Financial Services Report, Winter 2012

Edited by William Stern

(Lack of) Editor's Note

The holiday season is officially upon us – extra shopping week between Thanksgiving and Christmas and all. But it's been a bah humbug holiday season for the hard-working editors of the Financial Services Report because our fearless leader is in trial. And we don't mean one of those quick two-day deals; we mean a real, honest to goodness class action trial.

So, no witty remarks tying together the re-election of President Obama, the election of Elizabeth Warren to the Senate, Hurricane Sandy, or any of the other weighty events of the past quarter. Instead, we have our usual updates on privacy and arbitration, lots of Beltway and CFPB happenings, mortgage, operations, and preemption reports as well.

Until next time, we hope you have a wonderful holiday and all the best in the New Year!

BUREAU REPORT

World's Most Expensive Blue Sky

By Rick Fischer, Jim McCabe and Obrea Poindexter

On October 1, 2012, the CFPB brought its third major enforcement action against three American Express subsidiaries ("American Express"), requiring American Express to return $85 million to customers and pay approximately $14 million to the CFPB's civil money penalty fund, with another $14 million in penalties to other regulators.

The CFPB and other regulators alleged that American Express misled certain new account holders by stating that they would receive $300 when signing up for the Blue Sky credit card and satisfying other terms of the offer. American Express was also alleged to have (1) inappropriately used age as a factor in making credit decisions for applicants over the age of 35, (2) charged certain consumers late fees and interest in violation of the Truth in Lending Act ("TILA"), (3) failed to report that information was disputed by consumers when the information was furnished to credit bureaus, and (4) engaged in deceptive debt collection practices.

In connection with the alleged deceptive debt collection practices, the CFPB required American Express to "clearly and prominently" disclose "[a]ll material conditions, benefits and restrictions concerning any offer of [debt] settlement."

Who Watches Big Brother?

By Andrew Smith

Answering the question of who watches the watchers, on October 3, 2012, the Office of Inspector General ("OIG") published an evaluation of the CFPB's Consumer Response Unit and consumer complaint database. In light of the CFPB's intent to start collecting complaints about a wider variety of financial services and products, the OIG made five recommendations aimed at improving the processing of complaints and enhancing the CFPB's effectiveness.

Separately, the OIG also published a Work Plan indicating that it will examine the CFPB for compliance with Section 1100G of the Dodd-Frank Act, which requires the CFPB to consider the impact that proposed rules will have on the cost of credit for small entities. The OIG also plans to evaluate how the CFPB coordinates with other regulatory agencies and the extent to which financial institutions have a clear understanding of the CFPB examination process.

CFPB Asks Consumers to be Furnishers

By Rick Fischer and Andrew Smith

On October 22, 2012, the CFPB expanded its consumer complaint database to include information on credit reporting larger participants, thereby adding another tool to aid the CFPB's supervision and examination efforts.

The database was designed to accept complaints relating to incorrect information in credit reports, issues with complaint investigations, improper use of credit reports, an inability to obtain a credit report, and problems consumers face with creditor monitoring and identity protection services.

The database also allows consumers to highlight issues with specific consumer reporting agencies by use of a pull-down box that lists the three nationwide consumer reporting agencies, three check services companies, and five companies that provide information to specialty finance companies. Separately, the intake form asks consumers if they "believe the issue involves discrimination," including race, gender, or age discrimination.

Debt Collectors Join Larger Participant Club

By Leonard Chanin, Andrew Smith and Jim McCabe

On October 24, 2012, the CFPB released examination procedures for larger participants in the debt collection market, which direct examiners to focus on disclosures, complaint resolution procedures and compliance with the Fair Credit Reporting Act, Gramm-Leach-Bliley Act ("GLBA"), Electronic Fund Transfer Act ("EFTA) and Equal Credit Opportunity Act ("ECOA"), in addition to the Fair Debt Collection Practices Act ("FDCPA").

Similar to its consumer reporting market larger participant rule, the CFPB asserted that it may examine any activity of a larger participant debt collector once that entity becomes subject to supervision by the CFPB. Examiners are also directed to review a debt collection firm's litigation activities, including whether litigation involves "unfair or unconscionable means," "false, deceptive or misleading representations" or "harassing, oppressive, or abusive conduct in violation of the FDCPA".

CFPB: Greatest Hits

By Jim McCabe, Obrea Poindexter and Andrew Smith

On October 31, 2012, the CFPB released a report, entitled "Supervisory Highlights: Fall 2012," which contains an overview of the CFPB's supervisory and enforcement actions through September 30, 2012. The overview focuses on high-level examples of compliance failures and violations of consumer financial laws that the CFPB detected during supervisory activities.

