Data Breach. Yesterday, Equifax revealed that it incurred a massive data breach – impacting at least 143 million consumers. Equifax is reaching out to all of its clients – including many online lenders – to let them know what it is doing to mitigate the effects of this massive breach. Equifax’s official statement is that they are ensuring a breach like this never happens again, none of their core credit databases were penetrated, and they plan to offer every U.S. consumer free credit monitoring for a specified period of time.

What’s Next? There are already news reports that Equifax may not be handling the influx of concerned consumers well – requiring consumers to enter their last name and last six digits of their Social Security number (which has irked more than a few consumers). Interestingly, this request for “last six digits” seems to indicate that the typical requirement for last four is not enough to verify consumers’ identities after this breach.

Equifax, however, is doing the right thing by actively reaching out to their clients and consumers.  They have assured their clients that the breach related only to their consumer facing site and not to their core credit database, so consumers’ credit reports (detailing tradelines, etc.) were not exposed.

Lender Implications. Today, online lenders will review their third-party risk management protocols to better understand the nature of the breach and to develop a response to their impacted clients. Tomorrow, online lenders will have to get some comfort that Equifax has sufficiently handled this problem and, as they are handling this problem, online lenders need to ensure that Equifax is still able to handle other aspects of its relationship with these clients. Namely, Equifax has a large suite of fraud prevention products that the online lending industry relies on, among other related services.

Also of note, the long term effects of this breach may impact the integrity of the data that online lenders use for a variety of reasons (target marketing and prescreened offers, underwriting and pricing for instance).  If that impact is negative, it could hurt the operations of the online lenders and could also result in more fraud due to the speed of the process – online lenders will need to show how their security accounts for these highlighted risks.

OLPI will continue to monitor this story as it develops.  OLPI will also ensure that this issue – cyber security risks—is fully briefed at its 2nd Annual OLPI Policy Summit this month on September 25 in Washington, DC. For more information, please visit http://www.onlinelendingpolicysummit.com/

The 2015 decision by the Second Circuit Court of Appeals in Madden v. Midland Funding, LLC precipitated uncertainty among financial services providers and the secondary market.  Many legal experts believed the decision cast doubt on and generally ignored the longstanding legal principle of “valid-when-made.”  That is, a loan or contract that was non-usurious when it was made remain non-usurious when it is subsequently transferred to another person.  In Madden, however, the decision found that the sale and assignment of a loan to a non-bank by a national bank did not necessarily transfer to the loan purchaser the right to charge interest at the rate allowed by the national bank and specified in the loan contract.  Critics of the decision (including President Obama’s US Solicitor General) claim the court’s conclusion is wrong and violates contractual principles of assignment as well as the long standing legal precedent that loans are “valid-when-made.” Read More

Comptroller Curry will leave his post as Comptroller of the Currency on May 5.  President Trump appointed Keith Noreika to serve as acting comptroller.  Mr. Noreika is a banking law expert and a partner at the law firm of Simpson Thacher & Bartlett LLP.  He will keep the OCC running until President Trump names a permanent replacement (and that proposed permanent replacement is confirmed by the Senate). Read More