InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
States urge Supreme Court to find CFPB funding unconstitutional
On July 10, the West Virginia attorney general, along with 26 other states, filed an amicus brief in support of respondents in Consumer Financial Protection Bureau v. Community Financial Services Association of America, arguing that the CFPB’s funding structure violates the Constitution and that by operating outside the ordinary appropriations process states are often left “out in the cold.” In their brief, the states urged the U.S. Supreme Court to uphold the U.S. Court of Appeals for the Fifth Circuit’s decision in which it found that the Bureau’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here and a firm article here). The 5th Circuit’s decision also vacated the agency’s Payday Lending Rule on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding.
Arguing that the Bureau is operating beyond the boundaries established by the Constitution, the states maintained that the current funding mechanism limits Congress’s ability to oversee the agency. “Even if the CFPB has done some good—and some would even dispute that premise—it wouldn't matter,” the states said, warning that “sidelining Congress can greenlight an agency to wreak havoc,” especially if the “agency wields broad regulatory and enforcement powers over the entire U.S. financial system, acts under the control of a single powerful figure, and lacks other protections from meaningful oversight.”
The appropriations process plays a crucial role in enabling states to influence agency actions indirectly, the states maintained, explaining that when an agency initiates a new enforcement initiative or significant rulemaking endeavor, it is required to publicly outline its projected work in order to secure the necessary funding to carry it out. “Disclosure on the front end of the appropriations process can empower affected parties—including the [s]tates—to take quick, responsive actions beyond lobbying their representatives (up to suing to stop illegal action, if need be).” In contrast, the Bureau’s insulation from this process has allowed it to hide its actions from public view, the states wrote. As an example, the Bureau has repeatedly declined to interpret or provide further clarity on how the provisions governing unfair, deceptive, or abusive acts or practices work.
The brief also highlighted examples of when Congress used funding cuts through the appropriations process to curtail agencies’ powers. Additionally, unlike the challenges of amending authorizing statutes, appropriations bills must be passed by Congress each year to avoid a government shutdown, which can be “a painful pill to swallow for the sake of standing up for an agency’s policy choice,” the states noted, adding that “[b]ecause appropriations involves both oversight committees and appropriations committees, agencies may have ‘less flexibility to ally themselves with executive branch officials or interest groups.’”
The states also urged the Court to “ignore doomsaying” about the consequences of finding the funding structure unconstitutional. Should the Court agree to invalidate the funding structure, Congress can pass a proper appropriations bill for the Bureau, the states explained, adding that “a rebuke from this Court would no doubt grease the sticky wheels of the legislative process and move them a bit faster.” Moreover, states could also fill any gaps should Congress somehow pare back the CFPB’s funding, the brief stressed.
Several amicus briefs were also filed this week in support of CFSA, including an amici curiae brief filed by the U.S. Chamber of Commerce and several banking associations and an amici curiae brief filed by 132 members of Congress, including 99 representatives and 33 senators, which urged the Court to uphold the 5th Circuit’s decision.
Hawaii amends money transmitter provisions
On July 3, the Hawaii governor signed HB 1027 (the “Act”) into law, amending several provisions relating to the Money Transmitters Modernization Act. The Act adds and amends several definitions. Changes include defining “money,” “receiving money or monetary value for transmission,” and “tangible net worth.” The definition of “money transmission” has also been amended to clarify its connection to business done in Hawaii, and “stored value” has been amended to mean monetary value “that represents a claim against the issuer evidenced by an electronic or digital record and that is intended and accepted for use as a means of redemption for money or monetary value, or payment for goods or services.” Stored value does not include “a payment instrument or closed loop stored value, or stored value not sold to the public but issued and distributed as part of a loyalty, rewards, or promotional program.”
Among the various exemptions, the Act also provides for an exemption for an agent of the payee to collect and process a payment from a payor to the payee for goods or services, other than money transmission services, provided certain criteria is met. Additional exemptions include certain persons acting as intermediaries, persons expressly appointed as third-party service providers to an exempt entity, and registered futures commission merchants and securities broker-dealers, among others. Anyone claiming to be exempt from licensing may be required to provide information and documentation demonstrating their qualification for the claimed exemption.
The amendments outline numerous licensing application and renewal procedures, including largely adopting the net worth, surety bond, and permissible investment requirements set forth in the Money Transmission Modernization Act. Several other states have also recently enacted provisions relating to the licensing and regulation of money transmitters (see InfoBytes coverage here and here).
The Act took effect July 1.
