August 8, 2015

The Law of Prize Drawings: It's All Fun and Games, Until...

photo by Elliotphotos / foter

Everyone loves a game. Games activate the creative, imaginative portions of our minds in ways that captivate our attention. Games can help organizations engage with people, which is why marketing professionals love games. Businesses, governments and nonprofits have found tremendous success in garnering attention through various sorts of contests and games. Ancient rulers used games to win the allegiance of their subjects.  In more recent times...well, who among us hasn't played McDonald's Monopoly?

The uncertainty of outcomes is part of what makes games fun. Unfortunately, nefarious characters have also used games in unethical ways, causing state and federal governments to enact laws governing the use of certain games. Anyone who wishes to sponsor a game should give thought to whether these laws apply, in order to avoid running afoul of regulatory authorities and being sued in a class action. The following is a basic overview of the federal and North Carolina laws governing games and contests.

Lotteries


State laws restrict lotteries for two primary reasons. First is the potential for harm to the public (especially "problem gamblers"). Second, a state may create a government monopoly on lotteries, which allows it to raise money without competition. The penalties for violating these laws can be significant.
 
A lottery is generally defined by three elements: a chance for a prize for a price. Not all lotteries are easy to identify. A cash entry fee is certainly a telltale sign of a lottery, however, purchase requirements and noncash entry "prices" can also cause a game to be deemed a lottery. If a purchase is required to enter into a drawing or other game of chance, the event may well be a lottery. Courts in some other states have held that merely requiring participants to travel to the sponsor's premises to register is a sufficient "price" to cause the promotion to be deemed a lottery, even if the participants are not required to buy anything. North Carolina courts have never gone that far, but it should be remembered that nonfinancial, performance-based conditions to entry might cause a promotion to be considered a lottery.
 
Raffles
 
A "raffle" is nothing more than a specific type of lottery. It is a game in which the prize is won by random drawing of the name or number of one or more persons purchasing chances. For-profit entities are prohibited by North Carolina law from hosting a raffle. A tax-exempt nonprofit organization, candidate, political committee, or government entity is permitted to host up to two (2) raffles per year. If a nonprofit hosts the raffle, a certain percentage of the net proceeds must be used for charitable, religious, educational, civic, or other nonprofit purposes. There are also some specific items that the net proceeds of the raffle cannot be used to pay.
 
Sweepstakes/Prize Drawings
 
Under federal law, a chance to win a prize for which no money or other item of value is paid is called a "sweepstakes." (Often we see or hear these advertised on television or radio, and the announcer rattles off "no purchase necessary to enter.") There are federal requirements regarding the disclosure of terms and conditions, and other specific items. North Carolina law covers the same subject, although the term "sweepstakes" is not used. The requirements of North Carolina and federal law are similar, but there are a few differences. 
 
The sponsor of a prize drawing should disclose to each participant the following information: 
  • the name of the organization conducting the contest and its principal business address
  • all conditions that a participant must meet
  • an accurate description of each prize to be awarded
  • the retail value of each prize
  • the number of each prize to be awarded
  • the odds of receiving each prize
The law also contains requirements for the precise placement of certain disclosures on any advertisements.
 
A disclaimer should be included in all materials related to a sweepstakes or drawing that explains in clear terms that no purchase is necessary to enter or win, and that a purchase will not increase the chances of winning.
 
In addition to these statutory requirements, there are additional considerations that a drawing or contest sponsor will want to address in order to limit its liability under contract law and tort law. 
 
Tax Reporting Requirements
 
The Internal Revenue Code and U.S. Treasury regulations require an organization awarding a prize to file informational returns with the IRS when the prize is valued at a certain amount (currently $600), and to withhold a certain percentage of the winnings (currently 25%) if the value exceeds another amount (currently $5,000). Failing to file or withhold can result in the organization being held liable for the tax.
 
