Alston & Bird Consumer Finance Blog

State Law

CFPB Issues Preemption Determination that State Commercial Financing Disclosure Laws Are Not Preempted By TILA

By ,

A&B Abstract:

The Consumer Financial Protection Bureau (CFPB) recently announced that it issued a final preemption determination concluding that certain state disclosure laws applicable to commercial financing transactions in California, New York, Utah, and Virginia are not preempted by the federal Truth in Lending Act (TILA). As covered in a previous post, we note that the California, Utah, and Virginia laws have already gone into effect, and New York’s is set to become effective on August 1, 2023.

State Commercial Lending Laws

After examining the state disclosure laws in California, New York, Utah, and Virginia, the CFPB recently affirmed that there is no conflict with TILA because the state laws extend disclosure protections to businesses seeking commercial financing, which are beyond the scope of TILA’s statutory consumer credit protections.  Specifically, the CFPB determined that TILA only preempts state laws under conflict preemption, which the CFPB interprets to mean that TILA preempts state laws only if they are “inconsistent” with TILA.

In California, New York, and Utah, state laws require lenders to issue disclosures in certain commercial financing transactions, the purpose of which is generally defined to mean primarily for other than personal, family, or household purposes.  This is in contrast to TILA’s application to consumer credit, which is extended primarily for personal, family, or household purposes.  In December 2022, the CFPB made a preliminary determination that New York’s commercial financing disclosure law was not preempted by TILA because the state law regulates commercial financial transactions rather than consumer-purpose transactions.

In Virginia, disclosures are required in connection with “sales-based financing,” which is defined generally as a transaction in which the financing is repaid by the recipient based on a percentage of sales or revenue.  “Recipient” means a person whose principal place of business is in Virginia and that applies for sales-based financing and is made a specific offer of sales-based financing by a sales-based financing provider.  Based on these definitions, it appears that the Virginia law would not apply to a consumer credit transaction.  However, the CFPB generally noted that, to the extent state law could apply to a consumer credit transaction, there would still be no inconsistency with TILA.

Accordingly, the CFPB found that the four states’ commercial financing disclosure laws are not inconsistent with and, therefore, not preempted by the federal TILA.

Takeaway

As states continue to propose and enact similar laws requiring disclosures in commercial financing transactions, an argument that federal law preempts such state laws is unlikely to succeed.  Thus, companies should monitor ongoing state regulatory trends in commercial financing transactions to ensure compliance with the consumer-style disclosure requirements that may apply.

New York’s Commercial Finance Disclosure Law Set to Take Effect August 1, 2023

By ,

A&B Abstract:

New York is one of the first states that enacted laws requiring consumer-style disclosures for commercial financing transactions (the “New York Law”). Previously, the New York Department of Financial Services (“NYDFS”) issued guidance stating that compliance with the requirements would be delayed until it issued final implementing regulations. Those final regulations were published on February 1, 2023, with an effective date of August 1, 2023 (the “Final Regulations”).

The Final Regulations

The Final Regulations make a few significant changes from the proposed rules, primarily in response to public comments. For example:

  • First, New York’s law will apply only where a recipient’s business is principally managed or directed from the state of New York or where the recipient (if a natural person) is a legal resident of the state of New York. This is a change from positions taken in prior proposed versions of the rule, in which New York would have required the disclosures if either the provider or recipient was located in New York.
  • Second, the Final Regulations clarify that subsidiaries of financial institutions (in addition to the financial institutions themselves) are exempt from the law.
  • Third, the Final Regulations modify notice requirements related to transfers to adhere to UCC norms.
  • Fourth, while the Final Regulations still require broker compensation disclosures, it does not impose strict requirements on the format of those disclosures as originally proposed.
  • Finally, the Final Regulations relaxed strict signature requirements, allowing for disclosures to be provided electronically and by other reasonable means.

Takeaways

New York is among a growing list of states, which include California, Utah, and Virginia, that have enacted laws requiring consumer-style disclosures for commercial financing transactions. As we covered in a previous post, the New York Law has many similarities to the California law that became effective on December 9, 2022. However, New York’s Final Regulations apply to commercial financing transactions of $2.5 million or less, whereas the California regulations apply only to transactions of $500,000 or less. And, as covered in another prior post, Utah also requires registration and disclosures for certain commercial financing transactions of $1 million or less as of January 1, 2023. Notable as well, Virginia has enacted somewhat similar laws applicable to sales-based financing which apply to transactions on or after July 1, 2022. In general, these disclosure laws require specifically formatted lender statements, including the order of the content and respective font sizes. New York has not provided model forms.

