
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC, Florida AG sue “chargeback mitigation” company

    Federal Issues

    On April 12, the FTC and the Florida attorney general filed a complaint in the U.S. District Court for the Middle District of Florida alleging a “chargeback mitigation” company and its owners (collectively, “defendants”) used numerous unfair tactics to thwart consumers trying to dispute credit card charges through the chargeback process. The chargeback process allows consumers to contest unwanted, fraudulent, or incorrect credit card charges with their credit card companies. According to the complaint, the defendants regularly sent screenshots and statements on behalf of company clients to credit card companies allegedly showing that consumers had agreed to the disputed charges. However, the FTC claimed that in many instances, the misleading screenshots did not come from the merchant’s website where the consumer made the disputed purchase. The complaint further alleged that the defendants used a system that allowed company clients to run numerous small-value transactions via prepaid debit cards in order to raise the number of transactions, thus lowering the percentage of charges that were disputed by consumers. The service, the FTC maintained, “enabled fraudulent merchants to evade or delay chargeback monitoring programs, fines, and account terminations designed to protect consumers from fraud.”

    The FTC noted that three of the defendants’ major clients (for which the defendants disputed tens of thousands of chargebacks on behalf of each of the companies) were previously sued by the FTC for engaging in deceptive negative-option marketing practices. The complaint accused the defendants of ignoring clear warning signs that the screenshots were misleading, including instances where the name of the product referenced in the screenshot did not match the product in the disputed purchase. The defendants also allegedly often overlooked company clients that opened and used a large number of different merchant accounts to process charges. Asserting violations of the FTC Act and the Florida Unfair and Deceptive Trade Practices Act, the complaint seeks permanent injunctive relief, restitution, and civil penalties.

    Federal Issues State Issues FTC Enforcement Consumer Finance Florida Credit Cards Courts FTC Act

  • NYDFS, crypto payment company reach AML/cybersecurity settlement

    State Issues

    On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.

    State Issues Digital Assets Privacy, Cyber Risk & Data Security State Regulators NYDFS Anti-Money Laundering Cryptocurrency Virtual Currency Payments Fintech Settlement 23 NYCRR Part 200 23 NYCRR Part 500 OFAC Risk Management

  • Colorado restricts vehicle value protection agreements

    State Issues

    On March 23, the Colorado governor signed SB 23-015, which prohibits placing conditions on the terms of a vehicle sale, lease, or the extension or terms of credit, upon the purchase of a vehicle value protection agreement. In addition, the bill requires, among other things, that such agreements must outline eligibility requirements, coverage conditions or exclusions, provide certain consumer notices, and must benefit the consumer “upon the trade-in, total loss, or unrecovered theft of a covered vehicle.” Providers of such agreements must also obtain a contractual liability insurance policy that guarantees their obligations under the agreement. Finally, the act establishes that value protection agreements themselves are not insurance and are exempt from state insurance regulations.

    State Issues State Legislation Colorado Auto Finance Consumer Finance

  • CFPB, New York AG ask court to lift stay after 2nd Circuit decision

    Courts

    On March 31, plaintiffs CFPB and the New York Attorney General moved the U.S. District Court for the Southern District of New York to lift its stay order in their litigation against a remittance provider in response to a recent U.S. Court of Appeals for the Second Circuit decision upholding the CFPB’s funding structure under the Constitution’s Appropriations Clause. (Covered by InfoBytes here.) The plaintiffs argued that the 2nd Circuit’s binding opinion has now “answer[ed] the question at the heart of this Court’s stay order: whether the Bureau’s statutory funding mechanism violates the Constitution.”

    As previously covered by InfoBytes, the district court had originally paused the proceedings at the defendant’s request when the Supreme Court was considering whether to hear an appeal in a different matter relating to the Bureau’s funding structure. The district court continued the stay after the Supreme Court agreed to review the 5th Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where it found that the CFPB’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause. The Supreme Court is scheduled to review the 5th Circuit’s decision next term (covered by InfoBytes here).

    The agencies argued primarily that (i) the 2nd Circuit “expressly considered and rejected the Fifth Circuit’s contrary view in CFSA;” (ii) it “did so notwithstanding that the Supreme Court will consider the same issue next Term”; and (iii) “[g]rants of certiorari do not change the law, and a district court remains bound by circuit precedent until the Supreme Court or the court of appeals changes that precedent.”

