Compliance Newshub
State News

This topic consolidates legislative summaries of new and revised state laws pertaining to licensing, originating, and servicing mortgage loans. 


August 17, 2018

Maryland Adopts Provisions Relating to Notary Public Fees

Bankers Advisory--Adam Faria

Maryland has amended its regulations relating to fees a notary public may charge for travel to perform notarial acts under COMAR 1.02.08.03(D). Previously, notaries public could charge a fee of 31 cents for mileage reimbursement if they were required to travel to perform their notary duty. The new amendment allows a notary public to charge a rate indexed to the prevailing rate for mileage as established by the Internal Revenue Service for business travel. This fee is allowed only if the notary is required to travel to perform the notarial act. The new fees take effect August 13, 2018.

The current federal standard for mileage reimbursement may be found at: https://www.irs.gov/pub/irs-drop/n-18-03.pdf

The full text of the regulation may be found at: http://www.dsd.state.md.us/comar/comarhtml/01/01.02.08.03.htm


August 17, 2018

Illinois Amends Provisions Regarding Licensing Requirements under RMLA

Illinois House Bill 4404 amends the Residential Mortgage License Act of 1987. Provides that "soliciting, processing, placing, or negotiating a residential mortgage loan" excludes independent loan processing as permitted by the federal Secure and Fair Enforcement for Mortgage Licensing Act of 2008.

These provisions are effective immediately, August 14, 2018.


August 14, 2018

Illinois Modifies Provisions Regarding Mortgage Loan Advertisements

Illinois Senate Bill 2615 amends the Residential Mortgage License Act of 1987. 

  • Provides that mortgage loan advertisements must reference the Nationwide Multistate Licensing System and Registry's Consumer Access website, except where exempted by the Secretary of Financial and Professional Regulation. 
  • Provides that a licensee shall not advertise its services in Illinois in any media, whether print or electronic, without including its unique identifier. 
  • Replaces "Commissioner" with "Secretary" in order to update references to the Secretary of Financial and Professional Regulation. 
  • Makes other changes. 

Effective immediately (August 10, 2018).


August 12, 2018

Ohio Provides Breach Litigation Safe Harbor to Businesses

ZwillGen blog--Jason Wool

Ohio has become the first state to enact legislation providing liability protection for businesses that implement a written cybersecurity program that “reasonably conforms” to certain cybersecurity frameworks or laws to protect personal information. This approach is in stark contrast to that taken by California in its recently-passed Consumer Privacy Act, which established a private right of action against organizations that fail to maintain such reasonable security measures.

The Ohio law makes available protections to businesses that access, maintain, communicate, or process “personal information” or “restricted information” via systems, networks, or services located in or outside of the state. Personal information has the same definition as in the state’s breach notification law. Restricted information means any other information about an individual that, alone or in combination with other information, can be used to distinguish or trace an individual or that is linked or linkable to an individual, the breach of which is likely to result in a material risk of identity theft or fraud to person or property.

The liability protection provided by the law is an affirmative defense to any tort complaint brought under the laws of Ohio or in an Ohio court, which alleges that the failure to implement reasonable information security controls resulted in a data breach. To qualify for the affirmative defense, the business must have implemented a written cybersecurity program containing administrative, technical, and physical safeguards for the protection of personal information and/or restricted information that:

  1. Reasonably conforms to one of a designated set of cybersecurity standards or laws; and
  2. Is designed to protect the security and confidentiality of the information, protect against anticipated threats or hazards to security or integrity, and protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud; and
  3. Is appropriate in scope and scale in light of the size and complexity of the business, the nature and scope of the business’ activities, the sensitivity of the information, the cost and availability of tools to improve security and reduce vulnerabilities, and the resources available to the covered entity.