Alcoholic Beverage Law
 
North Carolina law addresses the sale or consumption of alcoholic beverages in connection with a game of chance. Sale or consumption of alcohol cannot occur in the same room while a raffle or bingo game is "being conducted." The statute does permit a drawing to occur in an adjacent room where alcohol is not sold nor consumed. Specifically, no alcohol may be sold, served or consumed in a room when any of the following activities are ongoing: when a "prize is won," a "random drawing by name or number" occurs, a person "purchases chances," winners are announces, or prizes are awarded.
 
Time to Play!
  
By complying with the applicable state and federal laws, an organization can reap the benefits of a game without the risks. An expert who knows these rules and how to implement them can help an organization quickly and efficiently plan an event that will be fun and effective for everyone.


photo by torbakhopper / foter




Raleigh Attorney Matt Cordell has been named among the best lawyers in North Carolina by numerous organizations and peer surveys. 





 






July 3, 2015

What Does It Mean To Be "Certified" In Privacy And Information Security?

I recently became certified by the IAPP in information privacy and received the CIPP/US designation. "What does that mean?" you ask? Good question!

What is the CIPP/US designation?

The International Association of Privacy Professionals (IAPP) is a nonprofit association of privacy professionals--the largest in the world. The IAPP issues the Certified Information Privacy Professional (CIPP) designations, which are the most recognized information privacy certifications globally. The CIPP/US credential demonstrates an understanding of privacy and security concepts, best practices, and international norms, with a specific emphasis on U.S. privacy and information security laws. Applicants are tested to ensure they have the requisite knowledge in the following areas:

I. The U.S. Privacy Environment
A. Structure of U.S. Law
i. Constitutions
ii. Legislation
iii. Regulations and rules
iv. Case law
v. Common law
vi. Contract law
c. Legal definitions
d. Regulatory authorities
i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking regulators
vi. State attorneys general
vii. Self-regulatory programs and trust marks
e. Understanding laws
i. Scope and application
ii. Analyzing a law
iii. Determining jurisdiction
iv. Preemption
B. Enforcement of U.S. Privacy and Security Laws
a. Criminal versus civil liability
b. General theories of legal liability
i. Contract
ii. Tort
iii. Civil enforcement
c. Negligence
d. Unfair and deceptive trade practices (UDTP)
e. Federal enforcement actions
f. State enforcement (Attorneys General (AGs), etc.)
g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
h. Self-regulatory enforcement (PCI, Trust Marks)
C. Information Management from a U.S. Perspective
a. Data classification
b. Privacy program development
c. Incident response programs
d. Training
e. Accountability
f. Data retention and disposal (FACTA)
g. Vendor management
i. Vendor incidents
h. International data transfers
i. U.S. Safe Harbor
ii. Binding Corporate Rules (BCRs)
i. Other key considerations for U.S.-based global multinational companies
j. Resolving multinational compliance conflicts
i. EU data protection versus e-discovery
II. Limits on Private-sector Collection and Use of Data
A. Cross-sector FTC Privacy Protection
a. The Federal Trade Commission Act
b. FTC Privacy Enforcement Actions
c. FTC Security Enforcement Actions
d. The Children’s Online Privacy Protection Act of 1998 (COPPA)
B. Medical
a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
i. HIPAA privacy rule
ii. HIPAA security rule
b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
C. Financial
a. The Fair Credit Reporting Act of 1970 (FCRA)
b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
c. The Financial Services Modernization Act of 1999 ("Gramm-Leach-Bliley" or GLBA)
i. GLBA privacy rule
ii. GLBA safeguards rule
d. Red Flags Rule
e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
f. Consumer Financial Protection Bureau
D. Education
a. Family Educational Rights and Privacy Act of 1974 (FERPA)
E. Telecommunications and Marketing
a. Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
i. The Do-Not-Call registry (DNC)
b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
c. The Junk Fax Prevention Act of 2005 (JFPA)
d. The Wireless Domain Registry
e. Telecommunications Act of 1996 and Customer Proprietary Network Information
f. Video Privacy Protection Act of 1988 (VPPA)
g. Cable Communications Privacy Act of 1984
III. Government and Court Access to Private-sector Information
A. Law Enforcement and Privacy
a. Access to financial data
i. Right to Financial Privacy Act of 1978
ii. The Bank Secrecy Act
b. Access to communications
i. Wiretaps
ii. Electronic Communications Privacy Act (ECPA)
1. E-mails
2. Stored records
3. Pen registers
c. The Communications Assistance to Law Enforcement Act (CALEA)
B. National Security and Privacy
a. Foreign Intelligence Surveillance Act of 1978 (FISA)
i. Wiretaps
ii. E-mails and stored records
iii. National security letters
b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act)
i. Other changes after USA-Patriot Act
C. Civil Litigation and Privacy
a. Compelled disclosure of media information
i. Privacy Protection Act of 1980
b. Electronic discovery
IV. Workplace Privacy
A. Introduction to Workplace Privacy
a. Workplace privacy concepts
i. Human resources management
b. U.S. agencies regulating workplace privacy issues
i. Federal Trade Commission (FTC)
ii. Department of Labor
iii. Equal Employment Opportunity Commission (EEOC)
iv. National Labor Relations Board (NLRB)
v. Occupational Safety and Health Act (OSHA)
vi. Securities and Exchange Commission (SEC)
c. U.S. Anti-discrimination laws
i. The Civil Rights Act of 1964
ii. Americans with Disabilities Act (ADA)
iii. Genetic Information Nondiscrimination Act (GINA)
B. Privacy before, during and after employment
a. Employee background screening
i. Requirements under FCRA
ii. Methods
1. Personality and psychological evaluations
2. Polygraph testing
3. Drug and alcohol testing
4. Social media
b. Employee monitoring
i. Technologies
1. Computer usage (including social media)
2. Location-based services (LBS)
3. Mobile computing
4. E-mail
5. Postal mail
6. Photography
7. Telephony
8. Video
ii. Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
iii. Unionized worker issues concerning monitoring in the U.S. workplace
c. Investigation of employee misconduct
i. Data handling in misconduct investigations
ii. Use of third parties in investigations
iii. Documenting performance problems
iv. Balancing rights of multiple individuals in a single situation
d. Termination of the employment relationship
i. Transition management
ii. Records retention
iii. References
V. State Privacy Laws
A. Federal vs. state authority
B. Marketing laws
C. Financial Data
a. Credit history
b. California SB-1
D. Data Security Laws
a. SSN
b. Data destruction
E. Data Breach Notification Laws
a. Elements of state data breach notification laws
b. Key differences among states