States endorse CFPB’s policy statement on abusive conduct
On July 6, the California attorney announced that he had joined a coalition of state attorneys general in submitting a comment letter endorsing the CFPB’s recently issued policy statement on abusive conduct in consumer financial markets. The multi-state coalition comprises Arizona, California, Colorado, Connecticut, the District of Columbia, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, and Wisconsin. In April, the Bureau issued a policy statement containing an “analytical framework” for identifying abusive conduct prohibited under the Consumer Financial Protection Act, in which it broadly defined abusive conduct as anything that obscures, withholds, de-emphasizes, renders confusing, or hides information about the key features of a product or service. (Covered by InfoBytes here.)
In their letter, the state attorneys general emphasized the importance of preventing abusive conduct in consumer financial markets and highlighted the partnership between states and the Bureau in achieving this goal. The states also commended the Bureau for providing a clear, analytical framework for what constitutes abusive acts or practices and expressed appreciation for the agency’s use of real enforcement actions as examples of illegal abusive conduct. The multi-state coalition applauded the flexibility and guidance provided by the policy statement and complimented the Bureau for acknowledging the realities of modern consumer markets by clarifying that both acts and omissions can hinder consumers’ understanding of terms and conditions, including the use of fine print or complex language that limits comprehension.
District Court orders individual to pay $148 million in student debt-relief scam
On July 7, the U.S. District Court for the Central District of California entered a final judgment and order against an individual defendant accused of operating and controlling a deceptive student loan debt relief operation. As previously covered by InfoBytes, in 2019, the CFPB, along with the Minnesota and North Carolina attorneys general and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student loan borrowers. The Bureau and the states alleged that since at least 2015, the debt relief operation violated the Consumer Financial Protection Act (CFPA), Telemarketing Sales Rule (TSR), FDCPA, and various state laws by charging and collecting over $95 million in illegal advance fees from student loan borrowers. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by misrepresenting the purpose and application of the fees they charged and the nature and benefits of their services. Specifically, the debt relief operation allegedly failed to inform borrowers that, among other things, (i) they would request that the loans be placed in forbearance and interest would continue to accrue during the forbearance period, thereby increasing the borrowers’ overall loan balances; and (ii) it was their practice to submit false information about the borrowers to student loan servicers to try to qualify borrowers for lower monthly payments. The individual defendant was accused of owning, controlling, and managing the student loan debt relief operation, materially participating in the operation’s affairs, and providing substantial assistance or support while knowing or consciously avoiding knowledge that the operation was engaging in illegal conduct.
The individual defendant was held liable, jointly and severally, in the amount of approximately $95,057,757, for the purpose of providing redress to affected borrowers. Because the individual defendant was found to have recklessly violated the TSR and the CFPA, the court also imposed second-tier civil monetary penalties of $147,985,000 to the Bureau, of which $5,000 will be paid to each state. The final judgment also imposes various forms of injunctive relief, including permanent bans on engaging in consumer financial products or services and violating the TSR, CFPA, and similar laws in Minnesota, North Carolina, and California. The individual defendant is also prohibited from disclosing, using, or benefiting from customer information obtained in connection with the offering or providing of the debt relief services, and may not “attempt to collect, sell, assign, or otherwise transfer any right to collect payment from any consumer who purchased or agreed to purchase” a debt relief service from any of the defendants.
Illinois amends mortgage licensing provisions
On June 30, HB 2325 (the “Act”) was signed by the Illinois governor to amend The Residential Mortgage License Act of 1987. According to the amendments, residential mortgage licensees in Illinois must register every physical office where they conduct business with the Secretary of Financial and Professional Regulation. However, they are allowed to permit mortgage loan originators to work from a remote location if certain conditions are fulfilled. Conditions include but are not limited to: (i) the licensee must have written policies and procedures for supervising remote mortgage loan originators; (ii) access to company platforms and customer information must comply with the licensee's information security plan; (iii) mortgage originators' residences cannot be used for in-person customer interactions unless the residence is a licensed location; (iv) physical records cannot be stored at remote locations; and (v) electronics used at remote locations must be able to securely access the company’s systems. Moreover, "remote location" is not considered a full-service office as defined by the regulations. If the loan originator works remotely, their primary office is the office registered on the Nationwide Multistate Licensing System and Registry record, unless they choose another licensed branch.
The Act is effective January 1, 2024.
