insideARM Weekly Recap – Week of October 28th, 2024

The world of debt collection is never at a loss for updates, but separating the important stuff from the background noise isn't always easy. At insideARM, our goal is to help you answer those questions. Every Monday, we bring you a recap of the need-to-know highlights to help you stay informed. 

On Tuesday, CFPB Bites featured a CFPB report exposing cash-back fees at major retail chains that disproportionately impact low-income communities, a report on ongoing issues in medical and rental debt collections, and a consumer advisory on hidden costs in video games. The CFPB also provided guidance to banks on obtaining consent for overdraft fees and defended the Small Business Data Rule in court. Notable enforcement actions targeted a deceptive membership credit card, a misleading mortgage lender, a mortgage servicer violating foreclosure policies, a national bank reporting inaccurate credit data, and a federal student loan servicer accused of mismanaging loans. 

On Wednesday, we circulated news that the CFPB has permanently banned private arbitration platform Ejudicate from handling consumer financial product disputes, citing misleading and unfair practices toward student borrowers. Ejudicate allegedly initiated sham arbitration proceedings on behalf of Prehired, a company previously shut down for illegal lending practices tied to its income share agreements. The CFPB found Ejudicate falsely claimed neutrality while earning contingency fees from settlements, forced consumers into arbitration without their consent, and limited borrowers' ability to contest claims. Along with the ban, Ejudicate received a nominal civil penalty due to its inability to pay. This action highlights the CFPB's focus on protecting consumers from deceptive arbitration practices under the Dodd-Frank Act. 

Finally, to close the week, we shared that New York Department of Financial Services cybersecurity regulations now require financial services firms to implement multi-factor authentication for all information system access and mandate annual training on social engineering tactics, including phishing and AI-driven threats. Chief information security officers must deliver annual reports to senior leadership on cybersecurity plans, risks, and improvements, while the governing body must oversee program resources and management. Entities must also establish encryption procedures, detailed incident response and recovery plans, and business continuity protocols. Additional requirements, including data retention and access management rules, are set to take effect in November 2025. 

As always, we thank you for reading the weekly recap to stay on top of this ever-changing industry! For a breakdown of the week of October 21st, click here.   

Have a question about how your company should react to the news above? We have a group for that! The weekly peer call hosted by insideARM’s Research Assistant is the perfect place to ask a question and get advice from industry colleagues who are facing the same challenges you are. Not sure if it is for you? Try it on for size with our 1-month free trial. Click here to learn more!