InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California AG advocates for medical payment reforms
California Attorney General Rob Bonta submitted a letter to federal agencies urging the federal government to adopt regulations and statutory protections to help protect patients who may need to use medical credit cards and installment loans to pay for healthcare-related bills.
The letter notes that medical payment products exacerbate health disparities, that patients seeking medical care may not be in an appropriate position to make complex financial decisions, and offers California’s protections against medical payment products as a model framework.
In the letter, which is addressed to the U.S. Department of Health and Human Services, Centers for Medicare & Medicaid Services, the CFPB, and the Treasury, Bonta recommends (i) designating medical credit card debt as medical debt and not consumer debt; (ii) ensuring providers properly screen patients for financial aid and charity care before offering a medical payment product; (iii) limiting enrollment when patients may be distressed or under the influence of medication; (iv) providing written notice of financial assistance and potential eligibility for charity care; (v) making reasonable efforts to notify patients about the level of insurance coverage of medical expenses; and (vi) reducing patient cost-sharing responsibilities.
California governor signs executive order on GenAI
On September 6, California Governor Gavin Newsom signed an Executive Order (E.O.) instructing state agencies to evaluate how generative artificial intelligence (GenAI) may impact the State and its residents. Specifically, the E.O. requires certain state agencies to provide a report to the Governor which will examine “the most significant, potentially beneficial uses” of GenAI tools by the state. The report must also discuss “the potential risks to individuals, communities, and government and state government workers” from GenAI tools. Certain California agencies, including the Department of Technology, must perform a “risk analysis of potential threats to and vulnerabilities of California’s critical energy infrastructure by the use of GenAI.” The E.O. also requires that the State issue “general guidelines for public sector procurement, uses, and required training for use of GenAI,” and consider pilots of GenAI projects to be tested in “sandboxes.” Lastly, the E.O. directs the State to pursue a formal partnership with certain California higher education institutions to study the impacts of GenAI and support its safe growth.
California AG announces settlement with mortgage servicer
On September 1, California Attorney General (AG) Rob Bonta announced a settlement with a mortgage servicer for its alleged failure to properly process and grant mortgage deferment requests from California military reservists called to active duty. California’s Military and Veterans Code, which includes the California Military Families Financial Relief Act, allows reservists to delay paying mortgages, credit cards, property taxes, car loans, utility bills, and student loans. To defer payment, they must submit a written request and their military orders to the entity to which their payments are due. The AG noted that the California Department of Justice investigated the mortgage servicer’s processes for handling mortgage deferment requests and found that the servicer delayed granting the deferment requests, requested information for eligibility review outside of the 30-day timeframe to do so, and improperly denied deferment requests, on at least 10 occasions. Furthermore, the servicer allegedly attempted to collect payment from some borrowers during the requested deferral period by making calls and sending notices that warned that the servicer would foreclose on the borrowers’ properties if they failed to pay. The servicer also allegedly incorrectly charged some borrowers late fees and other charges for nonpayment of payments that should have been deferred. Finally, the servicer allegedly provided incorrect negative credit information to credit reporting agencies.
Under the terms of the settlement, the servicer agreed to, among other things, (i) pay $58,000 in civil money penalties; (ii) “remediate consumer harm”; (iii) disclose deferment request status to borrowers; and (iv) provide annual reports to the AG documenting compliance with the injunctive terms.
DFPI finalizes small business UDAAP and data reporting rule
DFPI recently approved the final regulation for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. After considering comments and releasing three rounds of modifications to Sections 1060, 1061, and 1062, the final regulation will, among other things, bring protections to small businesses seeking loans, by (i) defining and prohibiting unfair, deceptive, and abusive acts and practices in the offering or provision of commercial financing to small businesses, nonprofits, and family farms; and (ii) establishing data collection and reporting requirements.
Previous InfoBytes coverage on the (i) initial modifications to the CCFPL proposed regulation can be found here; (ii) the second round of CCFPL modifications proposal is found here; and (iii) the third iteration of the modified CCFPL proposal is located here.
This DFPI regulation was notably finalized on the heels of the CFPB’s finalized Section 1071 rule on small business lending data, which similarly will require financial institutions to collect and provide the Bureau data on lending to small businesses (covered by InfoBytes here)
Sections 1060, 1061, and 1062 will be effective on October 1.
DFPI launches actions against crypto scams, initiates education campaign
On August 9, the California Department of Financial Protection and Innovation (DFPI) announced that it issued cease and desist orders against three entities (orders here, here, and here) for allegedly offering and selling unqualified securities, and making material misrepresentations and omissions to investor related to cryptocurrency investments. The entities allegedly created high-yield investment programs (HYIPs), which DFPI characterizes as “investment frauds that typically promise high returns with low risk, promise overly consistent returns, provide little details about the people running the HYIP, use vague language to describe how the HYIP makes money, offer referral bonuses, facilitate deposits and withdrawals with crypto assets, and use social media to gain attention and attract investors.”