Nevada requires licenses for EWA providers
The Nevada governor recently signed SB 290 (the “Act”) outlining several requirements for providers of earned wage access (EWA) products. EWA products allow individuals to access their earned income before receiving their regular paycheck. To operate such services in Nevada, providers must obtain a license from the Nevada Commissioner of Financial Institutions. The licensing requirements apply to both “employer-integrated” services, where the provider receives verified data directly from the employer or the employer’s payroll service to deliver unpaid wages, and “direct-to-consumer” services where the provider delivers unpaid wages after verifying the earned income based on data not obtained from the employer or their payroll service. Notably, the Act specifies that EWA products are not loans or money transmissions under Nevada law and are not subject to existing laws governing these products. The Act outlines application and fee requirements (licenses will be issued via the Nationwide Multistate Licensing System and Registry) and requires licensed EWA providers to submit annual reports to the commissioner by April 15 of each year.
Providers of EWA products are also subject to certain prohibitions, which include: (i) sharing any fees, voluntary tips, gratuities, or other donations with an employer; (ii) the use of credit reports or credit scores to determine eligibility for an EWA service; (iii) the imposition of late fees or penalties for nonpayment by users; (iv) the reporting of a user’s nonpayment to a consumer reporting agency or a debt collector; (v) coercion of users to make payments through civil action; and (vi) restrictions on using a third-party collector or debt buyer to pursue collections from a user.
Additionally, EWA providers must, among other things, (i) implement policies and procedures to respond to questions and complaints raised by users (responses must be provided within 10-business days of receipt); (ii) disclose to the user his or her rights, as well as all related fees, prior to entering an agreement; (iii) allow users to cancel their EWA agreements at any time without being charged a fee; (iv) conspicuously disclose that any tips, gratuities, or donations paid by the user do not directly benefit any specific employee of the EWA provider or any other person (providers must also allow users to select $0 as an amount for such a tip); (v) comply with the EFTA when seeking payment of outstanding proceeds, fees, or other payments from a user’s depository account; and (vi) reimburse users for any overdraft or non-sufficient funds fees incurred as a result of the provider attempting to collect payment on a date earlier than disclosed to the user or in an amount different from what was disclosed.
On or before September 30, the commissioner is required to prescribe application requirements. EWA providers who were engaged in the offering of EWA services as of January 1, 2023, may continue to provide services until December 31, 2024, if the provider submits an application for licensure by January 1, 2024, and otherwise complies with the Act’s provisions. The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on July 1, 2024, for all other purposes.
Connecticut implements measures for auto-renewals
On June 28, the Connecticut governor signed HB 5314 (the “Act”), enacting measures relating to automatic renewal offers and consumer agreements. The Act, among other things, includes newly defined terms such as “automatic renewal provision.” The Act stipulates that any business that enters into a consumer agreement that contains an automatic renewal or continuous services provision must provide various consumer notices and enable any consumer who enters into such an agreement online to terminate online. Notices include a description of the actions the consumer must take to terminate, and if disclosed electronically, a link or other electronic means. Also, to be disclosed before renewal, in any consumer agreement containing an automatic renewal provision, must be the amount of the recurring charge and the amount of the change if the charges are subject to change (if such change in amount is known by the business). The business must further disclose the length of the term for such an agreement, unless the consumer chooses the length of the term, as well as any minimum purchase obligations and contact information for the business. The business must also establish a means for communication with consumers, such as email, toll-free phone number, or website if the agreement is contracted online. The Act also stipulates the nature of the disclosures for consumers before entering such an agreement, before the business makes a material change to the terms of the agreement, and before a consumer enters an agreement that offers a gift or free trial period. Additionally, the Act provides that no person doing business can impose any charge or fee for providing bills to consumers in paper form.
The Act is effective October 1.
Texas enacts data broker requirements
The Texas governor recently signed SB 2105 (the “Act”) to regulate data brokers operating in the state. The Act defines a “data broker” as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The Act’s provisions apply to data brokers that derive, in a 12-month period, (i) more than 50 percent of their revenue from processing or transferring personal data, or (ii) revenue from processing or transferring the personal data of more than 50,000 individuals, that was not collected directly from the individuals to whom the data pertains. Among other things, the Act requires covered entities to post conspicuous notices on websites or mobile applications disclosing that they are a data broker. Data brokers must also register annually with the secretary of state and pay required fees. Additionally, data brokers must implement a comprehensive information security program to protect personal data under their control and conduct ongoing employee and contractor education and training. Data brokers are required to take measures to ensure third-party service providers maintain appropriate security measures as well.
The Act does not apply to deidentified data (provided certain conditions are met), employee data, publicly available information, inferences that do not reveal sensitive data that is derived from multiple independent sources of publicly available information, and data subject to the Gramm-Leach-Bliley Act. Additionally, the Act does not apply to service providers that process employee data for a third-party employer, persons or entities that collect personal data from another person or entity to which they are related by common ownership or control where it is assumed a reasonable consumer would expect the data to be shared, governmental entities, nonprofits, consumer reporting agencies, and financial institutions.