    On April 7, the court issued an order denying the Bureau's request and electing to keep the stay in place while the Supreme Court resolves the circuit split on this issue.

     

    Courts State Issues CFPB State Attorney General New York Enforcement Remittance Appellate Second Circuit Funding Structure Constitution U.S. Supreme Court Fifth Circuit

  • Virginia establishes program to implement CDFI fund

    State Issues

    On March 26, the Virginia governor signed HB 1411, which codifies the Virginia Community Development Financial Institutions Fund and creates the Virginia Community Development Financial Institutions Program to carry out the purposes of the fund. Among other things, the program will provide grants and loans to community development financial institutions (CDFIs) and other similar entities in order to fund small businesses, housing development and rehabilitation projects, and community revitalization real estate projects. Qualified recipients must emphasize microfinancing (defined as financing to small businesses in amounts of $100,000 or less) when using program funds. The Department of Housing and Community Development will oversee the fund and the program and is required to report annually on the fund’s use and impact. HB 1411 is effective July 1.

    State Issues State Legislation Virginia CDFI

  • Virginia and Kentucky enact requirements for auto renewals

    State Issues

    Recently, Virginia and Kentucky enacted measures relating to automatic renewal offers and continuous service offers.

    HB 1517 was signed by the Virginia governor on March 27 to amend the Consumer Protection Act in the Virginia code. The amendments provide that all businesses offering automatic renewals or continuous service offers that include a free trial lasting longer than 30 days are required to notify consumers of their option to cancel the free trial within 30 days of the end of the trial period. Providing this notice will avoid obligating a consumer to pay for the goods or services. Failing to timely notify a consumer is a violation of the Virginia Consumer Protection Act. A business also violates the statute if it fails “to disclose the total cost of a good or continuous service [] to a consumer, including any mandatory fees or charges, prior to entering into an agreement for the sale of any such good or provision of any such continuous service.” HB 1517 is effective July 1.

    SB 30 was signed by the Kentucky governor on March 23 to amend state law by adding sections addressing the termination of automatic renewal offers and continuous service offers. Among other things, the new sections define several terms, including “automatic renewal,” “automatic renewal offer terms,” “clear and conspicuous,” “consumer,” and “continuous service.” Businesses are required to provide clear and conspicuous automatic renewal or continuous service offer terms to consumers before the subscription or purchase agreement is fulfilled. Businesses also must obtain affirmative consent before charging a consumer’s credit or debit account or a consumer’s account with a third party. Additionally, businesses must (i) provide an acknowledgement that includes the terms, the cancellation policy, and information regarding how to cancel in a manner that can be retained by the consumer; (ii) give consumers appropriate mechanisms for cancellation; (iii) provide users who accept an automatic renewal or continuous service online the opportunity to terminate in the same medium; and (iv) provide a notice regarding material term changes. SB 30 outlines exemptions (including contracts entered into prior to the effective date), and states that first-time violators must “provide a prorated refund for the contract subject to an automatic renewal provision from the start of the most recent term to the date on which the business was notified of and corrects the error.” The state attorney general also may bring an action for injunctive and monetary relief against businesses that either fail to provide a prorated refund or where it is a business’s second or subsequent violation. SB 30 is effective January 1, 2024.

    State Issues State Legislation Virginia Kentucky Consumer Finance Auto-Renewal

  • Wyoming to issue stable tokens

    State Issues

    On March 17, the Wyoming governor signed SF 127 enacting the Wyoming Stable Token Act, creating the Wyoming stable token commission, and authorizing the issuance of stable tokens in the state. Under the Act, a Wyoming stable token is “a virtual currency representative of and redeemable for one (1) United States dollar held in trust by the state of Wyoming” that may only be issued in exchange for a USD. Stable tokens will be issued by the Wyoming stable token commission—created by the Act and to be comprised of no more than four virtual currency/fintech subject matter experts. The commission is authorized to, among other things, (i) establish “the means used to issue, maintain and manage the Wyoming stable tokens and the manner of and requirements for redemption”; (ii) select which financial institutions will manage the stable tokens, and make and enter into contracts and arrangements for such services; (iii) seek rulings and other guidance from federal agencies related to the provisions outlined in the Act; (iv) prior to issuing any such tokens, issue a comprehensive report to a select committee overseeing blockchain, financial technology, and digital innovation technology, among others, on all actions taken under the Act; and (v) promulgate rules and regulations as necessary to administer the Act and ensure compliance. The Act also outlines criteria relating to liability limitations and requires that the commission endeavor to issue at least one Wyoming stable token no later than December 31.

