California Sets the Bar for Privacy with the Passage of The California Consumer Privacy Act of 2018 – Part I

California Sets the Bar for Privacy with the Passage of The California Consumer Privacy Act of 2018 - Part IAs most people started to wind down for the July 4th holiday week, California was just ramping up its “as California goes” focus on data privacy. On June 28, 2018, California passed a comprehensive data privacy bill that has been touted as the strictest in the nation.

The good news first—businesses have until January 1, 2020, to revamp privacy compliance programs, update policies, procedures and processes, and operationalize the sweeping new changes passed by the California legislature. The not-so-good news for businesses, however, is that this new law proposes a significant number of restrictions to the way businesses collect, use, store, and share personal data. In addition, consumers now have a private right of action for certain disclosures or loss of personal data. While the new California Consumer Privacy Act of 2018  amends Sections 1798.100 through 1798.198 of the California Civil Code, there is still a lot of uncertainty as to what specific requirements may be revised in the next 18 months.

This initial overview provides a few high-level practical questions to help your company get a head start on determining how best to implement this new legislation. Bradley will continue its review and coverage of this law in an ongoing series devoted to state privacy law updates, so please check back here for more information.

Who Is Affected?

According to some accounts, the act will apply to more than 500,000 U.S. companies and has the potential to affect hundreds of thousands more companies worldwide. Additionally, even though the law does not apply to information already regulated under various federal laws, it does apply to entities traditionally covered by regulations such as the Gramm-Leach Bliley Act, the Fair Credit Reporting Act, and the Health Insurance Portability and Accountability Act.

Any company that meets certain criteria and receives personal data from California residents must comply with the new statute. Note that although the act is touted as a “consumer privacy” law, California has broadly defined consumer to include “any natural person who is a California resident.”

Under the act, any company that (1) has an annual gross revenue of $25 million, (2) obtains personal information of 50,000 or more California residents, households or devices annually, or (3) derives 50 percent or more annual revenue from selling California residents’ personal information would be a covered entity under the statute. Note that parent companies and subsidiaries using the same branding are covered, even if those companies and subsidiaries do not exceed the applicable thresholds.

Why Is This Different?

In passing the act, legislators declared that it was their intent to provide Californians with specific rights to privacy, including: (1) the right to know what personal information is being collected about them; (2) the right to know whether their personal information is being sold or disclosed and to whom; (3) the right to say no to the sale of personal information; and (4) the right to access and delete their personal information.

Additionally, as currently drafted, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The broad nature of this definition encompasses data that relates not just to a single individual, but an entire household—effectively encompassing information regarding web browsing histories, IP addresses, energy consumption, or other general information—even if no individual name is associated with it.

What Can I Do Now?

First and foremost, understand what data you collect. The concept of data mapping has been recommended by privacy professionals for some time, however, this new act makes it even more pertinent that companies map and inventory data. What information does your company collect on California residents? What are those sources of data? Is the information shared with third parties and in what context? These and many other questions will need to be answered before an entity can evaluate whether the new act will apply and in what ways the company may need to alter its practices or update its policies and procedures.

In addition, companies should start to consider whether or not current systems and processes will allow compliance with the new rights afforded to consumers, such as the ability to verify the identity of persons who make requests for data deletion, access or transfer. Also, how will companies store and maintain records on consumers who have opted out of data sharing or made a request for information?

Although the implementation of the new act is still another 18 months away, companies should begin the process of assessing the act’s impact on business processes, operations and data handling practices. Additionally, anyone affected by the act should pay close attention to potential revisions and changes to the law as we move toward January 1, 2020.

Bureau of Consumer Financial Protection Once Again Deemed Unconstitutional

Bureau of Consumer Financial Protection Once Again Deemed UnconstitutionalThe Bureau of Consumer Financial Protection has once again been deemed unconstitutional, this time in an opinion issued on June 21, 2018, by Loretta A. Preska, Senior U.S. District Judge for the Southern District of New York, in Consumer Financial Protection Bureau et al. v. RD Legal Funding LLC et al. Although there are a number of interesting components to this case, the aspect of the decision that is most likely to garner headlines is the constitutionality holding. Specifically, Judge Preska determined that the Bureau’s structure as set forth in Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act violates the Constitution’s separation of powers because it attempts to create “an independent agency that exercises substantial executive power and is headed by a single Director.”

