private Partnerships in the World of BSA/AMLOn the heels of FinCen and Federal Banking Agencies releasing a joint statement “Encouraging Innovative Industry Approaches to AML Compliance,” Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker announced a new collaborative era during the American Bankers Association’s Financial Crimes Conference, and emphasized the need for private/governmental working relationships and partnerships in order to combat new and sophisticated avenues that fund terrorism and facilitate money laundering. The message is simple: As technology-enabled crime proliferates, private entities and governments alike must evolve and innovate to combat this growing threat.

The joint statement and Mandelker’s comments are tailored to build trust with financial institutions by focusing on three core principles – information, innovation, and targeted action, the focus on which, is beneficial to banks and companies who, in good faith, are working to strengthen their BSA/AML processes. The government wants financial institutions to “consider, evaluate, and where appropriate, responsibly implement” new machine learning technology to better detect suspicious activity, and regulatory bodies should, moving forward, support pilot programs for the use of emerging technology in data analytics rather than stifling good faith innovation with sometimes antiquated supervisory criticism.

Per Mandelker, the government is engaging in working groups to facilitate relationships with the industry, and it’s the government’s intent that the exchange of information about suspicious transactions and persons won’t be one-sided. The crux of machine learning and predictive intelligence relies on vast quantities of data—and organizations must be comfortable sharing that data in order to fully utilize the promise of these innovations. As a result, regulatory agencies are committing to sharing information with financial institutions. Of note, examples of the type of information the government believes essential to share with financial institutions are advisories, such as FinCen’s October 11, 2018, publication outlining red-flag activities by Iran used to exploit banking systems. Similarly, in the cryptocurrency regulatory “Wild West,” the government recently demonstrated its commitment to sharing information with private partners on a transaction-specific level by publicly sharing, for the first time, the digital currency addresses of cybercriminal co-conspirators involved in the recent SamSam malware attack that devastated cities, universities, and medical centers.

The government’s efforts to appear more approachable and enter the 21st century are welcomed by the industry as a much-needed update in the BSA/AML field, where compliance personnel find old frameworks increasingly difficult to apply to today’s real-world situations. As financial institutions invest in machine learning, blockchain and even branch into cryptocurrency (or customers who dabble in exchanges), BSA/AML protocols will continue to improve, and encouragement by the government is an overwhelming positive in the fight against terroristic financing.

Companies should consider how their current BSA/AML practices can be enhanced by current innovations and available data. A strong understanding of both the technology and the law will be essential as we move into a new age of data sharing between public enterprise and government regulators.

Canadian Confidential: Mandatory Data Breach Notifications under PIPEDA

Canadian Confidential: Mandatory Data Breach Notifications under PIPEDAWhile businesses and consumers were all agog to see the latest variation of the California Consumer Privacy Act passed earlier this year, Canada quietly introduced its latest permutation to the Personal Information Protection and Electronic Documents Act (PIPEDA), which imposes new mandatory breach notification obligations on companies engaged in the collection of Canadians’ personal information. U.S. companies engaged in business across the northern border or that collect personal information of Canadian citizens in the United States should take heed because PIPEDA’s reach is far ranging.

By way of background, PIPEDA is built upon a foundation of 10 fair information principles – accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance. Keen observers may note similarities with certain principles announced in the General Data Protection Regulation’s (GDPR)’s Recitals, but Canada’s 10 principles hew to the tenets set forth in the Model Care for the Protection of Personal Information, which has been recognized as a Canadian national standard since 1996. With these principles in mind, on April 13, 2000, Canadian legislators enacted PIPEDA, which was later amended by the Data Privacy Act on June 18, 2015. The Data Privacy Act set forth new mandatory breach notification obligations, but these obligations were put on hold until November 1, 2018.

All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA regardless of which province or territory they are based. Moreover, Canadian courts have ruled that U.S. companies with no operations in Canada may still be subject to PIPEDA if they collect the personal information of Canadian citizens. Even the indirect collection of Canadians’ personal information, such as through a service contract, would subject a U.S. company to PIPEDA. In short, U.S. companies should be hyper aware of any transaction that could involve the collection of Canadians’ personal information and ensure that their business practices are compliant with PIPEDA.