The report underscores the CFPB's continued focus on governance and compliance issues, noting that several institutions exhibited weak or non-existent compliance management systems, including in the fair lending and credit reporting contexts. Specifically, the institutions failed to properly communicate policies and procedures to managers and employees, failed to properly train employees to be able to detect compliance weaknesses, or failed to have compliance management systems for entire product lines.

The report illustrated the CFPB's continued focus on credit card issuers, citing multiple violations of the Credit Card Accountability Responsibility and Disclosure Act of 2009. One example included an institution that increased the credit line of a cardholder who was under 21 years of age without notifying or seeking authorization from the adult "co-applicant." Another institution failed to establish policies and procedures or perform rate reviews on acquired portfolios within six months, as required by Regulation Z.

There were also several failures by institutions to establish proper controls over third-party service providers.

Big Brother Meets Big Data

By Obrea Poindexter, Sean Ruff and Andrew Smith

On November 14, the CFPB held an event at Google headquarters in Palo Alto to announce details of Project Catalyst. The project invites companies to identify regulations that could be improved to fit emerging technologies, as well as to partner with the CFPB to share product data and operational insights. As explained by the CFPB, Project Catalyst's goals include (1) establishing firm lines of communication with innovators to better understand the current situations in the market, (2) understanding new and emerging products in the market so the CFPB can adapt regulations and (3) engaging with innovators with ideas that "beget consumer-friendly innovation" and to "better understand what works and does not work for consumers."

The CFPB also announced that it is actively reviewing data from the following three financial services startups to better understand consumer use patterns. BillGuard, a company that alerts consumers to questionable debit and credit card charges and helps them resolve billing disputes, will provide billing dispute data to the CFPB. Plastyc, an alternative to traditional banking, will share data on "the value consumers place on easily depositing and obtaining immediate access to their funds." Simple, another banking alternative, will provide data that allows the CFPB to monitor how consumers track their own spending habits and "help the Bureau understand what tools can encourage saving."

OPERATIONS REPORT

Regulatory capital issues and the corresponding requirement for stress testing comprised much of the announced work of the federal banking agencies over the fall of 2012.

Regulatory Capital Estimation Tool

By Dwight C. Smith, III and Charles Horn

On September 24, 2012, the federal banking agencies released the "Regulatory Capital Estimation Tool," a device intended to help community banking and thrift organizations make sense of the proposed capital requirements and estimate the impact of the proposed rules on their business. For more information, read our Client Alert at http://www.mofo.com/files/Uploads/Images/121001-Regulatory-Capital-Estimation-Tools.pdf.

Final Rules on Stress Testing

By Dwight C. Smith, III and Charles Horn

On October 9, 2012, the three federal banking agencies approved final regulations to implement the Dodd-Frank Act's stress testing requirements. All banks, thrifts, and bank and thrift holding companies with assets greater than $10 billion must conduct annual stress tests. Those banking organizations with more than $50 billion in assets and other financial companies that have been designated as systemically important by the Financial Stability Oversight Council must also undertake a semi-annual test and are subject to a third test to be conducted by the Federal Reserve. The annual test will take place in the fourth quarter of each calendar year. The large banks are conducting their tests now; the midsized banks were given a one-year grace period and will begin testing in 2013. For additional background, review our News Bulletins available at: http://www.mofo.com/files/Uploads/Images/121109-Stress-Testing-and-Capital-Planning.pdf, and http://www.mofo.com/files/Uploads/Images/121022-Stress-Tests-Community-Banks.pdf.

Stress Testing by Community Banks

By Dwight C. Smith, III and Charles Horn

On the heels of the final stress testing rules for large and mid-sized banks, on October 18, 2012, the Office of the Comptroller of the Currency ("OCC") published OCC Bulletin 2012-33, Community Bank Stress Testing Supervisory Guidance. The Bulletin effectively requires "every bank, regardless of size, or risk profile, to have an effective internal process to (1) assess its capital adequacy in relation to its overall risks, and (2) to plan for maintaining appropriate capital levels." The nature of the testing will vary substantially, depending on the size and diversification of a bank. For further information, read our News Bulletin at http://www.mofo.com/files/Uploads/Images/121022-Stress-Tests-Community-Banks.pdf.

Deadline Eased for New Capital Rules

By Dwight C. Smith, III, Charles Horn and Oliver Ireland

On November 9, 2012, the three federal bank regulatory agencies announced that the new capital rules that were proposed on June 7, 2012, would not take effect on January 1, 2013. This date had been set by international agreement as the effective date for new Basel-based rules in all countries. The United States will not be the only jurisdiction to miss this deadline; European Union member countries will do so as well. The agencies gave no indication of when they might complete a final rule and what the effective date would be. For further information, please read our News Bulletin at http://www.mofo.com/files/Uploads/Images/121109-New-Capital-Rules.pdf.