Why did you decide to get the CIPP/US certification?

More and more people are claiming to be privacy experts these days, including a number of lawyers. Although very few law firms advertised a privacy practice group as of just a few years ago, almost all large law firms do now...with varying degrees of credibility. Some lawyers are holding themselves out as privacy experts when their expertise is limited to a couple of privacy laws and a specific context. They are nonetheless re-branding themselves as "privacy" lawyers. While there certainly are more lawyers who are competent in a range of privacy and information security issues than ever before, they remain few and far between. The CIPP/US certification is perhaps the best way to clearly and immediately demonstrate an understanding of the core concepts and legal issues of privacy and information security.

Does the CIPP/US designation guarantee expertise?

The CIPP/US designation does not guarantee expertise in any particular area of privacy law. The certification tests (there are currently two) do not require the depth of understanding that a true expert must have. For example, the study guides and tests cover financial privacy issues at a level of depth just beyond the surface. There is much more to know about financial privacy law and practice.  Furthermore, there are very accomplished lawyers in these spaces who are not certified by IAPP.   However, the CIPP/US designation does provide assurance that the certificate holder is at least aware of the salient issues and knows where to find answers or guidance, and those two items are very important. Furthermore, certification requires ongoing learning. Mainting IAPP CIPP certification requires the holder to fulfill 20 hours of continuing privacy education (CPE) per two-year period, to ensure the holder's knowlege remains up to date.

The CIPP/US certification is no guarantee of true legal expertise, but it does provide an independent confirmation of basic competence across a broad spectrum of privacy and information security law. It also tells you that the holder is continuing to build upon his or her knowledge in these areas.