There are three main mandatory breach notification obligations as set forth under PIPEDA. First, an organization subject to PIPEDA must keep records of all situations involving a “breach of security safeguards,” which is defined as the loss of, unauthorized access to, or unauthorized disclosure of personal information. “Personal information” is defined quite broadly to apply to any information that can be linked to an individual and includes such mundane information as age, name, ID numbers, income, and ethnic origin, but also includes out of the ordinary information such as blood type, opinions, evaluations, comments, and social status, among others. That said, exclusions exist for businesses collecting, using, or disclosing certain business contact information of an individual solely for the purpose of communicating or facilitating communication with the individual in relation to the individual’s employment, business, or profession. A “commercial activity” is any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Second, covered organizations must provide written notice of a breach to the Privacy Commissioner of Canada if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. The report to the commissioner would need to describe the breach, when it occurred, the personal information at issue, the estimated number of individuals affected, and the steps that the organization is taking in response.

Third, covered organizations must notify affected individuals if it is reasonable to believe that the breach creates a real risk of significant harm to the individual. In addition to the information that should be provided to the commissioner, the notice to the individual would need to include information about the business’ complaints process and the individual’s rights under PIPEDA.

Additionally, businesses are obligated to keep and maintain records of every breach of security safeguards. They also must, on request, provide the commissioner with access to copies of these records. The regulations require records of breach to be maintained for 24 months after the date that the business determined that the breach occurred.

Any breach of these obligations may result in the imposition of a fine not exceeding $100,000 for each time an individual is affected by a security breach.

Unlike the notice to the commissioner that must be in writing, an organization can notify affected individuals in person, by telephone, via mail or email, or any other form of communication that a reasonable person would consider appropriate in the circumstances. In a nod to the practicalities of an organization dealing with the immediate aftermath of a breach, PIPEDA only requires notice to be provided “as soon as feasible.”

Unlike the American privacy system, which is a hodgepodge of state and federal laws, the Canadian approach is unified and comprehensive. U.S. companies should review their privacy policies and update their incident response plans to account for data of Canadian citizens. Failure to do so may result in financial damages as well as reputational loss. With these amendments to PIPEDA, Canada is cementing its position as a protector of its citizens’ privacy. Those doing business in the Great White North should engage accordingly.

De Novo Banks on the Rise

From 2000 to 2007—the seven years leading up to the recent financial crisis—the FDIC received more than 1,600 applications for deposit insurance, an average of more than 200 per year. MoreDe Novo Banks on the Rise than 1,000 new banks ultimately were formed over this same period. During and following the financial crisis, however, de novo bank formations became almost nonexistent. The reasons were understandable. De novo banks failed during the financial crisis at a higher rate than similarly sized established banks.  Regulators were more focused on problem institutions and systemic risk to the economy. Heightened regulatory oversight within the industry increased compliance costs. Low interest rates and narrow net interest margins reduced profits. And economic uncertainty dampened investor interest. Over the past two years in particular, there has been renewed interest in establishing de novo banks as general economic conditions have strengthened and ongoing consolidation within the banking industry has created a large pool of experienced banking executives and professionals.

Consistent with these favorable conditions, the FDIC has signaled its support for de novo bank formations. The FDIC has acknowledged in public statements the importance of new banks “to preserve the vitality of communities, fill important gaps in local banking markets, and provide credit services to communities that may be overlooked by other financial institutions.” The FDIC also has taken several meaningful steps to help revive de novo bank applications. These steps included reducing the heightened supervisory period for de novo banks from seven years to the pre-crisis three years, and publishing a handbook titled Applying for Deposit Insurance: A Handbook for Organizers of De Novo Institutions to assist organizers with the application process.

