InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Washington State Attorney General obtains civil penalties against debt collection agency for medical debt collection practices
On March 19, the Washington State Attorney General (AG) obtained an order from the King County Superior Court providing that a debt collection agency must pay civil penalties for allegedly failing to comply with the Washington Collection Agency Act and Consumer Protection Act when collecting medical debts, specifically by failing to provide the required disclosures in its consumer communications. The court found that the debt collection agency sent 82,729 debt collection notices to medical debtors without the necessary disclosures, which included notification of the debtor’s right to request the original or redacted account number assigned to the debt, the date of last payment, and an itemized statement. The notices also did not inform the debtor that the debtor may be eligible for charity care from the hospital or provided contact information for the hospital. According to the AG’s Office, the collection agency “unlawfully collected payments from … patients without providing critical information about their rights when faced with medical debt. By excluding the legally required disclosures about financial assistance in its collection letters, [the collection agency] created barriers that kept patients who likely qualified for financial assistance from learning about and accessing help with their hospital bills.”
The court ordered a civil penalty of $10 per violation for the debt collection agency’s 82,729 alleged violations of the state Consumer Protection Act, totaling $827,290. Additionally, the court ordered the debt collection agency to reimburse the AG’s office for the costs of bringing the case, which is estimated to exceed $400,000 and to update its practices to comply with Washington law. In determining the civil penalty amount, the court found, among other things, that the debt collection agency acted in bad faith by “fail[ing] to take basic compliance steps,” and “fail[ing] to obtain the correct license … maintain an office in the state, and … include the mandatory disclosures on medical and hospital debt.”
As previously covered by InfoBytes, the AG successfully sued the nonprofit health system in early February, entering a consent decree pursuant to which the health system must pay $158 million in patient refunds, debt forgiveness, and AG costs.
Virginia enacts HB 880, provides protections from lien enforcement against primary residences
On March 8, the Governor of Virginia signed HB 880 (the “Act”), which will prohibit enforcement of a lien against real estate if the real estate is the judgment debtor’s primary residence and the amount of the lien does not exceed $25,000. Additionally, if the lien will arise from fees charged by a common interest community association (under certain chapters of Virginia law), the Act will prohibit court action to enforce the lien, given the sum of all judgments, (excluding interest and costs), is $5,000 or less. The Act will also impose recordkeeping requirements for such common interest community associations, specifically, (i) to maintain individual assessment account records; and (ii) to maintain records of any recorded lien during its effective duration. The Act will go into effect on July 1.
Indiana enacts SB 220 on cyber incident notification guidelines
On March 11, the Governor of Indiana signed SB 220 (the “Act”) which will add cyber incident notification guidelines for financial institutions. The Act defined the term "corporation" as the following entities organized in Indiana, including a (i) bank; (ii) trust company; (iii) corporate fiduciary; (iv) savings bank; (v) savings association; (vi) industrial loan and investment company with federal deposit insurance; (vii) credit union; and (viii) bank of discount and deposit.
According to the Act, a corporation will be required to inform the director of the department about a reportable cyber incident or notification incident following the same protocol mandated by the corporation's federal regulatory body or deposit insurance provider. If a corporation does not have a federal regulatory body or deposit insurance provider, it must report the cyber incident to the director of the department using the procedures outlined in U.S.C. 12 CFR 748.1(c), which despite typically applying to federally insured credit unions, will also apply to corporations. The Act will go into effect on July 1.
Utah amends provisions on notifications and definitions of commercial financing transactions
On March 13, the Governor of Utah signed into law SB 25, a bill that amended certain provisions related to commercial financing transactions, specifically repealing provisions related to disclosing commercial financing transactions and adding the requirement that a party subject to the notification requirement must submit evidence of registration with the NMLS. The bill also amended Section 7-27-101 of the Laws of Utah, to update the definition of the term “broker” and separate it from the term “provider.” Under Section 7-27-202, the bill removed certain disclosures for commercial financing transactions, including disclosures previously required for open-end credit plans after disbursing funds. Additionally, under Section 70C-1-302, the bill updated two more defined terms: “Commissioner” and “Nationwide database.” Lastly, under Section 70C-8-202, the bill amended certain notification requirements, specifically indicating the party shall file a notification via the NMLS, and such notification will be required annually on or before December 31. The bill will go into effect on May 1.