Judge Preska notes at the outset of the constitutionality discussion that, while she certainly is aware of the contrary holding from the Court of Appeals for the D.C. Circuit on January 31, 2018, in PHH v. CFPB, the Southern District of New York is not bound by decisions of the D.C. Circuit Court of Appeals. Instead of adopting the majority’s decision from the PHH case, Judge Preska instead chose to adopt Sections I-IV of the dissent that was written by Judge Brett Kavanaugh and Section II of the dissent written by Judge Karen LeCraft Henderson.

Collectively, this means that Judge Preska held that, “based on considerations of history, liberty, and presidential authority,” the Bureau’s single director structure, whereby the director can only be removed by the president for cause, is unconstitutional. According to Judge Preska, rather than simply strike the for-cause removal provision from Title X of Dodd-Frank, the appropriate remedy for this situation is to strike the entirety of Title X.

Interestingly, the opinion also sheds light on the Bureau’s attempt to rebut the constitutional question. The Bureau filed its action in this case on February 7, 2017, while Richard Cordray was still serving as the director of the Bureau. After Mick Mulvaney was appointed by the president to serve as acting director, the Bureau filed a Notice of Ratification with the court, attempting to ratify its decision to file the enforcement action. The Bureau then apparently argued that, because Acting Director Mulvaney is removable by the president at will, the defendants’ constitutional argument was mute. Judge Preska disagreed with this argument, and noted that “the constitutional issues presented by the structure of the [Bureau] are not cured by the appointment of Mr. Mulvaney. As Defendants point out, the relevant provisions of the Dodd-Frank Act that render the [Bureau’s] structure unconstitutional remain intact.”

As a result of the unconstitutionality holding, Judge Preska dismissed the Bureau’s claims because it “lacks authority to bring [the] enforcement action,” and terminated the Bureau as a party to the action. The attorney general for the state of New York, who joined the Bureau in its suit against RD Legal Funding and the other defendants, can proceed with the case. We will continue to track this case and any other developments that occur.

The Supreme Court Levels the SEC Playing Field

The Supreme Court Levels the SEC Playing FieldIn a highly anticipated decision, the United States Supreme Court ruled the practice employed for years by the Securities and Exchange Commission of choosing administrative law judges to hear SEC enforcement actions, violates the Appointments Clause of the Constitution. The Supreme Court, in Lucia v. Securities and Exchange Commission, held that administrative law judges (ALJs) are “officers of the United States” subject to the Appointments Clause.

The SEC has long been criticized for the process of choosing ALJs to hear enforcement matters. Going forward, ALJs will need to be appointed by the president or the head of the SEC. Holding for the requirement of an appointment, the court did not agree that ALJs are regular federal employees hired through the civil service process.

The case was brought by former investment advisor Raymond J. Lucia who appealed sanctions handed down by an ALJ that included a bar from the industry, as well as a $300,000 fine. Lucia argued that his constitutional rights were violated because the ALJ was not constitutionally authorized to have such broad power. Lucia asserted that ALJs should be subject to the Appointments Clause because they carry out judicial proceedings, including evidentiary rulings and rendering decisions. Lucia (as well as others), noted that the SEC rarely overturns or gives more than a passing review to ALJ decisions.

This decision should help level the playing field, at least within the SEC, for internally handled enforcement matters.

CFPB Issues Second Consent Order under Acting Director Mulvaney

CFPB Issues Second Consent Order under Acting Director MulvaneySecurity Group, Inc. and several of its wholly owned subsidiaries entered into a consent order with the Consumer Financial Protection Bureau (CFPB) in which it agreed to injunctive relief and to pay a $5 million penalty. Security Group is a financial services company that originates, purchases, services, and collects on short-term secured and unsecured loans. Security Group operates approximately 900 locations in 21 states.

