Private Loan Potpourri & Ask the Lawyers

advertisement
Private Loan
Potpourri & Ask
the Lawyers
Dino Tsibouris
Tsibouris & Associates, LLC
dino@tsibouris.com
Regulation P
UPDATE
Dino Tsibouris
Tsibouris & Associates, LLC
dino@tsibouris.com
Regulation P
• CFPB amended Regulation P in October
• Allows limited web posting of annual privacy
notices under certain conditions
• Applies to a financial institution (“FI”) that does not
share in a way that gives rise to an opt out
Regulation P
• Gramm Leach Bliley §503 requires a FI to provide
initial and annual notices describing their privacy
policies
• Must describe whether and how the FI shares
nonpublic personal information with third parties
Regulation P
• If FI wants to share nonpublic personal information
with nonaffiliated third parties, must give
opportunity to opt out of sharing
• Exceptions:
• Third-party service providers
• Joint marketing arrangements
• Account servicing
• Legal compliance
Regulation P - FCRA
• Similarly to GLBA, the FCRA places restrictions on
an FI providing a consumer information containing
customer credit information to others
• FCRA §603 - Sharing credit information with
affiliates is not deemed a “consumer report” if:
• The consumer is notified; and
• given the option to opt out
Regulation P - FCRA
• FCRA § 624 (“Affiliate Marketing Rule”) – affiliate of
FI may not receive transaction history from FI
unless consumer is given notice and opportunity to
opt out
• Optional; may be included in GLBA initial and
annual notice
• May use alternative delivery if not only method
• Included in model notice - opt out must be indefinite
• Separate notice - limit to 5 years subject to renewal if
disclosed
Regulation P
• Common practice to mail printed copies of their
GLBA
• Section 503(c)(4) of GLBA and Reg. P require
notices to include FCRA §603 notice and opt out
• Many currently provide electronically if the
consumer consents and acknowledges receipt of
the notice
• Referred to as the “standard delivery methods”
Regulation P
You may reasonably expect that a customer will
receive actual notice of your annual notice under 12
CFR 1016.9 if:
The customer uses your Web site to access financial
products and services electronically and agrees to receive
notices at the Web site, and you post your current privacy
notice conspicuously in a clear and conspicuous manner
on the Web site.
Regulation P
GLBA Section 503(a) “Annual Notice” baseline
requirement:
‘as long as a “clear and conspicuous disclosure” is
provided “in writing or in electronic form or other form
permitted by the regulations.”’
Regulation P
• You may now post annual notice on website under
the following conditions:
• No opt out rights triggered under GLBA or FCRA and
FCRA opt-out notices have been provided already or
independent of proposed GLBA web notice;
• Information practices have not changed since the last
notice (initial, annual, or revised)
• The model form provided in Regulation P is used.
Regulation P
• Access requirements:
• The 3 C’s: Continuous, clear, and conspicuous posting
on a page of the FIs website
• No login or “agreement to any conditions” to access the
notice
• Must provide in writing within ten days of telephone
request
Regulation P
• Is this an agreement?
Regulation P
• Web page may only include annual privacy notice
• “Only content on the web page”
• Information such as navigational menus and links to
other supplemental information (including privacy
information) is not “content” and is permissible
Regulation P
• FIs who change their privacy policies should deliver
revised notices using the standard delivery
methods
• Subsequent notice would use alternative delivery
• Name changes for FI/affiliates are not a change in
privacy practices; alternative delivery permitted
• Minimum “not less than annually” standard allows
for midyear corrections/more frequent delivery
Regulation P
• May use alternative delivery if information in
privacy notice has not changed since it was
provided in the immediately previous notice
(whether initial, annual, or revised).
• If methods of information disclosure or sharing is
eliminated, alternative delivery is acceptable
without a new standard notice (“no changes other
than elimination”).
Regulation P
• “Notice of availability”
• Must annually state that the privacy notice is
posted on the FIs website and that it will be mailed
if you call their number
• May combine the reminder with another
mandatory disclosure or notice – statements,
coupon books, but not ads or newsletters
• May use an existing “E-SIGNed” method of delivery
if available
Regulation P
• Must meet all conditions for alternative delivery by
the due date of the first annual privacy notice you
intend to use it for
• Notice of availability
• Telephone number
• Access via website
• Use of Model Form
Regulation P
Privacy Notice
Federal law requires us to tell you how we collect,
share, and protect your personal information. Our
privacy policy has not changed and you may review
our policy and practices with respect to your
personal information at [Web address] or we will
mail you a free copy upon request if you call us at
[telephone number].
Do-Not-Track
Features:
Legal Developments
Kelly Lipinski
McGlinchey Stafford
Website Privacy Policy
• California Online Privacy Protection Act of 2003
• Applies to any operator of a commercial website or online
service (e.g., mobile application) that collects personally
identifiable information (“PII”) about California residents who
visit the website.
• Requirement to conspicuously post website privacy policy
online.
• Specific content must be included in the policy. For example:
• Categories of PII that is collected
• Categories of third parties with whom an operator may share PII
• Description of the process to review PII that is collected and to
learn of changes to the website privacy policy.