Stress Testing and Capital Planning: Federal Reserve Issues Guidance for 2013 Cycle

By Dwight C. Smith, III, Charles Horn and Oliver Ireland

The Federal Reserve Board has issued instructions and guidelines for two 2013 stress-testing and capital-planning programs, each of which builds on similar programs from last year. The Comprehensive Capital Analysis and Review ("CCAR") 2013 describes the testing process and resulting capital plans that are required for the 19 bank holding companies ("BHCs") that participated in the CCAR for 2011 and 2012. The Capital Plan Review ("CapPR") 2013 sets forth the testing and capital-planning requirements for the 11 BHCs with $50 billion or more in consolidated assets that undertook a similar exercise last year. The instructions and guidelines for both programs implement the capital plan rule, 12 C.F.R. § 225.8, and reflect the supervisory concerns underlying the earlier testing and planning programs. For additional background, review our News Bulletins available at: http://www.mofo.com/files/Uploads/Images/121109-Stress-Testing-and-Capital-Planning.pdf, and http://www.mofo.com/files/Uploads/Images/121022-Stress-Tests-Community-Banks.pdf.

Stress Testing Scenarios

By Dwight C. Smith, III and Charles Horn

On November 15, 2012, the Federal Reserve Board released three sets of assumptions for the three scenarios— baseline, adverse, and severely adverse— that large banks are to use in conducting stress tests during the fourth quarter of 2012. The Board also proposed a policy statement that describes how it will develop scenarios in the future. The assumptions for the baseline scenario are based on the consensus view of economic prediction firms about the course of the economy over the coming three years. The severely adverse assumptions reflect recessionary conditions, including an unemployment rate of at least 10 percent. The adverse scenario is somewhere in between.

Regulatory capital was not the sole order of business in the regulatory sphere over the fall, however. Other important developments included the following:

Orderly Liquidation—FDIC Authority to Enforce Contracts

By Dwight C. Smith, III and Charles Horn

On October 9, 2012, the FDIC approved a final rule to clarify that, in connection with a receivership under Title II of Dodd-Frank, the FDIC may enforce contracts of subsidiaries or affiliates of an institution in receivership. This authority exists even where the contract includes a clause for termination, acceleration, or other remedies in the event of the parent's insolvency, financial condition, or receivership. If the FDIC exercises this power, it must either transfer the obligations supporting the contract (as well as related assets and liabilities) to a bridge institution or third party or otherwise provide adequate protection to the counterparty.

Large Bank Assessment Pricing Final Rule

By Dwight C. Smith, III and Charles Horn

On October 9, 2012, the FDIC issued a final rule to amend the system for deposit insurance assessments for large and highly complex banks. The system, put in place in 2011, looks to a bank's higher risk assets as an indicator of a bank's overall risk to the Deposit Insurance Fund. The final rule revised the definitions of "leveraged loans" and "higher-risk consumer loans" (subprime loans), clarified when an asset must be classified as higher risk, clarified the way in which securitizations are identified as higher risk, and defined certain other terms in the large bank assessment regulation.

Core Principles for Effective Banking Supervision

By Dwight C. Smith, III, Charles Horn and Oliver Ireland

The Basel Committee on Banking Supervision published a new set of "Core Principles for Effective Banking Supervision." The formal purpose of the Core Principles is to provide a set of standards by which the International Monetary Fund and the World Bank review the effectiveness of a country's banking supervision regime as part of the agencies' Financial Sector Assessment Program.

The Committee identified four themes that have emerged from the crisis and that animate many of the Core Principles:

• Systemically important banks
• Macroprudential issues and systemic risks
• Crisis management, recovery, and resolution
• Corporate governance, disclosure, and transparency

For additional background, review our News Bulletin at: http://www.mofo.com/files/Uploads/Images/120917-Effective-Banking-Supervision.pdf.

Domestic Systemically Important Banks

By Charles Horn

On October 11, 2012, the Financial Stability Board (the "FSB") approved and the Basel Committee on Banking Supervision (the "Basel Committee") published, a new set of regulatory guidelines for domestically systemically important banks ("D-SIBs"). As the name suggests, D-SIBs are banks whose failure could cause systemic harm to national financial systems but would not do so on a global basis. The D-SIB framework follows the publication almost a year ago of a process for identifying and supervising globally systemically important banks ("G-SIBs"). The D-SIB document similarly provides for enhanced regulation of D-SIBs, although it is somewhat less stringent and prescriptive than that for G-SIBs. For example, the D-SIB framework calls for an additional loss absorbency requirement but does not offer any specifics as the G-SIB framework does. For further information, see our News Bulletin at http://www.mofo.com/files/Uploads/Images/121011-Domestic-Systemically-Important-Banks.pdf.