The standards with which a business’s security program may conform include the NIST Cybersecurity Framework; NIST’s SP 800-171, SP 800-53 and 800-53a; FedRAMP; the CIS Controls; and the ISO 27000 family. The affirmative defense is also available where a business’s cybersecurity program conforms to the PCI Data Security Standard (PCI DSS) and one of the other standards. Finally, a business that is regulated or that is subject to certain security regulations can also take advantage of the affirmative defense if its cybersecurity program reasonably conforms to one of several data security laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act of 2014, and the Health Information Technology for Economic and Clinical Health (HITECH) Act (45 CFR part 162).

The list of frameworks and laws/regulations raises several questions. For instance, the standards listed vary in terms of complexity and the burden of implementation, raising the question of why a business would choose to implement a more complex standard (e.g., NIST SP 800-53) over a less stringent one (e.g., NIST SP 800-171, which is ostensibly a slimmer version of SP 800-53). In addition, the law would provide an affirmative defense to businesses that implement a cybersecurity program that reasonably conforms to some laws/regulations that don’t always address specific cybersecurity requirements, such as GLBA and the portion of the CFR cited in relation to HITECH. Finally, it is unclear from the law why an entity would choose to implement the PCI DSS in addition to another framework if it has the option of implementing a single security standard to gain the affirmative defense provided by the statute.

Moreover, proving that a business qualifies for the safe harbor is likely to be challenging. For example, some of the standards (e.g., NIST) do not have a standard certification process, so it may be difficult to demonstrate reasonable conformity with such standards. It is likely to be similarly challenging to demonstrate conformity with the specified data security laws, given the flexible nature of their requirements (e.g., the HIPAA Security Rule includes some requirements that are “addressable” but not necessarily “required”).

Nevertheless, in light of the increasing data security risks for many organizations, the Ohio Data Protection Act may grant some relief. And for observers concerned that a law such as Ohio’s could have the unintended effect of creating a cybersecurity standard of care or otherwise creating a roadmap to plaintiffs, the bill also provides that it “shall not be construed to provide a private right of action” and that it “is intended to be an incentive” and does not “create a minimum cybersecurity standard that must be achieved[.]”


August 09, 2018

Maryland Court Ruling Boosts Servicing Licensing Interpretation

MBA Newslink--Mike Sorohan

The highest court in Maryland gave the mortgage industry a victory last week, supporting arguments in a Mortgage Bankers Association-led amicus brief that Maryland law does not require securitization trusts organized under the laws of other states to be licensed in the state as collection agencies.

On Aug. 2, the Maryland Court of Appeals ruled that the Maryland Collection Agency Licensing Act, known as MCALA, does not require a "foreign" (non-Maryland based) statutory trust acting as a securitization vehicle to obtain a license as a debt collection agency. The ruling overturned lower court decisions that found that such trusts were subject to MCALA's licensing requirements.

The court issued the ruling based on several consolidated cases: Blackstone v. Sharma; Shanahan v. Marvastian; O'Sullivan v. Altenburg; and Goldberg v. Neviaser. In each of these cases, the plaintiffs argued that "foreign" (i.e., non-Maryland) statutory trusts could not act through licensed mortgage servicers in collecting mortgage debts because they were not licensed in Maryland (and subject to MCALA).

Lower court rulings had supported a narrower interpretation of MCALA, requiring mortgage securitization trusts to be licensed as debt collectors in Maryland. Those rulings sent shockwaves through the secondary mortgage market, putting hundreds and possibly thousands of foreclosure cases on hold.

In November 2017, MBA; the Maryland Mortgage Bankers and Brokers Association; the Maryland Land Title Association; the Maryland Bankers Association; and Maryland Realtors, working with law firm Buckley Sandler LLP, filed an amicus brief with the Court of Appeals, arguing that requiring the licensing of securitization trusts organized under the laws of other states would have "serious and lasting adverse consequences" for the mortgage industry.

"Requiring a license for such entities, which are inactive investment vehicles that do not interact directly with borrowers or initiate foreclosures, will not enhance consumer protection or otherwise further the objectives of MCALA," the brief noted. "Instead, the expected consequences of the lower courts' application of MCALA will be overwhelmingly negative: it will potentially cloud title for many Maryland homeowners and reduce the liquidity of Maryland's mortgage market, thereby increasing the cost of mortgages to Maryland borrowers."