The Texas attorney general has authority to bring an action against a data broker that violates the Act and impose a civil penalty in an amount not less than the total of “$100 for each day the entity is in violation,” as well as the amount of unpaid registration fees for each year an entity fails to register. Penalties may not exceed $10,000 in a 12-month period. By December 1, the secretary of state is required to promulgate rules necessary to implement the Act. The Act is effective September 1.
Connecticut establishes rules for virtual currency kiosks
On June 27, the Connecticut governor signed HB 6752 (the “Act”) to establish certain requirements for owners or operators of virtual currency kiosks in the state. Among other things, the commissioner has the authority to establish regulations, forms, and orders that govern the use of digital assets, such as virtual currencies and stablecoins, by regulated entities and individuals. When adopting, amending, or rescinding any such regulation, form, or order, the commissioner may consult with federal financial services regulators, regulators from other states, as well as other stakeholders and industry professionals to promote the consistent treatment and handling of digital assets. Definitions for “virtual currency address,” “virtual currency kiosk,” and “virtual currency wallet” have also been added.
The Act further provides that prior to engaging in an initial virtual currency transaction with a customer, the owner or operator of a virtual currency kiosk is required to provide clear and conspicuous written disclosures in English regarding the material risks associated with virtual currency. These disclosures should cover several key points, including a prominent and bold warning acknowledging that losses resulting from fraudulent or accidental transactions may not be recoverable, transactions in virtual currency are irreversible, and that the nature of virtual currency may lead to an increased risk of fraud or cyber-attack. Disclosures must also address a customer’s liability for unauthorized virtual currency transactions, a customer’s right to stop payment for a preauthorized virtual currency transfer (along with the process to initiate a stop-payment order), and circumstances in which the owner or operator will disclose information regarding the customer’s account to third parties, unless required by a court or government order. Additionally, customers must be provided upfront information relating to the amount of the transaction, any fees, expenses, and charges, and any applicable warnings. It is the responsibility of the owner or operator of a virtual currency kiosk to ensure that every customer acknowledges the receipt of all disclosures mandated by the Act, and to provide receipts upon completion of any virtual currency transaction. The Act is effective October 1.
Court delays enforcement of California privacy regulations
The Superior Court for the County of Sacramento adopted a ruling during a hearing held June 30, granting the California Chamber of Commerce’s (Chamber of Commerce) request to enjoin the California Privacy Protection Agency (CPPA) from enforcing its California Privacy Rights Act (CPRA) regulations until March 2024. Enforcement of the CPRA regulations was set to begin July 1.
The approved regulations (which were finalized in March and took effect immediately) update existing California Consumer Privacy Act regulations to harmonize them with amendments adopted by voter initiative under the CPRA in November 2020. (Covered by InfoBytes here.) In February of this year, the CPPA acknowledged that it had not finalized regulations regarding cybersecurity audits, risk assessments, and automated decision-making technology and posted a preliminary request for comments to inform this rulemaking. (Covered by InfoBytes here.) The June 30 ruling referred to a public statement issued by the CPPA, in which the agency explained that enforcement of those three areas would not commence until after the applicable regulations are finalized. However, the CPPA stated it intended to “enforce the law in the other twelve areas as soon as July 1.”
In March, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations. The Chamber of Commerce argued that the CPPA had finalized its regulations in March 2023 (rather than the statutorily-mandated completion date of July 1, 2022), and as a result businesses were not provided the required one-year period to come into compliance before the CPPA begins enforcement. The CPPA countered that the text of the statute “is not so straightforward as to confer a mandatory promulgation deadline of July 1, 2022, nor did the voters intend for impacted business to have a 12-month grace period between the [CPPA’s] adoption of all final regulations and their enforcement.”
The court disagreed, finding that the CPPA’s failure “to timely pass final regulations” as required by the CPRA “is sufficient to grant the Petition.” The court stated that because the CPRA required the CPPA to pass final regulations by July 1, 2022, with enforcement beginning one year later, “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” The court added that it was “not persuaded” by the CPPA’s argument “that it may ignore one date while enforcing the other.” However, staying enforcement of all the regulations for one year until after the last of the CPRA regulations have been finalized would “thwart the voters’ intent.” In striking a balance, the court stayed the CPPA’s enforcement of the regulations that became final on March 29 and said the agency may begin enforcing those regulations on March 29, 2024. The court also held that any new regulations issued by the CPPA will be stayed for one year after they are implemented. The court declined to mandate any specific date by which the CPPA must finalize the outstanding regulations.