While the California, Utah, and Virginia laws have already gone into effect, we expect additional states will also promulgate similar requirements in the future.

States Continue Trend Supporting Remote Work for MLOs and Mortgage Company Employees

By ,

A&B ABstract:

Effective July 1, Montana will become the latest jurisdiction to codify authorization for mortgage loan originators and mortgage company employees to engage in remote work. That legislation follows a general trend over the past year – and, more so, since the early days of the COVID-19 pandemic – to allow remote operations.

No longer a temporary measure necessitated by pandemic lockdowns, remote work is increasingly acknowledged by regulators as an acceptable permanent option for today’s working environment. Last year, 18 jurisdictions took action to extend temporary permission for, or permanently authorize, the practice, and the trend continues in 2023.

Updates to the Montana Mortgage Act

On February 16, Montana Governor Greg Gianforte signed House Bill 30, substantively amending the Montana Mortgage Act and adding requirements relating to the conduct of mortgage business from a remote location. Specifically, the measure requires that each employee or independent contractor engaged in remote work:

  • Does not meet with the public at an unlicensed personal residence;
  • Does not maintain physical or electronic business records at the remote location;
  • Does not display any signage or advertising of the entity or the MLO at a remote location;
  • Takes reasonable precautions to protect confidential information in accordance with state and federal laws; and
  • Ensures that their NMLS records designate a properly licensed location as the MLO’s official workstation and a manager as a supervisor.

Further, the amended Act mandates that a licensed entity must:

  • Have written policies and procedures for working remotely, and supervise and enforce those policies and procedures;
  • Ensure that any device used to engage in the mortgage business has appropriate security, encryption, and device management controls to ensure the security and confidentiality of customer information;
  • Maintain its computer systems and customer information in accordance with its information technology security plan and all state and federal laws; and
  • Annually review and certify that its employees and independent contractors engaged in the mortgage business from remote locations meet specific requirements, and, upon request, provide the Department of Administration with written documentation of such review.

As discussed further below, the Montana measure follows a pattern established by other states, where remote work requirements have been established by regulatory guidance, and by temporary and then permanent legislation, since mid-2020.

Remote Work Authorization Trends 2020 to Present

The purpose of the legislative and regulatory guidance on remote work has changed since the spring of 2020. Remote work was already considered increasingly viable prior to the COVID-19 pandemic. Permissions and adaptations for remote work accelerated drastically with the onset of the pandemic in the spring of 2020. Today, guidance initially necessitated as an emergency response has become a permanent approach to regulating remote work in many states, enabling mortgage companies to take advantage of the benefits of a new mode of operations.

Throughout the evolution of the remote work trend, industry associations have stepped in to survey the regulatory choices being made across states and to recommend best practices. In July 2020, the Mortgage Bankers Association (“MBA”) issued a letter to the Conference of State Bank Supervisors addressing near- and long-term considerations for allowing remote work. Since that letter, there has been much activity across states in implementing permanent and temporary remote work authorization. In recognition of the significant changes to the mortgage business resulting from the new normal of remote work, on June 7, 2022, the American Association of Residential Mortgage Regulators (“AARMR”) issued guidance on best practices for permitting employees to work remotely.

In general, the guidance requires licensed mortgage entities to:

  1. Develop policies and procedures for adequate supervision of MLOs working remotely;
  2. Ensure that MLOs refrain from meeting with consumers in their homes (unless, if applicable, the MLO’s home is licensed as a branch);
  3. Ensure that MLOs use a VPN or similar system of authentication for access to the company’s secure origination system;
  4. Maintain and update security for devices used to access the company’s secure origination system;
  5. Ensure that MLOs refrain from storing physical business records at any location other than the company’s licensed main office; and
  6. Ensure that documents are available at a licensed location for regulators to conduct examinations.

The majority of legislation enacted, and guidance adopted, by jurisdictions reflects the framework set out by the MBA and AARMR.