Last week, the Maryland Court of Appeals agreed. In its 64-page ruling the majority held that "the legislative intent and history of [MCALA] did not intend to force registration on foreign statutory trusts."

Justin Wiseman, MBA Associate Vice President and Managing Regulatory Counsel, said the ruling is a "positive outcome" for the real estate finance industry in Maryland.

"It's heartening to see the Maryland Court of Appeals recognize the consumer protections in MCALA are not applicable to passive statutory trusts that have no consumer interactions," Wiseman said. "It's a very favorable court ruling as the alternative would have been incredibly disruptive. A different decision might have impaired or invalidated foreclosures because of the licensing question and added significant costs as the secondary market scrambled to figure out how to apply the decision."


August 07, 2018

Illinois Amends Provisions Regarding Notice of Sale

Illinois House Bill 5176 amends the Property Tax Code and the Code of Civil Procedure. 

  • Provides that a purchaser of a property shall publish a notice in a newspaper published in that municipality or, if the property is not in a municipality or no newspaper is published in the municipality, then the purchaser shall publish a notice in a newspaper in the county (regardless of the property being located in a municipality in a county with less than 3,000,000 inhabitants). 

Effective immediately (August 3, 2018).


August 07, 2018

North Dakota Seeks Waiver of Appraisal Requirements

Mortgage Daily--Mortgage Daily staff

A severe shortage of real estate appraisers has North Dakota officials making a request to waive appraisal reports, at least temporarily, on some residential loans. Banking regulators see the move as necessary. In some parts of the state, appraisals are reportedly taking up to three months. As a result, some of the transactions have fallen through -- hurting timely credit availability for prospective borrowers and slowing economic development. A joint request was made by North Dakota Gov. Doug Burgum, Department of Financial Institutions Commissioner Lise Kruse and the North Dakota Bankers Association to the Federal Financial Institutions Examination Council's Appraisal Subcommittee. A temporary waiver of appraisal requirements that are currently required by North Dakota law is being sought by the state for federally related real estate mortgage loans issued by banks or credit unions. North Dakota law requires independent evaluations regardless of the transaction amount. Federal requirements allow appraisals to be waived on single-family loans up to $250,000. The state is asking for a temporary waiver on residential loans up to $500,000. John Ryna, president and chief executive officer of the CSBS, noted in a written statement, "The challenges experienced by lenders obtaining timely appraisals is impacting local communities and economic development nationwide. The fact that North Dakota's governor, top financial regulator and banking community are raising it to the federal level sends an extremely important message that there is a problem in the marketplace."

August 07, 2018

Arizona’s regulatory sandbox is open for play

Ballard Spahr LLP--Kay Fitz-Patrick

On August 3, 2018, Arizona began accepting applications for its regulatory sandbox that “enables a participant to obtain limited access to Arizona’s market to test innovative financial products or services without first obtaining full state licensure or other authorization that otherwise may be required.” In March 2018, Arizona’s Governor signed into law legislation directing the state’s Attorney General to create the sandbox. The Attorney General is also responsible for the application process and oversight of the sandbox.

To be considered for admission, applicants must complete the nine-page application and pay a $500 application fee.  Each application must be for an innovative financial product or service as defined by the enabling legislation.  For example, products or services regarding most types of credit extending services, such as peer-to-peer lending and online marketplace lending, and innovative products and services for money transmission and investment management would be eligible.  However, “securities trading, insurance products, or services that provide solely deposit-taking functions” are not eligible products.

Applicants must provide details regarding the innovative financial product or service, the testing plan, a “Consumer Protection Plan,” and exit plan.  For the Consumer Protection Plan, applicants must identify the targeted consumers; how the applicants plan to market to those consumers and disclose their participation in the sandbox; the key risks to consumers; the plan to address the risks; and how the applicants will monitor and assess the testing of the product or service to protect consumers in the event the test fails.