The Highlights

The CFPB alleged that Security Group engaged in unfair activity in the following ways:

  1. In-person collection visits that included:Discussing debts with consumers in places where third parties could see or overhear the interaction;
    • Handing field cards to third parties, including family members and neighbors;
    • Identifying themselves as Security Finance when speaking with neighbors;
    • Informing third parties of consumers’ delinquency;
    • Visiting consumers’ places of employment when Security Group knew or had reason to know that consumers were not allowed to have personal visitors there; and
    • Visiting consumers’ homes or places of employment with excessive frequency.
  1. Collection calls to consumers’ places of employment that included:
    • Calling consumers on shared phone lines and disclosing or risking disclosing the existence of consumers’ delinquent debts;
    • Calling consumers after being told that consumers were not allowed to receive calls at work; and
    • Failing to properly track and review cease and desist requests, which resulted in calls to parties who had previously requested that calls cease.
  1. Collection calls to third parties that included:
    • Calling third parties, including credit references, supervisors, landlords, family members, and suspected family members in a manner that disclosed or risked disclosing the existence of a delinquent debt; and
    • Failing to properly track and review cease and desist requests, which resulted in calls to parties who had previously requested that calls cease.

The CFPB also alleged that Security Group violated the Fair Credit Reporting Act by:

    • Failing to maintain written policies and procedures related to credit reporting, including policies and procedures regarding the accuracy and integrity of consumer information;
    • Failing to provide accurate information to credit reporting agencies; and
    • Failing to promptly update reported accounts to reflect account activity such as payments and settlements.

Impacted Industries

The Security Group consent order has implications for any financial services company that (1) furnishes credit reports to the credit reporting agencies or (2) collects delinquent debts from borrowers. Likely the most important aspect of this consent order to financial services companies is the fact that the CFPB used UDAAP rather than the FDCPA to pursue its debt collection claims. So, the CFPB could pursue similar claims against first-party creditors as well as third-party debt collectors.

What It Means

First, the CFPB continues to live up to Acting Director Mulvaney’s promise to narrow its focus. Since Acting Director Mulvaney took over in November of 2017, the CFPB has issued only two consent orders, dismissed two high profile cases, taken steps to delay the effective date of payday lending rules, and generally slowed rulemaking while seeking community input in a series of requests for information. A second consent order, on its own, does not indicate a return to the volume of enforcement actions under former Director Richard Cordray.

Second, the CFPB appears to be focused on the debt collection industry.  Acting Director Mulvaney has, on several occasions, noted the significant number of consumer complaints related to debt collection and the importance of those consumer complaints in shaping the CFPB’s agenda.  While one debt collection consent order certainly does not indicate a trend, the limited evidence suggests the CFPB is paying additional attention to the debt collection industry.

Third, the CFPB’s allegations provide interesting insights into the CFPB’s views on debt collection and credit reporting practices.

  • The CFPB continues to disfavor in-person collection practices, and the Security Group consent order suggests that in-person collection efforts inherently run the risk of unfairly alerting third parties to the existence of a debt.
  • The Security Group consent order seems to suggest that calling a consumer on a shared line at the consumer’s place of employment, regardless of the precautions the debt collector may take to avoid disclosing its identity, may constitute an unfair practice because of the potential that this type of call could alert third parties to the existence of a debt.
  • The CFPB based part of its FCRA claims on a failure to report positive credit activity during a period in which Security Group implemented a credit reporting freeze while it evaluated and updated its credit reporting policies.

A Bid to Delay Implementation of the Payday Rule Ends in a Judicial Cul-de-sac

A Bid to Delay Implementation of the Payday Rule Ends in a Judicial Cul-de-sacLate last month, the CFPB took the extraordinary step of joining two trade groups in requesting a stay of a case challenging the bureau’s final payday/auto title/high-rate installment loan rule (“Payday Rule”) pending the CFPB’s reconsideration of the rule promulgated under the prior administration. Significantly, the joint motion also seeks a stay of the Payday Rule’s compliance date. The CFPB’s decision to join the plaintiff in requesting the stay of the rule is a firm indication of the bureau’s altered priorities under Director Mick Mulvaney. Indeed, the joint motion goes so far as to state that the CFPB’s rulemaking “may result in repeal or revision of the Payday Rule and thereby moot or otherwise resolve this litigation or require amendments to Plaintiffs’ complaint.” On this basis, the CFPB and the trade groups asked the federal court in Texas to stay the compliance date until 445 days from the date of final judgment in the litigation.

