Private Loan Potpourri & Ask the Lawyers
Dino Tsibouris
Tsibouris & Associates, LLC
dino@tsibouris.com

Regulation P Update
Dino Tsibouris
Tsibouris & Associates, LLC
dino@tsibouris.com

Regulation P
• CFPB amended Regulation P in October
• Allows limited web posting of annual privacy notices under certain conditions
• Applies to a financial institution (“FI”) that does not share in a way that gives rise to an opt out

Regulation P
• Gramm Leach Bliley §503 requires a FI to provide initial and annual notices describing their privacy policies
• Must describe whether and how the FI shares nonpublic personal information with third parties

Regulation P
• If FI wants to share nonpublic personal information with nonaffiliated third parties, must give opportunity to opt out of sharing
• Exceptions:
  • Third-party service providers
  • Joint marketing arrangements
  • Account servicing
  • Legal compliance

Regulation P - FCRA
• Similarly to GLBA, the FCRA places restrictions on an FI providing a consumer information containing customer credit information to others
• FCRA §603 - Sharing credit information with affiliates is not deemed a “consumer report” if:
  • The consumer is notified; and
  • given the option to opt out

Regulation P - FCRA
• FCRA § 624 (“Affiliate Marketing Rule”) – affiliate of FI may not receive transaction history from FI unless consumer is given notice and opportunity to opt out
• Optional; may be included in GLBA initial and annual notice
• May use alternative delivery if not only method
• Included in model notice - opt out must be indefinite
• Separate notice - limit to 5 years subject to renewal if disclosed

Regulation P
• Common practice to mail printed copies of their GLBA
• Section 503(c)(4) of GLBA and Reg. P require notices to include FCRA §603 notice and opt out
• Many currently provide electronically if the consumer consents and acknowledges receipt of the notice
• Referred to as the “standard delivery methods”

Regulation P
You may reasonably expect that a customer will receive actual notice of your annual notice under 12 CFR 1016.9 if: The customer uses your Web site to access financial products and services electronically and agrees to receive notices at the Web site, and you post your current privacy notice conspicuously in a clear and conspicuous manner on the Web site.

Regulation P
GLBA Section 503(a) “Annual Notice” baseline requirement: ‘as long as a “clear and conspicuous disclosure” is provided “in writing or in electronic form or other form permitted by the regulations.”’

Regulation P
• You may now post annual notice on website under the following conditions:
  • No opt out rights triggered under GLBA or FCRA and FCRA opt-out notices have been provided already or independent of proposed GLBA web notice;
  • Information practices have not changed since the last notice (initial, annual, or revised)
  • The model form provided in Regulation P is used.

Regulation P
• Access requirements:
  • The 3 C’s: Continuous, clear, and conspicuous posting on a page of the FI’s website
  • No login or “agreement to any conditions” to access the notice
  • Must provide in writing within ten days of telephone request

Regulation P
• Is this an agreement?

Regulation P
• Web page may only include annual privacy notice
• “Only content on the web page”
• Information such as navigational menus and links to other supplemental information (including privacy information) is not “content” and is permissible

Regulation P
• FIs who change their privacy policies should deliver revised notices using the standard delivery methods
• Subsequent notice would use alternative delivery
• Name changes for FI/affiliates are not a change in privacy practices; alternative delivery permitted
• Minimum “not less than annually” standard allows for midyear corrections/more frequent delivery

Regulation P
• May use alternative delivery if information in privacy notice has not changed since it was provided in the immediately previous notice (whether initial, annual, or revised).
• If methods of information disclosure or sharing are eliminated, alternative delivery is acceptable without a new standard notice (“no changes other than elimination”).

Regulation P
• “Notice of availability”
  • Must annually state that the privacy notice is posted on the FI’s website and that it will be mailed if you call their number
  • May combine the reminder with another mandatory disclosure or notice – statements, coupon books, but not ads or newsletters
  • May use an existing “E-SIGNed” method of delivery if available

Regulation P
• Must meet all conditions for alternative delivery by the due date of the first annual privacy notice you intend to use it for
  • Notice of availability
  • Telephone number
  • Access via website
  • Use of Model Form

Regulation P
Privacy Notice
Federal law requires us to tell you how we collect, share, and protect your personal information. Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us at [telephone number].

Do-Not-Track Features: Legal Developments
Kelly Lipinski
McGlinchey Stafford

Website Privacy Policy
• California Online Privacy Protection Act of 2003
• Applies to any operator of a commercial website or online service (e.g., mobile application) that collects personally identifiable information (“PII”) about California residents who visit the website.
• Requirement to conspicuously post website privacy policy online.
• Specific content must be included in the policy. For example:
  • Categories of PII that is collected
  • Categories of third parties with whom an operator may share PII
  • Description of the process to review PII that is collected and to learn of changes to the website privacy policy.

Website Privacy Policy Developments
• FTC Report, Protecting Consumer Privacy in an Era of Rapid Change
• Proposed a setting on a consumer’s browser that would convey the consumer’s privacy choices when visiting a website.
• Whether the consumer wants to be tracked or not.
• Consequences of heeding the consumer’s wishes.

Browser Supported Do-Not-Track Feature

Website Privacy Policy Developments
• In 2014, California strengthened its Internet privacy requirements.
• Concerned about operators that collect data on consumer behavior and then sell it to data brokers.
• “Do-Not-Track” function and what an operator does with this message.
• Website operators are not required to heed consumer’s choice.
• However, operators must tell consumers what they do with this browser setting.

Website Privacy Policy Developments
• An operator must add two items to its website privacy policy:
  • Disclose how it responds to Web browser "do not track" signals regarding the collection of PII about an individual's online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
  • Disclose whether other parties may collect PII about an individual’s online activities over time and across different Web sites when a consumer uses the operator's Web site or service.
Cal. Bus. & Prof. Code § 22575.

Website Privacy Policy Developments
• California Attorney General Guidance
• Guidance on drafting privacy policies.
• Collaboration with IT to say what you mean and mean what you say.
• Service provider and marketing input.

Fair Debt Collection Practices Act Rulemaking Update
David A. Head
Weltman, Weinberg & Reis Co., L.P.A.

Fair Debt Collection Practices Act
• Enacted in 1977
• Federal Trade Commission had enforcement powers over the FDCPA, but could not make rules
• Case law has interpreted the law inconsistently
• Dodd-Frank Act in 2010 empowered the Consumer Financial Protection Bureau to make rules and enforce the FDCPA

FDCPA
• Consumer protection act
• Debt collectors treat consumers fairly
• Prohibit certain methods of debt collection
• Addresses issue of proper and appropriate debt collection practices and techniques
• Debt collector defined as third party collecting on behalf of another
• A violation of the FDCPA does not erase a legitimate consumer debt that is owed

Advanced Notice of Proposed Rulemaking
• 2013 - CFPB began debt collection rule-writing process
• November 2013 – CFPB issued the ANPR for debt collection practices
• February 2014 – ANPR comment period ended
• December 2014 – Pre-rule activities scheduled through December
• Unknown when Proposed Rule will be issued for additional comment

ANPR Areas of Interest
• Transfer and accessibility of information
  • Ensure info is accurate when transferred
• Validation, dispute and verification
  • Ensure consumer has clear understanding of rights
• Communications
  • Technology update needed (telephone, mail, telegraph)
  • Cell phone, email, text, social media

ANPR Areas of Interest
• Unfair, Deceptive and Abusive Acts or Practices
  • First party/creditor liability for debt collection
  • CFPB Bulletin 2013-07
  • Prohibition of UDAAP in consumer debt collection
  • Originating creditors included
  • Enforcement Action against ITT Educational Services, Inc. and Corinthian Colleges allege UDAAP violations, including abusive collection practices

ANPR Areas of Interest
• Time-barred debt
  • Amicus briefs in Buchanan v Northland Group, Inc. and Delgado v Capital Management Services
  • “A debt collector’s communication need not contain overtly false statements to be misleading or deceptive; omissions may also deceive”
  • Communication contained no threat of litigation, but CFPB/FTC argued that actual or threatened litigation is not necessary
  • Offer of settlement can be misleading because it implies legal enforceability

ANPR Areas of Interest
• Litigation practices
  • Venue and pleading requirements/documentation
• State and local debt collection exemptions
• Recordkeeping, monitoring and compliance
• Federal registration

Private Loan Potpourri & Ask the Lawyers
Dino Tsibouris
Tsibouris & Associates, LLC
dino@tsibouris.com

Higher Ed Privacy
• Federal Trade Commission enforces GLBA
• Stated that a college or university that fits within the definition of a “financial institution” is compliant with GLBA’s Privacy Rule if it complies with the Federal Educational Rights and Privacy Act (FERPA) (20 USC 1232g/ 34 CFR Part 99)
• 16 CFR 313.1

Higher Ed Privacy
• FERPA (20 USC 1232g/ 34 CFR Part 99) requires you to protect “personally identifiable information”
• Broader than “nonpublic personal information” as defined in GLBA
• Includes records maintained by your agents and contractors

Higher Ed Privacy
• “Personally identifiable information” includes, but is not limited to:
  • Names of student, parents, family members
  • Their addresses
  • Personal identifiers
  • Other direct identifiers (D.O.B., birthplace, mother’s maiden name)
  • Linkable information (alone or in combination with other information that could identify the student)

Higher Ed Privacy
• “Parent” means the student’s parent but includes:
  • A natural parent
  • Guardian
  • Individual acting as a parent in the absence of a parent or guardian

Higher Ed Privacy
• Annual notice of rights to parents of students or eligible students in attendance
• Notification of policy using means reasonably likely to inform

Higher Ed InfoSecurity
• FTC Safeguards Rule to protect nonpublic personal information does not exempt institutions of higher education
• You must comply
• FTC – Very limited enforcement power over nonprofits (subject to exceptions on a case by case basis)
• State AG

Higher Ed Security
• Risk assessments
• Comprehensive program to address risks
• Policies
• Training
• Adequate resources
• Event response
• Updating

Higher Ed Pressure Points
• If you aren’t compliant with FERPA, did you just violate GLBA also?
• Are the school’s joint ventures or spinoffs no longer nonprofit or independent of the school?
• Do you update your comprehensive programs?
• What about your credit union?

