Friday, April 26, 2019

Protecting Children’s Online Privacy

We were recently cited for not having our website COPPA compliant. We offered our customers a chance to start a savings plan for their children’s college education and the children would be given access to see how their savings plan was growing. We are trying to do a review for COPPA compliance, but it seems to be somewhat of a daunting task. What are some of the COPPA requirements that we should be considering?

Compliance with the Children’s Online Privacy Protection Act (COPPA) can be challenging. Although you can conduct a website compliance review on your own, be careful, because there are a host of regulations that apply, of which COPPA is but one.

If you want a quick and cost-effective website compliance review, I suggest you contact us for a Website Tune-up! You will get the kind of diagnostics that let you make the updates you need to ensure compliance.

All institutions that operate websites (or even web pages) designed for use by children should be aware that the Federal Trade Commission adopted regulations to implement COPPA requirements. [15 USC § 6501 et seq.; 16 CFR Part 312. COPPA provides that the federal banking agencies are responsible for implementing its provisions regarding financial institutions. See 15 USC § 6505(b)]

You may be thinking COPPA does not apply to you, since you are a financial institution. But when you publish your website, children may also have access to it. There’s a reason why certain disclosures qualify the applicant by affirming that he or she is eighteen years of age or older. A financial institution does not usually operate a website directed at children for financial purposes; however, COPPA requires website operators, including banks and other financial institutions, to comply with the regulations adopted by the FTC to implement COPPA, but leaves enforcement up to the federal banking regulators.

Operators of websites or online services directed to children or operators who have actual knowledge that the person from whom they seek information is a child must: 
  • Post prominent links on their websites to a notice of how they collect, use, and/or disclose personal information from children.
  • With certain exceptions, notify parents that they wish to collect information from their children and obtain parental consent before collecting, using, and/or disclosing the information.
  • Not condition a child’s participation in online activities on the provision of more personal information than is reasonably necessary to participate in the activity.
  • Allow parents the opportunity to review and/or have their children’s information deleted from the operator’s database and to prohibit further collection from the child.
  • Establish procedures to protect the confidentiality, security, and integrity of personal information they collect from children.

The rules focus on operators of websites or online services specifically directed at children, but they also reach operators of general audience websites (in other words, non-child-directed sites). A website is not considered directed at children simply because it refers or links to other websites or online service(s) directed to children. [64 Federal Register 59893 (11/3/99)]

Nevertheless, operators of general audience websites are liable for violating the COPPA rules only if they: 
  • Have actual knowledge that postings are being made by children under 13, or
  • Fail to delete any personal information before it is made public and also fail to delete it from their records.

If a general audience website has a distinct children’s “portion” or “area,” then the operator is required to provide the protections of the FTC regulation for visitors to that portion of the site. The rule allows general audience websites with children’s areas to post the required link to the children’s privacy policy at the home page of the children’s area rather than the home page of the overall site. [Idem at 59894]

There are a host of rules involving COPPA. For instance, operators of child-directed sites must give notice and obtain parental consent in order to give a child an email account. Operators of general audience sites would only be required to provide notice and obtain parental consent if registration or other information reveals the person seeking the email account is a child.

In August 2009, the Office of the Comptroller of the Currency (OCC) revised its Comptroller’s Manual to include COPPA procedures that previously had appeared only in banking bulletins. So, expect regulators to include COPPA compliance in regulatory examinations. The Comptroller’s Manual explains that the regulation requires an operator of a website or online service directed to a child, or any operator who has actual knowledge that it is collecting or maintaining personal information from a child, to:
  • Provide a clear, complete, and understandably written notice to the parent and on the website or online service of their information collection practices with regard to children, describing how the operator collects, uses, and discloses the information.
  • Obtain, through reasonable efforts and with limited exceptions, verifiable parental consent prior to the collection, use, or disclosure of personal information from children.
  • Provide a parent, upon request, with the means to review and have deleted the personal information collected from his or her child and to refuse to permit its further use or maintenance.
  • Limit collection of personal information for a child’s online participation in a game, prize offer, or other activity to information reasonably necessary for the activity.
  • Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.

Jonathan Foxx
Managing Director
Lenders Compliance Group

Thursday, April 18, 2019

Federal Consumer Financial Laws: Civil Money Penalties

Last week you discussed the tier-based penalties for violations of the FCRA. Your FAQ was in response to a question posed by counsel to a retail mortgage lender. I am also a lawyer and the compliance officer of a multi-platform mortgage lender. You mentioned that the tiered-based penalties apply to “Federal consumer financial law.” I have two questions. First, what laws are designated as a Federal consumer financial law? Second, you gave the 2018 adjustments for civil money penalties. What are the 2019 penalty amounts?

Thank you for your valuable question. Last week we published our FAQ, entitled FCRA: Penalties for Non-Compliance. The article drew a strong response. Obviously, there is some concern about such matters. However, as I’ve said many times, a strong compliance management system can substantially reduce and mitigate regulatory hazards. Our CMS Tune-up!™ is affordable and will get you started in the right direction. Download our Presentation for details!

To your first question regarding “Federal consumer financial law,” this term includes:
  • Alternative Mortgage Transaction Parity Act (AMTPA),
  • Consumer Leasing Act (CLA and Regulation M),
  • Electronic Fund Transfer Act (EFTA and Regulation E),
  • Equal Credit Opportunity Act (ECOA and Regulation B),
  • Fair Credit Billing Act (FCBA, addressed in Regulation Z),
  • Fair Credit Reporting Act (FCRA),
  • Home Owners Protection Act (HOPA, primarily regarding mortgage insurance),
  • Fair Debt Collection Practices Act (FDCPA),
  • Parts of the FDIC Act and Gramm-Leach-Bliley Act,
  • Home Mortgage Disclosure Act (HMDA and Regulation C),
  • Home Ownership and Equity Protection Act (HOEPA, addressed in Regulation Z),
  • Real Estate Settlement Procedures Act (RESPA and Regulation X),
  • S.A.F.E. Mortgage Licensing Act (SAFE Act),
  • Truth-in-Lending Act (TILA and Regulation Z),
  • Truth-in-Savings Act (TISA),
  • Section 626 of the Omnibus Appropriations Act of 2009 (addressed in the MAP and MARS rule, CFPB Regulations N and O, respectively), and
  • Interstate Land Sales Full Disclosure Act.

To your second question about the 2019 adjustments to civil monetary penalties, on January 1, 2019 the Consumer Financial Protection Bureau (CFPB) increased the maximum civil money penalties for violating a Federal consumer financial law to $5,781 per day for a Tier 1 penalty; $28,906 for a Tier 2 penalty (“reckless” engagement); and $1,156,242 for a Tier 3 penalty (“knowing violation”).

Just to provide some additional information, for 2019 the CFPB also adjusted several of the civil monetary penalty amounts, pursuant to the Federal Civil Penalties Inflation Adjustment Act, as follows:

  • Increased the maximum appraiser independence penalties to $11,563 per day for a first violation (up from $11,279 in 2018) and $23,125 per day for subsequent violations (up from $22,556 in 2018);
  • Increased the RESPA escrow statement maximum penalty to $94 per failure with the annual cap adjusted to $189,427, and raised the maximum penalty for “intentional disregard” to $190 per failure with no annual cap;
  • Increased the maximum penalties for violation of the Interstate Land Sales Full Disclosure Act to $2,014 per violation, with a $2,013,399 annual cap; and
  • Increased the maximum penalty for a loan originator violating the SAFE Act to $29,192 per violation.

The Federal Civil Penalties Inflation Adjustment Act requires federal agencies to annually adjust for inflation the civil monetary penalties within their jurisdiction according to a statutorily prescribed formula. The agencies apply a cost-of-living adjustment multiplier determined by the Director of the Office of Management and Budget (OMB) to the current penalty amount.

Jonathan Foxx, PhD, MBA
Managing Director
Lenders Compliance Group

Thursday, April 11, 2019

FCRA: Penalties for Non-Compliance

I am the General Counsel for a company that is primarily a retail mortgage lender, but we do originate as a mortgage broker for certain loan products. We recently went through a state banking examination and were told in the exit interview that we may have some FCRA violations. It is my understanding that the FCRA’s penalties are tier-based. What are the tier-based penalties for violations of the FCRA?

The Fair Credit Reporting Act (FCRA) does, indeed, have a sliding scale of penalties for non-compliance, which vary based on the willfulness of the non-compliance.

For willful failure to comply, your company would be liable to an aggrieved consumer in an amount equal to the sum of (1) any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000, (2) punitive damages as the court may allow, and (3) the costs of the action together with reasonable attorneys’ fees as determined by the court. [15 USC § 1681n]

For negligent non-compliance, your financial institution would be liable to the consumer in an amount equal to the sum of (1) any actual damages sustained by the consumer as a result of the failure, and (2) the costs of the action together with reasonable attorneys’ fees as determined by the court. [15 USC § 1681o]

An action may be brought in any appropriate United States district court without regard to the amount in controversy, or in any other court of competent jurisdiction, within two years from the date on which the liability arises. [15 USC § 1681p] However, if the defendant has materially and willfully misrepresented any information required by the FCRA to be disclosed to an individual and the misrepresented information is material to the establishment of the defendant’s liability, the action may be brought at any time within two years after discovery by the individual of the misrepresentation. [15 USC § 1681p]

The FCRA also gives the Consumer Financial Protection Bureau (CFPB), Federal Trade Commission (FTC), and other appropriate federal regulatory agencies the power to bring civil enforcement actions. [15 USC § 1681s]

I should mention that court decisions have pointed out that the FCRA penalties are not readily available for each and every FCRA violation. I know this seems odd, but courts have disagreed as to whether the section that requires furnishers of information to conduct investigations and report necessary corrections creates a private action enforceable by consumers. [15 USC § 1681s-2(b)] For instance, Nelson v. Chase Manhattan does uphold the private action, whereas Elmore v. North Fork Bancorporation hedges a bit, noting that it does, but still recognizes the disagreement. [See Nelson v. Chase Manhattan Mortgage Corporation, 282 F.3d 1057, 1059–60 (9th Cir. 2002); Elmore v. North Fork Bancorporation, Inc., 325 F. Supp. 2d 336 (S.D.N.Y. 2004)]

To get a sense of how this issue is adjudicated, consider the section that imposes upon furnishers a duty to provide accurate information [15 USC § 1681s-2(a)], which may only be enforced by federal or state agencies or officials. A 2005 court decision held that a plaintiff had no cause of action to protest a lender’s erroneous report of an unwanted, unfunded (i.e., non-existent) loan to consumer reporting agencies, after the plaintiff asked the lender to correct its reporting and the lender promptly, the following day, did so. [Ornelas v. Fidelity National Title Co. of Washington (W.D. Wash. Dec. 9, 2005)]

The FCRA generally provides penalties as I’ve described above. But the Dodd-Frank Act (DFA) offers the possibility of substantially higher penalties than those specified by the FCRA, the FCRA being a “Federal consumer financial law” within the meaning of the DFA. These penalties (which the CFPB may inflation-adjust from time to time) vary from up to $5,000 per day for any violation, to $25,000 per day for a violation “recklessly engaged in,” and to $1,000,000 per day for a provision “knowingly violated.” 

For instance, in January 2018 the CFPB adjusted the civil monetary penalty amounts, as required by the Federal Civil Penalties Inflation Adjustment Act. The CFPB increased the maximum civil money penalties under the Consumer Protection Act for violating a Federal consumer financial law to $5,639 per day for a Tier 1 penalty, $28,195 for a Tier 2 penalty (“reckless” engagement), and $1,127,799 for a Tier 3 penalty (“knowing violation”).

Even firms that are not subject to the CFPB’s enforcement authority are subject to these penalties, which could be sought by their prudential regulator or an applicable State Attorney General or state regulator, and perhaps by consumers as well.

Jonathan Foxx, PhD, MBA
Managing Director
Lenders Compliance Group

Thursday, April 4, 2019

Excluding Fees from the Finance Charge

I am the compliance officer of a regional mortgage banker. As an attorney, I am familiar with several regulatory guidelines involving the Truth in Lending Act with respect to allowing certain charges to be excluded from the “finance charge” if itemized and disclosed to the consumer. Is there a test for excluding fees from the finance charge?

The Truth-in-Lending Act (TILA) and Regulation Z, its implementing regulation, allow the following charges to be excluded from the “finance charge” if itemized and disclosed to the consumer: 
(1) taxes and fees prescribed by law that actually are or will be paid to public officials for determining the existence of or for perfecting, releasing, or satisfying a security interest;
(2) the premium for insurance in lieu of perfecting a security interest (i.e., “non-filing insurance”) to the extent the premium does not exceed the fees described in item (1) that otherwise would be payable; and,
(3) any tax levied on security instruments or on documents evidencing indebtedness if the payment of the taxes is a requirement for recording the instrument securing the evidence of indebtedness.

Let’s call it the “three-prong test.”

Condensed to a brief outline, the three prongs are:
(1) paid to a public official,
(2) perfecting a security interest, and
(3) prescribed by law.

To drill down a bit, a creditor may aggregate the fees described in items (1) and (2) for disclosure purposes, rather than itemizing them according to the specific fees and taxes imposed. With respect to excluding a fee from the finance charge, Regulation Z makes clear that sums must be actually paid to public officials to be excluded under item (1), such as charges or other fees for filing or recording security agreements, mortgages, continuation statements, termination statements, and similar documents. Other examples include intangible property or other taxes. [§ 1026.4, Comment 4(e)-1]

Now to applying the three-prong test!

A federal bankruptcy court in Alabama considered whether an electronic filing fee required by state law for filing a Uniform Commercial Code (UCC) statement fell within item (1), even though the fee was paid to the state and then passed along by the state to a third-party electronic service provider. The case I have in mind is Hall v. Republic Finance, LLC. [Hall v. Republic Finance, LLC, N.D. AL, Feb. 5, 2019]

Hall borrowed $3,533.54 from Republic Finance. The itemization of amount financed section of her note reflected that the amount financed included a charge of $24.75 for “Amounts Paid to Public Officials” for filing and termination fees, where $15.00 of the fee was attributed to “File” and $9.75 to “Access.”