The Attorney General has indicated that he will take a holistic approach to determine the applicant’s ability to conduct a test that does not place undue risk on consumers.  The Attorney General may consider factors such as “capitalization; insurance or bonds and their terms; compliance or legal support; accounting practices; cash on hand; and the number and expertise of active advisors and key personnel.”  A weakness in any one area will not necessarily prevent an applicant’s admission into the sandbox.  Applicants will be notified of a decision within 90 days of submitting the application and payment.

The CFPB recently named the sandbox’s architect and former head of fintech initiatives at the Arizona Attorney General’s office, Paul Watkins, as Director of the Bureau’s Office of Innovation.  See our blog about Mr. Watkins.  In June 2018, Ballard Spahr attorneys held a webinar, “The Regulatory Sandbox – What it Means for Fintech Companies,” in which the topics included a discussion of the concept of a regulatory sandbox, the benefits and risks associated with using one, and what a possible sandbox created by the CFPB might look like.  Mr. Watkins was one of the webinar speakers and discussed the Arizona initiative.  We have also previously blogged about Arizona’s regulatory sandbox.


August 02, 2018

Washington Modifies Provisions Relating to Mortgage Servicing under its Consumer Loan Act

Bankers Advisory--Adam Faria

The Washington Department of Financial Institutions has adopted new provisions under its Consumer Loan Act. In addition to technical and readability changes, the new provisions help to clarify the roles of parties investing in, owning, and servicing residential mortgage loans. Additionally, the new provisions clarify what residential mortgage loan servicing activities can be conducted outside of the United States.

Under its rule making order the following definitions have been modified for clarity:

“Individual servicing a residential mortgage loan” means a person who on behalf of a lender or servicer licensed or exempt from licensing in this state: Collects or attempts to collect payments on existing obligations due and owing to the licensed or exempt lender or servicer, including payments of principal, interest, escrow amounts, and other amounts due; works with borrowers to collect data and make decisions necessary to modify either temporarily or permanently terms of the obligations; or otherwise finalizes collection through the foreclosure process. For the purpose of this definition “on behalf of a lender or servicer” means that the individual person is employed by the lender or servicer and does not receive any compensation or gain directly or indirectly from borrowers for performing the described activities. (WAC 208-620-11(2))

“Servicer.” Persons directly engaged in servicing. (WAC 208-620-11(5)(b)(i))

“Master servicer.” Persons responsible for ongoing servicing administration either by directly servicing or through servicing agreements with licensed or exempt subservicers. Except that the director may issue a license waiver to a master servicer servicing or administrating the servicing of fewer than twenty-five loans. (WAC 208-620-11(5)(b)(ii))

“Subservicer.” Persons directly servicing pursuant to a servicing agreement with a master servicer. (WAC 208-620-11(5)(b)(iii))

WAC 208-620-530 adds a provision relating to the maintenance of records electronically. Under the new provisions, a cloud service may be used for records maintenance; however, the servers used to store the records must be located in the United States or its territories.

WAC 208-620-553 prohibits certain loan servicing activities outside of the United States including: receiving payments and maintaining of payment records, collection activities, and communications with consumers. Activities that may be conducted outside of the United States include: data entry, document review, recommendation for action, records searches, and analysis of credit disputes and escrow accounts.

These provisions take effect September 1, 2018 and may be found in their entirety at: https://dfi.wa.gov/sites/default/files/cla-adopted-rules.pdf


July 30, 2018

Rhode Island Mortgage Foreclosure Disclosure Form

Rhode Island Banking Bulletin 2018-2 provides a Mortgage Foreclosure Disclosure Form Pursuant to R.I. Gen. Law 34-27-3.1.  The Disclosure form provided in both English and Spanish versions must be provided to an individual consumer mortgagee by a mortgagor in order to comply with R.I. Gen Law 34-27-3.1. 

