Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Pepper has developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below find a breakdown of some of the biggest COVID-19 driven events at the federal and state levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

• On November 4, the Consumer Financial Protection Bureau (CFPB) released research, finding that consumers in majority Black and Hispanic neighborhoods, as well as younger consumers and those with low credit scores, are far more likely to have disputes appear on their credit reports. As part of a series of reports focusing on trends in the consumer financial marketplace, the new research uses data on auto loan, student loan, and credit card accounts opened between 2012 and 2019. For more information, click here.

• On November 4, the Occupational Safety and Health Administration (OSHA) released the COVID-19 vaccination emergency temporary standard (ETS), which became effective on November 5. Employers covered by the standard must develop, implement, and enforce a mandatory COVID-19 vaccination policy, with the exception of employers that instead adopt a policy requiring employees to either get vaccinated or in lieu of vaccination, choose to undergo regular COVID-19 testing and wear a face covering at work. For more information, click here.

• On November 2, the CFPB issued an advisory opinion, affirming that consumer reporting companies, including tenant and employment screening companies, are violating the law if they engage in shoddy name-matching procedures. Regulators are concerned about the significant harms caused by false identity matching, where an applicant is disqualified from rental housing or a job based on having the same name as another individual with negative information in his/her credit history. Specifically, the CFPB affirmed that matching consumer records solely through the matching of names is illegal under the Fair Credit Reporting Act. For more information, click here.

• On November 1, the Treasury Department called on Congress to regulate issuers of “stablecoins” and urged financial agencies to assess whether the role of these fast-growing digital assets in the country’s payments system posed a systemic risk. For more information, click here.

• In October, the Consumer Bankers Association released a new white paper, “The Case For Regulation Through Rulemaking & Guidance,” that advocates for the CFPB to use rulemaking and informal written guidance in lieu of attempting to create new industry regulatory standards through enforcement. For more information, click here.

State Activities:

• On November 3, the New York State Department of Financial Services (DFS) announced proposed regulations that will “evaluate how well New York regulated banking institutions are serving their communities under an enacted amendment New York State’s Community Reinvestment Act (CRA) with respect to minority- and women-owned businesses.” The proposed regulation is subject to a 60-day comment period, following publication in the State Register. For more information, click here.

• On November 3, California Attorney General Rob Bonta announced the creation of a Housing Strike Force within the California Department of Justice and that his office would convene a series of tenant roundtables across the state. “California is facing a housing shortage and affordability crisis of epic proportion,” said Attorney General Rob Bonta. “Our Housing Strike Force, along with the tenant roundtables and Housing Portal, will allow DOJ to ramp up our efforts to tackle this crisis and advance housing access, affordability, and equity across California.” For more information, click here.

• On November 4, South Carolina Attorney General Alan Wilson issued a statement after OSHA released the details of its private employer vaccine mandate, indicating “[t]his is garbage and it’s unconstitutional so we will be fighting it. OSHA does not have the authority for this kind of mandate.” Attorney General Wilson stated South Carolina plans to join other states in filing a lawsuit to stop the regulations. For more information, click here.

• On October 29, the New York State Department of Financial Services issued proposed revisions to the regulation concerning third-party collection agencies and debt buyers. The amendments intend to help ensure consumers only pay debts they owe and pay them only once by improving consumers’ access to information about alleged debts and by mitigating opportunity for predatory debt collection. For more information, click here.

Privacy and Cybersecurity Activities:

• On November 5, the Federal Trade Commission (FTC) published tips intended to help small businesses bolster their digital defenses. Since the COVID-19 pandemic has forced small businesses into the virtual world, many businesses may not have the strongest cybersecurity practices due to lack of preparation time. The FTC recommends (1) making sure your tech team follows best practices to fend off a ransomware attack and (2) scheduling a security refresher for your employees. The FTC recommends a refresher for all staff — not just information technology personnel. To read the full article, click here.

• On November 2, Republicans in the House Energy and Commerce Committee released a draft privacy bill known as the Control Our Data Act (CODA). As currently drafted, CODA would not offer a private right of action and would prevent states from exceeding “one national standard” in privacy legislation. Cathy McMorris Rodgers argues that a “national standard will provide clear rules of the road and give Americans the same data protections wherever they go[.]” In addition, the bill calls for establishing a new administrative unit, the Bureau of Consumer Privacy Protection and Data Security, which would be tasked with enforcement, education, and rule making powers. For those interested in reading the full draft privacy bill, click here.

• On November 3, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operative Directive (BOD) 22-01, which provides priorities and vulnerability management priorities for federal agencies. While these directives only apply to federal civilian agencies, CISA strongly recommends that any private businesses, as well as local and state governments, prioritize mitigation of vulnerabilities listed in CISA’s public catalog. These priorities include (1) establishing a process to review and update agency internal vulnerability management procedures, (2) defining necessary action to enable prompt response to actions required by this directive, and (3) remediating each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. With the rise of ransomware attacks and remote work, businesses and governments alike can take guidance from this directive. To read the full directive, click here.