State Response

Following the issuance of the MBA and AARMR guidance, several states have focused on effective implementation of key processes for remote operations. For example, jurisdictions including California, Kansas, Kentucky, Ohio, Pennsylvania, Rhode Island, Tennessee, and Washington require licensees to develop a written information security plan to ensure that the security goals for remote work are met.

States such as California provide specific requirements on the safeguards that must be included in the policy. In another common trend, California, the District of Columbia, Kentucky, Pennsylvania, Rhode Island, and Washington explicitly note that a remote location should not be advertised or represented to consumers as an operating location. Across states, licensees should ensure that consumer and licensee information and records remain accessible for regulatory oversight and exams.

2022 State Activity on Remote Work Authorization

In 2022, eight states (California, Kansas, Kentucky, Ohio, Pennsylvania (Amendment), Rhode Island, South Dakota, and Tennessee) enacted legislation addressing remote work. In addition to passing legislation, Pennsylvania enacted an amendatory measure and Rhode Island issued related guidance. Georgia, Oregon, and Washington adopted regulations implementing previous statutory measures. Finally, nine jurisdictions issued guidance, or extended temporary guidance, regarding remote operations: Colorado, the District of Columbia, Kansas, Maine, Oklahoma, Rhode Island, Vermont, West Virginia, and Wyoming.

As of February 2023,  there were significant developments in remote work guidance and legislation in Montana and California. Montana amended the Montana Mortgage Act to permit and establish the requirements for mortgage business employees to work remotely effective July 1, 2023. The California Department of Financial Protection and Innovation issued guidance permitting remote work by employees of a licensee under the California Residential Mortgage Lending Act.

Outliers and Special Considerations

Jurisdictions have not implemented remote work guidance uniformly. Mortgage companies and MLOs should be aware of unique requirements and restrictions in certain states.

Security and Data Privacy

Mortgage industry regulators and companies are particularly concerned with ensuring responsible handling of data and maintaining the security of company systems and consumer information in connection with remote operations. Reflecting this concern, California’s legislation requires companies to provide employees working remotely with appropriate equipment to perform the work and safeguard records and personal information. In addition to the prohibition on storing physical records at a remote location, California prohibits the receipt of business-related mail at a remote location.

Similarly, the new South Dakota and Rhode Island provisions on remote work mandate employee training on the confidentiality of conversations with, or relating to, consumers that are conducted from the remote location.

Location Requirements

Mortgage companies and MLOs should be aware of particular requirements for the location of an eligible remote work site. Pennsylvania expressly requires that the location where the remote work takes place is not owned or controlled by the licensee. Pennsylvania’s legislation would allow remote work from a location that is under the control of a subsidiary or affiliate of the licensee, if the location is only used by the licensee or on an incidental basis for consumer convenience. Note that under Pennsylvania’s provisions, in-person consumer interaction is permitted at a remote location if that location is not a personal residence.

Regulators may not apply all of these requirements as written. Rhode Island’s provisions include the requirement that the remote location be within a reasonable distance of the licensed place of business or branch location. Despite the text of the statute and regulations, the Department of Business Regulation issued regulatory guidance indicating that “MLOs are not required to live within a certain distance” of a main office or branch location. Instead, companies are required to provide proof of effective supervision of MLOs.

Supervisory Requirements

Some jurisdictions permit remote locations to be licensed as branches, even when the location is a personal residence. Georgia will consider a personal residence to be a branch and subject it to branch licensing requirements when the following conditions are met: (1) advertising the location as place of business; (2) receiving consumers; (3) maintaining physical files; or (4) arranging for the licensee to reimburse rent, utilities, or other expenses for the location. If none of the conditions are met, a personal residence that is a remote work location will not be considered a branch.

As an additional oversight measure, Kansas, Kentucky, and Tennessee require licensees to annually review and certify that employees engaged in remote work meet the applicable requirements under the relevant legislation.

Takeaways

As the Montana measure evidences, the trend towards authorizing and regulating remote work has not stopped in 2023. First, in January, the Nebraska and Virginia legislatures introduced bills related to allowing remote work. Second, more of the jurisdictions that in 2022 updated their remote work statutes are expected to adopt corresponding regulations or issue guidance to implement or supplement the new requirements for remote work authorization. For example, Vermont has announced that it will adopt regulations to implement the changes to its mortgage licensing statute that allow remote work in the coming months.