FORM 34-27-3.1 NOTICE OF DEFAULT AND MORTGAGEE’S RIGHT TO FORECLOSE AND NOTICE OF AVAILABILITY OF MORTGAGE COUNSELING SERVICES


July 26, 2018

Washington DFI Notice Regarding Temporary Waiver of Certain Fees under the Consumer Loan Act (CLA)

State of Washington
DEPARTMENT OF FINANCIAL INSTITUTIONS
DIVISION OF CONSUMER SERVICES
P.O. Box 41200 • Olympia, Washington 98504-1200
Telephone (360) 902-8703 • TDD (360) 664-8126 • FAX (360) 664-2258  •  http://www.dfi.wa.gov


July 25, 2018

TO: Licensees under the Consumer Loan Act 

RE: Temporary Waiver of Certain Fees 

Dear Licensee:

As you may know, the Department of Financial Institutions is self-supported. Fees paid by the financial service providers we regulate fund the agency's activities. The agency does not receive any funding from the state General Fund or other tax revenue source. We carefully manage fees paid by you, our licensees under the Consumer Loan Act, chapter 31.04 RCW.

I am pleased to inform you that after careful analysis of our budget, we will be waiving portions of some fees and waiving other fees in their entirety. The Department has authority to waive fees under WAC 208-620-650. The fee waivers will be in the following areas:

  • Examination Hourly Fees: Hourly fees charged on consumer loan company examinations are temporarily waived for the period July 1, 2018, through December 31, 2019. Please note that we will still require the payment of travel expenses in connection with examinations.
  • Annual Assessments on Residential Mortgage Loans: The assessment on the following categories of loans will be temporarily waived for the calendar year 2018: a) residential mortgage loans in portfolio on December 31, 2017; b) residential mortgage loans brokered in 2018; and c) residential mortgage loans purchased in 2018. Residential mortgage loans made during the 2018 calendar year will continue to be assessed. As a reminder, the assessment for calendar year 2018 is due on March 1, 2019.
  • Mortgage Loan Originator Renewal Fees: Mortgage Loan Originator Renewal Fees for the 2019 calendar year will be reduced from $155 to $75. This is a temporary waiving of $80 per MLO renewal for the calendar year 2019. As a reminder, our renewal process for calendar year 2019 opens November 1, 2018.

Again, these fee waivers are temporary, but we will continue to evaluate the possibility of additional fee waivers going forward.

Sincerely,

Charles Clark,

Agency Deputy Director

Director of Consumer Services


July 20, 2018

Using the GDPR to Comply with the California Consumer Privacy Act

Ballard Spahr, LLP--Cyber Advisor Blog--Philip N. Yannella

Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history behind the eleventh-hour passage of the California Consumer Privacy Act (CCPA), so we won’t rehash that story here.  Instead, the focus of this post will be on the overlap between the CCPA and the GDPR. 

It’s not quite right to call the CCPA a “mini-GDPR,” as some news reports have dubbed the Act. The GDPR contains 99 Articles, 173 recitals and is over 100 pages long whereas the CCPA is 16 pages long (on my printer).  Substantively the GDPR contains many provisions that are absent from the CCPA, including: requirements for lawful processing; data and storage limitations; provisions for the appointment of data protection officers, local representatives, and performing a  data protection impact analysis; specific requirements for data processors (service providers under the CCPA), business process mapping and documentation generally, and a draconian civil penalty structure.

That being said, there is some overlap between the two privacy laws, particularly regarding disclosure requirements and subject access rights. Understanding these areas of overlap is important for US companies wondering what they should be doing over the next year and five months to prepare for the launch of the CCPA in January 2020. Leveraging a company’s compliance process may be Step 1.

We begin the analysis by noting overlap between the definition of key terms under the GDPR and CCPA. As you see below, both laws broadly define key concepts in very similar ways.

Term: Personal Information
  CCPA: Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  GDPR: Very similar to GDPR. CCPA expands definition to include “households” which are not specifically called out by GDPR. Both CCPA and GDPR cover unique identifiers such as IP address and mobile device identifiers.

Term: Processing
  CCPA: Any operation or set of operations that are performed on personal data or on sets of personal data.
  GDPR: Similarly broad under GDPR.