Website Privacy Policy
Developments
• FTC Report, Protecting Consumer Privacy in an Era
of Rapid Change
• Proposed a setting on a consumer’s browser that
would convey the consumer’s privacy choices when
visiting a website.
• Whether the consumer wants to be tracked or not.
• Consequences of heeding the consumer’s wishes.
Browser Supported DoNot-Track Feature
Website Privacy Policy
Developments
• In 2014, California strengthened its Internet privacy
requirements.
• Concerned about operators that collect data on
consumer behavior and then sell it to data brokers.
• “Do-Not-Track” function and what an operator
does with this message.
• Website operators are not required to heed consumer’s
choice.
• However, operators must tell consumers what they do
with this browser setting.
Website Privacy Policy
Developments
• An operator must add two items to its website
privacy policy:
• Disclose how it responds to Web browser "do not track"
signals regarding the collection of PII about an
individual's online activities over time and across thirdparty Web sites or online services, if the operator
engages in that collection.
• Disclose whether other parties may collect PII about an
individual’s online activities over time and across
different Web sites when a consumer uses the
operator's Web site or service. Cal. Bus. & Prof. Code §
22575.
Website Privacy Policy
Developments
• California Attorney General Guidance
• Guidance on drafting privacy policies.
• Collaboration with IT to say what you mean and
mean what you say.
• Service provider and marketing input.
Fair debt
collection
practices act
Rulemaking Update
David A. Head
Weltman, Weinberg & Reis Co., L.P.A.
Fair debt collection
practices act
• Enacted in 1977
• Federal Trade Commission had enforcement
powers over the FDCPA, but could not make rules
• Case law has interpreted the law inconsistently
• Dodd-Frank Act in 2010 empowered the Consumer
Financial Protection Bureau to make rules and
enforce the FDCPA
FDCPA
• Consumer protection act
• Debt collectors treat consumers fairly
• Prohibit certain methods of debt collection
• Addresses issue of proper and appropriate debt
collection practices and techniques
• Debt collector defined as third party collecting on
behalf of another
• A violation of the FDCPA does not erase a
legitimate consumer debt that is owed
Advanced Notice of
Proposed Rulemaking
• 2013 - CFPB began debt collection rule-writing
process
• November 2013 – CFPB issued the ANPR for debt
collection practices
• February 2014 – ANPR comment period ended
• December 2014 – Pre-rule activities scheduled
through December
• Unknown when Proposed Rule will be issued for
additional comment
Anpr areas of interest
• Transfer and accessibility of information
• Ensure info is accurate when transferred
• Validation, dispute and verification
• Ensure consumer has clear understanding of rights
• Communications
• Technology update needed (telephone, mail, telegraph)
• Cell phone, email, text, social media
ANPR Areas of Interest
• Unfair, Deceptive and Abusive Acts or Practices
• First party/creditor liability for debt collection
• CFPB Bulletin 2013-07
• Prohibition of UDAAP in consumer debt collection
• Originating creditors included
• Enforcement Action against ITT Educational Services,
Inc. and Corinthian Colleges allege UDAAP violations,
including abusive collection practices
ANPR Areas of Interest
• Time-barred debt
• Amicus briefs in Buchanan v Northland Group, Inc. and
Delgado v Capital Management Services
• “A debt collector’s communication need not contain overtly
false statements to be misleading or deceptive; omissions may
also deceive”
• Communication contained no threat of litigation, but CFPB/FTC
argued that actual or threatened litigation is not necessary
• Offer of settlement can be misleading because it implies legal
enforceability
ANPR Areas of Interest
• Litigation practices
• Venue and pleading requirements/documentation
• State and local debt collection exemptions
• Recordkeeping, monitoring and compliance
• Federal registration
Private Loan
Potpourri & Ask
the Lawyers
Dino Tsibouris
Tsibouris & Associates, LLC
dino@tsibouris.com
Higher Ed Privacy
• Federal Trade Commission enforces GLBA
• Stated that a college or university that fits
within the definition of a “financial
institution” is compliant with GLBA’s
Privacy Rule if it complies with the
Federal Educational Rights and Privacy
Act (FERPA) (20 USC 1232g/ 34 CFR Part
99)
• 16 CFR 313.1
Higher Ed Privacy
• FERPA (20 USC 1232g/ 34 CFR Part 99)
requires you to protect “personally
identifiable information”
• Broader than “nonpublic personal
information” as defined in GLBA
• Includes records maintained by your
agents and contractors
Higher Ed Privacy
• “Personally identifiable information”
includes, but is not limited to:
•
•
•
•
Names of student, parents, family members
Their addresses
Personal identifiers
Other direct identifiers (D.O.B., birthplace, mother’s maiden
name)
• Linkable information (alone or in combination with other
information that could identify the student)
Higher Ed Privacy
• “Parent” means the student’s parent but
includes:
• A natural parent
• Guardian
• Individual acting as a parent in the
absence of a parent or guardian
Higher Ed Privacy
• Annual notice of rights to parents of
students or eligible students in
attendance
• Notification of policy using means
reasonably likely to inform
Higher Ed INFOSecurity
• FTC Safeguards Rule to protect nonpublic
personal information does not exempt
institutions of higher education
• You must comply
• FTC – Very limited enforcement power
over nonprofits (subject to exceptions on
a case by case basis)
• State AG
Higher Ed Security
• Risk assessments
• Comprehensive program to address risks
• Policies
• Training
• Adequate resources
• Event response
• Updating
Higher Ed Pressure Points
• If you aren’t compliant with FERPA, did
you just violate GLBA also?