 
 
* The N.C. State Bar, the regulatory body that supervises and disciplines lawyers licensed in North Carolina, prohibits a lawyer from using the term "specialized" to describe anything other than a N.C. Bar-issued certificate of specalization in one of a very limited number of fields of law.  There is no specalization available from the N.C. State Bar for privacy, information security, or any related field of law.  


June 27, 2015

A New Role with the YLD, the Future of the Legal Profession

Those of you know me well or who read this blog regularly know that I believe in the Young Lawyers Division of the North Carolina Bar Association and the more than 6,400 young lawyers who belong to it.  In the past eight years, I have witnessed young lawyers volunteer to help thousands of people with significant legal needs and do important work to improve the legal profession.  This is a great group of people, and I am immensely honored that they have elected me to lead them.  I will take office as Chair of the YLD in June of 2016.  In the meantime, if you are a service-minded lawyer under 36, or if you have ideas about what the YLD can do to further its missions (service to the public, service to the bar, and leadership training), please let me know


June 15, 2015

Five Simple Steps You Can Take to Protect Your Loved Ones on Elder Abuse Awareness Day

This post is a PSA.  Those of you who know me well (or read this blog regularly) know that I have spent a considerable amount of of time and energy trying to help people prevent elder financial abuse.  The elderly in the United States lose an estimated $2.6 billion annually due to elder financial abuse and exploitation.  Today is the eighth annual Elder Abuse Awareness Day, which seems like an appropriate time to suggest a few simple steps you can take to help protect your loved ones from elder financial abuse.

1.  If his or her bank offers the opportunity (and is in North Carolina), ask your loved one to provide the bank with a list of trusted persons to whom the bank may speak in the case of suspicious activity.  I've written and spoken about this topic frequently, and you can read my comments here, here, here, here and here.

2.  Encourage your loved one to talk to an elder law attorney about naming a trustworthy person as attorney-in-fact to look after your loved one's interests.  Discourage your loved one from granting a power of attorney to anyone who is not 100% trustworthy and competent.

3.  A small number of unscrupulous telemarketers prey on the elderly.  One way to reduce the potential for this kind of abuse it to put your loved one's telephone number(s) on the national Do Not Call registry by filling out the form available here

4.  Social media is not just for young people.  Many older adults have social media accounts these days.  Fraudsters sometimes use information gathered from social media to help them perpetrate frauds, such as spearphishing attacks.  Ask your loved ones to allow you to set privacy settings on their social media accounts so that strangers (and anyone else they shouldn't trust) will not be able to gain access to information that would help in such attacks.

5.  Encourage your loved one to obtain their free annual credit report and help them review the report for evidence of identity theft.  I have written about how to get a free credit report (as well as how to respond to identity theft) here.

Thank you for taking the time to read this post.  I hope this information will help you as you try to protect your loved ones from the growing threat of elder financial exploitation. 

June 2, 2015

Potential Opportunities for Cost Sharing by Community Banks

At the North Carolina Bankers Association's Annual Convention today, Kris Kiefer, Deputy Comptroller at the OCC, and John Henrie, Regional Director of the FDIC, referenced a recent OCC paper regarding bank pooling of resources to obtain better services at lower cost. 

The paper, titled “An Opportunity for Community Banks: Working Together Collaboratively,” describes ways in which community banks might collaborate to lower costs and obtain specialized expertise. The paper outlines how community banks can structure cooperative arrangements, and emphasizes the need for effective oversight of those arrangements.

Community banks can collaborate in several ways, according to the OCC, such as:
  • exchanging information and ideas;
  • jointly purchasing materials or services;
  • sharing back-office or other services;
  • sharing a specialized staff member or team;
  • jointly owning a service organization;
  • participating in disaster mitigation agreements; and
  • jointly providing/developing products and services.
In some cases, community banks will want to form an entity (such as an LLC) to engage in activies. The regulatory issues to be addressed in those situations will be whether the activities are permissible and whether the investment by the banks in the entity are permitted.  The OCC has its own rules and guidance for permissible activies, and has published guidance based on prior decisions.  State chartered banks may generally follow those rules and guidance, despite being regulated by other agencies.  Often the entities will be considered "noncontrolling investments" or "bank service companies," which are different from a regulatory standpoint than the "bank operating subsidiaries" that many banks may be more familiar with.  Often an application will be required.

