Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.
Our bank and loan servicing clients also face novel challenges affecting their industry due to COVID-19, particularly the ever-changing rules and regulations concerning evictions and foreclosures. We closely track these updates and have assembled an interactive tracker containing state orders and guidance documents regarding residential foreclosure and eviction moratoriums.
To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:
Privacy and Cybersecurity Activities
- On December 20, Congress agreed to pass legislation expanding the Pell Grant program, which will result in hundreds of thousands of students becoming newly eligible for Pell and millions of current recipients receiving larger awards. The bill also repeals the ban on Pell eligibility among incarcerated students and restores Pell Grant eligibility for students defrauded by their institutions. The bipartisan agreement is part of a $1.4 trillion omnibus spending bill, which congressional leaders plan to pair with the nearly $900 billion COVID-19 economic relief deal. For more information, click here.
- On December 18, the Consumer Financial Protection Bureau issued the second part of its final rule to implement the Fair Debt Collection Practices Act (FDCPA), focusing on requirements regarding certain disclosures for consumers. The rule requires debt collectors to provide disclosures about the consumer’s debt and rights in debt collection and to take specific steps to disclose the existence of a debt to consumers (orally, in writing, or electronically) before reporting information about the debt to a consumer reporting agency. The rule also prohibits debt collectors from making threats to sue, or from suing, consumers on time-barred debt. For more information, click here.
- On December 18, the Federal Reserve Board voted to affirm the Countercyclical Capital Buffer (CCyB) at the current level of 0%. In making this determination, the board followed the framework detailed in its policy statement for setting the CCyB for private-sector credit exposures located in the United States. The buffer could help moderate fluctuations in the supply of credit. The CCyB is released when economic conditions deteriorate to support lending and economic activity more broadly. For more information, click here.
- On December 18, the Federal Reserve Board released a second round of bank stress test results this year, which showed that large banks had strong capital levels under two separate hypothetical recessions. Earlier this year, the board conducted its annual stress test and additional analysis in light of the COVID-19 event. Those results revealed banks generally had strong levels of capital, but considerable economic uncertainty remained. For more information, click here.
- On December 15, the Federal Deposit Insurance Corporation passed a final rule allowing industrial loan companies to become subsidiaries of any other company not under the Federal Reserve’s supervision, after all concerned parties signed written agreements with the FDIC. The rule becomes effective on April 1, 2021. For more information, click here.
- On January 5, 2021, the Washington State Department of Licensing will hold a public hearing on its remote work rule — a proposed permanent rule allowing employees of licensed collection agencies to work off site if data security and remote call review measures are in place. The temporary rule is in effect through February 17, 2021. For more information, click here.
- On December 16, the Superior Court of the District of Columbia struck down a ban on landlords filing new eviction cases as unconstitutional. The court found that property owners are entitled to go to court to regain possession. The moratorium on filing eviction notices denies “property owners their day in court for an extended and indefinite period[.] The District therefore has a demanding burden to demonstrate a reasonable fit and proportionality between the legislature’s goals and the means it chose to achieve these goals. Because the District has not carried its burden, the filing moratorium does not pass constitutional muster.” For more information, click here.
- On December 15, the Nevada Department of Business Industry Financial Institutions Divisions granted another extension to its guidance, which allowed employees of licensed collection agencies to work from home through March 31, 2021. The guidance was set to expire on December 31, 2020. For more information, click here.
- On December 3, the Idaho Department of Finance extended its temporary guidance regarding remote work during the COVID-19 pandemic from December 31, 2020 to June 30, 2021. Licensees are expected to meet the requirements of the original guidance. For more information, click here.
- Effective September 28, the Arizona Department of Insurance & Financial Institutions collection agencies licensed in Arizona no longer need to maintain branch licenses. For more information, click here.
Privacy and Cybersecurity Activities:
- On December 18, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) shared its top five posts of the year, two of which notably discuss security basics for those working remotely during the pandemic. As we head into 2021, it is worth looking back at the top two most-read NIST posts of 2020. In Telework Security Basics, NIST outlined simple steps individuals can take to ensure their Wi-Fi is protected. In Preventing Eavesdropping and Protecting Privacy on Virtual Meetings, NIST shared precautions to help make sure virtual meetings do not unnecessarily create opportunities for bad actors to perform data breaches or security incidents. Check out NIST’s Top 5 Blogs of 2020 to read about the remaining three top posts of the year. While we’re on the topic, be sure to check out how a business’s staff could reduce its cyber risks by reading Troutman Pepper’s article here.
- On December 18, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued guidance on how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits the use of health information exchanges (HIE) to disclose protected health information (PHI) for certain public health activities (PHA). In issuing this guidance, HHS provides examples specifically relevant to COVID-19. The guidance offers answers to several questions, such as:
- What is an HIE?
- When does the HIPAA Privacy Rule permit a covered entity or its business associate to disclose PHI to an HIE for purposes of reporting the PHI to a PHA, without an individual’s authorization?
- Can a covered entity rely on a PHA’s request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure
- May a covered entity disclose PHI to a PHA through an HIE without receiving a direct request from the PHA?
- May an HIE provide PHI it has received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from the covered entity?
- Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? Is an HIE that is a business associate required to provide such notice?
HHS’ full guidance can be found by clicking here.
- On December 17, the New York State Department of Financial Services (DFS) announced a partnership with Global Cyber Alliance to help small businesses comply with DFS Cybersecurity Regulation and Best Practices. DFS recognizes that many small businesses have been forced to move online, and it hopes this new partnership will assist them in protecting themselves and their customers from cybercrime. The partnership brings a free cybersecurity toolkit to help small businesses identify hardware and software, update defenses against cyber threats, strengthen passwords and multifactor authentication, back up and recover data, and protect email systems. To read the full announcement, click here.
- On December 17, the Federal Trade Commission (FTC) reminded consumers to stay vigilant during the holidays, especially as the pandemic is likely to move much of the shopping online. For consumers thinking about sending e-cards to family and friends, the FTC reminds consumers to:
- Research the website or company offering the service;
- Share only the information required for the service and be wary of including personal information;
- Don’t click links from unexpected texts or emails; and
- Ignore calls that ask consumers to act immediately.
To read the FTC’s full post, click here.