BELTWAY REPORT

CFTC: Segregated Means Segregated

By Daniel Nathan

The CFTC proposed new regulations and amendments to existing regulations in order to enhance protections of customer money and other assets held by futures commission merchants ("FCMs") and derivatives clearing organizations ("DCOs"), noting that the losses of "protected" customer funds at MF Global and Peregrine Financial demonstrated the need for new rules. The proposed regulations and amendments require FCMs to establish a risk management program, and allow the CFTC to order an FCM to transfer its customer business if it cannot "immediately certify," with supporting evidence, that it has sufficient access to liquidity to continue operating. The proposals require that the CFTC and SRO have read-only electronic access to accounts holding certain customer funds. The proposals prohibit an FCM from using one futures customer's funds to margin or secure the positions of another futures customer, and provide that an FCM bears sole responsibility for any losses resulting from the investment of customer funds in certain permitted financial investments; they also prohibit an FCM from withdrawing more than 25% of its residual interest in futures customer accounts unless the FCM's CEO, CFO, or other senior official pre-approves the withdrawal in writing.

Separately, the CFTC's Division of Swap Dealer and Intermediary Oversight issued guidance to FCMs clarifying that the practice of using a single combined customer omnibus account to hold both segregated and secured customer assets, regardless of the memo notation as to the allocation between segregated and secured assets, does not provide a clear delineation of the assets as required under CFTC Regulations 1.20 and 30.7. Furthermore, in the event of a bankruptcy, this practice may put customer funds at risk. Therefore, in order to ensure clear recordkeeping in accordance with CFTC Regulations 1.20 and 30.7, an FCM must maintain separate and clearly titled omnibus accounts with a carrying FCM for segregated and secured customer trading and assets.

ARBITRATION REPORT

Class Action Over Chase Bank Fees Sent to Arbitration

By Rebekah Kaufman

A New York federal judge dismissed a putative class action accusing Chase Paymentech, a subsidiary of JPMorgan Chase Bank, of breach of contract in connection with fees for online credit card processing, ruling the contract validly incorporates by reference terms and conditions that include an arbitration clause. Wendrovsky v. Chase Paymentech, 2012 U.S. Dist. LEXIS 150866 (S.D.N.Y. Oct. 15, 2012). Plaintiff entered into a Merchant Agreement with Paymentech that referenced, but did not include, the "Terms and Conditions," the latter of which contained an arbitration clause. The court rejected plaintiff's argument that a reasonable person would not have concluded that the "Terms and Conditions" referred to a separate document as opposed to the numerous terms and conditions contained within the Merchant Agreement itself: "The use of the words 'and' and 'collectively' put Plaintiff on notice that the 'Terms and Conditions for Merchant Agreement' was a separate document." Id. at *10. The plaintiff also argued that the arbitration agreement was unenforceable because it selected the National Arbitration Forum (NAF) as the arbitrator and the NAF had already signed a consent decree with the state of Minnesota in July agreeing not to process any new consumer arbitration. The court rejected the argument because the arbitration clause provided that the parties will agree on another arbitration forum if the NAF ceased operations.

Notice of Arbitration Clause in Welcome Email Not Sufficient

By Rebekah Kaufman

The Second Circuit held that an arbitration clause contained in terms and conditions that were emailed to a consumer in a welcome email after he had signed up for an online membership program is unenforceable for lack of notice. Schnabel v. Trilegiant Corp., 2012 U.S. App. LEXIS 18875, No. 11-1311-cv (2d Cir. Sept. 7, 2012). The court found the facts distinguishable from shrinkwrap license cases because the consumer here could participate in the membership program without ever opening the email containing the terms and conditions. In contrast, in shrinkwrap cases, where the terms and conditions are contained in the product packaging, the consumer manifests his or her consent to those terms by failing to return the product after having the opportunity to read the terms.

Ninth Circuit Will Rehear Student Loan Case Against KeyBank

By Rebekah Kaufman

The Ninth Circuit has granted a rehearing en banc in a case brought by a group of students under California's Unfair Competition Law (UCL) against KeyBank over the terms of their student loans. Kilgore v. KeyBank National Assn., No. 09-16703 (9th Cir.). A three-judge panel previously held that KeyBank could compel arbitration because the FAA, as interpreted in Concepcion, preempts prior decisions by the California Supreme Court, which held that UCL claims seeking public injunctions are not arbitrable as a matter of public policy. Kilgore v. KeyBank Nat'l Assn., 673 F.3d 947 (9th Cir. 2012). In granting the petition for a rehearing en banc, the Ninth Circuit will take a closer look at whether arbitration clauses are unenforceable where they would prevent parties from effectively vindicating their statutory rights. The argument will take place before the en banc court on Wednesday, December 12, 2012 at 10:00 a.m. in Pasadena.