As with loan participations and syndications, the guidance makes clear that bank collaborations should be documented in a binding agreement that allocates the resposibilities and risks associated with the activity. 

Ideally, collaboration in areas in which it makes sense would enable community banks to achieve better outcomes at lower costs, increase their range of services, and enhance the expertise available to them.


 





June 1, 2015

TILA-RESPA Integration Will Be Here In Two Months. Are You Ready?

As all mortgage lenders know by now, beginning August 1, the new TILA-RESPA integrated disclosure requirements will become effective for any lender that makes more than five mortgage loans in a calendar year.  With two months to go, now is a good time to make sure your institution is ready.
 
If you have been paying attention, you know that the rule covers much more than just two new disclosure forms.  This is a complex, substantive change in the law.   In fact, the CFPB has published hundreds and hundreds of pages of rules and guidance.  I am not going to attempt to describe the new rules in detail here. (The final rule alone is 1,888 pages.) Instead, I just want to point out a few things and recommend a checklist for assessing your progress as you prepare for the August 1 deadline.
 
First, as I am sure you know, the new Loan Estimate form combines two existing forms, the Good Faith Estimate (GFE) and the initial Truth-in-Lending disclosure into one form.  The Loan Estimate must be provided to an applicant (placed in the mail) no later than the third business day after he or she submits a loan application.  
 
When Is An Application "Complete"?

One thing I want to be sure you understand is that unlike under the current rules, after August 1, a loan application that you might otherwise consider "incomplete" may trigger the Loan Estimate obligation.

The rule defines a loan application as having six of the seven elements that RESPA required: consumer’s name, consumer’s income, consumer’s social security number to obtain a credit report, property address, estimate of the value of the property and mortgage loan amount sought. The definition in the rule does not include RESPA’s seventh, catch-all term “any other information deemed necessary by the loan originator.” So, while you used to be able to deem a loan application incomplete for purposes of RESPA if it lacked some additional information that you deemed necessary, you no longer have that discretion. 
 
Also be careful about this: An application must be in writing, but any written record of an oral conversation is sufficient to trigger the requirement.

Even if a complete application has not been received, it will be permissible to provide an "early written estimate."  You should, however, include a clear disclaimer on any such estimate.
 
Revised Disclosures

Sometimes, disclosures need to be revised.  If a revised disclosure is necessary, it must be received by the customer at least four business days prior to closing, which means that it if is mailed, it must be mailed seven business days before closing.
 
Did You Endorse That Service Provider?

Separate from the Loan Estimate is a required list of settlement services for which the customer can shop. You must identify at least one provider for each service. Do you have a policy for how you will identify these providers for each market area? How many will you list for each category? Are you going to vet them? If not, do you have a disclaimer ready? (Hint: the model form does not have one.)
 
Collecting Fees

There are also new restrictions on fees that can be collected prior to giving a Loan Estimate and prior to a consumer’s consent to proceed. For example, no fee other than a credit report fee can be collected prior to the Loan Estimate and consumer consent to proceed. 
 
Pre-Closing Disclosure
 
As most of you know, the other major document required by the new rules is the Closing Disclosure, which as you know, combines two existing forms, the HUD-1 Settlement Statement and final Truth-in-Lending disclosures, into one form, and must be provided to consumers at least three business days before closing the loan. 
 
Mistakes are going to happen, but if they are caught in time, they can be corrected.  The rule says you can retroactively cure violations by refunding the excess portion of a cost or fee to the consumer, and delivering corrected disclosures to reflect the refund, within 60 days after closing.  You’ll need to decide if you want to set up a post-consummation review process to ensure that you provide corrected Closing Disclosures to catch these and correct them.  
 