In response, several consumer advocacy groups filed amicus memorandum opposing the joint request for a stay. These groups argue that the CFPB’s decision to join the plaintiffs in seeking to stay the case and the Payday Rule compliance date deprive the court of the “benefit of adversarial briefing.” The consumer groups also argue that the CFPB lacks authority under 5 U.S.C. § 705 to delay implementation of the Payday Rule because Section 705 can only “stay agency action for the purpose of maintaining the status quo during judicial review.” The consumer groups argue that the CFPB is not seeking to maintain the status quo to protect against litigation uncertainties but rather to address uncertainties created by its reconsideration of its own rule. The consumer groups argue that, in fact, “the parties are not litigating and have no intention to do so,” and that application of Section 705 is therefore improper. The plaintiffs in the case filed a reply to the oppositions on June 11.

On June 12, 2018, the court entered an order staying the litigation and relieving the CFPB of the obligation to file an answer. Importantly, however, the order denied the request to stay the Payday Rule compliance date. This leaves the industry in essentially the same position that it was before the suit was filed. It is still possible that Director Mulvaney could propose a change to the rule extending the compliance date. Until then, impacted entities must continue to prepare for the August 2019 compliance date.

Financial Reform Legislation (S. 2155) Becomes Law with Industry Support

Financial Reform Legislation (S. 2155) Becomes Law with Industry SupportDescribed as “the first bipartisan banking law to be enacted in a decade” by the American Bankers Association, the Economic Growth, Regulatory Relief, and Consumer Protection Act was signed into law on May 24, 2018 following a vote of 258 to 159 in the House of Representatives. The act addresses a number of subjects ranging from mortgage lending and consumer protection to regulatory reform for community and large banks.

Sen. Mike Crapo (R-ID), chairman of the Senate Banking Committee, described the act as “a bipartisan compromise” with commonsense changes, while Acting Director of the Consumer Financial Protection Bureau Mick Mulvaney applauded the bill as “the most significant financial reform legislation in recent history.” Sen. Sherrod Brown (D-OH), ranking member of the Senate Banking Committee, however, has criticized the bill as a win for special interests and “a giveaway that loosens rules” for large banks. The act’s significance has already been recognized among industry groups including the Mortgage Bankers Association.

Three sections of the act are briefly highlighted: (1) Section 106’s response to employment barriers for loan originators; (2) Section 304’s restoration of the Protecting Tenants at Foreclosure Act of 2009; and (3) Section 401’s revisions to the asset thresholds set forth in Section 165 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank).

Section 106: Job Mobility and Barriers for Mortgage Loan Originators

Section 106 of the act amends the S.A.F.E. Mortgage Licensing Act of 2008 by addressing barriers for mortgage loan originators.    The act provides certain qualifying loan originators that are moving interstate or from a depository institution to a non-depository institution with “temporary authority” to originate loans in the state in which the originator seeks to be licensed.  The temporary authority serves as a “grace period” to allow originators who are shifting positions and who satisfy specific performance and eligibility criteria to become licensed.  David W. Perkins, et al., Congressional Research Service, Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) and Selected Policy Issues at 9 (Apr. 12, 2018).  In doing so, Section 106 addresses a concern raised by the real estate finance industry since S.A.F.E.’s enactment – job mobility for loan officers. Section 106’s amendments take effect 18 months after the act’s enactment.

Section 304: Restoration of the PTFA

Section 304 restores the Protecting Tenants at Foreclosure Act of 2009 (PTFA) by repealing its sunset provision. The PTFA had imposed “requirements on successors in interest to foreclosed properties in order to protect tenants,” Mik v. Fed. Home Loan Mortg. Corp., before expiring on December 31, 2014. The PTFA’s expiration left behind a patchwork of state and local laws protecting tenants in foreclosed property. However, effective 30 days after its enactment, the act restores Sections 701 through 703 of the PTFA and “any regulations promulgated pursuant to such sections, as were in effect on December 30, 2014.”

Section 401(a): Enhanced Supervision and Prudential Standards Thresholds

Section 401(a) of the act amends the asset thresholds established in Section 165 of Dodd-Frank, codified at 12 U.S.C. § 5365.

First, Section 401(a) raises Section 5365(a)’s asset threshold for enhanced prudential standards. Section 5365(a) originally provided that the Board of Governors of the Federal Reserve System “shall establish prudential standards for nonbank financial companies supervised by the Board of Governors and bank holding companies with total consolidated assets equal to or greater than $50,000,000,000.”  Prudential standards encompass, inter alia, risk-based capital, risk management, and liquidity requirements.  These standards were designed to be stringent and to reflect the risks posed by the failure of a large financial institution.  Section 401 of the act replaces Section 5365(a)’s $50 billion threshold with a $250 billion threshold. However, according to Section 401(f) of the act, “[a]ny bank holding company, regardless of asset size, that has been identified as a global systemically important BHC” under 12 C.F.R. § 217.402 is “considered a bank holding company with total consolidated assets equal to or greater than” $250 billion for purposes of Section 5365.

Second, for bank holding companies with total consolidated assets between $100 billion and $250 billion, Section 401(a) enables the Board of Governors to apply, upon a determination of appropriateness and consideration of certain risk-related factors, any prudential standard established under Section 5365.  Third, for publicly traded bank holding companies, Section 401(a) substitutes the asset threshold that triggers the risk committee requirement in Section 5365(h)(2) from $10 billion to $50 billion. In effect, Section 401(a) “exempt[s] banks with assets between $50 billion and $100 billion from enhanced regulation, except for the risk committee requirements.”  David W. Perkins, et al., Congressional Research Service, Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) and Selected Policy Issues at 31 (Apr. 12, 2018). As an additional resource, the Congressional Research Service has compiled a table of bank holding companies and intermediate holding companies with over $50 billion in assets, as of September 30, 2017, in CRS Report R45073.

Section 401’s amendments take effect 18 months after the act’s enactment. However, for a bank holding company with total consolidated assets of less than $100 billion, Section 401’s amendments were effective on the date of its enactment, May 24, 2018. The import of Section 401(a) goes well beyond the subjects addressed in this blog and includes, inter alia, a requirement that the Board of Governors “differentiate among companies on an individual basis or by category” when prescribing prudential standards and amendments related to Section 5365(i)’s stress test subsection, as well as Section 5365(j)’s leverage limitation subsection.

Altogether, the Economic Growth, Regulatory Relief, and Consumer Protection Act, as well as the remainder of Section 401’s provisions, will warrant further analysis and attention both within the industry and among its observers.

Providing Banking Services to the Legal Marijuana Industry: Mitigating Risks to Maximize Potential Rewards

Providing Banking Services to the Legal Marijuana Industry: Mitigating Risks to Maximize Potential RewardsSince 1996, when California became the first state to legalize marijuana (at the time, for medicinal purposes only), 28 additional states and the District of Columbia have legalized marijuana to some extent. Public support for legalization continues to rise as more and more jurisdictions loosen their marijuana laws, with 64 percent of Americans in favor of legalization, nearly double the percentage that supported legalization in 2000.

While the use and possession of marijuana is still illegal under federal law, the long-term outlook for the legal-marijuana industry appears strong. This emerging industry took in approximately $9 billion in sales in 2017, with that number expected to grow to $11 billion in 2018 and $21 billion in 2021.

Despite these eye-popping numbers, the legal-marijuana industry is severely underserved by many of the industries it requires for support, perhaps none more so than the banking and financial services industry. Broadly speaking, the reason for this is obvious – the federal prohibition on marijuana found in the Controlled Substances Act. In light of that prohibition and the regulatory challenges that come with it, many financial institutions have decided that doing business with this industry is simply too risky.

But not all financial institutions share that view, and the number of institutions willing to reap the reward of engaging an underserved $11 billion industry continues to grow. Now, almost 400 banks and credit unions provide banking services to the legal-marijuana industry, more than three times the amount that served the industry in 2014.

Like most decisions in the financial world, whether to do business with the legal-marijuana industry is a question of risk tolerance. While the risks in this arena are certainly higher than most, so too are the potential rewards given the relative scarcity of competition compared to other industries.

To assist in evaluating those risks, this article provides a brief overview of two key laws governing a financial institution’s relationship with marijuana-related businesses: (1) the Bank Secrecy Act (BSA), and (2) the Federal Deposit Insurance Act’s prohibition of “unsafe or unsound practices” for banks insured by the Federal Deposit Insurance Corporation (FDIC). Future articles will provide a more in-depth look into each.