Higher Ed Pressure Points
• EPIC – ED does not adequately investigate FERPA complaints
• California Student Online Personal Information Protection Act (No K-12 student profiling allowed, EPIC Student Privacy Bill of Rights)
• Debt collector practices/Quality control reports (EPIC settlement, 2013)

Higher Ed Pressure Points
• Markey/Hatch proposed “Protecting Student Privacy Act”
  • Safeguards for private companies holding student data
  • Prohibits using data for marketing
  • Parents can access/correct data at the company
  • Transparency/limitations

Credit Reporting Update
Kelly Lipinski
McGlinchey Stafford

Credit Reporting & Disputes
• Fair Credit Reporting Act
• Credit reporting agencies must notify furnisher if a consumer disputes information provided by the furnisher.
• Furnisher must investigate the dispute using “all relevant information”:
  • Information on hand.
  • Information provided by the CRA.
  • Information provided by the consumer.

Credit Reporting & Disputes
• CFPB Expectations for FCRA Compliance:
  • System that can receive information from CRAs;
  • Investigate “all relevant information”;
  • Report the results of the investigation.
• If dispute is valid, furnisher must provide corrected information to every nationwide CRA to which it reported.
  • Not only the CRA that initiated the investigation.
• If FCRA process isn’t written down, it doesn’t exist.

Credit Reporting & Disputes
• Vendor management issue:
  • Verification versus dispute.
  • Understand what matters are handled as “verification” requests instead of “disputes”.
• Uniform policy of deleting trade line upon receipt of a dispute is insufficient and does not comply with FCRA.
• Investigation may reveal systemic problems.

Private Loan Potpourri & Ask the Lawyers
Dino Tsibouris
Tsibouris & Associates, LLC
dino@tsibouris.com

Student Lines of Credit
• Use of open end credit for private student loans is increasing
• A line of credit is established based on credit criteria
• Borrow up to the credit limit
• Draw period
• Repayment period
• Popular with credit unions and startups

Student Lines of Credit
• Truth-in-Lending open end disclosures apply
• Private student loan disclosures under TILA §140 do not apply to open-end credit

Student Lines of Credit
12 CFR 1026.2(a)(2) - Open-end credit means consumer credit extended by a creditor under a plan in which:
• The creditor reasonably contemplates repeated transactions;
• The creditor may impose a finance charge from time to time on an outstanding unpaid balance; and
• The amount of credit that may be extended to the consumer during the term of the plan (up to any limit set by the creditor) is generally made available to the extent that any outstanding balance is repaid.

Student Lines of Credit
• Truth in Lending Act - 1980 amendments first required that the creditor have reasonably contemplated repeat sales
• Senate report discusses “spurious open end credit,” which occurs when “a merchant styles what is likely to be a one-time credit extension in the form of a purchase on an open end (revolving charge) plan”

Student Lines of Credit
Staff Commentary - 2(a)(20) Open-end credit.
3. Repeated transactions. Under this criterion, the creditor must reasonably contemplate repeated transactions. This means that the credit plan must be usable from time to time and the creditor must legitimately expect that there will be repeat business rather than a one-time credit extension. The creditor must expect repeated dealings with consumers under the credit plan as a whole and need not believe a consumer will reuse a particular feature of the plan.

Student Lines of Credit
Staff Commentary - 2(a)(20) Open-end credit.
…The determination of whether a creditor can reasonably contemplate repeated transactions requires an objective analysis. Information that much of the creditor's customer base with accounts under the plan make repeated transactions over some period of time is relevant to the determination, particularly when the plan is opened primarily for the financing of infrequently purchased products or services.

Student Lines of Credit
• The Benions argue that “likely” means more than 50 percent probable, that a probability of more than 50 percent is equivalent to a frequency of more than 50 percent, and hence that the issuer of a private label credit card violates the Act unless more than 50 percent of the purchases made with the card are repeat purchases-and anyway that big-ticket items are not eligible for credit card credit.
• Benion v. Bank One, 1998 (7th Cir.) (Claim rejected)

Student Lines of Credit
• Line may be underwritten at opening
• May evaluate creditworthiness of borrowers periodically or on ad hoc basis (soft pulls)
• Must not perform underwriting because a person requested an advance
• Must have policies, procedures, and training
• Risk: converting the advance to a closed-end loan subject to closed-end disclosure requirements