Additional Disclosures
 
Beyond the two primary disclosures, there are others to have ready by August 1:
  • the post-consummation escrow cancellation notice (aka "Escrow Closing Notice") 
  • the post-consummation mortgage servicing transfer
  • partial payment notice

Record Retention 
 
You probably need to update record retention policies as well.  
  • Keep a copy of the Closing Disclosure (and all documents related to the Closing Disclosure) for five years after consummation, even if you sell the loan and the servicing rights.
  • Keep the Post-Consummation Escrow Cancellation Notice (Escrow Closing Notice) and the Post-Consummation Partial Payment Policy disclosure for two years. 
  • For all other evidence of compliance with the Integrated Disclosure provisions of Regulation Z (including the Loan Estimate) maintain records for three years after consummation of the loan.
  • Be sure you know when to use the new forms versus when to continue to use the existing disclosures (GFE, initial and final TIL, and the HUD-1)
    • Specifically, the TILA-RESPA rule does not apply to HELOCs, reverse mortgages or mortgages secured by a mobile home or by a dwelling that is not attached to real property (i.e., land). (§ 1026.19(e) and (f))
    • However, certain types of loans that are currently subject to TILA but not RESPA are subject to the new integrated disclosure requirements, including: construction-only loans, vacant-land loans, and loans secured by 25 acres or more.
  And Many More...
 
Here are a few things you’ll want to think about, such as the following: 
  • Do you have policies and forms for pre-consummation and post-consummation disclosures? 
  • Also, think about how a consumer will give the required indication of intent to proceed with a loan? Are you going to have a form?
  • How are you going to track the new tolerances?
In addition, I suggest you take a look at the Readiness Questionnaire in Part 2 of the CFPB’s Mortgage Rules Readiness Guide. I encourage you to work through the TILA-RESPA Integration section that begins on page 15 and ends on page 21.  This is not mandatory (and it has not been added to the Exam Manual), but it may be useful to help determine how ready you are and what you need to do next. 


My hope is that each of you reading this article will be buoyed with confidence that you are well-prepared for the August 1 compliance deadline, but if you are not, I hope this article will help you identify the areas that need work in the final days before implementation.



  

May 30, 2015

The CFPB Wants More Information About Mortgage Loans. Guess Who's Going to Collect It.

As you may know, the Consumer Financial Protection Bureau collects data from mortgage lenders about mortgage loans. It is currently attempting to dramatically expand the scope of information that mortgage lenders are required to provide to it.  
 
The Home Mortgage Disclosure Act (HMDA, or, as I like to call it, "Hmm Duh") was enacted in 1975 and the Federal Reserve Board was given rulemaking authority (through which it authored Reg. C) until July 21, 2011, when the Dodd-Frank Act transferred that authority to the CFPB. HMDA requires lending institutions to report certain mortgage loan data. The Dodd-Frank Act also directed the CFPB to expand the HMDA dataset to include additional information about loans that would be helpful to better understand aspects of the mortgage market.  
 
The CFPB proposed changes to the data that mortgage lenders are required to collect and report was proposed in July of last year. (That proposal was 572 pages--svelt by CFPB standards.)  The proposal went well beyond what the Dodd-Frank Act required. The comment period ended in October, and we are now awaiting the final rules. Here's what the proposal entails:
 
More Loans
 
Regulation C currently uses a “purpose” test to determine whether a mortgage loan transaction must be reported. Loans made to purchase, refinance, or improve a home are covered. The proposed rule would require that covered lenders report, with some exceptions, all loans secured by dwellings. "Dwelling" isn't limited to primary residence—it includes vacation homes, multi-family, and rentals. home equity lines of credit  (HELOCs), which were not previously always covered unless the use of proceeds related to the home, will always be covered if the proposed rule is adopted.
 
Higher Reporting Threshold
 
Currently, Regulation C requires banks to submit HMDA data even if they make only one home loan in a given year; however, the proposal would set a 25 loan threshold. For purposes of counting the threshold, only closed-end loans (including reverse mortgages)--not HELOCs--are counted. 
 
New Information
 
The proposed rule would add not only the 17 new data fields called for by Dodd-Frank, but also 20 additional fields that the CFPB believes are necessary to help it monitor the marketplace. 
 