The cease and desist orders are just one of the tools DFPI employs to address investment scams involving crypto assets, also using enforcement actions, social media, and a Crypto Scam Tracker. DFPI has posted videos to its social media accounts that are directed towards the same group of individuals targeted by the crypto community in order to educate investors about its enforcement actions and violations of law. The Crypto Scam Tracker was launched earlier this year to help Californian’s identify and avoid scams involving cryptocurrency. (Covered by InfoBytes here).
Dubai to facilitate personal data transfers with California-based entities
On August 9, the Dubai International Financial Centre Authority (DIFC) Commissioner of Data Protection issued a “first-of-its-kind” adequacy decision, declaring California’s data protection regime as “substantially equivalent and low risk.” The DIFC deemed the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act of 2020, equivalent to DIFC’s DP Law 2020—opening the door to facilitate personal data transfers between DIFC and California-based entities without the need to apply additional contractual measures. The DIFC further noted that CCPA Regulations provide procedures, guidance, and clarity on the requirements of the CCPA and highlighted the key aspects of CCPA, including (i) concepts and definitions; (ii) breach notification requirements; (iii) enforcement authority; (iv) notifications to the commissioner; and (v) commissioner authority and objectives. The DIFC’s decision outlines nine observations regarding California’s data protection regime that informed its adequacy decision. In its press release, the DIFC noted that the CCPA “gives consumers control and protection over personal data collected by businesses” and limits data collection and processing to what is fair, lawful, and necessary. The DIFC added that this adequacy decision sets a precedent for Dubai to build “similar relationships with various US states and the US privacy framework in the future.”
Governor Hochul unveils statewide cybersecurity strategy for New York
On August 9, Governor Hochul announced New York’s first-ever statewide cybersecurity strategy to protect the state’s digital infrastructure from cyber threats. The cybersecurity strategy articulates a set of high-level objectives and agency roles and responsibilities, as well as outlines how existing and planned initiatives will be weaved together in a unified approach. The central principles of the strategy are unification, resilience, and preparedness, with a focus on state agencies working together with local governments to strengthen the entire state’s defenses. Included in the plan was a $600 million commitment to improve cybersecurity, including (i) a $90 million investment for cybersecurity in Fiscal Year 2024; (ii) $500 million to enhance healthcare information technology; and (iii) $7.4 million for law enforcement entities to expand their cybercrime capabilities.
California Privacy Protection Agency announces its first inquiry
On July 31, the California Privacy Protection Agency (CPPA) announced a review of the data privacy practices of “connected vehicle” manufacturers and related technologies. Executive Director of the CCPA Ashkan Soltani stated in the press release that the agency is “making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.” The vehicles in question contain tracking technology that raised data concerns under the California Consumer Privacy Act. Notably, this is the first action from the agency’s enforcement division.
Oregon enacts registration requirements for data brokers
On July 27, the governor of Oregon signed HB 2052 (the “Act”) into law, effective upon passage. The Act provides that a “data broker” cannot collect, sell or license brokered personal data within Oregon unless they first register with the Department of Consumer and Business Services. Brokered personal data includes, among other things, name (or the name of a member of the individual’s immediate family or household), data or place of birth, maiden name of the individual’s mother, biometric information, social security or other government-issued identification number, or other information that can “reasonably be associated” with the individual. A data broker does not include consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act, among others. There are certain exceptions to the requirement, including, among others, selling the assets of a business entity a single time, The Act stipulates a civil penalty in an amount less than or equal to $500 for each violation of Act or for each day in which violation continues. Civil money penalties are capped at $10,000 per calendar year.
DFPI concludes MTA licensure not required for data processor
On July 25, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter concluding that a company that merely receives payment instructions, orders, or directions to transmit money or monetary value does not constitute “receiving money for transmission” requiring licensure under the California Money Transmission Act (MTA).
Citing the California regulations, DFPI states that to “receive money for transmission,” a person must actually or constructively receive, take possession, or hold money or monetary value for transmission; merely receiving instructions, orders, or directions to transmit money or monetary value does not constitute “receiving money for transmission.”
As described in the letter, the data processor facilitated payments made by customers to contracting merchants in exchange for goods and services sold by merchants. The data processor forwards customer account and transaction details to partner financial institutions for debiting the customer’s account, and also facilitates refunds initiated by the merchants, including sending ACH instructions to the partner financial institution. However, the data processor at no point handles transferred funds or has custody or legal ownership of the rights to the transferred funds. DFPI, based on several factors and not solely limited to the services described, determined that the inquiring data processor’s payment system does not constitute money transmission or require an MTA license.