Further, some states that have not yet authorized remote work for MLOs and mortgage company employees have passed legislation authorizing remote work by employees of companies holding certain non-mortgage licenses. Colorado passed legislation in 2022 to permanently allow supervised lender licensees to work remotely. Colorado is one of the states that has also opted to extend temporary authorization for regulated entities that are not covered by the new legislation, including mortgage licensees into 2023. Based on the activity we have seen so far this year, and announcements regarding anticipated rulemaking activity, MLOs and mortgage company employees should expect future developments in this area.

* We would like to thank Associate, Rachel Myers, for their contribution to this blog post.

Merrily the State CRAs Roll Along

By

A&B ABstract:

While we wait on the final interagency rule from the Federal Reserve, OCC, and FDIC, Illinois and New York are continuing along with their state Community Reinvestment Acts (CRA).

Illinois CRA Developments

Illinois announced that it would hold public hearings, two on March 2, 2023 and a third on March 8, 2023, to discuss revisions to its proposed rulemaking.  The comment period was extended to March 16 to accommodate these hearings and invite further public engagement on their final rule.  The Illinois final rule, unlike the federal final rule, will not only apply to state-chartered banks, but also to state-licensed nonbank lenders and state-chartered credit unions.  To that end, the three hearings are split among the three groups: the Bank Community Reinvestment hearing at 10 a.m. C.T. on March 2, the Mortgage Community Reinvestment hearing at 2 p.m. C.T. on March 2, and the Credit Union Community Reinvestment hearing will be at 1 p.m. C.T. on March 8.  The hearings are to be conducted in person, with dial-in and WebEx accessibility.  The IDFPR published the details for interested attendees in the Illinois Register here.

New York CRA Developments

New York, meanwhile, has updated the New York CRA regulations with additional data collection and reporting obligations in connection with minority- and women-owned businesses (“MWBEs”).  New York revised its CRA statute effective January 2020 to underscore its commitment to serving MWBEs as well as low- and moderate-income communities.  In furtherance to that revision, New York’s Department of Financial Services will now collect data concerning whether a loan or investment benefits MWBEs, in a manner consistent with fair lending laws.  This record collection will enable institutions serving these communities to receive CRA consideration for their activities in their state CRA examinations.  The NY CRA was amended in 2021 to apply to both state-chartered banks and state-licensed non-depository lenders.

Takeaway

It remains to be seen whether Illinois or New York will issue anything further before the prudential regulators come out with the much-anticipated final CRA rule.  Conventional wisdom would anticipate their waiting, but with potential legal challenges to the final CRA rule under consideration by certain banking trade groups, the states may be ready to continue moving forward independently for now and synching back up again once the final federal CRA rules are in effect.

The COVID-19 National Emergency is Ending: Are mortgage servicers ready?

By ,

A&B Abstract:

On January 30, 2023, President Biden informed Congress that the COVID-19 National Emergency (the “COVID Emergency”) will be extended beyond March 1, 2023, but that he anticipates terminating the national emergency on May 11, 2023. The White House Briefing Room reiterated the President’s position on February 10, 2023. Given the significant updates mortgage servicers made to their compliance management systems (“CMS”) to ensure compliance with the myriad of COVID-19-related laws, regulations and guidance issued in response to the pandemic, servicers should begin evaluating their CMS now to determine whether updates are necessary to minimize the risk of non-compliance and consumer harm as the COVID Emergency comes to an end. Set forth below, we discuss some of the key areas on which servicers should focus as they develop a plan for winding down COVID-19 protections.

Background

The COVID-19 pandemic created unprecedented operational challenges for mortgage servicers – challenges servicers sought to overcome through significant actions that were taken at the outset of the pandemic and over the last three years to implement the myriad of federal and state laws, regulations, and guidance that were enacted or promulgated in response to the pandemic.

Indeed, in response to the pandemic, the US Congress passed the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, Sections 4021 and 4022 of which provided certain borrowers impacted by the pandemic with certain credit reporting and mortgage-related protections.

