Consumer Financial Services Alert - February 24, 2009

The Obama Administration announced the framework of its $275 billion Homeowner Affordability and Stability Plan. The plan would allow homeowners with loans held or guaranteed by Fannie Mae or Freddie Mac having a loan-to-value ratio greater than 80% to refinance to a lower interest rate. The plan calls for (1) additional $200 billion in funding for Fannie and Freddie, (2) the Treasury Department to continue purchasing Fannie and Freddie mortgage-backed securities, and (3) increasing the size of Fannie and Freddie’s portfolios by $50 billion to purchase additional mortgage loans. The plan attempts to prevent foreclosures by incentivizing loan modifications. Under the plan, the federal government would match a lender’s interest payment reduction, dollar-for-dollar, that results from taking a borrower’s monthly payment from 38% of his or her monthly income down to 31%. Lower interest rates are expected to be in place for at least five years. Alternatively, lenders could choose to reduce principal balances, with the federal government sharing in the cost. Servicers would receive $1,000 for each eligible modification, and an additional $1,000 each year for up to three years as long as the borrower stays current. Servicers can also receive $500, and lenders $1,500, for modifying “at-risk” loans for which the borrower is still current. A borrower can receive up to $1,000 a year for up to five years towards reducing his or her principal balance if the borrower stays current. Lenders of modified loans would be provided a partial guarantee from the FDIC linked to declines in the home price index. The plan calls for “clear and consistent” mortgage modification guidelines, which the Administration expects to announce by March 4, 2009. Click here for a fact sheet on the plan.

An Illinois federal court ruled that plaintiffs’ mortgage brokers were necessary parties in a lawsuit alleging lending discrimination in violation of the Fair Housing Act and Equal Credit Opportunity Act. Plaintiffs alleged discrimination resulting from actions taken by their brokers “at the direction” of the defendant-lenders, and sought injunctive and other relief against the defendant-lenders that would impact plaintiffs’ brokers. In the face of these allegations and requests for relief, the court ruled that the brokers were necessary parties under Fed. R. Civ. 19 because “complete relief” could not be “accorded” without them and their ability “to protected [their] interests” would be “impaired” absent joinder. Click here for Steele v. GE Money Bank, N.D. Ill. No. 08-C-1880 (Feb. 17, 2008).

The Massachusetts Office of Consumer Affairs and Business Regulation issued a revised version of the new Massachusetts data security regulations on the Standards for the Protection of Personal Information of Residents of the Commonwealth. As previously reported in the October 7, 2008 and November 18, 2008 Alerts, the regulations impose very strict – and specific – data security requirements for all businesses with personal information of Massachusetts residents. The amendments to the regulations make two significant changes and one clarification.

First, the effective date of the regulations has been changed to January 1, 2010. The bulk of the regulations had been scheduled to take effect on May 1, 2009. Companies will have more time for compliance.

Second, there have been significant changes to the vendor management portions of the regulations. The prior version of the regulations contained specific rules regarding a company’s interactions with vendors and service providers having access to personal information of Massachusetts residents. Specifically, the prior version of the regulations required companies to, among other things, contractually obligate vendors to comply with the regulations (specifically referencing them) and to obtain written certifications of compliance from vendors. That level of specificity has been removed. The contractual provision requirement and vendor certification have been eliminated.

Instead, companies will be required to take “all reasonable steps” to (1) verify that all vendors with access to personal information have the capacity to protect personal information in the manner provided for in the regulations; and (2) ensure that the “protective security measures” used by the vendors to protect personal information are at least as stringent as those required to be applied under the regulations.

Third, the provision that mandates encryption for information that is transmitted wirelessly has been clarified. The revised regulations clarify that the encryption requirement applies only to “all data containing personal information” rather than to “all data” to be transmitted wirelessly.

With the effective date pushed back to January 1, 2010, companies will now have more time to get their policies and systems in order. The changes to the vendor and encryption provisions alleviate some of the burdens for companies covered by the rules. For most companies, the regulations continue to necessitate significant changes in data security practices.