MORTGAGE REPORT

Supreme Court May Give Lenders an Early Christmas

By Michael Agoglia andTom Noto

The Supreme Court may take up another case testing whether the Fair Housing Act allows disparate claims. In Township of Mount Holly v. Mt. Holly Gardens Citizens in Action, the Third Circuit held that disparate impact claims are cognizable under the Fair Housing Act, consistent with other circuit courts' holdings on the question. Mount Holly filed a writ petition, and the Supreme Court has issued an "Invitation" to the United States Solicitor General to express its views on whether the Court should take up the case. Supreme Court watchers generally interpret an Invitation as an indication that the Court is inclined to grant review but first wants the government's views on the broader implications of the case. The news comes on the heels of the last minute settlement of Magner v. Gallagher, which, as we reported in our Fall Newsletter, was engineered to avoid Supreme Court review of these issues.

CFPB Touts Stepped up Enforcement Efforts

By Michael Agoglia and Tom Noto

In the "Supervisory Highlights" report discussed above, the CFPB details a range of alleged mortgage-lending violations that the fledgling agency says it uncovered this year. These violations include not only bread-and-butter issues like untimely borrower disclosures, but also harder-to-predict issues like employee training. In a saber-rattling tone reminiscent of the DOJ's FCPA pronouncements a few years ago, the report focuses on lenders' training, compliance programs, and third-party oversight. The CFPB also outlined its policy for lenders to appeal a negative compliance rating: "Appeals will be handled by a committee that includes management at CFPB headquarters in Washington, D.C. and representatives of regional offices that were not involved in the matter under review." Not surprisingly, many industry advocates are taking a skeptical view of their prospective chances at an appeal before a "committee" of CFPB management and staffers. These developments underscore the wisdom of proactively developing training and compliance programs—including procedures for overseeing any third party agents or vendors involved in lending activities— before the CFPB comes knocking.

Nothing but the "Best" (Facts and Data) for the CFPB

By Michael Agoglia and Tom Noto

The CFPB is keeping busy. As we reported in September, it issued the hefty 425-page proposed rules implementing Dodd-Frank's mortgage servicing provisions and expects to issue final rules by this January. As if that weren't enough, in addition to its day-to-day regulatory and oversight responsibilities, it has ventured into new territory with the Federal Housing Finance Agency to create a "National Mortgage Database." Director Richard Cordray explained, "In order to understand what is going on in the mortgage marketplace and develop appropriate consumer protections, we must have the best facts and data." The database promises to be a treasure trove of information "spanning the life of a mortgage loan from origination through servicing," including detailed loan-level data, going as far back as 1998. (The CFPB promises that the database will not contain personally identifiable information and that it will use "appropriate precautions" to make sure individual consumers cannot be identified through the database.) For further information, see our News Bulletin at http://www.mofo.com/files/Uploads/Images/120913-CFPB-Proposes-National-Mortgage-Servicing-Rules.pdf.

Banks Gain Traction as HAMP Dismissals Wind Their Way Into Appeals

By Michael Agoglia

The Fifth Circuit has joined the Fourth and Eleventh Circuits in holding that Home Affordable Modification Program ("HAMP") Trial Payment Plans ("TPPs") do not promise permanent modifications to borrowers who participate in a TPP. As we previously reported, the Seventh Circuit allowed claims based on a TPP to proceed because the servicer, by countersigning and returning the TPP, certified that the borrower was qualified for a permanent modification. Meanwhile, the HAMP cases that have survived dismissal, at least in part, continue to work their way through the district courts. Class certification briefing in the consolidated loan modification MDLs in the Central District of California and the District of Massachusetts is scheduled for early 2013.

Sooner State Borrowers Cash in on Mortgage Settlement Sooner

By Michael Agoglia

Oklahomans were skeptical when their state was the only one to opt out of a national mortgage settlement—which promised comprehensive reform and cash payments and other relief to a variety of borrowers in 49 states. But now they may be singing "O-K-L-A-H-O-M-A [Attorney General] OK!" In October, Oklahoma borrowers received their first settlement checks as a result of Oklahoma's separate settlement with five of the country's largest banks. The Oklahoma settlement is narrower than the national one—banks agreed to pay residents who lost their homes after being assured that their loans would be modified, paying $18.9 million in total. Oklahoma Attorney General Scott Pruit said about 700 Oklahomans have applied for relief, and the average pay-out is $11,000 per claim and ranges between $5,000 to $20,000. The $25 billion national settlement allows for a wider range of compensation under a wider range of circumstances, but checks are not likely to issue until April.

Lenders Not "Flipping" Over New Appraisal Rules

By Michael Agoglia and Tom Noto

The OCC, FRB, CFPB, FDIC, and other agencies proposed strict new appraisal requirements for "higher-risk mortgage loans," implementing relevant provisions of the Dodd-Frank Act. In addition to defining what constitutes a "higher-risk mortgage loan," the proposal would require lenders to (1) obtain a written appraisal by a certified or licensed appraiser based on a personal visit of the property's interior; (2) obtain a second appraisal from a different appraiser under certain circumstances; and (3) give a free copy of each appraisal and related disclosures to the borrower. The second appraisal requirement appears to be aimed at discouraging fraudulent "flipping," but regulated entities have objected that the proposed rule would make legitimate transactions too costly and complicated.