Since the beginning of 2017, the FDIC has approved 14 de novo applications, and two new applications currently are in process. While these numbers remain well below pre-financial crisis levels, the upward trend is clear and encouraging. Now may be the time for interested organizers who have remained on the sidelines to consider forming a de novo institution. Those moving forward with plans should be mindful of the following key considerations of the FDIC in evaluating an application for deposit insurance:

• Soundness of the Proposed Institution’s Business Plan

The business plan provides a guide for the first three years of the institution’s operations. A comprehensive, well-constructed, and well-supported business plan is required to demonstrate that the institution has a reasonable probability of success, will operate in a safe and sound manner, and will have adequate capital to support the institution’s risk profile.

• Qualifications of the Proposed Board of Directors and Senior Management

Selecting a qualified board of directors and management team is one of the organizers’ most significant responsibilities. The quality of management (including directors and officers) is the single most important contributor to the success of any institution. For this reason, it is important that candidates for director and officer positions have experience that corresponds to the proposed institution’s specific products and services, markets, and activities.

• Adequacy of the Proposed Capital

Because each proposed de novo institution is unique in terms of its business plan, management team, market competition, and local economy, the FDIC does not prescribe a minimum dollar level of capital. Instead, the FDIC and the state or federal chartering authority consider the unique factors of each proposal and set a minimum capital requirement based on an evaluation of the proposed institution’s market dynamics, anticipated size, complexity, activities, concentrations, and business model. The FDIC and the chartering authority will require higher capital if the proposal presents more than routine risk or novel characteristics. The initial capital required for applications recently approved is in the $20 million to $40 million range. Importantly, most of these banks raised capital well in excess of the minimum requirement—another indication of strong market interest.

While each application is unique, in our experience, interested organizers should expect a timeline for approval of six to eight months after filing the application. A minimum of two to three months also should be reserved for pre-filing planning and preparation.

The process of forming a de novo bank today is different in many ways from the process that existed prior to the financial crisis, and it remains a challenging and occasionally agonizing endeavor. It is clear, however, that current economic and regulatory conditions are more receptive to bank startups than at any time since the financial crisis, which should be welcome news for interested organizers and investors.

Safe Streets Alliance v. Hickenlooper Provides Good News, Bad News, and Instructions to the Cannabis Industry and the Financial Institutions Serving It

<i>Safe Streets Alliance v. Hickenlooper</i> Provides Good News, Bad News, and Instructions to the Cannabis Industry and the Financial Institutions Serving ItFor years, the “legal” cannabis industry – operating in states that have legalized cannabis under state law despite its long-standing prohibition under federal law – and the financial institutions that serve the industry have closely watched Safe Streets Alliance v. Hickenlooper. In Hickenlooper, Safe Streets Alliance, a “nonprofit organization devoted to reducing crime and illegal drug dealing,” and a family (Plaintiffs) that owned land surrounding a Colorado cannabis farm (Farm), sued the Farm and its dispensary customer (Dispensary) (collectively, Companies), alleging those entities were engaged in a racketeering operation by respectively growing and selling cannabis, which is illegal under the Controlled Substances Act (CSA). Plaintiffs alleged they were entitled to damages under the citizen-suit provision of the Racketeer Influenced and Corrupt Organization Act (RICO).

The cannabis industry breathed a sigh of relief on October 31, 2018, when a federal jury sided with the Farm, finding that Plaintiffs failed to prove the Farm’s operations damaged them. While this verdict was a clear win for the industry, Hickenlooper’s somewhat convoluted procedural history reveals potential pitfalls for cannabis businesses and the ancillary businesses providing services to them. In particular, the Tenth Circuit’s reversal of the United States District Court for the District of Colorado’s earlier dismissal of the case arguably provides a blueprint for alleging RICO claims against cannabis-related businesses that can survive a motion to dismiss, opening the door to discovery and a potential trial. This weaponized litigation is a tactic developed, and expected to be broadly used, by anti-legalization organizations like Safe Streets in an attempt to turn the tide against legalization.

This article analyzes Hickenlooper and provides several takeaways for the legal-cannabis industry and financial institutions that provide or are evaluating whether to provide financial services to the industry.

The RICO Claims

RICO provides private citizens with a federal cause of action for “injur[ies]” to their “business or property” caused by a pattern of racketeering activity. Under RICO, “racketeering activity” includes “any offense involving … the felonious manufacture, importation, receiving, concealment, buying, selling, or otherwise dealing in a controlled substance” as defined in the CSA, including cannabis.