The new information required by the Dodd-Frank Act includes, for example:
 
  • the property value; 
  • term of the loan; 
  • total points and fees; 
  • rate spread;
  • the duration of any teaser or introductory interest rates;
  • prepayment penalties;
  • bonamortizing features;
  • loan officer number;
  • the applicant’s or borrower’s age; 
  • credit score;
  • application channel (retail or broker)
The CFPB's additional 20 fields include the following:
  • applicant’s debt-to-income ratio
  • loan-to-value ration (LTV)
  • the automated underwriting system used
  • the reason for denial (currently optional) 
  • Qualified Mortgage (QM) status
  • the interest rate of the loan, and 
  • the total discount points charged for the loan
  • fees 
  • certain property information
  • manufactured housing data
All of this is ostensibly to allow CFPB to see how the mortgage market is functioning, and specifically to determine how the "Ability to Repay" rule is affecting the market. (Although without a "before" data set, how can they know?)

Reporting Timeframe
 
Mortgage lenders currently report annually by March 1 for the preceding calendar year. Under the proposal, mortgage lenders that make 75,000 or more loans will have to start reporting quarterly. 
 
Reporting Format and Method

The proposed rule would align many of the HMDA data requirements with the widely used Mortgage Industry Standards Maintenance Organization ("MISMO") data standards, including the Uniform Loan Delivery Dataset ("ULDD") that is already used by the government-sponsored enterprises (GSEs).
 
The CFPB is considering creating its own web-based HMDA software that mortgage lenders would use to report their data. That sounds like a bad idea to me. (Remember how well the federal government's last big website rollout went?)
 
Public Disclosure
 
The CFPB did not state what, if any, of the new data proposed to be collected would be made available to the public. The bureau is still considering this issue.  (If the data is made a available to the public, you can bet that some special advocacy groups will be scrutinizing the data and drawing inferences from it.)

Final Rule Expected This Year.
 
The CFPB has not announced when the final rule will be published, but most people expect it to be this year. I have seen a prediction for July, but that seems too soon to me. There are too many details around the reporting format and method to expect a final rule this summer, given the CFPB's many other initiatives.

Fair Lending Focus

Aside from the increased burden on mortgage lenders, I predict that the primary consequence of this change will be an increase in enforcement actions against mortgage lenders.  Obviously this new data will enable CFPB and others to evaluate equal credit opportunity issues, and probably will facilitate more disparate impact type claims

May 9, 2015

The CFPB's Consumer Complaint Database Will Soon Include Consumers' Complaint Narratives. Are You Ready?

In case you missed it, the CFPB is trying to become the next Yelp or Angie's List.

The CFPB began accepting complaints from consumers as soon as it opened its doors in 2011—with over half a million currently on file.  In June of 2012, it started publishing a limited amount of data from the complaints on its website. Now, it has decided to give consumers a platform to "publicly share their stories." 

The CFPB's website already allows a consumer to describe his or her complaint in narrative form in a text box on the complaint webpage. The consumer can also attach documents to the complaint. The CFPB forwards the complaint to the company, requests a response, gives the consumer a tracking number, and updates the consumer on the status of the resolution.

In March, the CFPB revised its consumer complaint policy to allow consumers to publish their grievances—in their own words—on the CFPB's website.   Beginning later this month (May 2015), when consumers submit complaints to the CFPB, they will have the option to check a box to share their narrative. The narratives will have names, telephone numbers, account numbers, Social Security numbers, and other identifiers redacted. The CFPB will not, however, verify the truth or accuracy of the facts asserted in the consumer's complaint. 

Banks and other companies will be given the option to select from a limited list of structured response options within 180 days after the consumer complaint is routed to them. The response cannot be customized. Actually, the final policy says that the financial institution can "recommend" one of the pre-set response to the CFPB, but the CFPB reserves the right to reject the response.

Complaints will be listed in the public database only after the financial institution responds to the complaint or after it has had the complaint for 15 days, whichever comes first. The CFPB will publish the consumer complaint narrative when the financial institution provides its public-facing response, or after the financial institution has had the complaint for 60 days, whichever comes first. If, within 15 days of receiving a notice of the complaint, a financial institution tells the CFPB that it has no record of a financial relationship with the complaining person, or if the financial institution tells the CFPB that it believes the complaint is fraudulent, the CFPB is not supposed to publish the complaint.

Despite the fact that this sort of information can become stale and of marginal value over time, the CFPB has determined that complaints will remain on the public database indefinitely.  Furthermore, the final policy fails to address whether complaints will be removed or changed when a financial institution merges or is acquired, or when a division is spun out.

I have written and spoken before about the importance of online reputation management for financial institutions. This development underscores the need for each financial institution to have a comprehensive online reputation management strategy. Aside from behaving honestly and ethically, the best (but not the only) thing a financial institution can do to protect its reputation online is to inundate the web with positive content. While there are some legal concerns to address when a financial institution expands its presence on the web, this strategy is the most effective way to ensure that the overall narrative reflects the financial institution's mission and message.


Image credit: matt cordell using (x-ray delta one)



March 1, 2015

Data Security Breaches, Unauthorized Transfers, and Corporate Accout Takeovers ...What You Missed!

On Friday, I had the honor to join some distinguished speakers for an all-day continuing legal education seminar on computer technology and the law.  My fellow presenters were:
  • Clark Walton, former CIA forensic computer analyst, lawyer with Alexander Ricks, and founder of computer forensic firm Reliance Forensics (and formerly Chair of the NCBA Young Lawyers Division and the American Bar Association's Young Lawyer of the Year).
  • Ashden Fein, lead prosecutor of Private Bradley Manning in the WikiLeaks trial and now lawyer with Covington & Burling in Washington, D.C.
  • Chris Swecker, former Assistant Director of the FBI, lawyer, and security consultant.
  • Kim Korando, employment lawyer with Smith Anderson.
  • Joyce Brafford, law practice technology guru with the NCBA's Center for Practice Management.
It was a fascinating day, and I enjoyed hearing from these great speakers more than I enjoyed speaking myself.  (I was under the weather and quite hoarse.  My apologies to all who had to endure my voice.)

In the course of my presentation, we discussed the various legal response requirements following a data security breach, as well as liability for unauthorized transfers in consumer and commercial accounts. 

The program was well-attended in person and by webinar, but if you missed the opportunity to attend, I am providing a link to my slideshow here.  I hope you find it useful.

February 9, 2015

NC Commissioner of Banks Ray Grace Re-Appointed

Commissioner Ray Grace -photo by M. Cordell
Today, Governor McCrory appointed Ray Grace to serve as North Carolina's Commissioner of Banks for another term.  Although Commissioenr Grace has been "appointed," the process actually works like a nomination; His appointment must be confirmed by each house of the General Assembly. 

After serving in the Marine Corps during the Vietnam War, Grace graduated from college and immediately joined the Office of the Commissioner of Banks as a trainee examiner in 1974. He has served in various roles over the years, and has deep experience in the regulation and supervision of North Carolina financial institutions. 

After former Commissioner Joseph A. Smith, Jr., resigned effective February 16, 2012 to become the nationwide mortgage settlement czar, then-Governor Beverly Purdue appointed Grace, then Deputy Commissioner, to serve as Acting Commissioner. Under the banking statute in effect at the time, Governor Purdue was required to submit the name of a permanent successor to the General Assembly within four weeks. She nominated Ray Grace by the end of the month, and he became Acting Commissioner. However, as I predicted back in February of 2012, the confirmation process took much, much longer.  Governor McCrory re-nominated Acting Commissioner Grace more than a year later, in March of 2013. The Senate approved on May 15, 2013, and the House approved on June 6, 2013.  Commissioner Grace's initial term was the remainder of what would have been Joe Smith's final term, expiring March 31, 2015.  

Under the new banking statute, Governor McCory was required to appoint a Commissioner of Banks by February 1.  Apparently it took a few days for that appointment to be publicly announced.  Assuming he is confirmed by the General Assembly, the Commissioner's term will continue for four years (until March 31, 2019).