Utah amends its Consumer Sales Practices Act
On March 13, the Governor of Utah signed HB 443 (the “Act”), also known as the Utah Consumer Sales Practices Act Amendments, into law. The Act will amend class action lawsuits and will clarify provisions related to “targeted solicitations” involving financial information. According to the Act, “targeted solicitation” will be defined as any written or oral advertisement for a product or service that (i) is addressed to the consumer’s personal account; (ii) contains specific account information (iii) is offered by a supplier that is not sponsored by or affiliated with the financial institution managing a consumer’s personal account; and (iv) is not authorized by the financial institution managing the consumer’s personal account. The Act will go into effect on May 1.
Indiana enacts HB 1284 regarding change in terms for deposit accounts
On March 12, the Governor of Indiana signed HB 1284 which codified a new chapter regarding a contract for a deposit account between a depository institution and a consumer may be changed occasionally, subject to the terms of the deposit account agreement. The bill will provide that after continued use of the deposit account by the consumer after a modification to the agreement has been disclosed through written notice by the depository institution, then it will be considered clear or “prima facie” evidence that the consumer will accept the new terms. The depository institution must provide written notice of the changes at least 30 days before the effective date of any change to the deposit account agreement. The bill will go into effect on July 1.
Utah amends credit report disclosures to protect consumers
On March 13, the Governor of Utah signed into law HB 99, a bill that amended certain provisions related to consumer credit protections. Specifically, the bill made an addition to the Credit Services Organizations Act at Utah Code 13-21-7.5, adding a disclosure requirement when a credit services organization provides a credit report to a consumer. The disclosure must identify the consumer reporting agency that provided the information, the credit score model used to calculate the score, and the minimum and maximum possible scores under the model. This bill will go into effect May 1.
Wyoming SF 96 amends regulations for banks offering custodial or fiduciary services for digital assets
On March 15, the Governor of Wyoming signed SF 96 (the “Act”), which amended regulations for banks offering custodial or fiduciary services for digital assets, made conforming adjustments, and set an effective date. The Act clarified the commissioner’s ability to petition for discharge of receivership duties at the commencement of a bankruptcy proceeding. With respect to digital asset custodial services, the Act included two new provisions which detailed how (i) a bank will be permitted to offer custody services for stablecoin reserves as long as these services align with the guidelines of the Act and adhere to the commissioner's rules and regulations; and (ii) a supervised trust company chartered within Wyoming will be authorized to offer custodial services for digital assets, provided that it would meet the requirements of the Act and follow the commissioner's rules and regulations. The Act will go into effect on July 1.
Washington State enshrines new act on uniform special deposits
On March 13, the Governor of Washington State signed into law SB 5801, enshrining a new chapter titled the Uniform Special Deposits Act. The law will apply to special deposits under account agreements that intend to establish a special deposit. In Section 5, a “special deposit” is characterized as a bank deposit for the benefit of two or more beneficiaries, denominated in a currency for the purposes stated in the account agreement, and “subject to a contingency.” The law further described the process for determining a permissible purpose, payment to a beneficiary by a bank, and the duties and liability of the bank, among others. It also described that, unless provided for in the account agreement, special deposits will terminate five years after the date it was first funded. The Uniform Special Deposits Act will go into effect July 1.
New Hampshire enshrines a new consumer privacy law
On March 6, the Governor of New Hampshire, Chris Sununu, signed into law a sweeping consumer privacy bill. Under the act, consumers will have the right to confirm if a controller (an individual who controls personal data) is processing their personal data, a right to access that data, as well as correct inaccuracies, obtain a copy, delete, and opt-out of the processing of the data for targeted advertising purposes. The act also imposed limits on collectors, including that a controller shall (i) limit the collection of data to only what is adequate, relevant, and reasonably necessary for the intended purpose; (ii) establish and maintain administrative security practices to protect the confidentiality of consumer personal data; (iii) not process sensitive data without obtaining the consumer’s consent or, if the data concerns a known child, process the data in accordance with COPPA; (iv) provide an easy means for consumers to revoke consent; and (v) not process personal data for targeted advertising purposes without consumer consent. The bill further outlined a processor’s responsibilities and required controllers to conduct a data protection assessment for each action that may present a risk of harm to a consumer. The act will go into effect on January 1, 2025.