PRIVACY REPORT

Senate Cybersecurity Efforts Fail Again

By Nathan Taylor

On November 14, 2012, the Senate once again failed to invoke cloture on legislative debate on the Senator Lieberman (I-VT) cybersecurity bill supported by Democrats (S. 3414). S. 3414 would address cybersecurity through regulatory means, including creating a National Cybersecurity Council to be chaired by the Department of Homeland Security. The Cybersecurity Council would, among other things, assess cybersecurity risks across the nation's principal sectors, establish a procedure for the designation of private-sector computer systems and assets as covered "critical infrastructure," and adopt "voluntary" cybersecurity practices. The approach supported by the Republicans (Senator McCain's (R-AZ) bill (S. 2151)) would address cybersecurity through non regulatory means, such as eliminating barriers to enhanced cybersecurity information sharing between the government and the private sector. The Senate had failed in August on a similar vote, but Senate Majority Leader Reid (D-NV) was committed to making floor time available for S. 3414 during the post-election "lame duck" Congress. Following the Senate's November vote, Majority Leader Reid indicated on the floor that "cybersecurity is dead for this year." Although that outcome appears likely, it is not certain.

Rumored Cybersecurity Executive Order

By Nathan Taylor

The administration began the current cybersecurity debate in May 2011 when it responded to a Senate request with suggested legislative language to address cybersecurity. In light of the apparent stalemate in Congress, the administration is reported to be drafting an executive order related to cybersecurity that would include elements of the Lieberman cybersecurity bill (S. 3414). The draft reportedly would direct a number of federal agencies to create a new cybersecurity council at DHS with representatives from various agencies, including the director of national intelligence (similar to S. 3414). The draft reportedly also would direct certain federal agencies to develop voluntary cybersecurity guidelines for owners of critical infrastructure (similar to S. 3414). Although prominent Democrats have urged the president to issue such an executive order, the administration apparently believes that more dialogue on the issue should occur in Congress. As a result, it is not clear if or when the administration actually will issue such an order.

Senator Rockefeller Cybersecurity Letter

By Nathan Taylor

On September 19, 2012, Senator Rockefeller (D-WV) sent a letter to the CEOs of each Fortune 500 company requesting their input on the nation's cybersecurity needs and their concerns with respect to the Lieberman cybersecurity bill (S. 3414). The letter expressed the Senator's strong belief that the Senate's recent failure to pass cybersecurity legislation leaves the country increasingly vulnerable to cyberthreats. More pointedly, the Senator's letter apparently blames the Senate's failure to pass S. 3414 largely on the U.S. Chamber of Commerce and other business lobbying groups. As a result, the Senator's letter is intended to solicit the CEOs' "views on cybersecurity, without the filter of beltway lobbyists."

FTC Internet Privacy Enforcement Actions Against Google and MySpace

By Nathan Taylor

Over the past few months, the Federal Trade Commission has brought two notable Internet privacy enforcement actions involving both MySpace and Google. On August 8, 2012, Google agreed to a $22.5 million civil penalty to settle FTC claims that Google circumvented the privacy settings of Apple's Safari Web browser to allow the tracking of user activity, violating an earlier privacy settlement between Google and the FTC. The fine is the largest imposed by the FTC on a company for violating an existing FTC consent order. The consent agreement also requires Google to disable all the tracking cookies "it has said that it would not place on consumers' computers."

In addition, on September 11, 2012, the FTC approved a final order settling its allegations that MySpace misrepresented its protection of users' personal information by sharing users' Friend IDs, ages, and genders with third-party advertisers. Among other things, the settlement specifically bars MySpace from future privacy misrepresentations and requires MySpace to implement a comprehensive privacy program. In approving the final order, the FTC rejected certain comments it received in response to the proposed consent agreement that argued that the FTC should require MySpace to obtain affirmative, opt-in consent before materially exceeding the privacy settings of users. The FTC ultimately concluded that the mandated comprehensive privacy program would address these concerns.

FTC on Dumpster Patrol

By Nathan Taylor

On November 7, 2012, the FTC announced that it had reached a settlement with a payday lender regarding the improper disposal of credit report information. The FTC alleged that the lender failed to take reasonable measures to protect consumer information by dumping documents in unsecured dumpsters, in violation of the FTC's rule regarding the disposal of credit report information and the FTC's Safeguards Rule. As a result, the FTC will impose a civil penalty of $101,500. Each of the actions brought by the FTC historically under its disposal rule has involved improper disposal in dumpsters. In light of the penalty sought by the FTC, the stakes are clearly high.