To succeed on a RICO claim, the plaintiff must prove that (1) the defendant engaged in a pattern of racketeering activity; (2) the plaintiff’s business or property was injured; and (3) the racketeering activity caused the injury. In Hickenlooper, Plaintiffs alleged that by cultivating and selling cannabis, the Companies engaged in racketeering activity that devalued Plaintiffs’ land and interfered with their present use and enjoyment of it because the Farm invited crime, and the Farm’s “distinctive and unpleasant smell” was detectable on their land.

The District Court Grants the Companies’ Motion to Dismiss

The Companies moved to dismiss the RICO claims, arguing that Plaintiffs alleged only a “speculative injury” to their land’s value, rather than providing the “proof of a concrete financial loss” required under a heightened RICO pleading standard that the Companies argued applied. The district court agreed and granted the motion. While the court noted Plaintiffs’ allegation that the Farm’s odor invaded their land “permit[ted] a reasonable inference that” the land was devalued, it nonetheless dismissed their RICO claims because Plaintiffs “provide[d] no factual support” or “concrete evidence” to “quantify or otherwise substantiate their inchoate concerns as to the diminution in value of their property.”

The Tenth Circuit Reverses the Dismissal

The Tenth Circuit reversed the district court for improperly applying this heightened-pleading standard to dismiss adequately-pled RICO claims. Perhaps most importantly, the Tenth Circuit articulated what appears to be a per se rule that cultivating and selling cannabis is “by definition” a “racketeering activity” under RICO because, regardless of whether it is legal under the laws of the state where it occurs, it is illegal under the CSA. Further, the Tenth Circuit held that Plaintiffs adequately alleged the Farm and Dispensary formed an “association-in-fact enterprise” – an enterprise comprised of “a group of persons associated together for a common purpose of engaging in a course of conduct” – by alleging the Companies “pooled their resources, knowledge, skills, and labor” to grow cannabis on the Farm to sell at the Dispensary.

Next, the Tenth Circuit explained that Plaintiffs sufficiently pleaded that the Companies each had a part in conducting the unlawful enterprises’ affairs, noting the Companies “admit[ted] that they all ‘agreed to grow marijuana for sale’” at the Farm. The Tenth Circuit noted this same admission in holding that Plaintiffs adequately alleged the Companies were engaged in a “pattern of racketeering activity” by “plausibly stat[ing] the requisite patterns of predicate acts that present a threat of ongoing criminal activity.”

Turning back to the damages element, the Tenth Circuit held the district court erred by requiring “evidence of a ‘concrete financial loss’ (e.g., an appraisal quantifying the diminution in property value or comparator results of attempts to sell predating and postdating a RICO violation) to plausibly allege” an injury caused by the Farm’s operations. The Tenth Circuit explained it had “little difficulty” concluding that Plaintiffs “plausibly pled an injury to their property rights caused by the stench that the [Farm]’s operations allegedly produce,” and that it “need only draw an eminently reasonable inference to conclude that it is plausible that activities that interfere with one’s use and enjoyment of property diminish the value of that property.” The Tenth Circuit also noted that at the pleading stage, the district court was not “at liberty to disbelieve the [Plaintiffs] by ratifying the [Companies]’ speculation that the value of the [Plaintiffs]’ land has, perhaps, increased because of the now-booming market in Colorado for land on which to cultivate [cannabis].” Notably, the Tenth Circuit did affirm the dismissal of the RICO claims premised on other non-cognizable injuries, such as the speculative future decrease in value of Plaintiffs’ land and the alleged injuries that arose each time they viewed the Farm because it was “a constant reminder of the crimes occurring therein.”

The Tenth Circuit concluded by reversing the district court, but limited its holdings:

We are not suggesting that every private citizen purportedly aggrieved by another person, a group, or an enterprise that is manufacturing, distributing, selling, or using [cannabis] may pursue a claim under RICO. Nor are we implying that every person tangentially injured in his business or property by such activities has a viable RICO claim. Rather, we hold only that [Plaintiffs] alleged sufficient facts to plausibly establish the requisite elements of their claims against the [Companies] here.  [Plaintiffs] therefore must be permitted to attempt to prove their RICO claims.