Section 4021 of the CARES Act amended the Fair Credit Reporting Act by adding a new section providing special instructions for reporting consumer credit information to credit reporting agencies when a creditor or other furnisher offers an “accommodation” to a consumer affected by the pandemic during the “covered period,” which ends 120 days after the COVID Emergency terminates.

Section 4022 of the CARES Act granted forbearance rights and protection against foreclosure to certain borrowers with a “federally backed mortgage loan.” Specifically, during the “covered period,” a borrower with a federally backed mortgage loan who is experiencing a financial hardship that is due, directly or indirectly, to the COVID Emergency may request forbearance on their loan, regardless of delinquency status, by submitting a request to their servicer during and affirming that they are experiencing a financial hardship during the COVID Emergency. When the CARES Act was enacted, there was uncertainty in the industry as to how to define the “covered period” as the term was undefined. However, because the borrower must attest to a financial hardship during the COVID Emergency, the industry came to understand the “covered period” to be synonymous with the COVID Emergency, such that borrower requests received outside the COVID Emergency need not be granted.

Additionally, under Section 4022, a servicer of a federally backed mortgage loan were prohibited from initiating any judicial or nonjudicial foreclosure process, moving for a foreclosure judgment or order of sale, or executing a foreclosure-related eviction or foreclosure sale (except with respect to vacant and abandoned properties) through May 16, 2020.

In response to the CARES Act, mortgage servicers were inundated with directives issued by the US Department of Housing and Urban Development (“HUD”), the US Department of Veterans Affairs (“VA”), the US Department of Agriculture (“USDA”), the Consumer Financial Protection Bureau (“CFPB”), as well as the guidelines published by Fannie Mae and Freddie Mac (collectively, the “Agencies”), as the Agencies (other than the CFPB) were tasked with implementing the protections afforded by the CARES Act.  As result of these directives, servicers were required to quickly implement changes to their servicing operations, while ensuring accurate communication of such changes to its customers. For example, HUD alone issued over 20 mortgagee letters since the outset of the pandemic that were directly related to the operations of HUD-approved servicers.

In addition to the Agencies, several states either passed legislation, promulgated regulations or issued directives that mortgage servicers were required to implement. Servicers were also required to respond to the CFPB’s Prioritized Assessments, inquiries from Congress, and requests from the Agencies. Accordingly, servicers devoted substantial legal, compliance, and training resources to ensure compliance with applicable laws and requirements.

In implementing the foregoing laws and regulations, servicers made significant updates to their CMS and the various components that support an effective CMS, including, among others, policies, procedures, training, scripting, correspondence, system updates, and vendor management. Similarly, now that the COVID Emergency appears to be nearing an end, servicers should reevaluate what updates are necessary to effectively wind-down COVID-19 protections while minimizing regulatory risk and consumer harm.

Below we discuss several issues servicers should be particularly mindful of in developing a plan for winding down COVID-19 protections.

Key Areas of Focus for Servicers

Agency/GSE Guidelines: The myriad of Agency guidance issued in response to the pandemic included new and evolving requirements regarding the offering of COVID-19 Forbearance Plans, COVID-19-specific loss mitigation options, and other COVID-19-related borrower protections. For example, HUD, VA, and USDA have largely tied a borrower’s ability to request an initial COVID-19 Forbearance to the expiration of the COVID Emergency. HUD has indicated that a borrower may only request an additional forbearance extension of up to six months if the initial forbearance will be exhausted and expires during the COVID Emergency. On the other hand, Fannie Mae and Freddie Mac have previously informally indicated that servicers should continue to process borrower requests for COVID-19 Forbearances until the GSEs announce otherwise. Moreover, there is the possibility that all or some of the Agencies will expand post-forbearance COVID-19 protections to a broader class of borrowers given the apparent success of the streamlined options. On January 30, 2023, HUD issued a mortgagee letter (which was corrected and reissued on February 13th) extending its COVID-19 Recovery Loss Mitigation Options to include additional eligible borrowers, increase its COVID-19 Recovery Partial Claims, and add incentive payments to servicers. Notably, the mortgagee letter does not appear to update HUD’s existing guidance on the availability of COVID-19 Forbearance Plans, and it temporarily suspends several of HUD’s non-COVID-19 loss mitigation options, such as all FHA-HAMP options. In preparing for the end of the COVID Emergency, servicers should ensure that they identify and carefully review applicable Agency guidelines to determine what, if any, updates to existing processes are necessary.