Eleventh Circuit Breathes New Life into Data Breach Case

By Nathan Taylor

On September 5, 2012, the Eleventh Circuit reinstated a data breach class action, finding that the plaintiffs alleged sufficient facts to make it plausible that a company was negligent in failing to protect two unencrypted laptops containing Social Security numbers and health information for more than 1 million individuals. Two named plaintiffs in particular alleged that they had been careful to protect their sensitive information and had never been victims of identity theft before the laptops were stolen. But within two years after the theft, these two individuals were victims multiple times of identity theft. The plaintiffs had alleged, among other things, negligence, breach of contract, and breach of fiduciary duty. The district court had dismissed, on the ground that the plaintiffs had failed to plead sufficient facts to make it plausible for a jury to find that the company's negligence caused their damages. But the Eleventh Circuit concluded that these allegations were "sufficient to cross the line from merely possible to plausible."

FTC to Host Workshop Exploring Privacy Implications of Comprehensive Collection of Internet Users' Data

By Nathan Taylor

On October 15, 2012, the FTC announced that it will hold a workshop on December 6, 2012, in Washington, D.C., to explore the practices and privacy implications of comprehensive collection of Internet users' data. This announcement follows a promise that the FTC made in its March Privacy Report to hold a workshop dedicated to the issues raised by entities that have the ability to collect data about computer users across the Internet. It is not clear what the outcome of the workshop will be, but if it follows recent FTC practice, the result will be a staff report highlighting privacy issues associated with such comprehensive collection of data and offering "best practices" to address them.

California Law Limits Employer Access to Employee Social Media Accounts

By Nathan Taylor

On September 27, 2012, California Governor Brown signed a bill that restricts employer access to the "personal social media" of employees and applicants for employment. Specifically, California A.B. 1844 prohibits an employer from requiring or requesting an employee or applicant to do any of the following: (1) disclose a username or password for the purpose of accessing personal social media; (2) access personal social media in the employer's presence; or (3) divulge any personal social media, except in connection with the investigation of allegations of an employee's misconduct or violation of applicable laws. A.B. 1844 is similar to recently enacted laws in Delaware, Maryland, and Illinois. In addition, during this legislative season, at least 13 states have proposed legislation restricting employer access to employee social media accounts.

FTC Issues Guidance for Mobile App Privacy and Advertising

By Nathan Taylor

On September 5, 2012, the FTC published a brief guide to assist developers of mobile applications in complying with truth-in-advertising, privacy, and data security principles. In publishing this advice, the FTC makes clear that its enforcement authority under Section 5 of the FTC Act against unfair or deceptive acts or practices applies in the mobile app arena, and with equal force to large and small developers. The FTC's guidance briefly lays out the practices that developers should follow to avoid such enforcement, thereby suggesting that more enforcement is on the horizon. The guide explains general consumer protection principles and applies them in the context of mobile apps. For example, the FTC advises that app developers advertise their apps truthfully and explains that "pretty much anything" a company tells a prospective user about what the app can do, expressly or by implication, is an "advertisement" requiring substantiation for claims as they would be interpreted by the average user.

California AG's OPPA Crackdown

By Nathan Taylor

On October 30, 2012, California Attorney General ("AG") Harris announced that her office would begin notifying the developers of as many as 100 mobile apps that their apps do not comply with the state's Online Privacy Protection Act ("OPPA") and that they have 30 days to comply. The OPPA requires a commercial website operator or online service provider, including a mobile app developer, that collects personally identifiable information from consumers residing in California to post a conspicuous privacy policy. Because OPPA applies to any company that collects data on California residents, companies both within and outside of California are subject to enforcement. The California AG has indicated that, in identifying non-compliant apps, the initial focus would be the most popular apps available on the Apple App Store and Google Play. This announcement comes as no surprise. The AG previously reached an agreement with the major platforms that distribute and sell mobile apps, requiring them to distribute only apps that have privacy policies that consumers are able to review prior to download. At that time, the AG's office told app developers that they had six months to come into compliance with OPPA.

PREEMPTION REPORT

Getting Out of Dodge

By Nancy Thomas

The Sixth Circuit held there is federal subject matter jurisdiction over a declaratory judgment action that alleged that a suit brought by Cleveland officials in state court was preempted by the National Bank Act. Chase Bank USA, N.A. v. Cleveland, 695 F.3d 548 (6th Cir. 2012). As loyal readers may recall, Cleveland sued several financial institutions on the theory that their subprime lending practices constituted a public nuisance by contributing to foreclosures that caused the city's financial crisis. Because Chase is not diverse to Cleveland, Chase could not remove the suit to federal court. Instead, Chase filed a declaratory judgment action in federal court alleging the state law suit is preempted by the NBA. The district court dismissed the suit for lack of subject matter jurisdiction, but the Sixth Circuit reversed, finding that the suit fell within a line of cases recognizing that federal courts can hear pre-emption-based challenges to state actions brought against state officials.