    State Issues Digital Assets Wyoming Virtual Currency State Legislation

  • Iowa becomes sixth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 28, the Iowa governor signed SF 262, establishing a framework for controlling and processing consumers’ personal data in the state. Iowa is now the sixth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, and Utah (covered by Special Alerts here and here and InfoBytes here, here, and here).

    • Consumer rights. Iowa consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their personal data processed by a controller (“except as to personal data that is defined as personal information pursuant to section 715C.1 that is subject to security breach protection”); and (iv) opt out of the sale of their data.
    • Controller responsibilities. The Act requires controllers—the persons that determine the purpose and means of processing personal data—to respond to consumers’ requests free of charge within 90 days (the response period may be extended an additional 45 days under extenuating circumstances). A controller must also inform a consumer, without undue delay, of its justification should it decline to take action regarding the consumer’s request, as well as instructions for appealing the decision. Controllers are also required to implement reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data, and must not process collected sensitive data without notifying the consumer and allowing for the opportunity to opt out of such processing (or in the case of data involving a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act). Controllers may not violate state and federal laws that prohibit discriminatory practices when processing personal data and may not discriminate against a consumer for exercising any of the provided consumer rights. Contracts that purport to waive or limit consumer rights shall be deemed void and unenforceable.
    • Disclosures. Controllers are required to provide consumers “a reasonably accessible, clear, and meaningful privacy notice” that outlines the categories of personal data to be processed, the purpose for processing the data, and how consumers may submit requests to exercise their personal rights (a controller may not require a consumer to create a new account to exercise consumer rights). The privacy notice must also outline the categories of data that may be shared with third parties, as well as the categories of applicable third parties, and clearly disclose when personal data is being sold or used in targeted advertising to allow a consumer the right to opt out of such activity.
    • Processor duties. Processors shall help controllers fulfill their obligations under the Act. A contract established between a controller and a processor will “govern the processor’s data processing procedures with respect to processing performed on behalf of the controller,” and must “clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.”
    • Exemptions and limitations. The Act also outlines various processing exemptions, including those related to pseudonymous data, and addresses certain actions that a controller or processor is able to take with respect to complying with federal, state, or local laws, investigations, or law enforcement agency inquiries, among others. The Act also limits the collection of personal data to what is adequate, relevant and necessary in relation to the purposes for which such data is processed, and requires controllers to implement data security protection practices.
    • Enforcement. Although the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 90 days to cure the alleged violation before the attorney general can file suit. Should the controller or processor continue to violate the Act, the attorney general may seek an injunction and civil penalties of up to $7,500 for each violation.

    The Act takes effect January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Iowa Consumer Protection

  • California OAL approves CCPA regulations

    Privacy, Cyber Risk & Data Security

    On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.

    The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues State Regulators California CPRA CPPA CCPA

  • Utah repeals some collection agency registration requirements

    On March 17, the Utah governor signed HB 20 to repeal several of the state’s collection agency statutory provisions. Specifically, the bill repeals provisions that (i) require collection agencies to register with the Division of Corporations and Commercial Code and have on file sufficient bond in the amount of $10,000 (see Sections 12-1-1 and 12-1-2); (ii) stipulate bond terms and require certain records relating to registrations and bonds to be maintained with the Division and open to public inspection (see Sections 12-1-3 and 12-1-5); (iii) relate to violations and penalties and specify that “[a]ny person, member of a partnership, or officer of any association or corporation who fails to comply with any provision of this title is guilty of a class A misdemeanor” (see Section 12-1-6); (iv) outline exceptions (see Section 12-1-7); (v) govern assignments of debts involving collection agencies and limit activities as to the assignments (see Section 12-1-8); (vi) specify that information about a consumer’s credit rating or credit worthiness sent to a consumer reporting agency is void if the collection agency does not have a bond on file (see Section 12-1-9); and (vii) require certain registration forms and application fees for collection agencies seeking approval to conduct business in Utah (see Section 12-1-10). Limitations and terms of collection fees and convenience fees imposed by creditors or third-party debt collection agencies will remain unchanged by the amendments (see Section 12-1-11). The changes take effect May 3.

    Licensing State Issues State Legislation Utah Debt Collection