Term: De-identified
  CCPA: Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked directly or indirectly to a particular consumer provided that a business that used de-identified information has implemented technical safeguards to prohibit re-identification, and implements processes to prevent inadvertent release of de-identified information.
  GDPR: Similar to concept of “anonymization” under GDPR. One difference is that CCPA uses “reasonably” as a qualifier, where no such limitation exists in WP29 Guidelines.

Term: Consumer
  CCPA: A natural person who is a California resident.
  GDPR: GDPR speaks in terms of “data subjects”, who are identifiable individuals.

Term: Business
  CCPA: Only applies to for-profit entities; doing business in California; that satisfy one of three (3) requirements:
    • Annual gross revenues in excess of $25 mm;
    • Buys, receives, sells or shares for commercial purposes PI of 50,000 or more consumers, households, or devices; or
    • Derives 50% or more of its annual revenues from sale of personal information.
  GDPR: Applies to for profit and non-profit enterprises. Some relaxation of obligations where an enterprise has less than 300 employees in the EU.

There are some important differences between the laws though. For one, the CCPA has an express carve-out for “public information” that doesn’t appear in the GDPR, though the exception is applicable only if using the public information for the same purpose for which it was collected.  And while both laws provide exceptions for aggregate or deidentified data, the definition of deidentification under the CCPA contains the word “reasonably”, making it arguably broader than the GDPR, which treats any data that could be re-identified – no matter how remote the risk  – as personal information.

Still, one can reasonably assume that the same processing of the same personal information will likely trigger compliance obligations under both laws. So where do those obligations overlap? Primarily in two areas: disclosure and subject access rights.

With regard to the former, both laws follow the principle that consumers/data subjects have a right to know what personal data a business is processing about them at or before the time the data is collected. The CCPA has a specific requirement for website disclosures that address processing of personal information.  Both laws also require specific disclosures concerning the sale or sharing of personal information with third parties.   The chart below provides a side by side comparison of these obligations.

CCPA:
  Businesses must disclose categories of PI collected and the purposes for which the PI shall be used at or before the point of collection. (1798.100(b))

  Online privacy policy or website must advise consumers of subject access rights and identify for prior 12 months:
    • The categories of PI collected about the consumer;
    • The categories of sources of such PI;
    • Purpose for collection or sale of PI;
    • Categories of third parties that the business shares PI with (1798.110(c) and 1798.130(5))

GDPR:
  Similar disclosure obligations under Articles 13 and 14, except that a lawful basis, cross-border transfer, and retention period does not have to be identified under CCPA.

  California limits disclosure requirements to preceding 12 month period (1798.130(a)(2)), whereas GDPR has no time limits.

The next area of overlap is subject access rights. Notably the CCPA, like the GDPR, provides a right of access and right of erasure to consumers.  The CCPA however does not provide a right of rectification or broad right of objection as the GDPR does.

On the flip side, the CCPA provides consumers with an explicit opt-out right for the sale of personal information. Under the GDPR, data subjects can opt out of data selling if a business relied on consent as a lawful basis (as they likely would need to do) and could object to the practice, under certain circumstances, but don’t have an explicit right to opt out of the selling of their personal information.

Right: Right of Access/Portability
  CCPA: Consumers have a right to request that businesses disclose, in portable electronic format, for prior 12 month period:
    • The categories of PI collected about the consumer;
    • The categories of sources of such PI;
    • Purpose for collection or sale of PI;
    • Categories of third parties that the business shares PI with;
    • and specific pieces of PI the business has collected.
  GDPR: Similar obligations under Article 15 and 20 except that: California requires response within 45 days, whereas GDPR requires response without undue delay. California only requires disclosure covering prior 12 month period.

Right: Right of Erasure
  CCPA: Consumers have a right to request a business delete PI collected about them. Exceptions exist for, among others:
    • Fulfillment of a contract with the consumer;
    • Data security;
    • Repair errors;
    • Scientific and statistical research in public interest;
    • Solely internal uses reasonably aligned with expectation of consumers;
    • Compliance with legal obligations;
    • Otherwise use consumers’ PI internally in a lawful manner. (1798.105).
  GDPR: Similar obligations and exceptions under Article 16 except that: California (seemingly) requires response within 45 days (1798(a)(2)), whereas GDPR requires response without undue delay.