The Bank Secrecy Act

The BSA – along with its implementing regulations promulgated by the Office of the Comptroller of the Currency (OCC) – establish various recordkeeping and reporting requirements for national banks, federal savings associations, and agencies of foreign banks. The OCC, as well as the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC), all play a role in enforcing the BSA.

On February 14, 2014, FinCEN issued guidance that, by its terms, “clarifies how financial institutions can provide services to marijuana-related businesses consistent with their BSA obligations” (the FinCEN Guidance). The FinCEN Guidance is expressly based on the Cole Memorandum – Obama-era guidance from the Justice Department that directed federal prosecutors to take a hands-off approach to legal-marijuana businesses in states where marijuana had been legalized to some degree. Although Attorney General Sessions rescinded the Cole Memorandum on January 4, 2018, FinCEN has since indicated that the FinCEN Guidance remains in effect.

While some nonetheless viewed Sessions’ rescission of the Cole Memo as weakening the FinCEN Guidance, the pendulum may have swung back on April 13, when Colorado Senator Cory Gardner – who began blocking the confirmation of Justice Department nominees after Sessions rescinded the Cole Memo – announced that he received a commitment from President Trump “that the Department of Justice’s rescission of the Cole Memo will not impact Colorado’s legal marijuana industry.” The White House confirmed that Senator Gardner’s statement was “accurate,” but did not offer details as to how the Administration would implement President Trump’s directive. Given Trump’s directive and FinCEN’s indication that its Guidance remains in effect, financial institutions transacting with marijuana-related businesses should still look to the FinCEN Guidance to clarify their BSA obligations in this space.

The FinCEN Guidance requires that a financial institution engaging a marijuana-related business conduct substantial, and, importantly, continuing due diligence to determine whether that business is (1) complying with state law, (2) interfering with any of the eight priorities listed in the Cole Memorandum, or (3) otherwise engaging in “suspicious activity,” including a list of “red flags” enumerated in the Guidance. The institution must then file one of three marijuana-specific Suspicious Activity Reports (SAR), and continue filing SARs throughout its relationship with the marijuana-related business. Which of the three depends on what the institution uncovers in its due diligence:

  • The institution should file a “Marijuana Limited” SAR if “it reasonably believes, based on its customer due diligence,” that the business “does not implicate one of the Cole Memo priorities or violate state law[.]”
  • The institution should file a “Marijuana Priority” SAR if “it reasonably believes, based on its customer due diligence,” that the business “implicates one of the Cole Memo priorities or violates state law[.]”
  • The institution should file a “Marijuana Termination” SAR if “it reasonably believes, based on its customer due diligence,” that it must terminate its relationship with the business “to maintain an effective anti-money laundering compliance program[.]”

While the FinCEN Guidance mandates an onerous compliance program for financial institutions doing business with the legal-marijuana industry, the costs of such programs can be passed through to the legal-marijuana client. Given the dearth of supply and substantial demand for financial institutions willing to do business with them, such clients understand the need for and are willing to pay such fees.

“Unsafe and Unsound Practices”

The FDIC provides deposit insurance to its member banks, and all federally- and nationally-chartered banks, and nearly all state-chartered banks, are required to have FDIC Insurance. FDIC-insured banks that engage in “unsafe or unsound practices” are subject to FDIC enforcement actions. While the FDIC has broadly declared that “committing violations of law” is an unsafe and unsound practice, courts have interpreted the phrase “unsafe or unsound practice” as a “flexible concept which gives the administering agency the ability to adapt to changing business problems and practices in the regulation of the banking industry.”

Given the federal prohibition on marijuana, providing banking services to legal-marijuana businesses can put an institution’s FDIC Insurance at risk. But a financial institution serving the legal-marijuana industry may be able to decrease the risk that the FDIC would deem such service an “unsafe and unsound practice” through certain actions, like limiting marijuana-related deposits to a small percentage of its total deposits to decrease liquidity risk and ensuring its employees are well-trained on its policies and procedures for serving the industry.

Notably, unlike their bank counterparts, credit unions are not supervised by the FDIC, and the FDIC does not insure their deposits. Those deposits are instead insured by the National Credit Union Administration (NCUA), which also supervises federally-chartered credit unions. The NCUA has indicated that it will follow the FinCEN Guidance when examining the federally-chartered credit unions it supervises, and state-chartered credit unions are not supervised by federal banking regulators. For these reasons, many view the regulatory environment for providing banking services to the legal-marijuana industry as more favorable for credit unions than their bank counterparts.


Until marijuana is legalized at the federal level or Congress passes legislation protecting financial institutions that serve the legal-marijuana industry, providing banking services to that industry will be a risky endeavor. But financial institutions can minimize that risk to an extent by building out a robust compliance program. While that program may be costly, financial institutions can recoup those costs through the fees they charge to the legal-marijuana client, which can provide a potentially lucrative opportunity for financial institutions willing to engage with the industry.

Meltdown of the Iran Nuclear Deal—Sanctions Update

Meltdown of the Iran Nuclear Deal—Sanctions UpdateOn May 8, 2018, President Donald Trump announced that the United States would no longer participate in the Joint Comprehensive Plan of Action (JCPOA), the international agreement regarding Iran’s nuclear activities and sanctions imposed on Iran that was entered into in July 2015. The Treasury Department’s Office of Foreign Asset Control quickly issued a frequently asked questions bulletin explaining how the U.S. will re-impose sanctions that had been lifted pursuant to the JCPOA. The U.S. withdrawal from the deal will occur over either a 90-day (ending August 6, 2018) or 180-day (ending November 4, 2018) wind-down period, depending on the type of activity at issue. Here are some key takeaways:

  1. Until the expiration of the applicable wind-down period, all prior guidance, waivers, and licenses effectively remain in place (though under temporary wind-down waivers).
  2. Non-U.S. persons owed payment for goods or services supplied to non-Iranian persons that were legal under the JCPOA can still receive payment even after expiration of the wind-down period provided such payments do not involve U.S. persons or the U.S. financial system.
  3. All persons removed from the SDN (Specially Designated Nationals) List under the deal will be re-designated as such by November 5, 2018. These persons and entities will be subject to secondary sanctions after that date. Secondary sanctions are those targeting non-U.S. citizens and companies abroad that interface with the U.S. financial sector. This category of sanctions has been used particularly aggressively as it relates to Iran.
  4. Any specific or general licenses extended under the JCPOA will be revoked, including the licenses related to commercial aircraft sales and the importation of Iranian carpets and foodstuffs. Any applications still pending will be denied.

Because of the complexity of U.S. sanctions, individuals should confer with an attorney about the application of the new authority to their specific circumstances.

Florida Third District Court of Appeal’s Ruling in Favor of Reverse Mortgage Lender Signals New Positive Outlook for Non-Borrowing Spouse Issue

Florida Third District Court of Appeal’s Ruling in Favor of Reverse Mortgage Lender Signals New Positive Outlook for Non-Borrowing Spouse IssueReverse mortgage lenders received a significant victory in Florida’s Third District Court of Appeal last week when the court issued its decision in OneWest Bank, FSB v. Palmero. After previously ruling in Smith v. Reverse Mortgage Solutions, Inc. and Edwards v. Reverse Mortgage Solutions, Inc. that the surviving spouses of borrowers who had taken out reverse mortgage loans also qualified as “borrowers” under the terms of the mortgage and thus had the right to remain in the property after the death of a spouse, the court changed course in Palmero, outlining the conditions under which a lender could prove that “borrower” meant only the person who actually “borrowed” the money.

In Palmero, the lender brought a foreclosure action against Luisa Palmero, claiming that her deceased husband Roberto had taken out a reverse mortgage and that his death triggered the lender’s right to accelerate the mortgage debt and commence foreclosure proceedings. The mortgage granting the security interest to the lender defined the borrower as “Roberto Palmero, a married man reserving a life estate unto himself with the ramainderman [sic] to Luisa Palmero, Idania Palmero, a single woman and Rene Palmero, a single man.” Mr. and Mrs. Palmero executed the mortgage on separate signature lines underneath the statement “BY SIGNING BELOW, Borrower accepts and agrees to the terms contained in this Security Instrument and in any rider(s) executed by Borrower and recorded with it.” However, only Mr. Palmero signed the promissory note evidencing the payment obligation associated with the reverse mortgage.