The Companies Prevail at Trial

Plaintiffs failed to prove their claims at trial. The Farm established that its business is legal under state law, licensed by the state, and located on land zoned for agriculture. Because Plaintiffs’ land was also zoned for agriculture, the Farm argued that Plaintiffs should have expected the surrounding land would be used for that purpose. A chemical engineer testified that while he detected the Farm’s odor at a few discrete locations on Plaintiffs’ land using a Nasal Ranger detection device, the levels at each location were below the device’s lowest measurement. The jury also heard from several experts regarding the Farm’s impact on the value of Plaintiffs’ land. After trial, the jury found that Plaintiffs failed to prove damages, and judgment was entered in the Farm’s favor.

Takeaways

Hickenlooper is a blessing and a curse for the cannabis industry and the financial institutions that serve it. The cannabis industry obviously celebrates the jury verdict, which provides potential cannabis defendants with a roadmap of sorts for defeating the damages element of a RICO claim based on the alleged nuisance created by a cannabis business.

On the other hand rests the Tenth Circuit’s published decision establishing that – at least in Colorado, Kansas, New Mexico, and Oklahoma – “the manufacture, distribution, and sale of [cannabis] is, by definition, racketeering activity under RICO,” a holding that appears well supported by RICO’s plain language. The Tenth Circuit also seemed to set a low bar for pleading that several entities are part of an “association-in-fact enterprise” in this particular context, and courts have held that banks can be part of an association-in-fact enterprise in RICO suits arising in other contexts. To be part of such an enterprise, however, the Tenth Circuit explained that an entity “must have some part in directing the enterprise’s affairs” – “simply provid[ing], through its normal course of business, goods and services that ultimately benefit the enterprise” is not enough.

Fully mitigating the legal risk of transacting with cannabis-related businesses is not possible so long as cannabis remains illegal at the federal level under the CSA. Financial institutions that choose to do so may mitigate that risk by avoiding covenants that provide the institution with the ability to direct any part of the cannabis-related business’s operations to avoid being deemed an “association-in-fact enterprise” with that business in a RICO suit. To balance this concern with their standard business practices, financial institutions should consult outside counsel familiar with lending issues unique to the cannabis industry before entering this space.

Court Stays Compliance Date for BCFP’s Payday Rule

Court Stays Compliance Date for BCFP’s Payday RuleOn Tuesday, the small-dollar lending industry received a favorable ruling in Community Financial Services Association of America v. CFPB. A Texas federal court reversed course by staying the August 19, 2019, compliance date for the Bureau of Consumer Financial Protection’s (BCFP) rule regarding “Payday, Vehicle Title, and Certain High-Costs Installment Loans.” The court also continued a stay on the underling litigation previously issued on June 12, 2018. This latest ruling was prompted by the BCFP’s October 26, 2018, announcement that it would revisit key portions of the rule — specifically, the ability-to-repay provisions and address the compliance date of the rule as early as January 2019. Judge Lee Yeakel had previously denied the parties’ request to stay the rule’s compliance date in June. At that time, the industry trade groups Plaintiff Community Financial Services Association of America, Ltd. and the Consumer Services Alliance of Texas were hoping to stay the compliance date for 455 days after any final judgment in the case.

Unfortunately, the court failed to specify how long the stay on the rule’s compliance date will remain in place, only finding it was “pending further order of the court.” Our best guess is that the court will keep the stay in place at least through March 1, 2019, when the parties’ next joint status report is due. By then, the BCFP’s new proposal should be issued. What is unclear is whether any parts of the existing rule, e.g., the payment provisions, will still be tied to the August 19, 2019, compliance date when the stay is lifted. The BCFP has indicated that it will address the compliance date as part of the new proposal, but that may be a hard sell to consumer advocate groups. It is certainly possible that the August 19, 2019, compliance date will still be in play for some parts of the rule. For that reason, lenders should begin focusing their attention on the payment provisions until further guidance is issued from the court or BCFP.