Right: Sale or Sharing of Consumer PI
  CCPA: Consumers have the right to request that a business that sells or discloses PI for a business reason disclose to the consumer for the prior 12 month period:
    • Categories of PI that the business collected about the consumer;
    • Categories of PI about consumer sold or shared for a business reason;
    • Categories of third parties to whom the business sold or shared PI about the consumer for a business reason. (1798.115 and 1798.130(4) and 130(5)(C)).
  GDPR: Similar obligation under Article 15(c), which provides a right of access to categories of PI that will be shared with third parties, except that: California requires response within 45 days (1798.130(a)(2)), whereas GDPR requires response without undue delay. California only requires disclosure covering prior 12 month period (1798.130(4) and (5)(C)).

Right: Opt Out Rights
  CCPA: Consumers have the right to opt out from the sale of PI. (1798.120). Businesses must disclose opt-out rights in online privacy policy, and provide mechanism to opt out on homepage and via online privacy policy (1798.135(a)).
  GDPR: Under GDPR, sale of PI likely requires consent (opt in) which data subjects can revoke at any time (Art. 6). Data subjects can also object to processing based on legitimate interests, direct marketing, and automated decision making (all of which are subject to some exceptions) (Art. 21-22).

The CCPA is likely to be amended, at a minimum, to address the drafting errors. There are numerous provisions in the Act that are superfluous, appear to be missing words, or contradict other provisions, creating inconsistent and unclear obligations for businesses.

Assuming there are no significant amendments to the CCPA’s substantive requirements, however, companies that do business in California will need to consider how to address the Act’s disclosure requirements and accommodate subject access rights. One obvious approach is for such businesses to leverage any GDPR compliance work they have done to date. Revising online privacy policies, data mapping, developing a process for addressing subject access requests, and revising agreements with service providers are all projects typically needed to reach GDPR compliance. Businesses covered by the CCPA as well as the GDPR may be able to utilize work done for the latter to reach compliance with the former. Compliance with the GDPR, however, does not ensure compliance with the CCPA.


July 19, 2018

Confirmation of Sale Scrutiny in Kansas

DSNews--Blair T. Gisi

Within the last several months, the Kansas Court of Appeals has taken a closer look at the procedure for confirming Sheriff’s Sales in Kansas. K.S.A. §60-2415(a) states, “If the court finds the [sale] regular and in conformity with law and equity, it shall confirm the same.” That statute goes on to set out that, under the courts’ equitable powers, the only basis a court may use to deny a confirmation of sale is finding a bid “substantially inadequate.” While that term is not specifically defined in, we know that a sale for the total debt owed (i.e., “judgment, taxes, interest, and costs”) “shall be deemed adequate.” K.S.A. §60-2415(b).

In two recent situations, the Court of Appeals reviewed what appears to be a common practice in many jurisdictions where the Motion and Order for Confirmation of Sheriff’s Sale are submitted, and sometimes even entered, simultaneously.  

The defendant-borrower in JPMorgan Chase Bank, Nat'l Ass'n v. Taylor, 417 P.3d 272 (Kan. Ct. App. 2018) objected to the district court confirming the sheriff’s sale the same day the Motion to Confirm Sheriff’s Sale was filed without notifying her of the Order to Confirm Sheriff’s Sale ever having been filed.  

Following judgment, Chase purchased the property at the sale for the full judgment amount and, shortly thereafter, filed its confirmation pleadings. The defendant-borrower was sent a copy of the Motion to Confirm Sheriff’s Sale and eleven days later, she objected to the same, alleging that by not bidding the fair market value of the property, Chase was “cheating her out of equity.”

Despite the objection, however, the district court in Taylor entered the order confirming the sheriff’s sale the same day the motion was filed and when the defendant-borrower learned of this, she appealed claiming a violation of her due process rights for failure of the district court to hear and consider her objection.  

The Court of Appeals, relying upon Kan. Sup. Ct. Rule 133, found that because the objection to the Motion for Confirmation of Sheriff’s Sale was filed eleven days after the motion, it was untimely and even though the Order confirming sale was entered prematurely, there was no error by the district court in failing to consider an untimely objection. 

Of particular note in this matter is that despite the full-debt bid and the statute dictating that the sale shall be deemed adequate, the Court of Appeals seems to go out of its way to discourage this type of practice, stating that “any procedure adopted by a district court that allows for automatic approval of a sheriff’s sale without at least waiting to see if someone files an objection is subject to a later ruling that it is void as a violation of due process.” Taylor at 8-9.

Reverse Mortg. Sols., Inc. v. Goldwyn, 2018 Kan. App. LEXIS 36 (Ct. App. July 6, 2018), decided just earlier this month, considered a number of interesting elements related to a Sheriff’s Sale, including the procedure for confirming the sale. This case involved a foreclosure of a reverse mortgage and a subsequent in rem judgment against the borrower’s heir, which then resulted in Reverse Mortgage Solutions purchasing the property at sheriff’s sale at a price less than the full debt owed.

Similarly, the district court granted the motion requesting confirmation of the sheriff’s sale the same day it was filed. And, similarly, after an appeal claiming the order confirming sheriff’s sale was entered prematurely, the Court in Goldwyn, as in Taylor, agreed that the district court should have allowed time for any opposing parties to respond to the motion.

However, the thrust of the defendant-borrower’s argument was that because the sale was not for the fair market value of the property, the sale should be deemed substantially inadequate. The Court correctly noted that even if that argument were true, the failure to bid fair market value does not necessarily mean the sale is substantially inadequate. The reliance on this argument allowed the Court to find that the premature entry of the order was harmless error and the confirmation of sale was upheld.  

While neither of these cases ultimately resulted in unconfirmed sales, district courts in Kansas appear to be taking note of the scrutiny the Court of Appeals has been giving the confirmation of sheriff’s sale and at least one district has recently begun requiring hearings on all Motions to Confirm Sheriff’s Sale regardless of whether the sale was for the total debt or there is no deficiency judgment.  


July 13, 2018

Georgia Department of Banking and Finance Adopts 2018 Final Rulemaking

Bankers Advisory--Adam Faria

The Georgia Department of Banking and Finance has adopted new provisions pertaining to mortgage lenders, brokers, and servicers, including updates to its mortgage servicing standards and new provisions for mortgage lenders, brokers and servicers that meet the definition of “loan or finance company” under the Bank Secrecy Act.

Chapter 80-11-1-.06 requires that any person subject to the licensing requirements of the Georgia Residential Mortgage Act that meets the definition of a “loan or finance company” under the Currency and Foreign Transaction Reporting Act of 1970 must develop a written anti-money laundering program and comply with all filing, record keeping, currency transaction, and suspicious activity reporting as required by the Bank Secrecy Act.

Chapter 80-11-6 updates mortgage servicer standards relating to loss mitigation activity after a foreclosure process has commenced. Under the new rules, a mortgage servicer shall not conduct a foreclosure sale before evaluating a borrower’s complete loss mitigation application if the application is received after a foreclosure process has been started and more than 37 days prior to the foreclosure sale. Additionally, if a servicer is not required to evaluate the loss mitigation application, then the servicer must notify the borrower that the application was not timely received. The updated rule also removes the requirement for a loss mitigation appeal process if the loss mitigation application was received less than 90 days prior to a foreclosure sale.

Chapter 80-11-6 also updates provisions relating to notices of service transfers. Under the new rules, the notice of service transfer requirement does not apply if, at the time of settlement, the servicer provides to the borrower written initial disclosures of the transferee that comply with the provisions of this chapter.

These provisions are effective July 17, 2018, and the full text of the update may be found at: https://dbf.georgia.gov/sites/dbf.georgia.gov/files/related_files/document/DBF-Final-Rulemaking_6-27-2018.pdf