Stay Out of My Insurance

By Nancy Thomas

A Massachusetts federal court ruled that a state law limiting the amount of mortgage insurance lenders can require is preempted as to federal thrifts. Silverstein v. ING Bank, FSB, 2012 U.S. Dist. LEXIS 135105 (D. Mass. Sept. 21, 2012). OTS regulations list laws regarding private mortgage insurance as a category of state laws that are expressly preempted, and the court reasoned that any claim based on the state statute would be attempting to regulate mortgage lending. The court further held that common law claims based on the same alleged state law violation were preempted as well.

Preemption Confusion

By Nancy Thomas

California federal courts continue to struggle with whether state law foreclosure challenges are preempted as applied to federal thrifts. Although California federal courts have almost uniformly held a state statute requiring servicers to contact borrowers regarding foreclosure alternatives are preempted by OTS regulations as state-law regulation of mortgage "processing, origination, and servicing," we continue to see a few federal courts disagreeing. See Roussel v. Wells Fargo Bank, 2012 U.S. Dist. LEXIS 153798 (N.D. Cal. Oct. 25, 2012); Fernandez v. Wells Fargo Bank, N.A., 2012 U.S. Dist. LEXIS 155505 (N.D. Cal. Oct. 29, 2012); but see Fowler v. Wells Fargo Bank, 2012 U.S. Dist. LEXIS 162198 (N.D. Cal. Nov. 13, 2012) (finding claims for violation of the statute are preempted by HOLA and OTS regulation).

Interesting Interest Rate Ruling

By Nancy Thomas

Plaintiff may not pursue state-law claims challenging the substitution of a new, allegedly higher interest rate index for ARM loans acquired from a federal thrift when the original index became unavailable. Campidoglio LLC v. Wells Fargo & Company, 2012 U.S. Dist. LEXIS 142624 (W.D. Wash. Oct. 2, 2012). The court held that breach of contract and state consumer protection claims based on the theories that the loan acquirer improperly charged inflated interest rates due to use of the new index and did not disclose information needed to verify the index accuracy were expressly preempted by OTS regulations; but the breach of contract claim alleging the new index was not OTS-approved as required by express contractual terms was not. One other note, the court followed the analysis of the majority of district courts in the Ninth Circuit in finding the applicable preemption analysis is determined by the charter of the originating lender, rather than the current loan holder.

PLASTICS REPORT

CFPB Schools Congress on Credit Card Agreements

By Leonard Chanin and Obrea Poindexter

On November 1, 2012, the CFPB released the 2012 Annual Report to Congress on College Credit Card Agreements. The report coincided with the launch of a database where individual agreements can be reviewed. The report shows that the majority of college credit card agreements are between issuers and affiliated organizations, such as fraternities and sororities, alumni associations, and foundations related to an institution.

The report, required by Section 305 of the CARD Act, also shows that from 2009- 2011, the number of agreements, the total number of open accounts at year-end, the amount of payments by issuers to universities, and the number of new card accounts opened have all decreased.

The 2012 report is the third annual report drafted pursuant to this provision of the CARD Act, and the first since the CFPB inherited reporting responsibilities from the Federal Reserve Board. Information is gathered from credit card issuers, who by law must (1) submit the terms of any agreement with a college or university, (2) provide data on the number of accounts pursuant to each agreement and (3) disclose payments made to the university as part of the agreement.

CFPB Demonstrates Ability to Fix

By Rick Fischer, Oliver I. Ireland and Obrea O. Poindexter

On November 7, 2012, the CFPB published a proposed rule ("Proposed Rule") to amend the Regulation Z ability-to-pay requirements. The CFPB stated that it "believes that § 1026.51(a), as currently in effect, may unduly limit the ability of certain individuals who are 21 or older to obtain credit and is proposing amendments to Regulation Z that it believes are more consistent with the plain language and intent of the [CARD] Act."

The CFPB proposed to alter the FRB's extension of the independent ability-to-pay requirement to applicants age 21 or older by amending Section 1026.51(a) in two ways. First, the Proposed Rule would remove all references to the "independent" ability to pay, as that requirement currently applies to applicants who are 21 or older. Second, the Proposed Rule would amend Section 1026.51(a)(1)(ii) to allow credit card issuers to consider income and assets to which an applicant who is 21 or older has a "reasonable expectation of access."

The CFPB also proposed to amend the Commentary to Regulation Z to provide that a credit card issuer may consider any income or assets to which an applicant has a reasonable expectation of access. Comments are due January 7, 2013.

For additional background, review our client alert available at: http://www.mofo.com/files/Uploads/Images/121019-CFPB-Reg-Z.pdf.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved