Maryland Legal Alert for Financial Services

In this Issue

NCUA Adopts Rule Requiring Federally Insured Credit Unions to Report Cyber Incidents

Convenience Fee Concerns Continue

CFPB Targets “Junk Fees” in Special Supervisory Report

Newest Survey of CFPB UDAAP Actions Released

NCUA Adopts Rule Requiring Federally Insured Credit Unions to Report Cyber Incidents

In February 2023, the National Credit Union Administration (NCUA) adopted a final rule that will require a federally insured credit union to notify the NCUA within 72 hours (or sooner, if possible) after it has reason to believe that it has experienced a “reportable cyber incident.” Under the rule, a “cyber incident” is an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.  To be “reportable,” the cyber incident must both be significant and lead to a (i) substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety or resiliency of operational systems and processes, (ii) a disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities, or (iii) a disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization (also known as a CUSO), cloud service provider, or other third-party hosting provider, or by a supply chain compromise. 

The rule will become effective on September 1, 2023.  

Affected credit unions should also consider whether they have separate notification and remediation obligations under state law, such as the Maryland Personal Information Protection Act.

For more information concerning this topic, please contact Andrew D. Bulgin.

Contact Andrew D. Bulgin | 410-576-4280

Back to In This Issue.

Convenience Fee Concerns Continue

We reported in our February 2022 and June 2022 Maryland Legal Alerts about the Fourth Circuit Court of Appeals (Court) “convenience fee” decision from January 2022, holding that mortgage servicers are debt collectors under the Maryland Consumer Debt Collection Act (MCDCA). The Court held that convenience fees charged to borrowers who paid monthly mortgage bills online or by phone violated the MCDCA even though the borrowers were told they would incur the fee if they paid online or by phone.  The Court made clear that the MCDCA covers an entity that is not a typical third-party debt collector. Under the Court’s rationale, even a financial institution collecting its own debts could be a collector under the MCDCA.

On May 12, 2022 (supplemented with an address update on May 13, 2022), the Office of the Commissioner of Financial Regulation (Commissioner) issued an advisory concerning the Court’s decision.  The Commissioner’s advisory instructed all lenders and servicers (even lenders collecting their own debts) to: (i) review their records to determine if improper convenience fees have been assessed; and (ii) undertake appropriate reimbursements to affected borrowers.  The advisory also instructed lenders and servicers that attempts to “circumvent” the decision by directing borrowers to a payment platform that collects such a fee; or requiring borrowers to amend existing loan documents to include the fee “could also violate Maryland law.”

Because the Court’s decision held that there was no basis under Maryland law for a mortgage servicer to collect a convenience fee, during the 2022 legislative session draft legislation was proposed that would have permitted convenience fees that were pass-through expenses of third-party payment processors under certain circumstances.  Unfortunately, the proposal was not enacted during the 2022 legislative session and no similar proposal has been introduced so far during the current legislative session. This leaves Maryland lenders subject to Maryland law in the position of not having a statutory basis under Maryland law to collect a convenience fee.

Before taking any action concerning convenience fees, financial institutions should consult with counsel regarding the state of existing Maryland law.

For more information concerning this topic, please contact Christopher R. Rahl.

Contact Christopher R. Rahl | 410-576-4222

Back to In This Issue.

CFPB Targets “Junk Fees” in Special Supervisory Report

We reported in our December 2022 Maryland Legal Alert on the Consumer Financial Protection Bureau’s (CFPB) efforts to identify and target financial institutions’ reliance on so called “junk fees.”  In a “special edition” of the Supervisory Highlights, the CFPB reported on its recent findings in this area, noting instances where the CFPB observed institutions charging “junk fees” in the areas of deposits, auto servicing, mortgage servicing, payday and small-dollar lending, and student loan servicing.

The CFPB identified the following “junk fees” as constituting unfair, deceptive, and/or abusive acts or practices:

• Overdraft fees for deposit account transactions authorized against a positive balance but settled against a negative balance;
• Multiple non-sufficient funds (NSF) fees for a single deposit account transaction;
• Assessing late fees which exceed contractual limits in an auto loan agreement;
• Assessing late fees for missed monthly payments after the auto loan servicer accelerated the loan balance;
• Assessing estimated repossession fees that exceed average repossession cost;
• Charging payment processing fees that exceed the servicer’s actual cost for processing the payments;
• Charging for repeated property inspections on collateral when the mortgage servicer knew that the inspectors had an incorrect address;
• Including private mortgage insurance (PMI) premiums that the borrower did not owe on monthly statements;
• Failing to waive late charges, fees, and penalties that were subject to waiver under the CARES Act;
• Charging PMI premiums that should have been automatically removed;
• Splitting and re-presenting payments without customer authorization, leading to multiple NSF fees for payday and small dollar loan customers;
• Charging unauthorized repossession fees (including fees to recover personal property in a vehicle); and
• Assessing late fees that resulted when servicers reversed payments that were made with credit cards, after customers were allowed to make such payments (against company policy).

The CFPB continues to signal that it is heavily scrutinizing any fees and charges assessed to customers. At a minimum, financial institutions should evaluate whether any fees it charges are authorized by contract and/or applicable law. Additionally, financial institutions should review their fees to assess the degree to which such fees could be construed as being hidden/undisclosed or whether the fees might be deemed excessive in light of the circumstances in which they arise (e.g., payment processing fees which exceed the servicer’s processing costs).

For questions concerning this topic, please contact Bryan M. Mull.

Contact Bryan M. Mull | 410-576-4227

Back to In This Issue.

Newest Survey of CFPB UDAAP Actions Released

In case you missed it, we have updated our recurring article: A Survey of Activities Identified as Unfair, Deceptive, or Abusive by the CFPB. The article provides a detailed summary of enforcement actions brought by the Consumer Financial Protection Bureau (CFPB) concerning unfair, deceptive, and abusive acts or practices (UDAAPs) in the second half of 2022.

A review of the specific acts or practices identified by the CFPB as being problematic and resulting in UDAAP violations is instructive for industry participants in conducting their own internal compliance reviews to ensure that they do not engage in similar practices.

If you have questions about this topic or for assistance with any compliance review, please contact Bryan M. Mull or Christopher R. Rahl.

Contact Bryan M. Mull | 410-576-4227

Contact Christopher R. Rahl | 410-576-4222

Back to In This Issue.