Further, only Mr. Palmero was named as the borrower in the loan application and loan agreement. Mrs. Palmero executed a “non-borrower spouse ownership interest certification” in which she certified that “should [her] spouse predecease [her] . . . and unless another means of repayment [was] obtained, the home where [she] reside[s] may need to be sold to repay Reverse Mortgage debt incurred by [her] spouse” and that “[i]f the home where [she] reside[s] [was] required to be resold,” Mrs. Palmero agreed that she understood “that [she] may be required to move from [her] residence.” After trial, the circuit court granted judgment in favor of Mrs. Palmero, concluding that (1) she was not a “borrower” under the terms of the mortgage and thus Mr. Palmero’s death triggered acceleration of the loan, but (2) that federal law prevented the lender from foreclosing on the property while Mrs. Palmero, the non-borrowing spouse, remained alive.

On appeal, a majority of the panel of the Third District Court of Appeal affirmed the circuit court’s holding that Mrs. Palmero was not a “borrower,” but reversed the judgment in favor of Mrs. Palmero by rejecting the argument that federal law precluded foreclosure. In holding that the circuit court properly determined that Mrs. Palmero was not a “borrower,” the court held that it was required to read all of the documents executed at the origination of the reverse mortgage together. The court determined that reading the definition of “borrower” in the mortgage, along with the loan application executed by Mr. Palmero, the note executed by Mr. Palmero, and the non-borrower spouse certification executed by Mrs. Palmero, made it clear that Mrs. Palmero was not a “borrower” under the reverse mortgage. The court recognized its prior holdings in Smith and Edwards in which it held that a foreclosing entity failed to demonstrate that it was entitled to foreclose against the surviving spouse on a reverse mortgage, but distinguished those cases based on the evidence of the contemporaneously signed documents that made it clear that Mrs. Palmero was not a “borrower.”

The court further held that federal law did not preclude the lender’s foreclosure. The court first held that Mrs. Palmero had failed to raise at trial the defense that federal law precluded the foreclosure, and thus the defense had been waived. The court also rejected the argument on the merits, finding that federal law did not require Mrs. Palmero to be a “borrower” in order for the reverse mortgage to be insurable by the federal government.

Going forward, Palmero stands as a significant cut against the broad interpretation of Smith and Edwards that many Florida trial courts had adopted in order to hold that a surviving spouse had the legal right to remain in property secured by a reverse mortgage after the borrower’s death. Palmero demonstrates that a lender may demonstrate that the surviving spouse is not a “borrower” under the mortgage by introducing the other documents executed at the time the loan is originated—most significantly, the non-borrower spouse ownership interest certification, in which the non-borrowing spouse expressly recognized the fact that the borrower’s death would allow the lender to accelerate the loan and proceed to foreclosure.

FFIEC Highlights Cyber Insurance for Financial Institutions

FFIEC Highlights Cyber Insurance for Financial InstitutionsThe Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement emphasizing the need for lenders and servicers to include cyber insurance in their risk management program. Although the FFIEC did not announce new regulatory requirements or expectations, the announcement is further evidence of what most in the industry have already recognized: Cyber coverage is quickly becoming indispensable.

Among the points highlighted by the FFIEC:

  • Financial institutions face a variety of risks from cyber incidents, including risks resulting from fraud, data loss, and disruption of service.
  • Traditional insurance coverage may not cover cyber risk exposures.
  • Cyber insurance can be an effective tool for mitigating risk.
  • Insurance does not remove the need for an effective system of controls as the primary defense to cyber threats.
  • The cyber insurance marketplace is growing and evolving, requiring due diligence to determine what insurance products will meet an organization’s needs.

Although not specifically mentioned in the FFIEC statement, financial institutions should be aware that cyber coverage can be an important source of mitigating regulatory risk associated with data breaches – if the organization purchases a policy that provides regulatory coverage. Today, there are a number of insurers offering products that reimburse costs for investigating and responding to a regulatory investigation or enforcement proceeding, as well as provide coverage for administrative penalties. Given amplified scrutiny from regulators in the area of data security, the importance of such coverage continues to increase. With a rapidly changing market, institutions should carefully review policies to be sure that the scope and limitations of coverage match their exposure.