Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

Our bank and loan servicing clients also face novel challenges affecting their industry due to COVID-19, particularly the ever-changing rules and regulations concerning evictions and foreclosures. We closely track these updates and have assembled an interactive tracker containing state orders and guidance documents regarding residential foreclosure and eviction moratoriums.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On September 23, the Consumer Financial Protection Bureau (CFPB) released its first in-depth report analyzing complaint submission patterns by U.S. Census tract. The report, “Consumer Complaints Throughout the Credit Life Cycle, by Demographic Characteristics,” finds that the complaints from wealthier communities and communities with higher percentages of white, non-Hispanic residents more frequently concerned loan origination and performing servicing, while the complaints from communities of color and lower-income communities more frequently concerned credit reporting, identity theft, and delinquent servicing. The report based its findings on the nearly one million consumer complaints submitted to the CFPB between 2018 and 2020, and uses a novel approach to classify complaints by matching the relevant consumers to census tract-level U.S. Census demographic data. For more information, click here.
  • On September 22, the Internal Revenue Service announced that it awarded new contracts to three private sector collection agencies to collect overdue tax debts. Beginning September 23, taxpayers with unpaid tax bills may be contacted by one of the following three agencies: CBE Group, Inc., Coast Professional, Inc., and ConServe. For more information, click here.
  • On September 21, U.S. senators voted 49-48 to advance the nomination of Rohit Chopra — President Joe Biden’s pick to lead the CFPB — from the Senate Banking Committee to the Senate floor. Chopra faces a final confirmation vote as early as this week. For more information, click here.
  • On September 21, U.S. Senators Catherine Cortez Mastro, Sherrod Brown, and Elizabeth Warren introduced a new bill that would reward whistleblowers for reporting wrongdoing to the CFPB, with as much as a 30% settlement award or up to $50,000 if the settlement is less than $1 million. For more information, click here.
  • On September 21, the U.S. House of Representatives Committee on Rules passed amendments on credit reporting and medical debt collection for service members and private student loans. For more information, click here.
  • On September 20, the Department of Justice (DOJ) announced that it entered into a consent order with the New Jersey Higher Education Student Assistance Authority (HESAA) to settle the DOJ’s claim that HESAA violated the Servicemembers Civil Relief Act (SCRA) by obtaining unlawful court judgments against two military servicemembers for amounts owed on student loans. The settlement requires HSEAA to pay $15,000 to the two servicemembers and a civil penalty of $20,000 to the United States. It also requires HESAA to provide SCRA training to its employees and outside counsel and develop new policies and procedures consistent with the SCRA. For more information, click here.

State Activities:

  • On September 23, the governor of California signed a debt collection bill into law that will adjust how collectors address situations, where an individual claims a debt is fraudulent as a result of identity theft. The law will likely take effect on January 1, 2022. For more information, click here.
  • On September 23, the West Virginia attorney general filed a lawsuit, seeking to fine a New York collection agency for operating in the state without a license, while also banning the company from collecting debts in the state. For more information, click here.
  • On September 22, the California Department of Financial Protection and Innovation issued its first enforcement action against a debt buyer and debt collector, resulting in a $375,000 fine for unlawfully threatening to sue consumers and submitting negative information to credit bureaus without notifying consumers. For more information, click here.
  • On September 20, the Massachusetts Legislature held a hearing on a bill that would require companies calling individuals in that state and using a Caller ID number displaying a Massachusetts area code to have a physical presence in the state or face fines of up to $10,000 per call. For more information, click here.

Privacy and Cybersecurity Activities:

  • On September 24, the PCI Security Standards Council (PCI SSC) issued guidelines to support principles and procedures that outline the application of remote assessments. The organization developed the “PCI SSC Remote Assessment Guidelines and Procedures” to meet the changing needs of the payments industry due to shifts caused throughout the COVID-19 pandemic. The guidelines specifically address concerns that may result from an assessor’s inability to complete an assessment on site. The PCI SSC guidelines include:
    • Feasibility considerations for the use of remote assessments;
    • Steps to properly plan and prepare for the remote assessment;
    • Detailed guidelines and best practices on the use of remote testing methods for different types of testing activities;
    • Requirements and expectations for PCI SSC assessors regarding the use of remote assessment activities; and
    • Report template addendum to document the use of remote assessment methods.

To read the full announcement, click here.

  • Last week, reports revealed that several health organizations suffered data breaches. In one instance, hackers demanded that the health provider pay $5.9 million to release data obtained in a ransomware attack. The hackers allegedly acquired access to the organization’s systems and encrypted more than one thousand files from invoices, research, and other material. In a similar report, hackers allegedly encrypted a health care center’s financial records and demanded $30,000 for their release. For those interested in learning how states are considering ways of limiting an organizations’ response options during a ransomware attack, check out our article by clicking here.

Leaders are reminded to follow several precautions to protect against ransomware. CISA recommends that businesses should:

    1. Never click on links or open attachments in unsolicited emails;
    2. Back up data regularly and keep it on a separate device;
    3. Segment data based on use cases;
    4. Practice proper cyber hygiene;
    5. Follow safe practices when using devices that connect to the internet;
    6. Restrict users’ permission to install and run software applications;
    7. Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing;
    8. Update software and operating systems with the latest patches; and
    9. Configure firewalls to block access to known malicious IP addresses.

For the complete list of recommendations, check out CISA’s Ransomware Guide. For business leaders interested in evaluating their cybersecurity practices on their networks, check out CISA’s Cyber Security Evaluation Tool.