First Party Creditors Should Carefully Consider the Upcoming Debt Collection Rules

First Party Creditors Should Carefully Consider the Upcoming Debt Collection RulesOn October 17, 2018, the Bureau of Consumer Financial Protection (BCFP), formerly known as the CFPB, announced that it plans to issue a Notice of Proposed Rulemaking (NPRM) for the Fair Debt Collection Practices Act (FDCPA) by March 2019. The NPRM will likely have a dramatic impact on collection practices for debt collectors. But, what about first party creditors? Did the Supreme Court’s decision in Henson v. Santander Consumer USA, Inc. obviate the necessity for first party creditors to comply with the BCFP’s debt collection rules?

Impact of Henson

In mid-2017, the United States Supreme Court issued a significant decision in Henson regarding the universe of companies subject to potential liability under the FDCPA. In a unanimous decision authored by Justice Neil Gorsuch, the Supreme Court held that companies that buy defaulted debts are not “debt collectors” under the FDCPA because they are not, by definition, “collect[ing] or attempt[ing] to collect . . . debts owed or due . . . another,” under 15 U.S.C. §1692a(6).

A cursory review of Henson might suggest that first party creditors, even when buying debts in default, are not subject to the FDCPA and therefore would likely not be subject to any rulemaking under the FDCPA. The Supreme Court in Henson, however, refused to consider the plaintiffs’ arguments that Santander was a debt collector because it allegedly regularly attempts to collect debts and because it is allegedly engaged in a business “the principal purpose of which is the collection of any debts.” Since the Supreme Court’s decision in Henson in 2017, these two aspects of the definition of debt collector in the FDPCA have become the primary battleground for consumer litigation under the FDCPA. Indeed, a number of courts over the last year have held that first party creditors qualify as debt collectors under the FDCPA’s “principal purpose” prong. See, e.g., Norman v. Allied Interstate, LLC, 310 F. Supp. 3d 509, 514-15 (E.D. Pa. 2018) (“[D]ebt buyers whose principal purpose of business is debt collection . . . are debt collectors under the [FDCPA].”); Tepper v. Amos Financial, LLC, 898 F.3d 364, 370-71 (3rd Cir. 2018); but see Bank of New York Mellon Trust Co. N.A. v. Henderson, 862 F.3d 29 (D.C. Cir. 2017) (holding that Bank of New York, which regularly purchased and collected on defaulted loans, was not a debt collector under the FDCPA because there was no evidence to indicate its principal purpose was debt collection). Until the Supreme Court weighs in again on the definition of debt collectors under the FDCPA, first party creditors should not simply assume the FDCPA does not apply. Additionally, it is conceivable that the BCFP’s upcoming NPRM could provide a broad interpretation of the “principal purpose” prong that would apply the new rules to first party creditors. While this seems somewhat unlikely under the current BCFP leadership, that was presumably the BCFP’s intention under former Director Richard Cordray.

Application via Unfair, Deceptive or Abusive Acts and Practices

Even if the BCFP’s new debt collection rules do not apply directly to first party creditors under the FDCPA, first party creditors should consider the possibility of liability for unfair, deceptive or abusive acts and practices (UDAAP) before discounting the NPRM.

In the mortgage servicing space, the BCFP, under former Director Cordray’s leadership, entered into Consent Orders with one or more servicers in 2014 for conduct that violated the BCFP’s mortgage servicing rules using an exam period that predated the effective date of the servicing rules. Under a similar line of thinking, it would not take a significant logical leap for the BCFP or another regulator to interpret a violation of the standards of conduct under the FDCPA as constituting a UDAAP for a first party creditor. Indeed, portions of the FDCPA specifically define certain behaviors as abusive and unfair. See 15 U.S.C. §§ 1692d, 1692f.

While it would be easy to assume the current leadership at the BCFP would not take such a stance given the stated intention of ending “regulation by enforcement,” the BCFP’s most recent consent order sends a different message. In the BCFP’s October 2018 Consent Order with Cash Express LLC, the BCFP used its UDAAP authority to apply violations of the FDCPA to a non-debt collection company. Even if the BCFP ultimately chooses not to utilize its UDAAP authority in this manner, Section 1042 of the Dodd-Frank Wall Street Reform and Consumer Protection Act provides state attorneys general and state regulatory agencies with the ability to enforce UDAAP violations. This enforcement structure significantly complicates and expands upon the potential risks that may be present for first party creditors. As a result, first party creditors should carefully consider the potential impact of the BCFP’s upcoming NPRM to its current collection practices.

Right Consumer, Right Amount

The BCFP’s original outline of proposed debt collection rules in 2016 incorporated robust data integrity requirements for debt collectors and creditors that supply information to debt collectors. In June 2017, the BCFP, under former Director Cordray, announced that it would take a bifurcated approach to addressing the issues detailed in the outline of proposed debt collection rules. Specifically, the BCFP stated it would develop a separate rule regarding the “right consumer, right amount” aspect of the outline. Given the large percentage of complaints categorized as “attempts to collect debts not owed” in the BCFP’s recent 50-State Complaint Snapshot, the BCFP may opt to change course and address the “right consumer, right amount” aspect of the proposed rule at the same time as the other components set forth in the 2016 outline. If so, the data integrity standards would obviously carry significant importance to first party creditors that engage in debt sales.

Debt collectors, debt sellers, and creditors will have an opportunity to impact the BCFP’s debt collection rules by commenting on the draft rules when they are released in 2019.

BCFP 50-State Complaint Snapshot Contains Lesson for Debt Collection Industry

BCFP 50-State Complaint Snapshot Contains Lesson for Debt Collection IndustryEarlier this week, the Bureau of Consumer Financial Protection (BCFP) released a 50-State Complaint Snapshot. Credit reporting, debt collection, and mortgage continued to be the top three categories of complaints both nationwide and in most states. The percentage of consumer reporting complaints did increase by 11 percent from 2016 to 2017 and surpassed debt collection as the number one source of complaints, which suggest financial services companies, including debt collectors, should increase their focus on furnishing complete and accurate data to consumer reporting agencies. While the complaint snapshot was largely unremarkable, one significant trend emerged.

The highest percentage of debt collection complaints, both nationally and in every state, were categorized as “attempts to collect debts not owed.” Acting Director Mick Mulvaney has consistently emphasized the importance of complaint data in determining how to allocate the BCFP’s resources. The consistency with which consumers complain about “attempts to collect debts not owed,” and the importance of consumer complaints in the BCFP’s process may prompt the BCFP to include data integrity requirements in the upcoming debt collection rules, which are scheduled for release by March 2019.

The BCFP’s 2016 outline of proposed debt collection rules incorporated robust data integrity requirements for debt collectors and creditors supplying information to debt collectors, including pre-collection account reviews, ongoing monitoring for “red flags,” pre-litigation reviews, and requirements for ensuring the accuracy of transferred data. These requirements went well beyond the validation processes employed by many debt collection companies and would require debt collectors, creditors, and debt sellers to devote substantial resources towards validating information about the debt.

In June 2017, the BCFP, under Director Richard Cordray, announced that it would take a bifurcated approach to addressing the issues detailed in the outline of proposed debt collection rules. Specifically, the BCFP stated it would develop a separate rule regarding the “right consumer, right amount” aspect of the outline that would simultaneously address both third-party debt collectors and first-party creditors. In explaining the reason for the change of course, the BCFP noted it had received substantial feedback from the industry about the difficulties for debt collectors to comply with the “right consumer, right amount” without concurrent rulemaking to ensure first-party creditors and third-party debt collectors were working together to guarantee they were collecting the right amount from the right consumer.

Director Cordray’s announcement, however, came more than a year ago. Given the prevalence of consumer complaints categorized as “attempts to collect debts not owed,” the BCFP may opt to change course again and address the “right consumer, right amount” aspect of the proposed rule at the same time as the other components set forth in the 2016 outline. Debt collectors, debt sellers, and creditors will have an opportunity to impact the BCFP’s debt collection rules by commenting on the draft rules when they are released in 2019.