Policies, Procedures, and Training: Whether a servicer created a specific COVID-19/CARES Act policy and/or updated its existing policies to reflect applicable COVID-19 protections, servicers must now review and update those policies to ensure they do not inaccurately reflect requirements no longer in effect as a result of the termination of the COVID Emergency. As a reminder, Regulation X requires servicers to maintain policies and procedures that are reasonably designed to achieve the objectives in 12 C.F.R. § 1024.38. Commentary to Regulation X clarifies that “procedures” refers to the actual practices followed by the servicer. Thus, servicers should ensure that its procedures reflect its policies. It is also important that updated and accurate training and job aids are provided to servicing employees, particularly to consumer service representatives, to ensure clear, accurate, and up to date information is communicated to consumers. It’s also a good time to ensure that policies, procedures, and training reflect the expiration of certain CFPB COVID-19-related measures. For example, the enhanced live contact requirements for borrowers experiencing COVID-19 related hardships were in effect from August 31, 2021 through October 1, 2022.

Scripts, Letters and Agreements: The CFPB called for mortgage servicers to take proactive steps to assist borrowers impacted by COVID-19 including prioritizing clear communications and proactive outreach to borrowers. In response, servicers updated communications through emails, texts, letters, loss mitigation agreements, buck slips, periodic statements, and other standard communications alerting borrowers of requirements for accepting and processing requests for forbearance, approving forbearance requests, providing credit reporting accommodations, and providing information on post-forbearance loss mitigation options and foreclosure. One of the standards the CFPB uses in assessing whether an unfair, deceptive, or abusive act or practice (“UDAAP”) occurred is whether a representation, omission, act or practice is deceptive, meaning that it misleads or is likely to mislead the consumer, the consumer’s interpretation of the representation is reasonable under the circumstances, and the misleading representation, omission, act or practice is material. Thus, it is important for servicers to review their communication library to make sure outdated CARES Act and other COVID-19-related information is not included in borrower communications.

System Updates: Throughout the last three years servicers were required to implement substantial system enhancements to ensure compliance with the myriad of requirements that arose in response to the pandemic. These enhancements included, among others, stop codes to ensure compliance with applicable foreclosure moratoria; changes to loss mitigation decisioning systems to reflect new and revised loss mitigation waterfalls; updates to borrower-facing websites and interactive voice response (“IVR”) systems to provide borrowers with information on available COVID-19 protections and to facilitate a borrower’s ability to self-serve when requesting a COVID-19 Forbearance; enhancing credit reporting systems to ensure accurate credit reporting for borrowers who are provided an accommodation under the CARES Act; and implementing system updates to ensure compliance with applicable fee restrictions. Given the significant time, effort, and resources required to implement the foregoing enhancements, servicers should begin evaluating their systems now to determine what changes are necessary to reflect that some or all of these protections will no longer be in effect.

State Law: In response to the COVID-19 pandemic, several states (including but not limited to California, the District of Columbia, Maryland, Massachusetts, New York, and Oregon) enacted their own protections, most of which have since expired. Now is the time for servicers to ensure that their CMS is updated to reflect that these laws are no longer in effect.

Instructions to Service Providers: Many servicers rely on third-party service providers to provide certain support functions. During the pandemic, reliance on such service providers was even more critical as servicers worked to implement the above-referenced requirements. Such service providers include, among others, print/mail vendors, foreclosure counsel, and third-party customer support representatives. In preparing for the end of the COVID Emergency, servicers should ensure accurate and consistent instructions are provided to, and appropriate oversight is exercised over, service providers to ensure compliance with applicable law and to minimize UDAAP risk.

Takeaway

The implementation of federal and state COVID-19 protections required that servicers devote substantial time, effort, and resources to ensure consumers could avail themselves of available protections and to minimize the risk of harm. Unfortunately, when the pandemic first began, servicers did not have the luxury of time when implementing these measures. However, given that the end of the COVID Emergency is not until May 11th, servicers should utilize this time to think through what impact the termination of the emergency will have on their current processes and controls, and begin making necessary updates.