• Are the school’s joint ventures or spinoffs
no longer nonprofit or independent of the
school?
• Do you update your comprehensive
programs?
• What about your credit union?
Higher Ed Pressure Points
• EPIC – ED does not adequately investigate
FERPA complaints
• California Student Online Personal
Information Protection Act (No K-12
student profiling allowed, EPIC Student
Privacy Bill of Rights)
• Debt collector practices/Quality control
reports (EPIC settlement, 2013)
Higher Ed Pressure Points
• Markey/Hatch proposed “Protecting
Student Privacy Act”
• Safeguards for private companies holding
student data
• Prohibits using data for marketing
• Parents can access/correct data at the
company
• Transparency/limitations
Credit reporting
Update
Kelly Lipinski
McGlinchey Stafford
Credit Reporting &
disputes
• Fair Credit Reporting Act
• Credit reporting agencies must notify furnisher if a
consumer disputes information provided by the
furnisher.
• Furnisher must investigate the dispute using “all relevant
information”:
• Information on hand.
• Information provided by the CRA.
• Information provided by the consumer.
Credit Reporting &
disputes
• CFPB Expectations for FCRA Compliance:
• System that can receive information from CRAs;
• Investigate “all relevant information”;
• Report the results of the investigation.
• If dispute is valid, furnisher must provide corrected
information to every nationwide CRA to which it
reported.
• Not only the CRA that initiated the investigation.
• If FCRA process isn’t written down, it doesn’t exist.
Credit Reporting &
disputes
• Vendor management issue:
• Verification versus dispute.
• Understand what matters are handled as “verification”
requests instead of “disputes”.
• Uniform policy of deleting trade line upon receipt
of a dispute is insufficient and does not comply
with FCRA.
• Investigation may reveal systemic problems.
Private Loan
Potpourri & Ask
the Lawyers
Dino Tsibouris
Tsibouris & Associates, LLC
dino@tsibouris.com
Student LINES of credit
• Use of open end credit for private student loans is
increasing
• A line of credit is established based on credit
criteria
• Borrow up to the credit limit
• Draw period
• Repayment period
• Popular with credit unions and startups
Student LINES of credit
• Truth-in-Lending open end disclosures apply
• Private student loan disclosures under TILA §140 do
not apply to open-end credit
Student LINES of credit
12 CFR 1026.2(a)(2) - Open-end credit means consumer
credit extended by a creditor under a plan in which:
• The creditor reasonably contemplates repeated
transactions;
• The creditor may impose a finance charge from time to
time on an outstanding unpaid balance; and
• The amount of credit that may be extended to the
consumer during the term of the plan (up to any limit
set by the creditor) is generally made available to the
extent that any outstanding balance is repaid.
Student LINES of credit
• Truth in Lending Act - 1980 amendments first
required that the creditor have reasonably
contemplated repeat sales
• Senate report discusses “spurious open end credit,”
which occurs when “a merchant styles what is likely
to be a one-time credit extension in the form of a
purchase on an open end (revolving charge) plan”
Student LINES of credit
Staff Commentary - 2(a)(20) Open-end credit.
3. Repeated transactions. Under this criterion, the creditor
must reasonably contemplate repeated transactions. This
means that the credit plan must be usable from time to
time and the creditor must legitimately expect that there
will be repeat business rather than a one-time credit
extension. The creditor must expect repeated dealings
with consumers under the credit plan as a whole and need
not believe a consume r will reuse a particular feature of
the plan.
Student LINES of credit
Staff Commentary - 2(a)(20) Open-end credit.
…The determination of whether a creditor can reasonably
contemplate repeated transactions requires an objective
analysis. Information that much of the creditor's customer
base with accounts under the plan make repeated
transactions over some period of time is relevant to the
determination, particularly when the plan is opened
primarily for the financing of infrequently purchased
products or services.
Student LINES of credit
• The Benions argue that “likely” means more than
50 percent probable, that a probability of more
than 50 percent is equivalent to a frequency of
more than 50 percent, and hence that the issuer of
a private label credit card violates the Act unless
more than 50 percent of the purchases made with
the card are repeat purchases-and anyway that bigticket items are not eligible for credit card credit.
• Benion v. Bank One, 1998 (7th Cir.)(Claim rejected)
Student LINES of credit
• Line may be underwritten at opening
• May evaluate creditworthiness of borrowers
periodically or on ad hoc basis (soft pulls)
• Must not perform underwriting because a person
requested an advance
• Must have policies, procedures, and training
• Risk: converting the advance to a closed-end loan
subject to closed-end disclosure requirements
Download