BCFP Enters into Consent Order with Small Dollar Lender

BCFP Enters into Consent Order with Small Dollar LenderOn October 24, 2018, the Bureau of Consumer Financial Protection (BCFP), formerly known as the CFPB, entered into a Consent Order with Cash Express, LLC. Cash Express is a small dollar lender based in Cookeville, Tennessee, that operates 328 retail lending outlets in Alabama, Kentucky, Mississippi, and Tennessee, and offers short-term loans and check cashing services to its customers. Cash Express agreed to a $200,000 penalty and to pay $32,000 in restitution to resolve allegations that it violated the Consumer Financial Protection Act by engaging in deceptive and abusive practices.

The Highlights

The BCFP alleged that Cash Express engaged in deceptive activity by stating or implying that it intended to take legal action on out-of-statute debts, debts that were beyond the relevant statute of limitations period, when in fact it had no intention to file a legal action on these debts. Specifically, the BCFP alleged that Cash Express sent over 19,000 letters to more than 11,000 consumers with time-barred debts but only sued five of these 11,000 consumers. In contrast, Cash Express sued thousands of borrowers whose debts were not time-barred.

The BCFP further alleged that Cash Express engaged in deceptive activity by repeatedly indicating to borrowers, in loan documents, collection letters, and other communications, that it might report delinquencies to consumer reporting agencies when, in fact, Cash Express, as an institution, did not provide information to consumer reporting agencies. Interestingly, the allegedly deceptive statements referenced in the Consent Order stated that Cash Express may or might report negative information to consumer reporting obligations.

Finally, the BCFP alleged that Cash Express engaged in abusive conduct by failing to inform customers that it would exercise a right of set-off by retaining portions of cashed checks to pay outstanding obligations owed to Cash Express. The BCFP acknowledged that Cash Express disclosed this practice to consumers as part of its application process but took issue with Cash Express’ practice of not disclosing its intent to retain a portion of the check at the time of the transaction. The Consent Order referenced training materials that instructed Cash Express employees to avoid disclosing its intent to exercise its right of set-off until after Cash Express completed the transaction.

Impacted Industries

Small dollar lenders should pay particular attention to this Consent Order. However, the order also impacts debt collectors and anyone who services consumer accounts.

What It Means

First, companies that service consumer debt should take note of the BCFP’s theory for imposing liability associated with attempts to collect on out-of-statute debt. Interestingly, the BCFP did not directly attack Cash Express’ practice of stating or implying that it might take legal action on out-of-statute debts and instead focused on the discrepancy between Cash Express’ stated intention to take legal action and failure to actually take that action. The FDCPA directly prohibits a debt collector from “threat[ening] to take any action that cannot legally be taken or that is not intended to be taken.”[1] The BCFP essentially used its UDAAP authority to extend this FDCPA requirement to a non-debt collection company. This is not the first time the BCFP used its authority in this way and recently discussed the issue in the September 2018 CFPB Supervisory Highlights when it observed entities in the payday lending industry engaging in a deceptive act or practice in their collection letters.

Second, consumer financial services companies should carefully analyze statements regarding furnishing of information to consumer reporting agencies and ensure those statements align with company practices. It may not be sufficient to simply use the words may or might when those statements do not align with a company’s actual practices. While Cash Express never furnished information to consumer reporting agencies, it is not clear how the BCFP would apply this theory to more borderline situations. For example, would the BCFP use this theory to pursue a company that includes generic credit reporting language on all loan documents but only furnishes information to consumer reporting agencies on certain types of loans? Would they pursue a company who at one point was reporting on all loans but stopped reporting for a period of time?

Third, this Consent Order may shed some light on the BCFP’s recently announced intent to better define the term abusive. In this case, the allegedly abusive behavior had a fairly direct financial impact on consumers and was allegedly a systemic company policy. The Consent Order further emphasizes the BCFP’s position on clear disclosures and transparency to consumers. Additionally, the penalty appears to be smaller than the penalties that the BCFP would have sought under former Director Richard Cordray.

[1] 15 USC 1692e(5)

LexBlog